Using Your Sybex Electronic Book To realize the full potential of this Sybex electronic book, you must have Adobe Acrob...

Author: Mark Minasi | Christa Anderson | Michele Beverridge | C. A. Callahan | Lisa Justice

21 downloads 892 Views 24MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!

Report copyright / DMCA form

DOWNLOAD PDF

Using Your Sybex Electronic Book To realize the full potential of this Sybex electronic book, you must have Adobe Acrobat Reader with Search installed on your computer. To find out if you have the correct version of Acrobat Reader, click on the Edit menu—Search should be an option within this menu file. If Search is not an option in the Edit menu, please exit this application and install Adobe Acrobat Reader with Search from this CD (doubleclick on AcroReader51.exe in the Adobe folder).

Navigation Navigate throught the book by clicking on the headings that appear in the left panel; the corresponding page from the book displays in the right panel.

Find and Search To find and search, click on the toolbar or choose Edit > Find to open the "Find" window. Enter the word or phrase in the "Find What" field and click "Find." The result will be displayed as highlighted in document. Click "Find Again" to search for the next consecutive entry. The Find command also provides search parameters such as "Match Whole Word Only" and "Match Case." For more information on these features, please refer to the Acrobat Help file in the application menu.

Click here to begin using your Sybex Elect ronic Book!

www.sybex.com

Mastering

™

Windows Server 2003 ®

Mark Minasi Christa Anderson Michele Beveridge C.A. Callahan Lisa Justice

San Francisco

London

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

Associate Publisher: Neil Edde Acquisitions and Developmental Editor: Chris Denny Production Editor: Kylie Johnston Technical Editor: Jim Kelly Copyeditor: Sally Engelfried Compositor: Interactive Composition Corporation—Rozi Harris Graphic Illustrator: Interactive Composition Corporation—Rozi Harris CD Coordinator: Dan Mummert CD Technician: Kevin Ly Proofreaders: Laurie O’Connell, Yariv Rabinovitch, Nancy Riddiough, Monique van den Berg Indexer: Ted Laux Book Designer: Maureen Forys, Happenstance Type-O-Rama Cover Designer: Design Site Cover Illustrator/Photographer: Tania Kac, Design Site Copyright © 2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher. An earlier version of this book was published under the title Mastering Windows 2000 Server, Fourth Edition © 2002 Sybex Inc. Library of Congress Card Number: 2002115479 ISBN: 0-7821-4130-7 SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. Mastering is a trademark of SYBEX Inc. Screen reproductions produced with FullShot 99. FullShot 99 © 1991–1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated. The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997–1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit www.macromedia.com. Internet screen shots using Microsoft Internet Explorer 5 reprinted by permission from Microsoft Corporation. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

Software License Agreement: Terms and Conditions The media and/or any online materials accompanying this book that are available now or in the future contain programs and/or text files (the “Software”) to be used in connection with the book. SYBEX hereby grants to you a license to use the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your acceptance of such terms. The Software compilation is the property of SYBEX unless otherwise indicated and is protected by copyright to SYBEX or other copyright owner(s) as indicated in the media files (the “Owner(s)”). You are hereby granted a single-user license to use the Software for your personal, noncommercial use only. You may not reproduce, sell, distribute, publish, circulate, or commercially exploit the Software, or any portion thereof, without the written consent of SYBEX and the specific copyright owner(s) of any component software included on this media. In the event that the Software or components include specific license requirements or end-user agreements, statements of condition, disclaimers, limitations or warranties (“End-User License”), those End-User Licenses supersede the terms and conditions herein as to that particular Software component. Your purchase, acceptance, or use of the Software will constitute your acceptance of such End-User Licenses. By purchase, use, or acceptance of the Software you further agree to comply with all export laws and regulations of the United States as such laws and regulations may exist from time to time.

Reusable Code in This Book The author(s) created reusable code in this publication expressly for reuse by readers. Sybex grants readers limited permission to reuse the code found in this publication, its accompanying CD-ROM or available for download from our Web site so long as the author(s) are attributed in any application containing the reusable code and the code itself is never distributed, posted online by electronic transmission, sold, or commercially exploited as a stand-alone product.

Warranty SYBEX warrants the enclosed media to be free of physical defects for a period of ninety (90) days after purchase. The Software is not available from SYBEX in any other form or media than that enclosed herein or posted to www.sybex.com. If you discover a defect in the media during this warranty period, you may obtain a replacement of identical format at no charge by sending the defective media, postage prepaid, with proof of purchase to: SYBEX Inc. Product Support Department 1151 Marina Village Parkway Alameda, CA 94501 Web: www.sybex.com After the 90-day period, you can obtain replacement media of identical format by sending us the defective disk, proof of purchase, and a check or money order for $10, payable to SYBEX.

Disclaimer SYBEX makes no warranty or representation, either expressed or implied, with respect to the Software or its contents, quality, performance, merchantability, or fitness for a particular purpose. In no event will SYBEX, its distributors, or dealers be liable to you or any other party for direct, indirect, special, incidental, consequential, or other damages arising out of the use of or inability to use the Software or its contents even if advised of the possibility of such damage. In the event that the Software includes an online update feature, SYBEX further disclaims any obligation to provide this feature for any specific duration other than the initial posting. The exclusion of implied warranties is not permitted by some states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there may be other rights that you may have that vary from state to state. The pricing of the book with the Software by SYBEX reflects the allocation of risk and limitations on liability contained in this agreement of Terms and Conditions.

Software Support Components of the supplemental Software and any offers associated with them may be supported by the specific Owner(s) of that material, but they are not supported by SYBEX. Information regarding any available support may be obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media. Should the manufacturer(s) or other Owner(s) cease to offer support or decline to honor any offer, SYBEX bears no responsibility. This notice concerning support for the Software is provided for your information only. SYBEX is not the agent or principal of the Owner(s), and SYBEX is in no way responsible for providing any support for the Software, nor is it liable or responsible for any support provided, or not provided, by the Owner(s).

Shareware Distribution This Software may contain various programs that are distributed as shareware. Copyright laws apply to both shareware and ordinary commercial software, and the copyright Owner(s) retains all rights. If you try a shareware program and continue using it, you are expected to register it. Individual programs differ on details of trial periods, registration, and payment. Please observe the requirements stated in appropriate files.

Copy Protection The Software in whole or in part may or may not be copy-protected or encrypted. However, in all cases, reselling or redistributing these files without authorization is expressly forbidden except as specifically provided for by the Owner(s) therein.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

Dedicated to the memory of Scott Anderson (1964–2002). Christa’s husband was, for lack of better words, a great guy. I (Mark) met him in 1992 and thus was fortunate enough to enjoy his company for a decade. He was a smart, funny, capable-at-nearly-everything person who told good stories, played games masterfully, and brewed good beer. It has to be one of life’s great ironies that a man with so much heart was betrayed by that very organ, and far too soon. As a computer type, I’m used to a world of reversible catastrophes; there are always backups. It is daunting to be reminded that some things can’t be restored. Even precious things.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

Acknowledgments This book was a lot of work, so I’m sure glad I didn’t have to do most of it! This is essentially the twelfth edition of the Mastering NT Server book that debuted in 1994. In every other edition, we always had contributors who only worked on a chapter or a less, and so did not get co-author credit. This time, I wanted everyone who worked on it to get their name on the cover, and turned to two old tried-and-true contributors. Christa Anderson has contributed in a major way to every version of this book, and this one is no exception. Lisa Justice’s work also appeared in the past six editions and she is a welcome addition to this one as well. This book also introduces two newcomers to book writing, but not to networking. Michele Beveridge, the University of Georgia’s Active Directory architect, and veteran tech teacher C.A. Callahan come from solid backgrounds in both working with technology and communicating it, and I think you’ll agree that their first outing as geek book co-authors is a successful one. They dug into every chapter, forsaking family and friends in order to get this done. I owe all four co-authors quite a bit, and am quite thankful for their efforts. (Additionally, Michele tells me that a techie friend of hers, Martijn Middleplaats, helped her with some of the heavy lifting by researching some of her chapter material. She thanks him and so do I.) While this should have been an easy book to write, it wasn’t, as I’ll explain in the Introduction— that’s my fault. That made life horrendous for the Sybexers involved, and I can’t thank them enough for their help in getting this volume out. Chris Denny and Neil Edde got the ball rolling, and Sally Engelfried edited the chapters. Many thanks also to technical editor Jim Kelly for his painstaking checking and verifying. There is, of course, the whole production crew to thank as well. Without them, all we’d have is a collection of electronic files. Kylie Johnston steered the project smoothly through the production channels, as she did with previous editions; Rozi Harris at Interactive Composition Corporation transformed the manuscripts into the handsome book before you; and the proofreaders—Laurie O’Connell, Yariv Rabinovitch, Nancy Riddiough, and Monique van den Berg—scrutinized the many pages to ensure that no stone was left unturned. Thanks also to Ted Laux, the indexer, and Dan Mummert and Kevin Ly of the CD team. Finally, we could not have done this without the assistance of Microsoft, who not only created the product but also allowed us to see it before it was finished.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

Introduction I said it in the Acknowledgments, and I’ll say it again: man, was this book a lot of work! But trust me, I don’t say that to complain; rather, it lets me explain—to explain what is probably the question in most prospective readers’ minds: “Is this a book only for people who use Windows Server 2003?” The answer is, definitely not. Yes, it’s a Server 2003 book—but it’s also basically Mastering Windows 2000 Server, FIFTH edition. Here’s what I mean. When planning this book, I decided early on that it had to have two major goals. First, it had to cover the new features in Server 2003, or the title would be downright wrong. But the differences between 2000 and 2003 are, while not insignificant, not huge either. And that led me to the second goal. I’m guessing that almost no one reading this will have thrown away all of their “old” Windows 2000 Server systems when adopting Server 2003; as a matter of fact, many of you tell me that you’re still running Windows NT 4 Servers! Nor is that a bad thing—NT 4 and Win2K are both really good tools, in my opinion. Yes, in some ways Server 2003 is better—and you’ll learn those ways in this book—but not so much better that many can justify tossing out the Win2K systems to make room for Server 2003. No, I’m guessing that Server 2003 will move into your network gradually, and so you’ll be living in a server environment that includes both Windows 2000 Server and Windows Server 2003 for quite a while. That’s why I asked my co-authors to “think of this as the Fifth!” Instead of taking the Mastering Windows 2000 Server book and looking for things that we’d have to change to make it a Server 2003 book, we started with the topics that previous editions of the Windows 2000 Server book explored and took them further, to build on the book series’ growth. For example, previous editions didn’t consider a lot of Active Directory maintenance issues, like checking database integrity or compacting the database, so this one did, even though it wasn’t a new-to-2003 topic. A look at the Macintosh chapter will reveal that what was a chapter consisting of only a handful of pages in previous editions is now 50 or so pages long, with completely new information on Mac OS/X clients. We tried, then, to make this essentially two books in one; I hope you think we succeeded.

What’s Inside In Chapter 1, I briefly list and explain what’s new in Windows Server 2003. As you’ll see, Server 2003 is basically 2000 Server, version 1.1. But when you consider what a big product Windows 2000 Server is, and what a major change it was from NT 4, then you’ll understand that even just a 1.1 version of 2000 would involve a lot of changes—this chapter outlines them. In Chapter 2, I offer a basic answer to the question, “Why do we network?” for those who are just joining us. Folks who have no idea what a domain is, or why they’d want one, should take a look at Chapter 2 and in no time you’ll sound like a grizzled network veteran. Lisa Justice then shows you in Chapter 3 how to navigate the Server 2003 user interface. Thank God it wasn’t as large a change as the NT-to-2000 shift, and that it doesn’t come out of the box configured in the XP “Playskool” user interface. But you’ll find a few things have changed, and Lisa will guide you through the new stuff. She also walks you through the process of creating your own user interface with taskpads, a great way to build customized tools for administrators.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

XXXII

INTRODUCTION

The user interface is one way to control Server 2003, and that’s why Lisa covers it in Chapter 3. But the other way is via the Registry, 2000’s place to store system settings and home to hundreds of undocumented or poorly documented switches, dials, knobs, and levers. No NT, 2000, XP, or 2003 techie can last long without a bit of Registry work, and so in Chapter 4 I introduce it. By now, you’ll be itching to load it up and try it out, so in Chapter 5 I not only show you how to shove a CD into a drive and answer questions, but I also cover scripting 2003 installs, using the Remote Installation Server, and finally, how Sysprep can make setting up systems and cloning them easier. Microsoft has made automated rollouts—scripts, RIS, and Sysprep—quite a bit easier and more powerful. Study Chapter 5 and you’ll see how to deploy 2003 with style and grace…but mostly with a minimum of effort on your part! Chapters 6 and 7 permit me to explain how TCP/IP works, both in a general sense and in the specific sense of configuring Server 2003 to use it. In Server 2003, Microsoft has taken another baby step toward making the NT platform an IP-only platform, as NetBEUI is no longer even an option for protocols. Chapter 6 explains the basics: how to get on an internet; how IP addresses, subnet masks, and routing work; and how to use a Server 2003 as a router. Chapter 7 then explains the three basic TCP/IP services that every Microsoft network needs: DHCP, WINS, and DNS. Server 2003 doesn’t really do much that’s new in DHCP and WINS, but DNS now offers several new features, all of which the chapter covers. The biggest changes in the chapter, however, are in the structure of the DNS section, which now spans almost 200 pages. It’s not only a primer on DNS; in this edition I completely reoriented the discussion and the examples around building not just any DNS infrastructure, but a more secure infrastructure, using split-brain DNS techniques—and if you don’t know what that means, don’t worry, the chapter covers it all. You’ll also see in Chapters 6 and 7 that I’ve worked hard to unify the step-by-step examples so that they all fit together, allowing you to follow along and build a small network that is then completely ready for Active Directory…which is the next chapter’s topic. Chapter 8 is basically a medium-sized book in itself, at 81,000 words and 110-plus figures. It takes you from the basics of “What is an Active Directory and why would you want one?” to designing an AD, implementing one, managing it, optimizing it, rearranging its structure when necessary, and fixing it when it breaks. Server 2003’s changes permeate this topic, as you’ll see. The migration section is much larger than in the 2000 Server book, and it and the rest of the chapter offers many step-by-step examples that allow you to build a small working AD. Lisa returns in Chapter 9 to explain the ins and outs of creating and managing user accounts. That’s a big topic, as it includes user profiles and group policies, which Lisa explains in detail. She also showcases and shows you how to use 2003’s new Resultant Set of Policies troubleshooting tool for group policies. GP fans will love it. Windows 2000 handles storage differently than NT did, and 2003 changes things a bit more, as you’ll learn in Chapter 10. In that chapter, Michele Beveridge shows you how to connect, partition, and format drives, and she also covers Windows 2000’s RAID functions. I was very fortunate to get Michele’s help on this book, as she’s responsible for the University of Georgia’s Active Directory, both its design and implementation. Her years of real-world, in-the-trenches experience with NT in its various forms show through in her coverage of both this and the companion Chapter 11. That chapter covers shared folders, including how to secure those shares with both share and NTFS permissions, as well as coverage of Windows 2000 and Server 2003’s Distributed File System and the File Replication Service. In that chapter, you’ll also learn about the Encrypted File System—which

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INTRODUCTION

has changed in some subtle but important ways since Windows 2000—and offline folders, a modification of the network redirector that offers greater network response, laptop synchronization support, and network fault tolerance. C.A. Callahan joins us in Chapter 12 to describe one of 2000, XP, and 2003’s nicest features for desktop support folks: central software distribution. Callahan has been in the technical teaching business for many years and has a well-honed talent for digging into a topic, getting excited about it, and explaining to you so that you’ll be excited about it as well. (She’s also a Mac geek, which is why she rewrote the Mac chapter [Chapter 16] completely and made it about ten times larger than it was before.) Christa returns in Chapter 13 to describe how to network printers under Server 2003. Lisa then explains, in Chapter 14, how to connect client PCs to a Server 2003 network, whether those PCs are running DOS, Windows, or whatever. And you may be surprised to hear that it’s now impossible to connect a DOS or Windows 9x system to a 2003-based Active Directory…unless you know the trick. (Of course, Lisa lets you in on the secret.) Christa then warms to a favorite topic of hers in Chapter 15, where she covers the built-in Terminal Services feature of Server 2003 and remote server administration in general. And if you have no idea what Terminal Services does, check out that chapter: Terminal Services makes your Server 2003 system a multiuser computer, in many ways combining the best of the PC and the mainframe! Then, in Chapter 16, Callahan “cracks the Mac,” as I’ve already mentioned. Once your organization is connected to the Internet, you’ll probably want to get a Web server up and running. Server 2003 includes a Web server, as did NT 4 and Windows 2000, but 2003’s IIS 6 is built to be both more secure and more reliable, so you won’t want to miss Lisa’s coverage of it, including not only the Web piece but also the FTP server piece, the SMTP mail server, and 2003’s new POP server. Yes, that’s right, Server 2003 now comes with a complete e-mail server service built in, and you can read about it in Chapter 17. Then, in Chapter 18, Christa offers some advice and instruction on tuning and monitoring a Server 2003–based network, and in Chapter 19, she looks at disaster recovery—never a happy topic, but a necessary one. Michele returns for a lengthy and quite complete look at dial-up, ISDN, and frame relay support in Routing and Remote Access Service (RRAS) in Chapter 20. Callahan then finishes the book with coverage of NetWare coexistence in Chapter 21.

Conventions Used in This Book As you know, when discussing any network technology, things can get quite complex quite quickly, so I’ve followed some conventions to make them clearer and easier to understand.

Referring to Windows NT, 2000, XP, and 2003 Throughout this book, you’ll see me refer to Server 2003, Windows 2000, NT 4, and just plain NT. I don’t want to confuse, so let me clarify what I mean when I use those terms. When I say “Server 2003,” “Windows 2000” or “NT 4,” then of course I mean those particular products. But when I say “NT,” I’m referring to the various versions of the NT operating system that have come out, including NT 4, Windows 2000, Windows XP, and Windows Server 2003. Despite the name change from NT-version-something to Windows-model-year, under the hood, NT 4, 2000, XP, and 2003 are quite similar. The underlying kernel, the piece of the operating system that

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

XXXIII

XXXIV

INTRODUCTION

manages memory, handles multitasking, and loads and unloads drivers, changes with every revision, but not in any earthshaking way. For example, from NT 4 to 2000 the look of NT changed, but under the hood the main kernel difference we saw as administrator types was Plug and Play. Basically, you can think of it this way: ◆ ◆ ◆

Windows 2000 = NT 5.0, in both Workstation and Server flavors. Windows XP Professional = NT 5.1 Workstation. (XP Home is also NT 5.1 Workstation, but crippled. Don’t use it.) Windows Server 2002 = NT 5.2 Server, no Workstation version. (The next version of Workstation probably won’t appear until 2005, code-named “Longhorn.”)

I wish they’d just kept calling things “NT version something,” because then simply saying “NT” would obviously refer generically to all versions of the OS. In this book, therefore, I’m going to use the phrase “NT networks” to mean “anything running NT 4, 2000, XP and/or 2003.” When I’m talking about NT 4–based things, I’ll include the “4.”

Call It “Server 2003” And speaking of names…Microsoft is working so hard to “brand” the name Windows that now they’ve attached the name to three totally different operating systems. The first of the “original” Windows—versions 1.0, 2.0, 2.1, 3.0, 3.1, 3.11, Windows for Workgroups 3.1 and 3.11, Windows 95 and 98—is an ever-evolving operating system built to extend the life of Microsoft’s cash cow, MS-DOS. The second was NT, a project intended originally to extend an older operating system named OS/2. And the third is Windows CE, an OS designed for smaller, diskless computers, including the of-dubious-value “AutoPC,” a computer designed for your car’s dashboard. (Oh great, now I get to worry that the bozo in front of me in traffic will be distracted playing Warcraft; good call, Bill.) Now, of course, what should have been called “NT Server 5.2” has the much-longer name “Windows Server 2003, Standard Edition.” If I stopped to write that every time I needed to identify the product, I wouldn’t get the book done until about 2009, so permit me to just shorten it to “Server 2003.” I can’t wait until Microsoft sends Pella and Andersen cease and desist letters enjoining them from using the word “Windows” in their corporate name and product-line descriptions.

Directory Names: \windows, system32 In a change from previous versions of Server, Windows Server 2003 installs by default into a directory named \windows on some drive. Upgrades from previous versions stay in whatever directory you installed the previous version in—probably \winnt. You can decide at installation time to put the operating system somewhere else, but almost no one does. As a result, I have a bit of a problem: I often need to refer to the directory that Server 2003 is installed into, and I need a phrase less cumbersome than “whatever directory you installed your server into” or the brief and technically accurate but nonintuitive %systemroot%. So you’ll see references to the \windows directory, which you should read as “whatever directory you’ve installed Windows Server 2003 into.”

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INTRODUCTION

Similarly, both Server 2003 and every other version of NT includes a directory inside \winnt or or whatever called system32—\winnt\system32 on older OSes and upgrades, \windows\ on fresh installs. I’ll refer to that directory as system32. But let me stress this: If you see a reference in this book to \windows or \windows\system32 and you do not have a \windows or \windows\system32, don’t panic—just substitute \winnt and it’ll work.

\windows system32

Stay Up-to-Date with Our Free Newsletter With the first version of this book, I tried out a way to keep you folks informed about book errata, changes to the NT family, or just plain new stuff that I’ve learned. No matter how long 2003 stays around, we’ll never know everything about it—there will always be new things to learn. And certainly I’ll include the things that I learn into new editions of the book—but why wait for the next edition? I’d rather get you at least some of that new information immediately! So I’m extending the following offer to my readers. Visit my Web site at www.minasi.com and register to receive my free Windows Networking newsletter. It covers everything from NT 4 to 2000 to XP to 2003 and even a little Linux. Every month that I can, I send you a short update on tips and things that I’ve learned, as well as any significant errata that appear in the book (which I’m praying don’t appear). It won’t be spam—as the saying goes, “Spammers must die!”—just a short heads-up on whatever I’ve come across that’s new (to me) and interesting about NT, 2000, XP, or 2003. Past newsletters have also included lengthy articles on DNS troubleshooting, Indexing Service, and IPSec, so I think you’ll find it a worthwhile newsletter for the price. Well, okay, about the spam part: there will be one bit of naked marketing—when the next edition of the book comes out, I’ll announce it in the newsletter.

For Help and Suggestions: Check the Newsletter and www.minasi.com/gethelp As always, if I can help, I’m available on e-mail. Got a question the book didn’t answer? Visit my FAQ page at www.minasi.com/gethelp and, if that doesn’t help, there are instructions on how to e-mail me. I can’t promise that I’ll have the answer, but I’ll sure try! I’m often traveling, sometimes for weeks at a time, and I don’t pick up e-mail when I’m on the road, so if I take a week or few to respond, don’t worry, I’ll get back to you as soon as I can. It’s easiest to help with questions which are specific but brief—please understand that I sometimes open my e-mail to find more than a hundred questions waiting for me! In addition to offering help, I’d appreciate your help and feedback. Sybex and I have been able to get a new edition of this book out roughly annually since NT Server first appeared in 1993. I don’t know everything about Microsoft networking—I’m not certain anyone does—and through the years, reader suggestions and “book bug reports” have been a tremendous source of assistance in making the NT books better and better. (“Gasp! An error? In my book? No, say it isn’t so!”) Got a tip, something you want to share with the world? Pass it along to me, and I’ll include it in the next edition and acknowledge your contribution. And by the way, to all of you reading this book: thank you so much, and I hope you enjoy our coverage of Microsoft’s flagship networking platform!

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

XXXV

Chapter 1

Windows Server 2003 Overview If you lived through the change from NT 4 Server to Windows 2000 Server, then you might be a bit gun-shy about Windows Server 2003; how much more will you have to learn, and how hard will it be? If so, then I have good news: while Server 2003 offers a lot of new stuff, there’s not nearly as much new stuff—if 2000 was a tsunami, 2003 is just a heavy storm. (If, however, you’re an NT 4 guy getting ready to move to 2003, then yes, there’s a whole lot of new stuff to learn. But don’t worry, this is the right book, and I’ll make it as easy as is possible!) Clearly explaining what Server 2003 does is the job of the entire book, but in this chapter I’ll give you a quick overview of what’s new. I’m mainly writing this chapter for those who already know Windows 2000 Server and are looking for a quick overview of what’s new in 2003, so if you’re just joining the Microsoft networking family then don’t worry if some of this doesn’t make sense. I promise, in the rest of the book I’ll make it all clear.

Four Types of Server Once, there was just one kind of NT Server. Under 3.1 it was called NT Advanced Server 3.1, which confused people—was there a cheaper “basic” server available?—and so Microsoft just renamed it NT Server 3.5 for its second outing, and it stayed that way through NT Server 3.51. But with NT 4 came a slightly more powerful (and expensive) version called Enterprise Edition, which offered a different memory model and clustering but not much else, so not many chose it.

Pre-Server 2003 Varieties Under Windows 2000, the basic server was just called Windows 2000 Server, and Enterprise became Windows 2000 Advanced Server. It offered a bit more incentive to buy it than Enterprise had, but not much; its most enticing feature was a new tool called Network Load Balancing Module, something that Microsoft had purchased and decided to deny to the buyers of basic Server. (But it’s now shipped in the basic Server, thankfully.)

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

2

CHAPTER 1

WINDOWS SERVER 2003 OVERVIEW

Microsoft also started releasing a third version of Server called Datacenter Server, but you couldn’t just go to the store and buy it—they only “OEMed” it, which means that they allowed vendors to buy Datacenter and tune it very specifically for their particular hardware. The only way that you’re going to get a copy of Datacenter is if you spend a whole lot of money on a high-end server computer, and then you get Datacenter with it. Should you feel left out because you can’t buy a copy of Datacenter 2000 and slap it on your TurboClone3000 no-name Web server? Probably not. Yes, there are a few things that Datacenter 2000 can do that the others can’t: eight-computer clusters is the main one, but for most of us the loss isn’t great. Unfortunately, that changes with Windows Server 2003.

Windows Server 2003 Flavors: Web Edition Makes Four As you’d expect, Microsoft introduced a number of new features with Windows Server 2003 but didn’t make them available in all of the versions. It also added a new low-cost version, Web Edition, and reshuffled the features among the four versions. There are actually a whole pile of different versions of Server 2003 if you include the 64-bit versions, the embedded versions, and so on, but the main product grouping is the four “product editions”: ◆ ◆ ◆ ◆

Windows Server 2003, Standard Edition Windows Server 2003, Enterprise Edition Windows Server 2003, Datacenter Edition Windows Server 2003, Web Edition

I’m going to focus on Standard Edition in this book, but let’s take a very quick look at each edition. “Regular Old Server” Gets a Name

For the first time since 1983, the basic variety of server has a name; it is now Windows Server 2003, Standard Edition. (I suspect I may have to sue Microsoft for the extra carpal tunnel damage that I’m getting writing this book—where I could once just say “NT 4,” now I’m typing half a sentence just to identify the product.) In general, it has just about all of the features that it did back when it didn’t have a name. Standard Edition comes with a bunch of new features that are new to all of 2003’s editions, as you’d expect, but it also comes with a bit of quite welcome news: Standard Edition includes Network Load Balancing (NLB). NLB’s not new, as it was included in Windows 2000 Advanced Server, the more expensive version of Windows 2000 Server. But where Microsoft once required you to buy the pricier version of 2000 Server to get this very useful feature, it’s now included in all four editions of Windows Server 2003. (You’ll learn how to set it up in Chapter 6.) But that’s not all that’s new in Standard Edition—for instance, how does, “You finally get a complete e-mail server free in the box” sound? But I’m getting ahead of myself. Web Edition Debuts

The newest and fourth option for Server is Web Edition. The idea is that Microsoft really wants their Web server, IIS, to completely crush, overtake, and overwhelm the competition: Apache and Sun Web servers. So they ripped a bunch of things out of Server and offered it to hardware vendors as an

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

XP SUPPORT COMES TO SERVER

OEM-only copy of Windows Server 2003. It can only address 2GB of RAM (NT has always been able to access 4 or more GB) and cannot ◆ ◆ ◆ ◆ ◆

Be a domain controller, although it can join a domain Support Macintosh clients, save as a Web server Be accessed remotely via Terminal Services, although it has Remote Desktop, like XP Provide Internet Connection Sharing or Net Bridging Be a DHCP or fax server

So it’s unlikely that you’ll actually see a copy of Web Edition, but if you do, then don’t imagine that you’ll be able to build a whole network around it. As its name suggests, it’s pretty much intended as a platform for cheap Web servers. What You’re Missing: Enterprise and Datacenter Features

Back in the NT 4 days, Microsoft introduced a more expensive version of Server called NT 4 Server, Enterprise Edition. It supported clusters and a larger memory model. When Windows 2000 Server came around, Microsoft renamed it Windows 2000 Advanced Server. With Server 2003, Microsoft still offers this higher-end version of Server, but with yet another name change. Now it’s called Windows Server 2003, Enterprise Edition. Yes, you read that right: once it was Enterprise Edition, then it became Advanced Server, and now it’s back to Enterprise Edition. (Don’t shoot me, I just report this stuff.) Enterprise Edition still does clusters—four-PC clusters now. It also lets you boot a server from a Storage Area Network (SAN), hot-install memory like Datacenter can, and run with four processors. With Windows Server 2003, Microsoft has finally made me covetous of Datacenter. It has this incredibly cool tool called Windows Resource Manager that basically lets you do the kind of system management that you could do on the mainframe years and years ago. How’d you like to say to your system, “Don’t let SQL Server ever use more than 50 percent of the CPU power or 70 percent of the RAM?” WRM lets you do that, and it only ships with Datacenter. Datacenter also now supports eight-PC clusters as well as hot-installing RAM—yup, that’s right, you just open the top of the server while it is running and insert a new memory module, wait a second or two and poof! the system now recognizes the new RAM, no reboot required.

XP Support Comes to Server For the first time in a long time, Microsoft shipped NT in two parts, delivering NT Workstation version 5.1—that is, Windows XP Professional and its sadly eviscerated sibling, XP Home—over a year earlier than its NT Server counterpart, Windows Server 2003. I don’t think that Microsoft originally intended for there to be a year and a half interregnum, but that unintended extra time let Microsoft make Windows Server 2003 much more than “XP Server”—it’s NT Server version 5.2. XP was a nice upgrade from 2000 Professional but not a great one, not a must-upgrade for current Windows 2000 Professional systems, but a very attractive step up for those running NT 4 or Windows 9x/Me on their desktops. Okay, I might have understated things a bit there—let’s go back and italicize that “very.” And for people running—auggh—Wintendo (9x and Me) put that “very”

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

3

4

CHAPTER 1

WINDOWS SERVER 2003 OVERVIEW

in double-sized bold text. (This assumes, of course, that you have the minimum reasonable hardware to run XP—128MB RAM and a 600MHz processor.) But, again, if you’re already running 2000 Pro and you want some you-are-a-fool-if-your-company-doesn’t-upgrade-to-XP reasons, then I can’t help. But that doesn’t mean that XP didn’t introduce some neat features, and now with the introduction of Windows Server 2003, the server side of the NT house has them as well.

XP Integration Windows 2000 Server came with a file named adminpak.msi, which would let you install all of the administrative tools for a 2000 network on a 2000 Pro desktop. I loved that, as NT Workstation never really did a great job as an administrator’s desktop and I always ended up running Server as my desktop OS. But 2000 Pro was a different story; get adminpak.msi on the Win2K Pro box and you could do all the server administration that you wanted. But then XP arrived. I was perfectly happy with my Win2K desktop, but it’s kind of my job to use the latest version of NT, so I upgraded to XP, only to immediately find that none of the server administration tools worked anymore—the only way to control my DNS server, AD domain controllers, DHCP server, and the like was by either keeping a Win2K machine around somewhere, walking over to the server to work on it, or just using Terminal Services to remotely control the server. It was irritating. Microsoft soon shipped a beta version of administrative tools that worked on XP, but I’m kind of leery of running my actual commercial network with beta tools, if you know what I mean. So it’s good news that Server 2003 brings a welcome addition: a new set of administrative tools that run fine on XP.

Server Understands XP Group Policies To my mind, XP’s two absolute best features from an administrator’s point of view were its remote control/support and software restriction capabilities. Both of those capabilities either absolutely require or considerably benefit from group policies, but Server 2000 knew nothing about them, and so required some tweaking to support XP-specific policies on a Windows 2000–based Active Directory. That’s all taken care of now.

New Free Servers: An E-Mail Server and SQL Server “Lite” Thank you, Microsoft. Not too many people remember this, but back when Server first came out, it wasn’t all that impressive in terms of performance. But over time, it took market share away from network OSes that were, in many ways, faster, more flexible, or more reliable. How’d they do it? Many reasons, but I’ve always thought that there were two biggies. First, NT used the Windows interface, which meant that once you’d mastered Solitaire you were well on the way to administering an NT Server. The second reason was that NT came with a lot of stuff free in the box. From the very beginning, NT contained software that most vendors charged for. At one time, most server OS vendors charged for the TCP/IP protocol, but NT always had it. Ditto remote access tools, or Macintosh support, or a Web server, FTP, and a dozen other things. In terms of features, Microsoft made NT an attractive proposition.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

GENERAL NETWORKING PLUSES

So I could never understand why they didn’t include an e-mail server. Well, okay, I understood it—they wanted to sell you MS-Mail (you in the back there, stop laughing) or Exchange, and didn’t want to offer a free alternative. But I’ve never understood that. Exchange is a mail server that, while powerful, is complex, difficult to set up, and expensive. Why not offer an e-mail server that is nothing more than an SMTP and POP3-based system? It would serve that five-person office well, and they’re probably not about to buy Exchange. Nor would it keep the 100-person (or 100,000-person) enterprise from buying Exchange, as they’re probably large enough that they want support of shared calendars, IMAP, mailbox forwarding, antivirus add-ons, and so on, and a super-basic POP3 service wouldn’t do it. I got my wish. Windows Server 2003 in all flavors includes a POP3 service. The other part, SMTP, has always existed, so between the two of them, you’ve got a complete low-end mail server. Again, there are no hooks for antivirus software, no way to set a mailbox to automatically forward somewhere else, and no way to create an autoresponse message for a mailbox a la, “Jack doesn’t work here anymore, please don’t send anymore mail here to his address,” but it may still do the job for you. The next goodie wasn’t on my wish list, but I’ll bet it was on a lot of other peoples’: a free database engine. Even better, it’s a free database engine that is a copy of SQL Server 2000, although with a “governor” and no administrative tools. For years, Microsoft has offered a thing called Microsoft Database Engine or MSDE. It was never generally available to NT users, but it was available to various groups of developers. The idea with MSDE was that Microsoft took SQL Server 2000—a fairly expensive piece of software—and crippled it in three ways: ◆

◆

◆

First, they limited the database size to 2GB. That may not sound like much, but a “real” application of any size could grow beyond that in not too much time. But it’s a great size for testing and developing database-driven apps, or for managing a database that will never get very big. Second, they put a “throttle” (Microsoft’s word) on it so that if more than five people access it, it slows down. Again, it’s a barrier to using this for member registration on a thousand-member Web site, but fine for testing and small networks. Finally, they do not ship any administrative tools for MSDE. If you want to do something as simple as changing the password on the default “sa” account, you’ll have to do some scripting.

None of that is intended to sound negative, even though it’s true the MSDE is a severely cut-down version of SQL Server 2000. The price is right and once you get past the basic lack of admin interface— the hard part—then you’ll find that it’s a pretty nice add-on.

General Networking Pluses XP’s new networking features made it to Windows Server 2003, with some extras as well.

NAT Traversal First, XP introduced NAT Traversal. For those who don’t know what that is, NAT Traversal tries to solve the problem of “how do I communicate from inside one NAT network to another?”

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

5

6

CHAPTER 1

WINDOWS SERVER 2003 OVERVIEW

More specifically: suppose you’ve got a cable modem or DSL connection with a connection sharing device of some kind, like a DSL router. The DSL router has two IP addresses. First, there’s the honest-to-God, fully routable IP address that it got from your Internet provider, connected to the DSL or cable modem connection. Then there’s the connection to a switch that you’ve got all of your internal machines connected to—the old Windows 9x boxes, NT machines, 2000 systems, Macintoshes, or whatever. The DSL router’s job is to share the one “legal” Internet address among several devices. But every device needs a unique IP address. Lots of devices, but just one IP address—what to do? As you may know, DSL routers solve this problem by giving all of the internal systems—those Windows, NT, 2000, and Mac machines—IP addresses from a block of addresses set aside to be nonroutable. Anyone can use them. Note By the way, if you’ve never worked with IP, don’t worry too much about this—read Chapter 6 on the basics of TCP/IP on Server 2003.

