| Introduction | xliii |
| PART I PREPARING FOR INSTALLATION | |
| 1 Overview of Windows 2000 | 2 |
| Deploying Server and Workstation Functions Together | 4 |
| Network Management | 5 |
| The Microsoft Management Console | 6 |
| Group Policy | 6 |
| Zero Administration | 6 |
| Terminal Services | 7 |
| Interoperability | 8 |
| System and Network Security | 8 |
| Hardware Support | 9 |
| Availability and Reliability | 10 |
| Active Directory | 11 |
| Storage and File System Support | 11 |
| Removable Storage | 12 |
| Remote Storage | 12 |
| Disk Administrator | 12 |
| Microsoft Distributed File System | 12 |
| NTFS 5 | 12 |
| Communications | 13 |
| Internet Services | 13 |
| Defying Categories | 14 |
| The Need for Planning | 14 |
| Summary | 15 |
| 2 Introducing Directory Services | 16 |
| Understanding Directory Services | 17 |
| Active Directory in Windows 2000 | 19 |
| Terminology and Concepts in Active Directory | 20 |
| The Active Directory Architecture | 23 |
| The Directory System Agent | 23 |
| Naming Formats | 24 |
| The Data Model | 25 |
| Schema Implementation | 25 |
| The Security Model | 25 |
| Naming Contexts and Partitions | 27 |
| The Global Catalog | 27 |
| Summary | 29 |
| 3 Planning Namespace and Domains | 30 |
| Analyzing Naming Convention Needs | 31 |
| Trees and Forests | 31 |
| Defining a Naming Convention | 33 |
| Determining Name Resolution | 36 |
| Planning a Domain Structure | 38 |
| Domains vs. Organizational Units | 38 |
| Designing a Domain Structure | 40 |
| Domain Security Guidelines | 41 |
| Creating Organizational Units | 41 |
| Planning Multiple Domains | 42 |
| Planning a Contiguous Namespace | 42 |
| Determining the Need for a Forest | 43 |
| Creating the Forest | 43 |
| Summary | 43 |
| 4 Planning Deployment | 44 |
| How Information Technology Functions | 46 |
| Identifying Business Needs | 46 |
| Getting Specific | 47 |
| Seeing into the Future | 47 |
| Assessing Your Current Setup | 48 |
| Documenting the Network | 48 |
| Making a Roadmap | 50 |
| Defining Goals | 51 |
| Assessing Risk | 52 |
| Summary | 53 |
| PART II INSTALLATION AND INITIAL CONFIGURATION | |
| 5 Getting Started | 56 |
| Windows Installation Considerations | 57 |
| Reviewing System Requirements | 58 |
| Planning Partitions | 59 |
| Gathering Network Information | 61 |
| Physical Preparation | 62 |
| Dual-Boot Considerations | 63 |
| Installing Windows 2000 | 65 |
| Manually Installing Windows | 66 |
| Automating Windows Installations | 78 |
| Using Setup Command-Line Parameters | 79 |
| Creating a Distribution Folder | 82 |
| Creating Answer Files Using the Setup Manager Wizard | 89 |
| Using SysPrep to Clone Your Computer | 97 |
| Troubleshooting Installations | 99 |
| Setup Freezes or Locks Up | 99 |
| Setup Stops During File Copying | 101 |
| Previous OS Will Not Boot | 102 |
| Summary | 104 |
| 6 Configuring New Windows 2000 Server Installations | 106 |
| Checking for Setup Problems | 107 |
| Configuring Devices | 108 |
| Using the Add/Remove Hardware Wizard | 108 |
| Using Device Manager | 110 |
| Configuring Networking Settings | 114 |
| Changing Your Network Identity | 114 |
| Configuring Network Components | 116 |
| Configuring TCP/IP | 117 |
| Configuring NWLink IPX/SPX | 124 |
| Configuring Storage | 125 |
| Using the Windows 2000 Configure Your Server Tool | 125 |
| Choosing Whether to Set Up a Domain Controller | 126 |
| Configuring the First Server on Your Network | 127 |
| Performance and Memory Tuning | 129 |
| Updating Windows | 132 |
| Securing Windows | 133 |
| Summary | 135 |
| 7 Upgrading to Windows 2000 | 136 |
| Architectural Improvements in Windows 2000 | 137 |
| Domain Controllers and Server Roles in Windows 2000 | 137 |
