Archive for the ‘Server’ Category

Types of File Encryption in Server 2003

Posted: May 23, 2010 in Security, Server, Server 2003, System Information
Tags: , ,
0


If you have evaluated EFS in Windows 2000 and found critical features missing, it’s worth taking a second look at EFS in Windows Server 2003 and XP. The changes include the following:

  • New and more cryptographically robust encryption methods. You can now choose between DESX encryption (used by Windows 2000) and 3DES (Triple-DES), an algorithm that complies with government standards for handling of non-classified documents.
  • Offline file encryption. This feature is one of the most significant improvements in Windows Server 2003 and XP. It enables users to use a highly convenient feature, offline file storage, while retaining the ability to protect their files with encryption.
  • Encrypted file transfer over WebDAV. The Web-based Distributed Authorizing and Versioning redirector uses HTTP rather than SMB. Encrypted files are transferred in their encrypted state rather than being decrypted prior to transport as happens with SMB. Also, servers can store encrypted files using WebDAV without compromising security with Kerberos delegations.
  • More flexible group policy control. EFS can now be disabled throughout a domain with a single click of the mouse in a group policy. This contrasts with Windows 2000, which requires removing and re-importing X.509 certificates to control encryption.
  • Shared encrypted files. Users with encrypted files can assign access to other users. This enhances the use of EFS in a workgroup. Only individual users can be given access, not groups. Additional users can only be selected by users who already have access.
  • Copy warnings. Explorer now warns users when they attempt to copy or move encrypted files to an unprotected location such as a Zip drive, floppy drive, or FAT partition. New switches in COPY and XCOPY permit overriding these protections, if necessary.
  • Visual cues. The Explorer shell now shows the names of encrypted files and folders in a different color, similar to the way compressed files are displayed in Windows 2000.
  • Improved command-line administration. The CIPHER command-line utility has been updated with several new features, including the ability to generate file recovery certificates, the ability to search for encrypted files on a volume, the ability to refresh certificates for all encrypted files on a volume, and the ability to wipe all unused disk space to remove temporary files. (The wipe feature was released in Windows 2000 SP3.)
  • Security improvements. Although not strictly an EFS improvement, the handling of the crypto Master key has been changed so that it is not updated when a local user password is changed by anyone other than the user. This eliminates a serious deficiency for standalone laptops and desktops. Now a hacker cannot use utilities to change a user’s password (or the Administrator password) on a standalone machine to gain access to encrypted files.

Not every change is a welcome one, however. In Windows 2000, files cannot be encrypted without the certificate of a Data Recovery Agent (DRA). This ensures that a user cannot encrypt files and then quit the company and leave you without a means of recovering the files. In Windows Server 2003 and XP, it is possible to encrypt files without a DRA. This “feature” has potentially serious consequences because users could encrypt their files and then lose the private key, thereby losing access to the files permanently.

Perform a unattended Server Core install

Posted: May 21, 2010 in Server, Server 2008, System Information
Tags: ,
1


As with previous versions of the OS, you use an ‘‘unattend’’ file for a Server Core installation or a regular Windows Server 2008 image. The unattended server install enables you to perform most of the initial configuration tasks during Setup. The following section describes an unattended installation of the Server Core image. If you have a number of servers to install, the unattended installation of Server Core can provide a host of benefits.

There is no need to perform initial configuration using command-line tools because you can include options in the unattend file that will enable remote administration. Once Setup completes you will be able to connect with various tools and applications and continue to fine-tune and configure.

To install a Server Core installation by using an unattend file, do the following:

1. First create an .xml file titled unattend.xml. You can use any text editor or the Windows System Image Manager.

2. Next copy the unattend.xml file to a local drive or place it on a shared network resource.

3. Place the Windows Preinstallation Environment (Windows PE), Windows Server 2003, or Windows XP media in the machine’s CD drive and start your computer.

4. Next place the CD of the Server Core installation image of Windows Server 2008 into your disk drive. As soon as the auto-run Setup window appears, click Cancel. This will bring you to the command prompt.