There are several of these nonroutable blocks, but most DSL routers seem to use the 192.168.1.x or 192.168.0.x subnets. The DSL routers then use something called network address translation or, more correctly, port address translation (again, see Chapter 6 if this isn’t familiar) to share the one routable address with all of the internal systems. How it does it is pretty simple: whenever an internal system wants to access the Internet, perhaps to browse some Web site, then that system just says to the DSL router, “Please forward this request to Internet address so-and-so,” as routers normally do. But the DSL router knows perfectly well that it can’t do that: if it says to the Internet, “Hey, someone at 192.168.1.3 has a request,” then the first Internet router to see the message will simply refuse to route it, as the address is in a range of addresses that are, by definition, NONroutable. So the DSL router doesn’t say “192.168.1.3 wants something”; instead, the DSL router substitutes its routable address. Then, when the answer to 192.168.1.3’s question comes back, the DSL router remembers which machine asked the question in the first place and routes the answer to 192.168.1.3. The result is that to the general Internet, that DSL router sure seems like a demanding system, when in fact it is simply busy because it is impersonating a bunch of systems. In any case, notice that it’s possible for an internal system (one with one of those 192.168.x.x addresses) to initiate a communication with a device on the public, routable Internet, but it’s NOT possible for a device on the public, routable Internet to initiate a conversation with an internal 192.168.x.x system. Here, then, is the problem. Suppose I’m sitting at a Windows 2000 Pro box in my home that has a 192.168.x.x address, accessing the Internet via my DSL router or cable modem sharing device. You’re sitting in your house, also using some kind of DSL router or cable modem sharing device to access the Internet. We meet on-line and decide to play some networkable game and start to set up our connection. One of us acts as the server and one as the client. The client then initiates communication with the server. That’s where the problem appears. I could initiate a communication to a routable address, or YOU could initiate a communication to a routable address, but neither of us has a routable address… and so we can’t communicate. (Note that some of you might be scratching your heads saying, “Mark, I don’t have that problem.” In that case, I’m guessing that you use your Windows 98 SE, Windows Me, or 2000-based system as the DSL or cable modem–sharing device. As you know if you read Chapter 6 of Mastering Windows 2000 Server, you can easily activate something called Internet Connection Sharing to

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

GENERAL NETWORKING PLUSES

make your 98 SE/Me/2000 device into a simple NAT router. But if you do your gaming while sitting at that box, then NAT isn’t a problem, as that particular computer has a legal IP address, recall, as it’s the device connected to the Internet.) How, then, to create a meeting of the minds in PC-land? With NAT Traversal. The idea is that if your DSL router (or other sharing device), your opponent’s sharing device, and your game software understand NAT Traversal, then the two sharing devices work out the details to allow 192.168.x.xto-192.168.x.x communications with no muss, fuss, or greasy aftertaste. And XP Pro’s version of Internet Connection Sharing supports NAT Traversal, so if you replaced your DSL router with an XP Pro (or Home) box, you’d have all the more online gaming options. (And of course it’s good for more than just gaming; you could use this for any peer-to-peer communications that must go through a NAT-type router, like Webcam-type videoconferencing—once there’s videoconferencing software that understands NAT Traversal.) NAT Traversal’s migration to Windows Server 2003 is, then, pretty good news.

IPSec NAT Traversal I discussed NAT Traversal as if it were mainly of interest to gamers, and I suppose that at first it was. But you could just as easily imagine 192-to-192 type network communications in business as well. Consider a business with two offices in different cities and about 50 employees in each location. They’d like to connect the offices but don’t want to have to buy a dedicated leased line or frame relay between the offices, so they get DSL in each location. In each location they end up with network addresses that look like 192.168.0. something, but they’d like to communicate from location to location. Their problem is, as you can see, exactly the same problem that the gamers in my earlier example face. So they could just put in NAT Traversal hardware and software and be done with it. But then they’d be transmitting office-to-office data in cleartext over the Internet. An OK thing in 1993, I suppose, but a definite no-no in these modern times. Running sensitive data over the Internet is exactly what IPSec (Internet Protocol Security) was built for. IPSec (also covered in Chapter 6) converts an IP connection into an encrypted IP communication. The only trouble is that IPSec and NAT don’t mix. Or didn’t, until Windows Server 2003. Windows Server 2003 includes a new kind of IPSec that is NAT Traversal–aware. So you can have as many 192 networks as you like, and they can all talk to one another, and securely. Of course, this isn’t free—you need firewalls and routers that are NAT Traversal–aware—which is probably one reason Microsoft has started selling network hardware, including some interesting wireless devices.

RRAS’s NBT Proxy Eliminates Network Neighborhood Problems Routing and Remote Access Service (RRAS) has always been a source of troubles, largely due to the fact that one of its main jobs is to allow networking over dial-up lines, and dial-up lines are noiseridden, unreliable things. Another RRAS problem stems from the fact that you normally use it to connect some remote computer, like a home PC, to a distant larger network, such as your company’s network, meaning that your home PC is now a network segment all by itself, and in effect the RRAS server has to act as router, authentication server, and a host of other things. A side effect of your home system being a network segment all its own is that Network Neighborhood or My Network Places doesn’t have much to show, as it normally displays the systems on the local segment. (I’m simplifying but that’s basically right.) That doesn’t mean that users cannot access

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

7

8

CHAPTER 1

WINDOWS SERVER 2003 OVERVIEW

servers on the corporate network; unless configured otherwise, a remote user can connect to any server at the office. But people aren’t comfortable using Find Computer or some other way to connect to a server, and unfortunately Network Neighborhood is the tool of choice for many when looking for a server—so an empty NetHood is disconcerting to many users. Seeing tons of computers in NetHood while in the office and none while at home troubles some users, but Windows Server 2003 can fix that. Server 2003’s RRAS server includes a feature called the NetBIOS over TCP/IP proxy or NBT proxy. This basically takes the Network Neighborhood that any system inside the office sees and ships it over to the dial-in system. Of course, in the long run users are going to have to get used to finding servers and resources by searching the Active Directory rather than browsing NetHood, but this provides a useful interim tool.

DNS Conditional Forwarding Supports Multidomain AD-Integrated DNS As you learned when creating your Windows 2000–based AD, or as you’ll learn when you create your Windows Server 2003–based AD, AD needs a sturdy and secure DNS infrastructure. A big part of the “secure” aspect of DNS comes from a DNS design called split-brain DNS where you essentially keep two sets of books, DNS-wise—a DNS server that the outside Internet sees, which holds the address information for your Web, mail, and FTP servers, and a separate DNS server (or a set of DNS servers) inside your intranet that serves AD’s needs. Split-brain DNS works by bypassing the normal process whereby a DNS server converts DNS names like www.bigfirm.biz to an IP address. And it works fine, except when joined with a very useful feature of Windows called Active Directory–integrated zones. You’ll learn more about this in Chapter 7, but basically AD-integrated zones let you secure a zone for a DNS domain (like bigfirm.biz) with one limitation: the DNS servers for bigfirm.biz must be domain controllers (DCs) for an Active Directory domain whose name is also bigfirm.biz. Where that presents a problem is the case wherein you want to run more than one Active Directory domain in your intranet. Each AD requires a DNS zone to back it up (and, again, if you’re not sure about what these things are, don’t worry, I’ll cover them in detail in Chapter 7, starting from the basics). If you want to use AD-integrated zones, however, then you’ll have to have a separate set of DNS servers for each domain… and that’s where the problem lies. It’s easy to keep a separate set of books on just one DNS domain, as you divide the world up into two areas: folks on the outside of your network, who only see your external DNS server’s information, and folks on your intranet, who see your internal server’s DNS information and incidentally can also see DNS information on the outside world—so even though the folks inside your intranet are being deceived, so to speak, about the contents of your internal Active Directory’s associated DNS data (bigfirm.biz in my example), they get the unfiltered DNS information about other DNS, like microsoft.com, whitehouse.gov, and the like. Now add that second internal domain; let’s call it acme.com. To make the bigfirm.biz folks see the correct separate set of books, you point all of their servers and workstations to the internal DNS servers that contain the internal-only version of the bigfirm.biz information. Recall that these servers must be Active Directory domain controllers for the bigfirm.biz AD domain. To support the people in acme.com, you’d set up a different set of DNS servers for your internal-only information for acme.com and point all of acme.com’s servers and workstations to those acme.com DNS servers. People in bigfirm.biz can, then, get the internal-only DNS information about bigfirm.biz, as well as the public DNS information for any other domain. People in acme.com can get the internal-only DNS information about acme.com, as well as the public DNS information for any other domain.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACTIVE DIRECTORY IMPROVEMENTS

Here’s the problem: if a bigfirm.biz member wants to log onto some resource on acme.com, then that bigfirm.biz-ite will have to find a domain controller for acme.com, as DCs handle logons. But you find DCs in Active Directory via DNS. A bigfirm.biz user, however, uses DNS servers that know the internal-only information about bigfirm.biz, not acme.com. So if someone in bigfirm.biz tries to look up a DC in his local DNS server, that local DNS server will end up asking the public DNS server for acme.com, “Where are your DCs?” The answer will be a puzzled look from the public DNS server for acme.com, as it has no clue what a DC is. There are workarounds for this, but Windows Server 2003 offers a terrific one: conditional DNS forwarding. It lets me set up the bigfirm.biz DNS servers by saying, “OK, you already know the internalonly information about bigfirm.biz. And you know that if you have to find out DNS information for someone else, like www.google.com or www.cnn.com, or the like, then you go search the public Internet. But here’s a new bit of information: on the off-chance that you ever need to find out information about a zone called acme.com, then go straight over to that server over there (pointing to the internalonly acme.com DNS servers) and it’ll have the answer.” A great new feature for folks rolling out Active Directory forests with more than one domain. You’ll see it at work in Chapters 7 and 8.

Active Directory Improvements For a first try, Windows 2000’s Active Directory was pretty good… not bad for a 1.0, Microsoft. (Of course, they did have Banyan and Novell’s directory services to learn from, but let’s ignore that for this discussion.) In Windows Server 2003, Microsoft dishes up a 1.1 version of AD that solves several irritating problems, makes running branch offices easier, and expands AD’s flexibility. While I don’t want this to sound negative, it’s a fact that Active Directory still suffers from most of its inflexibility—there is no simple way to rearrange the structure of an existing forest, to merge forests into one forest, or to break off a piece of a forest and make it a forest of its own. Don’t think that those scenarios are marginal or unusual ones—they’re not. The reorganizations that most organizations undergo every year or so will often require rearranging a forest. Two firms merging need to be able to merge their forests as well. And a firm divesting itself of a subsidiary would want to be able to detach one or more domains or trees from a forest. But perhaps that will appear in a future version of Server; let’s hope so. Meanwhile, the 2003 edition of AD has, again, some very good news. Here’s a look at its high points.

Forest-to-Forest Trusts Combining a bunch of AD domains into a forest offers two main benefits: first, those domains all automatically trust each other, and, second, the domains share a set of “super” domain controllers called global catalog (GC) servers, which are domain controllers that contain a subset of information not just about their own domains but about every single domain in the forest. Doing away with the unreliability of NT 4 trusts for the convenience and dependability of AD’s automatic trusts is a big win for AD users. But, as I suggested a few paragraphs back, AD forests were and are still pretty inflexible. So suppose you’re an organization that finds itself with more than one forest, and you need to get those forests to share things? Well, there’s always been the hard way—get a migration tool and copy all of the user accounts, machine accounts, and other objects from Forest 1 to Forest 2, then just plain delete Forest 1. The problem with that answer is that while migration tools are pretty nice, they don’t do the whole job and they’re a lot of work to get working.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

9

10

CHAPTER 1

WINDOWS SERVER 2003 OVERVIEW

With a Windows Server 2003–based forest, however, you have a new answer: forest root trusts. With these, you just build one new trust relationship between Forest 1 and Forest 2 and instantly every domain in Forest 1 trusts every domain in Forest 2 and vice versa. Cool; thank you, Redmond. But I said that forests had two main features—complete trust and a centralized database of forest information called the global catalog. A forest-to-forest trust gives us back the first benefits of a single forest; what about the second? Unfortunately, two forests that trust each other do not share a global catalog. That means that forest trusts will not let applications that are GC-dependent see the trusting forests as one single overall directory. What apps are GC-dependent? Well, the most prominent one is Exchange 2000: it really wants to see your organization as one big forest. Forest trusts don’t solve that problem. I was surprised to learn of another limitation to forest trusts: they’re not transitive. Interestingly enough, if Forest 1 trusts Forest 2 and Forest 2 trusts Forest 3, then Forest 1 does not trust Forest 3. Bummer. And none of this forest trust stuff works at all until you’ve upgraded every single DC in every single domain of both forests. So, overall the forest trusts are a good step forward… but not the whole story.

Group Replication Problem Solved It’s always been ironic that while Active Directory can support a far larger user list than could NT 4 domains, AD couldn’t support groups as large as NT 4. You can create literally millions of users in an AD, but because of a quirk in AD’s method of keeping domain controllers’ information consistent (“AD replication”) in combination with the way that group membership is stored in AD, you can’t put more than about 5,000 users into a group. In 2003’s AD, Microsoft restructured the way they store group membership, and now the sky’s the limit. It also solves another problem wherein it is possible in 2000’s AD that you and I work in the same world-wide company and you change a group’s membership while sitting in the Edenton office while I change that same group’s membership while sitting in the Port Angeles office, and one of our changes overwrites the other person’s changes. With 2003, that’s fixed. To get this benefit, you must upgrade all of the DCs in all of the domains in your forest.

Good News for Branch Offices Branch offices have always presented a problem for IT folks. Many firms have one or two large centralized locations and dozens (or hundreds!) of small offices housing a dozen or two employees. These small branch offices are important but expensive to run, as a firm typically has to install some kind of persistent connectivity—frame relay, DSL, T1, cable modem, or the like—to the branch office so that the employees there have access to the corporate intranet and potentially the Internet. As branch offices are typically served by only one WAN link and WAN links aren’t always so reliable, companies have to make some tough choices: do we put a domain controller on every site? Does each site need a DNS, WINS, DHCP, etc. server? If we put servers on a branch office site, will they do so much chattering over the WAN link with the servers in the central office that they’ll chew up a significant proportion of that link’s bandwidth? And most importantly, when the WAN link is down, how do we ensure that the employees in the branch office can still get logged in and remain productive? Server 2003 can’t solve all of those problems because, well, unreliable WAN connections aren’t Microsoft’s fault. But 2003 offers some changes that will make setting up and maintaining branch offices easier.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACTIVE DIRECTORY IMPROVEMENTS

Simplified Branch Office DC Installation

I’ve helped a number of firms get AD up and running. Sometimes, however, they call me back to help out with a particularly difficult part. In one case, it was the Case of the Dial-Up Office. This company had a branch office that did not have a persistent connection either to the Internet or to the head office; instead, they dialed up when necessary. And they were having trouble getting a domain controller set up in that branch office. Now, you see, to create a domain controller, you start from a regular old vanilla Windows Server, either vintage 2000 or 2003, and run a program called DCPROMO, a wizard that will convert a member server into a domain controller or will decommission a DC back to a member server. In order to create a new DC, you must have a live connection back to the main office, so before trying to set up the DC I dialed out to the Internet and from there established a connection to the “mothership” back at HQ. DCPROMO started out fine, accepting my credentials and okaying the idea of promoting this member server. But a new DC needs a copy of the Active Directory, so DCPROMO’s last act is to hook up with another DC and download the latest version of AD. This firm had a few thousand employees, so their AD was actually not too large—under 10MB. Did I mention that their phone line was a bit noisy? That it only connected at about 26 kilobits? And that it tended to disconnect at inconvenient times? Anyway, DCPROMO would try to start replicating and get partway through… and then the line would hang up. Sometimes a reboot and another DCPROMO would get us back to member server, where we could start all over again; in a couple of cases, I had to reinstall Win2K Server from scratch. After only about a day of trying, though, I found that the phone lines were quiet and clean enough around midnight to allow the initial replication to complete. Grrrr. I really would have welcomed Windows Server 2003 in that case. With Server 2003 you can take a backup of your AD domain database with you to the remote site, and DCPROMO then lets you start a new DC out from the backup of the AD, rather than forcing a complete initial replication over the WAN. From there, you connect the new DC up to that unreliable phone line, and all the DC must do is to replicate whatever’s changed in AD between when the backup occurred and now, which usually isn’t much. This feature does not require you to upgrade every DC in creation; in fact, this works fine if the very first Server 2003–based DC in your network is the one that you’re installing in that branch office. Branch Office Replication Control

Should you put a DC in a branch office or not? It’s not an easy question. On the one hand, having a local DC in a branch office means that when the WAN link is down the local users can still log on. On the other hand, having a local DC means that DC must keep a complete copy of the entire domain’s Active Directory database. So if there are 15 users in the branch office and 50,000 members of the domain, every time those 50,000 people change their passwords those changes must be replicated across the WAN link to your branch office’s DC. (That’s an example of what I meant when I said earlier that server communications can seriously burden the WAN links to branch offices.) AD has always tried to limit its effect on branch offices in a couple of ways. First, it uses a routing algorithm that is designed to enable it to get data from a DC in one office to a DC in another office in the least-cost way. Second, it compresses the data before moving it between DCs. Those both sound like good features, but Server 2003 improves upon them.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

11

12

CHAPTER 1

WINDOWS SERVER 2003 OVERVIEW

First, there is a large body of literature about optimal routing algorithms… but the Microsoft programmers working on AD in Windows 2000 didn’t employ them. Instead, they made up an algorithm all their own. (Why? I don’t know. But I do know that many firms, Microsoft included, are sometimes struck by what’s called the “NIH syndrome”—short for Not Invented Here. It refers to the fact that it’s more fun to sit down and reinvent your own wheel than it is to merely reimplement someone else’s wheel.) Microsoft found that AD bogs down when faced with more than a few hundred sites; implementing industry-standard algorithms shot that up into the multithousand-site range. Second, odd as it sounds, apparently some branch offices found that the CPU power required to compress and uncompress data outweighed any benefits gained from bandwidth recovery. So in Server 2003, Microsoft lets you choose to shut off intersite compression. Both of these features require that you upgrade every DC in every domain in your forest. Branch Office Logon Info Cacheable

When the WAN goes down, does everyone get a day off? Well, that’s essentially true if they need the WAN to do a logon. Windows 2000 and later systems require several ingredients in order to log on. First, of course, a workstation must be able to find a domain controller; that’s always been true. Second, Active Directory member machines need to be able to find a global catalog server in order to log a user on. It is, then, possible that you might have a local DC but not a local GC. In that case, a WAN failure means that you’d only be halfway to logon, so you’re logged on with “cached credentials.” One answer is to put a GC on every site, but that can be very expensive in terms of WAN bandwidth: GCs not only replicate from other DCs in their same domain, GCs also replicate from every other domain in the forest! AD 2003 offers a nice workaround: Server 2003–based DCs will locally cache the information that they need from a GC. So if you logged on yesterday from your branch office, your local DC collected enough information over the WAN from your GC that it was satisfied to let you log on. If the WAN’s down today then your local DC remembers that it logged you on yesterday, and logs you on today. The best part of this news is that it requires no other upgrades—the DC in your branch office can be the first Windows Server 2003 introduced into your enterprise and this will still work fine.

Domains Can Be Renamed One of 2000’s most annoying AD limitations was that it prevented you from renaming a domain; if Bell Atlantic had had an AD forest when it merged with GTE and was renamed Verizon, there would have been no way to rename an AD domain named bellatlantic.com to verizon.com. Now you can rename a domain, but it’s not a simple matter, even now. First, you will have to be completely Server 2003ed in the domain: every DC in the domain to be renamed (not all DCs in the forest, just the ones in the domain) must be running Windows Server 2003. And second, there are… well, I was going to write “… a few steps to perform in order to complete the domain renaming,” but the truth is that Microsoft has a white paper online explaining how to do it. The paper is 60 pages long. So it’s possible, just not easy, at least not yet.

AD Can Selectively Replicate Active Directory is a database, and domain controllers are database servers, just like systems running Access, Oracle, MySQL, or SQL Server and holding some other kind of database. (Well, not just like…

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

REMOTE ADMINISTRATION UPGRADES

DCs do not respond to SQL queries. Instead, their query language is LDAP.) While the AD database was originally designed for storing user accounts, machine accounts, and the like, there’s no reason application designers can’t take advantage of AD’s built-in database engine to store other information. Microsoft’s own programmers did just that when designing 2000’s DNS server. As you may know, 2000 introduced you to the option to create a DNS zone that was an Active Directory–integrated zone. A zone of that type stores the DNS info for your systems in the AD itself and replicates it along with the normal domain information from DC to DC. But only DCs get copies of the database, so if you choose AD-integrated DNS, all of your DNS servers must be DCs. But now consider: what if you had a lot of DCs, but only a few of them were DNS servers? Wouldn’t that be a bit wasteful? You’d use precious bandwidth to replicate DNS info to every DC, whether it used it or not. Server 2003 solves that problem with the notion of an application partition. Partitions are subsets of the AD that only replicate to a subset of DCs. Microsoft then applied that notion to their DNS servers, so in a network using AD-integrated zones only the DCs running DNS will get the DNS info. This feature doesn’t require any preparation; you get its benefit on any DC running Windows Server 2003.

Remote Administration Upgrades For years, remote administration and control of Microsoft operating systems drove me nuts. It seemed only Microsoft OSes required you to be physically sitting down at a computer in order to control the software running on it. Sure, there were third-party alternative tools like PCAnywhere or VNC, but remote control/admin always seemed like something that really needed to be “in the box,” integrated into the OS. Windows 2000, then, was a great advance, incorporating remote Telnet sessions and a remote control tool called Terminal Services that was a cut-down version of a program from a company named Citrix. Terminal Services only ran on Server, though, so remote control of 2000 Pro boxes was dicey. But then came XP and now Windows Server 2003. First, the workstation/desktop version of Windows Server 2003, Windows XP Professional, includes Microsoft’s adaptation of Citrix’s remote control product. It and the server version of Terminal Services are built around a tool called the Remote Desktop Protocol (RDP). Microsoft has improved RDP to make it run on slower connections, and I’m not exaggerating when I say that remote control over a 40-kilobit dial-up connection works very well, almost as well as sitting at the computer. RDP also matures in that it automatically gives your remote control session access to your local printers and drives, something that Terminal Services for Windows 2000 couldn’t do. It supports colors beyond the simple 8-bit, 256-color of Windows 2000’s RDP, and transports sound as well. Perhaps even better, Windows Server 2003 and XP repackage RDP in two forms: remote desktop support and remote assistance. These are ways to provide remote control or offer remote assistance but are nothing more than new user interfaces placed atop Terminal Services. If you’ve not used them yet for XP, I think you’re really going to like them on Windows Server 2003. Finally, Windows Server 2003 offers a completely new set of remote control tools in the form of Web pages. You can install a bunch of modules on your server that will let someone do approximately 80 percent of the administrative functions you’ll ever need, all through a secure Web connection. The bottom line is that we don’t have to put up with those Unix guys kicking sand in our faces telling us that their OS is more manageable!

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

13

14

CHAPTER 1

WINDOWS SERVER 2003 OVERVIEW

Command-Line Heaven Okay, I admit it, the command line is harder than the GUI. GUI-based administrative tools walk you through a process and offer tons of online help and wizards while they’re at it. The command line is definitely an acquired taste. But may I offer a very heartfelt bit of advice? Acquire the taste. You’ll be glad you did. Take a common problem that I hear about a lot: a private DNS root. Through a process that I’ll cover in Chapter 7, it’s possible to set up a DNS server that lives in its “own private Idaho,” and is unable to resolve names on the rest of the Internet. It happens through a common bit of misconfiguration. And it can be fixed from the GUI, with about two paragraphs of explanation. Or you can just open up a command line and type dnscmd /zonedelete /f .

Then press Enter and it’s done. (Most of the time, but I’m keeping this simple.) Command lines let you type a few dozen characters and accomplish amazing things. Just a few keystrokes can often accomplish quite a lot. But how’s that different from saying, “Use the GUI, and in a few dozen mouse clicks you can get a lot done?” Well, that’s true, you can. But the command line offers two more things: ◆

◆

First, simply opening a Telnet session lets you run one of those powerful command-line commands on a remote computer, so it’s a great way to do remote administration. “Wait a minute, Mark,” you say, “didn’t you just tell me a page or two back how well Terminal Services runs in low bandwidth?” Sure, but command-line sessions run in even lower bandwidth. Imagine administering your computer remotely with nothing more than your cell phone and either a wireless keyboard or a bit of patience and the phone dialing keyboard. It’s possible with command lines. Second, suppose you have some repetitive administrative job, something that needs doing pretty regularly or, worse, regularly at some inconvenient time, like 3 A.M. daily. It’s a task so simple that you could train a monkey to do it… if they’d only let you hire monkeys and give them administrator accounts. Instead, you can create an “e-monkey.” Figure out how to do the task from the command line. Then type those commands into an ASCII text file with Notepad. Give the file the extension .CMD. And whammo: you’ve just written a batch file that you can schedule to run at 3 A.M. Try writing a batch file that stores mouse clicks and you’ll see how neat the command line can be!

Windows 2000 made some great strides in offering better command-line tools, but didn’t go all the way. With Windows Server 2003, it’s actually possible to do about 98 percent of your administration from the command line.

Desktop Support Improvements Most of you don’t use Server as a Desktop operating system, so you wouldn’t expect much in the way of improvements to Desktop control, but recall that Windows Server 2003 incorporates all of the new things that came to XP. If keeping Desktops up and running is part of your job, then you’ll like what Windows Server 2003 brings, although in most cases you need XP on the Desktop to see Server 2003’s improvements. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

TIGHTENED SECURITY

Profiles and Policies When they first arrived, roaming profiles seemed like a great idea… but then we tried them. Slow, prone to breaking… auugh. But Windows 2000 made them more palatable, and so has Windows Server 2003. First of all, there’s a new group policy that you can apply to a machine (or machines) that says, “Ignore all roaming profiles.” This is terrific—now I can ensure that just my laptop and desktop get my roaming profile, by setting up all of the public access/shared systems and the servers to “ignore roamers.” Another group policy makes roaming profiles better for laptop users. Sometimes I’ll check into a hotel and find that it offers Ethernet connections to the Internet (yippee! I will sleep on a stone floor if it means I get high-speed Internet access), so I plug my laptop into the Ethernet and boot it up, only to realize that my stupid laptop is trying to suck my roaming profile over the Internet. A half-hour later, it gives up. Or at least that’s what used to happen. Now I just set the group policy on my laptop that stops and asks, “Do you want to download your roaming profile?” I say no and log on in seconds. (Of course, the laptop must be running XP.) Those are just two examples of the new things you can do to control profiles; there is a ton more, as a look at the Group Policy Editor (which you’ll meet in several places in the book) shows.

Software Restriction Group Policies Every help and support desk person has a little list of things she’d like to see. One is almost always, “I’d really like to keep users from running particular programs on the system.” (If you’re having trouble thinking of examples, then see if the names Morpheus or Kazaa ring any bells.) With XP desktops, you can do that. XP and Windows Server 2003 include a whole new set of group policies called software restriction policies. With them, you can tell a Desktop, “Nothing runs except Word, Internet Explorer, Outlook, and the Palm Desktop.” It’s pretty neat and pretty powerful, and you can learn more about it in Chapter 9.

The Group Policy Management Console (GPMC) After reading the last page, you may be shaking your head saying, “Yeah, that’s nice and all, but you’re talking about group policies? Those guys are a nightmare.” Yes, they can be, particularly when a group policy refuses to run—“Let’s see, I just created this policy that keeps Access from running on Ronnie’s desk and he can still run Access!” Several things might keep your new policy from running— Ronnie’s Desktop might not have refreshed policies, or it might have refreshed policies but your policy might have been overridden by another policy. You look and see that there are only 24 other policies that apply to Ronnie and his Desktop, so time to start sifting through policies… or not. Microsoft has been working on a really terrific group policy troubleshooting tool called Group Policy Management Console. It didn’t ship with Windows Server 2003, but as of this writing Microsoft expects to give it away free on their Web site by March/April 2003. You’ll learn more about it in Chapter 9.

Tightened Security Sometime in late 2001, two things occurred to Bill Gates: first, network security is important and, second, Microsoft software is buggy as heck when it comes to security (among other things), so a lot of Microsoft security is lacking a bit. So he derailed virtually all of Microsoft’s coding efforts for two months as Microsoft trained nearly everyone about security.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

15

16

CHAPTER 1

WINDOWS SERVER 2003 OVERVIEW

In the end, this was a good thing. NT has always had a reputation of being an insecure operating system, but it’s an inaccurate reputation. NT (3.1–4, and Windows 2000) is an extremely secure OS in that it provides the option to lock many things; a properly tweaked NT server is a secure server indeed. NT’s reputation comes, however, from the fact that a default installation leaves the vast majority of those locks unlocked. For Windows Server 2003, that changes. For example, NT 4 and Windows 2000 installed an unsecured Web server by default on every server you ever installed. Not a good idea, as we learned in June 2001 when a worm called Code Red infected millions of servers—though the Web server. (As I write this in late 2002, there are still thousands of servers out there infected with the Nimda virus, a year after Nimda’s arrival.) With Windows Server 2003, in contrast, you don’t get IIS unless you ask for it. And even then, it’s a pretty locked-down version of IIS. (You’ll learn how to set up IIS in Chapter 17.) To see another example, look at the NTFS permissions on the C: drive of any Windows Server 2003. Where the default permission for every previous version of NT was Everyone/Full Control—“C’mon in, y’all, we’re all friends here!”—Windows Server 2003 gives Everyone only Read and Execute permission on the root of C:. The Users group has more power, as it can read files and create folders on C:, but it cannot create new files on the root of C:. You can change all of this, of course, but by default Windows Server 2003 is a bit tighter security-wise than its predecessors. That’s a good thing. But it won’t be an unmixed blessing. I’m sure that at least once in your Windows Server 2003 career you will be sitting at the server trying to get something done but getting nowhere. You’ve got Help open, or a book at your side—this one, I hope!—clicking where the book says to click and dragging where the book says to drag, but it’s not working. In that case, you may be doing the right thing but lack the permissions to do it. So Windows Server 2003 offers you one more impediment to getting our jobs done: you’ll have to wend a maze of security to do some things. But don’t take that as a negative comment. It is simply a fact of life in the twenty-first century that there are tons of dirt bags out there and the Internet has now given them the chance to come knock at your door so we have no choice but to install locks on our doors. Yes, it was nice back in the days when we didn’t have to lock our doors or carry keys, but those days are gone forever. NT 5.2 changed, yes, but it was just changing with the times.

Reliability Continuing from the last section’s topic, what makes an OS secure? In addition to the traditional security topics, like the ones that I just discussed, there’s a more visceral sort of security—do you trust the thing not to crash on you? In general I have always found NT to be sturdier than its compatriots; I think that no one would argue with me when I say that it’s always been more reliable than Windows 3.x, 9x, and Me. I’d argue further that it was more reliable than the Mac, at least through OS 9.x. (OS/X is a completely different story; I think Apple did a great thing with OS/X—the result will be eventually be, I think, both Apple and Microsoft sometime in the future both offering OSes so reliable that we’ll actually trust those OSes implicitly. Unfortunately we’re not there yet. But I think it’s possible.) Windows 2000’s System File Protection and Driver Verifier made great strides in making Windows 2000 far sturdier than its NT 4 predecessor; XP took that further with System Restore, Application Verifier, and Driver Rollback. As with some other Windows Server 2003 features, they’re not exactly new, as they first appeared in XP, but they’re new to Server. Unfortunately, one of the three,

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

STORAGE NEWS

System Restore, apparently doesn’t come with Server, and that’s puzzling: it’s an XP tool that lets you roll back the entire state of a system to some time in the past, undoing the effects of installing some new unreliable program that’s made your previously reliable system wobbly. I don’t know why they left it out of Server; perhaps we’ll see it return with a future version of Server. Driver Verifier was—and is—a useful tool for checking up on new device drivers and other system-level programs. It was a great addition to 2000 and still is, with Windows Server 2003; smoking out problems with kernel-mode programs is far easier with its help. Application Verifier performs a similar service, but for user-mode programs. Have a program that ran fine under NT 4 or Windows 9x but won’t run under Windows Server 2003? Then run it under Application Verifier. When it fails, Application Verifier will tell you what caused it to fail and, even better, it can add information to the application that lets it run under Windows Server 2003. Another source of operating system instability can be new drivers. You’ve got the system running fine, but the vendor of one of your pieces of hardware comes out with a new driver. As it looks like you’re running smoothly, you’re leery about chancing it with a new driver… there must be some subtle bug that someone found that this updated driver fixes, but this new driver could make your system unstable … what to do? Well, Driver Verifier is a great way to check out a new driver, as it was in Windows 2000. But now it’s got a simple partner in Driver Rollback. You load a driver and decide that it’s no good… now, where did you put the old driver? Just go to Device Manager, find the device with the new driver, right-click it and choose Properties … you’ll see a new button, Rollback Driver. Like XP, Windows Server 2003 keeps the previous version of all drivers.

Storage News XP and Windows Server 2003 brought some much-needed fixes to NTFS and one great new feature: volume shadowing. In brief, volume shadowing lets you take snapshots of a file share. At predetermined times of the day, Windows Server 2003 will record the status of whatever it’s shadowing and let you roll back to that quickly and easily. For example, suppose you keep your important documents in a share \\serv01\ documents. You could tell Server 2003 to take snapshots—shadow copies is the Microsoft term—of the files in that share at 7 A.M., 10:30 A.M., noon, and 6 P.M. A few days later, at 10:15 A.M., you realize that you’ve accidentally deleted an important document. But all’s not lost; just fire up the shadow copy client software (included with Server 2003) and restore the 7 A.M. version of the document. A few hours’ work lost, but that’s all. And no need to go find the tape librarian and beg to get a tape with last night’s backup mounted. Volume shadowing lets you create a kind of imaginary copy of a file, with the state of that file frozen in time. That means that you can take shadow copies of open files and then back up the shadow copy! For example, suppose you have a SQL database that you need to back up every day, but there’s never a good time to stop the database server. No problem: take a shadow copy at 3 A.M. That copy does not change on a second-by-second basis, unlike your real SQL database file, so you can back it up at your leisure. I told you that NTFS got some other improvements; they include ◆

NTFS clusters can be any size, unlike Windows 2000, where their cluster size could not exceed 4KB or the volume could not be defragmented.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

17

18

CHAPTER 1

WINDOWS SERVER 2003 OVERVIEW

◆ ◆ ◆ ◆ ◆

A server can now host as many Dfs (Distributed File System) roots as you like; Windows 2000 only allowed each server to host just one root. Offline files can now cache encrypted files. You can set up encrypted files so that more than one person can view an encrypted file. You can now both compress and encrypt a file. EIDE drives can now run independently, meaning that you can run a small database server with two EIDE drives rather than SCSI drives—one drive for the database, the other for the transaction log. This was always possible in NT, but never made sense, as EIDE drives were limited to only run one at a time—if your SQL software said to the hardware, “Save these bytes to the database file and those bytes to the transaction log,” then in actuality the OS would make the EIDE drives take turns. It might first write the bytes to the drive holding the database file while the drive holding the transaction log cooled its heels, and then write to the transaction log while keeping the database idle. The techie term for this would be that EIDE drives are now asynchronous, at least when they are on different channels—for example, this works if one hard disk is on the primary EIDE channel and the other is on the secondary EIDE channel.

None of those are truly earth-shaking, but they’re all quite welcome improvements. Which brings me to my last point in this chapter…

Windows Server 2003: Not Yet or Good Bet? Should you upgrade? Is it worthwhile to move up to Windows Server 2003, Standard Edition? That’s a really tough question. On the one hand, it’s hard to point to any one feature that grabs you by the throat and says, “You gotta have me.” For some people it’ll be the new Active Directory stuff, either forest roots, domain renames, or the new branch office–friendly features. Or it might simply be that they’ve been waiting to go to a full-blown LDAP-based directory service like Active Directory for a while but were leery of the version 1 feel of Windows 2000’s AD. But are these reasons to toss out an already-existing infrastructure built on Windows 2000 Servers? Buying all of those server licenses might be a hard sell in a place with a lot of servers. For those with just a handful, then the upgrade might be simple, not too expensive, and the fact that you needn’t buy new client access licenses when upgrading to Windows Server 2003 has to make Server 2003 go down easier. But again 2003 seems to lack that one killer feature. Furthermore, as I wrote this book I found time and time again that some section of Windows Server 2003 didn’t do anything that Windows 2000 Server didn’t do but that Microsoft had changed the user interface, wizards, syntax or the like. As a result, much of the time that I spent researching the book was time spent trying to figure out how to do something that I’d already figured out in 2000! On the other hand, Server 2003 has a real preponderance of attractive features. Even the muchmaligned (by me, to tell the truth) XP user interface has been toned down in Windows Server 2003 and is pretty nice—it’s convenient in the Active Directory tools to select a group of users and do one operation on them, or to just drag and drop them between organization units. The more I work with Windows Server 2003, the more I like it. This is always true, of course—features that you first think are kinda okay soon become “man, do I miss them” when running an earlier version of the operating system. Some people will find particular small aspects compelling, as in the case of conditional DNS forwarding.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WINDOWS SERVER 2003: NOT YET OR GOOD BET?