| Active Directory | 139 |
| Hardware Support | 142 |
| Software Support | 143 |
| Planning a Domain Upgrade | 144 |
| Documenting the Existing Network | 145 |
| Making a Recovery Plan | 148 |
| Planning the Site Topology | 156 |
| Developing an Upgrade Strategy | 158 |
| Preparing Domains and Computers for Upgrading | 161 |
| Preparing the Domains | 161 |
| Preparing the Computers | 161 |
| Upgrading to Windows 2000 Professional from Windows 95/98 | 163 |
| Difficulties Involved with Windows 95/98 Upgrades | 164 |
| Using a Dual Boot | 165 |
| Performing the Upgrade | 166 |
| Upgrading to Windows 2000 Server from Windows NT | 168 |
| Switching Domain Operational Modes | 169 |
| Summary | 173 |
| 8 Installing and Managing Printers | 174 |
| Understanding the Basics | 175 |
| Printer Terminology | 175 |
| Understanding Network Printers | 176 |
| Understanding Print Servers | 177 |
| Understanding the Printing Process | 180 |
| What Happens When You Print a Document | 180 |
| Planning Printer Deployment | 183 |
| Establishing Printer Naming Conventions | 184 |
| Creating Location-Naming Conventions | 185 |
| Choosing Printers and Print Servers | 187 |
| Installing Printers | 189 |
| Adding Local Printers | 190 |
| Sharing Printers on a Network | 192 |
| Adding Printers Shared by Another Computer | 193 |
| Adding TCP/IP Printers on a TCP/IP Printer Port | 194 |
| Adding Printers on an LPR Printer Port | 198 |
| Adding AppleTalk Printing Devices | 199 |
| Modifying Printer Properties | 200 |
| Setting Security Options | 200 |
| Changing Printer Options | 205 |
| Changing Default Print Settings | 213 |
| Setting Print Server Options | 215 |
| Printers and Active Directory | 218 |
| How Printers Are Published | 218 |
| Using Active Directory to Find Printers | 218 |
| Using Printer Location Tracking | 219 |
| Managing Printers and Print Servers | 222 |
| Managing Printers from Windows 2000 | 222 |
| Managing Printers from a Web Browser | 225 |
| Troubleshooting Printing Problems | 227 |
| Printing from the Client Machine Experiencing the Problem | 228 |
| Checking the Print Server Status | 230 |
| Printing from Another Client Machine | 231 |
| Checking the Printer | 231 |
| Deleting Stuck Documents | 232 |
| Troubleshooting Printer Location Tracking | 233 |
| Summary | 234 |
| 9 Managing Users and Groups | 236 |
| Understanding Groups | 237 |
| Assigning Group Scopes | 238 |
| Planning Organizational Units | 240 |
| Creating Organizational Units | 241 |
| Moving Organizational Units | 241 |
| Deleting Organizational Units | 241 |
| Planning a Group Strategy | 242 |
| Determining Group Names | 242 |
| Using Global and Domain Local Groups | 242 |
| Using Universal Groups | 243 |
| Implementing the Group Strategy | 243 |
| Creating Groups | 243 |
| Deleting Groups | 244 |
| Adding Users to a Group | 245 |
| Changing the Group Scope | 246 |
| Creating Local Groups | 247 |
| Managing Built-in Groups and User Rights | 248 |
| Built-in Local Groups | 248 |
| Built-in Domain Local Groups | 249 |
| Built-in Global Groups | 250 |
| Defining User Rights | 250 |
| Creating User Accounts | 257 |
| Naming User Accounts | 257 |
| Account Options | 257 |
| Passwords | 258 |
| Creating a Domain User Account | 260 |
| Creating a Local User Account | 261 |
| Setting User Account Properties | 262 |
| Testing User Accounts | 263 |
| Managing User Accounts | 263 |
| Disabling and Enabling a User Account | 264 |
| Deleting a User Account | 264 |
| Finding a User Account | 265 |
| Moving a User Account | 266 |
| Renaming a User Account | 266 |
| Securing the Administrator Account | 267 |
| Resetting a User's Password | 268 |