5. Next, change to the drive that contains the installation media, enter the following command, and press Enter:

setup /unattend:<path>\unattend.xml

The <path> is the path to your unattend.xml file described in step 2. Setup will run to completion with whatever you have in the unattend.xml file.

Partitioning hard-disk drives

Posted: May 21, 2010 in Server, Server 2008, System Information
Tags: ,
1

 

Give Windows Server 2008 a hand, and it takes an arm . . . or at least another drive. Installation assesses all the hard-drive resources in the system, and if you have two drives (or partitions), the OS attempts to use both. The first active partition gets snagged for the system files . . . the minimum required to raise the system to a point where you can run recovery tools or the Recovery Console. Windows Server 2008 calls this the system volume.

Windows Server 2008 then snags a second drive or partition and uses it for the boot files, the files needed to boot the rest of the operating system all the way to the desktop on which you can log in. Windows Server 2008 calls this volume the boot volume. (This is a reversal of the old naming convention for boot and system partitions.)

Two reasons exist for the dual-disk consumption. First, Windows Server 2008 is optimized to use more than one hard-disk drive. Second, a minimum boot disk can be configured to hold just the boot files and can be formatted as FAT or FAT32 instead of NTFS. The theory is that if you lose the base operating system — that is, if you cannot boot to the desktop — you can atleast boot to a DOS diskette and then, from DOS, copy new base files over the corrupt ones (or replace a defective drive). Many NT and NetWare systems have been configured this way. However, a well-designed and managed system need not retain a FAT boot disk, which, because of its poor security, is a risk to the entire system because it does not support file-level security.

Windows Server 2008, however, enables you to boot to the Boot Options console (whenever it detects a disaster). Here you have several options, such as Safe Mode with Networking, and from there you can attempt to boot without certain services and debug the problem after you have the OS up and running. You can also boot the Recovery Mode Console, which takes you to a command line that you can use to access NTFS partitions and the boot disks. The practice of leaving boot or system files on FAT volumes is old-fashioned — the result of bad memories from Windows NT days. We recommend the partition arrangement options described in the following sections.

Option 1: One HDD

This arrangement uses one hard-disk drive, which forces Windows Server 2008 to put both boot files and system files onto the same drive and partition. To use this option, follow these steps:

1. Configure the system with one hard-disk drive of about 12GB in size. (Microsoft’s official recommendation is to supply at least a 10GB partition, but with roles and features to be added, as well as patches and fixes and new features coming down the road, you need to leave room for expansion.)

2. Format the partition during the install as NTFS.

3. Have Windows Server 2008 choose the default partition name.

The pros of this partitioning option are as follows: First, you save on hard-disk drives. Second, you can mirror this disk for fault tolerance. (Unfortunately, you can mirror the disk only under hardware disk mirroring because Windows Server 2008 does not enable you to mirror a disk that was installed as a basic partition . . . even if you make the disk a dynamic disk.)

The negatives of this partitioning option are that, if you must format the system or boot volumes as FAT, you end up with a disk consisting of numerous partitions. This is not necessary on a server and can later lead to problems, such as no capability to mirror or diminishing hard-disk space and the advanced features of dynamic disks. You may also have trouble providing dual-boot capability, but dual boot is not recommended, and besides, you have no need to provide dual boot on a production server.

Option 2: Two HDDs

This arrangement uses two hard-disk drives: Windows Server 2008 puts boot files on one disk and system files on the second disk. To use this option, follow these steps:

1. Configure the system with two hard-disk drives of about 2GB each in size.

2. Format the drives as NTFS during the install.

3. Have Windows Server 2008 choose the partition names and the default and put the files where it needs to.

The positive aspect of this partitioning option, as far as we can tell, is that you have the option of leaving the boot volume formatted as FAT (or FAT32) and formatting the rest of the partitions and drives as NTFS.