I first met Windows Server 2003 in its beta 2 form in 2001, and I can’t say that I was impressed. But from beta 3 onward it’s grown on me and as I write this, just before its final release, I can say honestly that I will replace all of my Windows 2000 Servers with Windows Server 2003s, as soon as I can. That’s not to say that I think that all of you should do that—read the rest of the book and decide for yourself. As you can see, there’s a lot of fun new stuff to play with and learn about in Windows Server 2003. But Windows Server 2003 is sort of the second chapter in the second book in a series—NT 3.1, 3.5, 3.51, and 4 were basically chapters in the first book, and Windows 2000 was the first chapter in the second book. Some of you have been following along with the Server story and you’re ready for the new Server 2003 stuff; but for those of you just joining us, we’ve got the next chapter, which brings up to speed those who are new to Microsoft networking. So if you’re already NT-savvy, skip ahead to Chapter 3. If you’re new to the Microsoft networking game, or just want a short refresher, then turn the page and let’s review The Story So Far.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

19

Chapter 2

The Basics: Networking Software, Servers, and Security In a lot of ways, Windows Server 2003, Standard Edition (which I’ll call “Server 2003” or “2003” in this chapter) should be named “NT 2.1.” Anyone coming into the Microsoft networking story without any previous experience with some version of NT, Windows 2000, or Server 2003 probably feels just as lost as someone who gets dragged into a movie theater to see The Empire Strikes Back while knowing nothing of the original Star Wars. They end up asking things like, “Who is the tall guy with the black shiny mask and the bad attitude; and speaking of attitude, what is with that woman whose hairdo looks like she strapped a couple of Danishes on her head?” In this chapter, I’ll give you a bit of history on Server 2003 and then take a very high-altitude look at why we’re using Microsoft’s networking software in the first place. This is not intended to prepare you for a test on networking essentials, nor is it a complete book on NTs past and present. (When I say “NT,” remember that Windows Server 2003, Standard Edition is really just NT Server 5.2.) What I’m trying to accomplish in this chapter is to answer the questions: ◆ ◆

Why should I care about all of this networking stuff, anyway? Why does Microsoft’s networking software approach networking the way that it does? Here, I’m referring to the fact that much of why Server 2003 works the way that it does is simply because NT always did it that way—so knowing more about NT’s history makes 2003 make more sense.

What’s the Point of Networks and Networking? In a way, this chapter is penance for my youthful misdeeds. When I was in the seventh grade, I had a math teacher named Mr. Schtazle. Seventh-grade math was a kind of potpourri of mathematical topics—I recall one chapter that took pains to drill into our heads the difference between precision and accuracy—and I’d plague the poor man at the beginning of every chapter by asking him, “How will we use this?”—a slightly more-polite version of “why do

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

22

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

we care?” Well, nowadays I find that when I’m teaching a room full of people about Windows 2000, I’ve got to be careful to answer that question, “Why do you care?” even if it isn’t asked. Because if I don’t answer that, then many people in the room will leave the class with a pretty good notion of how to accomplish a bunch of tasks but not a really good feel for why they’d do the tasks in the first place. And you know what? Answering the “Why do I care?” question can be pretty rough some times. So, Mr. Schtazle, if you’re out there…my apologies. Let’s consider the two questions that I asked a paragraph or two back: ◆ ◆

Why network in the first place, and If we agree that networking is a good thing, why do we do it this way?

The answer to the first question will turn out to be pretty straightforward: Networking solves a set of problems for us. The answer to the question, “Why do we do it this way?” is a bit longer. First and foremost, you’re doing this to try to solve some problem that networking can help you with. Your company might want, for example, a great Web site, or to be able to send and receive e-mail, or a simple file and print server for a small office. These are the goals; a network is the means or tool to reach them. In short: The ultimate goal of any networking project is to provide some kind of service . Everything else is just a necessary evil—but there are a lot of those necessary evils! Second, there are many kinds of services that networks can provide, and every kind of service needs different software to make it work. For example, suppose you wanted to set up a Web site on the Internet. Network services, including Web sites, need two main pieces: a server piece and a client piece. To put up that great Web site, you’ll create the site itself with HTML and drop that HTML onto a Web server. One way to get a Web server is by taking one of your computers and putting a piece of software on that computer to make it function as a Web server. But that’s only half the story—in order for your customers to enjoy that Web server’s content, they will need a piece of client software called a Web browser. That’s our first networking piece: Every network service needs server software and client software. Third, you need to ensure that there’s a way for your information to get from your server to your clients, a physical system that the service can travel over. If the clients and servers are in the same building, then you only need a local area network (LAN), and setting that up only requires pulling wires through the building. If, however, you want to offer your service to the world, as in the case of a Web server, then you’ll need some kind of WAN (wide area network) connection to the Internet. In other cases, you’ll need a WAN connection, but not to the Internet: many organizations with more than one location connect those locations via private communications links with names like leased line, T1, or frame relay. That’s our next networking piece: Networks need connection hardware (switches, hubs, routers, modems) and links (phone lines, network cables, frame relay, DSL, cable modem, ISDN, etc.) or the clients can’t connect to the servers. Fourth, to provide a service over a network, your server and your clients must agree on how to transmit information over that network. That agreement is called a network protocol, and the one that you’ll most probably use in the Windows 2003 world is called the Transmission Control Protocol/ Internet Protocol (TCP/IP). You may have heard of it before, as it’s the network protocol that the Internet uses, but you needn’t be on the Internet to use it. In short: Clients and servers must speak the same network protocols. Fifth, once you’ve got the channels open, and before information starts flowing in both directions, you’ll almost certainly need to worry about security. When you use the tool that is networking, you

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

want to be sure it doesn’t increase your risk, and in fact you can shape the tool so it reduces hazards. Briefly: Networks need security. Sixth and finally, once you’ve set up that terrific network service, you need a way for people to find that great service. You do that with a “naming” system. Windows 2003 has two of them—one that appeared years ago before the first version of NT, and a newer (to NT, anyway) method that the Internet’s been using for years. The last network piece, then is that: Networks must provide a way for users to find their services. Let’s examine these pieces in order, take a closer look at why they work the way that they do, and get some insight into how Windows 2003 in particular handles them.

Network Client and Server Software The reason that we network computers in the first place is so that computers acting as clients can benefit from the services of computers acting as servers. For example, suppose you want to visit my Web site, www.minasi.com. Two of the ingredients that you’ll need to make that possible are software: ◆ ◆

You’ll need a computer running a program that knows how to request Web information and then how to receive it—in other words, a client application. I’ll need a computer running a program that knows how to listen for requests for Web information and then how to deliver that information—in other words, a server application.

As sometimes occurs too often in the computer business, you’ve got choices about both the client and the server. The Client Piece: A Web Browser

I’ve said that first you’ll need a computer, of course, one that’s running a Web browser program like Netscape Navigator or Internet Explorer. But let me rephrase that in basic network client-server terms. There is technically no such thing as “the World Wide Web.” Instead, there is an agreement about how to transfer text, pictures, and the like, and that agreement is called the HyperText Transfer Protocol—which is normally shortened to HTTP. The phrase World Wide Web just refers collectively to all of the HTTP servers on the Internet. When you think you’re surfing a Web page, what really happens is this: 1. Your client computer asks the Web server (oops, I meant the HTTP server) something like, “Do

you have any documents?” 2. The Web server responds by saying, “Here’s my default document,” a simple text file that is the so-called home page for that Web server. The Web server sends that file to your client using the HTTP protocol. 3. Once your client receives the text file, it notices that the page is full of references to other files. For example, if the home page that you requested has pictures on it, your Web browser (HTTP client) didn’t originally know to ask for them, so the Web server (HTTP server) didn’t send them. Your client notices the lack of the images and requests that the server send them, which it does—again using the HTTP protocol.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

23

24

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

Here, “HTTP client” just means a program that knows how to speak a language that transfers a particular kind of data—Web data. Your computer is deaf to the Web unless it knows how to request and receive data via HTTP. Notice what client means here. It doesn’t refer to you, or even to your computer. Instead, it just means a program that your computer runs. The Server Piece: A Web Server

Next, let’s consider what’s sitting on my side of the conversation. I’ll need a computer running a special piece of software that is designed to listen for your computer (or anyone else’s, for that matter) requesting to see my Web pages via the HTTP protocol, and that can respond to those requests by transferring those pages to the requesting client software. You might call such a piece of software an “HTTP server” program, although almost no one calls it by that name. You’d more commonly call it “Web server” software. There is a variety of Web server software that I might run on my Windows Server 2003 computer, but I’m most likely to run the one that comes free with Server 2003, a program called Internet Information Services (IIS) 6. Alternatively, I might find, download (probably using HTTP!), and install a popular piece of free Web server software called Apache. Once again, notice carefully what “server” means here. It does not really refer to the particular computer hardware that I’ve got stashed in my network room connected to the Internet. Instead, “server” means “the program running on Mark’s computer that listens for HTTP requests and knows how to fulfill them.” Now that I’ve gone through all of that, consider again the question that I asked at the beginning of the chapter—why are you bothering with a network? The answer is probably “because you want to offer a Web site, either internally or on the public Internet, and you that think that IIS is the best (highest-performance, cheapest, or some combination of the two) Web server software around”— which means that you must use Server 2003, as it’s the only operating system that supports IIS 6. (Or you could use an earlier version of Server and an earlier version of IIS, but why not go with the latest and greatest?) Other Types of Servers

I’ll tend to use the Web client-server example for this discussion. But I don’t want to lose sight of the fact that there are quite a few client-server systems, besides Web servers, that are in common use and that you may want to use 2003 to create. Returning to the theme of this chapter, then— “Why do I care or why do I need this stuff?”—networks offer several valuable services, and you may want to set up a computer to act as a server and offer some of those services. Here are a few besides the Web server example. File Servers File servers act as central places to store data files. Why put them on a server rather than just keep them on your local computer? Well, in some cases someone else created the file, and placing a file on a central server is a simple way to make the files available to others. The other good thing about storing files in a central location is that they’re more easily backed up that way. 2003 comes with file server software built in. Print Servers Print servers let you share printers. Not everyone wants to put a printer on their desk, and besides, if you share the printers, you can afford more expensive (and presumably better) models. 2003 comes with print server software built in. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

E-Mail Servers Mail servers are essential if you’re going to do e-mail. Some computer (or computers) must act as the post office, collecting e-mail from the local users and sending it to other mail servers across the Internet and acting as a receiving point for other mail servers to send mail destined for your organization. You can outsource this function by letting your ISP act as your mail server, but running your own mail server gives you more flexibility. (However, it does require a persistent connection to the Internet.) 2003’s new features include a basic e-mail server. Yes, it’s “basic” because Microsoft really wants to sell you Exchange as your mail server. But it’s not a bad server for many people’s needs. Group Scheduling Servers The centralized nature of servers means that they’re a great place to keep track of scarce resources like meeting rooms or your time. 2003 does not come with a scheduling server, as Microsoft wants to sell you Exchange to do that sort of thing. But there are alternatives to Exchange; there are some terrific Web-based scheduling tools that work great on 2003—for one example, take a look at www.mattkruse.com/scripts/calendar/ or other tools, like Lotus Notes. E-Commerce Online Stores If you’ve got something great to sell, then the Web’s one place to do it. There are thousands of online stores on the Web, and a good number of them run on 2003. While 2003 includes a Web server, it doesn’t include the other software that you’d need to create a complete online store. But there are a lot of consulting and programming firms that would be happy to help you create an online store atop 2003!

Networks Need Connection Hardware and Links If I want to offer a server service and ensure that you can enjoy that service, then we’ll both need to be physically attached to the same network—the same series of cables, satellite links, or whatever—or your computer’s requests will never get to my computer in the first place. That probably means that we’re both on that huge network-of-networks called the Internet, but we could just be working for the same company in a single wired building, or a multilocation firm connected by a private intranet. Now, notice that if I’m going to run a Web server, I’ll need to be connected to our common network (Internet or otherwise) persistently: I couldn’t decide to run a Web server out of my house and just dial in to the Internet now and then. Of course, if I’m only serving some private network that we share, then an Internet connection is unnecessary, as we already have connection to a common network. People who worry about the physical connection part of networking concern themselves with getting cables run through walls, calling the phone company to arrange for persistently connected data links of various kinds—links with names like DSL, cable modem, frame relay, leased lines, T1 or T3 lines—and then work with a family of hardware that helps get the bits going off in the right direction—devices with names like switches, hubs, and routers. Does 2003 help you with this part of the job? In some parts, it can. Switches and hubs are very basic, simple devices, and 2003 has nothing to do with them—although clearly 2003 depends on their presence in order to network! Routers are, however, more complex devices. You probably know that the market leader in the router world is a firm named Cisco Systems, but you may not know that a router is really just a small, single-purpose computer. If you wanted to, you could use a computer running Server 2003 to replace a Cisco router. Additionally, if you wanted to allow people outside your network to dial in to your network, you could use a Windows Server 2003 to make that possible. (It’s not the best answer, as you’ll see in Chapter 6, but it is possible.) Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

25

26

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

Clients and Servers Must Speak the Same Protocols But simply being connected to the same wire isn’t enough—we need a common communications language. If I were to pick up a phone and dial some number in Beijing, I’d have a physical connection with whatever poor soul picked the phone on the other end—but that would be the extent of our interaction. In the same way, computer networks need to agree on things like, “What’s the biggest block of data that I can ever send you?” and, “How shall I acknowledge that I actually got that block of data?” or, “Should I bother acknowledging receipt of data at all?” and hundreds of other questions. The answers to all of those questions are contained in the “network language” or, in network techie terms, the network transport protocol. It probably won’t surprise you that more than one network transport protocol exists, and over the years NT has generally supported three of them: ◆ ◆ ◆

NetBEUI (Network Basic Input/Output System Extended User Interface), an old Microsoft/ IBM/Sytek protocol designed to support small networks IPX/SPX (Internet Packet Exchange/Sequenced Packet Exchange), the protocol that Novell NetWare predominantly used for years TCP/IP (Transmission Control Protocol/Internet Protocol), the protocol of the Internet and intranets

Although you have three choices, it’s a good bet that your Microsoft software-based network uses TCP/IP. Why TCP/IP? Well, there have been some really great protocols over the years, but as the Internet uses TCP/IP and as the Internet is so popular, TCP/IP has sort of trumped the other protocols. In fact, it’s impossible to do a fair number of things that 2003 and its predecessors Windows 2000 and, to a lesser extent, Windows NT 4 are capable of without TCP/IP. So I’m going to assume for our discussion and indeed for most of this book that your network will use TCP/IP. Oh, and one more thing—once you’ve decided that TCP/IP is your network protocol of choice, then you’ll need to install several more servers to support TCP/IP’s infrastructure. And here again, when I say “more servers,” I’m not suggesting that you have to buy more PCs, although you might. What I mean is that you’ll have to install software on some computer or group of computers to perform three basic pieces of plumbing or infrastructure jobs: ◆ ◆ ◆

A Domain Naming System (DNS) server keeps track of the names of the computers in your network (an important task, believe it or not). A Dynamic Host Configuration Protocol (DHCP) server configures the specifics of TCP/IP on each computer in your network, both great and small. A Windows Internet Name Server (WINS) does something like what DNS does—keeps track of names—but isn’t really necessary on a “pure” Windows 2003 network—its main job is to support older Microsoft operating systems like Windows 9x, Me, and NT 3.x and 4.

You’ll learn more about the specifics of DNS, DHCP, and WINS in Chapter 7. I should point out that if you’re a one-person shop, then you might not need all of that, as your ISP might be handling it for you—but I’m assuming throughout this book that you are probably a network administrator/manager for a network of at least a few computers, and possibly for a tremendous number of computers.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

Keeping the Bad Guys Away: Security Once you’ve gotten the first four things done, then your job’s finished, in a sense—people can now read and write files on that file server, view pages on that Web server, print to that shared printer, set up meetings with you over your scheduling server, and so on. I mean, hey, networking’s all about sharing, so just open the doors and let ’em in! As you’ve probably realized, there’s a missing piece here: security. While there’s a lot to security, it basically boils down to two things: authentication and permissions. ◆ ◆

First, you want to be able to identify who’s entering your network. That’s authentication. Second, once you know for sure who you’re talking to—once you’ve authenticated—then you must be able to look up somewhere what that person is allowed to do, his permissions. For example, a network logon could figuratively go something like, “Okay, now I know you’re Jack…but I’ve been told to deny Jack access to everything.” Merely being authenticated doesn’t mean that you get access!

Authentication

The first part of security is called authentication, and you usually accomplish it through usernames and passwords, although as time goes on you’ll eventually use the more science-fiction means of authentication: One day, the computer may recognize you by your fingerprint, face, voice, retina blood vessel pattern, or some other item that’s distinctly you. The geek term for those authentication approaches is biometric. For now, however, it’s user accounts and passwords that identify users. I realize that nearly everyone who’s reading this book has undergone an authentication at some point—you’ve logged in to a network some time. It all sounds simple, doesn’t it? And yet user accounts and passwords present special problems. Storing Authentication Information

First, you’ll need some kind of program that lets administrators create user accounts and store them in a file. In their simplest form, user accounts consist of a database of usernames and passwords. That’s no big deal—it’s a very simply structured database, and there are tons of database programs out there—but don’t forget that you need to encrypt that information. Otherwise, there’s the possibility that someone could come along and steal the database file, take it home, and perhaps crack it for your user’s passwords. Just such a thing happened to NT 4. NT stored user information in a file named SAM. If you leave me in the same room as your server, then I can copy that SAM onto a floppy and take it off-site to analyze it. Wasn’t it encrypted? Well, yes, but sometimes encryption isn’t enough—a group of hackers figured out how to crack SAM’s encryption. With just a bit of work, anyone could extract passwords from an NT SAM. (Which is a good reason to keep your servers behind lock and key, so that it’s harder for someone to steal your account files.) Windows 2000- and 2003-based domains (a term I’ll define soon) use a more sophisticated encryption scheme on its user account/password file (which is named NTDS.DIT, not SAM), but unfortunately even that file can be cracked with some determination. Again, let me stress that this is only a danger if you let someone physically sit down at the servers that do logons, a set of servers called domain controllers, so don’t worry that 2003 isn’t secure. Any security person can tell you that you should never give the bad guys physical access to your important servers—lock ’em up! Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

27

28

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

The tool that lets administrators create, modify, or delete user accounts is called Active Directory Users and Computers. Active Directory refers to Windows 2000 and 2003’s system for storing usernames and passwords. It’s called a directory because directory is the current network lingo for “database of user accounts.” Personally, I think it’s kind of confusing—in my mind, directory conjures up visions of drive letters, like C:\DOS—but it’s the current argot, so it’s worth knowing. And, in case you’re wondering, the “Active” part is just Microsoft marketing; don’t look for any deep meaning there. (It’s not like Novell makes a product called Comatose Directory or Lethargic Directory.) Authenticating without Compromising Security

So you’ve got a server somewhere that contains the list of usernames and passwords. Those are only good if someone can use her username and password to be authenticated and get access to things on the network. So you need some way for a user sitting at her workstation computer to be recognized by that server. You’re already familiar with this recognition process: we call it logging on. Suppose I’m sitting at my Windows XP workstation and I want to get to some files on a file server named files-r-us.bigfirm.biz. Before files-r-us will give me access, I’ve got to submit myself for authentication—I’ve got to log on. One of the many programs that comes with every version of NT since version 3.1 is called winlogon.exe, and it’s the program that pops up when you first turn your workstation on, asking you to punch in your username, password, and domain. (Again, I’ll explain what a domain is in a minute.) So imagine that I’m trying to access some data on files-r-us. Files-r-us responds by asking my workstation, “What’s his name and password?” Now I’ve got a problem. You see, what I’d like to do is to just say over the network line, “This is Mark and his password is ‘swordfish.’” Then files-r-us can just look in its directory file of usernames and passwords and see if it has a user named Mark with a password of “swordfish.” If so, then it lets me in. If not, it doesn’t. Simple, eh? Well, there’s one flaw here—the part where my workstation passes “swordfish” over the network. A class of programs called “sniffers” can record and display any data that passes over a network wire. So passing passwords around on an unencrypted Ethernet cable isn’t a great idea. That means you’ve got another challenge: how to prove to a server across the network from you that you’ve got Mark’s password without actually showing that password to the server. Over time, networks have come up with different answers, but Active Directories, whether based on Windows 2000 or 2003, use an old authentication method called Kerberos which some folks at MIT first invented in the mid ’80s. It replaces an older method employed by NT 3.x and 4 called NTLM, which was short for NT LAN Manager, a reference to one of NT’s predecessors. What follows is an extremely simplified version of how Kerberos works. (It’s actually a wildly simplified description, but it’ll help you understand the more complete explanation that you’ll see in the next section.) Let’s return to files-r-us. I try to access its data, so files-r-us needs to first log me in. It does that by saying, “I’ll tell you how to access my data,” and sends me some instructions on how to get to its data. But the data is encrypted—with my password! In other words, anyone could claim to be me, and files-r-us would happily send these vital instructions-for-connection. But only I can decrypt those instructions, so only I can benefit from them. So files-r-us ensured that only someone with my password could gain access, without sending my password over the wire.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

Centralizing and Sharing User Account Information: Domains

But my simple example about trying to access one file server is, well, a bit too simple. Most companies will end up with more than one server, and in fact it’s not unusual to end up with dozens or hundreds of servers. And that leads to the following problem. Recall that I said a page or so back that if you’re going to employ user accounts, then you’ll need a file to store them in. But what if you have more than one server? What if in addition to the server named files-r-us.bigfirm.biz, I’ve also got a mail server named postoffice.bigfirm.biz and a Web server named www.bigfirm.biz? I might want to log in to any one of those three, so they all have to be able to accomplish logons. But now let’s examine what that actually means in terms of keeping track of user accounts. Should each server contain a complete copy of NTDS.DIT, the file containing the names and passwords for users? That might work, but it’d be a pain, for several reasons. First, NTDS.DIT can get pretty big, and I’d end up burning up a lot of disk space copying it to every server in my enterprise. Second, if servers are connected by low-speed WAN links, the process of copying the changes to NTDS.DIT to all of the servers on my network (a process called directory replication) would take up a lot of time and network bandwidth. Third, do I really want to have to create a network “storm” of file copying amongst the servers every time someone just changes his password? And finally, what about the issue of securing the NTDS.DIT file in the first place? If I copy NTDS.DIT to every single server in the enterprise, there are bound to be a few that are out in the open, not physically secured. It’d be easy for an intruder to copy the NTDS.DIT from a poorly secured computer and spirit it off-site, to crack it at leisure. The better idea that we’ve used in networks for years is to put the user directory, the NTDS.DIT, not on every single server, but instead on a relatively small subset of the servers. Those NTDS.DIT-holding servers then serve in the role of logon server, doing the job of authenticating for the other servers. In Microsoft parlance, a logon server is more commonly called a domain controller. So, to return to the example of accessing data on files-r-us, imagine that files-r-us is not a domain controller and doesn’t contain a copy of NTDS.DIT, and that another computer, vault.bigfirm.biz, is a domain controller and contains a copy of NTDS.DIT. In this newer arrangement, I don’t directly log into files-r-us but instead enlist the aid of vault.bigfirm.biz in order to authenticate with files-r-us. In a purely Active Directory network (which can only include Windows 2000, XP, and 2003 systems), vault.bigfirm.biz would help me log in to files-r-us with Kerberos. In order to understand how Kerberos works, you first need to understand that under Kerberos, not only do the users have passwords, the server programs do also. Thus, the file server program running on files-r-us has its own password. So both the user and the server each have passwords—remember that. When I tell my workstation to try to get some data from files-r-us, my workstation sees that it’ll need to get me logged in to files-r-us. It does that by asking the domain controller, vault, to give me something called a “ticket” to the file server service on files-r-us. The domain controller responds by handing my workstation an encrypted piece of data, which is the Kerberos ticket. The ticket can be decrypted with my password, making its contents a mystery to anyone but me (or my workstation, which obviously knows my password). My workstation decrypts the ticket, which contains two things. First, it contains a message saying “your special one-time-only password for accessing the file server at files-r-us is ‘opensesame.’” Second, it contains another encrypted message—but this one’s not encrypted with my password, so I can’t decrypt it! But my workstation knows to send it to the file server, which decrypts it successfully, as the file server has its own passwords. Once the file server receives and decrypts the part of the Kerberos ticket that I sent it, the file server

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

29

30

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

sees that that ticket piece says something like, “The special one-time-only password for communicating with Mark is ‘opensesame.’ And by the way, you should have gotten this message from Mark sometime between 10:45 A.M. and 10:50 A.M. from his IP address, which should be 117.39.82.3.” Once the file server gets its half of the Kerberos ticket, it knows a few things: ◆ ◆ ◆

The user claiming to be Mark who wants access to the file server is indeed Mark. Any messages from that now-authenticated person named Mark should have originated from IP address 117.39.82.3. If Mark and the file server really want to maintain a secure connection, they could even encrypt their communications using this shared—but secret—password, opensesame.

Security Roles and Definitions: Domains, Domain Controllers, and Member Servers

Armed with this information, I can define a few Microsoft networking terms. Domain You just saw an example where one machine (vault) let me log in to another machine (files-r-us). I haven’t mentioned this yet, but before I could get anywhere I needed to log in to the computer at my desk, my workstation—and when I first tried to log in to my workstation, it was once again vault.bigfirm.biz that authenticated me. Clearly, then, my workstation and files-r-us “trust” vault.bigfirm.biz in some fashion. The collection of machines that share the same list of user accounts, the same NTDS.DIT, is a domain. Or, to put it a bit more specifically: several computers hold a copy of NTDS.DIT and are willing to act as “logon servers” (domain controllers) with that NTDS.DIT. The collection of machines that are willing to accept logons from those domain controllers (in Microsoft terms, who “trust” those domain controllers) and the domain controllers themselves are collectively called a domain. So my workstation, vault, and files-r-us are all part of the same domain. Domain Controller A server, such as vault.bigfirm.biz, that contains a copy of the user account/password data, and that therefore can let users log in to servers, is a domain controller. Domain controllers exist to centralize the user account/password information so that you needn’t put the NTDS.DIT on every server. Member Server A machine that is running NT 3.x, 4.0, 2000, or Server 2003 but not acting as a domain controller will not contain a copy of NTDS.DIT and therefore can’t authenticate domain members. Such a machine is called a member server. Permissions and Access Control Lists (ACLs)

Once a server has determined that I am indeed me, does that mean that I’ll get access to the server’s information? Not necessarily. Authentication just identifies me. The next step in security is access control, also known as (depending on what network operating system you are using) rights, permissions, or privileges. Ever since its earliest versions, NT (which includes Windows Server 2003) has had a very flexible system of file and directory permissions. As you’ll see later in this book, you can exert very fine-grained control, such as specifying that Mary can read or write to a given file, that Bill can only read it, and that June cannot access the file at all. Don’t get the idea, however, that permissions

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

refer only to files. There are permissions to do things like create, modify, and destroy user accounts, and even permissions to create domains in the first place. The flexibility of these permissions is one of Microsoft networking’s great strengths. Just about everything in the Microsoft networking world has security on it. Want to read a file? You need the permissions to read it. Want to shut down the program that provides the Web server? You need the permissions to shut it down. Want to create a new user account on your network? You need the permissions to create a new user. These permissions are stored as a list. In the case of the file, the operating system sets aside a little space for every file that it creates, and keeps the permissions in that space. A set of permissions for a file, then, might look like ◆ ◆ ◆ ◆

A user named June can do anything that she wants to the file. Another user, Joe, can only read it. Any user in a group named Cube-dwellers can read or modify the file, but not delete it. The operating system can do anything that it wants to the file.

In Microsoft networking-speak, that list is called an access control list or, inevitably, ACL. Each of the four entries are called access control entries or ACEs. You will learn in this book that lots of things have ACLs, and adjusting those ACLs is how you configure security in your network. Access to Earlier Security Systems

The last challenge that Windows 2000 and 2003’s security designers faced was the so-called “legacy” support—ensuring that they could interact with the security systems built into Windows for Workgroups, Windows 9x, NT 3.x, and 4. I’ve described in very broad strokes how Kerberos works, but Windows and NT didn’t use anything like that and in fact couldn’t do Kerberos logons; Kerberos first appeared in the Microsoft networking world in February 2000, with the introduction of Windows 2000. Microsoft knew that you wouldn’t be very happy if they required you to throw away all of your old Windows 9x and NT systems before you could implement Active Directory, so Windows 2000, XP, and Server 2003 know a variety of logon methods—NTLM 1.2 for Windows 9x and NTLM 2.0 for NT 3.x and 4—in addition to Kerberos. It’s hard to overstate the importance of security. For example, in the past, one of Novell’s main advantages over NT was in the way that it stored user accounts and handled logins—Novell’s security was faster and more flexible. Sure, one could argue that Novell moved data around file servers more quickly, but not so much more quickly that anyone would really modify a buying decision. Basically, people were buying Novell for Novell’s security system, something called NetWare Directory Services (NDS). NDS was essentially a big-time user database, something with a more enterprise feel to it than NT’s older SAM-based system. In short, security is important.

Names: Finding Servers and Resources When PC-based networking first appeared, we didn’t do much Web work—the earliest common LAN functions were file and print services. So from the very beginning (all of 15 years ago) of PC-based networking, we’ve done file and print services; they’re the most basic network services. But now suppose that you’ve got a network with more than one server on it, and you want to find out

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

31

32

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

which server has a printer available for sharing, or you can’t remember which server holds that share called hrdocuments; how do you search for network functions? That’s one of the oldest problems in networking, and not just in Microsoft networking. Microsoft’s most current answer to the “how can I find resource X on the network?” question is to store that information in the Active Directory database. But they’re not there by any means yet and, even if you have an all-Windows 2003 and XP network (which is unlikely), you’ll find that by default the Active Directory isn’t all that much help in finding file and printer shares. I’m sure that’s going to change as new versions of NT appear, but for now, we Microsoft operating systems users are pretty much stuck with an old technology known colloquially as the Network Neighborhood or, in Windows 2000 and later, My Network Places. Here’s where it came from and how it works. How would you set up a system that provided a centralized directory of services on a network, a kind of “yellow pages” that lets a user quickly find a file share or shared printer? Microsoft networking uses a name server system called the computer browser or browse services—it has nothing at all to do with the Web, it’s had that name since before the Web existed—where you, the network administrator, don’t have to do anything; the name servers set themselves up automatically. Sounds good? Well, it is for small networks, but it gets troublesome for larger ones—which is why Microsoft is trying to phase it out. The servers in a Microsoft network that contain information about network services are called browse masters or master browsers. What’s different about the concept of Microsoft browse servers is that no one computer is fixed as the browse master. Instead, when your computer logs in to your network, it finds a browse master by broadcasting a request for one, saying, “Are there any browse masters out there?” The first browse master to hear the workstation (there can be multiple browse masters, as you’ll see) responds to the workstation by saying, “Just direct all your name service requests to me.” When a server starts up, it does the same thing. It broadcasts, “Are there any browse masters out there?” and when it finds one, it says to it, “I am a server with the following shares. Please add me to your list of servers.” The list of servers that a browse master maintains is called the browse list, not surprisingly. Tip This is the really irritating thing about the browse list: it’s broadcast-based. That means that if your network isn’t 100 percent broadcast-friendly, then you’ll sometimes end up with an incomplete list of servers on your network. So if you have a network built in more than one segment (and who doesn’t?), or you use some kinds of Ethernet switches rather than hubs, then you may experience missing servers in the browse list. That’s part of why Microsoft is trying to phase out the browse list. But for now, understand that the browse list is a largely lame and unreliable technology. You’ll see later on, in Chapter 7, that you can install a service called the Windows Internet Name Service (WINS) to reduce the chance that the browser breaks, but trust me—you’ll eventually come to a point where you’ve done everything that you can do, but the browser still doesn’t work. When that happens, don’t feel bad—we’ve all been there. I’ll suggest some ways to make it work better and reduce your dependence on the browser a bit later in this section.

By now, you may be wondering, “How come I’ve never seen one of these browse lists?” You have. If you ever worked with earlier versions of NT or with Windows for Workgroups, then you saw Figure 2.1 when you opened the File Manager and clicked Disk/Connect Network Drive.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

FIGURE 2.1 Sample browse list from Windows for Workgroups or Windows NT version 3.x

From Windows 9x or Windows NT 4, you can see a browse list by opening the Network Neighborhood folder, as in Figure 2.2. FIGURE 2.2 Sample browse list from Windows NT 4 or Windows 9x

From DOS or indeed any command line, you can see a browse list by typing net view or net view \\machinename. You see a screen like the one in Figure 2.3.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

33

34

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

FIGURE 2.3 Sample browse list from a command line

Note What’s with that \\ thing? Microsoft’s network software has, since 1985, used a way of writing the names of servers and of shares on servers called a Universal Naming Convention or UNC. It looks like \\servername\ sharename. So, for example, if I had a server named bigserver that contained a file share called mydata, I’d refer to that share as \\bigserver\mydata—that would be the UNC for that share. You’ll learn more about this in Chapter 11, on file shares, but I wanted to explain the mystifying \\ briefly here. And by the way, you pronounce “\\” as “whackwhack” in the Microsoft world. Now, to my way of thinking, that’d mean that a regular forward slash— / —would be pronounced “backwhack” in Microsoftese, but I’ve never gotten confirmation on that.

Each figure shows you the list of servers available: Aldebaran, Artemis, and Astro, just to list a few. Other servers—Daffy and MWM66—appear only in some of the browse lists because a few minutes passed between taking the screen shots, and a few “test” servers went up or down in those few minutes. In all three cases, the workstations that these screens were taken from got their browse lists from a local browse master. You can drill down further into these browse lists, as well. In Windows 9x/Me, Windows NT 4, 2000, XP, or Server 2003 (in 2000, XP, or Server 2003, open My Network Places), you can double-click any one of those servers and see the list of shares that the servers offer; that too, is information from the browse list. In Windows for Workgroups or Windows NT 3.x, you’d just click a server once, and the list of its shares would appear in the bottom pane of the dialog box. From DOS or any other command line, you’d get the list of servers by typing net view, as you’ve already seen, and then you get the list of shares for any given server by typing net view \\servername, where servername is the name of the server whose shares you want to see. When Browse Lists Get Too Large: Workgroups to the Rescue

As I’ve described them so far, browse lists seem pretty convenient. But in the little test network that I used for the previous screen shots, you saw only a few servers. Hell, everything works fine on small networks. Now let’s talk about your network. Sit down at a corporate network of any size and you see dozens, hundreds, or thousands of servers. Scrolling down through a 500-server browse list would be a bit

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

time-consuming—to say nothing of how much work the browse master would have to do to keep it up-to-date! The problem to solve is, then, managing the size of the browse list. There are two ways to do that: ◆ ◆

Reduce the number of servers in your enterprise. Divide the enterprise-wide browse list into several smaller browse lists called workgroups.