| Unlocking a User Account | 268 |
| Using Home Folders | 269 |
| Maintaining User Profiles | 271 |
| Local Profiles | 273 |
| Roaming Profiles | 273 |
| Assigning a Logon Script to a User Profile | 278 |
| Configuring Shares and Permissions | 279 |
| Using Special Shares | 280 |
| Shares and Permissions on NTFS vs. FAT | 282 |
| Sharing a Folder | 282 |
| Share Permissions | 285 |
| Mapping Shared Folders and Drives | 286 |
| Working with Shared Folders | 288 |
| Maintaining Folder and File Permissions | 290 |
| Considering Inheritance | 290 |
| What the Permissions Mean | 291 |
| How Permissions Work | 293 |
| Configuring Folder Permissions | 294 |
| Assigning Permissions to Files | 295 |
| Configuring Special Permissions | 295 |
| Ownership and How It Works | 297 |
| Understanding Group Policies | 299 |
| Components of Group Policy | 301 |
| Managing Group Policies | 303 |
| Order of Implementation | 304 |
| Creating a Group Policy Object | 307 |
| Using the Group Policy Editor | 307 |
| Using Group Policy for Folder Redirection | 310 |
| Summary | 314 |
| PART III NETWORK ADMINISTRATION | |
| 10 Managing Day-to-Day Operations | 316 |
| Using the Secondary Logon | 317 |
| Opening Programs Using Another Account | 318 |
| Starting a Command-Line Window for Administration | 318 |
| Administration Tools | 320 |
| Installing Administration Tools Locally | 322 |
| Making Administration Tools Available Remotely | 322 |
| Support Tools | 322 |
| Network Connectivity Tester | 323 |
| Windows 2000 Domain Manager | 323 |
| Active Directory Replication Monitor | 323 |
| Disk Probe | 324 |
| Microsoft Management Console Basics | 325 |
| Creating an MMC-Based Console with Snap-ins | 325 |
| Automating Chores with Scripts | 332 |
| Auditing Events | 333 |
| Audit Settings for Objects | 334 |
| Viewing Event Logs | 336 |
| Searching Event Logs | 337 |
| Filtering Event Logs | 338 |
| Setting the Size of Event Logs | 338 |
| Archiving Event Logs | 339 |
| Delegating Control | 340 |
| Using Task Scheduler | 341 |
| Changing a Schedule | 343 |
| Tracking Task Scheduler | 343 |
| Viewing Tasks on a Remote Computer | 344 |
| Using the AT Command | 345 |
| Summary | 347 |
| 11 Installing and Configuring Active Directory | 348 |
| Using the Active Directory Installation Wizard | 350 |
| Preparing for Installation | 351 |
| Promoting Your First Server to a Domain Controller | 353 |
| Choosing Installation Options | 361 |
| Upgrading Windows NT 4 Domain Controllers | 365 |
| Demoting a Domain Controller | 365 |
| Changing a Domain Controller Identification | 368 |
| Setting a Global Catalog Server | 370 |
| Using Active Directory Domains and Trusts | 371 |
| Launching Active Directory Domains and Trusts | 372 |
| Changing the Domain Mode | 372 |
| Managing Domain Trust Relationships | 374 |
| Specifying the Domain Manager | 375 |
| Configuring User Principal Name Suffixes for a Forest | 376 |
| Managing Domains | 377 |
| Using Active Directory Users and Computers | 377 |
| Launching Active Directory Users and Computers | 377 |
| Viewing Active Directory Objects | 378 |
| Creating an Organizational Unit | 386 |
| Configuring OU Objects | 386 |
| Delegating Object Control | 389 |
| Creating a User Object | 390 |
| Configuring User Objects | 391 |
| Creating a Group | 396 |
| Configuring Group Objects | 398 |
| Creating a Computer Object | 398 |
| Configuring Computer Objects | 399 |
| Using Remote Computer Management | 399 |
| Publishing a Shared Folder | 400 |
| Publishing a Printer | 400 |
| Moving, Renaming, and Deleting Objects | 400 |
| Summary | 401 |
| 12 Managing Active Directory | 402 |
| Using Active Directory Sites and Services | 403 |
| Defining Site Objects | 405 |
