Archive for April, 2010


Group policies simplify administration by giving administrators central control over privileges, permissions, and capabilities of both users and computers. Through group policies you can

  • Create centrally managed directories for special folders, such as My Documents. This is covered in the section of this chapter entitled “Centrally Managing Special Folders.”
  • Control access to Windows components, system resources, network resources, Control Panel utilities, the desktop, and the Start menu. This is covered in the section of this chapter entitled “Using Administrative Templates to Set Policies.”
  • Define user and computer scripts to run at specified times. This is covered in the section of this chapter entitled “User and Computer Script Management.”
  • Configure policies for account lockout and passwords, auditing, user rights assignment, and security. This is covered in Part II of this book, “Microsoft Windows Server 2003 Directory Service Administration.”

Understanding Group Policies

You can think of a group policy as a set of rules that helps you manage users and computers. You can apply group policies to multiple domains, to individual domains, to subgroups within a domain, or to individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory directory service.

To understand group policies, you need to know a bit about the structure of Active Directory. In Active Directory, logical groupings of domains are called sites and subgroups within a domain are called organizational units. Thus, your network could have sites called NewYorkMain, CaliforniaMain, and WashingtonMain. Within the WashingtonMain site, you could have domains called SeattleEast, SeattleWest, SeattleNorth, and SeattleSouth. Within the SeattleEast domain, you could have organizational units called Information Services (IS), Engineering, and Sales.

Group policies apply only to systems running Windows 2000, Windows XP Professional, and Windows Server 2003. You set policies for Windows NT 4.0 systems with the System Policy Editor (Poledit.exe). For Windows 95 and Windows 98, you need to use the System Policy Editor provided with Windows 95 or Windows 98, respectively, and then copy the policy file to the Sysvol share on a domain controller.

Group Policy settings are stored in a Group Policy Object (GPO). One way to think of a GPO is as a container for the policies you apply and their settings. You can apply multiple GPOs to a single site, domain, or organizational unit. Because policy is described using objects, many object-oriented concepts apply. If you know a bit about object-oriented programming, you might expect the concepts of parent-child relationships and inheritance to apply to GPOs—and you’d be right.

Through inheritance, a policy applied to a parent container is inherited by a child container. Essentially, this means that a policy setting applied to a parent object is passed down to a child object. For example, if you apply a policy setting in a domain, the setting is inherited by organizational units within the domain. In this case, the GPO for the domain is the parent object and the GPOs for the organizational units are the child objects.

The order of inheritance is as follows:

Site –> Domain –> Organizational Unit

This means that the group policy settings for a site are passed down to the domains within that site and the settings for a domain are passed down to the organizational units within that domain.

As you might expect, you can override inheritance. To do this, you specifically assign a policy setting for a child container that contradicts the policy setting for the parent. As long as overriding of the policy is allowed (that is, overriding isn’t blocked), the child’s policy setting will be applied appropriately. To learn more about overriding and blocking GPOs, see the section of this chapter entitled “Blocking, Overriding, and Disabling Policies.”

In What Order Are Multiple Policies Applied?

When multiple policies are in place, policies are applied in the following order:

  1. Windows NT 4.0 policies (Ntconfig.pol)
  2. Local group policies
  3. Site group policies
  4. Domain group policies
  5. Organizational unit group policies
  6. Child organizational unit group policies

If there are conflicts among the policy settings, the policy settings applied later have precedence and overwrite previously set policy settings. For example, organizational unit policies have precedence over domain group policies. As you might expect, there are exceptions to the precedence rule. These exceptions are discussed later in the section of this chapter entitled “Blocking, Overriding, and Disabling Policies.”

When Are Group Policies Applied?

As you’ll discover when you start working with group policies, policy settings are divided into two broad categories:

  • Those that apply to computers
  • Those that apply to users

Although computer policies are normally applied during system startup, user policies are normally applied during logon. The exact sequence of events is often important in troubleshooting system behavior. The events that take place during startup and logon are as follows:

  1. The network starts and then Windows Server 2003 applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.
  2. Windows Server 2003 runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next one starts. Script execution isn’t displayed to the user unless specified.
  3. A user presses Ctrl+Alt+Del to log on. After the user is validated, Windows Server 2003 loads the user profile.
  4. Windows Server 2003 applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.
  5. Windows Server 2003 runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn’t displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window as in Windows NT 4.0.
  6. Windows Server 2003 displays the start shell interface configured in Group Policy.

By default, Group Policy is refreshed only when a user logs off or a computer is restarted. You can change this behavior by setting a Group Policy refresh interval, as discussed in the section of this chapter entitled “Refreshing Group Policy.” You can also request a refresh on demand: open a command prompt and type gpupdate.

Group Policy Requirements and Version Compatibility

Group policies were introduced with Windows 2000 and apply only to systems running Windows 2000, Windows XP Professional, and Windows Server 2003. As you might expect, each new version of the Windows operating system has brought with it changes to Group Policy. Sometimes these changes have made older policies obsolete on newer versions of Windows. In this case, the policy only works on a specific version of the Windows operating system, such as only on Windows 2000.

Generally speaking, however, most policies are forward compatible. This means that policies introduced in Windows 2000 can, in most cases, be used on Windows 2000, Windows XP Professional, and Windows Server 2003. It also means that in most cases Windows XP Professional policies aren’t applicable to Windows 2000, and that policies introduced in Windows Server 2003 aren’t applicable to Windows 2000 or Windows XP Professional.

If a policy isn’t applicable to a particular version of the Windows operating system, you can’t enforce the policy on computers running those versions of the Windows operating system.

How will you know if a policy is supported on a particular version of Windows? Easy. The properties dialog box for each policy has a Supported On field in the Setting tab. This text-only field lists the policy’s compatibility with various versions of the Windows operating system. If you select the policy with the Extended display in the Group Policy Object Editor, you’ll also see a Requirements entry that lists compatibility.

You can also install new policies when you add a service pack, install Windows applications, or add Windows components. This means that you’ll see a wide range of compatibility entries.

Managing Local Group Policies

Each computer running Windows Server 2003 has one local group policy. You manage local policies on a computer by completing the following steps:

  1. Open the Run dialog box by clicking Start and then clicking Run.
  2. Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).
  3. In MMC, click File, and then click Add/Remove Snap-In. This opens the Add/Remove Snap-In dialog box.
  4. In the Standalone tab, click Add.
  5. In the Add Standalone Snap-In dialog box, click Group Policy Object Editor, and then click Add. This starts the Group Policy Wizard.
  6. Under Group Policy Object, Local Computer should be selected by default. If you want to edit the local policy on your computer, simply click Finish. To find the local policy on another computer, click Browse. After you find the policy you want to work with, click OK and then click Finish.
  7. Click Close and then click OK. You can now manage the local policy on the selected computer. For details, see the section of this chapter entitled “Working with Group Policies.”

Local group policies are stored in the %SystemRoot%\System32\GroupPolicy folder on each Windows Server 2003 computer. In this folder you’ll find the following subfolders:

  • Adm

Stores administrative template files currently being used. These files end with the .adm file extension. The Adm folder is only on domain controllers.

  • Machine

Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file.

  • User

Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file.

Warning: You shouldn’t edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console. By default, these files and folders are hidden. If you want to view hidden files and folders in Windows Explorer, select Folder Options from the Tools menu, click the View tab, choose Show Hidden Files And Folders, clear Hide Protected Operating System Files, and then click OK.
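Because Registry.pol is the file that actually carries the registry-based policy for the Machine and User nodes, an administrator checking a system (for example, to confirm that nobody has tampered with the hidden GroupPolicy folder) benefits from being able to read it without the console. The following reader and writer is an added example, not code from the chapter: it follows the documented PReg layout (a PReg header, then [key;value;type;size;data] entries in UTF-16LE); the two GroupPolicyRefreshTime values in the sample are the real registry values behind the refresh-interval policy, and the other sample entries are constructed.

```python
import struct

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
HEADER = b"PReg" + struct.pack("<I", 1)        # "PReg" signature + version 1


def _utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"  # null-terminated UTF-16LE string


def encode_data(reg_type, value):
    """Encode a Python value as the bytes Registry.pol stores for reg_type."""
    if reg_type == REG_DWORD:
        return struct.pack("<I", value)
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return _utf16z(value)
    if reg_type == REG_MULTI_SZ:
        return b"".join(_utf16z(v) for v in value) + b"\x00\x00"
    return bytes(value)                          # REG_BINARY and unknown types


def decode_data(reg_type, raw):
    """Inverse of encode_data."""
    if reg_type == REG_DWORD:
        return struct.unpack("<I", raw)[0]
    if reg_type in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le").rstrip("\x00")
    if reg_type == REG_MULTI_SZ:
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw


def build_pol(entries):
    """Serialise (key, value_name, reg_type, data) tuples into Registry.pol bytes."""
    sep = ";".encode("utf-16-le")
    out = bytearray(HEADER)
    for key, name, reg_type, data in entries:
        payload = encode_data(reg_type, data)
        out += "[".encode("utf-16-le")
        out += _utf16z(key) + sep + _utf16z(name) + sep
        out += struct.pack("<I", reg_type) + sep
        out += struct.pack("<I", len(payload)) + sep
        out += payload + "]".encode("utf-16-le")
    return bytes(out)


def parse_pol(blob):
    """Parse Registry.pol bytes into dicts, refusing malformed or truncated input."""
    if blob[:8] != HEADER:
        raise ValueError("missing PReg signature or unsupported version")
    pos, entries = 8, []

    def read_str():
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\x00\x00":   # scan in UTF-16 code units
            end += 2
            if end >= len(blob):
                raise ValueError(f"unterminated string at offset {pos}")
        text = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        return text

    def expect(ch):
        nonlocal pos
        if blob[pos:pos + 2] != ch.encode("utf-16-le"):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2

    def read_dword():
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError(f"truncated DWORD at offset {pos}")
        value = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        return value

    while pos < len(blob):
        expect("[")
        key = read_str(); expect(";")
        name = read_str(); expect(";")
        reg_type = read_dword(); expect(";")
        size = read_dword(); expect(";")
        raw = blob[pos:pos + size]
        if len(raw) != size:
            raise ValueError(f"truncated data at offset {pos}")
        pos += size
        expect("]")
        entries.append({"key": key, "name": name, "type": reg_type,
                        "data": decode_data(reg_type, raw),
                        # "**Del." names instruct the client to delete a value
                        "delete": name.startswith("**Del.")})
    return entries


# Constructed sample; only the GroupPolicyRefreshTime* names are real policy values.
SYSTEM_KEY = "Software\\Policies\\Microsoft\\Windows\\System"
SAMPLE = [
    (SYSTEM_KEY, "GroupPolicyRefreshTime", REG_DWORD, 90),
    (SYSTEM_KEY, "GroupPolicyRefreshTimeOffset", REG_DWORD, 30),
    ("Software\\Policies\\Example", "LogonBanner", REG_SZ, "Authorized use only"),
    ("Software\\Policies\\Example", "AllowedApps", REG_MULTI_SZ, ["calc.exe", "notepad.exe"]),
    ("Software\\Policies\\Example", "**Del.LegacyValue", REG_SZ, " "),
]


def sample_roundtrip():
    return parse_pol(build_pol(SAMPLE))   # build the sample in memory, parse it back
```

On a real system, parse_pol(open(path, "rb").read()) lists the entries of a Registry.pol file taken from the Machine or User folder described above.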

Creating and Editing Site, Domain, and Organizational Unit Policies

You create and edit site, domain, and organizational unit policies by completing the following steps:

  1. For sites, you start the Group Policy snap-in from the Active Directory Sites And Services console. Open the Active Directory Sites And Services console.
  2. For domains and organizational units, you start the Group Policy snap-in from the Active Directory Users And Computers console. Open the Active Directory Users And Computers console.
  3. In the appropriate console root, right-click the site, domain, or organizational unit on which you want to create or manage a group policy. Then select Properties on the shortcut menu. This opens a properties dialog box.
  4. In the properties dialog box, select the Group Policy tab. Existing policies are listed in the Group Policy Object Links list.
  5. To create a new policy, click New. You can now configure the policy as explained in the section of this chapter entitled “Working with Group Policies.”
  6. To edit an existing policy, select the policy and then click Edit. You can now edit the policy as explained in the section of this chapter entitled “Working with Group Policies.”
  7. To change the priority of a policy, select the policy that you want to work with and then use the Up or Down button to change its position in the Group Policy Object Links list.

Site, domain, and organizational unit group policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers. In this folder you’ll find one subfolder for each policy you’ve defined on the domain controller. The policy folder names are the policy’s Globally Unique Identifier (GUID). The GUIDs can be found on the policy’s properties page in the General tab in the summary frame. Within these individual policy folders, you’ll find the following subfolders:

  • Adm

Stores administrative template files currently being used. These files end with the .adm file extension. The Adm folder is only on domain controllers.

  • Machine

Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file.

  • User

Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file.

Blocking, Overriding, and Disabling Policies

You can block policy inheritance at the site, domain, and organizational unit level. This means that you could block policies that would otherwise be applied. At the site and domain level, you can also enforce policies that would otherwise be contradicted or blocked. This gives top-level administrators the ability to enforce policies and prevent them from being blocked. Another available option is to disable policies. You can disable a policy partially or entirely without deleting its definition.

You configure these policy options by completing the following steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1–4 of the “Creating and Editing Site, Domain, and Organizational Unit Policies” section earlier in this chapter.
  2. Select Block Policy Inheritance to prevent the inheritance of higher-level policies (unless those policies have the No Override option set).
  3. Use the No Override option to prevent lower-level policies from blocking the policy settings. Select or clear the No Override option by double-clicking in the appropriate column to the right of the group policy entry. A check mark indicates the option is selected.
  4. Use the Disabled option to prevent the policy from being used. Select or clear the Disabled option by double-clicking in the appropriate column to the right of the group policy entry. A check mark indicates the option is selected.
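The application order from “In What Order Are Multiple Policies Applied?” together with the Block Policy Inheritance, No Override, and Disabled options above can be checked against a small model. The following Python is an added example, not from the chapter; the site, domain, and organizational unit names reuse the chapter’s samples, the setting names are constructed, and it assumes (from Group Policy behaviour, not stated in the chapter) that the top entry in a container’s Group Policy Object Links list is applied last and therefore wins conflicts at that level.

```python
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    name: str                   # GPO name (constructed sample)
    settings: dict              # setting name -> value
    no_override: bool = False   # "No Override" column checked on the link
    disabled: bool = False      # "Disabled" column checked on the link


@dataclass
class Container:
    name: str                                   # site, domain or OU (constructed)
    links: list = field(default_factory=list)   # Group Policy Object Links list,
                                                # top entry first (highest priority)
    block_inheritance: bool = False             # "Block Policy Inheritance" checked


def resolve(chain):
    """Return (effective_settings, winner) for the last container in chain.

    chain is ordered top-down, e.g. [site, domain, ou, child_ou]. The local
    GPO, which is applied before all of these, is not modelled here.
    """
    ordinary_by_level = []   # ordinary links, one list per container
    enforced_by_level = []   # No Override links, one list per container
    for container in chain:
        if container.block_inheritance:
            # Block Policy Inheritance drops every higher-level link
            # except those marked No Override.
            ordinary_by_level = []
        # Within one container the list is applied bottom-up, so the
        # top entry is applied last and wins conflicts at that level.
        active = [link for link in reversed(container.links) if not link.disabled]
        ordinary_by_level.append([link for link in active if not link.no_override])
        enforced_by_level.append([link for link in active if link.no_override])

    # Ordinary links: site, domain, OU, child OU; later ones win.
    order = [gpo for level in ordinary_by_level for gpo in level]
    # No Override links are applied after all ordinary links, and a
    # higher-level No Override link beats a lower-level one, so walk the
    # levels in reverse (child OU first, site last).
    order += [gpo for level in reversed(enforced_by_level) for gpo in level]

    effective, winner = {}, {}
    for gpo in order:
        for key, value in gpo.settings.items():
            effective[key] = value     # later application overwrites earlier
            winner[key] = gpo.name
    return effective, winner


def example(block_at_ou):
    """Constructed scenario using the container names from this chapter."""
    site = Container("WashingtonMain", [
        GpoLink("Site Audit", {"AuditLogon": "on"}, no_override=True),
        GpoLink("Site Defaults", {"ScreenSaverTimeout": 600}),
    ])
    domain = Container("SeattleEast", [
        GpoLink("Domain Defaults", {"ScreenSaverTimeout": 900,
                                    "MinPasswordLength": 8}),
        GpoLink("Old Lockout", {"MinPasswordLength": 6}, disabled=True),
    ])
    ou = Container("Engineering", [
        GpoLink("Eng Desktop", {"ScreenSaverTimeout": 1200, "AuditLogon": "off"}),
    ], block_inheritance=block_at_ou)
    return resolve([site, domain, ou])


if __name__ == "__main__":
    for block in (False, True):
        effective, winner = example(block)
        print("Block Policy Inheritance on Engineering:", block)
        for key in sorted(effective):
            print(f"  {key} = {effective[key]}  (from {winner[key]})")
```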

Disabling an Unused Part of Group Policy

Another way to disable a policy is to disable an unused part of the GPO. When you do this, you block the Computer Configuration or User Configuration settings, or both, and don’t allow them to be applied. By disabling part of a policy that isn’t used, the application of GPOs and security will be faster.

You can enable or disable configuration settings in Group Policy by following these steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1–4 of the “Creating and Editing Site, Domain, and Organizational Unit Policies” section earlier in this chapter.
  2. Click Properties in the Group Policy tab, and then select or clear Disable Computer Configuration Settings and Disable User Configuration Settings.

Caution

Any settings of the blocked node aren’t applied and are essentially lost. To get these settings back, you’ll have to clear the Disable … Settings options.

Applying an Existing Policy to a New Location

Any group policy that you’ve created can be associated with another computer, unit, domain, or site. By associating the policy with another object, you can use the policy settings without having to recreate them.

You apply an existing policy to a new location by completing the following steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with.
  2. In the Group Policy tab, click Add. As shown in Figure 4-2, this opens the Add A Group Policy Object Link dialog box.
  3. Use the tabs and fields provided to find the group policy you want to apply to the current location. When you find the policy, click OK.

Deleting a Group Policy

You can disable or delete group policies that you don’t use. To disable a policy, double-click in the Disabled column to the right of the group policy entry. A check mark indicates that the option is selected. To delete a policy, follow these steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1–4 of the section of this chapter entitled “Creating and Editing Site, Domain, and Organizational Unit Policies.”
  2. Select the policy you want to delete and then click Delete.
  3. If the policy is linked, you have the option of deleting the link without affecting other containers that use the policy. To do this, in the Delete dialog box select Remove The Link From The List.
  4. If the policy is linked, you can also delete the link and the related policy object, which permanently deletes the policy. To do this, select Remove The Link And Delete The Group Policy Object Permanently.

Refreshing Group Policy

When you make changes to Group Policy, those changes are immediate. However, they aren’t propagated automatically. Client computers request policy when

  • The computer starts
  • A user logs on
  • An application or user requests a refresh
  • A refresh interval is set for Group Policy and the interval has elapsed

As you learned previously in this chapter, you can request that a policy be refreshed on a local computer using the Gpupdate command-line utility. Simply type gpupdate at the command prompt. You can also refresh a policy by setting a specific refresh interval, which thereby periodically forces a refresh. Either way, however, the refresh is only a background refresh and some policies might not be updated. The only way to ensure that all user policies are updated is to have the user log off. The only way to ensure that all computer policies are updated is to restart the computer.

To set a refresh interval in Group Policy, follow these steps:

  1. Access the Group Policy console for the site, domain, or organizational unit you want to work with as specified in the section of this chapter entitled “Creating and Editing Site, Domain, and Organizational Unit Policies.”
  2. Access the Group Policy node by expanding Computer Configuration\Administrative Templates\System\Group Policy.
  3. In the details pane, double-click Group Policy Refresh Interval For Computers. This policy controls the background refresh rate for computer policies.
  4. In the Setting tab, select Enabled. You can now set the refresh interval for computer policies using the options provided. With the default settings, Group Policy is updated every 90 minutes with a random offset of 0 to 30 minutes. The offset makes it less likely that multiple computers will request updates at the same time. Click OK.
  5. Access User Configuration\Administrative Templates\System\Group Policy.
  6. In the details pane, double-click Group Policy Refresh Interval For Users. This policy controls the background refresh rate for user policies.
  7. In the Setting tab, select Enabled. You can now set the refresh interval for user policies using the options provided. Click OK when finished.
  8. When applying a refresh, network traffic is generated. During the update, the local computer might be less responsive than normal, which might affect the user’s work.

Note

The refresh interval for computers doesn’t apply to domain controllers. If you want domain controllers to regularly refresh a policy, access Computer Configuration\Administrative Templates\System\Group Policy and then double-click Group Policy Refresh Interval For Domain Controllers. You can now set the refresh interval.

Exchange Server supports public folders. Public folders are for common access to messages and files. Files can be dragged from file-access interfaces, such as Explorer in Windows 98, NT 4, 2000, and 2003, and can be dropped into public folders.

You can set up sorting rules for a public folder so that items in the folder are organized by a range of attributes, such as the name of the sender or the creator of the item, or the date that the item arrived or was placed in the folder. Items in a public folder can be sorted by conversation threads. You can also put applications built on existing products such as Word or Excel or with Exchange or Outlook Forms Designer, client or server scripting, or the Exchange API set into public folders. You can use public folders to replace many of the maddening paper-based processes that abound in every organization.

For easy access to items in a public folder, you can use a folder link. You can send a link to a folder in a message. When someone goes to the folder and double-clicks a file you put in the folder, the file opens. Everyone who receives the message works with the same linked attachment, so everyone reads and can modify the same file. As with document routing, applications such as Microsoft Word can keep track of each person’s changes to and comments on file contents. Of course, your users will have to learn to live with the fact that only one person can edit an application file at a time. Most modern end-user applications warn the user that someone else is using the file and allow the user to open a read-only copy of the file, which, of course, can’t be edited. Third-party applications offer tighter document checkout control (see the Appendix, ‘Cool Third-Party Applications for Exchange Server and Outlook Clients’).

If all this isn’t already enough, Exchange is very much Internet aware. With Exchange Server 2003, you can publish all or selected public folders on the Internet, where they become accessible with a simple Internet browser. You can limit Internet access to public folders only to users who have access under Windows Server 2003’s security system, or you can open public folders to anyone on the Internet. Just think about it: Internet-enabled public folders let you put information on the Internet without the fuss and bother of website design and development. Any item can be placed on the Internet by simply adding a message or other object to a public folder.

Before we leave public folder applications, I want to mention one more option: Exchange Server 2003 enables you to bring any or all of those Usenet Internet newsgroups to your public folder environment. With their Outlook clients, users then can read and reply to newsgroup items just as though they were using a standard newsgroup reader application. Exchange Server comes with all the tools that you need to do this. All you need is an Internet connection, access to a host computer that can provide you with a feed of newsgroup messages, and a set of rules about which groups to exclude. Remember, this is where the infamous alt.sex newsgroups live. But you don’t have to use public newsgroups. Rather, you can create your own private newsgroups for internal communications.

Exchange Server 2003 is a complex product with a remarkably easy-to-use interface for administration and management. All of this complexity and parallel ease of use requires an industrial-strength computer. The minimum server computer suggested here is for testing, learning about, and evaluating the product. It’s also enough for a small, noncritical installation. However, as I discuss in the book, when the server moves into critical production environments, where it will be accessed by large numbers of users, you’ll need to beef up its hardware and add a number of fault-tolerant capabilities. On the client side, with the broad range of clients available for Exchange, the machines now on desktops in most organizations should be more than adequate.

At a minimum, to test, learn about, and evaluate Exchange Server, you need the following:

  • Either Microsoft Exchange Server 2003 and any version of Windows Server 2003 or Microsoft Exchange Server 2003 Enterprise Edition and Windows Server 2003 Enterprise or Datacenter Edition.
  • A 1GHz Pentium III- or 4-based PC with 512MB of RAM and two 9GB disk drives. This allows you to complete exercises involving a single Exchange server.
  • A minimum of three additional computers in the class just described. This allows you to complete exercises involving multiple computers in multiple administrative groups and Windows Server 2003 domains.
  • Tape backup hardware or at least one independent disk drive for backup.
  • A local area network (preferably connected to the Internet).
  • At least one 800MHz Pentium III or 4 or equivalent computer with 128MB of memory running Windows XP Professional.

Many command-line utilities are included with Windows Server 2003. Most of the utilities you’ll work with as an administrator rely on Transmission Control Protocol/Internet Protocol (TCP/IP). Because of this, you should install TCP/IP networking before you experiment with these tools.

Utilities to Know

As an administrator, you should familiarize yourself with the following command-line utilities:

  • ARP

Displays and manages the IP-to-Physical address mappings used by Windows Server 2003 to send data on the TCP/IP network.

  • AT

Schedules programs to run automatically.

  • DNSCMD

Displays and manages the configuration of DNS services.

  • FTP

Starts the built-in FTP client.

  • HOSTNAME

Displays the computer name of the local system.

  • IPCONFIG

Displays the TCP/IP properties for network adapters installed on the system. You can also use it to renew and release DHCP information.

  • NBTSTAT

Displays statistics and current connections for NetBIOS over TCP/IP.

  • NET

Displays a family of useful networking commands.

  • NETSH

Displays and manages the network configuration of local and remote computers.

  • NETSTAT

Displays current TCP/IP connections and protocol statistics.

  • NSLOOKUP

Checks the status of a host or IP address when used with DNS.

  • PATHPING

Traces network paths and displays packet loss information.

  • PING

Tests the connection to a remote host.

  • ROUTE

Manages the routing tables on the system.

  • TRACERT

During testing, determines the network path taken to a remote host.

To learn how to use these command-line tools, type the name at a command prompt followed by /?. Windows Server 2003 then provides an overview of how the command is used (in most cases).

Using NET Tools

You can more easily manage most of the tasks performed with the NET commands by using graphical administrative tools and Control Panel utilities. However, some of the NET tools are very useful for performing tasks quickly or for obtaining information, especially during telnet sessions to remote systems. These commands include

  • NET SEND

Sends messages to users logged in to a particular system

  • NET START

Starts a service on the system

  • NET STOP

Stops a service on the system

  • NET TIME

Displays the current system time or synchronizes the system time with another computer

  • NET USE

Connects and disconnects from a shared resource

  • NET VIEW

Displays a list of network resources available to the system

To learn how to use any of the NET command-line tools, type NET HELP followed by the command name, such as NET HELP SEND. Windows Server 2003 then provides an overview of how the command is used.

Control Panel contains utilities for working with a system’s setup and configuration. You can organize the Control Panel in different ways according to the view you’re using. A view is simply a way of organizing and presenting options. The key utilities you’ll want to use include

  • Add Hardware

Starts the Add Hardware Wizard, which you can use to install and troubleshoot hardware.

  • Add Or Remove Programs

Used to install programs and to safely uninstall programs. Also used to modify Windows Server 2003 setup components. For example, if you didn’t install an add-on component, such as Certificate Services, during installation of the OS, you can use this utility to add it later.

  • Date And Time

Used to view or set a system’s date, time, and time zone. Rather than manually setting the time on individual computers in the domain, you can use the Windows Time Service to automatically synchronize time on the network.

  • Display

Used to configure backgrounds, screen savers, video display mode, and video settings. You can also use this utility to specify desktop icons and to control visual effects, such as the menu fade effect.

  • Folder Options

Used to set a wide variety of folder and file options, including the type of desktop used, the folder views used, whether offline files are used, and whether you need to single-click or double-click to open items.

  • Licensing

On a workstation you use this utility to manage licenses on a local system. On a server it also allows you to change the client-licensing mode of installed products, such as Windows Server 2003 or Microsoft SQL Server.

  • Network Connections

Used to view network identity information, to add network components, and to establish network connections. You can also use this utility to change a system’s computer name and domain.

  • Printers And Faxes

Provides quick access to the Printers And Faxes folder, which you can use to manage print devices on a system.

  • Scheduled Tasks

Allows you to view and add scheduled tasks. You can schedule tasks on a one-time or recurring basis to handle common administrative jobs.

  • System

Used to display and manage system properties, including properties for startup/shutdown, environment, hardware profiles, and user profiles.

The Windows Server 2003 family of operating systems consists of Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows Server 2003, Web Edition. Each edition has a specific purpose:

  • Windows Server 2003, Standard Edition

Designed to provide services and resources to other systems on a network. It’s a direct replacement for Windows NT 4.0 Server and Windows 2000 Server. The operating system has a rich set of features and configuration options. Windows Server 2003, Standard Edition supports up to 4 gigabytes (GB) of RAM and two CPUs.

  • Windows Server 2003, Enterprise Edition

Extends the features provided in Windows Server 2003, Standard Edition to include support for Cluster Service, metadirectory services, and Services for Macintosh. It also supports 64-bit Intel Itanium-based computers, hot swappable RAM, and nonuniform memory access (NUMA). Enterprise servers can have up to 32 GB of RAM on x86, 64 GB of RAM on Itanium, and eight CPUs.

  • Windows Server 2003, Datacenter Edition

The most robust Windows server. It has enhanced clustering features and supports very large memory configurations with up to 64 GB of RAM on x86 and 128 GB of RAM on Itanium. It has a minimum CPU requirement of 8 and can support up to 32 CPUs in all.

  • Windows Server 2003, Web Edition

Designed to provide Web services for deploying Web sites and Web-based applications. As such, this server edition includes the Microsoft .NET Framework, Microsoft Internet Information Services (IIS), ASP.NET, and network load-balancing features but lacks many other features, including Active Directory. In fact, the only other key Windows features in this edition are the Distributed File System (DFS), Encrypting File System (EFS), and Remote Desktop for administration. Windows Server 2003, Web Edition supports up to 2 GB of RAM and two CPUs.

When you install a Windows Server 2003 system, you configure the system according to its role on the network.

  • Servers are generally assigned to be part of a workgroup or a domain.
  • Workgroups are loose associations of computers in which each individual computer is managed separately.
  • Domains are collections of computers that you can manage collectively by means of domain controllers, which are Windows Server 2003 systems that manage access to the network, to the directory database, and to shared resources.

All versions of Windows Server 2003 allow you to configure different views for the Start Menu. The views for the Start Menu are

  • Classic Start Menu

The view used in previous versions of Windows. With this view, clicking Start displays a pop-up dialog box with direct access to common menus and menu items.

With the Classic Start Menu, you access administrative tools by clicking Start, clicking Programs, and then clicking Administrative Tools. You access the Control Panel by clicking Start, pointing to Settings, and then clicking Control Panel.

  • Simple Start Menu

Allows you to directly access commonly used programs and directly execute common tasks. You can, for example, click Start and then click Log Off to quickly log off the computer.

With the Simple Start Menu, you access administrative tools by clicking Start and then clicking Administrative Tools. You access the Control Panel by clicking Start and then clicking Control Panel.

Domain Controllers and Member Servers

When you install Windows Server 2003 on a new system, you can configure the server to be a member server, a domain controller, or a stand-alone server. The differences between these types of servers are extremely important. Member servers are a part of a domain but don’t store directory information. Domain controllers are distinguished from member servers because they store directory information and provide authentication and directory services for the domain. Stand-alone servers aren’t a part of a domain and have their own user database. Because of this, stand-alone servers also authenticate logon requests themselves.

Windows Server 2003 doesn’t designate primary or backup domain controllers. Instead, it supports a multimaster replication model. In this model any domain controller can process directory changes and then replicate those changes to other domain controllers automatically. This differs from the Windows NT single master replication model in which the primary domain controller stores a master copy and backup controllers store backup copies of the master. Additionally, Windows NT distributed only the Security Account Manager (SAM) database, but Windows Server 2003 distributes an entire directory of information called a data store. Inside the data store are sets of objects representing user, group, and computer accounts as well as shared resources, such as servers, files, and printers.

Domains that use Active Directory are referred to as Active Directory domains. This distinguishes them from Windows NT domains. Although Active Directory domains can function with only one domain controller, you can and should configure multiple domain controllers in the domain. This way, if one domain controller fails, you can rely on the other domain controllers to handle authentication and other critical tasks.

In an Active Directory domain, any member server can be promoted to a domain controller, and you don’t need to reinstall the OS as you had to in Windows NT. To promote a member server, all you need to do is install the Active Directory component on the server. You can also demote domain controllers to be member servers, provided that the server isn’t the last domain controller on the network. You promote and demote domain controllers by using the Active Directory Installation Wizard and following these steps:

  1. Click Start.
  2. Click Run.
  3. Type dcpromo in the Open field, and then click OK.

Understanding and Using Server Roles

Servers running Windows Server 2003 are configured based on the services they offer. You can add or remove services at any time by using the Configure Your Server Wizard and following these steps:

  1. Click Start.
  2. Click Programs or All Programs as appropriate.
  3. Click Administrative Tools, and then select Configure Your Server Wizard.
  4. Click Next twice. Windows Server 2003 gathers information about the server’s current roles. The Server Role page displays a list of available server roles and specifies whether they’re configured. Adding and removing roles is easy:
  • If a role isn’t configured and you want to add the role, click the role in the Server Role column and then click Next. Follow the prompts.
  • If a role is configured and you want to remove the role, click the role in the Server Role column and then click Next. Read any warnings displayed carefully and then follow the prompts.

Any server can support one or more of the following server roles:

  • Application server

A server that provides XML Web services, Web applications, and distributed applications. When you configure a server with this role, IIS, COM+, and the Microsoft .NET Framework are installed automatically. You also have the option of adding Microsoft FrontPage Server Extensions and enabling or disabling ASP.NET.

  • DHCP server

A server that runs the Dynamic Host Configuration Protocol (DHCP) and can automatically assign Internet Protocol (IP) addresses to clients on the network. This option installs DHCP and starts the New Scope Wizard.

  • DNS server

A server that runs DNS and resolves computer names to IP addresses and vice versa. This option installs DNS and starts the DNS Server Wizard.

  • Domain controller

A server that provides directory services for the domain and has a directory store. Domain controllers also manage the logon process and directory searches. This option installs DNS and Active Directory.

  • File server

A server that serves and manages access to files. This option enables you to quickly configure disk quotas and indexing. You can also install the Web-based file administration utility, which installs IIS and enables Active Server Pages (ASP).

  • Mail server (POP3, SMTP)

A server that provides basic Post Office Protocol 3 (POP3) and Simple Mail Transfer Protocol (SMTP) mail services so that POP3 mail clients can send and receive mail in the domain. Once you install this service, you define a default domain for mail exchange and then create and manage mailboxes. These basic services are best for small offices or remote locations where e-mail exchange is needed but you don’t need the power and versatility of Microsoft Exchange Server.

  • Print server

A server that provides and manages access to network printers, print queues, and printer drivers. This option enables you to quickly configure printers and print drivers that the server should provide.

  • Remote access/VPN server

A server that routes network traffic and manages dial-up networking or virtual private networking (VPN). This option starts the Routing and Remote Access Setup Wizard. You can configure routing and remote access to allow outgoing connections only, incoming and outgoing connections, or no outside connections at all.

  • Server cluster node

A server that operates as part of a group of servers working together called a cluster. This option starts the New Server Cluster Wizard, which allows you to create a new cluster group, or the Add Nodes Wizard, which allows you to add the server to an existing cluster. (This server role is supported by the Enterprise and Datacenter versions only.)

  • Streaming media server

A server that provides streaming media content to other systems on the network or the Internet. This option installs Windows Media Services. (This server role is supported by the Standard and Enterprise versions only.)

  • Terminal Server

A server that processes tasks for multiple client computers running in terminal services mode. This option installs Terminal Server. You don’t need to install Terminal Server to remotely manage this server. Remote Desktop is installed automatically with the OS.

  • WINS server

A server that runs Windows Internet Name Service (WINS) and resolves NetBIOS names to IP addresses and vice versa. This option installs WINS.

Once installed, you can manage server roles using Manage Your Server. This enhanced utility in Windows Server 2003 might just become your command and control center.

Frequently Used Tools

Many utilities are available for administering Windows Server 2003 systems. The tools you’ll use the most include

  • Control Panel

A collection of tools for managing system configuration. With Classic Start Menu, you can access these tools by selecting Start, choosing Settings, and then selecting Control Panel. With Simple Start Menu, you can access these tools by selecting Start and then selecting Control Panel.

  • Graphical administrative tools

The key tools for managing network computers and their resources. You can access these tools by selecting them individually on the Administrative Tools submenu.

  • Administrative wizards

Tools designed to automate key administrative tasks. Unlike in Windows NT, there’s no central place for accessing wizards. Instead, you access wizards by selecting the appropriate menu options in other administrative tools.

  • Command-line utilities

You can launch most administrative utilities from the command line. In addition to these utilities, Windows Server 2003 provides others that are useful for working with Windows Server 2003 systems.

Microsoft Windows Server 2003 represents a major advance in reliability, availability, and manageability. Not only is the operating system more versatile than its predecessors, but it also builds on the revolutionary system management and administration concepts introduced with Windows 2000, including

  • Active Directory directory service

An extensible and scalable directory service that uses a namespace based on the Internet standard Domain Name System (DNS).

  • IntelliMirror

Change and configuration management features that support mirroring of user data and environment settings as well as central management of software installation and maintenance.

  • Security Architecture

The architecture provides improvements for smart cards, public and private encryption keys, and security protocols. It also features tools for analyzing system security and for applying uniform security settings to groups of systems.

  • Terminal Services

Services that allow you to remotely log on to and manage other Windows Server 2003 systems.

  • Windows Script Host

A scripting environment for automating common administration tasks, such as creating user accounts or generating reports from event logs.
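As an added example that is not part of the book’s text, the following Windows Script Host script (VBScript, run with cscript) shows the kind of event-log reporting the passage describes: it uses WMI to read the local Security log and tallies failed logon attempts per account and workstation. Event ID 529 (logon failure, unknown user name or bad password) and the Win32_NTLogEvent WMI class are standard on Windows Server 2003; the positions of the user and workstation names within the event’s insertion strings, the file name, and the threshold used to flag an account are assumptions made for this example.

```vbscript
' Added example, not from the book: summarize failed logon attempts recorded in
' the local Security event log using Windows Script Host and WMI.
' Run from a command prompt with:  cscript //nologo FailedLogons.vbs
' The caller must be allowed to read the Security log (e.g. a local administrator).
Option Explicit

Const FAILED_LOGON_EVENT = 529   ' Windows Server 2003: logon failure, bad user name or password
Const ALERT_THRESHOLD = 5        ' assumed threshold for flagging an account; adjust as needed

Dim objWMI, colEvents, objEvent, arrStrings
Dim dictCounts, strUser, strStation, strKey, strHost
Dim intTotal, arrKeys, i

strHost = CreateObject("WScript.Network").ComputerName

' "(Security)" in the moniker enables the privilege needed to read the Security log.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strHost & "\root\cimv2")

' Pull only the failed-logon events from the Security log.
Set colEvents = objWMI.ExecQuery( _
    "SELECT * FROM Win32_NTLogEvent " & _
    "WHERE Logfile = 'Security' AND EventCode = " & FAILED_LOGON_EVENT)

Set dictCounts = CreateObject("Scripting.Dictionary")
intTotal = 0

For Each objEvent In colEvents
    intTotal = intTotal + 1
    strUser = "(unknown)"
    strStation = "(unknown)"
    arrStrings = objEvent.InsertionStrings
    ' Assumption for this example: in a 529 event the first insertion string is the
    ' user name and the sixth is the workstation name, matching the event text
    ' "User Name: %1 ... Workstation Name: %6". Bounds are checked so a malformed
    ' or truncated record cannot abort the report.
    If IsArray(arrStrings) Then
        If UBound(arrStrings) >= 0 Then strUser = arrStrings(0)
        If UBound(arrStrings) >= 5 Then strStation = arrStrings(5)
    End If
    strKey = strUser & " from " & strStation
    If dictCounts.Exists(strKey) Then
        dictCounts(strKey) = dictCounts(strKey) + 1
    Else
        dictCounts.Add strKey, 1
    End If
Next

WScript.Echo "Failed logon events (ID " & FAILED_LOGON_EVENT & ") on " & strHost & ": " & intTotal
WScript.Echo String(60, "-")

' Print one line per account/workstation pair, marking those at or above the threshold.
arrKeys = dictCounts.Keys
For i = 0 To dictCounts.Count - 1
    If dictCounts(arrKeys(i)) >= ALERT_THRESHOLD Then
        WScript.Echo "** " & arrKeys(i) & ": " & dictCounts(arrKeys(i)) & " (at or above threshold)"
    Else
        WScript.Echo "   " & arrKeys(i) & ": " & dictCounts(arrKeys(i))
    End If
Next
```

Auditing of logon events must be enabled (through local or group policy) before the Security log contains anything for this script to count; the same script can be pointed at another server by replacing strHost with that server’s name, provided the caller has the right to read its Security log.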

Although Windows Server 2003 has dozens of other new features, each of the features just listed has far-reaching effects on how you perform administrative tasks. None has more effect than Active Directory technology. A sound understanding of Active Directory structures and procedures is essential to your success as a Windows Server 2003 systems administrator.

That said, the Windows Server 2003 security architecture also has a far-reaching effect on how you perform administrative tasks. Through Active Directory and administrative templates, you can apply security settings to workstations and servers throughout the organization. Thus, rather than managing security on a machine-by-machine basis, you can manage security on an enterprise-wide basis.

Still, one of the biggest changes has to do with the realignment of product families. Client systems are now organized under the Windows XP umbrella and server systems are now organized under the Windows Server 2003