Disable Peer-to-Peer Sharing on Workstations

The first answer is actually a bit off the main topic, but let me digress for a moment and talk about it before returning to the main item: workgroups. When I say, “Reduce the number of servers,” I’m talking about an unfortunate side effect of running Windows for Workgroups, Windows 9x/ME, Windows NT, 2000, or XP workstations—they all have the capability to become peer-to-peer servers. The browse masters don’t distinguish between industrial-strength servers running NT Server and low-octane peer-to-peer servers, so you could end up with a browse list that’s supposed to only list your servers, but actually lists all of your servers and workstations. In general, I think peer-to-peer networking is a bad idea. If a piece of data is important enough to be used by two employees, then it’s a company asset that should be backed up regularly and so should go on a managed file server, not a desktop machine that’s probably backed up once a decade. My recommendation is this: Disable the peer-to-peer sharing option on your Windows for Workgroups, Windows 9x/ME, Windows NT, 2000, and XP workstations. How you do this depends on the operating system of the workstations in question. In NT 3.x and 4, open the Control Panel and then the Services applet; locate the service called Server and stop it, as well as disabling it for future reboots. In Windows 9x, go to Control Panel/Network/File and Print Sharing and make sure both options, to share files and printers, are unchecked. In Windows for Workgroups, make sure the sharing control in Network Setup is set not to enable file or printer sharing. In Windows 2000 and later, right-click My Computer and choose Manage, then find the Services folder and stop the Server service. (You’ll see more about doing this later in the book.) Not only will your network have less traffic—workstations will no longer have delusions of serverdom, so they won’t be chattering at the browse master all of the time—but not loading the server part of the workstation’s operating system saves RAM on the workstation. Divide the Browse List into Workgroups

The other approach to keeping a browse list to a manageable size is to subdivide it in some way. That’s a reasonable thing to suggest if you realize that, no matter how large an organization seems to be, it’s usually composed of lots of smaller groups, such as Manufacturing, Sales, Marketing, Accounting, Finance, Personnel, Senior Management, and so on. Each of those groups can be called workgroups, and you can pretty much chop up your enterprise into workgroups in any way you like (but a rule of thumb says that a workgroup should be a group of people for whom 95 percent of the data generated by that group stays within that group). From a more network-technical point of view, the minimum definition of a workgroup is just a group of workstations that share a browse list. (That’s my definition, not Microsoft’s.) The idea is that when someone in Accounting opens up her browse list, you want her to see just the Accounting servers, not the Manufacturing servers, as she has no use for the Manufacturing servers. (Besides,

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

35

36

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

there’s a good chance that she doesn’t have permission to access the Manufacturing servers anyway— but I’ll get to workgroups and security in a little bit.) How do you join a workgroup? See the sidebar “How Do I Join a Workgroup?” How Do I Join a Workgroup? Generally, all you need to do is to tell the networking software on your workstations and servers that they’re members of a given workgroup. There isn’t any “security” in being part of a workgroup—you pretty much just declare yourself a member and you are a member. (As a matter of fact, if you misspell the name of the workgroup, you end up accidentally founding a whole new workgroup all by yourself, which I’m sure was not your intention!) Specifically, you designate which workgroup you’re a member of in one of the following ways: From a DOS or Windows for Workgroups workstation In the [network] section of the SYSTEM.INI file you’ll find a WORKGROUP=parameter. (You’ll have a SYSTEM.INI even if you’re just running DOS, because the network client software creates one.) You can also set the workgroup from the MS-DOS Network Client Setup program, or in the Windows for Workgroups’ Network applet of the Control Panel. From Windows 9x Open the Control Panel and double-click the Network icon. In the property sheet that you see, click the Identification tab. You see the place to fill in the workgroup name. On Windows NT 3.x Open the Control Panel and double-click the Network applet. You’ll see a button labeled Domain or Workgroup. (NT has a kind of confusing way of blurring workgroups and domains, which I’ll make clearer later in this chapter.) Click that button, and you can change the workgroup you’re a member of. Again, NT complicates choosing a workgroup somewhat, so read the rest of this chapter if you want to change an NT workgroup. On Windows NT 4 Open the Control Panel and double-click the Network applet. Like Windows 9x, Windows NT 4 has a property sheet with an Identification tab. Click Change to change the workgroup. Again, with NT you may see no references to workgroups at all; instead you see references to domains. Read on to understand the differences. On Windows 2000 If you’re a member of a domain, then do not join a workgroup—I’ll explain that in a minute. Otherwise, right-click My Computer and choose Properties. Click the Network Identification tab and then the button labeled Properties. Fill in a new workgroup in the field named Workgroup; then close the dialog box and reboot. On Windows XP and Server 2003 Right-click My Computer and choose Properties. (You may have to click the Start button to find My Computer.) Click the tab labeled Computer Name, then the button labeled Change. In the resulting dialog box, you’ll see the choice to become a “Member of:” either a domain or a workgroup. Click the radio button next to Workgroup and fill in the workgroup name, then close the dialog box and reboot.

Note Workgroup names are like Windows 9x and NT 3.x/4.x machine names and can be up to 15 characters long.

So, to review what you’ve seen so far: ◆

Network browse lists allow a user at a workstation to see all of the servers on the network, and from there to see all of the shares on a given server.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHAT’S THE POINT OF NETWORKS AND NETWORKING?

◆ ◆ ◆ ◆

Browse lists can get fairly long, so you can partition your entire network into workgroups, which are just groups of people that share a browse list. When you request a browse list, you don’t get the entire list of servers in your enterprise network, you only get the list of servers within your workgroup. Each workgroup has one or more servers that act as gatherers of browse information. They’re called browse masters or master browsers, and they’re picked automatically. Machines that are only workstations and don’t act as servers even in a peer-to-peer capacity do not appear on browse lists.

As the question of what machines go on a browse list and what machines don’t is important to the length of a browse list, let me list the kinds of machines that can act as servers in a Microsoft enterprise network: ◆ ◆ ◆ ◆ ◆ ◆ ◆ ◆

Windows 3.x (with the Workgroup Add-On for MS-DOS clients) DOS (with Workgroup Add-On for MS-DOS clients) Windows for Workgroups Windows 9x/Me NT Workstation NT Server Windows 2000 Professional Windows Server 2003

How Do I View a Browse List? Microsoft has built different browse programs into its various network client software. From a DOS or NT/2000/XP/2003 Command Line Type net view. That shows you the list of servers. You can view the shares on a given server by typing net view \\servername. To see the browse list for a workgroup other than your own, type net view /workgroup:workgroupname. From NT, 2000, XP or Server 2003, don’t use /workgroup: in the command; instead, use /domain:. From Windows for Workgroups or Windows NT 3.x Open the File Manager, click Drive, and then click Connect Network Drive. You’ll see a window with two panes. The browse list for your workgroup and a list of the other workgroups on the network appears as the list of possible servers in the top pane and, when you click a server, that server’s shares appear in the bottom pane. To see the browse list for a workgroup other than your own, double-click the name of the workgroup in the top pane. From Windows 9x or Windows NT 4 Open the Network Neighborhood folder. You’ll see the servers in your workgroup represented as PC icons in a folder. Double-click one of the servers, and a folder will open up showing you the shares. To see the browse list for a workgroup other than your own, double-click the Entire Network icon and you’ll see a list of workgroups. On Windows NT 4, click Entire Network and then Microsoft Network, and you’ll get a list of the other workgroups. Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

37

38

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

How Do I View a Browse List? (continued) From Windows 2000 If your system is in a workgroup, open My Network Places and then the icon labeled Computers Near Me. If your system is part of a domain, then that icon isn’t available. Instead, open My Network Places and the icon labeled Entire Network, then the icon named Microsoft Windows Network. You’ll see one or more icons representing the workgroups on your network—open the one representing your workgroup and you’ll see your workgroup’s browse list. From Windows XP or Server 2003 Open My Network Places. It might be on your desktop, or it might be on the Start menu, or you might have to right-click the Desktop and choose Properties, then click the Desktop tab, followed by the Customize Desktop button, then check the box next to My Network Places and click OK twice. My Network Places will be on your desktop. Once you have My Network Places open, then you’ll either see a Network Task on the left of the folder labeled View Workgroup Computers or you might have an icon labeled Entire Network, in which case you should double-click that, then double-click Microsoft Windows Network. You’ll then see an icon of three PCs representing your workgroup—click that and you’ll get your workgroup’s browse list.

As it’s an unusual product, let me just explain that the Workgroup Add-On for MS-DOS is a separate Microsoft product that lets you use a DOS machine as a peer-to-peer server. (Also, it’s pretty old, so I have no idea where you’d get a copy these days.) Again, I recommend that you disable file and print sharing on all of these machines except, of course, for the machines dedicated to the task of being servers, all of which are probably running NT Server. And once you’re in a workgroup, you’ll no doubt want to see your browse list; the sidebar “How Do I View a Browse List?” tells you the specifics. Now, if you tried that on a working network, then you might have gotten one of NT and family’s less helpful responses, like “System error 1230 has occurred.” That gives me the chance to offer another important bit of advice for anyone using a modern Microsoft operating system: how to convert a numeric error code into a bit of explanatory English text—see the sidebar for more information. How to Convert a Numeric Error Code to English Text Just type net helpmsg number, where number is the error code. For example, you’ll probably stumble across error 5 now and then: “access is denied.” It means that you didn’t have the right to do something that you tried to do. Another common one is error 53, “the network path was not found.” It means that you tried to access some server that the system can’t find or, as is usually the case for me, you misspelled the server’s name.

Before leaving the topic of the browser, let me offer one more piece of advice: try to avoid it, as it’s unreliable. If your users need access to particular file shares, then you can deliver access to those shares in a few ways. First, you can map file shares, which means that you can create imaginary drive letters on your user’s workstations. In other words, if the user often uses \\server1\compdata, then you could set up her workstation so that she’d see a new drive V: which isn’t a local hard disk— although it looks like a local hard disk—but is instead a network drive. Or you could simply create a shortcut to the UNC on her desktop. You’ll learn how to do both of those things in Chapter 11.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

SO WHY USE NT/2000/SERVER 2003?

Summary: The Necessary Evils I hope in this section that I’ve provided a bit of an answer to the question, “Why do we have to worry about all of this stuff just to get a mail server up and running?” ◆ ◆ ◆

◆

◆

First, you need a piece of server software that can accomplish whatever it is that you’re trying to do—Web server, mail server, or whatever. Next, you need to be compatible with and connected to a physical network that connects to your clients—either the public Internet or a private network of some kind. Then your server must move its data around in the same way that your clients’ machines do, using the same network language or protocol, probably TCP/IP. TCP/IP itself will require some server functions as well, to maintain it. It wouldn’t be necessary in a perfect world, but in our imperfect world your network needs to protect its data with a security system, and in today’s world that unfortunately means an elaborate security system. Finally, you’ll need some way of finding what you put in that network, once you’ve got it working. Active Directory will become that way in the future, but for now it’s a kludgy thing called the Computer Browser that you see in My Network Places.

So presumably you now see why your network needs so many moving parts. Why buy them from Microsoft?

So Why Use NT/2000/Server 2003? I hope that by now I’ve convinced you that networking seems like a good thing. But you could build your network atop any number of operating systems, including Unix, Linux, Novell NetWare, IBM’s OS/400 or MVS, or Compaq’s VMS, just to name a few. Why NT or its most recent incarnation, Windows Server 2003? Well, understand when I answer that question that (1) I’m not from Microsoft, (2) I’m not here to sell NT/2000/2003 to you, I’m just here to tell you how to make it work, and (3) the reality of the matter is that every one of the OSes that I just named are good products that have not only their adherents and detractors, but that also have many solid positive features. After decades of business computer use, the market has filtered out both the truly terrible products and some perfectly good but inadequately marketed products, leaving only products that are at least competent (and always well-marketed). So if you want to read that Server 2003 is not only your best choice, but also that you’re a total fool to try to use anything else, then I’m afraid you’ve come to the wrong place. Yes, I like NT, including its latest incarnation (Server 2003), but it’s not the only answer. But it is a very good answer. Here’s why.

It’s the Market Leader Most stats that I see say that the Microsoft family of operating systems has the largest market share— 43 percent of servers according to the last set of numbers that I saw. Being part of the biggest market share means that it’s easier to find consultants, support, and third-party tools. Oh, and it also means that there’s plenty of demand for your services once you become an expert!

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

39

40

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

Its Familiar GUI Makes It Easier to Get Started The fact that Windows Server 2003 uses a GUI that is basically the same as Wintendo—oops, I meant Windows 9x/Me—means that hundreds of millions of people already know how to navigate the 2003 Desktop. Yes, some things have been moved around, but in general once you know Windows, you know how to get around on 2003. In contrast, I have recently done a lot of work with Linux and, while it’s a quite powerful operating system, the user interface is not for novices; even its multitude of GUIs are still clumsy, although that’ll probably change with time. (That’s not to say that you shouldn’t use Linux—just that I think the Microsoft OSes have an easier-to-use GUI.) With 2003, you can often figure out how to solve a problem by noodling around in the GUI—it lends itself more to exploration than would an operating system that relies mainly upon command-line commands to control it.

Many Tools Come “in the Box” When NT 3.1 first came out, it was pretty amazing that it came with a dial-in module and a host of other goodies that you had to buy separately in order to run its competition at the time, Novell NetWare. NT had a free TCP/IP stack when many other OSes were charging big bucks for it, a free Web server, and so on. Since then, other server operating systems have continued to include more and more things with the basic operating system—for example, the variety of tools that comes with Linux is nothing short of stunning—but Microsoft has kept the heat on the competition by including a variety of new tools with every release. At this point, the basic version of Server 2003 includes (in addition to its basic functionality of a file and print server) a Web server, an FTP server, a sophisticated Internet router, automated workstation rollout tools (Remote Installation Services), centralized software distribution tools (Group Policies), a two-level disk storage system (Remote Storage Manager), encryption (Encrypted File System), an e-mail server, a SQL-based database server and lots of other tools. Not all of the tools are stellar; for example, the disk quota system, which allows you to keep any given user from stealing all of the disk space on the shared file servers, is pretty lame. But because Server 2003 provides at least a basic quota functionality, the many shops that are trying to minimize the number of vendors they deal with can get an awful lot of their networking needs met in just one package: Server 2003. When you view Microsoft products, bear in mind that you usually won’t encounter really cuttingedge tools; in my judgment, that’s not Microsoft’s market niche. Instead, they seem to focus on incrementally improving existing products, as well as adding new tools by imitating competitors. Not being the first on the block can sometimes be a pretty good thing, as you get to watch the competition’s mistakes. Very little in Windows Server 2003 is truly never-seen-before-in-the-world new. Instead, it’s a distillation of a lot of other people’s good ideas. Yes, some may see that as stealing other people’s good ideas, and there’s some merit to that view. And Microsoft has what some might call an unfair advantage in that they’ve got enough money to keep trying and trying and trying; for example, their first two networking products, MS-NET and LAN Manager, were pretty weak compared to the competition’s, but they had the money and tenacity to keep slugging away it, finally releasing the far-better NT product. Another example of this strategy occurred in 2001, with Microsoft’s release of the Pocket PC 2002 operating system. They’re trying to crush the PalmOS guys in the palmtop market, and they’ve made two weak attempts with Windows CE 1.0 and 2.0, but

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

A BRIEF HISTORY OF NT

they’re learning. I don’t know if Pocket PC will beat PalmOS—as a long-time Palm user, I tend to think not—but they’ll definitely steal more of PalmOS’s market share with Pocket PC than they ever did with Windows CE. And while Microsoft’s detractors like to paint Microsoft as nothing but a bunch of rip-off artists, it’s actually hard to find who originated these ideas. Some say that Microsoft stole Novell and Apple’s best ideas; well, Novell certainly didn’t invent networking, and their IPX/SPX protocol is blatant “theft” of a Xerox protocol. Apple didn’t invent the GUI that Microsoft supposedly stole—Xerox did. (Hmmm, maybe there’s a pattern here.) Nor is Active Directory a rip-off of an original Novell product, Netware Directory Services—NDS is based on a directory standard called X.500 and terms that many people think that Novell invented, like “organizational unit,” are X.500 terms. In any case, it is something of a comfort for people to be able to buy a single product that is a decent fit for just about all of their networking needs, instead of looking for the best of breed in each area. Why? Anyone who’s ever tried to troubleshoot a multivendor network problem knows why: Both vendors just point the finger at the other vendor and say, “That’s him—he’s the guy causing your problem.” (They’re hoping you’ll get tired and go away. Most of us do, sadly.) In contrast, the same people are developing all of 2003’s pieces; so you have to believe that at some point someone would have noticed if they didn’t fit together. Or that if someone didn’t notice it before they shipped, they’ll get around to fixing it afterward. In sum, why use 2003? It’s fairly reliable, it does most of what you want a network operating system to do, it’s reasonably priced, and enough other people use it that you’re probably not going to go terribly wrong.

A Brief History of NT Let’s finish this chapter with a look at how NT has grown and changed since its early days. Even in the early 1980s, Bill Gates knew that networking was a key to owning the computer business. So, on April 15, 1985, Microsoft released its first networking product, a tool called MS-NET, and its companion operating system, DOS 3.10. Most people knew about the new DOS and were puzzled at its apparent lack of new features. What it contained, however, were architectural changes to DOS that made it a bit friendlier to the idea of networks. Now, Microsoft wasn’t big enough at that time to create much hoopla about a new network operating system, so they let others sell it—no matter how high or low you looked, you couldn’t buy a product called MS-NET. Instead, it sold mainly as an IBM product under the name of the IBM PC Network Support Program; IBM viewed it as little more than some software to go along with their PC Network LAN boards and, later, their Token Ring cards. The server software was DOS-based, offered minimal security, and, to be honest, performed terribly. (Believe me, I know; I used to install them for people.) But the software had two main effects on the market. First, the fact that IBM sold a LAN product legitimized the whole industry. IBM made it possible for others to make a living selling network products. And that led to the second effect: the growth of Novell. Once IBM legitimized the idea of a LAN, most companies responded by going out and getting the LAN operating system that offered the best bang for the buck. That was an easy decision: NetWare. In the early days of networking, Novell established itself as the performance leader. You could effectively serve about twice as many workstations with Novell NetWare as you could with any of the MS-NET products. So Novell prospered.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

41

42

CHAPTER 2

THE BASICS: NETWORKING SOFTWARE, SERVERS, AND SECURITY

As time went on, however, Microsoft got better at building network products. 3Com, wanting to offer a product that was compatible with the IBM PC Network software, licensed MS-NET and resold it as their 3+ software. 3Com knew quite a bit about networking, however, and recognized the limitations of MS-NET. So 3Com reworked MS-NET to improve its performance, a fact that didn’t escape Microsoft’s attention. From 1985 to 1988, Microsoft worked on their second generation of networking software. The software was based on their OS/2 version 1 operating system. (Remember, Microsoft was the main driving force behind OS/2 from 1985 through early 1990. Steve Ballmer, Microsoft’s number two guy, promised publicly in 1988 that Microsoft would “go the distance with OS/2.” Hey, the world changes and you’ve got to change with it, right?) Seeing the good work that 3Com did with MS-NET, Microsoft worked as a partner with 3Com to build the next generation of LAN software. Called Microsoft LAN Manager, this network server software was built atop the more powerful OS/2 operating system. As with the earlier MS-NET, Microsoft’s intention was never to directly market LAN Manager. Instead, they envisioned IBM, 3Com, Compaq, and others selling it. IBM did indeed sell LAN Manager (they still do in the guise of OS/2 LAN Server). 3Com sold LAN Manager for years as 3+Open but found little profit in it and got out of the software business. In late 1990, Compaq announced that they would not sell LAN Manager because it was too complex a product for their dealers to explain, sell, and support. Microsoft decided then that if LAN Manager was to be sold, they’d have to do the selling, so on the very same day as the Compaq withdrawal, they announced that they would begin selling LAN Manager directly. Note Interesting side note: Ten years after Compaq decided that their sales force couldn’t sell network software, they reversed direction and said that they’d sell a special version of Windows 2000 called Datacenter Server. It’s special because you cannot buy it from Microsoft—you must buy it preinstalled on specially certified vendor hardware. In other words, the hardware vendors (Compaq’s not the only one selling Datacenter) now believe that they can sell complex network operating systems. I wish them the best of luck, but stay tuned to see the outcome of this particular marketing maneuver!

LAN Manager in its first incarnation still wasn’t half the product that Novell NetWare was, but it was getting there. LAN Manager 2 greatly closed the gap, and in fact, on some benchmarks LAN Manager outpaced Novell NetWare. Additionally, LAN Manager included administrative and security features that brought it even closer to Novell NetWare in the minds of many network managers. Slowly, LAN Manager gained about a 20 percent share of the network market. When Microsoft designed LAN Manager, however, they designed it for the 286 chip (more accurately, I should say again that LAN Manager was built atop OS/2 1.x, and OS/2 1.x was built for the 286 chip). LAN Manager’s 286 foundation hampered its performance and sales. In contrast, Novell designed their premier products (NetWare 3 and 4) to use the full capabilities of the 386 and later processors. Microsoft’s breakup with IBM delayed the release of a 386-based product and, in a sense, Microsoft never released the 386-based product. Instead of continuing to climb the ladder of Intel processor capabilities, Microsoft decided to build a processor-independent operating system that would sit in roughly the same market position as Unix. It could then be implemented for the 386 and later chips, and it also could run well on other processors, such as the PowerPC, Alpha, and MIPS chips. Microsoft called this new operating system NT, for new technology. Not only would NT serve as a workstation operating system, it would also

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

A BRIEF HISTORY OF NT

arrive in a network server version to be called LAN Manager NT. No products ever shipped with that name, but the wallpaper that NT Server displays when no one is logged in is called LANMANNT.BMP to this day. In August 1993, Microsoft released LAN Manager NT with the name NT Advanced Server. In a shameless marketing move, they labeled it version 3.1 in order to match the version numbers of the Windows desktop products. This first version of NT Advanced Server performed quite well. However, it was memory-hungry, lacked Novell connectivity, and had only the most basic TCP/IP connectivity. September 1994 brought a new version and a new name: Microsoft Windows NT Server version 3.5. Version 3.5 was mainly a “polish” of 3.1; it was less memory-hungry, it included Novell and TCP/IP connectivity right in the box, and it included Windows for Workgroups versions of the administrative tools so network administrators could work from a Workgroup machine rather than an NT machine. Where many vendors would spend 13 months adding silly bells and whistles, NT 3.5 showed that the Microsoft folks had spent most of their time fine-tuning the operating system, trimming its memory requirements, and speeding it up. In October 1995 came NT version 3.51, which mainly brought support for PCMCIA cards (a real boon for us traveling instructor types), file compression, and a raft of bug fixes. NT version 4, 1996’s edition of NT, got a newer Windows 95–like face and a bunch of new features, but no really radical networking changes. Under the hood, NT 4 wasn’t much different from NT 3.51. From mid 1996 to early 2000, no new versions of NT appeared, an “upgrade drought” such as we’d not seen in quite some time from Microsoft. Then, in February 2000, Windows 2000 (“NT 5.0”) shipped. 2000 included a whole lot of new stuff, but perhaps the most significant was a new way of storing and organizing user accounts and related information: Active Directory domains. Closely following AD in importance was the then-new notion of group policies, something that you’ll see has become quite important to anyone wanting to run a network based on XP and Server 2003. The next version of NT shipped in pieces for the first time since 1993. First NT Workstation 5.1 or, as it’s better known, XP Professional and its lesser sibling, XP Home. Microsoft intended to follow up with the server version of NT 5.1, but events conspired to compel them to wait a bit longer, and produce NT Server 5.2—that is, Windows Server 2003. As you read in the last chapter, it’s a “1.1” version of Windows 2000, a welcome improvement to 2000’s fit and finish. That’s not the end of the story for NT. Sometime in 2004 or 2005, we will see a re-unified NT (5.3? 6.0? Time will tell) code-named Longhorn. That in turn will pave the way for yet another version of NT, code-named Blackcomb, but let’s wait for another edition or two of this book to cover that product. Well, I hope this chapter wasn’t boring for those already expert in NT—I did warn you!—and helped bring the newbies up to speed. No matter what version of NT you’re running, however, you’ll need to configure it. And there are, as there always have been, two main ways to do it. The preferred way is through the GUI with windowed programs that offer help and a bit of error-checking, or its somewhat more complex relatives, the command-line tools. The less-preferred, but often necessary, way is to directly tweak some setting in its lair … a place called the Registry. The next two chapters introduce these two configuration approaches.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

43

Chapter 3

Configuring Windows Server: The Microsoft Management Console In Windows 2000 we saw a significant departure from the NT 4 user interface. Windows Server, however, simply builds on the Windows 2000 interface, with a few enhancements here and there. If you’ve been working with Windows 2000 for a while now, Server 2003 looks a little different from 2000 at first glance, but don’t let the empty Desktop and the new Start menu fool you. Most of your tools are where they were in Windows 2000, and the Microsoft Management Console (MMC) still reigns supreme, with a full array of administrative tools and build-your-own administrator tool capabilities. After a brief detour to make your Desktop more administrator-friendly, we’ll take a look at the MMC framework and the prepackaged admin tools. Then you’ll learn how to customize a MMC console to fit your needs.

Fixing the Server 2003 GUI Although the Windows Server GUI isn’t all that different from Windows 2000, there are a few annoyances (I mean inconveniences) for those of us who are used to the Windows 2000 UI. For one thing, the Desktop is now empty of My Computer and My Network Places and the ever-present Internet Explorer. Only the Recycle Bin remains. If it weren’t for the Start menu and Taskbar, you could be sitting at a Mac. Also, the Start menu has been redesigned, which isn’t a bad thing, except for a couple of nuisances. For one, the Run link has been moved from its former home right above the Shut Down and Log Off options to the adjacent column. If, like me, you are accustomed to rapidly launching programs from Start/Run by entering the program file name (for example, Start/ Run/CMD or Start/Run/COMPMGMT.MSC), this change can be a little disorienting. Another little nerve plucker is the new Start menu’s way of putting links to your most recently used programs right above the place where the Run link used to be. Even worse, the list keeps changing as you work. Overall, the changes to the UI are for the better. Several NT 4 applets that were missing from Control Panel in Windows 2000 have reappeared, though sometimes with different names. The Start menu has been redesigned to make it easy to access your most commonly used programs. The empty Desktop acknowledges that users want to customize their Desktops to fit their own requirements and work style. However, this user wants My Computer and My Network Places and Internet Explorer

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

46

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

on the Desktop so I can right-click and get to my destination with as little navigation as possible. This user has decided to stick with the new Start menu, but many admins would rather have the classic Start menu back, at least in the beginning. So the first thing you may want to do is restore those icons to your Desktop and change back to the classic Start menu.

Restoring your Desktop Icons and Start Menu To restore the My Computer and My Network Places icons to your Desktop, right-click the Desktop and choose Properties, or click the Start menu, slide over to the Control Panel, and click Display when Control Panel expands. Go to the Desktop tab (take a moment to check out the lovely new background pictures), and click Customize Desktop at the bottom left (see Figure 3.1). FIGURE 3.1 The Desktop tab in the Display applet

To show My Computer and My Network Places on your Desktop, check the boxes next to those items in the Desktop Items window (shown in Figure 3.2) and click OK. You can also choose to display My Documents and Internet Explorer on your Desktop. To change the Start menu back to the Windows 2000 style, right-click the Start menu and choose Properties. Alternately, you can right-click the Taskbar and choose Properties, then go to the Start Menu tab. Choose the radio button for the Classic Start Menu (see Figure 3.3) and click OK. Note If you configure your Display applet to show My Computer on the Desktop, you can still right-click it and choose Manage, which launches the Computer Management Tool, or choose Properties to access System Properties. Likewise, after putting it back on the Desktop, right-click My Network Places and choose Properties to launch the Network Connections applet.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

FIXING THE SERVER 2003 GUI

FIGURE 3.2 Customize your Desktop items.

FIGURE 3.3 The Start Menu Properties tab

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

47

48

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

Finally, if you like the new Start menu in general, but don’t like every little thing about it, you may be able fix it to suit you. Just click the corresponding Customize button in the Taskbar and Start Menu Properties applet to see your options. For instance, many items on the new Start menu can be configured to act either as menus (they expand when you hover your mouse over them) or links (they open in a new window when you click them) or to not display at all.

Setting Administrator-Friendly Folder Options For administrators, the default folder options for Explorer can also be annoying. The context-sensitive task links that appear on the left side of every window may be helpful to newbies, but they are just a waste of space to me. Additionally, whenever I want to go do some maintenance in the Program Files or System directories, I’ve got to click past patronizing user-proofing screens that essentially say, “Hey, look, buddy, you’re probably too stupid to mess with these files, are you sure you want to see this directory?” I need to see the hidden and system files, and in general, Details view is best for maintenance operations. Additionally, I’ve never found the address bar or standard buttons of much value in administrative tasks; they just rob me of screen space. The first thing that I must do, then, when faced with a new system is to get Explorer into “administrator-friendly” mode. To save you time, here are the steps: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13.

Open My Computer. From its menu bar, choose Tools/Folder Options. In the General tab, under Tasks, choose Use Windows Classic Folders. Click the View tab. Check the box labeled Display the Full Path in the Title Bar. Click the radio button labeled Show Hidden Files and Folders. Uncheck the box labeled Hide File Extensions for Known File Types. Uncheck the box labeled Hide Protected Operating System Files (Recommended) and click Yes when it asks you to confirm your choice. Click OK. Back in the main My Computer folder, click View/Details. Right-click any blank space to the right of the menu bar and uncheck Standard Buttons. Right-click any blank space to the right of the menu bar and uncheck Address Bar. Click the close icon on the My Computer window—the icon in the upper right corner that looks like an X.

Now reopen My Computer and apply those settings to all folders: 1. Click Tools/Folder Options. 2. Click the View tab. 3. Click the button toward the top of the page labeled Apply to All Folders. 4. Click Yes to confirm the message.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

A MICROSOFT MANAGEMENT CONSOLE PRIMER

5. Click OK to close Folder Options. 6. Close My Computer.

Without all those empty calories, Explorer is now a lean, mean administrator’s machine. To make it even leaner, you can navigate to individual folders and select Choose Details from the View menu to add or remove the details you want to see for that folder. For example, you might want to see the file system types for each logical drive in My Computer, or you might not want to see the lengthy service descriptions in the Control Panel.

A Microsoft Management Console Primer To master Windows Server administration, you must master the Microsoft Management Console. In this section, I’ll discuss the key MMC terms you should know, briefly look at the Computer Management console to illustrate these terms, and, finally, introduce you to creating your own MMC-based administrative tools.

What Is This MMC Thing? Before Windows 2000 came onto the scene, NT administrators had to master multiple administration tools plus independent third-party tools. With all the different menus, buttons, toolbars, wizards, tabs, HTML, Java (you get the picture), mastering a new tool’s concepts took second place to learning how to navigate the software. NT Administrative software also lacked granularity. There was no simplified version of User Manager for Domains for Account Operators to use, and no way to hide sensitive menu items for those without full administrator rights. Administrative folks would typically install the full set of NT administrator tools on their workstations, whether they needed them all or not; if administrators failed to guard access to their desktops, or if regular users were permitted to log on to these administrative workstations, then anyone with the ability and knowledge could gain access to the entire range of management tools—not smart. The Microsoft Management Console (MMC) was designed to overcome these limitations and accommodate the requirements of today’s increasingly complex networks. MMC is a framework for management applications, offering a unified administrative interface for Microsoft and third-party management tools. MMC doesn’t replace management applications; it integrates them into one single interface. There are no inherent management functions in MMC at all. It uses component tools called snap-ins, which do all the work. MMC provides a user interface; it doesn’t change how the snap-ins function. MMC Key Benefits

MMC offers the following benefits: ◆ ◆ ◆

You only have to learn one interface to drive a whole mess of tools. Third-party (ISV) tools are now using MMC snap-ins. IBM, HP, Seagate, and Symantec are all using the MMC framework to build admin tools for their products. You can build your own consoles, which is practical and fun. Admins can even create shortcuts on the console to non-MMC tools like executables, URLs, wizards, and scripts.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

49

50

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

◆ ◆

By customizing MMC consoles, admins can delegate tasks to underlings without giving them access to all functions and without confusing them with a big scary tool. Help in MMC is context sensitive; it displays help subjects for only the appropriate components.

What’s New with MMC?

If you’ve been using MMC-based tools for a while now, you’ll notice a few minor changes in the new version (MMC 2 version 5.2). Many of these are enhancements to the Active Directory management tools: ◆ ◆

◆ ◆

◆

In all of the console tools, the Console menu is now renamed the File menu, which makes good sense and is consistent with other Microsoft tools. MMC snap-ins now have “drag-and-drop” capabilities. You’ll notice this most in the Active Directory tools if you need to move user, group or system accounts from one organizational unit to another. You can now select multiple objects and perform the same operation on them or edit the properties for them all. This enhancement is long overdue, in my opinion. In the Active Directory Users and Computers snap-in, the ability to save and re-use queries simplifies documentation and reporting as well as preparations for complex operations like upgrades or restructuring the Active Directory. In addition to editing multiple objects, you can now reset access control list (ACL) permissions to the default, show the effective permissions for an object, and show the parent of an inherited permission.

What Can’t You Do with MMC (non-MMC Tools)?

When I said that MMC offers a unified interface for administration, I didn’t mean that all administrative tools in Server 2003 are MMC-based. Many system-level functions are accessed using wizards, hypertext applications like Manage Your Server, or plain old executables. In general, you will use a wizard or hypertext app to add or remove new software and services or to set system-level options locally. Then, once a new service (DNS, Remote Access, DHCP, Active Directory) is installed, you can use an MMC tool to remotely configure it and monitor its activity. Let’s also not forget all the new command-line tools that Microsoft has written for Server 2003. On the other hand, because MMC tools can be created and customized, you can integrate non-MMC apps into the MMC interface by creating links to them in your custom tools. In “Building Your Own MMC Tools,” you’ll do just that.

MMC Terms to Know This section defines important terms you’ll need to know when working with MMC. A console, in MMC-speak, is made up of one or more administrative tools in an MMC framework. The admin tools that are included with Server 2003, like Active Directory Users and Computers, are console files. You can configure your own console files without any programming tools—you needn’t be a C or Visual Basic programmer, as I’ll discuss a bit later. The saved console file is a Microsoft saved console (MSC) file and it carries the .MSC extension.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

A MICROSOFT MANAGEMENT CONSOLE PRIMER

It’s important to distinguish between the Microsoft Management Console and console tools. The terms console and tool are sometimes used interchangeably when discussing MMC. Strictly speaking though, a console is not a tool, and as I pointed out in the previous section, not all tools are consoles. MMC.EXE is a program that presents administrators (and others creating console tools) with a blank console to work with. When you create a Microsoft Word document, you first load the program (WINWORD.EXE), then create or modify documents within that context. Similarly, you create MMC tools by first loading a blank console (MMC.EXE) and then creating a customized “document” based on the available options and add-ins. In this way, MMC provides a framework for your tool, and the new console you create is the finished product. Snap-ins (also called plug-ins) are the administrative tools that can be added to the console. For example, the DHCP admin tool is a snap-in, and so is the Disk Defragmenter. Snap-ins can be created by Microsoft or by other software vendors. (You do need programming skills to make these, in other words.) A snap-in can contain subcomponents called nodes, or containers, or even leaves, in some cases. Although you can load multiple snap-ins in a single console, most of the prepackaged administrative tools contain only a single snap-in (including the Computer Management tool, COMPMGMT.MSC). An extension is basically a snap-in that can’t live by itself on the console but depends on a stand-alone snap-in. It adds some type of functionality to a snap-in. Sometimes the same code is implemented as both a snap-in and an extension. For example, the Event Viewer is a stand-alone snap-in, but it’s also implemented as an extension to the Computer Management snap-in. The key point is that extensions are optional. You can choose not to load them. For example, Local Users and Groups is an extension to the Computer Management snap-in. If you remove the extension from the COMPMGMT.MSC file used by your support folk, or simply don’t include it in a custom console that uses the snap-in, those who use the tool won’t have the option to create or manage users and groups with the tool. They won’t even see it. (Please note that this will not prevent them from creating users and groups by other means, if they have the correct administrative privileges.) To create a new MSC file, customize an existing MSC file or create one from a blank console. The MMC.EXE plus the defined snap-ins, views and custom tasks create the tool interface. Although it’s possible to open multiple tools simultaneously, each one runs in a single instance of the MMC.EXE process. To see what I mean, open an MSC file and check out the Task Manager while it’s running— you only see the MMC.EXE process running, not the MSC file, just as you see WINWORD.EXE running in Task Manager, but not the Word document’s name. However, you can open separate nodes in separate windows within the tool. You could have separate windows open to the Event Viewer and the Device Manager within the same tool, for instance. By default, prepackaged console tools open in User mode. Changes cannot be made to the console design. You can’t add or remove snap-ins, for example. To create or customize a console, use Author mode. When a user is running a tool and not configuring it, it should be running in one of the User modes. When a tool is running in Author mode, additional items will appear on the File and Action menus. Also, the Favorites menu doesn’t appear in User mode consoles. Favorites can only be configured in Author mode. Figure 3.4 shows a sample console tool, with the parts of the interface labeled. This console is running in Author mode to show all the parts of the MMC interface. This is a custom console, but to open any existing tool in Author mode, invoke it from the Start/Run dialog box with the /a switch. Alternately, right-click the tool’s icon and choose Author to open it in Author mode. This does work with the links to tools in the Administrative Tools group, but remember not to overwrite the original file!

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

51

52

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

FIGURE 3.4 Anatomy of a console tool

Console Window

Main MMC Window

Toolbar Console Root

Details Pane

Console Window Console Tree

In addition to its traditional functions (New, Open, Save, Save As) the File menu in the Main window is used to add and remove snap-ins and set console options. The Action menu and the Toolbar are context sensitive and will reflect the options of the selected snap-in tool or component. The Favorites menu functions like the Favorites menu in Explorer; however it stores only links to locations in the console tree. The hierarchical list of items shown by default in the left pane is called the console tree, and at the top is the console root. The right pane is called the details pane. Snap-ins appear as nodes on the console tree. The contents of the details pane change with the item selected on the console tree.

The Computer Management Console Now it’s time to practice the new MMC terms you’ve learned as we take a look at the Computer Management console. COMPMGMT.MSC is the main tool for administering a single server, local or remote. If you only have one or two Server 2003 servers on your network (and are not implementing Active Directory), the Computer Management console contains most of the tools you’ll need. You’ll find Computer Management in the Administrative Tools program group, or right-click My Computer on the Start menu and choose Manage. Using Computer Management Remotely There are several ways to use COMPMGMT.MSC to manage remote servers on your network: ◆

Run COMPMGMT.MSC with the switch /COMPUTER=COMPUTERNAME.