| Understanding Domain Replication | 407 |
| Launching Sites and Services | 408 |
| Using Active Directory Schema | 416 |
| Examining Schema Security | 416 |
| Launching Active Directory Schema | 417 |
| Modifying the Schema | 419 |
| Modifying Display Specifiers | 424 |
| Performing Batch Importing and Exporting | 428 |
| Understanding Operations Master Roles | 431 |
| Summary | 439 |
| 13 Understanding TCP/IP | 440 |
| The TCP/IP Protocol Suite | 441 |
| Internet Protocol | 442 |
| Transmission Control Protocol | 442 |
| User Datagram Protocol | 443 |
| Windows Sockets | 443 |
| Network Basic Input/Output System | 444 |
| Requests for Comments | 444 |
| IP Addresses and What They Mean | 446 |
| Class A Networks | 446 |
| Class B Networks | 447 |
| Class C Networks | 447 |
| Class D and Class E Addresses | 447 |
| Routing and Subnets | 448 |
| What Is a Subnet? | 449 |
| Gateways and Routers | 450 |
| Routers | 450 |
| Routing Protocols | 451 |
| Name Resolution | 452 |
| The Domain Name System | 452 |
| Windows Internet Name Service | 461 |
| IP Version 6 | 463 |
| Summary | 465 |
| 14 Administering TCP/IP | 466 |
| Using DHCP | 468 |
| Designing DHCP Networks | 468 |
| Installing the DHCP Service | 470 |
| Creating a New Scope | 471 |
| Authorizing the DHCP Server and Activating Scopes | 475 |
| Adding Address Reservations | 476 |
| Enabling Dynamic Updates to a DNS Server for Earlier Clients | 477 |
| Using Multiple DHCP Servers for Redundancy | 479 |
| Other DHCP Functions | 482 |
| Setting Up a DHCP Relay Agent | 484 |
| Moving DHCP to Another Server | 486 |
| Using Ipconfig to Release, Renew, or Verify a Lease | 487 |
| Using DNS Server | 488 |
| Installing DNS | 488 |
| Using the Configure A DNS Server Wizard | 490 |
| Creating Zones | 494 |
| Creating Subdomains and Delegating Authority | 496 |
| Adding Resource Records | 499 |
| Configuring Zone Transfers | 502 |
| Interoperating with Other DNS Servers | 504 |
| Enabling Dynamic DNS Updates | 505 |
| Enabling WINS Resolution | 506 |
| Setting Up a Forwarder | 507 |
| Updating Root Hints | 508 |
| Setting Up a Caching-Only DNS Server | 509 |
| Setting Up a WINS Server | 510 |
| Determining Whether You Need WINS | 510 |
| Configuring the Server to Prepare for WINS | 512 |
| Installing WINS | 513 |
| Adding Replication Partners | 513 |
| Miscellaneous WINS Functions | 515 |
| Compacting the WINS Database | 516 |
| Summary | 517 |
| 15 Implementing Disk Management | 518 |
| Understanding Disk Terminology | 519 |
| Overview of Disk Management | 521 |
| Disk Administration Enhancements | 522 |
| Remote Management | 524 |
| Dynamic Disks | 524 |
| Disk Management Tasks | 525 |
| Adding a Partition or Volume | 525 |
| Converting a Disk to a Dynamic Disk | 538 |
| Extending a Volume | 539 |
| Adding a Mirror | 541 |
| Converting a Volume or Partition from FAT to NTFS | 546 |
| Formatting a Partition or Volume | 547 |
| Changing a Drive Letter | 549 |
| Mounting a Volume | 550 |
| NTFS Version 5 | 551 |
| Disk Quotas | 551 |
| Encrypting on the File System Level | 555 |
| Summary | 557 |
| 16 Using Clusters | 558 |
| What Is a Cluster? | 559 |
| Network Load Balancing Clusters | 559 |
| Server Clusters | 560 |
| Cluster Scenarios | 560 |
| Intranet or Internet Functionality | 560 |
| Mission-Critical Availability | 561 |
| Integrated Windows Clustering | 561 |
| Requirements and Planning | 562 |
| Identifying and Addressing Goals | 562 |
| Identifying a Solution | 562 |
| Identifying and Addressing Risks | 563 |
| Making Checklists | 563 |
| Network Load Balancing Clusters | 564 |
| NLB Concepts | 564 |
| Choosing an NLB Cluster Model | 565 |
| Planning the Capacity of an NLB Cluster | 566 |