The negatives of this partitioning option are that you use up a second drive for a small amount of hard-disk space, but if you are bent on dual or multi-boots, the second drive can hold the additional OS.

Although you have a performance incentive to use a second hard disk, the increased performance is not worth the effort and the second drive, considering the speed and response of modern hard disks. We are also talking about Server Core here and not Active Directory, LOB servers, SQL Server, or Exchange, which are built to take advantage of additional drives. You would be better off using a second drive as a mirror of the first to gain a fault-tolerance feature.

What Is Server Core?

Posted: May 21, 2010 in Server, Server 2008
Tags: , ,
0

The Server Core installation lets you install a minimal OS for running just the chosen server

roles that would not even need a GUI. This means that you don’t have the huge ‘‘attack’’ surface

that will ensue from all the service requirements. One more thing: Once you install just Server

Core you can stand your server up in a secure environment, both physical and online, and

worry only about securing the services you are actually running. Once Server Core has been

installed you can then open Server Manager (remotely or via scripting) and install, among many

others, the following server roles:

■ Active Directory Domain Services (AD DS)

■ Application Server

■ DHCP Server

■ DNS Server

■ File Services

■ Print Services

Here are some more benefits of the Server Core installation alternative:

■ Lower maintenance. You only need to maintain on the server what is actually installed

on the server. Why worry about maintaining File Services on a server that is nothing more

than a simple domain controller?

■ You need less disk space. The Server Core requires only about 1 gigabyte (GB) of disk

space to install and approximately 2GB for operations after the installation.

■ Less management. Management costs in realms like security, availability, and service

level are far less than previous installation scenarios. You would not have to worry about

supporting a bunch of services and code that you are not using.

Managing Restart and Shutdown of Remote Systems

Posted: May 2, 2010 in Server, System Basics, System Information, WorkStation
Tags: ,
0

With remote systems, you need to specify the UNC name or IP address of the system you want to shut down or restart using the /M parameter. Thus, the basic syntax for shutdown, restart, and cancel delayed shutdown become

Shutdown remote system:

shutdown /s /t ShutdownDelay /l /f /m \\System

Restart remote system:

shutdown /r /t ShutdownDelay /l /f /m \\System

Cancel delayed shutdown of remote computer:

shutdown /a /m \\System

In this example, MAILER1 is restarted after a 30-second delay:

shutdown /r /t 30 /m \\Mailer1

In this example, the system with the IP address 192.168.1.101 is restarted immediately and running applications are forced to stop running:

shutdown /r /f /m \\192.168.1.101

Managing Restart and Shutdown of Local Systems

Posted: May 2, 2010 in Registry, Server, System Basics, System Information, WorkStation
Tags:
0

On a local system, you can manage shutdown and restart using the following commands:

Shutdown local system:

shutdown /s /t ShutdownDelay /l /f

Restart local system:

shutdown /r /t ShutdownDelay /l /f

Cancel delayed shutdown of local computer:

shutdown /a

where /T ShutdownDelay is used to set the optional number of seconds to wait before shutdown or restart, /L optionally logs off the current user immediately, and /F optionally forces running applications to close without warning users in advance. In this example, the local system is restarted after a 60-second delay:

shutdown /r /t 60

Starting, Stopping, and Pausing Services

Posted: May 2, 2010 in Registry, Server, System Information, Uncategorized
Tags: ,
0

As an administrator, you’ll often have to start, stop, or pause Windows services. The related SC commands and their syntaxes are

Start a service:

sc start ServiceName

Pause a service:

sc pause ServiceName

Resume a paused service:

sc continue ServiceName

Stop a service:

sc stop ServiceName

where ServiceName in each case is the abbreviated name of the service you want to work with, such as

sc start w3svc

As with all SC commands, you can also specify the name of the remote computer whose services you want to work with. For example, to start the w3svc on MAILER1, you would use the following command:

sc \\Mailer1 start w3svc

The state listed in the results should show START_PENDING. With stop, pause, and continue you’ll see STOP_PENDING, PAUSE_PENDING, and CONTINUE_PENDING respectively as well. If an error results, the output states FAILED and error text is provided to describe the reason for the failure in more detail. If you are trying to start a service that is already started, you’ll see the error

An instance of the service is already running.