◆

If you are working in an Active Directory context, within Active Directory Users and Computers, right-click the machine’s icon and choose Manage. Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

A MICROSOFT MANAGEMENT CONSOLE PRIMER

Using Computer Management Remotely (continued) ◆

Open Computer Manager and highlight Computer Management (local) at the root of the console, then right-click and choose Connect to Another Computer.

◆

If you are creating a custom console that includes the Computer Management snap-in, specify the remote server the tool will point to when you add the snap-in, or check the box that allows you to specify the remote computer at the command line, as described in the first option.

There are three nodes in the Computer Management console tree: System Tools, Storage, and Services and Applications (see Figure 3.5). Notice that the tool manages the local machine by default; to connect to other computers on the network, highlight the Computer Management icon at the root of the tree, right-click, and choose Connect to Another Computer. You can also choose Connect to Another Computer from the Action menu, but right-clicking an object in the console tree reveals both the Action and View menu options, so it’s more efficient. FIGURE 3.5 The Computer Management console tree

Expand the nodes in the Computer Management console tree to reveal the configuration tools and objects, as shown in Figure 3.6. Most of the core functions are under System Tools. FIGURE 3.6 The expanded Computer Management console tree

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

53

54

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

Note To manage NT 4 or Windows 98 boxes remotely with COMPMGMT.MSC, install the Windows Management Instrumentation (WMI) Version 1.5 Core Components on the legacy system. This is available as a download (WMICORE.EXE) from Microsoft’s Web site. The WMI add-on component is available for Windows 9x and NT 4. Windows Me, 2000, and XP include WMI.

In the System Tools node, you can perform the following tasks: ◆

◆ ◆

◆ ◆

View events and manage the event logs. The Event Viewer is available as a snap-in, an extension to the Computer Management tool (as shown here), or as a stand-alone prepackaged tool (EVENTVWR.MSC). Some services, such as DNS and Active Directory, have their own logs and these will appear in the details pane if the service is installed on the system. Manage shared folders. View, create, and manage shares; view sessions and open files; and disconnect sessions. Create and manage local users and groups (Chapter 9 is all about creating and managing users and groups). If the system is a domain controller running Active Directory, however, the local users and groups extension will not load. Set up performance logs and alerts (see Chapter 18 for specifics on configuring performance alerts). Manage devices. This version of Device Manager functions in read-only mode when it’s looking at remote systems, but it’s still a good resource if you want an overview of the remote system’s hardware or are troubleshooting a resource conflict.

Tip For a better (but still read-only) look at a remote system’s hardware and software configuration information, run MSINFO32.EXE. This little tool is powerful and includes options to run a search, view a history of changes, print out system information, or export the data to a file.

The Storage node includes options for managing removable storage (CD-ROMs and CD Jukeboxes, for example), along with the Disk Defragmenter tool and the Disk Management tool for managing disks, partitions, and volumes. The Logical Drives extension that was present in the Windows 2000 version of this tool is gone now. The Services and Applications node includes, at a minimum, telephony settings, services configuration, and an indexing extension. As new services are installed on the system, the components available in the Services and Applications node will change. For instance, if the server is a DHCP server or is running DNS, the appropriate management tools will appear under Services and Applications—otherwise, you won’t see them. I’m quite fond of this feature; when I’m checking out a server for the first time, I can determine what key services are installed on the system and look at the configuration for those services using the same tool.

Other MMC Tools If you’re like me, you don’t want to get carpal tunnel syndrome just trying to open something from the Administrative Tools group. If you want to have quick and easy access to your tools, and you prefer to use Start/Run as much as possible to open programs, it’s nice to know their filenames. To save your hands and your sanity, Table 3.1 lists most of the core MSC filenames. Keep in mind that some

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

A MICROSOFT MANAGEMENT CONSOLE PRIMER

tools, like DNS and DHCP, may not be available on the system until the corresponding service is installed. Also, remember to include the program extension in the Start/Run box. For example, entering just DSA to open Active Directory Users & Computers doesn’t work. You’ll need to enter DSA.MSC.

TABLE 3.1: CORE MSC FILES MSC Filename

Common Name

AZMAN.MSC

Authorization Manager

CERTMGR.MSC

Certificates snap-in

CERTSRV.MSC

Certificate Services

CERTTMPL.MSC

Certificate Templates

CIADV.MSC

Indexing Service

COMPMGMT.MSC

Computer Management

DCPOL.MSC

Domain Controller Security Policy

DEVMGMT.MSC

Device Manager

DFRG.MSC

Disk Defragmenter

DFSGUI.MSC

Distributed File System

DHCPMGMT.MSC

DHCP Manager

DISKMGMT.MSC

Disk Management

DNSMGMT.MSC

DNS Manager

DOMAIN.MSC

Active Directory Domains & Trusts

DOMPOL.MSC

Domain Security Policy

DSA.MSC

Active Directory Users & Computers

DSSITE.MSC

Active Directory Sites & Services

EVENTVWR.MSC

Event Viewer

FXSADMIN.MSC

Fax Service Manager

FILESVR.MSC

File Server Management

FSMGMT.MSC

Shared Folders

GPEDIT.MSC

Group Policy Editor

IAS.MSC

Internet Authentication Service

IIS.MSC

Internet Information Services Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

55

56

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

TABLE 3.1: CORE MSC FILES (continued) MSC Filename

Common Name

LUSRMGR.MSC

Local Users and Groups

NTMSMGR.MSC

Removable Storage Manager

NTMSOPRQ.MSC

Removable Storage Operator Requests

PERFMON.MSC

Performance Monitor

RRASMGMT.MSC

Routing and Remote Access

RSOP.MSC

Resultant Set of Policy

SECPOL.MSC

Local Security Policy

SERVICES.MSC

Services Configuration

TAPIMGMT.MSC

Telephony

TSCC.MSC

Terminal Services

TSMMC.MSC

Remote Desktops

WMIMGMT.MSC

Windows Management Instrumentation

Most of the tools listed in Table 3.1 are found in the \Windows\system32 directory and are therefore in the default search path; you’ll have no problem running them from a command line or using Start/ Run. A couple, however, are found in other directories that are not included in the default search path. The tool to manage Internet Information Services (IIS.MSC) is a good example; it’s found in \Windows\system32\inetsrv. If you need to run any of these tools on a regular basis, and they aren’t in your search path and you still don’t want to use the Start menu (we admins can be stubborn), you have several options to make these tools more readily accessible. You can copy the tool(s) to the \Windows\system32 directory; or if you don’t mind a cluttered Desktop, just create Desktop shortcuts to the tools. Another approach is to change the search path to include the directories that contain your tools. This is a bit more of a pain; you’ll need to open the System applet and go to the Advanced tab, then choose the Environmental Variables button to edit the system variable called Path. Oh, yes, and then reboot. Is it worth it? Many don’t think so. In the past, I used this strategy: I copied all the tools I needed to a separate directory, and then added that directory to the search path. That way I didn’t have to edit the path variable multiple times. You may think this is a lot of trouble just to use a couple of tools, but after you install a bunch of third-party tools on your server you may change your mind. They’ll probably all use their own installation directories.

Building Your Own MMC Tools If the existing MMC tools don’t fit your needs exactly, you can create a customized tool with your most frequently used components. Creating your own admin tool is easy using the MMC framework and snap-ins provided by Microsoft and third-party software vendors.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

Although it’s quite simple to create a customized MMC tool, there are so many options for customizing that I can’t tell the full story here. Nevertheless, no discussion of MMC would be complete without an example or two of authoring administration tools.

Building a Simple Microsoft Saved Console To configure your own custom admin tool, open a blank MMC in Author mode by opening Start/Run and typing mmc.exe. This will open up an untitled console (Console1) and display a generic console root, shown in Figure 3.7. You can now open existing MSC files (just as you open DOC files in Word or XLS files in Excel) by choosing Open from the File menu. These files will automatically open in Author mode if you open them in a blank console. If you wish to open and fiddle with existing MSC files, most (but not all) of them are in the \Windows\system32 directory. Just be sure to leave the original MSC files intact; you might need them again. In the example that follows, you’ll be creating a tool from scratch, starting with a blank console and loading snap-ins. FIGURE 3.7 A generic console root

Suppose you need a tool for hardware management and troubleshooting. To create it, follow these steps: 1. Start by renaming the console root Hardware Tools; right-click the console root and choose

Rename (you can perform this step later if you prefer). 2. Now you’re ready to add snap-ins. Choose Add/Remove Snap-in from the File menu in

the Main window. As you can see in Figure 3.8, you must choose where to add the snap-in. Right now, it’s only possible to add snap-ins to the console root (now called Hardware Tools), but you can group related tools by first adding folders to the console root. Folders are implemented as snap-ins, permitting you to organize tools into groups on the console tree.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

57

58

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

FIGURE 3.8 Choosing where to add snap-ins

3. To add folders to the console root, choose the Add button to open the Add Standalone

Snap-In dialog box (see Figure 3.9). You’ll now see both dialog boxes, sort of cascaded. Items chosen from the list in the Add Standalone Snap-In dialog box will appear in the list of snap-ins in the parent dialog box. Scroll through the list until you see the Folder snap-in. Choose Add, and the folder appears in your list of snap-ins in the Add/Remove Snap-In dialog box. Choose Add again and you’ll see two. Now close the Add Standalone Snap-In dialog box to return to Add/Remove Snap-In, and click OK to close it. 4. Back at the console in progress, right-click the folders to rename them. Figure 3.10 shows a Hardware Tools console with three folders, renamed to Disk Tools, Other Tools, and Web Sites. 5. The Web Sites folder will contain snap-ins that are hyperlinks to hardware vendor and support sites. To add links to the Web Sites container, open the Add/Remove Snap-In dialog again (choose Add/Remove Snap-In from the File menu), select the Web Sites folder as the container, choose Add, then scroll through the list until you find Link to Web Address. Click the Add button, and follow the wizard prompts to create a new Internet shortcut; simply fill in the URL and give the shortcut a friendly name. Choose Close and then OK to close the Add/Remove Snap-In page and return to the console. Now when you select the link in the console tree, the Web page will appear within the details pane. You can surf

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

the Web from within the console, although technically you’ll need links to leave that particular site. FIGURE 3.9 The Add Standalone Snap-In dialog box

FIGURE 3.10 Customizing the console

To add tools to the other folders, follow the same process and choose the appropriate tools from the list of snap-ins available. Some third-party software vendors are now implementing their tools as snap-ins, so this list will expand and vary with the system configuration and software installed. Some tools will prompt you to select a computer to manage. Others, such as the Event Viewer snap-in, also present the option to choose the machine when you start the tool from the command line, as shown in Figure 3.11. To specify a remote system to manage when you open the tool, enter FILENAME.MSC /computer=computername in the Start/Run box or at a command prompt.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

59

60

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

FIGURE 3.11 Selecting a computer for the snap-in to manage

While adding the stand-alone snap-ins, be sure to check out the available extensions for them. It’s interesting to note that the Computer Management snap-in components are all implemented as extensions (see Figure 3.12), although most of these also exist as stand-alone snap-ins. When loading the Computer Management snap-in, you have the option to deselect the extensions that aren’t needed for your custom tool. All available extensions are added by default. FIGURE 3.12 Select or deselect extensions

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

In Figure 3.13, you can see what your final tool could look like: a customized Hardware Tools console. This one consists of a Disk Tools folder (with Defragmenter and Disk Management), a folder called Other Tools that includes the Device Manager and the Event Viewer, and a Web Sites folder that can be filled with helpful hardware support links. To save the custom console, choose Save from the File menu, name the file and click Save. Now the MSC file is ready to use. FIGURE 3.13 A custom Hardware Tools console

Designing Tools with Taskpad Views It’s possible to design simple views of an MMC tool for junior administrators, foregoing their need to learn the different tools and navigate the console tree nodes. You might also wish to present a limited set of tasks and hide others that are normally available in a regular MMC tool view. Taskpad views fill this need and allow you to create a tool that looks like the one shown in Figure 3.14. This tool presents a limited set of tasks instead of the entire console tree structure. Now novice administrators can perform delegated tasks without drilling down through the tree, expanding and collapsing, hoping to find the right tool. Instead, they can click the icon and go right to the task. Taskpad views are HTML-based pages that can include links to console menu commands, wizards, scripts, simple executables, even URLs. At least one snap-in is required to create a taskpad view, although you can create links to tasks that are unrelated to the snap-in, such as scripts. To include menu command and property page tasks, however, the corresponding snap-in must be loaded beforehand. Before designing a console with taskpad views, or any type of console for that matter, put your thinking cap on and visualize the tool you need. What tasks will the tool include? Which snap-ins will be required? You’ll need to be somewhat familiar with the available snap-ins and their functions. Will your tool include only one taskpad view with a bunch of tasks in a single window? Or do you need a tool with several tabs, each containing a set of related tasks? Figure 3.14 shows a tool with

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

61

62

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

only one taskpad view; tasks are all together in one window, and the console tree is hidden from the user. Figure 3.15 illustrates a multiple taskpad tool with several different tabs, perhaps for a more experienced support person who needs to perform several different types of tasks. FIGURE 3.14 A simple taskpad tool

FIGURE 3.15 A multiple taskpad tool

There are a couple of possible strategies for creating taskpad views. One is to assemble a specific set of tasks into one or more taskpad views. For example, when the tool is opened, you might see a single taskpad view called Routine Admin Tasks with links labeled Create New User or Create New Share. If you click the link called Create New User, the dialog box or wizard to create new users appears. In a tool like this, you might want to prevent users from navigating around, so you hide the console tree and present only the taskpad view. Another technique is to create taskpad views for particular items in the tree; for example, a taskpad for Users and Groups, another for Shared Folders, and a third for the Event Viewer. Again, you might choose to hide the actual console tree and normal views for this tool. In that case, you should create a main taskpad with links to other taskpads located at different branches of the tree. Imagine a taskpad view called Main Taskpad, which contains links called Open Services and Manage IIS. Click the former and another taskpad appears, with a list of services and links to stop, start, or restart

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

a service. You can use the Forward and Back buttons on the toolbar (as you do in Explorer) to return to the Main Taskpad view. Alternately, you might choose to present these taskpad views in addition to the normal views without hiding the console tree. In this case, the taskpad will enhance the functionality of the console tool by presenting a set of simple task options (for people who don’t like playing Marco Polo in admin tools) without imposing any limitations on what the user can see or access. Whichever approach you choose, keep in mind that taskpad views are meant to simplify and facilitate the use of a console. They can even limit, to some extent, the administrative options that are presented. However, you should not consider them a foolproof way to prevent admin types from performing certain tasks. Even if they can’t get around the limitations of the custom console, which is by no means certain, they may have access to other tools that are not restricted. The best way to restrict another admin’s power is to use all of the other built-in security options that are available in appropriate combinations: security group memberships, rights, group policies, and delegation are some of the more reliable tools for this purpose. Don’t rely on a customized, locked-down console tool instead. In this section, you will create a Main Taskpad view for the Computer Management snap-in and then create links to tasks. Then you will set up taskpad views for particular items in the console tree, with links from the Main Taskpad. Finally, you will customize the tool’s interface to hide the console tree and present a simplified set of options to the user. Creating Taskpad Views

Once you’ve decided which tasks your user or admin person will perform with this tool and identified the necessary snap-ins, you are ready to create the console. To keep things simple in this example, use the Computer Management snap-in to create a view and a select set of tasks. Open a blank console as described earlier (Start/Run and enter mmc.exe) and load the Computer Management snap-in. You can also use an existing console that contains the necessary snap-in as long as you open it in Author mode. Although many of the Computer Management extensions, such as the Event Viewer and Device Manager, can be added as standalone snap-ins, the Computer Management snap-in has a special capability that will facilitate remote management, as you’ll see in a moment. As you load the snap-in you may want to point it to your file server and select the option to specify a server to manage when starting the tool from the command link (this option was shown back in Figure 3.11). If you choose not to do this, you can still connect to remote systems, but the tool will always point to the local computer when it initiates. To create a taskpad view at the top of the Computer Management node, follow these steps: 1. Select the Computer Management node in the console tree, right-click it to see a context

menu (or pull down the Action menu), and choose New Taskpad View. You will always add, delete or modify taskpad views by first navigating to the node in the console tree where the taskpad is anchored. For instance, if you have a taskpad view created for the Event Viewer, select the Event Viewer node on the tree (the taskpad will display when the node is selected) and then select your option from the context menu or the Action menu. 2. The New Taskpad View Wizard appears. Click Next to continue. 3. Select the style of the taskpad view (see Figure 3.16). Do you want the Taskpad View to also display the actual items that would normally appear in the details pane (such as a list of

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

63

64

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

users or a list of services)? If so, choose to display either a vertical list (to accommodate lots of columns) or a horizontal list (for longer lists). In this case, you want to create a view of links and don’t want to see the details pane information, so choose No List. If you were to choose a list type, however, you would use the List Size drop-down menu to determine how much of the window can be taken up by the list. By default, the “normal” details pane will not be accessible to the viewer once the Taskpad View is created. However, if you want to make the normal details pane available, deselect the option Hide Standard Tab. The standard details pane will then be viewable by clicking the Standard tab. Now, select the style you want for your task descriptions. If you need a longer explanation to appear alongside the link, choose Text. However, for this example you want more room for task links and a description that pops up when you hover over the link, so choose InfoTip. Choose Next to continue. FIGURE 3.16 Configuring taskpad display

4. In the next screen (Figure 3.17), you must decide whether to apply the view to the selected tree

item only or to any other tree item of the same type. If you choose the latter, you have the option to change the default details pane display for those items to the taskpad view (although the normal view will still be accessible through the Standard tab if it’s not hidden). Choose to apply the view only to the selected tree item. This taskpad view will only display when the Computer Management root node is selected. Choose Next. 5. The final step is to supply a name for your taskpad (I called mine Main Taskpad) and an optional description. The description you supply will appear under the title in the details pane. That’s it! In the final screen of the wizard, you have the option to kick off the New Task Wizard and start creating tasks (uncheck the box beside Start New Task Wizard to avoid creating a new task for now). Click Finish to close the wizard and create the new taskpad view.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

FIGURE 3.17 Selecting a taskpad target

Figure 3.18 shows your new taskpad before any tasks are created. Notice the tabs at the bottom of the details pane that allow you to move between the taskpad view and the standard view of the details pane. In a moment, I’ll show you how to hide the console tree on the left and remove the Standard view tab to achieve the look and feel of the console shown back in Figure 3.14. FIGURE 3.18 A console with a taskpad view

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

65

66

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

If you want to create multiple taskpad views, as shown in Figure 3.15, follow steps 1–5 again. You can create additional taskpad views at the same place on the console tree or at other points on the tree. To create a taskpad view for Event Viewer, for example, just navigate down to that node and create the taskpad from there. To remove a taskpad view, select it and choose Delete Taskpad View from the context menu or from the Action menu. Be aware that wherever you have multiple taskpads anchored at the same place on the console tree, you must select the target taskpad’s tab before you can delete or edit it. To make changes to an existing taskpad, select Edit Taskpad View from the context menu or from the Action menu. In the taskpad view property page (Figure 3.19), you can change the style of the view and add, remove, or modify tasks. FIGURE 3.19 The taskpad property page

Creating Tasks

The New Taskpad View Wizard will automatically kick off the Start New Task Wizard if you don’t uncheck the box in the last screen of the wizard. Another way to create tasks is by choosing Edit Taskpad View from the Action menu. From the taskpad properties page (shown in Figure 3.19), move to the Tasks tab and click New to start the New Task Wizard. The following steps illustrate how to create a task link for the Connect to Another Computer command: 1. In the New Task Wizard, click Next to begin creating a new task. Click a radio button to

choose whether the task will be a menu command (from the context or Action menu in the

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

console), a shell command, or a navigation command, which points to a link in the Favorites tab (see Figure 3.20). Although menu commands are limited to the functions of a loaded snap-in, a shell command could be an executable (like a wizard), a script, or even a URL. In any of these cases, the shell command task kicks off the command called. So think of it as a shortcut or a link to something outside of the tool. For example, you can create a shell command task to open a related Help (CHM) file or to run a disk usage report script. You’ll create a menu command in this example, but if you choose to create a shell command at another time, you’ll need to specify the path to the command and any command-line parameters (also called switches or arguments), the “start in” directory, and whether the command should run in a normal window, minimized, or maximized. Figure 3.21 shows the command-line task dialog box. FIGURE 3.20 Creating a new task

Tip One really neat feature of the shell command task is that little right arrow you see beside the parameters option in Figure 3.21. Some snap-ins and extensions support passing variable values to scripts. To see the variables you can use in that context, click the right arrow. Highlight one of the variables to add it to the list of command-line parameters. Note In contrast to shell command tasks, which refer to commands outside the tool, navigation command tasks are shortcuts to places within the console. For instance, if you want a shortcut to the Disk Defragmenter, find and select it on the console tree, then add it to the tool’s favorites ( just choose Add to Favorites from the Favorites menu). Then, when you create your navigation task, choose the Disk Defragmenter from the list of existing favorites. Once the shortcut is created, clicking the task icon opens the Disk Defragmenter tool.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

67

68

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

FIGURE 3.21 Creating a shell command task

2. After choosing to create a menu command, select a source for the command in the next screen

(see Figure 3.22) and choose a command from those available on the right. You can choose whether the source of the command will be an item in the details pane or a specific item in the console tree. In this case, you are creating the latter, a tree item task. Now you’ll see the Computer Management node in the left pane, and Connect to Another Computer is among the available commands on the right. Highlight Connect to Another Computer and click Next. FIGURE 3.22 Selecting a menu command

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

3. Give the task a name and a description. The description you supply will either appear alongside

the task icon or pop up when you hover over it, depending on the style choice you made for the taskpad. Click Next. 4. In the next screen (shown in Figure 3.23), choose a task symbol. Unfortunately, the selection of symbols is pretty limited. Some tasks have recommended symbols; highlight a symbol to see its common meanings. Or you might find a custom icon you like better by browsing to \Windows\system32\shell32.dll. Select a symbol and click Next. FIGURE 3.23 Choosing an icon for the task

5. The wizard confirms your task creation (see Figure 3.24), displaying a list of created tasks and

giving you the option to run the wizard again to create another task. Click Finish, then click OK to close the taskpad property page. The new task will appear in the taskpad as a link. Click the link once to run it. 6. For practice, run the New Task Wizard again, creating a new menu command based on another tree item. In the New Task Wizard, scroll through the Computer Management tree and locate Shares under System Tools/Shared Folders. The task you’re looking for is New Share. Running this command will kick off the Share a Folder Wizard. Now your taskpad should look something like the one shown in Figure 3.25. Using the tasks you’ve created, you can connect to a remote machine and create a shared folder on it. For the sake of completeness, the taskpad shown in Figure 3.25 also includes a shell command task (Run Disk Usage Report) and a Navigation task (Open Disk Defragmenter).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

69

70

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

FIGURE 3.24 Completing the New Task Wizard

FIGURE 3.25 A taskpad with tasks

Steps 1 through 5 illustrate how to create a task to connect to another computer, which is important if the tool is to function remotely. This is why the Computer Management snap-in was used instead of the individual component snap-ins. When adding individual component snap-ins like the Event Viewer and Services, the Connect to Another Computer function is also available, but each snap-in has to be pointed to a remote computer separately. If you use the Computer Management snap-in, you can easily change the focus for the entire tree of tools at once. Otherwise, you might find yourself looking at your local Event Viewer while stopping and starting services on a remote machine.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

Notes on Taskpad Views and Menu Commands

In the example of creating a taskpad, you had the choice in step 4 to apply the view to the selected tree item only or to any other tree item of the same type. When a taskpad view is applied to the selected tree item, it will only be visible when you navigate to that node in the console tree or use a link such as a Favorite to get there. When a taskpad view applies to other tree items of the same type, different event logs, for instance, it will display the same taskpad view and tasks no matter what log is selected for viewing in the details pane. A taskpad view created for the Application log, configured to display for all items of the same type, will also be accessible when you look at the Security log or the System log. Also, when you’re choosing a menu command source in the New Task Wizard, tree item tasks can point to any item on the tree, but detail pane choices are limited to operations you could perform by right-clicking an item in the details pane at that particular place on the tree. The command applies to the selected item. It also follows that detail pane commands don’t work unless you actually choose to display the details pane list when you create the taskpad. So why would you want to create task links that are limited to the command options in the details pane at all? Isn’t it quicker to right-click? Isn’t right-clicking a universal skill at this point? Well, this capability could be useful if you need to frequently perform the same tasks on different items in the list. As an example of the preceding points (selected tree versus same type views, and tree item menu commands versus detail pane commands), you’ll create a taskpad view for an event log and create the following tasks: view the details of a particular log entry, refresh the log view, archive the log, clear the log, and open an archived log file. I would use the Services tool as an example (start service, pause service, etc.) but Microsoft beat me to it: there’s already an extended view of Services that covers those functions. 1. First, open the Event Viewer and select one of the event logs. Choose New Taskpad View

from the Action menu. The wizard will open. Click Next to continue. 2. Select your display options for the taskpad. There will be a long list of log entries, so a vertical

3.

4.

5. 6.

list is appropriate, although selecting a horizontal list will allocate more room to display the columns. I recommend leaving the task description style on InfoTip, as this will allow more room for task links. Click Next. Choose to apply the taskpad view to all tree items of the same type, and to change the default display to this taskpad view. These are the default settings for new taskpad views. Choose Next. Give the taskpad a name (I called mine Log Options) and a description, which will appear under the name in the details pane. Click Finish to create the taskpad and start the New Task Wizard (if you leave the box checked, it’s selected by default). To create a task, click Next in the New Task Wizard. Choose to create a menu command and click Next. This time, in the Shortcut Menu Command page, you’ll choose your command from the list in the details pane for the log you selected. As you can see in Figure 3.26, the log entry context-menu commands are also available. Select Properties (it doesn’t matter what entry is selected on the source side at this point) and click Next.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

71

72

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

FIGURE 3.26 Creating a detail pane command task

7. Name the task View This Entry. Click Next. Now choose an icon from the list, click Next,

click Finish in the confirmation page, and you’re done. 8. Run the New Task Wizard again to create each of the remaining tasks, but change your selec-

tion in the Shortcut Menu Command page to select a tree item task (shown in Figure 3.27). The menu commands to use are Refresh, Save Log File As, Clear All Events, and Open Log File. Name these Refresh Log View, Archive this Log, Clear this Log, and Open Archived Log File, in that order. FIGURE 3.27 Creating a tree item task

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

Figure 3.28 shows the final taskpad with tasks. Now when you navigate to any of the event logs in the Event Viewer, the taskpad displays the list of log entries, and the tasks you’ve created appear to the left (or under) the entries. This effectively illustrates the difference between tree item tasks and detail pane command tasks; to view a particular log entry (a detail pane command), you must first select it from the list and choose View This Entry. To archive the log or refresh the log view, however, just click the link; the context for the command has already been established. FIGURE 3.28 The final Event Log taskpad

Customizing the Console Interface

Now that you’ve loaded snap-ins and created customized taskpad views and task links, you can give your customized tool a simplified look and feel by hiding the console tree and the navigation tabs that allow end users to move between the standard and the taskpad view of the detail pane. You know, that reminds me, if you hide the console tree and the navigation tabs, lock the tool down, and prevent the user of the tool from navigating the console tree, they have no way of getting down to the Log Options taskpad you created in the earlier example. They’ll be stuck at the Main Taskpad. So, before you customize the console interface, you need a task in the Main Taskpad that acts as a link to the Log Options taskpad. There are two ways to accomplish this, and both seem to work equally well. The first way to create a link to another taskpad is to navigate down to the log while the console tree is visible in Author mode and add that location to the list of Favorites. Then, create a navigation task in the Main Taskpad and select the Favorite as the destination. The Favorites link must exist, however, before you can create a navigation task for it. Remember, though, if you are hiding the console tree altogether, you’ll need to create a Favorite and a corresponding link for each log you want the user to access.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

73

74

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

If you don’t want to use the Favorites method, create a menu command task in the Main Taskpad and select as the source a tree item task. Navigate to the log and select the command Open (shown in Figure 3.29). Or choose New Window from Here to open the log in a new window. Name the task Open Application Log, for example. If the taskpad is configured to be the default display, that’s all you need to do. From the Main Taskpad, the user needs only to click the link Open Application Log to go to the Log Options taskpad. Just as with the Favorites method, you’ll need to create a link for each log. Of course, you can create a link to the Event Viewer instead of the individual log, and users can then select the log they are interested in viewing, but you won’t have the same fine-grained control. It’s also possible to create a taskpad consisting entirely of links to other taskpads, which in turn link to other taskpads on the console tree, if you feel up to it. As I said in the beginning of this section, the options are too numerous to cover them completely in this book. FIGURE 3.29 Creating a task to open a console taskpad view

A final word before you lock down the console: just as you would create a home link on a Web site to prevent a user from getting stuck on a particular page, it’s a good idea to create links back to the main taskpad on second- or third-tier taskpads. This is especially true if you intend to hide the console tree and the toolbar because the forward and back buttons will not be available. To customize the console interface, choose Customize from the View menu. Figure 3.30 shows the view options, with default values. Items are shown when the boxes are checked and hidden when they are cleared. As you uncheck selections, you can see the changes being updated in the console. Hide the Console tree to achieve that single window appearance. Clear the Standard Menus check box to hide the Action, View, and Favorites menus. Removing the Action menu prevents the user from selecting an item and pulling down the Action menu to see a complete set of task options, but they can still access the context menu by right-clicking an item. If you clear the check box labeled

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

Standard Toolbar, the toolbar with the forward and back buttons disappears (along with the Show/Hide Console Tree, Export List, and Help buttons). Remember that you need those buttons if the tool has to navigate the tree. Consider our earlier example of the Main Taskpad with a link to the Application log taskpad. If the Standard toolbar is removed, you cannot return to the Main Taskpad from the Application Log taskpad without a link. If the console tool is only running wizards or scripts, however, removing the navigation buttons won’t be a problem. To really simplify the window, clear both the Status Bar and the Description Bar check boxes (the status bar is displayed by default, but the description bar is not). Clear the Taskpad Navigation Tabs check box to remove the tabs from the bottom of the details pane; without access to the Standard view, users will only be able to view the taskpads you’ve created. FIGURE 3.30 Customizing the console view

Each snap-in can have its own menu items and toolbar buttons. To hide these for all snap-ins in the tool, clear the two check boxes in the Snap-In section of the dialog box. You can’t pick and choose which toolbars and buttons to hide; you either hide them for all snap-ins or reveal them for all snap-ins.

Packaging Up the Tool for Users When the tool is ready to be published, choose Options from the Console menu of the Main window and change the tool’s name (from Console1 to something descriptive), as shown in Figure 3.31. The new name will now appear in the title bar. You might also want to assign a different icon than the generic MMC icon. Finally, assign a default mode to the MSC file. Use one of the three User modes to prevent changes to the tool, such as adding and removing snap-ins or editing taskpads. The three different User modes represent varying degrees of restrictions, including whether the user can open multiple windows. Limited Access Single Window is the most restrictive. Notice the two configuration check boxes at the bottom of Figure 3.31. Check Do Not Save Changes to This Console to prevent users from saving any changes they make to the console. Users can customize views by default. To prevent this, uncheck the box that says Allow the User to Customize Views. You

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

75

76

CHAPTER 3

CONFIGURING WINDOWS SERVER: THE MICROSOFT MANAGEMENT CONSOLE

haven’t locked down anything at all until you do this. Otherwise, the user can open up Customize View by clicking the Console icon at the top left of the window and undo all your modifications. Choose OK to close the Options dialog box, then save the console as an MSC file if you haven’t already. FIGURE 3.31 The Console Options dialog box

Figure 3.32 shows a basic admin tool running in User mode with limited access and a single window. The console tree and taskpad navigation tabs, as well as the Action and View menus, are hidden. This tool does reveal the Standard toolbar, however, since it’s necessary to be able to go forward and back in the tool. Too bad you can’t hide some buttons and not others. FIGURE 3.32 The final product

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BUILDING YOUR OWN MMC TOOLS

Warning A locked down MMC tool is not to be relied on as a security or control measure. Control a user’s actions using appropriate group memberships, rights and object permissions, and with delegation.

Distributing the Tool When the tool is finished, distribute it as you would a normal file; e-mail it to someone, put it on the network file server in a shared folder, or use Active Directory services to publish it. Appropriate administrative permissions for the tasks and access to the snap-ins, either on the local machine or on the network, are required to use the tool. Unfortunately, the version of MMC distributed with Windows 2000 and prior versions of Windows client systems will not run tools created using MMC 2 Version 5.2. They will run only on other Server 2003 systems and Windows XP. Windows Server and XP can run consoles created on Windows 2000 systems, however.

Editing a Custom Console Tool Making changes to the console is easy, even when the tool opens in User mode by default. The tool can be opened in Author mode using one of several methods: ◆ ◆ ◆

Open the tool using Start/Run and enter the filename with the /a switch. Right-click the file’s icon and choose Author. Open a blank console using Start/Run and enter mmc.exe, then choose Open from the Console menu to pull up any MSC file in Author mode.

How can you keep others from making changes to the tool using these tricks? Chapter 9 explains how to restrict access to Author mode, and even particular snap-ins, using group policies. In this chapter, you learned how to gracefully weather the minor user interface changes introduced with Windows Server 2003. We also explored the Microsoft Management Console and learned a few of its inner secrets. Now you are ready to unleash the real power of MMC by using its authoring features to create consoles that fit the needs of your MIS/IT department.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

77

Chapter 4

Configuring Windows Server: The Windows Server 2003 Registry Any explanation of how to solve problems and get things done in Server 2003 (or indeed any version of NT) will soon turn to a bit of software fiddling called “modifying the Registry” or “hacking the Registry.” This chapter explains exactly what the Registry is, why you care about it, and how to work with it. If you’ve already worked with Windows 9x, Me, or, again, any previous version of NT, then this will be old stuff. But the newcomers should read carefully! Anyone who works with Server 2003, whether as a user or as an administrator, makes a fair number of adjustments to it—from the small ones, such as changing a background color, to larger ones, like changing a network IP address. Similarly, when you use an application, you inevitably end up configuring it as well, directing it where to save files, how the application should start up, whether to automatically run macros, and the like. And, of course, when you reboot a computer or whenever you start up an application, you expect your configurations to still be in effect—the things that you tell an operating system or application to do should survive a reboot. But where are these customizations stored? Over the years, different operating systems have answered that question in different ways. Windows 2 and 2.1 actually stored a lot of their configuration information inside their own program files, which unbelievably meant that every time you made a change like installing a new video card, the Windows Setup program would build an entirely new copy of Windows with that driver’s information embedded in the Windows program itself! Not every configuration change in Windows 2.x required a rebuild of the operating system, thankfully, as Windows 2.x and then 3.x used ASCII text files with names like WIN.INI, SYSTEM.INI, CONTROL.INI, and so on to store configuration information. INI files weren’t a bad thing overall—their ASCII nature made changing them simple, a task for Notepad or an easy-to-write BASIC program—but the growing complexity of Windows in both its 9x and Windows NT incarnations created a need to be able to store more complex configuration information. Microsoft’s answer to that increased need arrived with the first version of NT, Windows NT 3.1, in the summer of 1993. The answer was a group of files with the collective name of the Registry.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

80

CHAPTER 4

CONFIGURING WINDOWS SERVER: THE WINDOWS SERVER 2003 REGISTRY

(Microsoft always capitalizes it—the Registry—so I will, too, but it always seems a bit overdone, don’t you think?) The Registry is terrific in that it’s one big database that contains all of the Server 2003 configuration information. Everything’s there, from color settings to local user account’s passwords. (Not domain users—those are in the separate files that store the Active Directory database. And by the way, you can’t just look in the Registry to see local passwords—they’re encrypted.) Even better, the Registry uses a fault-tolerant approach to writing data to ensure that the Registry remains intact even if there’s a power failure in the middle of a Registry update. So you’ve just got to like the Registry. Except, of course, for the annoying parts about it, including its cryptic organization and excessively complex structure. But read on and see what you think.

What Is the Registry? The Registry is a hierarchical (that is, tree-structured) database of settings that describe your user account, the hardware of the server machine, and your applications. Any time you make some change with the Control Panel or some MMC snap-in, the effect of that change is usually stored in the Registry. (I say “usually” because some information is stored in the Active Directory, which is separate from the Registry.)