| Providing Fault Tolerance | 567 |
| Optimizing an NLB Cluster | 567 |
| Server Clusters | 568 |
| Server Cluster Concepts | 569 |
| Types of Resources | 570 |
| Defining Failover and Failback | 573 |
| Configuring a Server Cluster | 573 |
| Planning the Capacity of a Server Cluster | 575 |
| Summary | 577 |
| 17 Configuring Storage | 578 |
| The Distributed File System | 579 |
| Advantages | 580 |
| Concepts and Terminology | 582 |
| Structure and Topology | 585 |
| Setup | 587 |
| Backing Up and Restoring the Dfs Database | 593 |
| Dfs Command-Line Administration | 593 |
| Removable Storage | 594 |
| Benefits and Requirements | 594 |
| Concepts and Terminology | 596 |
| Use and Management | 600 |
| Remote Storage | 610 |
| Concepts and System Requirements | 611 |
| Setup and Configuration | 616 |
| Data Recovery and Protection | 628 |
| Shared Folders | 633 |
| Using the Shared Folders Snap-In | 633 |
| Setting Up Shared Folders | 634 |
| Ending Folder Sharing | 636 |
| Disconnecting Users | 636 |
| Limiting Simultaneous Connections | 636 |
| Setting Permissions | 637 |
| Configuring Web Shares | 638 |
| Summary | 639 |
| 18 Planning for Security | 640 |
| Smart Cards | 641 |
| Security Basics | 642 |
| Authentication | 643 |
| Data Protection | 645 |
| Access Control | 647 |
| Auditing | 648 |
| Nonrepudiation | 648 |
| Public-Key Infrastructures | 649 |
| Public-Key Encryption vs. Symmetric-Key Encryption | 650 |
| Public-Key Certificates and Private Keys | 651 |
| Certificate Authorities | 653 |
| Certificate Registration | 655 |
| Certificate Directories | 656 |
| Certificate Revocation | 656 |
| Certificate Renewal | 658 |
| Security-Enabled Protocols | 658 |
| Secure Multipurpose Internet Mail Extensions | 658 |
| Kerberos Version 5 | 660 |
| Windows NT LAN Manager | 661 |
| Secure Socket Layer | 661 |
| Internet Protocol Security | 662 |
| Virtual Private Networks | 665 |
| Remote Access VPNs | 666 |
| Router-to-Router VPNs | 667 |
| Security Modules | 667 |
| Cryptographic Application Programming Interface | 667 |
| Cryptographic Service Providers | 668 |
| Summary | 669 |
| 19 Implementing Security | 670 |
| Physical Security | 672 |
| Using Templates to Implement Security Policies | 673 |
| Running the Security Templates Snap-In | 673 |
| Examining Template Policies | 674 |
| Using Predefined Templates | 675 |
| Defining New Templates | 679 |
| Applying Templates | 680 |
| Using Security Configuration and Analysis | 680 |
| Opening a Security Database | 681 |
| Importing and Exporting Templates | 681 |
| Analyzing Security and Viewing the Results | 682 |
| Configuring Security | 684 |
| Enabling Authentication | 685 |
| Obtaining Smart Cards and Certificates | 686 |
| Logging On with Smart Cards | 688 |
| Enabling Remote Certificate or Smart Card Authentication | 688 |
| Configuring Authentication for a Remote Access Server | 691 |
| Implementing Access Control | 691 |
| Establishing Ownership | 692 |
| Assigning Permissions | 692 |
| Managing Certificates | 694 |
| Exporting Certificates and Private Keys | 695 |
| Importing Certificates | 696 |
| Requesting Certificates | 696 |
| Enabling Certificates for Specific Purposes | 697 |
| Using Internet Protocol Security Policies | 698 |
| Defining IPSec Policies | 698 |
| Assigning IPSec Policies | 706 |
| Securing Local Data | 707 |
| Creating Your Recovery Policy | 707 |
| Encrypting Files and Folders | 709 |
| Decrypting Files and Folders | 710 |
| Recovering Files | 710 |
| Auditing | 712 |
| Establishing an Audit Policy | 712 |
| Auditing Access to Objects | 713 |
| Viewing the Security Log | 714 |
| What to Do If You Get Hacked | 715 |
| Summary | 716 |