If you are trying to stop a service that is already stopped, you’ll see the error

The service has not been started.

Group Policy Management in Windows Server 2003

Posted: April 25, 2010 in Active Directory, Exchange Server, Server, Server 2003, System Information
Tags: , , ,
3


Group policies simplify administration by giving administrators central control over privileges, permissions, and capabilities of both users and computers. Through group policies you can

  • Create centrally managed directories for special folders, such as My Documents. This is covered in the section of this chapter entitled “Centrally Managing Special Folders.”
  • Control access to Windows components, system resources, network resources, Control Panel utilities, the desktop, and the Start menu. This is covered in the section of this chapter entitled “Using Administrative Templates to Set Policies.”
  • Define user and computer scripts to run at specified times. This is covered in the section of this chapter entitled “User and Computer Script Management.”
  • Configure policies for account lockout and passwords, auditing, user rights assignment, and security. This is covered in Part II of this book, “Microsoft Windows Server 2003 Directory Service Administration.”

Understanding Group Policies

You can think of a group policy as a set of rules that helps you manage users and computers. You can apply group policies to multiple domains, to individual domains, to subgroups within a domain, or to individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory directory service.

To understand group policies, you need to know a bit about the structure of Active Directory. In Active Directory, logical groupings of domains are called sites and subgroups within a domain are called organizational units. Thus, your network could have sites called NewYorkMain, CaliforniaMain, and WashingtonMain. Within the WashingtonMain site, you could have domains called SeattleEast, SeattleWest, SeattleNorth, and SeattleSouth. Within the SeattleEast domain, you could have organizational units called Information Services (IS), Engineering, and Sales.

Group policies apply only to systems running Windows 2000, Windows XP Professional, and Windows Server 2003. You set policies for Windows NT 4.0 systems with the System Policy Editor (Poledit.exe). For Windows 95 and Windows 98, you need to use the System Policy Editor provided with Windows 95 or Windows 98, respectively, and then copy the policy file to the Sysvol share on a domain controller.

Group Policy settings are stored in a Group Policy Object (GPO). One way to think of a GPO is as a container for the policies you apply and their settings. You can apply multiple GPOs to a single site, domain, or organizational unit. Because policy is described using objects, many object-oriented concepts apply. If you know a bit about object-oriented programming, you might expect the concepts of parent-child relationships and inheritance to apply to GPOs—and you’d be right.

Through inheritance, a policy applied to a parent container is inherited by a child container. Essentially, this means that a policy setting applied to a parent object is passed down to a child object. For example, if you apply a policy setting in a domain, the setting is inherited by organizational units within the domain. In this case, the GPO for the domain is the parent object and the GPOs for the organizational units are the child objects.

The order of inheritance is as follows:

Site –> Domain –> Organizational Unit

This means that the group policy settings for a site are passed down to the domains within that site and the settings for a domain are passed down to the organizational units within that domain.

As you might expect, you can override inheritance. To do this, you specifically assign a policy setting for a child container that contradicts the policy setting for the parent. As long as overriding of the policy is allowed (that is, overriding isn’t blocked), the child’s policy setting will be applied appropriately. To learn more about overriding and blocking GPOs, see the section of this chapter entitled “Blocking, Overriding, and Disabling Policies.”

In What Order Are Multiple Policies Applied?

When multiple policies are in place, policies are applied in the following order:

  1. Windows NT 4.0 policies (Ntconfig.pol)
  2. Local group policies
  3. Site group policies
  4. Domain group policies
  5. Organizational unit group policies
  6. Child organizational unit group policies

If there are conflicts among the policy settings, the policy settings applied later have precedence and overwrite previously set policy settings. For example, organizational unit policies have precedence over domain group policies. As you might expect, there are exceptions to the precedence rule. These exceptions are discussed later in the section of this chapter entitled “Blocking, Overriding, and Disabling Policies.”