The Registry Stores Most of a Computer’s “State” If you can make changes to your system and they’re then stored in the Registry, you might ask, “Who cares? What’s the value of the Registry?” Well, consider how much time you spend configuring a new workstation or server. If that machine died for some reason, you’d want to set up another machine to replace the now-dead one—do you really want to spend all that time reconfiguring the replacement machine to look like the original? No, of course not. You would much prefer to be able to just put Server 2003 on the new machine and then restore all of the preferences and settings in one fell swoop, and you can do that, if you’ve got a backup of the old machine’s Registry. Then all you need do is to put Server 2003 on the replacement machine and restore the old machine’s Registry to the new machine. That, then, is the Registry’s first value: when backed up, it preserves much of a machine’s “state.”

The Registry Stores Dynamic Hardware Information Preserving user settings is nice, but it’s not the Registry’s sole value. In addition to storing the settings that you’ve made in the Registry, Server 2003 saves many settings that you never see, such as dynamic settings that Server makes to itself every time it boots—for example, whenever Server 2003 boots, it creates a census of the hardware attached to it and stores that census in the Registry. The Registry also contains internal adjustments that Server’s designers preset with the intention that you would never touch them—and that’s where the fun begins, at least for us noodlers.

The Registry Is the Only Way to Make Some System Adjustments Ninety-nine point nine percent of 2003’s settings are of no interest whatsoever. But a few are quite powerful and largely undocumented or documented solely by obscure Knowledge Base articles. The occult nature of these Registry settings has predictably become the source of countless “tips and tricks” about how to tune up NT’s, 2000’s, XP’s and now Windows Server 2003’s performance or how to solve some knotty problem. Perhaps the most remarkable of these appeared a few years ago when NT internals expert Mark Russinovich discovered that the only real difference between

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

REGISTRY TERMINOLOGY

NT Workstation 3.51 and NT Server 3.51 was a few Registry settings! Twiddling the Registry, then, is often of value to Windows troubleshooters. The tough part about working with the Registry is in grasping the programs and terminology used in editing the Registry. You’re just supposed to understand sentences like these: If you are trying to determine why your user profile did not download properly, then you should activate USERENV.DLL’s logging feature and examine the log that it creates in \Windows\Debug\UserMode\ Userenv.log. To enable USERENV.DLL logging, go to the subkey HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows NT\CurrentVersion\Winlogon and add a new entry called UserenvDebugLevel of type REG_DWORD. Set its value to 30002 hex and reboot the system. Sentences like these are a major reason for this chapter. You will come across phrases like that in Microsoft literature, magazine articles, and even parts of this book. Much of that information contains useful advice that will make you a better network administrator if you understand how to carry it out—in fact, these snippets are incredibly useful if you’ve got a busy network and people are having trouble logging in. My goal for this chapter, then, is to give you a feel for the Registry, how to edit it, and when to leave it alone.

Registry Terminology What did that stuff with all the backslashes mean? To get an insight, let’s look at the Registry. You can see it by running the program REGEDIT.EXE (it’s in the \Windows directory); just click Start/Run and fill in REGEDIT.EXE or simply REGEDIT. Run Regedit and click the HKEY_LOCAL_MACHINE window. You’ll see a screen like the one in Figure 4.1. FIGURE 4.1 Registry Editor screen

The terms to know in order to understand the Registry are subtree, key, value, data type, and hive. Warning While looking around in the Registry, please do not make any changes unless you truly want them! Because Regedit is an “editor,” you might think that it’s like Notepad or Word in that none of your changes actually take effect until you choose to Save them–but that is not the case at all. Make a change in Regedit and Regedit changes the Registry immediately. And, worse yet, there is no “undo” key for Regedit changes. So please… until you know what you’re doing, look–but don’t touch! (Unless you like re-installing from scratch, that is.)

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

81

82

CHAPTER 4

CONFIGURING WINDOWS SERVER: THE WINDOWS SERVER 2003 REGISTRY

Subtrees A first look at Regedit can be a bit misleading, as it looks an awful lot like a directory/folder structure on a hard disk—so you may think that you’re seeing some hidden directories somewhere. But you’re not. Regedit’s view of the Registry represents the logical structure of the Registry far better than it represents the physical locations. (If you just can’t wait to find out where the Registry physically resides, then here’s the quick overview: some of the Registry lives in files called hives; the rest of it doesn’t exist anywhere on disk at all, as it’s dynamic data that gets recreated whenever you reboot the server.) Notice that under the My Computer icon, Regedit shows five folder icons; those icons represent logical groupings of Registry information called subtrees. Table 4.1 has an overview of what’s in those subtrees. TABLE 4.2: THE FIVE SUBTREES OF THE REGISTRY Subtree

Description

HKEY_LOCAL_MACHINE

Contains information about the hardware currently installed in the machine and the settings for systems running on the machine. This key, and HKEY_ CURRENT_USER, contain most of the important Registry configuration information. This key contains the information specific to your computer; the next one contains information specific to you, your user account. This subtree is used so often that it has a common abbreviation, HKLM.

HKEY_CURRENT_USER

Contains the user settings and preferences for the person currently logged on to the computer. These settings include things like how you like your desktop arranged as well as settings for particular applications, like Word or Visio. This key’s common use leads to it having the abbreviation HKCU.

HKEY_USERS

Contains a pointer to the HKEY_CURRENT_USER subtree and also to a profile called the DEFAULT profile. The DEFAULT profile describes how the machine behaves when no one’s logged on. For example, if instead of a blue background you wanted a machine to display a green background when no one was logged on, or if you wanted to display a particular wallpaper when no one was logged on (which I’ve found quite useful for keeping clear in my mind which machine was which when using a keyboard switch or just a table full of identical-looking machines), then you’d modify that DEFAULT profile.

HKEY_CLASSES_ROOT

Holds the file associations, information that tells the system, “Whenever the user double-clicks a file with the extension .BMP in Windows Explorer, start up PBRUSH.EXE to view the file.” It also contains the OLE registration database, the old REG.DAT from Windows 3.x. This is actually a redundant subtree, as all its information is found in the HKEY_LOCAL_MACHINE subtree. It also gets placed in the HKEY_CURRENT_USER\SOFTWARE\CLASSES key.

HKEY_CURRENT_CONFIG

Contains configuration information for the particular hardware configuration you booted up with.

In general, you’ll do most of your work in the first two subtrees. Some Registry entries are specific to a machine (HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG), and some are

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

REGISTRY TERMINOLOGY

specific to a user (HKEY_USERS, HKEY_CURRENT_USER, as well as other Registry files that are in the \Documents and Settings\USER ID directories, which you’ll meet later—but for now, just understand that the \Documents and Settings folder is where Windows 2000 and later machines store user preference information). That’s important, and it’s a great strength of the Registry’s structure. The entries relevant to a particular machine should, of course, physically reside on that machine. But what about the settings relevant to a user: the background colors you like, the programs you want to see in your Start menu, the sounds you want on the system? These shouldn’t be tied to any one computer; they should be able to move around the network with that user. Indeed, they can. As with NT 4, Windows 2000, and XP, Windows Server 2003 supports the idea that “roving users” can have their personal settings follow them around the network via roaming profiles, which you will learn more about in Chapter 9.

Registry Keys In Figure 4.1, you saw the Registry Editor display the Registry’s sections as folders under a top-level PC icon. The whole window looks like Windows Explorer. In Explorer, those folders represented subdirectories, as I suggested before. In Regedit, however, they separate information into sections. (If you ever worked on the old Windows 3.x systems, then this is kind of similar to the way old Windows INI files had sections whose names were surrounded by square brackets, names like [386enh], [network], [boot], and the like.) Even though their icons look like folders, most people don’t speak of “Registry folders”—the folders are called Registry keys. You’ll see more folder icons inside other folder icons and so, so it’s logical that you’ll sometimes hear the word “subkey.” In most cases the terms “subkey” and “key” can be used interchangeably. To examine one example key, open up the SYSTEM key under HKLM; simply click the plus sign to the left of HKEY_LOCAL_MACHINE, then click the plus sign next to the System key. It contains subkeys named ControlSet001, ControlSet002, CurrentControlSet, Select, and Setup, and CurrentControlSet is further subkeyed into Control and Services. Notice, by the way, the key called CurrentControlSet. It’s very important. Almost every time you modify your system’s configuration, you do it with a subkey within the CurrentControlSet subkey.

Key-Naming Conventions The tree of keys gets pretty big as you drill down through the many layers. CurrentControlSet, for example, has dozens of keys, each of which can have keys/subkeys. (Remember, the two terms are basically interchangeable.) Identifying a given subkey is important, so Microsoft has adopted a naming convention that looks just like the one used for directory trees. CurrentControlSet’s fully specified name would be, then, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. In this book, however, I’ll just call it CurrentControlSet to keep key names from getting too long to fit on a single line.

Value Entries, Names, Values, and Data Types If I drill down through CurrentControlSet, I find the subkey Services, and within Services, there are many subkeys. In Figure 4.2, I have opened and highlighted one of those subkeys—the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

83

84

CHAPTER 4

CONFIGURING WINDOWS SERVER: THE WINDOWS SERVER 2003 REGISTRY

FIGURE 4.2 The Parameters key of CurrentControlSet\ Services\Browser

In the right pane of Regedit, you can see several lines broken into three parts; two of them look like IsDomainMaster MaintainServerList

REG_SZ REG_SZ

FALSE Yes

These are examples of two system settings; on this particular computer, a setting called is set to FALSE and MaintainServerList is set to Yes.

IsDomainMaster

Note As to what exactly those things mean, look to Chapter 18’s discussion of the browser. It would be really great if you could right-click every line like the two above in the Registry and get a little Help message about what that line does and what modifying it would do, but nothing like that exists. That’s why there are so many books on the Registry!

Each line like IsDomainMaster REG_SZ FALSE is called a value entry. The three parts are called name, data type, and value, respectively. In this example, IsDomainMaster is the name, REG_SZ is the data type, and FALSE is the value. Microsoft notes that each value entry cannot exceed about 1MB in size. It’s hard to imagine one that size, but it’s worth mentioning. What is that REG_SZ stuff? It’s an identifier to the Registry of what kind of data to expect: numbers, messages, yes/no values, and the like. Microsoft defines five data types in the Registry Editor (although others could be defined later), shown in Table 4.2. Those who first met the Registry with Windows 95 will notice a few differences here. Windows 95 has six subtrees, but only three data types—string, which encompasses REG_SZ, REG_MULTI_SZ, and REG_EXPAND_SZ; dword, which is the same as REG_DWORD; and binary, which is identical to REG_BINARY. And if you’re wondering how on earth you’ll figure out what data type to assign to a new Registry value, don’t worry about it; if you read somewhere to use a particular new value entry, you’ll be told what data type to use. Failing that, I usually just guess REG_SZ if it’s textual in nature, REG_DWORD if it’s numeric.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WORKING WITH THE REGISTRY: AN EXAMPLE

TABLE 4.3: DATA TYPES AS DEFINED BY THE REGISTRY EDITOR Data Type

Description

REG_BINARY

Raw binary data. Data of this type usually doesn’t make sense when you look at it with the Registry Editor. Binary data shows up in hardware setup information. If there is an alternative way to enter this data other than via the Registry Editor—and I’ll discuss that in a page or two—then do it that way. Editing binary data can get you in trouble if you don’t know what you’re doing. The data is usually represented in hex for simplicity’s sake.

REG_DWORD

Another binary data type, but it is 4 bytes long.

REG_EXPAND_SZ

A character string of variable size, it’s often information understandable by humans, like path statements or messages. It is “expandable” in that it may contain information that will change at runtime, like %username%—a system batch variable that will be of different sizes for different people’s names.

REG_MULTI_SZ

Another string type, but it allows you to enter a number of parameters in this one value entry. The parameters are separated by binary zeroes (nulls).

REG_SZ

A simple string.

Working with the Registry: An Example Now, I know you want to get in there and try it out despite the warnings, so here’s an innocuous example. Remember, it’s only innocuous if you follow the example to the letter; otherwise, it will soon be time to get out your installation disks. That’s not just boilerplate. Don’t get mad at me if you blow up your server because you didn’t pay attention. Actually, you may be able to avoid a reinstallation if the thing that you modified was in the CurrentControlSet key; Server 2003 knows that you often mess around in there, and so it keeps a spare. In that case, you can reboot the server and, when the boot menu prompts “Please select the operating system to start:,” press F8 for the Windows Advanced Options menu. (If you don’t have a boot menu—as would be the case if Server 2003 is the only OS on your disk—then it’s a bit of a video game, I’m afraid; try to press F8 just as the initial power-on screen for your computer appears. With a little practice it becomes easier.) One of the options you’ll get will be Last Known Good Configuration (Your Most Recent Settings That Worked). That doesn’t restore the entire Registry; it just restores the control set. Fortunately, the current control set is a lot of the Registry. It doesn’t include user-specific settings, however, like, “What color should the screen be?” Thus, if you were to set all of your screen colors to black, rendering the screen black on black (and therefore less than readable), rebooting and choosing Last Known Good Configuration wouldn’t help you. In any case, let’s try something out, something relatively harmless. Let’s change the name of the company that you gave Server 2003 when you installed it. Suppose I decided to change my company’s name from MR&D to Bigfirm, the example that I use in much of this book. Suppose I’d already installed a bunch of Server 2003 machines and filled in MR&D when prompted for an organization. Suppose also that I want to change that so the Help/About dialog boxes say that I’m Mark Minasi of Bigfirm, but I don’t feel like reinstalling. Fortunately, the Registry Editor lets me change company names without reinstalling: 1. Open the Registry Editor. From the Start menu, choose Run.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

85

86

CHAPTER 4

CONFIGURING WINDOWS SERVER: THE WINDOWS SERVER 2003 REGISTRY

2. In the command line, type regedit and press Enter. 3. Open the HKEY_LOCAL_MACHINE folder. Inside that you’ll find a folder called SOFTWARE; open

that. Inside that you’ll find a folder named Microsoft; open that. Inside the Microsoft folder you’ll find a folder named Windows NT; open that and you will see a folder named CurrentVersion. Click it and you’ll see something like Figure 4.3. FIGURE 4.3 HKEY_LOCAL_ MACHINE\SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion

4. In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion you can see,

among other things, value entries named RegisteredOrganization and RegisteredOwner. Mine say MR&D and Mark, but yours will say different things. 5. Double-click RegisteredOrganization, and a String Editor screen appears. You’ll see something like Figure 4.4. FIGURE 4.4 Registry string editor

6. Highlight the old value and replace it with Bigfirm. Click OK, and close up the Registry

Editor. Do the same thing with Mark in RegisteredOwner, changing it to Mark Minasi.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

EVEN MORE CAUTIONS ABOUT EDITING THE REGISTRY

Now click Help/About for any program—even the Registry Editor will do—and you’ll see that your organization is now MR&D. Warning I remind you again: click all you like; you will not find a Save button or an Undo button. When you edit the Registry, it’s immediate and it’s forever. So, once again, be careful when you mess with the Registry.

How Do You Find Registry Keys? How did I know to go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion in order to change my organization name? I found it by poking around the Registry. Regedit let me do it with its neat Find feature. I figured that the word “Name” would appear a lot in the Registry, so looking for a field with my name called “Name” didn’t sound promising. But “Organization” isn’t as common, so I figured I’d try it. Here’s how you can, too: 1. Start Regedit if you haven’t already. 2. Click the My Computer icon in Regedit. 3. Click Edit/Find and a Find dialog box will appear that looks like Figure 4.5. FIGURE 4.5 Regedit’s Find dialog box

4. In the Find What text field, type in organization. Note that Regedit will search key names,

value entry names, and the actual data in value entries. There is a lot more data in the Registry than there are key and value entry names, so skip searching data whenever possible; uncheck the Data check box and click Find Next. On my system the first hit I got was for a key called MSExtOrganization, which was clearly not what I wanted, so I pressed F3 to tell Regedit to find the next match. Several false hits later, I found RegisteredOrganization. But how else can I find Registry keys? Microsoft’s Knowledge Base and white papers are great sources of useful Registry keys. Random Web searches can sometimes turn up some pretty neat stuff—or, as is usually the case with random Web searches, neat-sounding stuff that doesn’t work.

Even More Cautions about Editing the Registry If you’re just learning about the Registry, you’re probably eager to wade right in and modify a value entry. Before you do, however, let me just talk a bit about using caution when you manipulate the Registry. (I know I’ve mentioned it before, but it’s important, so I’m mentioning it again.)

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

87

88

CHAPTER 4

CONFIGURING WINDOWS SERVER: THE WINDOWS SERVER 2003 REGISTRY

The vast majority of Registry items correspond to some setting in the Control Panel, Active Directory Users and Computers, or some MMC snap-in. For example, you just saw how you can change the RegisteredOrganization directly via the Registry Editor. I only picked that example, however, because it was fairly illustrative and simple to understand. In general, don’t use the Registry Editor to modify a value that can be modified in some other way. For example, suppose I choose to set a background color on my screen to medium gray. That color is represented as a triplet of numbers: 128 128 128. How did I know what those color values meant? Because they’re the same as Windows 3.x color values. Color values in Windows are expressed as number triplets. Each number is an integer from 0 to 255. If I input a value greater than 255, the Registry Editor would neither know nor care that I was punching in an illegal color value. Now, in the case of colors, that probably wouldn’t crash the system. In the case of other items, however, the system could easily be rendered unusable. For example, I’m running Server 2003 on a system with just a single Pentium III processor, so the Registry reflects that, noting in one of the HARDWARE keys that 2003 is running in a “uniprocessor” mode. Altering that to a multiprocessor mode wouldn’t be a very good idea. Why, then, am I bothering to tell you about the Registry Editor? Three reasons. First, there are settings—important ones—that can only be altered via the Registry Editor, so there’s no getting around the fact that a Server 2003 expert has to be proficient in the Editor. Second, you can use the Registry Editor to change system value entries on remote computers. To use a very simple example: I’m at location A and I want to change the background color on the server at location B. To do that I have to physically travel to location B in order to run the Control Panel on the computer at that location. Instead of doing that, however, I can just start up the Registry Editor, choose Registry/Select Computer, and edit the Registry of the remote computer. (This is a lot less true than it once was with earlier versions of Server, as 2000 Server and Server 2003 have some very good remote control tools; but I’m sure that there will be instances where this is still useful advice.) This assumes that you have the security access to change the Registry of the remote computer— that is, you’re a member of the Administrators group on that computer. Third, Server 2003 comes with a couple of programs named regini.exe and reg.exe that let you write scripts to modify Registries. Such a tool is quite powerful; in theory, you could write a REGINI script to completely reconfigure a Server setup. Again, however, before you start messing with that program, please be sure that you have become proficient with the Registry. I’ve explained the various kinds of mischief that you can cause working by hand with the Registry Editor. Imagine what kinds of automated disasters you could start at 2.5GHz with a bad REGINI script! And while I’ve mentioned REG, I should mention that it does a whole bunch of things—it will search your Registry, do automated search-and-replace (think how quickly you could destroy a Registry with that!), automate creating and deleting keys and value entries, and import and export Registry data. Do a reg /? for more info. By the way, there’s another way to automate Registry changes through REGEDIT. You can create an ASCII text file with the desired Registry changes, then use an undocumented /s (for “silent”) switch to introduce the changes. The file has a particular format. The first line must be Windows Registry Editor Version 5.00, followed by a blank line. Then you enter a line with the full name of the Registry key that contains the value that you want to modify, surrounded by square brackets. Then type a line for each value that you want to modify, with the name of the value, an equal sign, and the desired value. Strings should be surrounded by quotes, and numbers—as in the DWORD type—should be prefixed by Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHERE THE REGISTRY LIVES: HIVES

DWORD:;

for example, consider the following file:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion] “RegisteredOrganization”=”MR&D” “NumberOfLicenses”=dword:00000003\

The first line identifies the file as a set of Registry changes. That first line is probably to keep someone from accidentally feeding some random file to REGEDIT, causing untold havoc from just an ill-thought-out mouse click. Then there’s a blank line and then the description in square brackets. The line afterward sets the RegisteredOrganization, as described earlier, and the final entry is just an imaginary setting that I created just to show how to do a number. If I put those five lines— it’s five, remember the blank line—into a file and called it mystuff.reg, I could make REGEDIT modify the Registry with it like so: Regedit /s mystuff.reg

And by the way, here’s a useful tip: if you use REGEDIT’s export function (Registry/Export Registry File), the resulting exported file is ASCII and is in the proper format for using /s to apply the values to another computer.

Where the Registry Lives: Hives The Registry is mostly contained in a set of files called the hives. (“Mostly” because some of it is built automatically every time you boot up your system. For example, Server doesn’t know what devices are on a SCSI chain until you boot.) Hives are binary files, so there’s no way to look at them without a special editor of some kind, like the Registry Editor. Hives are, however, an easy way to load or back up a sizable part of the Registry. Most, although not all, of the Registry is stored in hive files. They’re not hidden, system, or read-only, but they are always open, so you’re kind of limited in what you can do with them.

A Look at the Hive Files The machine-specific hive files are in the \WINDOWS\system32\config directory. The user-specific hive files are in the \Documents and Settings\username directories. (Actually, that’s where local user settings go; people with “roaming profiles”—discussed in Chapter 9—also store copies of their NTUSER.DAT on a network share.) You can see the hive files that correspond to parts of the subtree listed in Table 4.3.

TABLE 4.4: HIVE FILES Subtree/Key

Filename

HKEY_LOCAL_MACHINE\SAM

SAM (primary) and SAM.LOG (backup)

HKEY_LOCAL_MACHINE\SECURITY

SECURITY (primary) and SECURITY.LOG (backup) Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

89

90

CHAPTER 4

CONFIGURING WINDOWS SERVER: THE WINDOWS SERVER 2003 REGISTRY

TABLE 4.4: HIVE FILES (continued) Subtree/Key

Filename

HKEY_LOCAL_MACHINE\SOFTWARE

SOFTWARE (primary) and SOFTWARE.LOG (backup)

HKEY_LOCAL_MACHINE\SYSTEM

SYSTEM (primary) and SYSTEM.ALT (backup)

HKEY_USERS\DEFAULT

DEFAULT (primary) and DEFAULT.LOG (backup)

HKEY_USERS\Security ID

NTUSER.DAT

HKEY_CURRENT_USER

NTUSER.DAT

HKEY_CLASSES_ROOT

(Created from current control set at boot time)

Table 4.3 needs a few notes to clarify it. First, about the HKEY_CLASSES_ROOT subtree: It is copied from HKEY_KEY_LOCAL_MACHINE\SOFTWARE\Classes at boot time. The file exists for use by 16-bit Windows applications. While you’re logged on to Server 2003, however, the two keys are linked; if you make a change to one, the change is reflected in the other. The local user profiles live in \Documents and Settings\username, where each user gets a directory named username. For example, I’ve got a user account named mark, so there’s a directory named \Documents and Settings\mark on my computer. If I look in it, I find the files ntuser.dat and ntuser.dat.log. To summarize, then, the core of the Registry is the four Ss and DEFAULT: ◆

SAM

◆

SECURITY

◆

SYSTEM

◆

SOFTWARE

SAM contains the user database; SECURITY complements SAM by containing information such as whether a server is a member server or a domain controller, what the name of its domain is, and the like. Domain controllers do not have SAM files, but workstations (XP, 2000 Professional, etc.) and member servers all have SAMs. SYSTEM contains configuration information like what drivers and system programs the computer uses, which should be loaded on boot-up, and how their parameters are set. SOFTWARE tends to contain more overall configuration information about the larger software modules in the system, configuration information that does not vary from user to user. And then every user has an NTUSER.DAT with their specific application preferences in it. One question remains about the hive files, however. Why do all the files have a paired file with the extension .LOG? Read on.

Fault Tolerance in the Registry Notice that every hive file has another file with the same name but the extension .LOG. That’s really useful because Server 2003 (and in fact every version of NT) uses it to protect the Registry during updates.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

REGISTRY PERMISSIONS

Whenever a hive file is to be changed, the change is first written into its LOG file. The LOG file isn’t actually a backup file; it’s more a journal of changes to the primary file. Once the description of the change to the hive file is complete, the journal file is written to disk. When I say “written to disk,” I mean written to disk. Often, a disk write ends up hanging around in the disk cache for a while, but this write is “flushed” to disk. Then the system makes the changes to the hive file based on the information in the journal file. If the system crashes during the hive write operation, there is enough information in the journal file to “roll back” the hive to its previous position. The exception to this procedure comes with the SYSTEM hive. The SYSTEM hive is really important because it contains the CurrentControlSet. For that reason, the backup file for SYSTEM, SYSTEM.ALT, is a complete backup of SYSTEM. If one file is damaged, the system can use the other to boot. Notice that HKEY_LOCAL_MACHINE\HARDWARE does not have a hive. That’s because the key is rebuilt each time you boot so Server 2003 can adapt itself to changes in computer hardware. The Plug and Play Manager, which runs at boot time, gathers the information that Server needs to create HKEY_LOCAL_MACHINE\HARDWARE. Confused about where all the keys come from? You’ll find a recap in Table 4.4. It’s similar to Table 4.3, but it’s more specific about how the keys are built at boot time. TABLE 4.5: CONSTRUCTION OF KEYS AT BOOT TIME Key

How It’s Constructed at Boot Time

HKEY_LOCAL_MACHINE: HARDWARE

Plug and Play Manager

SAM

SAM hive file

SECURITY

SECURITY hive file

SOFTWARE

SOFTWARE hive file

SYSTEM

SYSTEM hive file

HKEY_CLASSES_ROOT

SYSTEM hive file, Classes subkey

HKEY_USERS_DEFAULT

DEFAULT hive file

HKEY_USERS\Sxxx

Particular user’s NTUSER.DAT file

HKEY_CURRENT_USER

Particular user’s NTUSER.DAT file

Registry Permissions Clearly you wouldn’t want just anybody messing with your Registry. So how is it secured? With permissions. Recall in Chapter 2 that you read that things in Server 2003—and let me get technical and stop saying “things,” and instead say “objects”—can have access control lists or ACLs associated with them. You can view and change these ACLs—assuming you have the proper permissions!—in Regedit by right-clicking any folder and choosing Permissions.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

91

92

CHAPTER 4

CONFIGURING WINDOWS SERVER: THE WINDOWS SERVER 2003 REGISTRY

As time goes on, Microsoft learns more about how to properly secure Server from outside attacks. Many Microsoft security patches are nothing more than just adjustments to the ACLs on some Registry key.

Remote Registry Modification You can modify another computer’s Registry, perhaps to repair it or to do some simple kind of remote maintenance, by loading that computer’s Registry. Regedit lets you do that simply; just click File/Connect Network Registry, and Regedit then asks for the name of the remote computer. You fill in the name, click OK and, if necessary, Regedit will ask for a username and password with permissions to access the remote computer’s Registry. Once Regedit is satisfied that you’re Da Man permission-wise, you get a new icon under your My Computer icon and the HKEY_LOCAL_MACHINE and HKEY_USERS subtrees of that remote computer. (The others don’t show up, as they’re all either dynamic or are simply mappings to subsets of the other subtrees.) You can then edit the remote computer’s Registry as if you were there. When done, just click File/Disconnect Network Registry and Regedit breaks the connection. You can also load a particular hive with the Load Hive or Unload Hive commands. More specifically, you can load or unload the hives only for HKEY_USERS and HKEY_LOCAL_MACHINE. Here’s how: 1. 2. 3. 4.

Start Regedit. Under My Computer, click either the HKEY_LOCAL_MACHINE folder or the HKEY_USERS folder. Click File/Load Hive. In the resulting dialog box, point to the exact hive file itself—a particular NTUSER.DAT on a share somewhere.

The hive shows up as another key. You can then edit it and use File/Unload Hive to disconnect from it. Warning And I know you’re getting tired of me reminding you, but I have to point out that Unload is not the same as Save. Those changes you made happened immediately.

Again, the Load Hive option appears only if you’ve selected one of those two subtrees. Unload Hive is available only if you’ve selected a subkey of one of those two subtrees. Why, specifically, would you load a hive or a remote Registry? In my experience, you typically load a hive in order to get to a user’s profile. Suppose a user has set up all of the colors as black on black and made understanding the screen impossible. You could load the hive that corresponds to that user, modify it, and then unload it. You could load and save hive files to a floppy disk, walk the floppy over to a malfunctioning machine, and load the hive onto the machine’s hard disk, potentially repairing a system problem. This wasn’t possible if you used NTFS on the boot disk of an NT 4 system unless you had multiple copies of NT 4—there wasn’t an easy way to get to a system with an NTFS boot drive. Under Windows 2000, XP, and Server 2003, however, you can go to the advanced boot options and boot to a command prompt even if the system’s damaged. There is yet another way to control Registries remotely, through something called system policies, which are covered in Chapter 9.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKING UP AND RESTORING A REGISTRY

Backing Up and Restoring a Registry By now, it should be pretty clear that the Registry is an important piece of information and that it should be protected. It protects itself pretty well with its LOG files, but how can you back it up? Unfortunately, the fact that Registry hive files are always open makes it tough to back up the Registry since most backup utilities are stymied by open files. The NTBackup program that comes with Server 2003 works well, and, while it’s a bit primitive, it can back up the Registry hive files. So if you use NTBackup—and it’s pretty good, when you consider its price—then you should tell it to back up your Registry every night. NT 4 had a terrific tool named RDISK that would back up your entire Registry with just a few keystrokes, but that’s nowhere to be found in Windows 2000 or later, including Server 2003. The replacement for RDISK can be found in the Backup program, which offers to create a System Repair Disk, just as RDISK did, through these steps: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.

Launch Backup (Start/Programs/Accessories/System Tools/Backup). Click the Backup tab. Make sure all directories and files are unchecked. Look under My Computer’s list of drives; the last option will be System State; check that. Next to the list box labeled Backup Media or File Name, fill in a filename or click Browse and choose a filename; this is where the Registry backup will go. Click the Start Backup button. In the next dialog box, click the Advanced button. Uncheck Automatically Backup System Protected Files with the System State. Click OK to dismiss the dialog box. Click Start Backup. Backup will then save the Registry. You can restore the Registry with Backup as well.

What if you want to back up only a portion of the Registry? As you’ve already read, Server 2003 includes a program called REG.EXE. It will, among other things, let you back up the Registry from the command line and while the system is running—but only one subtree at a time. It looks like REG SAVE HKLM\subtreename destination, where destination is the place that you want the backup to go, and the subtree names are, of course, SECURITY, SAM, SYSTEM, and SOFTWARE in the case of HKEY_LOCAL_MACHINE. Note also the abbreviation: REG accepts HKLM in place of HKEY_LOCAL_MACHINE, HKCU in place of HKEY_ CURRENT_USER, HKCR in place of HKEY_CLASSES_ROOT, and HKCC in place of HKEY_CURRENT_CONFIGURATION. A complete Registry backup to a directory named C:\RB would, then, require several lines: Reg save HKCR c:\rb\hkcr Reg save HKCC\Software c:\rb\hkccsoft Reg save hkcc\system c:\rb\hkccsys

And so on. You’d restore the Registry with REG as well. No one wants to play around in the Registry, but in real life, most network administrators will find a bit of Registry spelunking to be the only answer to many problems. Knowing how the Registry is organized and what tools are available to modify it will prove valuable to all Server repair folks.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

93

Chapter 5

Setting Up and Rolling Out Windows Server 2003 Every new version of Windows or its big brother, NT, is a mixed blessing. We usually get more capabilities, but also more complexity. Now, you’d think that a more complex operating system would be more complex to set up, but here’s a case where Microsoft has done a pretty decent job, as their setup routines get better and better with each OS version. If you’ve ever set up an NT 4 system, then you’re probably used to struggling with Setup to get it to accept third-party hardware drivers, but Plug and Play—which first appeared in Windows 2000 in the NT family and Server 2003 still has—largely solves that problem. Older NT required us to decide whether a computer would be a domain controller at setup time, but as with Windows 2000, all servers are born equal—you don’t have to decide which will be domain controllers until after the servers are deployed. Even better, Server 2003 comes with a variety of tools to assist you in rolling out servers unattended. You can script an install, as before, but scripts are easier. If you choose to use a disk-cloning routine like Ghost or Drive Image, Server 2003 includes an updated version of Sysprep, the utility that solves the duplicate SID problem that made many people chary of using cloners. And Server 2003 also includes my personal favorite rollout routine, the Remote Installation Service. Even if you’re not interested in scripting, cloning, or RIS, you’ll still like Server 2003’s Setup routine for its simplicity. The hard part comes when you want not only a stable, reliable installation, but also a repeatable process. This repeatable process will allow one-stop shopping for all of your installation needs and give you that clean and efficient install every time. However, to produce those perfect results time and time again, the planning and preparation phase of the install becomes even more important. Failure to properly plan out an install will most certainly result in a reinstall. Throughout this chapter, I’ll cover key fundamental planning steps, help you prepare your system for Server 2003, run through an install, and, finally, troubleshoot the mess we got ourselves into.

Planning and Preparation As it’s gotten on in years, NT has become more complex; putting an NT 3.1 system side by side with a Windows Server 2003 reveals that the OS’s complexity has probably grown by more than a factor of ten. Complexity means options and options require planning.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

96

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Well, I guess that’s not right—options don’t really require planning. So long as, that is, you don’t mind frequently reinstalling the operating system… Server 2003’s Setup is indeed better designed than earlier Setups, but it’ll still go far more smoothly with a bit of planning. So stay with me in this section and I promise you’ll end up saving time overall.

System Hardware Requirements Once again, Microsoft has upped the ante on system requirements. Let’s see what you’ll need, minimum, to build a system with decent performance. CPU Needs

While you can get Server 2003 running on something as slow as a 266MHz system, I strongly recommend at least a 1GHz system. Of course, 2GHz would be better, as would multiple processors. But one gig will do, provided you have lots of RAM. Which brings me to… RAM Requirements

We tend to think of CPUs as determining a system’s speed, but as has always been the case for the NT family, having enough RAM to give the OS a lot of elbow room is every bit as important in ensuring snappy performance in a server. But how much memory should you have? That’s a tough question because it depends on what you want to do with the server: a simple file and print server might run just fine with 256MB of RAM, where a system running SQL Server, Exchange, IIS, and the like probably needs at least a couple of gigabytes of RAM to run well. But even though it’s impossible for me to tell you a priori how much RAM you’ll need, let me offer this advice: put at least a gigabyte of RAM on any Windows Server 2003 that you build, more if you can. If you turn your server on and the lights don’t dim, then you haven’t put enough RAM in the system! (Just kidding…) More memory means more places for the memory hardware to fail, however, and that’s why you need error-correcting code or ECC memory. You may recall something called parity, a set of circuits attached to memory systems of PCs in the ‘80s whose job was to monitor the memory and detect data loss in a PC’s RAM. Such data loss could be caused by a bad memory chip, and you can find bad chips by testing your RAM with a good RAM tester program like CheckIt or QAPlus before deploying the server. But even perfect RAM chips can fall prey to random events that cause data loss; static electricity, power surges, and, believe it or not, infrequent extremely low-level radioactivity from the memory chips themselves can damage memory data. (Don’t worry, you won’t get cancer or mutations from your memory chips. Many, many everyday things in our world are mildly radioactive: the bricks cladding your house and, indeed, most kinds of ceramic produce an extremely small amount of radioactivity. Memory chips produce a radioactive particle once in a great while, and when they do, that particle may happen to cross paths with a location in memory—and when that happens, the memory bit may be flipped from a 0 to a 1 or vice versa.) In any case, parity was kind of frustrating in that it could detect that something was wrong, but it didn’t know what was wrong. PCs with parity memory were usually designed to simply shut down the PC when a memory error was detected using the parity method (which the error message would usually incorrectly call “a parity error” rather than a “memory error”—after all, if parity detected the memory error, then parity was working fine!), and shutting down an entire system just because parity discovered one damaged bit is a trifle extreme. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PLANNING AND PREPARATION

In contrast, most modern Pentium II-and-later–based systems (which, again, include the Xeon, Celeron, and of course the Pentium III and 4) can go a step further and implement ECC. ECC is cool because it not only detects memory errors, it corrects them automatically. So when that stray alpha particle or (more likely) power glitch scrambles a bit, ECC finds that problem and fixes it without ever bothering you. Now you may be wondering, “How much would such a wonderful feature cost?” Well, back in the old days, I worked on minicomputer systems with ECC that cost thousands of dollars. But most Pentium II–based systems can do it for about $20 per 128MB of RAM. Here’s the trick: most PC memories these days are implemented as synchronous dynamic random access memory, or SDRAM, packages. SDRAMs come in a 64-bit version or a 72-bit version. The difference in price between ECC and non-ECC RAM is small—about $25 on a gigabyte of RAM, when last I checked. That’s a pretty good price for a “data insurance policy.” Tip Recently I’ve noticed that people selling RAM don’t label it as “64-bit” or “72-bit”; rather, they’ve taken to calling all memory modules “64-bit” and then adding the phrase “w/ECC” or the like. If you’re in doubt about what you’re buying, insist that a phrase like “with enabled ECC memory” or something similar be in the invoice. And yes, you have to insist on that. I flatly cannot understand why anyone sells any PC system nowadays without ECC, but the majority of systems are still without the benefit of ECC.

