
Active Directory

Active Directory is the directory service used on Microsoft Windows based computers and servers to store information about networks and domains. It originated in 1996 and first shipped with Windows 2000. Active Directory (often abbreviated AD) performs a variety of functions: it stores information about objects, organizes those objects so they can be located and retrieved easily, makes them available to end users and administrators, and lets the administrator configure security for the directory. Active Directory is a hierarchical structure, and what it tracks is usually grouped into three categories: resources, which include hardware such as printers; services for end users, such as web and e-mail servers; and objects, such as the user, group and computer accounts of the domain and network.

Understanding Active Directories


It is worth looking at the framework for objects. An object can represent a piece of hardware such as a printer, an end user, or a set of security settings defined by the administrator. Objects can contain other objects (a container such as an organizational unit holds the users and computers placed in it), and every object has a unique identifier (its objectGUID) and a distinguished name that gives its position in the directory. Every object also has attributes that describe it. The set of object classes that can exist, and the attributes each class may carry, is defined by the schema; the schema is distinct from the settings of any individual object. The class an object belongs to determines how it can be used. For instance, schema classes and attributes can never be deleted, only deactivated, whereas ordinary objects can be deleted. Some built-in objects are protected as well: a user account can be deleted, but the built-in Administrator account can only be renamed or disabled. When understanding Active Directory, it is important to know the levels at which objects can be viewed. The directory can be viewed at one of three levels: forests, trees and domains. The highest structure is the forest, which contains every object in the directory; all domains in a forest share one schema and one configuration, and the forest is the security boundary. Within the forest are trees, each holding one or more domains that share a contiguous DNS namespace (for example corp.example and its child sales.corp.example). Going further down the structure are single domains, each a partition that is replicated only among its own domain controllers. To put forests, trees and domains into perspective, consider a large organization with many dozens of users and processes. The forest might be the entire network of end users and computers. Within the forest are trees holding one or more domains, and within each domain are objects such as domain controllers, users, groups and computers. Within container objects are further objects, which can then be controlled and categorized.

How are Active Directories used?


If you are a computer administrator for a large corporation or organization, you can update the software, patches and files on all end users' computers by changing a single object (for example a Group Policy object linked to a domain or organizational unit) rather than visiting each machine. Because each object belongs to a schema class with specific attributes, a network administrator can quickly move a person within a tree, or grant or deny select users access to certain applications. When a user from one domain needs resources in another domain, the domain controllers use trusts to decide whether that user's credentials are accepted at all. Two types of trust that Active Directory incorporates are two-way transitive trusts and one-way non-transitive trusts. A transitive trust extends beyond the two domains that established it: if domain A trusts domain B and B trusts C, then A also trusts C. The parent/child and tree-root trusts created automatically inside a forest are of this kind, so every domain in a forest will authenticate users from every other domain in that forest. A one-way non-transitive trust (an external trust to a domain outside the forest is the usual example) works in one direction only: users from the trusted domain can be granted access to resources in the trusting domain, but not the reverse, and the trust does not extend to any further domains on either side. Put simply, a trust decides whose accounts a domain is willing to authenticate; what those accounts may then do is still governed by the permissions set on each resource. Active Directory is a great way to organize a large organization's computers, data and network. Without it, most end users' computers would need to be updated individually and would not have access to a larger network where data can be processed and reports can be created. While Active Directory is technical to a good extent and requires considerable expertise to navigate, it is essential to storing information and data on networks.
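The trust rules above can be checked mechanically, which is what an administrator (or a penetration tester mapping lateral movement) does when asking "whose accounts will this domain authenticate?". The following is an added example in Python, not code from this page: it models the forest trusts as two-way transitive edges and an external trust as a one-way non-transitive edge, and walks the graph under the rule that a non-transitive trust is honoured only as a direct relationship while longer paths must be transitive at every hop. The domain names (corp.example, sales.corp.example, eng.example, partner.local) and the trusts between them are constructed for the demonstration.

```python
"""Trust-path evaluation for Active Directory domains.

Added example, not code from this page. It models the two trust kinds the text
describes (two-way transitive trusts inside a forest, one-way non-transitive
external trusts) and answers "can accounts from domain U be authenticated for
resources in domain R?". All domain names and trusts below are constructed."""
from collections import deque


class TrustMap:
    """Directed trust graph. An edge (trusting -> trusted) means the trusting
    domain accepts the trusted domain's accounts; 'transitive' says whether the
    edge may be chained with other transitive edges into a longer path."""

    def __init__(self):
        self.edges = {}                      # trusting -> {trusted: transitive}

    def add_trust(self, trusting, trusted, *, two_way, transitive):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        if two_way:
            self.edges.setdefault(trusted, {})[trusting] = transitive

    def add_forest(self, root, *domains):
        """Parent/child and tree-root trusts are created automatically as
        two-way transitive trusts when a domain joins the forest."""
        for dom in domains:
            # a child (x.parent) trusts its parent; a new tree trusts the forest root
            parent = dom.split(".", 1)[1] if dom.endswith("." + root) else root
            self.add_trust(dom, parent, two_way=True, transitive=True)

    def trusted_by(self, resource_domain):
        """Every domain whose accounts resource_domain will authenticate.
        A non-transitive trust counts only as a direct edge from
        resource_domain; longer paths must be transitive at every hop."""
        direct = self.edges.get(resource_domain, {})
        reach, expanded = set(direct), set()
        queue = deque(d for d, transitive in direct.items() if transitive)
        while queue:
            cur = queue.popleft()
            if cur in expanded:
                continue
            expanded.add(cur)
            for nxt, transitive in self.edges.get(cur, {}).items():
                if transitive and nxt != resource_domain:
                    reach.add(nxt)
                    queue.append(nxt)
        return reach

    def can_access(self, user_domain, resource_domain):
        return user_domain in self.trusted_by(resource_domain)


def build_example():
    """Constructed forest: corp.example root, child sales.corp.example, a second
    tree eng.example, plus a one-way external trust from sales to partner.local."""
    t = TrustMap()
    t.add_forest("corp.example", "sales.corp.example", "eng.example")
    # sales.corp.example trusts partner.local: partner accounts may be granted
    # access to sales resources, but not the reverse, and not anywhere else.
    t.add_trust("sales.corp.example", "partner.local",
                two_way=False, transitive=False)
    return t


if __name__ == "__main__":
    trusts = build_example()
    for res in ("corp.example", "sales.corp.example", "partner.local"):
        print(f"{res} authenticates accounts from: {sorted(trusts.trusted_by(res))}")
```

Running it shows that eng.example accounts reach sales.corp.example through the forest root, that partner.local accounts stop at sales.corp.example and never reach corp.example, and that partner.local authenticates nobody from the forest because its trust is one way.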

DHCP Relay Agent Overview


The Dynamic Host Configuration Protocol (DHCP) is a service that runs at the application layer of the TCP/IP protocol stack (over UDP, port 67 on the server and port 68 on the client) to dynamically assign IP addresses to DHCP clients and to hand out TCP/IP configuration information. This includes the subnet mask, default gateway IP addresses, DNS server IP addresses, and WINS server IP addresses. DHCP is derived from the Bootstrap Protocol (BOOTP) and uses the same message layout. The DHCP server is configured with predetermined pools of IP addresses (scopes), from which it allocates addresses to DHCP clients. When a DHCP client boots up on the network, the DHCP lease process takes place between the client and the server, and the scopes configured on the server are used to provide the client with an address. The lease process consists of four messages exchanged between the DHCP client and the DHCP server:

- DHCPDISCOVER message: sent by a client when it boots up on the network to request an IP address lease. It is sent as a broadcast packet, asking any DHCP server to respond.
- DHCPOFFER message: the response to a DHCPDISCOVER, sent by one or more DHCP servers, each offering an address.
- DHCPREQUEST message: the client broadcasts a request naming the server whose offer it accepts (the server identifier option) and the address it wants; the other servers withdraw their offers.
- DHCPACK message: the DHCP Acknowledge message is sent by the chosen DHCP server to the client and completes the lease, assigning the address for the lease duration.

Because the DHCPDISCOVER message is a broadcast, and broadcasts only cross other segments when they are explicitly forwarded, you may have to configure a DHCP Relay Agent on the router interface so that DHCPDISCOVER messages are forwarded to your DHCP server. Alternatively, you can configure the router itself to forward DHCP and BOOTP messages. In a routed network you need DHCP Relay Agents if you plan to implement only one DHCP server, because for DHCP to operate every client computer must be able to reach a DHCP server. DHCP depends on the network topology and is in turn relied on by all TCP/IP based hosts in your environment. Therefore, if your network has multiple segments, you have to do one of the following:

- Place a DHCP server on each segment
- Place a DHCP Relay Agent on each segment
- Configure your routers to forward DHCP broadcast messages

The DHCP Relay Agent makes it possible for DHCP broadcast messages to be carried across routers that do not forward such messages themselves. It is installed in Routing and Remote Access as a routing protocol component, and it enables DHCP clients to obtain IP addresses from a DHCP server located on a remote subnet. The relay agent listens for client broadcasts on its interface, records the address of that interface in the gateway address (giaddr) field of the message, and forwards the message as a unicast to each configured DHCP server. The server uses giaddr to pick the scope for the client's subnet and sends its reply back to the relay agent, which delivers it to the client. If no DHCP Relay Agent is configured, clients can only obtain addresses from a DHCP server on their own subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, configure the DHCP Relay Agent on the subnet that contains the remote clients, so that it relays their DHCP broadcasts to your DHCP server. The systems that can run the DHCP Relay Agent are:

- Windows NT Server
- Windows 2000 Server
- Windows Server 2003

In routed networks, you need to either enable your routers to forward DHCP broadcast messages or configure a DHCP Relay Agent, for the following reasons:

- The initial message sent by the DHCP client is a broadcast message.
- A router that is not configured to forward DHCP broadcasts drops them, so if no DHCP Relay Agent exists the lease process cannot take place.

Configuring the DHCP Relay Agent


The process for configuring the DHCP Relay Agent is outlined below:

1. Enable Routing and Remote Access Server (RRAS).
2. Install the DHCP Relay Agent routing protocol.
3. Configure DHCP Relay Agent properties.
4. Configure/enable the DHCP Relay Agent on the router interface to forward DHCP broadcast messages.
5. View statistical information on the operation of the DHCP Relay Agent.

How to enable Routing and Remote Access Server (RRAS)


1. Click Start, All Programs, Administrative Tools, and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Right-click the node of your server, and then choose Configure And Enable Routing and Remote Access from the shortcut menu.
3. The Routing and Remote Access Server Setup Wizard launches. Click Next on the initial page of the wizard.
4. On the Configuration page, select the Custom Configuration option. Click Next.
5. On the Custom Configuration page, enable the LAN Routing checkbox. Click Next.
6. Verify your configuration settings on the Summary page. Click Finish.
7. Click Yes when prompted to start the RRAS service.

How to install the DHCP Relay Agent routing protocol


1. Open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree.
3. Right-click the General node, and then select New Routing Protocol from the shortcut menu.
4. The New Routing Protocol dialog box opens.
5. Select DHCP Relay Agent.
6. Click OK.

How to configure DHCP Relay Agent properties


1. Click Start, All Programs, Administrative Tools, and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree.
3. Right-click the DHCP Relay Agent node, and then select Properties from the shortcut menu.
4. On the General tab, enter the IP address of the DHCP server in the Server Address text box, and click Add.
5. Repeat the above step for each DHCP server that you have to add.
6. Click OK.

How to enable the DHCP Relay Agent on a router interface

1. Click Start, All Programs, Administrative Tools, and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree.
3. Right-click the DHCP Relay Agent node and then select New Interface from the shortcut menu.
4. Select the interface that is on the same subnet as the DHCP clients.
5. Click OK.
6. In the DHCP Relay Properties dialog box, ensure that the Relay DHCP Packets checkbox is selected on the General tab.
7. You can change the Hop-Count Threshold and Boot Threshold values. The hop-count threshold is the maximum number of relay agents a DHCP message may pass through before it is discarded. The boot threshold is the number of seconds the relay agent waits, judged by the seconds-elapsed field the client fills in, before relaying a message; this gives a DHCP server on the local subnet the first chance to answer.
8. Click OK.

How to view statistical information on the operation of the DHCP Relay Agent
1. Click Start, All Programs, Administrative Tools, and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Select the DHCP Relay Agent node, and view the statistical information displayed in the details pane of the Routing And Remote Access console:
   - Received requests
   - Received replies
   - Discarded requests
   - Discarded replies
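The lease exchange and the relay forwarding described above, as an added example in Python (not code from this page or from RRAS): it serializes and parses DHCP messages in the RFC 2131 layout, runs DISCOVER/OFFER/REQUEST/ACK between a client and a DHCP server on another subnet through a relay agent, and keeps the four counters the console shows. The MAC address, the 10.0.0.0/24 and 10.1.0.0/24 scopes, the relay and server addresses and the thresholds are constructed, and the hop-count and boot-threshold checks are the assumed meaning of the two RRAS settings (relays crossed so far, and the client's secs field), following the RFC 1542 relay rules.

```python
"""DHCP lease exchange through a relay agent, following the RFC 2131 message
layout and the RFC 1542 relay rules.

Added example, not code from this page or from RRAS. The MAC address, server
and relay addresses, scope contents and thresholds are constructed; the
hop-count and boot-threshold checks implement the assumed meaning of the two
RRAS relay settings (relays crossed so far, and the client's secs field)."""
import struct
from ipaddress import IPv4Address, IPv4Network

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5      # DHCP message type (option 53)
MAGIC = b"\x63\x82\x53\x63"                       # cookie that starts the options
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"             # 236-byte fixed BOOTP header

def build(op, xid, mac, msg_type, *, yiaddr="0.0.0.0", giaddr="0.0.0.0",
          hops=0, secs=0, options=()):
    """Serialize a message: fixed header, cookie, option 53, other options, end."""
    zero, chaddr = b"\0" * 4, bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    hdr = struct.pack(HEADER, op, 1, 6, hops, xid, secs, 0x8000, zero,
                      IPv4Address(yiaddr).packed, zero, IPv4Address(giaddr).packed,
                      chaddr, b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + MAGIC + body + b"\xff"

def parse(raw):
    """Decode the header fields this example needs plus every TLV option."""
    f = struct.unpack(HEADER, raw[:236])
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "secs": f[5],
           "yiaddr": str(IPv4Address(f[8])), "giaddr": str(IPv4Address(f[10])),
           "mac": f[11][:6].hex(":"), "options": {}}
    i = 240                                           # header + magic cookie
    while raw[i] != 0xFF:                             # 0xFF is the end option
        code, length = raw[i], raw[i + 1]
        msg["options"][code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return msg

class RelayAgent:
    """Forwards client broadcasts to remote servers and delivers the replies."""

    def __init__(self, interface_ip, servers, hop_threshold=4, boot_threshold=0):
        self.ip, self.servers = interface_ip, list(servers)
        self.hop_threshold, self.boot_threshold = hop_threshold, boot_threshold
        self.stats = {"received_requests": 0, "received_replies": 0,
                      "discarded_requests": 0, "discarded_replies": 0}

    def relay_request(self, raw):
        """Client -> server: the message to unicast to each DHCP server, or None."""
        m = parse(raw)
        self.stats["received_requests"] += 1
        # Drop requests that already crossed too many relays, or that are still
        # young enough (secs field) for a server on the local subnet to answer.
        if m["hops"] >= self.hop_threshold or m["secs"] < self.boot_threshold:
            self.stats["discarded_requests"] += 1
            return None
        giaddr = m["giaddr"] if m["giaddr"] != "0.0.0.0" else self.ip  # first relay stamps it
        others = [(c, v) for c, v in m["options"].items() if c != 53]
        return build(1, m["xid"], m["mac"], m["options"][53][0], giaddr=giaddr,
                     hops=m["hops"] + 1, secs=m["secs"], options=others)

    def relay_reply(self, raw):
        """Server -> client: only replies carrying this relay's giaddr are delivered."""
        self.stats["received_replies"] += 1
        if parse(raw)["giaddr"] != self.ip:
            self.stats["discarded_replies"] += 1
            return None
        return raw                     # would be broadcast on the client interface

class DhcpServer:
    """Picks the scope from giaddr (or its own subnet) and answers DISCOVER/REQUEST."""

    def __init__(self, ip, scopes):
        self.ip, self.offers = ip, {}                     # offers: mac -> address
        self.pools = {IPv4Network(n): list(a) for n, a in scopes.items()}

    def handle(self, raw):
        m = parse(raw)
        origin = IPv4Address(m["giaddr"] if m["giaddr"] != "0.0.0.0" else self.ip)
        scope = next(net for net in self.pools if origin in net)
        kind, mac = m["options"][53][0], m["mac"]
        if kind == DISCOVER:
            if mac not in self.offers:
                self.offers[mac] = self.pools[scope].pop(0)
            reply = OFFER
        elif (kind == REQUEST and mac in self.offers
              and m["options"].get(54) == IPv4Address(self.ip).packed
              and m["options"].get(50) == IPv4Address(self.offers[mac]).packed):
            reply = ACK                                   # the client chose our offer
        else:
            return None                                   # not ours to answer
        return build(2, m["xid"], mac, reply, yiaddr=self.offers[mac], giaddr=m["giaddr"],
                     options=[(54, IPv4Address(self.ip).packed), (1, scope.netmask.packed)])

def lease_via_relay(mac, relay, server, xid=0x3903F326):
    """Run DISCOVER/OFFER/REQUEST/ACK across the relay; return the leased address."""
    offer = parse(relay.relay_reply(server.handle(relay.relay_request(
        build(1, xid, mac, DISCOVER)))))
    request = build(1, xid, mac, REQUEST, options=[
        (50, IPv4Address(offer["yiaddr"]).packed), (54, offer["options"][54])])
    ack = parse(relay.relay_reply(server.handle(relay.relay_request(request))))
    return ack["yiaddr"] if ack["options"][53][0] == ACK else None
```

With a relay at 10.1.0.1 forwarding to a server at 10.0.0.5, lease_via_relay hands the client the first address of the 10.1.0.0/24 scope, chosen from giaddr rather than from the server's own subnet, and the relay's counters show two requests and two replies with nothing discarded. Nothing in the exchange authenticates either side: the relay forwards any broadcast it hears and the client takes the first offer it likes, which is why a rogue DHCP server on a client segment can hand out its own gateway and DNS addresses; DHCP snooping on the switch, which admits server replies only on trusted ports, is the usual control.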

Domain Name Service (DNS) Overview


Domain Name Service (DNS) enables applications and users to connect to hosts in TCP/IP based networks by specifying a name. DNS is a hierarchically distributed database of hierarchical names that can be resolved to IP addresses. (Resolving an IP address to a MAC address on the local segment is a separate step performed by ARP, not by DNS.) DNS therefore provides the means for naming IP hosts and for locating IP hosts when they are queried for by name. The protocols and standards of DNS provide the following key components:

- The method for updating address information in a DNS database.
- The method for querying address information in a DNS database.
- The schema of the DNS database.
- The ability to replicate address information between DNS servers in the DNS topology.

Before DNS existed, HOSTS files were used to resolve host names to IP addresses. The HOSTS file was maintained manually by administrators and held on a centrally administered server on the Internet. Each site or location that needed to resolve host names to IP addresses had to download a new copy of the HOSTS file at regular intervals. As the Internet grew, so did the size of the HOSTS file and the traffic generated by downloading it. This led to the design and implementation in 1983 (RFC 882 and RFC 883) of DNS, the hierarchically distributed database that resolves host names to IP addresses. The main design requirements of DNS give it the following advantages over the HOSTS file:

- A hierarchical name space
- Host names in the DNS database can be distributed between multiple servers
- The database has no fixed size limit
- Extensible data types: in addition to host name to IP address mappings, other record types are supported as well
- No degradation in performance as more servers are added: the database is scalable
- Distribution of administration: naming can be managed individually for each partition (zone)

DNS has been included with the operating system since Windows NT Server 4.0. DNS is the primary name registration and resolution service in Windows 2000 and Windows Server 2003, and provides the following features and services:

- A hierarchically distributed and scalable database.
- Name registration, name resolution and service location for Windows 2000 and Windows Server 2003 clients.
- Locating domain controllers for logon.

The Differences between the NetBIOS Naming System and DNS


Before discussing the differences between the NetBIOS naming system and DNS, let's first look at the different name types used in Windows operating systems:

- Computer name: the name an administrator assigns to a computer. To verify the computer name:
  1. Right-click My Computer, and select Properties from the shortcut menu.
  2. Click the Computer Name tab to verify the computer's name.
- NetBIOS name: a unique name used to identify a NetBIOS resource on the network. A NetBIOS name is resolved to an IP address for communication to occur.
- Host name: a name assigned to a computer to identify a host on a TCP/IP network. The host name can be described as the alias assigned to a node to identify it. When the host name is used instead of the IP address, it has to be resolved to an IP address for IP communication to occur. The HOSTS file is a locally stored text file that contains host name to IP address mappings.
- Fully qualified domain name (FQDN): the DNS name used to identify a computer on the network. FQDNs have to be unique. An FQDN usually consists of:
  1. Host name
  2. Primary DNS suffix
  3. A trailing period (representing the root)
- DNS name: a name made up of a number of labels separated by dots. When a DNS name shows the entire path from the root, it is a fully qualified domain name (FQDN).
- Alias: a name used instead of another name. The Canonical Name (CNAME) record defines an alias in DNS.
- Nickname: another name used for a host, usually an abbreviated version of the FQDN. A nickname has to be unique for each node if you want to map it to the FQDN.
- Primary DNS suffix: computers in a Windows Server 2003 network are assigned primary DNS suffixes for name registration and name resolution purposes. The primary DNS suffix is also referred to as the primary domain name, or domain name.
- Connection-specific DNS suffix: a DNS suffix assigned to a network adapter; also called the adapter DNS suffix.

The differences between the NetBIOS naming system and the DNS namespace are noted below:

- A NetBIOS name cannot be longer than 16 bytes (15 characters plus a one-byte suffix). A DNS name can be up to 255 characters in total, with each label up to 63 characters.
- The NetBIOS naming system is a flat naming system. The namespace used by DNS is hierarchical.
- The DNS naming system is called the domain namespace. If you use a private domain namespace with no interaction with the Internet, it does not have to be globally unique.

Understanding the DNS namespace


The naming system used by DNS is a hierarchical namespace, called the DNS namespace. The DNS namespace has a unique root. The root can contain numerous subdomains, and each subdomain can in turn contain multiple subdomains. The DNS namespace uses a logical tree structure in which each entity is subordinate to the entity above it. Each node in the DNS domain tree has a name, called a label, of up to 63 characters. Nodes that share the same parent in the DNS domain tree must have different labels, whereas nodes on separate branches of the hierarchy can have the same label.

Each node in the DNS domain tree is identified by a FQDN, a DNS domain name that specifies the node's location in relation to the rest of the tree. A domain name is the list of labels along the path from a particular node up to the root of the tree, and the FQDN is the entire list of labels for a specific node. Each domain registered in DNS has one or more DNS name servers that provide authoritative replies to queries for that domain. The Internet Corporation for Assigned Names and Numbers (ICANN) manages the root of the Internet domain namespace. ICANN manages the assignment of the globally unique identifiers that are key to the operation of the Internet, including:

- Internet domain names
- IP addresses
- Port numbers
- Protocol parameters

Below the root DNS domain are the top-level domains, which are also managed by ICANN. The top-level domains are:

- Organizational domains:
  - They can be used globally.
  - They are named with a three-character code.
  - The code describes the main function of the organizations in the domain.
- Geographical domains:
  - They are usually used by organizations outside the United States.
  - They are named with two-character country and region codes.
  - The codes were established by the International Organization for Standardization in ISO 3166.
  - The codes identify a country, such as .uk for the United Kingdom.
- Reverse domains: used for IP address to name mappings (reverse lookups). IPv4 addresses are looked up under in-addr.arpa with the octets in reverse order.

The additional top-level domains approved by ICANN in late 2000 are:

- .aero; for the air transportation industry
- .biz; for businesses
- .coop; for cooperatives
- .info; for information
- .museum; for museums
- .name; for individual names
- .pro; for credentialed professions such as attorneys

The common top-level domain names used are:

- .com; commercial organizations
- .edu; educational institutions
- .gov; government
- .int; international organizations
- .mil; military organizations
- .net; Internet providers and networking organizations
- .org; non-commercial organizations
- .uk; United Kingdom
- .us; United States
- .ca; Canada
- .jp; Japan

Understanding DNS Components and Terminology


The components that DNS depends on, and the terminology used when discussing and managing DNS, are listed below:

- DNS server: a computer running the DNS Server service, or BIND, that provides domain name services. The DNS server program, whether it is the DNS Server service or BIND, manages and maintains the DNS database located on the server. The information in that database pertains to a portion of the DNS domain tree, and is used to answer client requests for name resolution. When a DNS server is queried it can do one of the following:
  - Respond to the request directly by providing the requested information
  - Provide a pointer (referral) to another DNS server that can assist in resolving the query
  - Respond that the information is unavailable
  - Respond that the information does not exist
  A DNS server is authoritative for the contiguous portion of the DNS namespace over which it presides. The following types of DNS servers exist:
  - Primary DNS server: owns the zones defined in its DNS database and can make changes to them.
  - Secondary DNS server: obtains a read-only copy of zones via zone transfers. It cannot change its copy, but it can resolve queries from it. Secondary DNS servers are usually implemented for the following reasons:
    - Redundancy: install at least one primary and one secondary DNS server for each zone, on different subnets, so that if one server fails the other can continue to resolve queries.
    - Distribution of DNS processing load: secondary servers reduce the load on the primary server.
    - Fast access for clients in remote locations: secondary servers keep clients from traversing slow links for name resolution requests.
- DNS zones: a zone is the contiguous portion of the DNS domain namespace over which a DNS server is authoritative. A zone is a portion of the namespace; it is not the same thing as a domain. A domain is a branch of the DNS namespace, and a zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple zones. Zone files store the resource records for the zones over which a DNS server has authority.
- DNS client: a machine that queries the DNS server for name resolution. DNS resolvers are used to issue the requests.
- Queries: the types of DNS queries that can be sent to a DNS server are:
  - Recursive queries
  - Iterative queries
- DNS resolvers: programs that use DNS queries to request information from DNS servers. In Windows Server 2003, the DNS Client service performs the function of the DNS resolver. A resolver can issue name queries to remote DNS servers or to a DNS server running locally. When a resolver receives a response from a DNS server, it caches the information locally, and the cache is used if the same information is requested again.
- Resource records: the entries in the DNS database that are used to answer name resolution queries. Each DNS server holds the resource records it needs to respond to queries for the portion of the namespace for which it is authoritative.
- Root servers: the servers authoritative for the root zone. When a query cannot be resolved from the local zone files or cache, resolution starts at a root server, which returns a referral to the name servers for the relevant top-level domain, and so on down the tree until a server that can give an authoritative answer for the name is reached.

How DNS Resolves Queries


A DNS client queries a DNS server to resolve a name. The query contains the following important information:

- The DNS domain name, in FQDN format
- The query type (for example A, PTR or MX)
- The class for the DNS domain name (almost always IN, for Internet)

A DNS client uses one of three query types to query a DNS server:

- Iterative queries: the DNS server provides the best answer it can. This can be:
  - The resolved name
  - A referral to a different DNS server
- Recursive queries: the DNS server has to reply with the requested information or with an error. It cannot simply hand back a referral to a different DNS server.
- Inverse queries: a query asking for the name associated with a known IP address. Because ordinary zone data has no index by address, every domain would have to be searched to answer it, so inverse queries are obsolete; reverse lookups are instead done as ordinary queries for PTR records in the in-addr.arpa domain.

If a DNS server cannot find a match for a queried name in its zone information or in its cache, the server performs recursion to resolve the name; this is the default configuration for DNS servers. Recursion is the process whereby the DNS server queries other DNS servers on behalf of the client. By querying the other DNS servers, the initial DNS server actually acts as a DNS client! To perform recursion, root hints tell the DNS server where in the DNS namespace it should start searching for the queried name. Root hints are a collection of resource records that the DNS Server service uses to locate the DNS servers that are authoritative for the root of the DNS namespace. If you are using Windows Server 2003 DNS, a preconfigured root hints file named Cache.dns already exists in the WINDOWS\System32\Dns directory. Cache.dns contains the addresses of the root servers of the Internet DNS namespace and is preloaded into memory when the DNS Server service starts. If recursion is disabled on the DNS server and the server cannot find a match for the queried name in its zone information or cache, it returns a referral instead, and the client must perform iterative queries itself: it sends repeated requests to the different DNS servers named in each referral until the name is resolved. The events that occur to resolve a name requested in a query are explained below:

1. The resolver sends a recursive DNS query to its local DNS server, requesting the IP address of a particular name.
2. Because the query is recursive, the local DNS server cannot simply refer the resolver elsewhere, so it attempts to resolve the requested name itself.
3. The local DNS server checks its zones and its cache.
4. If it finds no zone for the requested name, the local DNS server sends an iterative query for the name to a root DNS server.
5. The root DNS server is authoritative for the root domain. It responds with the IP address of a name server for the relevant top-level domain.
6. The local DNS server next sends an iterative query for the requested name to that top-level domain name server, which in turn replies with the IP address of the name server servicing the requested domain.
7. The local DNS server then sends an iterative query for the requested name to the name server servicing that domain.
8. That name server responds with the requested IP address.
9. The local DNS server caches the answer and returns the IP address to the resolver.

The different query response types that can be returned by a DNS server are:

- Authoritative answer: a positive response in which the authoritative answer (AA) bit is set in the DNS message header, indicating that the reply came from a DNS server that has direct authority for the name queried.
- Positive answer: a response that returns the resource record corresponding to the name and record type in the original query.
- Referral answer: returned when the DNS server does not perform recursion for the query (recursion is disabled on the server or was not requested). A referral contains the resource records for other name servers that can help resolve the request.
- Negative answer: returned to the client when one of the following is true:
  - The name queried does not exist in the DNS namespace (NXDOMAIN). This information comes from an authoritative server.
  - The authoritative server indicated that the name does exist, but there are no resource records of the requested type for it (a "no data" response).

How caching works in DNS


In DNS, caching is used to reduce the traffic generated on the network by queries sent to DNS servers. The DNS Server service and the DNS Client service both use caching to improve DNS performance and reduce DNS specific traffic. Each cached record is kept only for the time to live (TTL) that the authoritative server attached to it.

- DNS Server cache: when the DNS server performs recursive queries for clients, it stores the resource records it receives in its server cache. If the same information is requested again before the records expire, the cached information is used. The contents of the server cache are discarded when the DNS Server service is stopped. You can also clear the server cache manually from the DNS console, the management console for administering DNS.
- DNS Client cache: also referred to as the DNS resolver cache. Information is added to the client cache when the following events occur:
  - The DNS Client service starts: the records in the HOSTS file are loaded into the client cache.
  - The DNS server responds to a client's request: when the DNS server returns a response to a query, the information is added to the client cache.
  The contents of the client cache are discarded when the DNS Client service is stopped.
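The resolution walk (root referral, top-level domain referral, authoritative answer), the response types (authoritative, referral, NXDOMAIN and "no data"), the reverse domain and the TTL-bounded caching described in the sections above, as one added example in Python. This is not code from this page: the four "servers" are in-memory zone tables standing in for real hosts, the server names under .test, the example.com records and the 192.0.2.10 address are constructed, glue records are replaced by a lookup from server name to server object, and NEGATIVE_TTL stands in for the SOA minimum that real resolvers use to cache negative answers.

```python
"""Iterative DNS resolution with referrals, TTL caching and negative answers.

Added example, not code from this page. The "servers" are in-memory zone tables
standing in for real hosts; names (*.test, example.com), addresses and TTLs are
constructed; the SERVERS dict replaces the glue A records a real resolver would
need; NEGATIVE_TTL stands in for the zone's SOA minimum (RFC 2308)."""
import time


class Server:
    """One authoritative server: a zone plus NS records delegating child zones."""

    def __init__(self, zone, records):
        self.zone, self.records = zone, records     # name -> {type: [(ttl, rdata)]}

    def query(self, name, qtype):
        # Names under a delegated child zone get a referral instead of an answer.
        for child, rrsets in self.records.items():
            if child != self.zone and "NS" in rrsets and (
                    name == child or name.endswith("." + child)):
                return {"aa": False, "rcode": "NOERROR", "answer": [],
                        "referral": [ns for _, ns in rrsets["NS"]]}
        rrsets = self.records.get(name)
        if rrsets is None:                          # NXDOMAIN: no such name at all
            return {"aa": True, "rcode": "NXDOMAIN", "answer": [], "referral": []}
        rtype = qtype if qtype in rrsets else "CNAME"   # an alias answers any type
        answer = [(rtype, ttl, rd) for ttl, rd in rrsets.get(rtype, [])]
        return {"aa": True, "rcode": "NOERROR", "answer": answer, "referral": []}


class Resolver:
    """Caching resolver that starts at the root hints and follows referrals."""
    NEGATIVE_TTL = 300          # stands in for the zone's SOA minimum (RFC 2308)

    def __init__(self, root_hints, servers, clock=time.monotonic):
        self.root_hints, self.servers, self.clock = root_hints, servers, clock
        self.cache = {}                     # (name, qtype) -> (expires_at, result)
        self.stats = {"queries_sent": 0, "cache_hits": 0}

    def resolve(self, name, qtype="A", _depth=0):
        """Return (rcode, [rdata, ...]); CNAME chains are followed transparently."""
        key = (name, qtype)
        if key in self.cache and self.cache[key][0] > self.clock():
            self.stats["cache_hits"] += 1
            return self.cache[key][1]
        server = self.servers[self.root_hints[0]]
        for _ in range(16):                 # bound the referral chase
            self.stats["queries_sent"] += 1
            resp = server.query(name, qtype)
            if resp["referral"]:            # iterate: ask the delegated server next
                server = self.servers[resp["referral"][0]]
                continue
            if resp["answer"] and resp["answer"][0][0] == "CNAME" and qtype != "CNAME":
                if _depth > 8:
                    raise RuntimeError("CNAME loop for " + name)
                result = self.resolve(resp["answer"][0][2], qtype, _depth + 1)
            else:
                result = (resp["rcode"], [rd for _, _, rd in resp["answer"]])
            # Negative answers are cached too, so repeated misses stay cheap.
            ttl = min([t for _, t, _ in resp["answer"]] or [self.NEGATIVE_TTL])
            self.cache[key] = (self.clock() + ttl, result)
            return result
        raise RuntimeError("referral chain too long for " + name)


def reverse_name(ip):
    """Build the in-addr.arpa name used for a reverse (PTR) lookup of an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


# Constructed zones: root -> com -> example.com, and root -> arpa (flattened).
SERVERS = {
    "a.root.test.": Server(".", {
        ".": {"NS": [(518400, "a.root.test.")]},
        "com.": {"NS": [(172800, "a.gtld.test.")]},
        "arpa.": {"NS": [(172800, "a.arpa.test.")]}}),
    "a.gtld.test.": Server("com.", {
        "com.": {"NS": [(172800, "a.gtld.test.")]},
        "example.com.": {"NS": [(172800, "ns1.example.com.")]}}),
    "ns1.example.com.": Server("example.com.", {
        "example.com.": {"NS": [(3600, "ns1.example.com.")]},
        "www.example.com.": {"A": [(60, "192.0.2.10")]},
        "ftp.example.com.": {"CNAME": [(3600, "www.example.com.")]}}),
    "a.arpa.test.": Server("arpa.", {      # real deployments delegate this further
        "arpa.": {"NS": [(172800, "a.arpa.test.")]},
        "10.2.0.192.in-addr.arpa.": {"PTR": [(3600, "www.example.com.")]}}),
}
ROOT_HINTS = ["a.root.test."]
```

Resolving www.example.com. costs three queries (root, com, example.com); a second lookup within the 60-second TTL is served from the cache, and after the TTL passes the three queries are repeated. A lookup of a name that does not exist returns NXDOMAIN, a lookup of an existing name for a type it lacks returns NOERROR with no records, and both are cached for NEGATIVE_TTL.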

Understanding the FAT File Systems

The FAT file system was introduced with the MS-DOS operating system (OS), when hard disks were generally much smaller and folder structures were not as intricate as they are on networks today. FAT has continued to be supported by every Microsoft OS since. The original FAT16 implementation could only support a maximum partition size of 2 GB, so where a computer's hard disk was larger than 2 GB you had to divide the drive into a number of smaller partitions, each no larger than 2 GB. The FAT file system protects its allocation data by storing two copies of the file allocation table on the volume; if one copy is corrupt, the other copy is used. The location of the file allocation table is specified in the BIOS Parameter Block (BPB) of the FAT boot sector, and it is stored on the volume at a fixed byte offset, which ensures that any files needed to start the system can be found. The number in the name of each FAT variant is the number of bits used for a file allocation table entry: FAT12 uses 12-bit entries, FAT16 uses 16-bit entries, and FAT32 uses 32-bit entries (of which 28 bits hold the cluster number). FAT16 works effectively on small disks with uncomplicated folder structures, while FAT32 works effectively on large disks with intricate folder structures. FAT16 behaves identically in MS-DOS, Windows 3.x, Windows 95, Windows 98 and Windows 2000. FAT32 was introduced with the second OEM Service Release of Windows 95 (Windows 95 OSR2) and behaves the same in Windows 95 OSR2, Windows 98 and Windows 2000.

The FAT16 File System


The FAT16 file system is compatible with the majority of operating systems: MS-DOS, Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000 and Windows XP can all use it. FAT16 generally manages disk space well when the volume is smaller than 256 MB. You should refrain from using FAT16 on volumes larger than 512 MB, and it cannot be used at all on volumes larger than 4 GB. FAT16 maps clusters on the FAT partition. A cluster is the smallest unit that the OS uses when it assigns space on the partition; it is also referred to as an allocation unit. The file allocation table marks each cluster in the partition as one of the following:

- Unused
- In use by a file (the entry holds the number of the file's next cluster)
- Bad cluster
- Last cluster in a file

A FAT16 volume is laid out as follows:

- Boot sector on the system partition
- The primary file allocation table
- The copy or duplicate file allocation table
- The root folder
- Other folders and all files

The root folder holds an entry for each file and folder stored on the FAT16 volume, and its maximum number of table entries is fixed at 512 for each disk drive. A file's or folder's entry contains the information listed below:

- Name: in 8.3 format
- Attribute: 8 bits
- Create time: 24 bits
- Create date: 16 bits
- Last access date: 16 bits
- Last modified time: 16 bits
- Last modified date: 16 bits
- Starting cluster number in the file allocation table: 16 bits
- File size: 32 bits

The Attribute byte in a folder entry indicates what kind of entry it is and is generally controlled by the OS. Four bits of the attribute byte can be enabled or disabled by the user. These are:

- Archive, System, Hidden, Read-only

Files are allocated the first available location on the FAT16 volume. The address of the first cluster used by the file is the starting cluster number in the file allocation table. Each cluster's table entry also holds a pointer to the next cluster in the file. The entry for the cluster at the end of the file instead contains a hex indicator (the end-of-file marker) showing that this particular cluster is the last one in the file. A few disadvantages associated with the FAT16 file system are summarized below:

- The FAT16 file system has no local security for the file system or compression features.
- The boot sector is not backed up.
- The root folder can only have a maximum of 512 entries, which means that files with long names can greatly decrease the number of entries available.
- FAT16 does not work well with large volume sizes.
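As an added example (not code from the original page), the following Python parses one 32-byte FAT16 directory entry with the fields listed above and then follows the file's cluster chain through a FAT, classifying each table entry as unused, in use, bad or last. The sample entry and the two FAT tables are constructed by hand; the looping table shows why a reader must guard against a corrupt or crafted image.

```python
"""Parse a FAT16 directory entry and walk a file's cluster chain.

Added example, not code from the page: the 32-byte entry layout and the
four FAT entry states follow the FAT16 description above. The sample
entry and tables below are constructed by hand.
"""
import struct
from datetime import datetime

# Attribute bits a user can toggle, per the description above.
ATTR_READ_ONLY, ATTR_HIDDEN, ATTR_SYSTEM, ATTR_ARCHIVE = 0x01, 0x02, 0x04, 0x20

# 32-byte entry: 8.3 name, attribute byte, NT reserved byte, creation time
# tenths (together with the next word this is the 24-bit create time),
# create date, last access date, high cluster word (unused on FAT16),
# last modified time, last modified date, 16-bit starting cluster,
# 32-bit file size.
_ENTRY = struct.Struct("<11sBBBHHHHHHHI")


def _decode_timestamp(date_raw, time_raw, tenths=0):
    """Decode a FAT date (7-bit year from 1980, month, day) and 2-second time."""
    try:
        return datetime(1980 + (date_raw >> 9), (date_raw >> 5) & 0x0F,
                        date_raw & 0x1F, time_raw >> 11, (time_raw >> 5) & 0x3F,
                        (time_raw & 0x1F) * 2 + tenths // 100)
    except ValueError:
        return None  # zeroed or garbage fields; do not trust them


def parse_dir_entry(raw):
    """Return a dict describing one 32-byte FAT16 directory entry."""
    if len(raw) != _ENTRY.size:
        raise ValueError("a FAT16 directory entry is exactly 32 bytes")
    (name, attr, _ntres, crt_tenth, crt_time, crt_date, _acc_date, _clus_hi,
     wrt_time, wrt_date, clus_lo, size) = _ENTRY.unpack(raw)
    base = name[:8].decode("latin-1").rstrip()
    ext = name[8:].decode("latin-1").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "read_only": bool(attr & ATTR_READ_ONLY),
        "hidden": bool(attr & ATTR_HIDDEN),
        "system": bool(attr & ATTR_SYSTEM),
        "archive": bool(attr & ATTR_ARCHIVE),
        "created": _decode_timestamp(crt_date, crt_time, crt_tenth),
        "modified": _decode_timestamp(wrt_date, wrt_time),
        "start_cluster": clus_lo,
        "size": size,
    }


def classify_entry(value):
    """Map a 16-bit FAT entry to the four states listed above."""
    if value == 0x0000:
        return "unused"
    if value == 0xFFF7:
        return "bad"
    if value >= 0xFFF8:
        return "last"          # end-of-file marker
    return "in use"            # the value is the next cluster number


def cluster_chain(fat, start):
    """Return the ordered clusters of the file starting at `start`.

    `fat` is a list of 16-bit entries indexed by cluster number. Raises
    ValueError when the chain leaves the table, hits a free or bad
    cluster, or loops; a naive reader would spin forever on an image
    whose FAT points a cluster back at an earlier one.
    """
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= len(fat) or cur in seen:
            raise ValueError(f"invalid or looping chain at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        state = classify_entry(fat[cur])
        if state == "last":
            return chain
        if state != "in use":
            raise ValueError(f"cluster {cur} is {state}; chain is corrupt")
        cur = fat[cur]


def chain_is_valid(fat, start):
    """True when the chain from `start` terminates cleanly."""
    try:
        cluster_chain(fat, start)
        return True
    except ValueError:
        return False


# Constructed sample: REPORT.TXT, Archive + Read-only, last modified
# 2003-04-15 09:30:00, starting at cluster 3, 1500 bytes long.
SAMPLE_ENTRY = _ENTRY.pack(
    b"REPORT  TXT", ATTR_ARCHIVE | ATTR_READ_ONLY, 0, 0, 0, 0, 0, 0,
    (9 << 11) | (30 << 5) | 0, ((2003 - 1980) << 9) | (4 << 5) | 15, 3, 1500)

# Constructed FAT16 table: entries 0 and 1 are the reserved media/EOC words,
# the file occupies 3 -> 5 -> 6, cluster 4 is marked bad, 2 and 7 are free.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 0x0000, 0x0005, 0xFFF7, 0x0006, 0xFFFF, 0x0000]

# Constructed corrupt table: cluster 5 points back at cluster 3.
LOOPING_FAT = [0xFFF8, 0xFFFF, 0x0000, 0x0005, 0xFFF7, 0x0003]

if __name__ == "__main__":
    entry = parse_dir_entry(SAMPLE_ENTRY)
    print(entry["name"], entry["size"], cluster_chain(SAMPLE_FAT, entry["start_cluster"]))
    print("looping image detected:", not chain_is_valid(LOOPING_FAT, 3))
```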

The FAT32 File System


The FAT32 file system can handle larger partitions than what the FAT16 file system can handle. FAT32 can support partitions up to 2047 GB in size compared to FAT16's 4 GB. With FAT32, there is no restriction on the number of entries that the root folder can contain. With FAT16, the root folder could only contain a maximum of 512 entries. The boot sector is also backed up on FAT32 volumes. A FAT32 volume must however have a minimum of 65,527 clusters. The FAT32 architecture is very much like the architecture of the FAT16 file system. FAT32 was designed with little architectural changes to ensure compatibility with existing programs and device drivers. What this means is that device drivers and FAT tools used for FAT16 partitions would continue to work for FAT32 partitions.

FAT32 does however need 4 bytes in the file allocation table to store cluster values. This has led to the revision or expansion of internal data structures, on-disk data structures and published APIs. A few disadvantages associated with the FAT32 file system are summarized below:

- Like the FAT16 file system, the FAT32 file system includes no local security for the file system or compression features.
- The MS-DOS, Windows 95, and Windows NT 4.0 OSs are unable to access or read FAT32 partitions.
- Both FAT16 and FAT32 partitions do not scale well: the file allocation table increases in size as the volume grows.

An Overview of NTFS
In order to store data on a local partition on a Windows server, you have to format it with a file system. The file system that you use influences the manner in which data is stored on the disk. It also specifies the security that can be defined for folders and files stored on the partitions. Although Windows servers offer support for the File Allocation Table (FAT) file system, NT file system (NTFS), and CDFS (Compact Disc File System), the file systems generally utilized by local partitions are the FAT file system and the NTFS file system.

The FAT partitions utilized by operating systems such as Microsoft DOS, Windows 95, Windows 98, and Windows Me do not allow you to specify security for the file system after a user has logged on. What this means is that any data stored in a FAT partition is available to each user that shares the same computer. The FAT file system also includes no support for file compression or encryption. You cannot store Macintosh files on FAT partitions. Because Windows 2000, Windows XP and Windows Server 2003 support FAT32, you may choose to configure FAT32 partitions if you need dual-boot capability with Windows 95, Windows 98 and Windows Me.

NTFS partitions, on the other hand, enable you to specify security for the file system after a user has logged on. NTFS permissions control the access users and groups have to files and folders on NTFS partitions. You can set an access level for each particular user to the folders and files hosted on NTFS partitions. You can allow access to the NTFS files and folders, or you can deny access to the NTFS files and folders. In this manner, NTFS supports local security. The NTFS file system also includes other features such as encryption, disk quotas, file compression, mounted drives, the NTFS change journal, and multiple data streams. You can also store Macintosh files on NTFS partitions.

Comparing NTFS 4.0 and NTFS 5.0


The two available versions of NTFS are:

NTFS 4.0: This is the version of NTFS utilized with Windows NT 4.0. Even though it supports access control on files and folders, it does not support the majority of Windows 2000 and Windows Server 2003 file system features. It does however include support for file compression.

NTFS 5.0: This version of NTFS supports all the previously mentioned features of the NTFS file system. NTFS version 5.0 is utilized with Windows 2000 and Windows Server 2003. Windows NT 4.0 systems that are running Service Pack 4 or later are able to access NTFS 5.0 files and folders.

The key differences between NTFS 4.0 and NTFS 5.0 are summarized below:

Maximum volume size:
- NTFS 4.0: 32 GB
- NTFS 5.0: 2 terabytes on Master Boot Record (MBR) disks, and 18 exabytes on GUID Partition Table (GPT) disks.

Maximum file size:
- NTFS 4.0: 32 GB
- NTFS 5.0: limited only by the size of the volume.

Support for advanced file access permissions:
- NTFS 4.0: Yes
- NTFS 5.0: Yes

Support for file compression:
- NTFS 4.0: Yes
- NTFS 5.0: Yes

Support for encryption, disk quotas, sparse files, remote storage and Active Directory structures:
- NTFS 4.0: No
- NTFS 5.0: Yes

NTFS File and Folder Permissions


The main feature of the NTFS file system is that you can define local security for files and folders stored on NTFS partitions. You can specify access permissions on files and folders which control which users can access the NTFS files and folders. You can also specify what level of access is allowed for each user or group. NTFS enables you to specify more precise permissions than share permissions do: share permissions can only be set on folders, whereas NTFS permissions can be set for both folders and files. On NTFS partitions, permissions apply both to users who access the computer locally and to users who access an NTFS folder that has been shared over the network.

By default, permissions on NTFS volumes are inheritable. What this means is that files and subfolders inherit permissions from their parent folder. You can however configure files and subfolders not to inherit permissions from their parent folder. You can specify NTFS permissions at the file level and the folder level. The NTFS permissions that can be set at the folder level are listed below:

- Full Control: Enables a user to view or change a folder's attributes and permissions, and to take ownership. A user is also able to create, modify and delete folders. Users can also traverse folders and execute program files stored in a folder. The Full Control permission allows users to compress files as well.
- Read and Execute: The rights enabled by this permission include traversing folders and executing files in the folders, listing a folder's contents, and viewing the attributes of folders.
- Write: Users are able to create new folders, new subfolders and new files in the folders. A user is also able to change a folder's attributes.
- List Folder Contents: Users are able to traverse folders, list the contents of the folder, and view a folder's attributes.
- Modify: A user can change the properties of a folder, create new folders, and also delete folders.
- Read: This permission enables a user to view the folder, and any subfolders and files stored within the folder.

The NTFS permissions that can be set at the file level are listed below:

- Full Control: Enables a user to view or change a file's attributes, create and delete files, compress files, view the attributes of files, and add data to files. A user can also execute files.
- Read and Execute: The rights enabled by this permission include executing files in the folders, and viewing the attributes of files.
- Write: Users are able to create new files, change a file's attributes, write data to files, view file ownership and permissions, and overwrite files.
- Modify: A user can change the properties of a file, create new files, delete files, write data to files, and view the attributes of files.
- Read: This permission enables a user to view files and the files' attributes.

With Windows Server 2003, basic NTFS permission settings are assigned for five default users and groups when a new NTFS partition is created. The users/groups and the default permissions created for them are summarized below:

- Administrators: Full Control (Allow)
- System: Full Control (Allow)
- Users: Read (Allow), Read and Execute (Allow), List Folder Contents (Allow)
- Creator Owner: No default permissions set
- Everyone: No default permissions set

Before you can apply NTFS permissions, you have to format the disk partition as an NTFS partition. NTFS permissions are applied through Windows Explorer. You simply have to right-click the particular file or folder that you want to control access to and select Properties from the shortcut menu. The Properties dialog box of NTFS files and folders contains a Security tab. This is the tab used to apply NTFS permissions.

How to configure NTFS permissions for files and folders on NTFS partitions

1. Navigate to Windows Explorer.
2. Right-click the particular file or folder that you want to control access to, and click Properties from the shortcut menu.
3. When the Properties dialog box of the folder/file opens, click the Security tab.
4. If you want to specify new permissions, click the Add button.
5. The Select Users, Computers, Or Groups dialog box opens next. In the Enter The Object Names To Select section of the dialog box, insert the name of the user/group that you want to specify permissions for.
6. Click OK.
7. When the Security tab appears, highlight the user or group in the topmost box, and then set the permissions that should be applied for that particular user or group.
8. Click OK.

How to configure permission inheritance


Click the Advanced button on the Security tab to access the Advanced Security Settings dialog box. This is where you configure permission inheritance. You can set the following permission inheritance options:

- Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
- Replace permission entries on all child objects with entries shown here that apply to child objects.

When you clear the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here checkbox, a security dialog box is displayed. The security dialog box allows you to either completely remove the existing inherited permissions, or change the existing inherited permissions to explicit permissions.

How to configure NTFS special permissions


NTFS special permissions enable administrators to set precise user access permissions for NTFS files and folders. Special permissions are the result of the basic file and folder permissions being split further into more precise or specific permissions. NTFS special permissions are also referred to as NTFS advanced permissions. You can specify NTFS special permissions by clicking the Advanced button on the Security tab of the file's or folder's Properties dialog box. The Advanced Security Settings dialog box opens. You can view existing special permission entries by selecting the particular user/group, and then clicking the Edit button. Clicking the Edit button opens the Permission Entry dialog box. This is where you can perform the following:

- The Change button can be used to modify the set of users or groups stored in the Name box.
- You can use the Allow checkbox and Deny checkbox to change the permission entries.
- The Apply Onto drop-down list box can be used to apply the special permissions to specific objects.

The NTFS special permissions are listed below:

- Full Control: The user can perform all the NTFS special permissions listed below.
- Traverse Folder/Execute File: Traverse Folder enables users to navigate through folders and files beneath the location at which the permission is applied. Execute File enables application programs to be run.
- List Folder/Read Data: List Folder either allows or denies the names of files and subfolders of a folder to be viewed. Read Data enables the data within the files to be read.
- Read Attributes: Either allows or denies the attributes of folders and files to be read.
- Read Extended Attributes: Either allows or denies the extended attributes of folders and files to be read.
- Create Files/Write Data: Create Files allows or denies new files to be created within folders. Write Data either allows or denies changes to be made to files, and files to be overwritten.
- Create Folders/Append Data: Either allows or denies new subfolders to be created within a folder, and allows or denies changes to be made to the end of a file.
- Write Attributes: Allows the attributes on a subfolder and file to be changed.
- Write Extended Attributes: Allows the extended attributes on a subfolder and file to be changed.
- Delete Subfolders and Files: Allows files and subfolders to be deleted even though the Delete permission is not granted on the subfolder or file.
- Delete: Enables files or folders to be deleted.
- Read Permissions: Allows the permissions that have been applied to folders and files to be viewed.
- Change Permissions: Allows the permissions that have been applied to folders and files to be changed.
- Take Ownership: Allows the user to change the owner of the file or folder.

How to determine NTFS effective permissions


You typically need to determine a user's effective permissions before you assign any other permissions to that user for a folder/file. A user's effective permissions are determined by:

- Individual user permissions
- Permissions inherited from parent folders
- Permissions inherited from group membership

You can view the effective permissions of a user on the Effective Permissions tab on the Advanced Security Settings dialog box.

1. Open Windows Explorer.
2. Right-click the particular file or folder and choose Properties from the shortcut menu.
3. When the Properties dialog box of the file/folder opens, click the Security tab.
4. To open the Advanced Security Settings dialog box, click the Advanced button.
5. When the Advanced Security Settings dialog box opens, click the Effective Permissions tab.
6. To specify the user or group that you want to determine effective permissions for, click Select, and enter the name of the particular user or group. Click OK.
7. The effective permissions for the user or group that you have chosen to view are displayed next.

How to determine NTFS permissions for copied or moved files


When you copy or move NTFS files to different locations, the NTFS permissions originally specified for the files can change in the new location. Whether the permissions change or not is determined by the following:

- Was the file moved to an NTFS volume, or to a partition that is not NTFS formatted, such as a FAT partition?
- Was the file copied to a different location on the same NTFS volume, or was it copied to a different NTFS volume?
- Was the file moved or copied?

You can use the rules detailed next to determine whether an NTFS file that is moved or copied retains its prior permissions:

- Files that are copied or moved to FAT partitions do not retain any of their prior NTFS permissions in the new location.
- Files that are moved from one folder to a different location on the same NTFS volume keep all their prior NTFS permissions.
- Files that are copied from one folder to a different location on the same NTFS volume inherit the NTFS permissions of the destination location or folder.
- Files that are moved from one location or folder to a folder on a different NTFS volume inherit the NTFS permissions of the destination location or folder.

How to configure folder and file auditing on NTFS partitions


Before you can configure folder and file auditing on NTFS partitions, auditing for object access (Audit Object Access) has to be enabled for the computer. You have to be a member of the local Administrators group to enable an audit policy on the local machine. If you want to set auditing policy via Active Directory, you must be a member of one of the following groups: Domain Admins or Enterprise Admins. After auditing for object access has been enabled, you can define the files or folders that should be audited, and specify the users and groups that should be tracked. You can audit events for success or failure. Use the steps below to configure NTFS folder and file auditing:

1. Right-click the folder or file you want to set auditing for and choose Properties from the shortcut menu.
2. Click the Security tab when the Properties dialog box of the file or folder opens.
3. Click the Advanced button.
4. When the Advanced Security Settings dialog box opens, click the Auditing tab.
5. Click the Add button to open the Select User, Computer, Or Group dialog box.
6. Insert the names of the users or groups whose actions you want to track. Click OK.
7. When the Auditing Entry For Data dialog box is displayed, select the events that should be audited.

Volume Shadow Copies Overview


Volume shadow copies, a new Windows Server 2003 feature, are used to create copies of files at a specific point in time or at a set time interval. Shadow copies can only be created on NTFS volumes, and they create automatic backups of files or data per volume. When enabled, the Shadow Copies feature protects you from accidentally losing important files in a network share. Remember that when users delete files over the network, those files are permanently deleted. Because shadow copies enable users to view previous versions of files, the feature allows them to restore a backup of deleted files. A few advantages of enabling volume shadow copies on shared folders are:

- If volume shadow copies are enabled for shared folders, you can restore or recover files which have been accidentally deleted or which have become corrupt. The prior versions of files can be copied to the same location, or to another location.
- Through volume shadow copies, you can recover files which have been overwritten when you need to use a previous version of the file.
- Volume shadow copies also enable you to compare changes between the current version of a file and a previous version of the file.
- The integrity of the previous file versions is maintained because they are read-only copies, which prevents any user from changing a file that was shadow copied. If users need to change a previous version of a file, they have to copy the version to a different location, and then make the necessary changes.

As mentioned previously, you can only configure volume shadow copies on NTFS volumes. The shadow copies feature is in fact a new NTFS feature introduced with Windows Server 2003. Shadow copies are used to create shadowed copies of files at a specified point in time and on a per-volume basis, which means that you configure shadow copies at the volume level. You cannot therefore specify only certain files and folders for volume shadow copies.

The main requirements for enabling the shadow copies feature are:

- Shadow copies must be configured on NTFS volumes, and on a per-volume basis.
- The NTFS volume that you want to configure for volume shadow copies must have 100MB of free volume space (minimum requirement). The maximum is 10% of the volume's free disk space, by default.

A few important points to consider when working with shadow copies are:

- Each volume enabled for shadow copies can only store 64 shadow copies. When this limit is reached on a volume, the oldest shadow copy is permanently deleted, and cannot be restored. You can therefore only view a maximum of 64 previous versions of files.
- Shadow copies should not be used to replace regular backups, but should be used to enhance the backup strategy of your organization.

Configuring Shadow Copies


To enable shadow copies on a volume:

- You must be a member of the Administrators group on the local machine.
- Shadow copies must be enabled on the server.

For clients to access shadow copies, they need to have the Previous Versions Client software installed. The software can be found in the %windir%\system32\clients\twclient folder. The software can be distributed or deployed via Group Policy or Systems Management Server (SMS), or you can create a share so that clients can download the necessary software. You can enable shadow copies through the Computer Management console, which can be accessed through the Administrative Tools folder. Shadow copies are enabled from the Shared Folders folder in the left pane of the Computer Management console. To navigate to the Shared Folders folder, expand System Tools. To open the Shadow Copies dialog box, right-click Shared Folders, select All Tasks, and then click the Configure Shadow Copies option on the shortcut menu. This is the location where you manage and configure the volume shadow copies feature. The Shadow Copies dialog box is made up of the following panes:

The uppermost pane of the Shadow Copies dialog box is where you enable shadow copies for the particular volume. To enable shadow copies, click the Enable button. If you do not want a volume to use shadow copies, click the Disable button. To change the configuration settings of existing enabled shadow copies, click the Settings button to open the Settings dialog box. The Settings dialog box is divided into the following two sections:

- Storage Area: This is where you change the storage location of shadow copies, and the amount of space used to store shadow copies.
- Schedule: This is where you configure how often, or when, shadow copies are to be created.

The settings which you can configure for enabled shadow copies in the Settings dialog box are:

- Location on this volume drop-down list box: This drop-down list box is used to specify the volume on the server on which the shadow copies are to be stored. In cases where only one volume exists, this is the volume which is automatically selected, and you are unable to select other volumes.
- Details button: Click this button to view information on the disk space available, and the total disk space.
- Maximum Size - No limit option: To specify that unlimited disk space can be used to store shadow copies, click the No limit option under the Maximum Size option.
- Maximum Size - Use Limit option: To specify the disk space which can be used to store shadow copies, click the Use Limit option under the Maximum Size option, and then set how much disk space, in megabytes (MB), can be used to store shadow copies.
- Schedule button: To specify the interval at which shadow copies are created, click the Schedule button. The intervals which can be set for when shadow copies are created are: Daily, Weekly, Monthly, Once, At System Startup, At Logon, and When idle.

The bottom pane of the Shadow Copies dialog box displays a list of all the existing shadow copies which have been created.

How to enable shadow copies


1. Click Start, Programs, Administrative Tools, and then click Computer Management.
2. Expand the System Tools node in the left pane of the console to navigate to the Shared Folders folder.
3. Right-click Shared Folders, select All Tasks, and then select Configure Shadow Copies from the shortcut menu. The Shadow Copies dialog box opens next.
4. Choose the specific volume for which you want to enable shadow copies, and then click the Enable button.
5. The Enable Shadow Copies message box displays, prompting you to verify that shadow copies should be enabled for the particular volume. The message also informs you that the default settings will be utilized for the particular shadow volume. Click Yes to continue with enabling shadow copies.
6. After you have enabled shadow copies, click the Settings button on the Shadow Copies tab to configure settings for the shadow copies.
7. Select either the Maximum Size option's No Limit option, or the Use Limit option, to configure the disk space which can be used to store shadow copies.
8. Click the Schedule button to create a schedule which defines when shadow copies are created.
9. Click New in the dialog box that opens to define a new schedule for the shadow copies. From the Schedule Task drop-down list box, choose one of the following intervals: Daily, Weekly, Monthly, Once, At System Startup, At Logon, or When idle. The default schedule used to create the shadow copies specifies that they are created Monday through Friday, two times a day (7:00 A.M. and 12:00 P.M.).
10. After you have configured the schedule for the shadow copies, click OK.
11. To close the Shadow Copies dialog box, click OK.

How to manually create the first shadow copy


1. Click Start, Programs, Administrative Tools, and then click Computer Management.
2. To connect to the computer which you want to work with, right-click Computer Management in the left pane, and select Connect To Another Computer on the shortcut menu. When the Select Computer dialog box opens, select the computer.
3. In the left pane, expand the Storage node, and select Disk Management. All the volumes on the computer are listed in the details pane.
4. Right-click the appropriate volume, and click Properties on the shortcut menu.
5. On the Shadow Copies tab, choose the volume in the Select A Volume listing, and then click the Settings button.
6. Configure all necessary settings for the shadow copies in the Settings dialog box, and click OK.
7. On the Shadow Copies tab, click the Create Now button to force the creation of the first shadow copy.
8. Click OK.

How to install the client software for shadow copies


For clients to access shadow copies, they need to have the Previous Versions Client software installed. The software can be found in the %windir%\system32\clients\twclient folder. You can use one of the methods listed below to install the Previous Versions Client software through a Windows Installer Package on client computers:

- Double-clicking the Windows Installer Package launches a wizard which allows the user to install the Previous Versions Client software.
- You can use the software deployment feature of Group Policy to install the software on client computers.
- You can create a share, copy the Windows Installer Package to the shared folder, and inform clients to download the necessary software.
- You can use Systems Management Server (SMS).

How to access previous versions of a file


To access previous versions of a file, access the Properties of the particular folder or file through a shared folder, and then select the Previous Versions tab. The Previous Versions tab lists the previous versions of the file. This Previous Versions tab is only displayed if you have enabled the shadow copies feature on the particular server, and if you access the Properties of the particular folder or file through a shared folder. You cannot view the Previous Versions tab if the file is located on the local hard drive. The tasks which can be performed from the Previous Versions tab are:

- To view a read-only previous version of a specific file, click the View button on the Previous Versions tab.
- To copy a previous version of a particular file to a different location, click the Copy button on the Previous Versions tab. When the Copy Items dialog box opens, specify the location to which you want to copy the previous version of the file.
- To replace the current version of a particular file with a previous version of the file, click the Restore button on the Previous Versions tab. Click Yes to the message which appears, warning you that the current version of the file will be replaced with this particular previous version of the file.

To access shadow copies from a client that has the Previous Versions Client software installed:

1. Open Windows Explorer.
2. Right-click the particular network share, and then click Properties from the shortcut menu.
3. Click the Previous Versions tab.
4. Click the previous version which you want to work with, and then select one of the following buttons:
   - Click View to view a previous file version.
   - Click Copy to copy the shadow copy to a different location.
   - Click Restore to replace the existing version with a previous version.

How to install the Previous Versions Client software and view files from shadow copies

1. Open Windows Explorer.
2. Navigate to the system32\clients\twclient folder on the server to access the Windows Installer package.
3. Double-click the Windows Installer package. The Previous Versions Client Wizard launches next.
4. On the initial page of the Wizard, click Next to install the Previous Versions Client software.
5. Once the Previous Versions Client software is installed, access the Properties of the particular folder or file through a shared folder.
6. Click the Previous Versions tab.
7. Choose the previous version of the file that you want to work with, and click the View button.

How to delete a shadow copy


1. Click Start, Programs, Administrative Tools, and then click Computer Management.
2. To connect to the computer which you want to work with, right-click Computer Management in the left pane, and select Connect To Another Computer on the shortcut menu. When the Select Computer dialog box opens, select the computer.
3. In the left pane, expand the Storage node, and select Disk Management. All the volumes on the computer are listed in the details pane.
4. Right-click the appropriate volume, and click Properties on the shortcut menu.
5. On the Shadow Copies tab, choose the volume in the Select A Volume listing. The Shadow Copies Of Selected Volume area displays all the shadow copies of the volume which you have selected.
6. Select the shadow copy that must be deleted, and click the Delete Now button.

How to disable shadow copies


1. Click Start, Programs, Administrative Tools, and then click Computer Management.
2. To connect to the computer which you want to work with, right-click Computer Management in the left pane, and select Connect To Another Computer on the shortcut menu. When the Select Computer dialog box opens, select the computer.
3. In the left pane, expand the Storage node, and select Disk Management.
4. Right-click the appropriate volume, and click Properties on the shortcut menu.
5. On the Shadow Copies tab, select the volume in the Select A Volume listing, and then click the Disable button.
6. Click Yes to verify that you want to disable shadow copies.

How to manage shadow copies from the command-line


Shadow copies can also be managed from the command line with the Vssadmin tool. Its syntax and parameters are:

vssadmin [Add ShadowStorage] [Create Shadow] [Delete Shadows] [Delete ShadowStorage] [List Providers] [List Shadows] [List ShadowStorage] [List Volumes] [List Writers] [Resize ShadowStorage]

- Add ShadowStorage; sets the location where the shadow copies of a particular volume are stored.
- Create Shadow; forces the creation of a shadow copy.
- Delete Shadows; deletes a particular shadow copy (by its Shadow Copy ID), the oldest shadow copy of a volume, or all shadow copies of a volume.
- Delete ShadowStorage; removes the association between a volume and the location that stores its shadow copies.
- List Providers; lists the registered shadow copy providers.
- List Shadows; lists all existing shadow copies, including their IDs, the original volume, and the creation time.
- List ShadowStorage; lists the storage associations, that is, which volume stores the shadow copies of which volume and how much space is reserved.
- List Volumes; lists the volumes that are eligible for shadow copies.
- List Writers; lists the registered shadow copy writers, that is, the applications that coordinate with the shadow copy service.
- Resize ShadowStorage; changes the maximum space available for storing shadow copies.
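As an added example (not from the original article), the following Python script parses the output of `vssadmin list shadows` so that the Shadow Copy IDs belonging to one volume can be identified before they are passed to `vssadmin delete shadows /shadow={ID}`. The sample output embedded in the script is constructed for the example (the host name and GUIDs are made up); the layout follows the real tool's output. The `run_vssadmin` helper is an assumption about how you would obtain live output on the server and is not exercised offline.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample of `vssadmin list shadows` output: host name and GUIDs
# are made up, the layout mirrors the real tool (two shadow copy sets).
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 3/2/2009 7:00:02 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{c0000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: FS01
         Service Machine: FS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 2 shadow copies at creation time: 3/3/2009 7:00:05 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000002}
         Original Volume: (C:)\\?\Volume{c0000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: FS01
         Service Machine: FS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000003}
         Original Volume: (D:)\\?\Volume{d0000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: FS01
         Service Machine: FS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
"""


@dataclass
class ShadowCopy:
    shadow_id: str
    set_id: str
    created: str
    volume: str = ""        # drive letter, e.g. "C:"
    volume_path: str = ""   # \\?\Volume{...}\ form
    device: str = ""        # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    machine: str = ""
    provider: str = ""
    attributes: list = field(default_factory=list)


FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s*(.*)$")   # "Key: value" lines only
VOLUME_RE = re.compile(r"^\(([A-Za-z]:)\)(.*)$")            # "(C:)\\?\Volume{...}\"


def parse_list_shadows(text):
    """Turn `vssadmin list shadows` output into ShadowCopy records."""
    copies, set_id, created, current = [], None, None, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # banner, copyright and blank lines
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Contents of shadow copy set ID":
            set_id = value
        elif key.startswith("Contained"):  # "Contained N shadow copies at creation time"
            created = value
        elif key == "Shadow Copy ID":
            current = ShadowCopy(shadow_id=value, set_id=set_id, created=created)
            copies.append(current)
        elif current is None:
            continue
        elif key == "Original Volume":
            vm = VOLUME_RE.match(value)
            if vm:
                current.volume, current.volume_path = vm.group(1).upper(), vm.group(2)
            else:
                current.volume_path = value   # volume without a drive letter
        elif key == "Shadow Copy Volume":
            current.device = value
        elif key == "Originating Machine":
            current.machine = value
        elif key == "Provider":
            current.provider = value.strip("'")
        elif key == "Attributes":
            current.attributes = [a.strip() for a in value.split(",")]
    return copies


def shadows_for_volume(text, drive):
    """All shadow copies whose original volume is the given drive letter."""
    drive = drive.upper().rstrip("\\")
    return [c for c in parse_list_shadows(text) if c.volume == drive]


def delete_commands(text, drive):
    """One `vssadmin delete shadows` command per copy, so each deletion is reviewed
    and confirmed individually instead of using /all."""
    return [f"vssadmin delete shadows /shadow={c.shadow_id}"
            for c in shadows_for_volume(text, drive)]


def run_vssadmin(*args):
    # Assumption: executed on the Windows server from an elevated prompt.
    return subprocess.run(["vssadmin", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for c in parse_list_shadows(SAMPLE_OUTPUT):
        print(c.volume, c.shadow_id, c.created, c.device)
    print("\n".join(delete_commands(SAMPLE_OUTPUT, "C:")))
```

On a live server replace `SAMPLE_OUTPUT` with `run_vssadmin("list", "shadows")`; the records also give you the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` device path, which is what you would mount or copy from when recovering a previous version by hand.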

Shadow Copies Best Practices


The factors to remember when working with shadow copies, and a few shadow copies best practices, are summarized below:

- Shadow copies are not a replacement for regular backups. They live on the same server, and usually on the same disks, as the data they protect, so continue to perform regular backups of the system.
- Do not use shadow copies on dual-boot computers. A previous version can be corrupted if the computer is booted into an operating system other than Windows Server 2003. Enable shadow copies only on computers that run Windows Server 2003 exclusively.
- Size the disk space reserved for shadow copies carefully. If the limit is too small, older shadow copies are purged to make room for new ones and you end up with fewer previous versions than you expect.
- Mounted drives are excluded when shadow copies are created.
- Base the shadow copy schedule on when users actually change files. For instance, it is unnecessary to schedule shadow copies over the weekend if files are not modified during that time frame.
- Do not schedule shadow copies more often than once per hour. The frequency at which shadow copies are created directly affects how much of the reserved space is used, and there is a fixed upper limit (64 in Windows Server 2003) on the number of shadow copies kept per volume.
- The contents of a shadow copy cannot be edited; to change data you must restore the shadow copy (or the file) and modify the live copy.
- A restored file keeps its existing file permissions. A deleted file that is recovered receives the default permissions of the directory it is recovered into.
- Delete the shadow copy schedule before you disable shadow copies on a volume.

IPSec Overview
IPSec is a suite of protocols designed by the Internet Engineering Task Force (IETF) to protect data by signing and encrypting it before it is transmitted over untrusted networks. IETF Requests for Comments (RFCs) 2401 through 2409 define the IPSec protocols: the security protocols, security associations and key management, and the authentication and encryption algorithms. IPSec is a framework of open standards for protecting IP traffic in networking environments. It works by encapsulating IP datagrams in additional headers that carry integrity information and, optionally, encrypted content. This provides network-level data integrity, data confidentiality, data origin authentication, and replay protection.

The primary features of IPSec are:

- Authentication; protects the private network and the data it carries. IPSec protects against man-in-the-middle attacks, against attackers attempting to join the network as a trusted host, and against an attacker changing the contents of packets in transit.
- Encryption; conceals the actual content of packets so that it cannot be read by unauthorized parties.
- Packet filtering; IPSec can permit, block, or protect traffic based on addresses, protocols, and ports.
- IPSec can authenticate traffic between two hosts and encrypt the traffic passed between them, can be used to create a virtual private network (VPN), and can secure communication between remote offices and remote access clients over the Internet.

IPSec operates at the network layer to provide end-to-end protection. Data is protected at the source computer and is only decrypted and verified at the destination. All intermediate systems, such as routers, treat the protected portion of the packet as opaque payload and merely forward it; they do not decrypt it. IPSec sits between the TCP/UDP transport layer and the Internet layer, and is applied transparently to applications and users. This means that IPSec can protect most protocols in the TCP/IP suite, and every application that uses TCP/IP benefits without per-application configuration. Using rules and filters, IPSec inspects network traffic, selects the required security protocols, determines which algorithms to use, and applies the cryptographic keys required by those services.

The security features of IPSec can be used to protect the private network and its confidential data from:

- Denial-of-service (DoS) attacks
- Data pilfering
- Data corruption
- Theft of user credentials

In Windows Server 2003, IPSec uses the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol to provide data security on:

- Client computers
- Domain servers
- Corporate workgroups
- Local area networks (LANs)
- Wide area networks (WANs)
- Remote offices

The security functions and features provided by IPSec are summarized below:

- Authentication; the identity of the peer is verified when the security association is set up. IPSec in Windows Server 2003 can use Kerberos, a preshared key, or digital certificates for this authentication.
- Data integrity; a keyed hash is used to ensure that data is not tampered with. A hash message authentication code (HMAC) is calculated over the protected part of each packet. If a packet is modified in transit, the HMAC calculated by the receiver no longer matches the one carried in the packet, and the packet is discarded.
- Data privacy; encryption algorithms are used to ensure that transmitted data is unreadable to anyone other than the intended recipient.
- Anti-replay; sequence numbers prevent an attacker from resending captured packets in an attempt to gain access to the private network.
- Nonrepudiation; when certificate authentication is used, public key digital signatures prove which party set up the session. Note that the per-packet HMAC uses a key shared by both peers, so it cannot by itself prove origin to a third party.
- Dynamic rekeying; new keys can be generated during a session so that different segments of the communication are protected with different keys, limiting the damage if any one key is compromised.
- Key generation; the Diffie-Hellman key agreement algorithm enables two computers to derive a shared secret over an untrusted network without ever transmitting that secret.
- IP packet filtering; the filtering capability of IPSec can be used to filter and block specific types of traffic, based on any combination of:
  - IP addresses
  - Protocols
  - Ports

What's New in Windows Server 2003 IPSec


A few new IPSec features have been added in Windows Server 2003, together with enhancements to IPSec features that existed in previous Windows operating systems:

- Windows Server 2003 includes the new IP Security Monitor tool, implemented as an MMC snap-in, which provides enhanced IPSec monitoring. With the IP Security Monitor tool you can:
  - Customize the IP Security Monitor display
  - Monitor IPSec information on the local computer
  - Monitor IPSec information on remote computers
  - View IPSec statistics
  - View information on IPSec policies
  - View security association information
  - View generic filters
  - View specific filters
  - Search for specific filters based on IP address
- IPSec can be configured with the Netsh command-line utility (the netsh ipsec context). Netsh replaces the Ipsecpol.exe command-line utility used previously.
- IPSec supports the Resultant Set of Policy (RSoP) feature of Windows Server 2003. RSoP calculates the policies that are actually applied to a particular user or computer by summing all Group Policy objects that apply to that user and computer in the domain, including all filters and exceptions. You can use the Resultant Set of Policy Wizard or the command line to view the IPSec policy that is in effect.
- IPSec integration with Active Directory lets you manage IPSec policies centrally.
- Kerberos V5 authentication is the default authentication method used by IPSec policies to verify the identity of computers.
- IPSec is backward compatible with the Windows 2000 security framework.
- If a local policy or Active Directory based policy cannot be applied to a computer, you now have the option of creating a persistent policy for that computer. The characteristics of persistent policies are:
  - Persistent policies can only be configured through the Netsh command-line utility.
  - A persistent policy is applied before local or Active Directory based policy and remains in effect even when those policies cannot be applied.
  - Persistent policies cannot be overridden.
- In Windows Server 2003 IPSec deployments, only Internet Key Exchange (IKE) traffic is exempt from IPSec by default. Previously, Resource Reservation Protocol (RSVP) traffic, Kerberos traffic, and IKE traffic were all exempt. The practical consequence is that Kerberos traffic to domain controllers is now subject to your IPSec filters and must be explicitly permitted or protected by policy, or domain authentication breaks.
- IPSec in Windows Server 2003 supports the Group 3 2048-bit Diffie-Hellman key exchange, which is much stronger than the previous Group 2 1024-bit exchange. If you need backward compatibility with Windows 2000 and Windows XP, you have to use the Group 2 1024-bit Diffie-Hellman key exchange.
- IPSec ESP packets can pass through Network Address Translation (NAT) by means of User Datagram Protocol Encapsulating Security Payload (UDP-ESP) encapsulation, also known as NAT traversal (NAT-T), in Windows Server 2003 IPSec deployments.

Understanding IPSec Terminology


This section of the article lists commonly used IPSec terminology and concepts:

- Authentication Header (AH): One of the two main IPSec security protocols. AH provides data origin authentication, data integrity, and anti-replay protection, and can be used on its own when integrity and authentication matter but confidentiality does not. AH does not encrypt, and therefore cannot provide data confidentiality. AH and ESP can be used separately or together.
- Encapsulating Security Payload (ESP): The other main IPSec security protocol. ESP provides data confidentiality through encryption, plus data integrity, data origin authentication, and optional anti-replay protection. Symmetric encryption algorithms are used for confidentiality.
- Certificate Authority (CA): An entity that issues, validates, and revokes digital certificates. A CA signs a certificate that binds the client's public key to its identity.
- Diffie-Hellman groups: The Diffie-Hellman key agreement protocol lets two computers derive a shared secret over an untrusted network; the session keys used to authenticate and encrypt IP datagrams are derived from that secret. The group determines the size of the modulus and therefore the strength of the exchange:
  - Group 1; 768-bit key strength
  - Group 2; 1024-bit key strength
  - Group 3; 2048-bit key strength
- Internet Key Exchange (IKE): The protocol computers use to create a security association (SA) and to exchange the information needed to generate Diffie-Hellman keys. IKE negotiates and manages cryptographic keys so that both computers arrive at a common set of security settings: the authentication method, the encryption algorithm, and the hashing algorithm to use.
- IPSec driver: Performs the packet-level work that enables secure network communication, including:
  - Creating IPSec packets
  - Generating checksums
  - Initiating IKE negotiation
  - Adding the AH and ESP headers
  - Encrypting data before it is transmitted
  - Calculating hashes and checksums for incoming packets
- IPSec policies: Define when and how data should be secured and which security methods are used to secure it. An IPSec policy contains:
  - Rules
  - Filter lists
  - Filter actions
- IPSec Policy Agent: A service on a computer running Windows Server 2003 that retrieves IPSec policy information from either the Windows registry or Active Directory and hands it to the IPSec driver.
- Oakley key determination protocol: The protocol, built on the Diffie-Hellman algorithm, by which two authenticated entities negotiate and agree on a secret key.
- Security Association (SA): A relationship between two devices that defines how they use security services and settings when communicating.
- Triple DES (3DES): A strong encryption algorithm supported on Windows clients and on Windows Server 2003 computers. 3DES applies DES three times with three 56-bit keys (168 bits of key material in total), which is why it is considerably stronger than single DES.

Understanding How IPSec Works


A security association (SA) has to be established between two computers before data can be passed securely between them. An SA is a relationship between two devices that defines how they use security services and settings; it provides the information the two computers need to communicate securely. The Internet Security Association and Key Management Protocol (ISAKMP) and the IKE protocol are the mechanism by which two computers establish security associations. While an SA is being established, the computers negotiate which security settings to use, and key material is exchanged so that the computers can communicate securely.

A security association (SA) contains the following:

- The policy agreement, which dictates the algorithms and key lengths the two computers will use to secure data.
- The security keys used to protect the data communication.
- The security parameters index (SPI), a value carried in every protected packet so that the receiver can look up the SA that applies to it.

With IPSec, two separate SAs are established, one for each direction of communication:

- One SA secures inbound traffic.
- One SA secures outbound traffic.

In addition, there is a separate SA for each IPSec security protocol in use (AH and ESP). There are two kinds of SA:

- ISAKMP SA: When IPSec needs to establish a connection between two computers, an ISAKMP SA (also called the main mode or phase 1 SA) is established first. The ISAKMP SA defines and protects the negotiation of security parameters between the two computers. The computers agree on:
  - Which connections should be authenticated.
  - The encryption algorithm to use.
  - The algorithm to use to verify message integrity.
  After these elements have been negotiated, the computers use the Oakley protocol to agree on the ISAKMP master key, the shared secret from which the keys used with the elements above are derived. Once this protected channel exists, the computers negotiate the following:
  - Whether the Authentication Header (AH) protocol should be used for the connection.
  - The integrity algorithm that should be used with AH for the connection.
  - Whether the Encapsulating Security Payload (ESP) protocol should be used for the connection.
  - The encryption algorithm that should be used with ESP for the connection.
- IPSec SA: IPSec SAs (also called quick mode or phase 2 SAs) pertain to the actual IP packets and define the security parameters used during the connection. The IPSec SA is derived from the four elements just negotiated between the two computers.

To protect data, IPSec uses cryptography to provide the following capabilities:

- Authentication: Verifying the identity of the computer sending the data, or the identity of the computer receiving it. The methods IPSec can use to authenticate the peers are:
  - Digital certificates: The most secure means of authenticating identities. Certificate authorities (CAs) such as Netscape, Entrust, VeriSign, and Microsoft provide certificates that can be used for authentication purposes.
  - Kerberos authentication: A downside of using the Kerberos V5 authentication protocol is that the identity of the computer is sent unencrypted during the IKE exchange, before the payload is encrypted.
  - Pre-shared keys: Should be used only when neither of the former authentication methods can be used, because the same secret has to be configured on every participating computer and anyone who reads the policy can read the key.
  In addition to authentication, IPSec can provide nonrepudiation: with certificate-based authentication, the sender of the data cannot at a later stage deny having sent it.
- Anti-replay: Sequence numbers and a receive window ensure that a packet captured on the network cannot be resent by an attacker and accepted as new.
- Data integrity: Ensuring that the data received has not been tampered with. A keyed hashing algorithm (HMAC) is used to detect modification of the data as it crosses the network. The hashing algorithms IPSec can use are:
  - Message Digest 5 (MD5); a one-way hash that produces a 128-bit digest, used for integrity checking.
  - Secure Hash Algorithm 1 (SHA1); produces a 160-bit digest and provides more security than MD5.
- Data confidentiality: IPSec ensures data confidentiality by encrypting data before it is sent over the network. If the data is intercepted, encryption ensures that the intruder cannot read it. IPSec can use the following encryption algorithms:
  - Data Encryption Standard (DES); the default encryption algorithm in Windows Server 2003, which uses a 56-bit key.
  - Triple DES (3DES); data is encrypted with one key, decrypted with a second key, and encrypted again with a third key, for 168 bits of key material.
  - 40-bit DES; the least secure encryption algorithm, retained only for compatibility.

Understanding the IPSec Modes


IPSec can operate in one of the following modes:

- Tunnel mode: Used to provide security for WAN and VPN connections that use the Internet as the connection medium. In tunnel mode, the entire original IP packet (IP header and payload) is protected and encapsulated inside a new IP packet whose outer IP header addresses the tunnel endpoints. The new packet is then sent over the network. Tunnel mode is typically used for the following configurations:
  - Server to server
  - Server to gateway
  - Gateway to gateway
  The communication process that occurs when tunnel mode is used is:
  1. A computer on the private network transmits data in unprotected IP datagrams.
  2. When the packets arrive at the router (the tunnel endpoint), the router encapsulates each packet using the IPSec security protocols.
  3. The router forwards the packet to the router at the other end of the connection.
  4. That router checks the integrity of the packet.
  5. The packet is decrypted.
  6. The original IP datagram is extracted and sent, unprotected, to the destination computer on the private network.
- Transport mode: The default mode of operation, in which only the IP payload is protected: signed by AH, or encrypted (and optionally signed) by ESP. The original IP header is kept and is used to route the packet. Transport mode is used for end-to-end security between two computers on the network.

IPSec Components
The two primary components installed when IPSec is deployed are:

- IPSec Policy Agent: A service on a computer running Windows Server 2003 that retrieves IPSec policy information from either the Windows registry or Active Directory. Its main functions are:
  - Passing policy information to the IPSec driver.
  - Reading IPSec policy information from the local Windows registry when the computer is not a member of a domain.
  - Reading IPSec policy information from Active Directory when the computer is a member of a domain.
  - Polling IPSec policies for configuration changes.
- IPSec driver: Performs the packet-level work that enables secure network communication, including:
  - Creating IPSec packets
  - Generating checksums
  - Initiating IKE negotiation
  - Adding the AH and ESP headers
  - Encrypting data before it is transmitted
  - Calculating hashes and checksums for incoming packets

Understanding the IPSec Protocols


As mentioned previously, the main IPSec security protocols are the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. The other IPSec protocols, ISAKMP, IKE, and Oakley, handle negotiation and key exchange and rely on the Diffie-Hellman algorithm.

Authentication Header (AH) Protocol


The AH protocol provides the following security services:

- Authentication
- Anti-replay
- Data integrity

AH ensures that data is not modified as it moves over the network and that it originated from the claimed sender. AH does not provide data confidentiality, because it does not encrypt the data in the IP packets. This means that if AH is used by itself, an intruder who captures the packets can read the data but cannot alter it without detection. AH can be combined with ESP when data confidentiality is also required.

When AH is used, the following happens:

1. One computer transmits data to another computer.
2. The IP header (its immutable fields), the AH header, and the data are authenticated by an integrity check value (ICV) to ensure integrity.
3. The AH header is inserted between the IP header and the IP payload to carry the authentication and integrity data.

Because the ICV covers the IP header, AH cannot pass through Network Address Translation: a NAT device rewrites the source or destination address, and the receiver's ICV check then fails.

The fields within an AH header, and the role performed by each, are:

- Next Header; the IP protocol ID of the payload that follows the AH header (for example 6 for TCP).
- Payload Length; the length of the AH header, expressed in 32-bit words minus 2.
- Reserved; set to zero.
- Security Parameters Index (SPI); together with the destination IP address and the security protocol, identifies the security association that applies to the packet.
- Sequence Number; provides anti-replay protection. The sequence number starts at 1 and is incremented by 1 in each subsequent packet on the SA. A packet whose sequence number has already been seen on the same security association is discarded.
- Authentication Data; holds the integrity check value (ICV) calculated by the sending computer. The receiving computer recalculates the ICV over the IP header (with mutable fields such as TTL and checksum zeroed), the AH header (with the Authentication Data field zeroed), and the IP payload, and compares the result with the value carried in the packet.

Encapsulating Security Payload (ESP) protocol


The ESP protocol provides the following security services:

- Authentication
- Anti-replay
- Data integrity
- Data confidentiality

The primary difference between AH and ESP is that ESP provides all the services provided by AH plus data confidentiality through encryption. ESP can be used on its own or together with AH. In transport mode, ESP protects only the IP payload; the IP header is neither encrypted nor covered by the ESP integrity check. If ESP is used together with AH, AH signs the entire packet, including the IP header. ESP inserts an ESP header before the payload and an ESP trailer after it, so that the two enclose the payload of the IP datagram. Everything after the ESP header up to and including the Padding, Pad Length, and Next Header fields of the trailer is encrypted; the ESP header and the Authentication Data are not.

The fields within an ESP header, and the role performed by each, are:

- Security Parameters Index (SPI); together with the destination IP address and the security protocol, identifies the security association that applies to the packet.
- Sequence Number; provides anti-replay protection. The sequence number starts at 1 and is incremented by 1 in each subsequent packet on the SA. A packet whose sequence number has already been seen on the same security association is discarded.

The fields within an ESP trailer, and the role performed by each, are:

- Padding; required by block ciphers so that the encrypted data ends on a cipher block boundary, and used to align the Pad Length and Next Header fields.
- Pad Length; the length in bytes of the Padding field.
- Next Header; the IP protocol ID of the original payload (for example 6 for TCP).
- Authentication Data; holds the integrity check value (ICV) calculated by the sending computer. The receiving computer recalculates the ICV over the ESP header, the encrypted payload, and the ESP trailer (but not the IP header), and compares the result with the value carried in the packet.
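The following Python script is an added example, not code from the original article, that puts the AH and ESP header layouts described above into practice: it builds and verifies an AH-protected packet, frames an ESP packet with the header, trailer and ICV (using NULL encryption, RFC 2410, so that the framing and integrity check can be shown without a cipher), and implements the anti-replay sliding window that the Sequence Number field feeds. HMAC-SHA1-96 is used for the ICV. The IPv4 header, key and payloads are constructed for the example; the mutable IP header fields are simply left zero rather than being zeroed by a real IP stack.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 truncated to 96 bits


def icv(key: bytes, data: bytes) -> bytes:
    """Integrity check value: HMAC-SHA1 truncated to 12 bytes."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


# Constructed 20-byte IPv4 header 10.0.0.1 -> 10.0.0.2, protocol 51 (AH). A real
# stack zeroes the mutable fields (TTL, checksum, ...) before computing the ICV;
# here they are already zero.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 0, 51, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

# --- Authentication Header (RFC 2402): ICV covers IP header + AH + payload ---
AH_FMT = "!BBHII"  # Next Header | Payload Len | Reserved | SPI | Sequence Number


def build_ah(key, spi, seq, next_header, ip_header, payload):
    payload_len = (struct.calcsize(AH_FMT) + ICV_LEN) // 4 - 2  # 32-bit words minus 2
    fixed = struct.pack(AH_FMT, next_header, payload_len, 0, spi, seq)
    # Authentication Data is zero while the ICV is computed
    tag = icv(key, ip_header + fixed + bytes(ICV_LEN) + payload)
    return ip_header + fixed + tag + payload


def verify_ah(key, packet, ip_header_len=20):
    """Return (ok, spi, seq, next_header, payload) for an AH packet."""
    ip_header, off = packet[:ip_header_len], ip_header_len
    fixed = packet[off:off + struct.calcsize(AH_FMT)]
    next_header, payload_len, _, spi, seq = struct.unpack(AH_FMT, fixed)
    ah_end = off + (payload_len + 2) * 4
    auth, payload = packet[off + len(fixed):ah_end], packet[ah_end:]
    expected = icv(key, ip_header + fixed + bytes(len(auth)) + payload)
    ok = hmac.compare_digest(expected, auth)  # constant-time comparison
    return ok, spi, seq, next_header, payload


# --- ESP (RFC 2406) with NULL encryption (RFC 2410): framing and ICV only ---
ESP_FMT = "!II"  # SPI | Sequence Number


def build_esp_null(key, spi, seq, next_header, payload, align=4):
    # Pad so that payload + Pad Length + Next Header ends on a 4-byte boundary;
    # with DES/3DES the alignment would be the 8-byte cipher block size.
    pad_len = (-(len(payload) + 2)) % align
    padding = bytes(range(1, pad_len + 1))  # RFC 2406 default pad bytes 1, 2, 3, ...
    header = struct.pack(ESP_FMT, spi, seq)
    body = header + payload + padding + struct.pack("!BB", pad_len, next_header)
    # ESP's ICV covers header, payload and trailer, but NOT the outer IP header
    return body + icv(key, body)


def parse_esp_null(key, esp):
    """Return the ESP fields as a dict, or None if the ICV does not verify."""
    body, auth = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv(key, body), auth):
        return None  # tampered, or wrong SA key: drop the packet
    spi, seq = struct.unpack(ESP_FMT, body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    payload = body[8:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


# --- Anti-replay sliding window (RFC 2401 Appendix C style) -------------------
class ReplayWindow:
    """Accept each sequence number at most once; reject numbers older than the window."""

    def __init__(self, size=32):
        self.size, self.last, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:                      # the counter starts at 1, so 0 is never valid
            return False
        if seq > self.last:               # new high-water mark: slide the window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                  # too old, or already seen (replay)
        self.bitmap |= 1 << diff
        return True


if __name__ == "__main__":
    key = b"\x0b" * 20  # stand-in for the SA's HMAC key
    pkt = build_ah(key, 0x1000, 1, 6, IP_HDR, b"GET / HTTP/1.0\r\n")
    print("AH verifies:", verify_ah(key, pkt)[0])
    print("ESP fields:", parse_esp_null(key, build_esp_null(key, 0x2000, 1, 6, b"hello")))
```

Flipping a byte of the IP destination address in the AH packet makes `verify_ah` fail, which is exactly why AH does not survive NAT; the same edit to an ESP packet would go unnoticed by `parse_esp_null`, because the ESP ICV stops at the ESP header.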

Understanding IPSec Security Filters, Security Methods, and Security Policies


Security filters match security protocols to specific network traffic, and IPSec filters can be used to filter out unauthorized traffic. A filter contains the following information:

- Source and destination IP address (a single host, a subnet, "My IP Address", or "Any IP Address"; each IP address consists of a network ID portion and a host ID portion, and a subnet filter matches on the network ID)
- Protocol used
- Source and destination ports

Through security filters you can specify:

- Traffic allowed to pass through unprotected
- Traffic to secure
- Traffic to block

Security filters can be grouped into a filter list, and there is no limit to the number of filters a filter list can contain. IPSec policies use IP filters to determine whether an IP security rule applies to a packet. A security method specifies how an IPSec policy deals with traffic that matches an IP filter; security methods are also referred to as filter actions. A filter action results in one of the following:

- Drop the traffic (Block)
- Allow the traffic unprotected (Permit)
- Negotiate security

To apply security in your network, IPSec policies are used. IPSec policies define when and how data should be secured and which security methods are used at the different levels in your network. You can configure IPSec policies so that each policy affects a different type of traffic. Only one IPSec policy can be assigned to a computer at a time; when policies are assigned at several Active Directory levels, the policy assigned at the most specific level applies, because IPSec policies do not merge the way other Group Policy settings do. IPSec policies can be applied at the following levels within a network:

- Active Directory domain
- Active Directory site
- Active Directory organizational unit
- Computers
- Applications

The different components of an IPSec policy are:

- IP filter; tells the IPSec driver which inbound and outbound traffic should be secured.
- IP filter list; groups multiple IP filters into a single list to isolate a specific set of network traffic.
- Filter action; defines how the IPSec driver should treat traffic that matches the filter list: permit, block, or negotiate security.
- Security method; the security protocols and algorithms (AH or ESP, integrity and encryption algorithms, key lifetimes) used when security is negotiated.
- Authentication method; how the peers prove their identity (Kerberos, certificate, or preshared key).
- Connection type; identifies the type of connection (LAN, remote access, or all) that the IPSec policy applies to.
- Tunnel setting; the tunnel endpoint's IP address or DNS name, if tunnel mode is used.
- Rule; a grouping of the following components to secure a specific subset of traffic in a particular manner:
  - IP filter list
  - Filter action
  - Security method
  - Authentication method
  - Connection type
  - Tunnel setting
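The following Python script is an added example, not Microsoft's implementation, that models the policy components above (IP filter, filter list, filter action, rule, policy) and evaluates sample packets against a policy in the style of the built-in "Secure Server" policy. It assumes that, where several filters match, the most specific one decides, and it encodes that with an assumed weighting (addresses outrank protocol, protocol outranks ports). The sample policy, the domain controller at 10.0.0.10 and the packets are constructed for the example; the Kerberos rule illustrates the consequence of Kerberos traffic no longer being exempt from IPSec in Windows Server 2003.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Action(Enum):
    """The three possible filter actions."""
    PERMIT = "permit"         # pass the traffic unprotected
    BLOCK = "block"           # drop the traffic
    NEGOTIATE = "negotiate"   # set up AH/ESP before passing it


@dataclass(frozen=True)
class IPFilter:
    src: str = "any"          # "any", a host address, or a CIDR subnet
    dst: str = "any"
    protocol: str = "any"     # "any", "tcp", "udp", "icmp", ...
    src_port: int = 0         # 0 = any port
    dst_port: int = 0
    mirrored: bool = True     # also match the reply traffic (dst -> src)

    @staticmethod
    def _addr_match(spec, addr):
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    def _one_way(self, src, dst, proto, sport, dport):
        return (self._addr_match(self.src, src) and self._addr_match(self.dst, dst)
                and self.protocol in ("any", proto)
                and self.src_port in (0, sport) and self.dst_port in (0, dport))

    def matches(self, src, dst, proto, sport=0, dport=0):
        if self._one_way(src, dst, proto, sport, dport):
            return True
        return self.mirrored and self._one_way(dst, src, proto, dport, sport)

    def specificity(self):
        # Assumed weighting approximating "the most specific filter wins"
        score = 0
        for spec in (self.src, self.dst):
            if spec != "any":
                score += 8 if ip_network(spec, strict=False).num_addresses == 1 else 4
        score += 2 if self.protocol != "any" else 0
        score += (1 if self.src_port else 0) + (1 if self.dst_port else 0)
        return score


@dataclass
class Rule:
    name: str
    filter_list: tuple        # the rule's IP filter list
    action: Action            # the rule's filter action


@dataclass
class IPSecPolicy:
    name: str
    rules: tuple

    def decide(self, src, dst, proto, sport=0, dport=0):
        """Return (rule name, action) chosen by the most specific matching filter."""
        best = None
        for rule in self.rules:
            for f in rule.filter_list:
                if f.matches(src, dst, proto, sport, dport):
                    if best is None or f.specificity() > best[0]:
                        best = (f.specificity(), rule.name, rule.action)
        if best is None:
            return ("<no filter>", Action.PERMIT)  # unmatched traffic is not IPSec-processed
        return best[1], best[2]


DC = "10.0.0.10"   # constructed address of a domain controller
EXAMPLE_POLICY = IPSecPolicy("Secure Server (example)", (
    Rule("All IP Traffic", (IPFilter(),), Action.NEGOTIATE),
    Rule("All ICMP Traffic", (IPFilter(protocol="icmp"),), Action.PERMIT),
    # Kerberos is no longer exempt in Windows Server 2003, so permit it explicitly
    Rule("Kerberos to DC", (IPFilter(dst=DC, protocol="tcp", dst_port=88),
                            IPFilter(dst=DC, protocol="udp", dst_port=88)), Action.PERMIT),
    Rule("Block Telnet", (IPFilter(protocol="tcp", dst_port=23),), Action.BLOCK),
))

if __name__ == "__main__":
    for packet in (("10.0.0.5", "10.0.0.20", "tcp", 4000, 445),
                   ("10.0.0.5", DC, "udp", 5000, 88),
                   ("10.0.0.5", "10.0.0.20", "tcp", 4001, 23)):
        print(packet, "->", EXAMPLE_POLICY.decide(*packet))
```

Without the "Kerberos to DC" rule, the catch-all "All IP Traffic" rule would try to negotiate IPSec with the domain controller for port 88, and a client that cannot complete that negotiation cannot authenticate to the domain at all; the mirrored filter is what lets the DC's reply traffic through the same rule.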

Windows Internet Name Server (WINS) Overview


WINS is an enhanced NetBIOS name server (NBNS) which was designed by Microsoft to resolve NetBIOS computer names to IP addresses, and at the same time eliminate the usage of broadcasts for name resolution. In this manner, WINS eliminates traffic generated by broadcasting on the network. WINS provides a WINS databasethat it utilizes to store and maintain NetBIOS computer names to IP addresses mappings. WINS registers NetBIOS computer names, and stores these client name registrations in the WINS database. The registrations are used when clients query for host name resolution and service information. The database is then utilized to resolve a NetBIOS name to an IP address. WINS can resolve NetBIOS names for local hosts and remote hosts. Clients that are configured to utilize a WINS server as a NetBIOS name server (NBNS) are called WINS enabled clients or simply WINS clients. Clients that are not configured to utilize WINS for name resolution are called broadcast clients. The main advantages of using WINS to resolve the NetBIOS names of computers into IP addresses are summarized below: y NetBIOS client requests are transmitted to the WINS server. If the WINS server resolves the NetBIOS name to an IP address, no broadcast traffic is sent over the network. This basically means that traffic generated by broadcasting is reduced. Broadcasts are only used if the WINS server is unable to resolve the NetBIOS name. The WINS database is updated dynamically. This ensures that the database remains current. When a WINS client's IP address changes, the WINS client automatically updates the WINS server database with the change. The need to manually maintain a LMHOSTS file for each computer is eliminated. A WINS enabled client can communicate with a WINS server that is located anywhere on the internetwork. When a WINS enabled client queries the WINS database, the following events occur. This chain of events is often called the WINS name resolution process: 1. 
The NetBIOS name cache is first checked for an entry that is associated with the requested name. 2. A NAME QUERY REQUEST message is sent to the primary WINS server configured for the WINS client. 3. WINS uses User Datagram Protocol (UDP) port 137 for communication. 4. The WINS server performs a search in WINS database to determine if the queried name exists in the database. 5. Based on whether the NetBIOS name is found in the database, the WINS server returns either a positive response or a negative response to the client.

y y

y y

6. If the WINS server locates the NetBIOS name in the WINS database during its search, and the NetBIOS name has an active state, the associated IP address is returned to the client. Queried service lookups are also returned. This is called a positive response, and is sent in the form of a POSITIVE NAME QUERY RESPONSE message to the client. 7. If the WINS server locates the NetBIOS name in the WINS database during its search but the NetBIOS name has a state other than the active state, a negative response is returned to the client, wherein the client is informed that the requested NetBIOS name is unavailable. The client is not forced to transmit a broadcast for NetBIOS name resolution. 8. If the WINS server cannot locate the NetBIOS name in the WINS database during its search, a negative response is returned to the client. This takes the form of a NEGATIVE NAME QUERY RESPONSE message. The client is then forced to transmit a broadcast for NetBIOS name resolution. 9. The WINS server sends the client a number of WAIT FOR ACKNOWLEDGEMENT RESPONSE messages if it cannot immediately respond to the request. This prevents clients from timing out while they wait for a response from the WINS server. 10. If a clientis configured to use a primary WINS server and a secondary WINS server, the client uses the secondary WINS server if the primary WINS server fails to respond to its request. The client proceeds to send NAME QUERY REQUEST messages to the secondary WINS server for name resolution. Because WINS client registrations are not permanent, registration information can become outdated. The validity of the WINS client registrations is determined by the time to live interval of the WINS servers. 
WINS clients use a three-step process to keep their registrations in the WINS database current:

- WINS Name Registration: A WINS client is configured with the IP address of one or two WINS servers.
  - Primary WINS server: When the client starts, it registers its NetBIOS name and IP address with the primary WINS server by sending a NAME REGISTRATION REQUEST message directly to it. The message carries the time for which the name is registered, the Time to Live (TTL). The WINS server stores the name-to-IP-address mapping in the WINS database. If the primary WINS server does not respond, the client tries it two more times before attempting a secondary WINS server.
  - Secondary WINS server: When two WINS servers are configured, the secondary server is only tried for name registration after the client has failed to reach the primary.
  When either server receives a registration request, it first searches its database for the requested name. If the name does not exist, the client is registered. If the name already exists, the WINS server sends a NAME QUERY REQUEST to the current owner of the record to check whether the name is still in use. If the owner replies with a POSITIVE NAME QUERY RESPONSE, the server sends the new client a NEGATIVE NAME REGISTRATION RESPONSE and the registration is denied. If the owner replies with a NEGATIVE NAME QUERY RESPONSE, or does not answer at all, the server purges the existing record and assigns the name to the new client. None of these messages is authenticated: any host that can reach the WINS server can register names, and whether a name changes hands depends only on whether its current holder answers the challenge.
- WINS Name Renewal: Names in the WINS database are registered for a limited period, the TTL; the default TTL is 6 days. Registrations are therefore temporary, and clients must renew their names to remain current in the WINS database. As mentioned earlier, the WINS database is updated dynamically: clients register and un-register their names at the configured intervals, which depend on the TTL of the registered names. The TTL is reset by the following events:
  - Whenever a WINS client restarts, it re-registers its name with the WINS server, which resets the TTL.
  - If the client stays on the network for half of the TTL, it starts sending NAME REFRESH REQUEST messages to the WINS server. The server answers with a POSITIVE NAME REFRESH RESPONSE, which resets the TTL. If the server answers with a NEGATIVE NAME REFRESH RESPONSE, the existing registration is cancelled and the client has to register a different NetBIOS name.
  If the primary WINS server is unavailable when the client attempts renewal, the client repeats its request every 10 minutes for an hour and then switches to the secondary WINS server, if one is configured. If the secondary server also fails to respond, the client again retries at 10-minute intervals for an hour. The client keeps switching between WINS servers until either the name is renewed or the TTL expires.
- WINS Name Release: A WINS client releases its name when the computer shuts down or when a NetBIOS service or application stops. The computer sends a NAME RELEASE REQUEST message to the WINS server, indicating that the registered name should be expired in the WINS database. The name is released when the server returns a POSITIVE NAME RELEASE RESPONSE, which it does when the NetBIOS name and IP address in its database match those of the sending client. A NEGATIVE NAME RELEASE RESPONSE is returned when the database record for the name holds a different IP address from that of the sending client.

NetBIOS clients use the Enhanced h-node (hybrid) node type for name resolution. Enhanced h-node combines the p-node (peer-to-peer, that is WINS) and b-node (broadcast) methods with DNS to resolve NetBIOS names to IP addresses. It is the default node type for Windows 2000, Windows XP and Windows Server 2003 NetBIOS clients that have a WINS server configured. Enhanced h-node clients try the following sources, in order, until one resolves the name:

1. NetBIOS name cache
2. Primary WINS server
3. Secondary WINS server
4. Broadcast
5. LMHOSTS file
6. DNS name cache
7. HOSTS file
8. DNS server

Steps 2 to 4 carry no authentication, and in step 4 any host on the local segment can answer the broadcast, which is why NetBIOS over TCP/IP is normally disabled on clients that do not need it (see the DHCP settings later in this section).
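The messages named above have a fixed wire format (RFC 1001/1002), which the text does not show. The following Python is an added example, not code from the original page: it first-level encodes a NetBIOS name with its service suffix, builds a NAME QUERY REQUEST as a client would send it to a WINS server (or as a broadcast), and plays the WINS server's side, answering with a POSITIVE or NEGATIVE NAME QUERY RESPONSE from a constructed, in-memory database. The database contents, the transaction ID and the suffix table are assumptions for the demonstration. Note that the only thing tying a response to a query is the 16-bit transaction ID; nothing in the exchange proves the answer came from the configured WINS server.

```python
import struct

# Well-known NetBIOS service suffixes (the 16th byte); WINS shows them as the record "Type".
# Assumed subset for the example.
SUFFIX = {0x00: "Workstation", 0x03: "Messenger", 0x1B: "Domain Master Browser",
          0x1C: "Domain Controllers", 0x20: "File Server"}

NB_QUERY_TYPE, IN_CLASS = 0x0020, 0x0001
FLAG_RESPONSE, FLAG_AA, FLAG_RD, FLAG_RA, FLAG_B = 0x8000, 0x0400, 0x0100, 0x0080, 0x0010
RCODE_NAM_ERR = 0x3  # "name does not exist"


def encode_netbios_name(name, suffix, scope=""):
    """First-level encoding: 15 chars space-padded plus the suffix byte, each
    byte split into two nibbles mapped onto 'A'..'P'; then any scope labels."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    first_level = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    out = bytes([len(first_level)]) + first_level
    for label in filter(None, scope.split(".")):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_netbios_name(data, offset=0):
    """Inverse of encode_netbios_name: returns (name, suffix, scope, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length])
        offset += length
    first_level = labels[0]
    if len(first_level) != 32:
        raise ValueError("first-level NetBIOS name must be 32 bytes")
    raw = bytes(((first_level[i] - 0x41) << 4) | (first_level[i + 1] - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" ").decode("ascii")
    scope = ".".join(l.decode("ascii") for l in labels[1:])
    return name, raw[15], scope, offset


def build_name_query(txn_id, name, suffix, broadcast=False):
    """NAME QUERY REQUEST: opcode 0, RD set; the B flag marks a broadcast query."""
    flags = FLAG_RD | (FLAG_B if broadcast else 0)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", NB_QUERY_TYPE, IN_CLASS)


def wins_answer(query, database, ttl=3600):
    """Server side. `database` maps (NAME, suffix) -> list of IPs for records in
    the Active state; anything else gets a NEGATIVE NAME QUERY RESPONSE."""
    txn_id, _flags = struct.unpack("!HH", query[:4])
    name, suffix, scope, _off = decode_netbios_name(query, 12)
    base = FLAG_RESPONSE | FLAG_AA | FLAG_RD | FLAG_RA
    addrs = database.get((name, suffix))
    if not addrs:
        return struct.pack("!HHHHHH", txn_id, base | RCODE_NAM_ERR, 0, 0, 0, 0)
    # NB_FLAGS 0x6000 = unique name whose owner is an H-node, followed by NB_ADDRESS.
    rdata = b"".join(struct.pack("!H4B", 0x6000, *map(int, ip.split("."))) for ip in addrs)
    answer = (encode_netbios_name(name, suffix, scope)
              + struct.pack("!HHIH", NB_QUERY_TYPE, IN_CLASS, ttl, len(rdata)) + rdata)
    return struct.pack("!HHHHHH", txn_id, base, 0, 1, 0, 0) + answer


def parse_name_query_response(resp):
    """Client side: read the RCODE and, for a positive response, the address list."""
    txn_id, flags = struct.unpack("!HH", resp[:4])
    if not flags & FLAG_RESPONSE:
        raise ValueError("not a response packet")
    rcode = flags & 0x000F
    if rcode != 0:
        return {"id": txn_id, "positive": False, "rcode": rcode, "addresses": []}
    name, suffix, _scope, off = decode_netbios_name(resp, 12)
    _rr_type, _rr_class, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    addresses = []
    for i in range(off, off + rdlen, 6):
        _nb_flags, a, b, c, d = struct.unpack("!H4B", resp[i:i + 6])
        addresses.append(f"{a}.{b}.{c}.{d}")
    return {"id": txn_id, "positive": True, "rcode": 0, "name": name,
            "suffix": suffix, "ttl": ttl, "addresses": addresses}


# Constructed WINS database for the demonstration (not real hosts).
WINS_DB = {("FS01", 0x20): ["10.0.0.21"], ("CORP", 0x1C): ["10.0.0.5", "10.0.0.6"]}


def resolve(name, suffix, database=WINS_DB):
    """One unicast query/response round trip against the constructed database."""
    return parse_name_query_response(wins_answer(build_name_query(0x1234, name, suffix), database))
```

`resolve("fs01", 0x20)` returns the file-server address, `resolve("CORP", 0x1C)` returns both domain-controller addresses in database order, and an unknown name comes back with `positive` False and RCODE 3, which is the case in which the client falls back to a broadcast.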

Considerations for Implementing WINS Servers

Windows 2000 was the first Windows operating system that no longer required NetBIOS naming, but you may still need to support it for legacy applications; all Windows operating systems before Windows 2000 require NetBIOS name support. A WINS server is typically not required when your network is a small LAN on a single physical segment with no more than 50 clients, since broadcast resolution suffices there. One WINS server is enough for an internetwork, but two provide fault tolerance for name resolution. Because WINS registrations and queries carry no authentication, deploy WINS only where legacy NetBIOS clients actually need it and disable NetBIOS over TCP/IP on clients that do not. The recommendations for implementing WINS servers are:

- Implement two WINS servers to provide fault tolerance. The secondary WINS server is used for name resolution when the primary WINS server is unavailable to service client requests.
- A WINS server can handle about 1,500 name registrations and roughly 4,500 name queries per minute. One WINS server plus a backup server is recommended for every 10,000 WINS clients.
- Do not use DHCP to configure the TCP/IP properties of the WINS server itself. Assign the following TCP/IP parameters statically:
  - A static IP address
  - Subnet mask
  - Default gateway

How to install the WINS service using Control Panel/Add or Remove Programs
1. Click Start, and then click Control Panel.
2. Click Add or Remove Programs.
3. Click Add/Remove Windows Components to start the Windows Components Wizard.
4. On the Windows Components page, in the Components list, click Networking Services, and then click Details.
5. In the Networking Services dialog box, select the Windows Internet Name Service (WINS) checkbox.
6. Click OK, and then click Next. The WINS service installation starts.
7. Click Finish.

How to install the WINS service using Control Panel/Network Connections window
1. Click Start, and then click Control Panel.
2. Right-click Network Connections and select Open from the shortcut menu.
3. On the Advanced menu, choose Optional Networking Components.
4. Install the WINS service through the Windows Optional Networking Components Wizard.

Configuring the WINS Server


Configuring and managing the WINS server consists of the following key administrative tasks:

- Configure WINS replication. This includes:
  - Configuring replication partners
  - Configuring the replication method(s)
- Manage the WINS database. This includes:
  - Managing the entries in the WINS database
  - Backing up the WINS database
  - Restoring the WINS database

The MMC console used to configure the WINS server is the WINS console, which is added to the Administrative Tools menu automatically when you install the WINS service. Through the WINS console you can:

- View information on the WINS servers configured on the network.
- Perform WINS configuration and management tasks.
- View the contents of the WINS database and locate entries in it.

To open the WINS console, click Start, Administrative Tools, and then click WINS.

As mentioned previously, you should build redundancy into your WINS design so that your WINS servers push or pull database information between each other. This keeps the database contents the same on all your WINS servers, and the mechanism that provides it is WINS replication. When all WINS databases hold the same information, you can configure NetBIOS clients with the IP addresses of several WINS servers, so that WINS name resolution keeps working when one of the servers fails.

How to configure WINS replication

To replicate with each other, the WINS servers in your network have to be configured as replication partners. This can be done manually or automatically:

- Manual configuration of replication partners is done by an administrator. You need the WINS server name or the IP address of the WINS server that you want to configure as a replication partner.
- Automatic creation of replication partners uses the Automatic Partner Configuration feature of Windows 2000 and Windows Server 2003. It discovers other WINS servers by multicast, so it is only suitable for small networks where every WINS server that can reach the multicast group is trusted.

How to manually configure WINS server replication partners


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, expand the WINS server, right-click Replication Partners, and click New Replication Partner on the shortcut menu.
3. In the New Replication Partner dialog box, enter the name or IP address of the WINS server that you want to replicate with.
4. Click OK.
5. Repeat the above steps on the other WINS server.

How to automatically create WINS replication partners


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click Replication Partners, and then select Properties from the shortcut menu.
3. Click the Advanced tab.
4. Select the Enable automatic partner configuration checkbox.
5. Click OK.

How to configure WINS replication methods


After the WINS replication partners are configured, you have to specify how replication will occur between your WINS servers. The two available methods are:

- Pull replication: WINSserver1 pulls WINS data from WINSserver2 on a schedule. Use this method over slower links between WINS servers, because it lets you choose when replication occurs.
- Push replication: WINSserver1 pushes WINS data to WINSserver2. Use push replication when the WINS servers are connected by fast links. A threshold (Number of changes in version ID) sets how many changes must accumulate in the WINS database before the server notifies its partner that changes are waiting. A push is only a notification: the partner has to accept it and request the data before its push partner transfers the changes to it.

By default, when WINS replication partners are configured, both pull and push replication are enabled.

To view the existing replication method(s):

1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, select Replication Partners.
3. In the Details pane, select the replication partner whose replication method you want to view.
4. Right-click the replication partner, and then select Properties from the shortcut menu.
5. When the Properties dialog box for the replication partner opens, click the Advanced tab.

How to configure pull replication


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click Replication Partners, and then select Properties from the shortcut menu.
3. Click the Pull Replication tab.
4. In the Hours, Minutes, and Seconds boxes of the Start time field, enter the time at which pull replication should start automatically. The default of all zeros means that pull replication does not start automatically.
5. In the Hours, Minutes, and Seconds boxes of the Replication interval field, enter the pull replication interval. The default is 30 minutes.
6. In the Number of retries field, enter how many attempts the WINS service should make to connect to a replication partner.
7. Select the Start pull replication at service startup checkbox if you want pull replication to occur when the WINS service starts.
8. Select the Use persistent connections for pull replication partners checkbox if you want the connection to a replication partner to stay open between replications.
9. Click OK.

How to configure push replication


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click Replication Partners, and then select Properties from the shortcut menu.
3. Click the Push Replication tab.
4. Select the At service startup checkbox if you want the WINS server to inform its replication partners of database changes when the WINS service starts. This option is not selected by default.
5. Select the When address changes checkbox if you want the WINS server to inform its replication partners when an address changes. This option is not selected by default.
6. In the Number of changes in version ID before replication field, specify how many database changes must occur before replication partners are informed that push replication is waiting.
7. Select the Use persistent connections for push replication partners checkbox if you want the connection to a replication partner to stay open between replications.
8. Click OK.

How to manually force replication with all replication partners


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click Replication Partners, and then select Replicate Now from the shortcut menu.
3. Click OK in the message asking you to confirm that manual replication should occur with all replication partners.

How to manually force replication with a specific replication partner


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, select Replication Partners, and then right-click the specific replication partner.
3. To start pull replication, select Start Pull Replication from the shortcut menu. Click Yes in the message warning that the request could cause an increase in network traffic, and then click OK.
4. To start push replication, select Start Push Replication from the shortcut menu. In the Start Push Replication dialog box, select the Start with this partner only option, and then click OK.

Configuring Advanced WINS Configuration Options


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click the WINS server, and then select Properties on the shortcut menu.
3. Click the Advanced tab.
4. Select the Log detailed events to Windows event log checkbox if you want the WINS service to log WINS-specific events in the System log of the WINS server. This is recommended for troubleshooting; detailed logging slows the server, so turn it off again afterwards.
5. Select the Enable burst handling checkbox if you want the WINS server to cope with a large number of simultaneous registration requests. This option is enabled by default. Choose a burst queue size of Low (300), Medium (500) or High (1,000), or select Custom and enter your own number.
6. You can change the folder in which the WINS database and log files are stored in the Database path box.
7. In the Starting version ID (hexadecimal) box, enter the number to use as the starting version ID of the WINS database. The default setting is 1.
8. Select the Use computer names that are compatible with LAN Manager checkbox if you want non-Microsoft NetBIOS clients to register with the WINS server. This setting is enabled by default.
9. Click OK.

Managing the WINS Database


The administrative tasks that you need to perform to manage the WINS database are:

- Locate WINS records in the WINS database: You can use the WINS console to locate specific WINS entries. Records in the WINS database can be filtered by:
  - NetBIOS name
  - IP address
  With Windows 2000 WINS, you can locate entries using the following search criteria:
  - Record name
  - Record owner
  With Windows Server 2003 WINS, you can locate entries using the following search criteria:
  - Record name
  - Record owner
  - Record type
  - A combination of the above
- Add WINS records to the WINS database: Name-to-IP-address mappings can be added:
  - Dynamically: when a WINS client registers or renews a NetBIOS name with the WINS server.
  - Manually: an administrator adds a static name-to-IP-address mapping to the WINS database.
- Remove WINS records from the WINS database: This occurs:
  - Dynamically: when WINS clients release their NetBIOS names with the WINS server.
  - Manually: an administrator deletes a name-to-IP-address mapping from the WINS database.
- Verify WINS database consistency: Verifying the consistency of the WINS records ensures that the WINS database contains only current entries and helps you identify incorrect records.
- Reconcile WINS records: The process of verifying, or validating, WINS records so that the integrity of the records in the WINS database is maintained.
- Manually compact the WINS database: The database grows as WINS clients are added to it, so compaction keeps its size in check.
- Back up and restore the WINS database. The WINS database is named wins.mdb and is located in the following folder by default:

%systemroot%\system32\wins

How to view records in the WINS database


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, expand the WINS server whose database records you want to view, right-click Active Registrations, and then select Display Records from the shortcut menu.

How to view specific records in the WINS database


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click Active Registrations and then select Display Records from the shortcut menu.
3. The Display Records dialog box opens with the following tabs:
   - Record Mapping
   - Record Owners
   - Record Types
4. You can specify search parameters on each tab. The search of the WINS database combines the criteria specified on all tabs.
5. You can filter the search by:
   - Matching name pattern
   - Matching IP address
   - Matching IP address based on subnet mask
6. Select the Enable result caching checkbox if you want the search results cached locally on the machine running the query.

How to add WINS records to the WINS database


WINS only adds entries to the WINS database dynamically for WINS-enabled clients. Clients that are not configured to use WINS do not have their name-to-IP-address mappings added automatically. You can add records for non-WINS NetBIOS clients manually so that your WINS clients can use WINS to find them. Records that you add manually are static entries, or static name-to-IP-address mappings, and remain in the WINS database until they are manually deleted. The types of static NetBIOS name that can be added are the same as those WINS registers automatically:

- Unique: identifies a unique NetBIOS name to IP address mapping.
- Group: adds the entry to a workgroup (normal group); the IP address is not stored in WINS, and the name is resolved through broadcasting.
- Domain Name: identifies a domain name mapping for Windows NT domain controllers.
- Internet Group: for creating groups used to manage resources; this group is used for administration purposes.
- Multihomed: identifies a computer that has multiple network interfaces with different IP addresses.

When you add static mappings to the WINS database, they override any conflicting dynamically added WINS record by default. You can change this by enabling the Overwrite unique static mappings at this server (migrate on) option. When the option is enabled on a WINS server, its unique static mappings are handled like dynamically added records, so a later dynamic registration or replicated record for the same name can overwrite them. The option can be enabled or disabled independently on each WINS server.

WINS entries in the WINS database are structured so that you can sort them by field name. The fields in the WINS database are:

- Record Name: the registered NetBIOS name, which defines a unique name, group, internet group or multihomed computer.
- Type: the service identifier and its associated hexadecimal value.
- IP Address: the IP address associated with the NetBIOS name.
- State: records can be in one of the following states:
  - Active: the NetBIOS name is currently in use on the network.
  - Released: the NetBIOS name of the record has been released.
  - Tombstoned: the record is flagged for deletion when the next extinction interval passes.
- Static: indicates a static entry.
- Owner: the WINS server that owns the record.
- Version: a unique number assigned to a registered record, used during replication to determine the most current version of the record.
- Expiration: the date and time at which the record's lease is due to expire.

How to configure a static mapping in the WINS database


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click Active Registrations and then select New Static Mapping from the shortcut menu. The New Static Mapping dialog box opens.
3. In the Computer name box, enter the NetBIOS computer name of the non-WINS NetBIOS client.
4. Leave the NetBIOS scope (optional) box empty, or enter a NetBIOS scope identifier.
5. In the Type box, select one of the following entry types: Unique, Group, Domain Name, Internet Group or Multihomed.
6. In the IP address box, enter the IP address of the computer.
7. Click Apply to add the entry to the WINS database.
8. Add any further static mappings, clicking Apply after each one.
9. Click OK.

How to configure the Overwrite unique static mappings at this server (migrate on) option for a WINS server
1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click Replication Partners and then select Properties from the shortcut menu.
3. On the General tab, select the Overwrite unique static mappings at this server (migrate on) checkbox.
4. Click OK.

How to remove WINS records from the WINS database


The methods that you can use to manually remove WINS records from the WINS database are:

- Start scavenging: This tells the WINS service to apply the configured renewal and extinction intervals now rather than at the next scheduled scavenge: expired Active records become Released, Released records older than the extinction interval become Tombstoned, and Tombstoned records older than the extinction timeout are removed.
- Delete a WINS record from a single WINS server: This is performed from within the WINS database and affects only that server.
- Tombstone a WINS record: This replicates the deletion of the record through your WINS topology. This is also performed from within the WINS database.

How to start scavenging of the WINS database


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click the WINS server whose database you want to scavenge and then select Scavenge Database from the shortcut menu.
3. Click OK in the message dialog box that appears.

How to delete WINS records from within the WINS database


You delete a WINS record from within the WINS database by selecting the record and pressing the Delete key. This opens the Delete Record dialog box, which offers the following options:

- Delete the record only from this server: Select this option if you want to delete the WINS record from this WINS server only. Clicking OK immediately removes the record from the local database; replication partners keep their copies.
- Replicate deletion of this record to other servers (tombstoned): Select this option if you want the deletion replicated through your WINS topology. The record is tombstoned in the local database, the tombstone is sent to the other WINS servers at the next replication, and the record is finally removed everywhere once the extinction timeout has passed. After selecting this option, click Yes in the WINS message asking whether ownership of the record should be taken.

How to verify WINS database consistency


When you verify the consistency of the WINS database, you are checking whether it holds any incorrect records. The consistency check pulls WINS records from the other WINS databases and compares them with the records in the local WINS database. For each record, one of the following happens:

- If the local record matches the record pulled from its owner's database, the local record's timestamp is refreshed.
- If the remote copy of the record has a higher version ID, the local record is marked for deletion and the remote record is added to the local WINS database.

You can run WINS database consistency checks:

- Manually
- Automatically (scheduled)

There are two types of WINS database consistency check:

- Database consistency: the local WINS database is verified against the databases of the other WINS servers.
- Version consistency: runs on each WINS server in your WINS topology to determine whether each server holds the highest version ID for each of the records it owns. A WINS server does not own records that reached its database through replication.
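The replication rules described in the sections on push and pull replication, the static-mapping override (migrate on) and the consistency check above can be exercised together. The following Python is an added example, not code from the page or from the WINS service: a deliberately simplified model of two WINS servers in which every local change gets a new version ID, a push is a notification after a configurable number of changes that makes the partner pull, a tombstone takes ownership and replicates the deletion, and a consistency check replaces local copies that the owner holds at a higher version ID. Server names, record names and addresses are constructed; cross-owner conflict resolution and time-based scavenging are left out.

```python
from dataclasses import dataclass

ACTIVE, RELEASED, TOMBSTONED = "Active", "Released", "Tombstoned"


@dataclass
class Record:
    name: str       # NetBIOS name with hex service suffix, e.g. "FS01<20>" (constructed)
    ip: str
    state: str
    owner: str      # WINS server the record was registered with
    version: int    # owner-assigned version ID; a higher ID wins during replication
    static: bool = False


class WinsServer:
    """Toy model of one WINS server's database and its replication behaviour."""

    def __init__(self, name, push_threshold=1, migrate_on=False):
        self.name, self.records, self.version, self.changes = name, {}, 0, 0
        self.push_threshold = push_threshold   # "Number of changes in version ID"
        self.migrate_on = migrate_on           # "Overwrite unique static mappings"
        self.push_partners = []

    def _write(self, name, ip, state, static=False):
        """Every local change gets a new version ID and counts towards a push."""
        self.version += 1
        self.records[name] = Record(name, ip, state, self.name, self.version, static)
        self.changes += 1
        if self.changes >= self.push_threshold:
            self.changes = 0
            for partner in self.push_partners:  # push = notify; the partner then pulls
                partner.pull_from(self)

    def register(self, name, ip, holder_responds=False):
        """NAME REGISTRATION REQUEST; True means a positive response."""
        cur = self.records.get(name)
        if cur and cur.state == ACTIVE and cur.ip != ip:
            if cur.static and not self.migrate_on:
                return False    # a static mapping beats a conflicting dynamic one
            if not cur.static and holder_responds:
                return False    # current holder answered the NAME QUERY challenge
        self._write(name, ip, ACTIVE)
        return True

    def release(self, name, ip):
        """NAME RELEASE REQUEST; False models a NEGATIVE NAME RELEASE RESPONSE."""
        cur = self.records.get(name)
        if cur is None or cur.ip != ip:
            return False
        self._write(name, ip, RELEASED)
        return True

    def add_static(self, name, ip):
        self._write(name, ip, ACTIVE, static=True)

    def delete(self, name, tombstone):
        cur = self.records.get(name)
        if cur is None:
            return
        if tombstone:   # takes ownership and replicates the deletion
            self._write(name, cur.ip, TOMBSTONED)
        else:           # removed here only; partners keep their copy
            del self.records[name]

    def pull_from(self, partner):
        """Pull replication: take partner records that are newer than ours."""
        replaced = []
        for name, rec in partner.records.items():
            cur = self.records.get(name)
            if cur is not None and cur.static and not self.migrate_on:
                continue    # static mapping is kept unless "migrate on" is set
            newer = (cur is None or (cur.static and self.migrate_on)
                     or (rec.owner == cur.owner and rec.version > cur.version)
                     or (rec.state == TOMBSTONED and cur.state != TOMBSTONED))
            if newer:
                self.records[name] = rec
                replaced.append(name)
        return replaced

    def verify_consistency(self, owner):
        """Database consistency check: where the owner holds a record at a
        higher version ID, drop our copy and take the owner's."""
        stale = []
        for name, rec in owner.records.items():
            cur = self.records.get(name)
            if (rec.owner == owner.name and cur is not None
                    and cur.owner == rec.owner and rec.version > cur.version):
                self.records[name] = rec
                stale.append(name)
        return stale


def demo():
    """Constructed scenario; returns the observable outcomes."""
    a, b = WinsServer("WINS-A", push_threshold=2), WinsServer("WINS-B")
    a.push_partners.append(b)
    a.register("FS01<20>", "10.0.0.21")            # change 1: below the push threshold
    pushed_after_one = "FS01<20>" in b.records
    a.register("WS07<00>", "10.0.0.77")            # change 2: push, B pulls both
    pushed_after_two = sorted(b.records)
    b.add_static("FS01<20>", "10.0.0.99")          # static mapping on B
    dynamic_beats_static = b.register("FS01<20>", "10.0.0.21")
    a.register("FS01<20>", "10.0.0.22")            # change 1 on A
    a.delete("WS07<00>", tombstone=True)           # change 2: push again
    b_fs01_after_push = b.records["FS01<20>"].ip   # B's static copy survives
    b_ws07_after_push = b.records["WS07<00>"].state
    b.migrate_on = True
    replaced = b.pull_from(a)                      # now the static copy is overwritten
    a.register("FS01<20>", "10.0.0.23")            # change 1 on A, not pushed yet
    stale = b.verify_consistency(a)
    return {"pushed_after_one": pushed_after_one, "pushed_after_two": pushed_after_two,
            "dynamic_beats_static": dynamic_beats_static,
            "b_fs01_after_push": b_fs01_after_push, "b_ws07_after_push": b_ws07_after_push,
            "replaced_with_migrate_on": replaced, "stale_fixed_by_check": stale,
            "b_fs01_after_check": b.records["FS01<20>"].ip,
            "release_wrong_ip": a.release("FS01<20>", "10.0.0.1")}
```

Running `demo()` shows the first change not reaching WINS-B, both records arriving after the second, the static mapping on WINS-B surviving a push until migrate on is set, the tombstone for WS07 propagating, and the consistency check picking up the change that had not yet crossed the push threshold.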

How to manually verify database consistency


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click the WINS server on which you want to check database consistency and then select Verify Database Consistency from the shortcut menu.
3. Click Yes to confirm that you want to schedule a database consistency check for the WINS server.
4. Click OK in the second message, which indicates that the database consistency check has been queued on the server.
5. Consult the Windows event log to find out when the database consistency check has completed.

How to verify version consistency


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click the WINS server and then select Verify Version ID Consistency from the shortcut menu.
3. Click Yes in the message asking you to confirm that you want to continue with the version consistency operation.
4. The Verify Version ID Consistency Progress window shows the results of the version consistency check.

How to configure automatic database verification


1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, right-click the WINS server and then select Properties from the shortcut menu.
3. When the Properties dialog box of the WINS server opens, click the Database Verification tab.
4. Select the Verify database consistency every: checkbox.
5. In the Hours box, enter how often database verification should occur.
6. Use the Begin verifying at: boxes to set when database verification should start.
7. Enter the appropriate value in the Maximum number of records verified each period box.
8. Select whether the database should be verified against:
   - Owner servers
   - Randomly selected partners
9. Click OK.

How to reconcile WINS records


The integrity of the WINS database and the validity of its records are checked by reconciling the WINS records. There are two ways to reconcile the WINS database:

- Manually specify each WINS record that you want to reconcile.
- Import multiple WINS records from a text file.

Before attempting to reconcile the WINS database, you need the following information:

- The IP address of the WINS server whose database you want to reconcile with.
- The NetBIOS name and hexadecimal service identifier of each WINS record that you want to reconcile.

To reconcile WINS records:

1. Click Start, Administrative Tools, and then click WINS to open the WINS console.
2. In the console tree, expand the WINS server node, and then select Active Registrations.
3. Right-click Active Registrations, and then select Verify Name Records from the shortcut menu.
4. The Verify Name Records dialog box that opens is divided into a Name Records section and a Servers section.
5. In the Name Records section, select the List (case sensitive) option.
6. Enter the name of the WINS record(s) that you want to reconcile, including the hexadecimal service identifier, and click Add.
7. In the Servers section, select the List option.
8. Enter the IP address of the WINS server(s) against which you want to reconcile the records just specified, and click Add.
9. Click OK to start the verification of the WINS record(s).
10. The Checking Name Registrations window shows the results of the name record verification.

How to manually compact the WINS database


The WINS service compacts the WINS database automatically on a schedule by default. You can also compact it manually with the jetpack.exe tool:

1. Open a command prompt window.
2. Enter net stop wins to stop the WINS service (the database file is locked while the service is running).
3. Change to the directory that holds the WINS database (%systemroot%\system32\wins by default).
4. Enter jetpack wins.mdb temp_dbname.mdb to compact wins.mdb into the temporary file, which jetpack then copies back over wins.mdb.
5. Enter net start wins to start the WINS service again.

Configuring WINS Clients


In order to use WINS to resolve NetBIOS names to IP addresses, you have to configure your clients as WINS clients. A computer running any of the following operating systems can be configured as a WINS client:

- Windows Server 2003
- Windows XP
- Windows 2000
- Windows NT 3.5 or later
- Windows Me
- Windows 98 or Windows 95
- Windows for Workgroups 3.11 running the Microsoft TCP/IP-32 stack
- Microsoft Network Client 3.0 for MS-DOS
- LAN Manager 2.2c for MS-DOS
- Non-Microsoft operating systems such as Macintosh, UNIX and Linux

How to configure a WINS client


1. Click Start, Control Panel, and then click Network Connections.
2. Select Local Area Connection, and then click Properties. The Local Area Connection Properties dialog box opens.
3. Select Internet Protocol (TCP/IP) from the list, and then click Properties.
4. When the Internet Protocol (TCP/IP) Properties dialog box opens, click Advanced. The Advanced TCP/IP Settings dialog box opens.
5. Click the WINS tab.
6. Click Add to add the IP address of a WINS server.
7. In the TCP/IP WINS Server dialog box, enter the address of your WINS server and click Add.
8. Verify that the WINS server you specified is displayed in the list on the Advanced TCP/IP Settings dialog box.
9. After adding all the WINS servers, use the arrow buttons to set their precedence. WINS servers at the top of the list are used before those further down.
10. Click OK on the Advanced TCP/IP Settings dialog box.
11. Click OK on the Internet Protocol (TCP/IP) Properties dialog box.
12. Click OK on the Local Area Connection Properties dialog box.

How to configure WINS and DNS integration


1. Click Start, Administrative Tools, and then click DNS. The DNS console opens.
2. Expand the Forward Lookup Zones container.
3. Right-click the zone that you want to configure, and then select Properties on the shortcut menu.
4. When the Properties dialog box for the zone opens, click the WINS tab.
5. Select the Use WINS forward lookup checkbox.
6. Enter the IP address of the WINS server, and click Add.
7. Click the Advanced button on the WINS tab.
8. Enter the appropriate value in the Cache time-out box. This value determines how long DNS servers may cache entries obtained from WINS.
9. Enter an appropriate value in the Lookup time-out box. This value determines how long the DNS server waits for a response from the WINS server it forwards the lookup to.
10. Click OK.

How to configure WINS and DHCP integration


The DHCP options that you can enable to configure DHCP to support WINS are:

- 044 WINS/NBNS Servers: This option enables you to specify the IP addresses of the WINS servers in the order in which clients register and query for NetBIOS names. The IP address at the top of the list is used as the primary WINS server, and the IP addresses under it are used as secondary WINS servers.
- 046 WINS/NBT Node Type: This option requires you to specify the node type that you want clients to use.

Other important configuration settings for configuring WINS and DHCP support are:

- Enable LMHOSTS Lookup: informs the client to search for a configured LMHOSTS file in the %systemroot%\system32\drivers directory.
- NetBIOS setting options determine whether a client is configured for NetBIOS use:
  - Default: The vendor-specific setting in DHCP is used to determine whether the client is enabled or disabled for NetBIOS use. The Disable NetBIOS over TCP/IP (NetBT) DHCP option disables the client for NetBIOS use.
  - Enable NetBIOS over TCP/IP: This setting enables NetBIOS use.
  - Disable NetBIOS over TCP/IP: This setting disables NetBIOS use.

To configure DHCP for WINS support:

1. Click Start, Administrative Tools, and then click DHCP.
2. The DHCP console opens.
3. In the console tree, right-click Server Options and then select Configure Options from the shortcut menu.
4. When the Server Options dialog box opens, select the 044 WINS/NBNS Servers option or the 046 WINS/NBT Node Type option.
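
Options 044 and 046 set on a scope with the DhcpServer PowerShell module (Windows Server 2012 and later), followed by an audit of what every scope on the server hands out, as an added example that is not part of the original guide. The scope 192.0.2.0 and the WINS addresses are placeholders; the node-type values are the RFC 2132 codes for option 46, and the vendor-class option shown in the final comment is the DHCP counterpart of the Disable NetBIOS over TCP/IP setting described above.

```powershell
# Added example, not part of the original guide: options 044/046 configured with the
# DhcpServer module, then an audit across all scopes. Assumptions: scope 192.0.2.0 and the
# WINS servers 192.0.2.10 / 192.0.2.11 are placeholder addresses.

$ScopeId     = [ipaddress]'192.0.2.0'
$WinsServers = @([ipaddress]'192.0.2.10', [ipaddress]'192.0.2.11')   # first entry = primary

# 044 WINS/NBNS Servers: the module exposes option 44 through the -WinsServer parameter.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -WinsServer $WinsServers

# 046 WINS/NBT Node Type (RFC 2132 codes): 1 = B-node (broadcast only), 2 = P-node (WINS only),
# 4 = M-node (broadcast, then WINS), 8 = H-node (WINS, then broadcast). H-node is the usual
# choice for WINS clients because it only falls back to broadcast when the server cannot answer.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 46 -Value 8

# Audit: for every scope on this server, which WINS servers and node type are handed out.
# Empty columns mean that no scope-level value is set for that option.
function Get-WinsScopeReport {
    foreach ($Scope in Get-DhcpServerv4Scope) {
        $Opt44 = Get-DhcpServerv4OptionValue -ScopeId $Scope.ScopeId -OptionId 44 -ErrorAction SilentlyContinue
        $Opt46 = Get-DhcpServerv4OptionValue -ScopeId $Scope.ScopeId -OptionId 46 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope       = $Scope.ScopeId
            Name        = $Scope.Name
            WinsServers = ($Opt44.Value -join ', ')
            NodeType    = ($Opt46.Value -join ', ')
        }
    }
}

Get-WinsScopeReport | Format-Table -AutoSize

# For scopes that no longer need NetBIOS at all, the "Disable NetBIOS over TCP/IP" setting is
# the Microsoft vendor-class option 001 with value 2 on the scope:
#   Set-DhcpServerv4OptionValue -ScopeId $ScopeId -VendorClass 'Microsoft Windows 2000 Options' -OptionId 1 -Value 2
```

The report is the useful part for a periodic review: NetBIOS name resolution is a legacy broadcast protocol, so knowing exactly which scopes still advertise WINS servers, and which node type they push, tells you where it is still depended on and where it can be switched off.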

SharePoint Services is a web-based solution for storing and sharing documents, and for communicating. It has the following built-in features:

- Lists
- Document Libraries
- Discussion boards
- Surveys
- Security

This document is a tutorial on how to use these features in SharePoint Services.

What is SharePoint Services?


Microsoft SharePoint Services is a web-based collaboration tool that groups and project teams may find useful for working together. SharePoint Services can be used for:

- Lists (announcements, contacts, events, common interest links, tasks)
- Libraries of documents (files, pictures, forms)
- Discussion boards
- Surveys
- Security (access permissions)

SharePoint Services runs on a server that is accessible from the web. The server is maintained by Computing Services. Because the site is used through a web browser, no additional software is necessary on workstations; another benefit is ease of use.

Who Can Use SharePoint Services?


The following groups are eligible to request a Departmental SharePoint site:

- Academic Departments
- Administrative Departments
- Student Organizations

The following individuals are eligible to request a Personal SharePoint site:

- Faculty
- Staff
- Students

Each site is expected to have an administrator, who is responsible for setting up the site, for its security, and for training. Additional information may be obtained from sharepoint.uark.edu.

Customizing a SharePoint Site


Once a site has been created, an email message containing the URL of the site is sent to the site's requestor. Accessing the site URL with a web browser requires UARK username and password authentication. Sign in using the gacl\UARKusername or UARKusername@uark.edu format. If, once signed in, the text size is uncomfortable, change it through the web browser's settings: in Internet Explorer, go to View on the menu bar, select Text Size, and then choose a comfortable text size. Click the Site Settings link on the SharePoint top navigation bar. The following window will appear:

Notes about Document Versioning


Document versioning allows multiple versions of a document to be stored. If a change needs to be reversed, the previous version can be restored. When versioning is turned on, a Version History command is added to the dropdown list that is seen when the arrow is clicked next to a document name in the library.

When Version History is selected, a list of the previous versions of the document appears. The user can open an old version, restore a version (replacing the current version), or delete an old version.

- When a file is deleted from a library, all previous versions are deleted.
- Versions can be created for all file types except HTML files that contain images or embedded objects (in which case the MHTML format (.mht) must be used).

When versioning is enabled, versions are automatically created whenever a document is updated in a document library. Versions are created in the following situations:

- When a user checks out a file, makes changes, and checks the file back in.
- When a user opens a file, makes changes, and then saves the file for the first time. Note: If the user saves the file again without closing it, a new version is not created. If the user closes the application he or she is using to edit the file, and then opens it and saves the file again, another version is created.
- When a user restores an old version of a file (and does not check it out).
- When a user uploads a file that already exists, in which case the current file becomes an old version.

Notes about Content Approval


Content approval allows creation of a list or library in which items or files submitted by users are not visible to all site users until they have been approved by a site administrator or a user with the Manage Lists right. Users can view a list of the items that they have submitted and check their approval status. Administrators and users with the Manage Lists right use the Approve/reject items view of the list or library to set an item or file to approved, rejected, or pending, and can add comments about the approval decision. Submissions by site administrators or users with the Manage Lists right are approved automatically, though other administrators or Manage Lists users can still reject them. Rejected items should be deleted. Content approval is enabled from the list or library by following the Modify settings and columns link and then selecting the Change general settings link.

Now that the document library has been created, click the Upload Document button and the following window will open:

Lists
In SharePoint you can create lists for:

- Links (useful web links for your project/team)
- Announcements
- Contacts
- Events
- Tasks
- Issues

From the SharePoint top navigation bar, click Create. Under the Lists and Custom Lists headings try creating a couple of different list types.

Discussion Boards
A discussion board provides a place for newsgroup style discussions. From the SharePoint top navigation bar, click Create. Click the Discussion Board link on the Create page.

Surveys
Surveys can be created in SharePoint for groups and projects. This is easy to do: the various types of questions are created using menus. Click Create on the SharePoint top navigation bar, and then click the Survey link. Try creating a survey with a couple of different types of questions.

Help!
Click the Help link on the SharePoint top navigation bar for further information.