When Are Group Policies Applied?

As you’ll discover when you start working with group policies, policy settings are divided into two broad categories:

  • Those that apply to computers
  • Those that apply to users

Although computer policies are normally applied during system startup, user policies are normally applied during logon. The exact sequence of events is often important in troubleshooting system behavior. The events that take place during startup and logon are as follows:

  1. The network starts and then Windows Server 2003 applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.
  2. Windows Server 2003 runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next one starts. Script execution isn’t displayed to the user unless specified.
  3. A user presses Ctrl+Alt+Del to log on. After the user is validated, Windows Server 2003 loads the user profile.
  4. Windows Server 2003 applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.
  5. Windows Server 2003 runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn’t displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window as in Windows NT 4.0.
  6. Windows Server 2003 displays the start shell interface configured in Group Policy.

By default, Group Policy is refreshed only when a user logs off or a computer is restarted. You can change this behavior by setting a Group Policy refresh interval as discussed in the section of this chapter entitled “Refreshing Group Policy.” To do this, open a command prompt and type gpupdate.

Group Policy Requirements and Version Compatibility

Group policies were introduced with Windows 2000 and apply only to systems running Windows 2000, Windows XP Professional, and Windows Server 2003. As you might expect, each new version of the Windows operating system has brought with it changes to Group Policy. Sometimes these changes have made older policies obsolete on newer versions of Windows. In this case, the policy only works on a specific version of the Windows operating system, such as only on Windows 2000.

Generally speaking, however, most policies are forward compatible. This means that policies introduced in Windows 2000 can, in most cases, be used on Windows 2000, Windows XP Professional, and Windows Server 2003. It also means that in most cases Windows XP Professional policies aren’t applicable to Windows 2000, and that policies introduced in Windows Server 2003 aren’t applicable to Windows 2000 or Windows XP Professional.

If a policy isn’t applicable to a particular version of the Windows operating system, you can’t enforce the policy on computers running those versions of the Windows operating system.

How will you know if a policy is supported on a particular version of Windows? Easy. The properties dialog box for each policy has a Supported On field in the Setting tab. This text-only field lists the policy’s compatibility with various versions of the Windows operating system. If you select the policy with the Extended display in the Group Policy Object Editor, you’ll also see a Requirements entry that lists compatibility.

You can also install new policies when you add a service pack, install Windows applications, or add Windows components. This means that you’ll see a wide range of compatibility entries.

Managing Local Group Policies

Each computer running Windows Server 2003 has one local group policy. You manage local policies on a computer by completing the following steps:

  1. Open the Run dialog box by clicking Start and then clicking Run.
  2. Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).
  3. In MMC, click File, and then click Add/Remove Snap-In. This opens the Add/ Remove Snap-In dialog box.
  4. In the Standalone tab, click Add.
  5. In the Add Standalone Snap-In dialog box, click Group Policy Object Editor, and then click Add. This starts the Group Policy Wizard.
  6. Under Group Policy Object, Local Computer should be selected by default. If you want to edit the local policy on your computer, simply click Finish. To find the local policy on another computer, click Browse. After you find the policy you want to work with, click OK and then click Finish.
  7. Click Close and then click OK. You can now manage the local policy on the selected computer. For details, see the section of this chapter entitled “Working with Group Policies.”

Local group policies are stored in the %SystemRoot%\System32\GroupPolicy folder on each Windows Server 2003 computer. In this folder you’ll find the following subfolders:

  • Adm

Stores administrative template files currently being used. These files end with the .adm file extension. The Adm folder is only on domain controllers.

  • Machine

Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file.

  • User

Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file.

Warning: You shouldn’t edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console. By default, these files and folders are hidden. If you want to view hidden files and folders in Windows Explorer, select Folder Options from the Tools menu, click the View tab, choose Show Hidden Files And Folders, clear Hide Protected Operating System Files, and then click OK.