You may have to go into your system’s setup BIOS in order to turn on the ECC feature. Not all systems activate ECC by default. Storage Requirements

A basic bare-bones installation of Windows Server 2003, Standard Edition chews up about 1.5GB of space on a hard disk. Of course, you’ll want to put things on the disk other than the OS, so you’ll need more than that—how much more is up to you based on what you want to do with the server. But if you’re just planning on building a system to play around with to get to know the OS better, I found a 4GB C: drive to be about the right size. Server 2003 brings some terrific news about inexpensive EIDE drives in that they are now treated asynchronously. Here’s what that means in English: throughout computing history, it’s often made better sense to buy a bunch of smaller drives instead of one large drive. That’s because each hard disk has its own independent set of read/write heads. More than one drive means more than one set of read/write heads, which means that it’s easier for the computer software to do more than one thing at a time. For example, you could often speed up an NT server by spreading its paging file across several separate physical hard disks. Unfortunately, that advice only worked with SCSI drives. The driver for EIDE drives, atapi.sys, couldn’t “juggle”—if you told it to simultaneously work with two or more EIDE drives, it would instead just alternate between the drives. Whatever software you were running would work fine; it would just run more slowly than it would if the EIDE driver could juggle. With Server 2003, that changes, and the atapi.sys driver is more facile. EIDE drives can run simultaneously, so long as they are on different EIDE channels. That’s not to say that I don’t recommend SCSI drives for servers—they’re almost always a better answer than EIDE—but for those on a severe budget, EIDE drives now look like an okay idea, where in earlier versions of Server, EIDE drives were a terrible idea.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

97

98

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

A bootable CD-ROM drive, although not required, is always highly recommended. A time always comes when your server crashes and you need a reinstall fast. Rather than scrambling for boot disks to get you connected to your installation source on the network, you simply pop the CD in and off you go. A network-bootable system—one that supports the Preboot Execution Environment (PXE) standard, version 0.99C or later—would be a real plus. This lets you set up a computer to boot from the network. You’ll like having this feature because it makes installing Server (or XP, for that matter) from a central RIS server much easier. All of your hardware requirements can be further summed up by referencing the Hardware Compatibility List (HCL). Every piece of hardware in your system should be on the list. Anything not on the list could generate problems from application failures to system crashes and probably won’t even install at all. Why? Most likely, if your hardware is not on the list, you will have a hard time locating a driver. Should you happen to have an OEM driver that came with the hardware, you are risking system instability because Microsoft hasn’t tested or guaranteed it to work. Why do you care? Because if you get on the phone to Microsoft and give them the requisite $245 in order to get them to help you with a problem, and then you tell them that you’ve got hardware that’s not on the HCL, the Microsoft support person gets to say, “Golly, I’m sorry, your stuff isn’t on the HCL, that’s the problem,” and hang up. Result: a free quarter kilobuck for Bill and no solution for you. If you trust the manufacturer of the hardware who provided the driver to have fully tested it with all aspects of Server 2003, fine. Be cautious, though. The best recommendation is that if you are buying new hardware, consult the list first. You can find the HCL on your Server CD ( \Support\HCL.txt) or on the Web at ftp://ftp.microsoft.com/services/whql/HCL/.

Preparing the Hardware Once you have your hardware, I strongly recommend that you get it working and compatible first. Throughout the process, Setup will examine, activate, reexamine, configure, poke, and prod at every piece of hardware in your system that it can find. This is where the Plug-and-Play intricacies come in. If everything in your system is true Plug and Play, this process should go off without a hitch. Mix in a few older devices that don’t fit this bill and you could get some serious problems, including complete setup failure. In this section, we’ll do whatever we can to avoid these problems before we even launch Setup.

Preparing the BIOS Most machines have highly configurable BIOSes, which can really play an important role in how Server 2003 operates. For the pre-Setup phase, you can look for obvious settings that may interfere with your installation. Your boot device order may need customizing to allow you to boot to the CD. This, I find, is one of the most convenient ways to do an install. But then again, if you weren’t expecting the CD to be bootable, you could inadvertently keep rebooting into the initial install phase from the CD over and over again, thinking you were getting the hard drive. Nothing major, but it has happened to the best of us. The most important parts of the BIOS you’ll prepare are Plug-and-Play configuration and interrupt reservations. Because most systems capable of running Server 2003 are fairly modern by default, this step is a little bit easier. The problem comes when you try to add older, non-Plug-and-Play components into your Plug-and-Play system. For example, you may have a non-Plug-and-Play device

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PLANNING AND PREPARATION

that is an old ISA network adapter, hard-coded for interrupt 10. When your Plug-and-Play devices come online, let’s say that you may have one that prefers to initialize on interrupt 10, not knowing that your ISA card will soon request the same. As soon as the driver initializes the ISA card, there’s conflict. The best thing to do is to configure interrupt 10 under your Plug-and-Play BIOS settings to be reserved for a non-Plug-and-Play card. This tells any Plug-and-Play device to leave that interrupt alone. But now you have the problem of determining what those interrupts are before you start the install. Your non-Plug-and-Play device may have a configuration disk that programs it for specific settings. There may be jumpers on the hardware. Most troublesome, there may be no obvious clue as to what it is set for. In this case, a DOS-level hardware analyzer may be required to identify those resources being used. Tip Actually, let me rephrase that last topic sentence. The best thing to do is to only buy Plug-and-Play–compatible hardware for your server. Period.

Once you have identified and recorded all required hardware information, return to your BIOS configuration. You may have a Plug-and-Play configuration screen that lets you define whether certain interrupts are available for general use—including being allocated by Plug-and-Play boards— or whether they should be reserved for ISA boards. Since non-Plug-and-Play boards are generally not BIOS-aware, they will continue to use the interrupt that has been reserved, but note that when your Plug-and-Play boards initialize, they will be denied the resource usage as defined by the BIOS. In most cases, the procedure of reserving resources through the BIOS will allow all hardware to work in harmony. If not, you may find it necessary to remove all nonessential, non-Plug-and-Play devices from your system before you begin. Then, once you have a successful install, add your hardware. Again, though, let me stress: if all of your hardware is Plug-and-Play, then you will probably have no trouble at all—so avoid that old non-PnP stuff as much as possible!

Partitioning In my opinion, planning the partitioning scheme seems to be one of the most overlooked portions of the installation process. Although Server 2003 gives you some more advanced features for managing your partitions after the install, what you decide on prior to the install will most likely stick with you throughout the life of your server. Knowing what type of server you are building plays a tremendously big part in the planning process. Let’s go back to our simple member server that serves out several shared directories and a few print queues. You may find it more convenient in the long run to keep your data on one partition and the system on another. In that case, you only need enough space for the OS, with a little breathing room—my suggestion is a 4GB partition minimum for the OS. If you are intending to use the Remote Installation Services, then be sure to set aside a big partition solely for its use. RIS cannot store system images on either the system partition (the partition that the system boots from, usually C:) or the boot partition (the one containing \windows). (And yes, the definition of “boot” and “system” partitions is completely backward, but then remember that this is an operating system where you click Start to stop it.) At this point, as both drive space and drives are cheap, I tend to buy more than one disk drive even for the smallest systems. Even my low-end EIDE-using servers have at least two hard disks—a 20GB drive that I make C: and put programs on, and a much larger other drive (120GB minimum) for data. And please note that I wrote that sentence in late 2002, so if you’re reading this in 2004, when the smallest hard disk you can buy will be 300GB, keep the time context in mind!

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

99

100

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Filesystems How to format your drives—NTFS, FAT, or FAT32? Nowadays, it’s a slam-dunk: NTFS. It’s secure, resilient, and fast. Yes, people tell me now and then that FAT32 is faster for large sequential reads and writes as proven by some benchmark, but I suspect that benchmark was done a long time ago in the days of slow drives, slow processors, and little RAM; I simply cannot create a scenario where FAT32 mops the floor with NTFS. In the absence of a strong performance difference, I can’t imagine why anyone would use anything but NTFS on a Server 2003 server. The most compelling argument in favor of a FAT C: drive on NT 4 for me was recovery. If I made C: a FAT drive and something went wrong, then I could boot a DOS/Windows 9x bootable floppy and fix things—DOS can’t read NTFS drives. But versions of NT from Windows 2000 on include something called the Recovery Console, which is basically a DOS for NTFS repair tool—you’ll learn more about it in Chapter 19. Note Speaking of that, you’ll sometimes hear people say that NTFS-formatted drives are the way to go (which I agree with) because they’re entirely secure (which I don’t agree with). The reasoning is that an NTFS drive supposedly can’t be read by booting up a DOS diskette, so someone sitting down at your server can’t just boot a DOS floppy and see your files. As nice as it sounds, this is a bogus argument because there are several approaches to reading NTFS drives when booted from a floppy running either DOS or Linux. The point is that if you let someone physically sit down at your server and boot a floppy, then you’ve got a serious security problem. No operating system can protect a server from a physical attack. I mean, it doesn’t matter how good your passwords are: if I want to damage your network and can get to your server, then I don’t need passwords to drop the server out of an eighth-story window.

One final point about file systems: if you do create a server on a FAT drive, you always have the option to convert the file system to NTFS later; just open up a command line and type convert /fs:ntfs. There is not, by the way, an option to convert back to FAT, so don’t make the change to NTFS unless you’re sure that it’s the way that you want to go!

Server Name This seems like a no-brainer, but it’s a good idea to plan your naming convention. There are two ways that most people make living with server names difficult. The first is underestimating the importance of server names. The second is overdoing it when it comes to a standard convention. By underestimating naming conventions, you end up with server names like GEORGE, ELROY, JUDY, and ASTRO on your network. This is fine for a small office LAN that will never grow too far beyond your ability to remember these names. When you start getting more than those few servers, it gets difficult to remember who is what. Sometimes people overdo standard conventions by defining so many formats, items, and indexes into the name that it becomes just as confusing. Some of the things people put in a name is the server’s geographic location, building location, room number, role, and an index. For example, a server in Annapolis residing in the Commerce Center building that is an Exchange server might be named ANNCCBEXC01. This information is fine, but keep it to useful information that resembles the important features in your network. Does your network and its users really care what building the server is in? What about the city? What if you add another Exchange server in the courthouse? That would be named ANNCRTEXC01. Perhaps a better method here would be to put the EXC first. Simplicity is key. You may want to define your network into systems and that’s it. If you had two

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PLANNING AND PREPARATION

Exchange systems, one for the Commerce Department and one for the Treasury Department, you may want COMMAIL01 and TREMAIL01. This may allow a better grouping of servers. The bottom line here is to really think about it. Get the customers and the people who will manage the network involved. Get a consensus on what is important and what is not important. Although you can easily change the name of the server later, you can’t easily change the hundreds or thousands of users’ workstations that connect to it. Note Here’s an interesting improvement: in earlier versions of NT it was a fairly bad idea to name workstations and user accounts the same—putting Joe on a machine named Joe led to the domain containing two accounts named JOE, both a user account and a machine account. That gave NT a bit of heartburn. But ever since Windows 2000, NT solves that problem by assigning machines account names ending in $, so Joe’s workstation’s account wouldn’t be JOE, it’d be JOE$. You do not see this $ in most domain tools, but it’s there.

Network Connection and Options Not knowing your network configuration ahead of time isn’t usually going to be a showstopper. Knowing it can save you time though. Protocols

Ever since NT 3.5, Microsoft has been trying to chivvy us into abandoning NetBEUI and making our networks 100 percent TCP/IP. Don’t get me wrong, I think it’s a great idea, but they’ve had to move slowly because lots of networks used NetBEUI, and because Windows 95 clients never ran very well with just TCP/IP—a few things like Network Neighborhood ran better with NetBEUI than with TCP/IP on 95. With Server 2003, Microsoft takes things a step or two further. First, as with Windows 2000, the only protocol that Server 2003 installs by default is TCP/IP. But Server 2003 is new in that it doesn’t even offer NetBEUI as a protocol option, offering only IPX and AppleTalk as TCP/IP alternatives. NetBEUI is available on the Server 2003 CD in the \VALUEADD\MSFT\ NET\NETBEUI folder, but you’ve got to do a bit of looking to find it! So if your network still has a bit of residual NetBEUI, now’s the time to do a little spring cleaning and go TCP/IP all the way. Setting up TCP/IP requires knowing a few things about your system—what its IP address, subnet mask, default gateway, and preferred DNS server will be, for starters, or will you instead use DHCP? (If you’re not clear on what those things are, take a look at Chapters 6 and 7.) Find out this protocol info ahead of time—those network gurus are never around when you need them in mid-install. Domain Membership

Almost every server will be a member of a domain rather than a workgroup, and in early versions of Windows NT you had to make some serious you’d-better-get-this-right-the-first-time-there’s-nogoing-back decisions at Setup time. Ever since Windows 2000, however, there’s a bit less pressure. In the pre-2000 days, you had to decide at Setup time whether a system was a domain controller or just a member server. With 2000 and later versions of Server, you needn’t answer that question now; instead, all systems come out of Setup as member servers and you can decide to change any of them to domain controllers later with a program called DCPROMO, which you’ll meet in Chapter 8. You can, however, join an existing domain from Setup. If you want to do that, you will need to have a computer account created in the domain. A computer account is almost identical to a user account, and like a user account, it resides in the accounts database held with the domain controllers. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

101

102

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

If the server is a member of a domain, it can assign rights and permissions to users belonging to its member domain or any of its trusted domains. This is important to your users. They should log in once to the network and never have to be asked for a password again. If the server resides in a workgroup, then the ability to give rights to domain users is out of the question, causing multiple login points. Upgrading Domain Controllers

Speaking of domain membership, here’s an important note about domain controllers. If you are thinking of upgrading an NT 4 box that is acting as a domain controller, then I urge you to think once and twice before upgrading. You can cavalierly upgrade just about any other computer, but the domain controllers need some planning, or you’ll be very, very sorry! You see, upgrading an NT 4 domain controller has an important side effect: it upgrades your NT 4 domain to an Active Directory—the Windows 2000 Server and Server 2003 name for a domain. Server 2003’s Setup doesn’t allow you to upgrade any of your backup domain controllers until you’ve upgraded the primary domain controller. So you might want to think twice before simply upgrading your existing DCs. Personally, I prefer a domain upgrade technique called “clean and pristine,” and I’ll discuss it in Chapter 8, the Active Directory chapter. You might want to read up to that chapter before doing any NT-to-Server 2003 surgery on your domain controllers. Basically, however, I advocate building a brand-new, empty Active Directory domain built atop either Windows 2000 Server or Server 2003 systems, then moving the user accounts over to that domain, leaving your old NT 4 domains in place “just in case” as you migrate. For small domains, however—say, 500 users or fewer—you may not have to do that much work, and an in-place upgrade to Active Directory may be an acceptable option. More on that in Chapter 8. Networking Components

These are the additional services to be installed, like Internet Information Services and DNS Server. This is where I like to say things like “Ooh… Quality of Service Admission Control Protocol… sounds neat, gimme that.” That’s exactly what we shouldn’t say. Don’t overdo it here. Every option selected installs another service or utility that will consume more resources on your server, and more software in your system means more places where bugs could lurk—and that means more potential places for viruses to attack. Keep those servers as lean and mean as you can by minimizing the amount of software running on them! Also be aware of the effect certain services may have on the rest of your network. Some services will require clients to be connected explicitly to a given server. On the other hand, some, like DHCP Server, act on a broadcast level and can affect clients just by being present. In addition, most services, also just by being present, have an adverse effect on available system resources. Hard-disk space is consumed for additional files, memory is taken up by loading more programs, and processor cycles are consumed by running excessive services that really don’t have anything to do with what your server is intended to do. Unless you will specifically be using the service on this particular server, don’t install these additional components. Server Licensing

Licensing options remain pretty much the same as they have since NT 3.51. You are given per-seat or per-server licensing modes: ◆

Per-seat licensing requires that every client on the network that accesses your server has its own license. This is the easiest method of adding up your licensing, because you only Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PLANNING AND PREPARATION

◆

account for how many clients you have; you don’t need to worry about either concurrent connections from those clients into a single server or to how many servers each client holds a connection. Per-server licensing differs in that each client-to-server connection requires a license. If a client connects to 25 different servers, that client will take up 1 license on each server, totaling 25 licenses. You may know this as a “concurrent use license.” It’s simpler because it’s easy to track—once that 26th person tries to attach, he’s just denied the connection—but it’s usually more expensive because you then have to buy a bunch of licenses for each server.

Which way to go? Well, the short answer is: Per-seat is almost always the right technique. But if you want more details… Warning Let me stress that licensing is not so much a technological issue as it is a legal issue. I’m not a lawyer and therefore not qualified to be your sole advisor about software licensing. The following is just my layman’s understanding of a legal issue. Do not make all of your licensing decisions based on information in this book. Microsoft’s licensing is so complex that you can ask the same licensing question of four people and get five answers. So the best you can do is to equip yourself with the facts and then go buy the licenses from some firm that sells Microsoft stuff.

Per-seat is usually the cheapest licensing method if you have more than one server. Under per-seat licensing, you buy a client access license, or CAL, for every computer that will attach to your enterprise’s servers. Again, that’s computer, not person. So if Joe Manager reads his Exchange mail from the computer on his desktop sometimes, reads it on the road with his laptop sometimes, and once in a while comes in through the firewall from home, then you need to buy three licenses for Joe Manager. Surprised? Most people are. On the one hand, it means that if three people share a computer, then those folks only need one CAL. On the other hand, nowadays everyone has one or more computers, so CALs start to add up. By the way, CALs list for around $40, although you can buy them in bulk more cheaply and large organizations usually have some kind of an unlimited-client deal. But you don’t want to run afoul of the software watchdogs, so if you go with per-seat licensing, then be darn sure that you’ve got every computer covered! (And, sadly, that may mean that you have to disallow employees from checking their e-mail or using other corporate resources from their home, unless they’re using a company-issued laptop.) Per-server licensing is simpler. You tell a server that you’ve purchased some number of CALs. The server’s Licensing Service (a built-in part of Windows Server 2003) then keeps track of how many people are connected to the server at any moment. If you have X licenses and the X+1st person tries to attach to the server, that person is denied access. This sounds simple, but the problem is that you’ve got to buy a CAL for each connection for each server. For example, suppose you have 4 servers, 25 employees, and 40 workstation PCs—there are more PCs than employees because of laptops and “general access” PCs. Suppose your goal is that all 25 employees can access any and all servers at any time. Under per-server licensing, you’d have to buy 25 CALs for each server, or 100 CALs total. Under per-seat licensing, you’d license each of the machines—all 40 of them—with a CAL. That one CAL would enable someone sitting at a machine to access any and all of the servers, no matter how many domains your system contains. Thus, in this case, 40 CALs would do the trick. In general, you’ll find that per-seat is the cheaper way to go, but again, be careful about remembering to license all of the laptops and (possibly) home PCs.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

103

104

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Most likely, especially in larger environments, the licensing has already been worked out ahead of time. Prior to starting your first install, make sure that your licensing is best suited not just for your network, but also for the way your clients use the network. Note Note, however, that if you already have Windows 2000 Server CALs, then you need not purchase upgraded CALs—2000 Server CALs are fine for Server 2003–based networks. Upgrade or Fresh Install?

Finally, you need to decide whether you will be upgrading an existing operating system or performing a clean install. This can be a real toughie. On the one hand, if you’ve got a server that’s already running a bunch of services, and each one took quite some time to get just so, then running Setup as an upgrade is pretty attractive. On the other hand, if you’re upgrading a system that will be working for some time to come, then it’s awfully appealing to use the fact that you’re changing the operating system as an excuse to also clean house, starting from ground zero and building a nice new system uncluttered by who-knows-what old data or programs that are just hanging around. Personally, I do a clean install whenever possible. But the key words there are “whenever possible.” If I really have about two hours to get an install done before the server’s got to be up and ready in a production environment, then an upgrade’s the way to go. But if I have a bit more time, I go with a clean install. Cleanly installed systems take time to tweak to whatever standards you’re using in your organization. Furthermore, I’ve had, well, spotty results from upgrades. In my experience upgrading from NT 3.1 to 3.5 (I lost my printer shares), 3.5 to 3.51 (some domain controllers simply refused to work), and 3.51 to 4 (several miscellaneous problems), I’ve run into problems. Having said that, I should in all honesty say that pretty much all of my NT 4-to-2000 upgrades were pretty smooth, so perhaps Microsoft has gotten the hang of upgrades. If you do upgrade, however, be sure to defragment your disk when you get done, and use the free pagedfrg.exe utility from www.sysinternals.com—it defrags your pagefile, a large and important file on your system. If you’ve decided on a clean install, there isn’t much more you need to do. If you’re running an upgrade, there are still a few considerations. The last thing you want to do is upgrade a cluttered system and carry over any issues that belong to the clutter. Many people sit in front of the server so much that they install their mail client, office suite, and other programs and utilities that are not related to what the server is supposed to be doing. These should all be uninstalled before running an upgrade. Look at your services on the server. Any third-party services, such as antivirus, Web publishing, disk defragmenting, or other types of software, should also be removed prior to beginning an upgrade. By doing so, there is much less to get in the way of your upgrade.

Setting Up and Installing Now that we have analyzed the life out of planning for an install, let’s get to it. Setup runs in three stages. First, the Preinstall Setup Wizard runs; you’ll only see this if you’re installing Server 2003 from inside NT 4 or Windows 2000 Server—that is, if you’ve popped the Server 2003 install CD into a system already running NT 4 or Win2K. This process defines those options that configure how to do the install. The second stage is the text-based setup, which simply defines where to install. Finally, the

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

SETTING UP AND INSTALLING

graphical-based setup stage, also called a setup wizard, customizes everything from installed protocols and services to computer name and domain membership to the system time and date. After this final stage is complete, your server should be ready for final cleanup.

Preinstallation: Phase 1 You install Windows Server 2003 from a set of files on your installation CD, the files in the I386 directory. As with all installations, though, there’s the very important question, “How do I make my computer able to see, copy, and execute these files?” The size of I386 means that you can’t put the whole operating system on a floppy. (Those days are waaaay gone forever.) Instead, you’ll have to deliver the files to your computer in one of several ways: ◆

◆ ◆ ◆

Put I386 on a bootable CD-ROM disc. This is how it ships from Microsoft. It’s easy to just boot the CD and follow the prompts, but this method won’t work for every system because some systems lack CDs, and some older systems have CD drives but cannot boot from them. Thankfully, this is not a very common problem, but it does pop up now and then. Put I386 on a shared volume on the network. This works, but you then have to somehow get the computer booted up enough to access network shares. We’ll talk more about this later. Set up a Remote Installation Services (RIS) server and set up your computer to boot to the RIS server with a Preboot eXEcution (PXE) client. I’ll cover that in the later section on RIS. Set up a simpler operating system (DOS or Windows 98 without the GUI, for example) on the computer, copy I386 to the computer’s local hard disk, and start Setup from inside the simpler operating system. You’ll see how to do this when we discuss the winnt.exe and winnt32.exe commands.

NT and 2000 veterans may be waiting for me to list the last option: start from boot floppies. For systems that had CD-ROM drives but could not boot from them, NT and 2000 could generate four floppies that could “wake the computer up” enough to read the CD-ROM drive and commence Setup. That’s no longer available under Server 2003. From MS-DOS, Windows 3.1, or Windows for Workgroups 3.11, you will need to start your setup in the DOS-based mode found with winnt.exe. Or, from Windows 9x, you can start in Safe Mode Command Prompt and run winnt.exe after issuing the LOCK command. From a Windows 9x system, or earlier versions of NT, you’ll launch the installation from the winnt32.exe. This GUI version of the setup executable gives you that user-friendly, yes-or-no click method of initiating the install. For this example, I’m using the drive letter F: as the CD source on an Intel-based system. To follow along, select Start/Run and enter the following: F:\I386\winnt32.exe

When Upgrading

If you have a system that can be upgraded to Server 2003, you will immediately reach the prompt to decide whether to run a clean install or an upgrade. If you do not have an upgrade-capable machine, you will be informed that an upgrade is not available, and the upgrade option will be grayed out. Note Only Windows NT 4 and Windows 2000 servers can be upgraded to Windows Server 2003.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

105

106

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

If running an upgrade, you’ll see an overall list of things that Setup will do, as well as a Welcome to Windows Setup opening wizard screen where you first choose whether to do an upgrade or not. You’ll then see the License Agreement screen, where you click I Accept This Agreement. But do take a minute to read it—most people don’t realize that in agreeing you assent to becoming an organ donor if Bill Gates needs a transplant. Okay, I’m kidding, but seriously you really should read this End User License Agreement or EULA (pronounced “yoola”) and every other one that you agree to…some of them are pretty scary! Following the license agreement, Setup will ask for the 25-character product key, presuming that you have a version of Server 2003 that requires that. Larger organizations will have CD-ROMS with the niftier corporate version of Setup, which does not require a product key. Next you’ll see something new to Server’s Setup program: Get Updated Setup Files. (New to Server, but XP’s done it since 2001.) The idea here—which is an great one, in my opinion—is that Microsoft realizes that over time bugs and security holes appear; in fact, it’s downright scary to install Windows 2000 on a system that’s attached to the Internet, as some IIS worms will actually find it and infect it before you’re even finished installing the silly thing! The updated Setup files (or Dynamic Update, as it’s called) let you pull down installation files that are newer than the ones on your CD, files that would be prepatched against the worm du jour. Now, of course, those files can be pretty large; as I write this there aren’t really any downloadable Setup files to speak of, but I’m sure in time you’ll need to download a few hundred megabytes of updated files. That’s why you’ll like that you can collect the dynamic update files to a share on your network and then tell Setup to use those files from a local share, rather than making you do a day-long download every time you install Server 2003. I’ll cover more on dynamic updates later in this chapter. Once you’ve told Setup whether or not to use dynamic updates, it goes out and checks for any particular items that might cause trouble with the installation. That’ll look something like Figure 5.1. FIGURE 5.1 Setup troubles

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

SETTING UP AND INSTALLING

You’ll likely get at least a few warnings; read them, and if they’re no problem just click past them to continue Setup. If you have a real showstopper, as in my figure, then Setup will just stop. Let me say again: read those warnings and errors! Microsoft does a pretty good job of explaining what they mean and how to address them. For example, note the IIS one—believe it or not, Setup disables IIS unless you’ve run their IIS Lockdown Tool, something that I personally don’t care for, or unless you make a Registry change. While an automatic Next is often the answer for wizards, it’s not in this case. Imagine running what seems to be a simple upgrade on your Web server, only to find that the Web server doesn’t work anymore! Once you’ve gotten past the warnings, assuming that you have any, then the system doesn’t ask you much else—upgrades don’t require a lot of interaction. When Installing Fresh

If, on the other hand, you started Setup from inside NT 4 or Win2K Server, then you will initially see the same things just described in “When Upgrading.” But in a fresh install, unlike an upgrade, Setup will then need a bunch of answers from you. Following the Product Key page, you get the Windows Setup page. This lets you set the desired language and accessibility settings. Copy Installation Files from This Folder Refers to the place from which you will be installing Windows Server 2003. This is useful if you’re installing from a folder where you’ve precopied all of the I386 files. If you’re installing from the CD, then you typically needn’t worry about this. Copy to This Folder on My Hard Drive Tells Setup what directory to install Server 2003 to. This defaults to \Windows (note the new directory—no more winnt!) but it can be changed to another directory if you want. If you intend to install multiple copies of Server on a system, then use a different directory name. This field won’t take the drive letter. Note that if you’re upgrading from 2000 or NT, you’ll end up with two OSes—one in \winnt and one in \windows. That can pose some problems, so either tell it to put the OS in \winnt so it’ll overwrite the old one, or skip starting Setup from inside the old OS and just boot from the CD and wipe the hard disk clean before installing Windows Server 2003. Copy All Installation Files from the Setup CD Creates a complete setup source on one of your local hard drives under the directory \$win_nt$.~ls. Under this directory, you will find the I386 source you are so familiar with. Note Most systems won’t need the Copy All Installation Files option selected. Server 2003 will do a pretty good job of loading the right drivers to reconnect you to your source after the reboot. However, if you fail to find your source for the text-based setup, this option will get you back on track.

I Want to Choose the Install Drive Letter and Partition During Setup Allows you to define which partition you will be installing Server 2003 in. Select it and you will get a prompt following the reboot to choose your partition. Accessibility Options Those available for Setup include the Narrator and Magnifier. By selecting these options now, the tools will be available during the next installation phase.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

107

108

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

After this page in the wizard, Setup asks about dynamic updates, and then copies the installation files to your hard disk. Setup’s now ready for the text-based portion of Setup, and it’ll prompt you for a reboot. Anatomy of a Machine Ready for Setup, Phase 2 Ever wonder what makes a system continue along its setup path after a reboot? Or have you ever started into the second phase of the setup, had all sorts of problems, and wanted to start from scratch? It will help to know exactly what causes the second phase to start upon reboot so you can easily remove it later. These components are going to be present on your system after completion of the preinstallation phase of the setup: ◆

On the boot partition, a directory named $win_nt$.~bt has been created.

◆

All critical Server 2003 boot files, including enough drivers to access the network or CD source, have been copied to the $win_nt$.~bt directory.

◆

In the $win_nt$.~bt directory, a file named winnt.sif contains the information you provided from the first phase of the setup.

◆

The Server 2003 boot files have been copied to the boot partition (unless you’ve overridden them with a winnt or winnt32 option) if not already present. The system is now Server 2003–bootable. (Note that when I say “boot” I mean it in the standard this-is-the-drive-that-the-computer-boots-from meaning, rather than Microsoft’s “official” definition—for some reason, they define the partition that contains the bulk of the operating system files as the “boot” partition, and the partition that you boot from as the “system” partition. Don’t ask me why.)

◆

The boot.ini is configured to default to the $win_nt$.~bt\bootsect.dat after 5 seconds.

Text-Based Setup: Phase 2 The text-based portion of Server 2003 Setup is very similar to Windows 2000’s text Setup. You get your welcome screen, make a few selections on where you want to do your install, and then you sit back and watch the Setup program copy a whole bunch of files. It’s a really simple click-Next-tocontinue process, but there are some gotchas hiding in there, so I’ll go through it a bit at a time. Note This is the first phase you’ll see if you’re installing by booting from the CD-ROM.

As soon as your machine boots into the text-based portion of Setup, you may notice a prompt at the bottom of the screen that tells you to press F6 if you need to install additional SCSI or RAID drivers. If you don’t want these additional drivers, just wait a few seconds and it will go away. But if your system has a SCSI or RAID controller that you know isn’t going to initialize without an OEM-provided driver, you’ll need to watch this part of Setup closely and hit F6. The install starts off with a Welcome to Setup screen. You have the choice to set up Server 2003, repair an existing Server 2003 installation, or quit. The Press F3 to Quit option will live with you throughout this phase of the setup. If at any time during this phase you decide that you want to abort your setup attempt, this will be your escape route. Upon this exit, your system will be rebooted, but be aware that your boot.ini file will not have been changed. Subsequent reboots will still by default cause your machine to restart the setup after 5 seconds at the boot menu. To get rid of this

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

SETTING UP AND INSTALLING

permanently, edit your boot.ini to reflect the default equal to your other operating system boot path of choice. My machine looked like the following: [Boot Loader] Timeout=5 Default=C:\$win_nt$.~bt\bootsect.dat [Operating Systems] multi(0)disk(0)rdisk(0)partition(2)\winnt="Microsoft Windows 2000 Server"/fastdetect C:\="Microsoft Windows 98" C:\$win_nt$.~bt\bootsect.dat="Microsoft Windows Server 2003 Setup"

To restore my machine to its original boot preferences, I changed the Default line back to my Windows 2000 Server boot selection and deleted the entire Windows Server 2003 Setup option. Consequently, my boot.ini looked like this: [Boot Loader] Timeout=5 Default=multi(0)disk(0)rdisk(0)partition(2)\winnt [Operating Systems] multi(0)disk(0)rdisk(0)partition(2)\winnt="Microsoft Windows 2000 Server"/fastdetect C:\="Microsoft Windows 98"

Press Enter, and if you already have some NT-family operating system running on this computer then Setup will ask if you want to repair it. As we’re installing fresh, press ESC to continue. That’ll take you to the Disk Partitioning and Installation Location Selection screen. Be careful here. There are two things to do. The most obvious is the selection of the partition in which you want Server 2003 installed. Highlight the partition where you would like Server 2003 installed, and press Enter. Let’s take this a step further. Beneath this screen is a very handy disk-partitioning utility. From here, you can completely redo your partitioning scheme. You can delete existing partitions, create new partitions out of unpartitioned space, and format partitions in either the NTFS or FAT format file systems. Note You can find more information on disk partitioning in Chapter 10.

Before we begin partitioning our drives, let’s go back to the planning session we had earlier. Suppose for the sake of example that we want a 1GB Windows 98 C: partition, a 2GB system partition on drive D:, and a 4GB data partition on drive E:. Just to give us all the necessary scenarios to describe how the setup phase partitions drives, we’ll assume we have a current partition scheme of a 1GB C: with Windows 98, a 1GB D:, a 2GB E:, and a 3GB F: partition. To go from a 1-1-2-3 gigabyte partition scheme to a 1-2-4 gigabyte partition scheme, we are forced to delete almost all partitions, since we cannot reorder partitions. In other words, we cannot massage our existing second partition of 1GB into a 2GB partition without giving it more room first. Let’s start by deleting the 1GB D: partition. Use the arrows to highlight the D: partition, and press D to delete. A confirmation screen will appear asking you to now either press L to continue the partition deletion or Escape to abort.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

109

110

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Warning Always take this opportunity to second-guess yourself. Once you press L to confirm the deletion of the partition, your partition and everything that was on it is gone. Ask yourself what data is on the D: drive. Make sure you can afford to lose it all. Do you have a backup of the data? If it contains a previous Server installation, do you have a backup of the security and accounts databases? If rebuilding a domain controller, have you promoted someone else to PDC? Do you have a recent Emergency Repair Disk available? If you are 100-percent confident that you don’t need anything on the partition, press L.

When you come back to the main Disk Partitioning screen, you’ll see that the second partition of 1GB is now marked as unpartitioned space. Of course, it does no good to repartition this space now because the most you’ll get is 1GB again. That would defeat the purpose of the exercise. You need 2GB. So move on down the list to what was the 2GB E: partition and delete it in the same fashion. When you return to the main screen again, after confirming the deletion of the 2GB partition, you’ll find that the adjacent, unpartitioned spaces have turned into a single block of unpartitioned space equaling 3GB. Just to keep it simple, we now have our 1GB C:, a 3GB unpartitioned space from our combined, deleted 1GB and 2GB partitions, and a remaining 3GB partition. At this point, we’ll go ahead and create our new 2GB D: partition. Highlight the 3GB free space and press C for create. You’ll move into a new screen where you’re shown the total available space within which you can create a partition and are asked how large a partition you want to make. By default, the maximum available space is filled in: 3GB. We want to drop that down to 2GB. Press Enter and presto! We have a 2GB new (unformatted) partition, followed by our remaining 1GB that we left out and the 3GB data partition. After we delete our 3GB partition, it will melt into the adjacent 1GB partition, forming a 4GB unpartitioned space. We can create the new 4GB space and we’re set with partitioning anyway. Now we still have to format our partition before we can use it. To format a partition, highlight the space listed as New (Unformatted) and press Enter to select the partition as your Server 2003 installation directory. Really, you’re not selecting a partition to format; you’re just selecting a partition in which to install Server 2003. If Setup finds that your chosen installation partition is not formatted, you’ll get an additional screen to do just that. You are shown options to format FAT or NTFS, and now Server 2003 includes the options to do “quick formats” in each case. Once again, return to our planning phase of the setup. We should already know what format we want. Once the format is complete, we continue onward with the installation. Tip If you want only to partition and format drives without continuing to do an installation, you can always choose to go backward after the format and select another partition to format or install to, or you can simply exit the installation program.

Setup will now examine your disks. This examination is not an intensive look into the reliability of your disk. It merely runs a CHKDSK-like utility to verify a clean file and directory structure. After the examination, Setup will copy all Server 2003 installation files to your chosen install location. Finally, the system will ready itself for the graphical setup phase and reboot. Changes from NT 4’s Text-Based Setup If you’re used to NT 4 servers and haven’t previously done a setup of either 2000 or Server 2003, then you’ll notice some things missing from this phase of the Windows 2000 setup compared to the setup for previous versions of Windows NT. You no longer get the options to define the following: ◆

Basic PC type Continued on next page Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

SETTING UP AND INSTALLING

Changes from NT 4’s Text-Based Setup (continued) ◆

Video system

◆

Keyboard

◆

Country layout for keyboard (defined in phase 1)

◆

Mouse

They’re not necessary anymore because Server 2003 (and 2000, for that matter) supports Plug and Play.