Creating and Editing Site, Domain, and Organizational Unit Policies

You create and edit site, domain, and organizational unit policies by completing the following steps:

  1. For sites, you start the Group Policy snap-in from the Active Directory Sites And Services console. Open the Active Directory Sites And Services console.
  2. For domains and organizational units, you start the Group Policy snap-in from the Active Directory Users And Computers console. Open the Active Directory Users And Computers console.
  3. In the appropriate console root, right-click the site, domain, or organizational unit on which you want to create or manage a group policy. Then select Properties on the shortcut menu. This opens a properties dialog box.
  4. In the properties dialog box, select the Group Policy tab. existing policies are listed in the Group Policy Object Links list.
  5. To create a new policy, click New. You can now configure the policy as explained in the section of this chapter entitled “Working with Group Policies.”
  6. To edit an existing policy, select the policy and then click Edit. You can now edit the policy as explained in the section of this chapter entitled “Working with Group Policies.”
  7. To change the priority of a policy, select the policy that you want to work with and then use the Up or Down button to change its position in the Group Policy Object Links list.

Site, domain, and organizational unit group policies are stored in the %SystemRoot%\ Sysvol\Domain\Policies folder on domain controllers. In this folder you’ll find one subfolder for each policy you’ve defined on the domain controller. The policy folder names are the policy’s Global Unique Identifier (GUID). The GUIDs can be found on the policy’s properties page in the General tab in the summary frame. Within these individual policy folders, you’ll find the following subfolders:

  • Adm

Stores administrative template files currently being used. These files end with the .adm file extension. The Adm folder is only on domain controllers.

  • Machine

Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file.

  • User

Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file.

Blocking, Overriding, and Disabling Policies

You can block policy inheritance at the site, domain, and organizational unit level. This means that you could block policies that would otherwise be applied. At the site and domain level, you can also enforce policies that would otherwise be contradicted or blocked. This gives top-level administrators the ability to enforce policies and prevent them from being blocked. Another available option is to disable policies. You can disable a policy partially or entirely without deleting its definition.

You configure these policy options by completing the following steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1–4 of the “Creating and Editing Site, Domain, and Organizational Unit Policies” section earlier in this chapter.
  2. Select Block Policy Inheritance to prevent the inheritance of higher-level policies (unless those policies have the No Override option set).
  3. Use the No Override option to prevent lower-level policies from blocking the policy settings. Select or clear the No Override option by double-clicking in the appropriate column to the right of the group policy entry. A check mark indicates the option is selected.
  4. Use the Disabled option to prevent the policy from being used. Select or clear the Disabled option by double-clicking in the appropriate column to the right of the group policy entry. A check mark indicates the option is selected.
Disabling an Unused Part of Group Policy

Another way to disable a policy is to disable an unused part of the GPO. When you do this, you block the Computer Configuration or User Configuration settings, or both, and don’t allow them to be applied. By disabling part of a policy that isn’t used, the application of GPOs and security will be faster.

You can enable or disable configuration settings in Group Policy by following these steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1–4 of the “Creating and Editing Site, Domain, and Organizational Unit Policies” section earlier in this chapter.
  2. Click Properties in the Global Policy tab, and then select or clear Disable Computer Configuration Settings and Disable User Configuration Settings.

Caution

Any settings of the blocked node aren’t applied and are essentially lost. To get these settings back, you’ll have to clear the Disable … Settings options.

Applying an Existing Policy to a New Location

Any group policy that you’ve created can be associated with another computer, unit, domain, or site. By associating the policy with another object, you can use the policy settings without having to recreate them.

You apply an existing policy to a new location by completing the following steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with.
  2. In the Group Policy tab, click Add. As shown in Figure 4-2, this opens the Add A Group Policy Object Link dialog box.
  3. Use the tabs and fields provided to find the group policy you want to apply to the current location. When you find the policy, click OK.
Deleting a Group Policy

You can disable or delete group policies that you don’t use. To disable a policy, double-click in the Disabled column to the right of the group policy entry. A check mark indicates that the option is selected. To delete a policy, follow these steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1–4 of the section of this chapter entitled “Creating and Editing Site, Domain, and Organizational Unit Policies.”
  2. Select the policy you want to delete and then click Delete.
  3. If the policy is linked, you have the option of deleting the link without affecting other containers that use the policy. To do this, in the Delete dialog box select Remove The Link From The List.
  4. If the policy is linked, you can also delete the link and the related policy object, which permanently deletes the policy. To do this, select Remove The Link And Delete The Group Policy Object Permanently.
Refreshing Group Policy

When you make changes to Group Policy, those changes are immediate. However, they aren’t propagated automatically. Client computers request policy when

  • The computer starts
  • A user logs on
  • An application or user requests a refresh
  • A refresh interval is set for Group Policy and the interval has elapsed

As you learned previously in this chapter, you can request that a policy be refreshed on a local computer using the Gpupdate command-line utility. Simply type gpupdate at the command prompt. You can also refresh a policy by setting a specific refresh interval, which thereby periodically forces a refresh. Either way, however, the refresh is only a background refresh and some policies might not be updated. The only way to ensure that all user policies are updated is to have the user log off. The only way to ensure that all computer policies are updated is to restart the computer.

To set a refresh interval in Group Policy, follow these steps:

  1. Access the Group Policy console for the site, domain, or organizational unit you want to work with as specified in the section of this chapter entitled “Creating and Editing Site, Domain, and Organizational Unit Policies.”
  2. Access the Group Policy node by expanding Computer Configuration\ Administrative Templates\System\Group Policy.
  3. In the details pane, double-click Group Policy Refresh Interval For Computers. This policy controls the background refresh rate for computer policies.
  4. In the Setting tab, Select Enabled. You can now set the refresh interval for computer policies using the options provided. With the default settings, Group Policy is updated every 90 minutes with a random offset of 0 to 30 minutes. The offset makes it less likely that multiple computers will request updates at the same time. Click OK.
  5. Access User Configuration\Administrative Templates\System\Group Policy.
  6. In the details pane, double-click Group Policy Refresh Interval For Users. This policy controls the background refresh rate for computer policies.
  7. In the Setting tab, select Enabled. You can now set the refresh interval for user policies using the options provided. Click OK when finished.
  8. When applying a refresh, network traffic is generated. During the update, the local computer might be less responsive than normal, which might affect the user’s work.

Note

The refresh interval for computers doesn’t apply to domain controllers. If you want domain controllers to regularly refresh a policy, access Computer Configuration\Administrative Templates\System\Group Policy and then double-click Group Policy Refresh Interval For Domain Controllers. You can now set the refresh interval.

Exchange Public Folders

Posted: April 25, 2010 in Active Directory, Exchange Server, Server, Server 2003, System Information
Tags: , , ,
0


Exchange Server supports public folders. Public folders are for common access to messages and files. Files

can be dragged from file−access interfaces, such as Explorer in Windows 98, NT 4, 2000, and 2003, and can

be dropped into public folders.

You can set up sorting rules for a public folder so that items in the folder are organized by a range of

attributes, such as the name of the sender or the creator of the item, or the date that the item arrived or was

placed in the folder. Items in a public folder can be sorted by conversation threads. You can also put

applications built on existing products such as Word or Excel or with Exchange or Outlook Forms Designer,

client or server scripting, or the Exchange API set into public folders. You can use public folders to replace

many of the maddening paper−based processes that abound in every organization.

For easy access to items in a public folder, you can use a folder link. You can send a link to a folder in a

message. When someone goes to the folder and double−clicks a file you put in the folder, the file opens.

Everyone who receives the message works with the same linked attachment, so everyone reads and can

modify the same file. As with document routing, applications such as Microsoft Word can keep track of each

person’s changes to and comments on file contents. Of course, your users will have to learn to live with the

fact that only one person can edit an application file at a time. Most modern end−user applications warn the

user that someone else is using the file and allow the user to open a read−only copy of the file, which, of

course, can’t be edited. Third−party applications offer tighter document checkout control (see the Appendix,

‘Cool Third−Party Applications for Exchange Server and Outlook Clients’).

If all this isn’t already enough, Exchange is very much Internet aware. With Exchange Server 2003, you can

publish all or selected public folders on the Internet, where they become accessible with a simple Internet

browser. You can limit Internet access to public folders only to users who have access under Windows Server

2003’s security system, or you can open public folders to anyone on the Internet. Just think about it:

Internet−enabled public folders let you put information on the Internet without the fuss and bother of website

design and development. Any item can be placed on the Internet by simply adding a message or other object

to a public folder.

Before we leave public folder applications, I want to mention one more option: Exchange Server 2003 enables

you to bring any or all of those Usenet Internet newsgroups to your public folder environment. With their

Outlook clients, users then can read and reply to newsgroup items just as though they were using a standard

newsgroup reader application. Exchange Server comes with all the tools that you need to do this. All you need

is an Internet connection, access to a host computer that can provide you with a feed of newsgroup messages,

and a set of rules about which groups to exclude. Remember, this is where the infamous alt.sex newsgroups

live. But you don’t have to use public newsgroups. Rather, you can create your own private newsgroups for

internal communications.

Using Command-Line Utilities in Server 2003

Posted: April 18, 2010 in Active Directory, Server, Server 2003, System Information
Tags: , ,
0

Many command-line utilities are included with Windows Server 2003. Most of the utilities you’ll work with as an administrator rely on Transmission Control Protocol/Internet Protocol (TCP/IP). Because of this, you should install TCP/IP networking before you experiment with these tools.

Utilities to Know

As an administrator, you should familiarize yourself with the following command-line utilities:

  • ARP

Displays and manages the IP-to-Physical address mappings used by Windows Server 2003 to send data on the TCP/IP network.

  • AT

Schedules programs to run automatically.

  • DNSCMD

Displays and manages the configuration of DNS services.

  • FTP

Starts the built-in FTP client.

  • HOSTNAME

Displays the computer name of the local system.

  • IPCONFIG

Displays the TCP/IP properties for network adapters installed on the system. You can also use it to renew and release DHCP information.

  • NBTSTAT

Displays statistics and current connections for NetBIOS over TCP/IP.

  • NET

Displays a family of useful networking commands.

  • NETSH

Displays and manages the network configuration of local and remote computers.

  • NETSTAT

Displays current TCP/IP connections and protocol statistics.

  • NSLOOKUP

Checks the status of a host or IP address when used with DNS.

  • PATHPING

Traces network paths and displays packet loss information.

  • PING

Tests the connection to a remote host.

  • ROUTE

Manages the routing tables on the system.

  • TRACERT

During testing, determines the network path taken to a remote host.

To learn how to use these command-line tools, type the name at a command prompt followed by /?. Windows Server 2003 then provides an overview of how the command is used (in most cases).

Using NET Tools

You can more easily manage most of the tasks performed with the NET commands by using graphical administrative tools and Control Panel utilities. However, some of the NET tools are very useful for performing tasks quickly or for obtaining information, especially during telnet sessions to remote systems. These commands include

  • NET SEND

Sends messages to users logged in to a particular system

  • NET START

Starts a service on the system

  • NET STOP

Stops a service on the system

  • NET TIME

Displays the current system time or synchronizes the system time with another computer

  • NET USE

Connects and disconnects from a shared resource

  • NET VIEW

Displays a list of network resources available to the system

To learn how to use any of the NET command-line tools, type NET HELP followed by the command name, such as NET HELP SEND. Windows Server 2003 then provides an overview of how the command is used.

Older Entries
Newer Entries