Graphical-Based Setup: Phase 3 As soon as you boot into the graphical-based setup phase of the install, Server 2003 will run a Plugand-Play detection phase to configure all your hardware. This can take quite a while, and because disk formatting and file copying (both in Phase 2) take some time and Setup reboots itself and moves directly to the PnP detection phase, I just walk away for a half-hour when the system starts formatting. By the time I come back, the format, copy, and PnP detection’s done, and I can start answering the wizard’s questions. Plug and Play, Regional and Language, and Name and Organization Screens

Something you’ll really like about Server 2003 and, for that matter, XP and 2000, is that their PnP engine isn’t as annoying as Windows 98’s—if it can’t find a matching driver, Server 2003 doesn’t stop in its tracks and say, “Find me a driver or I won’t do anything else.” Instead, you just see a question mark in Device Manager, and you can go find a driver and give it to Server 2003 at your leisure. As always, though, it’s a good idea to check the Hardware Compatibility List (HCL) at www.microsoft.com/ hcl/default.asp for the most up-to-date list. Tip If you have a device that isn’t supported on the HCL or doesn’t have a prepackaged device driver on the CD, you can use the /copysource or /copydir switch to copy an additional directory to be used during the setup. This can make your device drivers available for detection. Look for more details in “Performing Unattended Installs” later in this chapter.

Did you take my advice and go do something else while Setup formats the disk, copies the files, and runs the PnP detection? (Try something like computing the first prime number with more than a million digits or designing a working faster-than-light starship. You’ll have ample time.) Then, when you return, you’ll first see the Regional and Language Options screen. Set it as you like and click Next. (What’s that you say? “No Setup war stories about this page, Mark?” Okay, I have to sheepishly admit that as an American I live in the land of Defaultia—that is, all of the default language and regional (currency, date format, keyboard configuration) settings are American. So as a Defaultian I don’t honestly have much in the way of advice here, sorry.) Next is the Name and Organization dialog. The name and organization listed here show who the product is registered to; it isn’t used for anything related to the computer name or other means of defining the server on the network. Product Keys and Windows Product Activation

Click Next and you’ll get the Product Key screen, where you’ll type in the 25-character product key that came with your system. As I noted in my discussion of upgrades, your copy of Windows

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

111

112

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Server 2003 may not require this if you’re one of the lucky dogs who work for a big company and get the no-product-key CDs. If you do have to enter a product key, though, then get ready for a new Setup irritation, a brandnew Server feature called Windows Product Activation. You may know it from XP, but this is the first time that it’s appeared in Server. It’s a Microsoft copy protection scheme, and here’s how it works. When you get a copy of Server 2003, you also get a 25-character product key. Server 2003 tells you when you first run it that you must “activate” it. If you don’t activate it within some number of days—14 days on the copy that I’m working with, but I’ve seen different numbers on different copies of XP, so I presume that Server 2003’s got different activation limits as well—then it stops running. Activating Server is pretty easy, just a few mouse clicks and you needn’t even tell Microsoft anything about yourself. Your server first inventories the hardware on your server and boils that down to a 50-digit number. Your server then goes out over the Internet to a Microsoft database somewhere and says, “Hi, I’m a copy of Server with a product key of [whatever your 25-character product key is]. Have you seen me before?” If no one has ever activated a copy of Server with this particular product key, then the database server just says, “No, you’re fine, I’ll remember your hardware configuration,” and you’re activated. But what if the database server does have a record that says that someone activated a copy of Server with that product key before? Then one of two things are happening, at least in Microsoft’s eyes: either you’ve reinstalled Server 2003 onto the same hardware, and you just need to be reactivated, or someone’s trying to put the same copy of Server on two different machines. So the database server looks at the 50-digit hardware description value that it already has for that particular product key. If the hardware description matches or is very close to the one stored in the database, then the database server tells your copy of Server to go ahead and activate (reactivate, actually) itself. But if the hardware description value already in the database is sufficiently different from the one that the wants-tobe-activated server sent to the database server, then the database server sends a “do not activate” message to your computer. And, by the way, every time your computer boots, it computes that hardware description value and compares it to your system’s state upon the last boot. Again, if your system’s hardware is too different, then it’ll force you to reactivate, or at least to try to reactivate. How different is “different?” Suppose you have to change the hardware in your system—how much can you change it before it refuses to run? The answer is, no one knows but Microsoft, and they’re not talking. As XP’s been out for a while, people have come up with some heuristics, but here’s one hard fact that Microsoft let out: your base hardware value resets every 120 days. Therefore, if you only make one major change every 120 days, then your system will never come to believe that it should be deactivated. And in case you’re wondering, yes, this is incredibly annoying. But there are a few workarounds. First, if you’re going to rebuild your system, back up \windows\system32\wpa.dbl. It’s the file that your system uses when it boots to assure itself that you’re properly activated, and it also contains the hardware information. It’s encrypted with the RC4 algorithm, so apparently it’s not anything that you can look at. But if you back up wpa.dbl, reinstall your operating system, and restore wpa.dbl to sytem32 and reboot, then in my experience it doesn’t annoy you about having to reactivate. Second, if you did change a lot of hardware and your system requires you to reactivate, then go ahead and try. If it fails—it probably will—then the activation program gives you a toll-free number

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

SETTING UP AND INSTALLING

to call Microsoft where Allen Neiman, the Microsoft guy who is the mad scientist behind all this, assured me, “We’ll trust you,” and reset the database so that you can activate. Now, I’ve never had to actually do this (thank God), but from what I’m told, you have to read the 25-character product key as well as the 50-digit hardware description value (the activation program will furnish it) over the phone to a Microsoft employee, who then reads you back a 42-digit number that you will then type into the activation program. Sounds like real fun; I can’t wait until I have to do it. Licensing, Names, and Passwords

Once you’ve punched in the product key and clicked Next, the next dialog configures your licensing options, which are the same as previous versions of NT. There is per-seat licensing and per-server licensing. Per-seat usually makes more sense than per-server, but we’ve discussed licensing earlier— enter whatever makes sense for your network. After you click Next comes the computer name and administrator password definition. Setup offers a bizarre combination of letters and numbers based on your organization name, which you may want to change, unless of course you really want your servers called CX-7352RR35. You’ve also got to set a password to the local administrator’s account. Between the worms, viruses, and legions of disgruntled unemployed IT people who’ve decided to take up a career hacking, you’ve kind of got no choice these days but to put good passwords on your accounts, and the local administrator is no exception. Server 2003 helps you do that by suggesting that you use a “complex” password—six or more characters and a combination of at least three of the following: uppercase, lowercase, numbers, and punctuation. You don’t have to use a complex password, but if you don’t, Setup asks if you’re sure. Warning And if you’re thinking of being really lazy and setting a blank password, you might not want to—one of Server 2003’s new features is that accounts with blank passwords will not work over the network!

No matter what password you give the administrator, though, make sure you can remember it. I get tons of letters from people who say that they (1) did not create any other administrative accounts and (2) forgot the administrator’s password. They then hope that I can help them. I can’t. Winternals (www.winternals.com) has a neat program named ERD Commander that can reset the administrator’s password, but when last I checked it cost just under $400. I really want to stress how important this is. On a clean install, the administrator account is the only way to log in. Don’t forget this. But do pick good passwords. If a hacker’s going to try to crack into your system by guessing a password, then make his work harder by using a complex password. Then be sure to write that Administrator password on a sticky note and put it on the side of your monitor so you won’t forget it. (Just kidding.) Keeping Time—Time Zones Are Important!

Next you’ll see the date and time settings. By default, Microsoft figures that everything is in Pacific time, which is, I guess, in keeping with their Redmond-centric way of thinking—perhaps they want to free us from the tyranny of the Green Witch or whatever the name of those GMT guys are. What I’ve always found odd, though, is that Microsoft sometimes uses a city to represent every time zone, and for Pacific, it’s Tijuana. Now, I’ve got nothing against Tijuana, but I could name a few more important cities in the Pacific time zone. Like Fresno.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

113

114

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Seriously, this dialog is important because of Active Directory, assuming that you will be or are using it. In order for AD logons to succeed, workstations and member servers (which have to log on) must have their internal system clocks pretty well synchronized with the system clocks on domain controllers (which do the logging on of people and machines)—in fact if a DC’s time is more than five minutes out of sync with another computer’s time, then that DC can’t log that computer on. What gets some folks in trouble, then, is that they say, “The heck with the time zone,” and just set the clock to the local time. But Active Directory doesn’t care about time zones; it does all of its internal work in universal time—all time is in Greenwich (there’s that Green Witch again) Mean Time or Zulu time. So suppose a domain controller (call it DC) and a workstation (call it WS) are in New York. It’s 9 A.M. The DC’s clock is set to 9 A.M., and its time zone is set to Eastern. Meanwhile, the workstation’s clock is set to 9 A.M., but its time zone is set to Pacific. Both clocks look like they’re at the same time, but they’re not. Even though their clocks both show 9 A.M., the DC thinks it’s 2 P.M. GMT (Eastern time is five hours behind GMT for most of the year) and the WS thinks it’s 5 P.M. GMT. That’s three hours’ difference between their internal clocks, so the workstation can never successfully authenticate with the DC. So set your time zones properly! Networking Settings

After adjusting the time settings, Setup rattles the disk drives for a couple of minutes, announcing that it is “installing the network.” The network settings give you two choices: typical and custom. The typical settings assume that you will want the Client for Microsoft Networks, TCP/IP using DHCP addressing, and File and Print Sharing. By choosing custom settings, you can add, remove, or customize protocols, clients, and services. If you want to assign static IP information, highlight TCP/IP and click Configure. By clicking the Add button, you will be given a choice of Client, Protocol, or Service. You can add more clients, like Client for Novell Networks; more protocols, like AppleTalk, IPV6; or more services. At the Workgroup or Computer Domain selection page, you can join either a workgroup or domain by selecting the appropriate radio button and typing the workgroup or domain name in the corresponding box. If you join a domain, you must have an account created for your machine name. You can do this two ways. The first way is to select the Create Computer Account button. After clicking OK to join the domain, you will be asked to enter an administrative account name and password. This account must be one with either Administrator or Account Operator rights. If you’re using an account from the domain you are joining, enter the account name and password. If you’re using an account from a trusted domain of the one you are joining, type the full domain and account name in the DOMAIN\ USERNAME format. This will inform the validating domain controller of the location of your account. The account creation will be initiated from the server you are installing. The second method is to not select Create Computer Account but have one created ahead of time. You may want to employ this method if the person running the install doesn’t have the appropriate rights and doesn’t want to have to hunt down an administrator when this step comes up. In this scenario, go to Server Manager for the NT 4 domain on which you want to add the server and select Computer/Add to Domain, or go to Active Directory Users and Computers and select New/Computer. Select NT Workstation or Server and type the name of the computer. During the installation of the server, leave the Create Computer Account option unselected, enter the correct domain name, and you should be set.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

SETTING UP AND INSTALLING

Because of security concerns, though, the computer account you create will change its password immediately upon a successful joining of the domain. This means that if, for some reason, you redo a clean install of a machine that already has a computer account, you can’t have your new install assume that account. You must either delete and re-create the account with the same name, or build the new server with a different name. Computer Accounts Computer accounts are just like user accounts, and you can see them in the Active Directory Users and Computers tool (which we’ll discuss in Chapter 8) or in Server Manager on NT 3.x and 4. If you have enabled auditing of successful account management on the domain, you will see an Account Manager security event #624 logged in the PDC of an NT 4 domain or a similar event on any DC of an AD domain. A 624 event is a “create user account” event. Let’s say you create a computer account for a new server named CADDY in the LAB domain. Under the details of the security event, the account name that was created will show as CADDY$. This CADDY$ account will be used for all communication between the server and the domain, such as validating user passwords. Once the new server and the PDC “shake hands,” the server will initiate a password change for the CADDY$ account. Every 7 days thereafter, the server will again initiate a password change. The same procedure of account and password maintenance is used between domains for trust relationships. So why is changing a password such a big deal? Well, the server is going to assign permissions to its resources based on domain user accounts. The server isn’t going to blindly trust that anyone who claims to be from the LAB domain is a valid user; it wants to make certain that they are in fact a LAB user from the real LAB domain. By having this unique account with a highly secured password, the server can do just that. If the server asks the LAB domain to validate a user but the LAB domain doesn’t recognize the correct CADDY$ account and password, authentication fails. This makes it nearly impossible to transport a server out of its domain and gain access to its data.

Once you’ve clicked Next, Setup starts actually, well, setting up. The system will reboot and you’ve got a working server. The boot.ini will now be changed to reflect the new Server 2003 install as the default boot option. There is, however, one more step that can optionally be done here. If you need to run another program, perhaps a setup program for some utility or application, then you can tell Setup to run it automatically, using the winnt32.exe command-line parameter /cmd:command. (Of course, using this command-line parameter means that you needed to add that /cmd option when you started running Setup, so if you’ve been doing Setup while following along, this advice is a bit late.) This could be used to run a batch file or utility to perform such tasks as transferring user data, installing programs, or other means of further automating your installs. (This is covered in more detail later in this chapter in the section on unattended installs.) The system will now reboot into a full-fledged Server 2003 operating system. Tip But if it doesn’t, then try running WINNT32 with its debug switches, WINNT32 /debug2, /debug3, or /debug4, which offer more information. Debug3 gives more information than debug2 and, in case you’re wondering, debug1 is just the default. The log file is in \windows\winnt32.log, or you can add a colon and the name of a log file, as in winnt32 /debug4:whathappenedanyway.log.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

115

116

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Postinstallation Procedures After the installation is complete, there are still a few more steps to perform to finalize the server and prep it for production: ◆

On the first reboot, the Manage Your Server page will pop up automatically. It will identify the last few steps that must be completed to configure your server based on the additional network components you installed. It will also ask you some questions about your existing network to help you determine whether you want to install an Active Directory. I personally find the Manage Your Server page unhelpful and tend to just close it, but that’s just my opinion— try it if you like. I’ll show you how to manage your server with as few of those dumb wizards as possible!

Note See Chapter 8 for more information about Active Directory and when and how to launch the Active Directory Installation Wizard, DCPROMO. ◆

◆

◆

◆

Check your device manager for undetected or nonfunctioning hardware components. If you removed any hardware prior to the install due to conflicts, add them back in now. Before you are truly done with the install, every piece of hardware should work properly. You’ll want to finalize your disk partitions. In many clean install scenarios, you may have unpartitioned space left on your hard drive. Refer to Chapter 10 and take care of these partitions now. For most new installations using TCP/IP, a DHCP address will be in effect. This may not be a standard practice for production servers. If necessary, acquire and configure the appropriate static TCP/IP information. See Chapters 6 and 7 about TCP/IP and related services. In many larger network environments, certain services, utilities, tools, or other programs are loaded on all servers. For example, some sites may utilize enterprise management tools that require the usage of an agent that runs on the server to collect and pass information up to a management console. Most likely, some sort of backup software will need to be installed also. Find out what additional software is needed and install it now.

Tip You always want to completely configure a server and install all of its additional components before it goes into production. By production, I mean the point at which the first user connects to the server. Since many additional services, configurations, and software components will require a reboot, you’ll want this out of the way up front to avoid further disruptions of your users’ work. ◆

◆

Run through the Control Panel applets to set all server configurations the way they should be for the long haul. Especially noteworthy are the System Control Panel settings for the pagefile and maximum Registry size. At this point, you may get the urge to walk away. Well, hold on just a minute. Too many times, people make some last-minute changes, like the Control Panel settings, and leave it at that. Even though you were never told to reboot the system—your changes were instantly accepted—there may be some unexpected side effects the next time you reboot. Just in case, give it another reboot now, before your users begin counting on the server being available.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

TROUBLESHOOTING AN INSTALLATION

◆

◆ ◆

If the system is a dual-boot machine, which is usually not the case on a server, boot into all operating systems to make sure the system integrity is intact and all data is available from all required operating systems. Once the system itself is complete, create an automated recovery disk. And as an extra safeguard, you may also want to run a full backup. Finally, a step we rarely perform is documenting the server. Ask yourself if anyone else could take care of the server should you decide to take a week off for a golf vacation. If there are any special things you have to do, like restart a service every day, it should be documented. This is a step you must take before you can consider your operating system “installed.” See Chapter 19, which covers preparing for and recovering from server failures, for more details.

At this point, you should have a production-ready server and a method for creating this same server time and time again. It seems like a lot of extra work is required in addition to actually installing Server 2003, but it is well worth the trouble.

Troubleshooting an Installation Server 2003 produces a relatively smooth installation. Plug and Play helps in many ways by eliminating the need to know and preconfigure all of your hardware prior to launching an install. There will be a few instances where you will have problems, though. We discussed failed hardware components earlier. If your system locks up during the hardware detection and configuration phase, you have something that does not play nicely in the sandbox. Sometimes it will be obvious which component is the culprit. Sometimes it won’t be so easy. Start with the obvious methods of troubleshooting—the /debug setup parameter discussed in the “Command-Line Automation” section later in this chapter. This will definitely help identify where the install goes wrong. The next step is to either resolve or work around the problem. If you have hardware conflicts causing problems with your install, you have a couple of options. First, you could configure the hardware and BIOS, as was discussed earlier in “Preparing the Hardware,” to get along with the other hardware. Maybe the troublesome hardware is a sound card that refuses to accept the detection phase. Rather than spend x amount of time trying to get it to work, pull it out of the system. Get the Server software running first. Then add the component later. Let’s say you completely blow an install at some point. You want to start over from scratch, but you don’t want to format your partition and lose potential data. There are three things on your hard drive related to the install that you will want to clean up before starting over: ◆ ◆ ◆

The $win_nt$.~ls directory if you copied all files to the system The $win_nt$.~bt directory A line in your boot.ini pointing to $win_nt$.~bt\bootsect.dat

Removing these entries will make your system completely forget that an install was ever happening, allowing you to start over at square one. Be careful when modifying the boot.ini. If you’re reverting to an old operating system, make sure your boot.ini default is put back to the way it was. Leaving an entry pointing simply to C:\ will let your DOS or Windows 9x operating system’s files boot the system. Here’s a sample boot.ini file for a dual-boot Server 2003 and Windows 98 machine: [boot loader] timeout=30 Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

117

118

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

default=C:\ [operating systems] multi(0)disk(0)rdisk(0)partition(2)\windows="Microsoft Windows Server 2003" C:\="Microsoft Windows 98"

The [boot loader] section defines how your boot menu will act. This example shows a time-out of 30 seconds, at which point the default operating system on C:\ will be booted. Once the boot process continues to the C:\, it will require the standard boot files of that operating system. In Windows 98’s case, that is the MSDOS.sys and IO.sys. The [operating systems] section defines the selection menu and where the operating system corresponding to each choice resides. Here, Windows 98 resides in C:\, and Server 2003 resides on multi(0)disk(0)rdisk(0)partition(2)\windows. This translates into the \winnt directory of the disk and partition defined by the address of multi(0)disk(0)rdisk(0)partition(2). (And in case you’re wondering, no, I wouldn’t put 98 on a disk with Server— this is just an easy-to-follow example. Note See Chapter 10, “Managing Windows Server Storage,” for complete details on how logical drives are defined in Server 2003. Note In the unlikely event that you have put both 98 and Server on the same system (perhaps for testing) and you want to get rid of the Server 2003 boot menu altogether and return to your single bootup in Windows 9x, you must delete the boot.ini, NTDetect, and NTLDR from your boot partition. After they are gone, you will need to re-SYS your boot partition to make it fully DOS- or Windows 9x–bootable again. The best way to make sure this will work is to first boot into your DOS or Windows 9x operating system, format a bootable floppy, and copy sys.com to the floppy. Delete the Server 2003 boot files just listed, reboot your system to the floppy, and run a SYS C: command.

The Recovery Console Server 2003 has a nifty new Recovery Console that can go miles farther than the old methods of fixing broken installations. Take this scenario—one that I’ve dealt with numerous times. An important system file gets corrupted…umm, deleted. You know how it goes, “Let’s see, NTFS.SYS, I never use NTFS.SYS, let’s just delete it to make more space.” The next time you reboot, the system won’t come up. Go figure. Now you need to copy a new NTFS.SYS to your hard disk. You make a bootable floppy, put NTFS.SYS on it, reboot to the floppy, and find out that your system partition is NTFS. We all know that you can’t boot to a DOS floppy and access an NTFS partition. Enter the Recovery Console. What is the Recovery Console? It is a scaled-down cross between a DOS command-line environment, certain Server 2003 Setup functions, and partition-correcting utilities, all with the capability to access NTFS partitions. The first thing you need to do is get into the Recovery Console. There are two ways to do this. First, you can launch the WINNT32 Setup program with the /cmdcons parameter. A brief setup routine and file-copying session will take place to create your console. Once completed, your boot.ini will reflect a new operating system selection, Microsoft Windows Server 2003 Command Console. Simply boot your machine and then select that menu item. Of course, this method would only work if you had the foresight to install the console before the system broke down. If you haven’t created it ahead of time, don’t worry, you can get there from the normal setup routine.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

TROUBLESHOOTING AN INSTALLATION

Launch Setup as you normally would—from the CD, the boot floppies, whatever you prefer. At the Welcome to Setup screen, select the Repair option. From there, you will get the option to repair your installation using either the emergency repair process or the Recovery Console, and off you go. Once you enter the console, you get a selection of all Server 2003 installations on the system. Enter the number of the installation you want to work on and press Enter. Note When entering the console from Setup, you go straight into the console. When entering the console from your boot menu, you’ll need to press F6 at the Press F6 prompt to install SCSI drivers. This will let you access your SCSI hard drives or CD-ROMs that require a driver.

The next step is validation. One of the major differences between the FAT and NTFS filesystems is security. Even though you can see the NTFS partitions now, you still need to have access to the filesystem. The console will ask you to enter the Administrator password. After you enter the password, you are dropped at a command prompt in the systemroot directory of the installation you chose. Simple! Well, now what? You’re at this command prompt. What do you do with a command-prompt-only version of Server 2003? Start off with a HELP command, which shows you a list of all available commands. You can do things like copy files, change directories, format drives, and other typical DOS-like file operations. To resolve the current problem, you just copy your NTFS.SYS from your floppy to your Windows Server 2003 installation folder and you should be back in business. In addition, there are some other commands that can help you get your server back up and running: DISKPART This command will launch a disk partitioning utility almost identical to the utility we used during the text-based phase of setup. FIXBOOT This command will make a new boot sector on your drive of choice and make that partition your new boot partition. If you happened to destroy your boot sector information and can’t boot at all, this may be your best bet. FIXMBR

This command will repair the master boot record on the selected drive.

DISABLE If you are having problems with a device that is not letting Server boot completely—let’s say you accidentally changed a device’s startup parameter or installed a new service that keeps killing your system—the DISABLE command will let you prevent that service or device from starting. ENABLE This is just the opposite of DISABLE. Let’s say you disabled an important boot device; reenabling it may be the easiest solution. LISTSVC Both the DISABLE and ENABLE commands require that you tell it which service or device to alter. This command will give you a list of all devices and services. SYSTEMROOT This command gives you a quick return path back to your systemroot directory without having to fight those long, pesky CD commands. It also helps you when you forget which drive and directory your chosen Server 2003 installation resides in. LOGON The logon command takes you back to your first prompt of the Recovery Console so you can choose another installation to repair. HELP

In case you can’t remember the command, this is a nice little reminder.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

119

120

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Now that you know what the Recovery Console does, let’s run through a couple of examples. We’ll take the first example from our earlier scenario, a known missing or corrupt NTFS.SYS. Once we’ve logged in to the Recovery Console for our Server installation and copied a fresh NTFS.SYS to our A: drive, we need to copy it to our systemroot directory. We should already be in the systemroot directory, but just to be sure, we type systemroot. Now, we type copy A:\NTFS.SYS. Easy, huh? Here’s another problem. We have recently installed a new service named RudysNeatVirusScanner. It is set to start automatically during boot up, but as soon as it does, blue screen! Into our Recovery Console we go. At the prompt, type listsvc. We should see, among our many devices and services, RudysNeatVirusScanner service set to automatic. Now, we type disable RudysNeatVirusScanner. Next time we reboot into Server, we should get in just fine and should probably uninstall the problem software. The Recovery Console is a handy utility that can get you out of a lot of trouble. Once you have installed Server 2003, it might not be a bad idea to run the winnt32.exe with the /cmdcons parameter. This won’t actually launch Setup, just configure the console. You will always have the console available in your boot menu, although it won’t be set as default.

Performing Unattended Installs: An Overview Got 50 servers to install? Getting a little tired of shoving CD-ROMs into drives and baby-sitting the setup process, answering the same dumb questions over and over again? Then you need to learn about unattended installs! An unattended install is simply a method of providing the answers for the setup questions before they are asked in order to automate the installation process. There is no other difference in the install itself. But why do you need to automate? Usually, automation is most beneficial in large networks where Server 2003 machines will frequently be built. By automating these installs, numerous hours can be spared that would otherwise be spent sitting at the console. Another benefit of unattended installs is that they can be run by non-experts and produce the same wonderful results every time. This could help in those environments where the only on-site server operator is not an experienced administrator. Rather than spend hours walking them through an install to your specifications, you can merely give them a single command line and be done with it. Microsoft provides three different tools to make it possible for you to do unattended installations, and I’ll explain them to you in the remainder of this chapter. Before getting into the details of these tools, however, I want to provide some perspective on how you’d use these tools. I’ll cover three major areas: ◆ ◆ ◆

Scripting installations Using Remote Installation Services Using Sysprep

Scripting In its simplest form, a script is just a file that preanswers all of those questions that Setup asks—what shall we call the computer, what is your name, what’s the product ID value, that sort of thing. So what’s to learn? Well, first of all, you have to learn the language of scripts; like most computer things, scripts have a specific syntax that you must follow or they won’t work. It’s not a hard syntax—I don’t

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

want to scare you away—but there’s a syntax nonetheless. Microsoft has made your script-writing job pretty easy, in that they’ve included with Server 2003 a program that asks you some questions and then spits out a script. It’s only a basic one, and you’ll have to add a few lines to make it useful, but it’s a good start. Once you’ve done a little scripting, however, you’ll soon want more flexibility and power out of the scripting language—and you can get it. There’s a whole next level of scripting power via what are called the OEMPreinstall options, and you’ll learn them next.

Delivery: CD-ROM or RIS All a great script does is to save you having to answer questions while running Setup—but first you’ve got to get Setup running in the first place. The next set of tools simplifies the process of delivering all of the setup files to the new PC to begin with. The simplest way to start up a setup is to shove a CD into the computer’s CD-ROM drive and then boot from the CD. But how to supply the script? With a trick, as you’ll see—put the script on a floppy disk and call the script winnt.sif. But who wants to walk around with a CD-ROM, and, besides, what if you want to deploy more than just the operating system? Well, under NT 4, you’d have to create a network share that contained all of the NT installation files, then you’d have to figure out how to get a computer with nothing on its hard disk connected to the network in the first place. Windows Server 2003 (and 2000, for that matter) again simplifies matters with a tool called Remote Installation Services (RIS). With RIS, you can store prebuilt Windows 2000, XP, and Server 2003 installation files and scripts on a server—a RIS server. Then RIS eliminates the need to wonder how you’re going to get your new computer attached to the network in the first place by supporting a network boot standard that many new computers support called PXE, the Preboot Execution Environment. And if you don’t have a PXE-compliant computer, that’s not a problem; RIS can generate a generic floppy disk that will allow most desktops and some laptops (laptops are the weak point here, as you’ll see) to connect to a RIS server, with no built-in PXE support needed. And if you’re a current Windows 2000 RIS expert, then you might be thinking, “Wait a minute, Mark—RIS only distributes 2000 Professional. You can’t use it to deliver Server.” But you can, actually; that’s one of Server 2003’s new features.

Sysprep For some folks, the two things that I’ve just described—scripting and delivering setups—is the slow way to do things. Many firms prefer to first create a computer that looks just exactly as they’d like all of their computers to look. Then they create hundreds of exact duplicates of that prototype computer, “cloning” the prototype’s hard disk, and in the process quickly roll out hundreds of readyto-work desktop or server computers. The only problem with this method is that until the advent of 2000, Microsoft didn’t support people who do that, as cloning results in computers that lack unique SIDs, security identifiers. But, as of 2000, Microsoft has a tool that makes a prototype computer “clonable,” called Sysprep. And, as you’d imagine, it’s gotten better with Server 2003. Now we’re almost ready to get into the details of scripting—but before we do, let’s take a quick look at the program that starts off a Server 2003 Setup in the first place or, rather, the two programs that start a Windows Server 2003 Setup: winnt.exe and winnt32.exe.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

121

122

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Command-Line Automation: Controlling WINNT[32] When you simply boot a system from the CD-ROM, then you’re not aware of the name of the program that starts off the setup process. But you can also initiate a Windows Server 2003 setup from the command line with one of two commands: winnt32.exe if you’re starting the setup from a computer that’s already running Windows NT or later, or winnt.exe for a system running DOS or Windows 3.x or 9x. Note Someone always e-mails me to correct me, saying that you use winnt32.exe for Windows 9x. Not me. I boot 9x systems to Safe Mode Command Prompt, use the LOCK command to lock the C: drive, and install. There you need winnt.exe.

The command-line parameters of these programs tell the Setup program where your source installation files are, where you want to install Server, where your answer file is located, and other information needed to prepare for the setup. A command-line parameter can also be used to copy an additional folder to your setup source so that those files will be available during the installation. This is handy when you have OEM drivers for the hardware you want to install during the setup rather than waiting until afterward. Before you start using command-line parameters, it is important to really understand them. They can have a very profound impact on the installation process, so let’s go over the WINNT32 options: /checkupgradeonly Whenever Setup begins, it checks to see if an upgrade is possible. Setup will not attempt to actually run the install. /cmd:command This option will launch the given command line before the setup process has completed, which will allow you to perform some additional customization or launch other programs. /cmdcons If you have a failed installation on your system, this option will add a Recovery Console item to your boot.ini operating system selection menu. /copydir:folder When you’re doing automated installs for a large number of machines, this may be one of the most useful options in your arsenal. How many times have you been stopped in the middle of an installation because your network card drivers are, well, on the network? You resort to copying files to a floppy, spend 10 minutes trying to find one, format it, copy files, and hike them back to your server. What a bother. The /copydir option can really help you out here. It will copy the specified folder to your installation directory during setup—while you’re still connected to your network. /copysource:folder Similar to the /copydir option, the /copysource option copies a specified folder to your installation directory. The major difference between the two is that the /copysource directory is deleted after setup is complete. /debug[level][:filename] You can tell Setup to log debugging information to a given file based on the following criteria. Level 0 logs severe errors only, 1 adds regular errors, 2 includes warnings, 3 adds all informational messages, and 4 incorporates detailed information about the setup for complete debugging purposes. For example, you could use /debug3:setuplog.txt. /dudisable

This option lets you skip the dynamic update part of Setup.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

/duprepare:path containing CAB files with updates This is not a command that you’d run at Setup. Instead, you use this to prepare a directory that contains updates so that when you do run Setup on a system, you can use the /dushare option to point Setup to these updates. This is a pretty new process in the Microsoft OS world and the instructions on how to do this change regularly, but the most current details are at www.download.windowsupdate.com/msdownload/update/ v3/static/DUProcedure/Dynamic%20Update.htm. You don’t go to the regular windowsupdate .microsoft.com location to download fixes en masse; instead, you go to windowsupdate.microsoft .com/catalog. /dushare:path to share created by duprepare Once WINNT32 /duprepare has reconfigured the patch and update files that you downloaded from Windows Update, you can set up a new computer and simultaneously apply the latest patches with the /dushare: option. /m:folder This option can be dangerous. When the setup process begins to copy files, the /m option tells it to look in the specified folder first. If that folder contains files to be used in setup, those files be will used. If the files are not present, they will be retrieved from the regular installation source. This can be helpful if a hotfix or alternative version of a file that you choose to use for every install (rather than the default version on the CD) is available. Instead of running your install and then running an update or replacing files, you can use /m and perform these tasks in one swift step. /makelocalsource Have you ever had problems reconnecting to your installation source after you’ve rebooted and started the setup? This could be due to things like Setup not recognizing your CD-ROM or network card. This option tells Setup to copy the entire source to your hard drive so that you can guarantee it will be available later. /noreboot There may be times when you want to launch the first stage of Setup, get your machine ready for the installation, but not reboot quite yet. This option will bypass the screen at the end of the first setup wizard and return you to your existing operating system without a reboot. When you do reboot, though, Setup will continue. /s:sourcepath This seems like a redundant switch. You’ve already found your source path if you’ve gotten as far as launching the setup. Setup even knows where it’s coming from. This parameter does help identify where your source is—the I386 directory—but it also does something better. You can specify multiple source paths and have Setup copy files from each simultaneously. This can really save you time if you have a slow CD and a slow network. Be careful, though; the first source path identified must be available or Setup will fail. /syspart:drive Another very powerful option here when you’re considering mass deployments is the /syspart parameter. This will start your setup to the specified drive and mark that drive as active. Once Setup is complete, you can physically take that hard drive out of the system, place it in a new system, and boot right into Setup. You must use the /tempdrive parameter with /syspart. /tempdrive:drive Setup will use the specified tempdrive to place temporary setup files. If you have space concerns with drives or merely a preference on where you want temporary files to go, use this parameter.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

123

124

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

/unattend The /unattend option will do an automated, no-input-required upgrade of your previous operating system. All configurations and settings of the old operating system will be used for the upgrade. /unattend[num]:answer_file This launches one of the most powerful features of unattended installations: the answer file. The answer file is a text file containing any or all answers to be used throughout the entire setup process. I’ll talk about building the answer file in the next section. If your current operating system is Windows 2000, you can also specify a time delay for the reboot, determined by [num]. /udf:id[,udf_file] One of the problems with automated installations is that you can’t fully automate an install unless you provide a name for the server, and all servers—all machines for that matter— on your network must have a unique name. This requires that you either enter the name during the setup or use an answer file on all machines, giving them the same name. Neither of those are viable options. The /udf parameter allows you to specify unique information about each installation based on the file specified in the UDF file—uniqueness database file. Here’s how it works. In the UDF file, there is a listing of names and a section matching each name with computerspecific information. Usually the computer-specific information will be just the computer name, but anything you put in this file will override the same entry in the answer file. Take a look at a sample UDF file named unattend.udf: ;SetupMgrTag [UniqueIds] BS01=UserData BS02=UserData BS03=UserData BS04=UserData BS05=UserData [BS01:UserData] ComputerName=BS01 [BS02:UserData] ComputerName=BS02 [BS03:UserData] ComputerName=BS03 [BS04:UserData] ComputerName=BS04 [BS05:UserData] ComputerName=BS05

I have five specified, unique computers defined—BS01 through BS05. If I’m sitting down to install a machine for BS03, I would send the /udf:BS03,unattend.udf parameter. The Setup program will look in the UDF file and have any entries under the BS03 section override those in the standard answer file. So if the ComputerName entry in the answer file is BSxx, Setup will substitute BS03 in its place for my installation. Those are all of the possible command-line parameters that you can feed the WINNT32 program. To better see how they work, let’s try a few samples of running WINNT32 from the CD located in F:.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

We are installing to a server that is very specific about using OEM drivers for the network card. If we start the setup and reboot, the default drivers with Windows Server 2003 won’t get us back online. We’ll use the /copysource option to copy down our drivers from the network folder of Z:\NIC\OEM. Just to be on the safe side, we also want to use a /makelocalsource option so we have all files available for use. We’ll launch the following command: F:\I386\winnt32 /copysource:z:\nic\oem /makelocalsource

During the first phase of Setup, the entire z:\nic\oem directory will be copied to the hard drive to be used during the installation. Once completed, the directory will be removed to free up our space again. We will also get a complete copy of the I386 directory copied to our local installation source. Between the two, we should have no problems with the installation not being able to find files. Now, we want to launch a setup using an answer file named C:\w2k\setup\unattend.txt and a uniqueness database file named C:\w2k\setup\unattend.udf. To keep parity with the earlier scenario, we’ll install this machine with the BS03 ID. In this case, we run this command: F:\I386\winnt32 /unattend:c:\w2k\setup\unattend.txt /udf:BS03,c:\w2k\setup\unattend.udf

WINNT supports a subset of those options—/s, /t, /u, and /udf—as well as these /e:

Specifies a command to execute after Setup finishes

/a

Enables accessibility options

/r:

Tells Setup to copy a folder to the target machine, leaving it in place after Setup finishes

/rx:

Like /r:, but deletes the folder after Setup finishes

Scripts, Part I: Basic Answer Files with Setup Manager The easiest way to get started with scripts is to let a program called Setup Manager build one for you. Installing Setup Manager

Setup Manager isn’t installed by default—here’s how to get it. Insert the Server 2003 CD into your computer’s CD drive. Open the folder named Support and, inside that, another folder named Tools. In Support\Tools, you’ll see a file named deploy.cab. Double-click it to open it. Select all of the files in deploy.cab, right-click, and choose Copy. Create a directory named DepTools on your computer’s hard disk. Right-click the DepTools folder and choose Paste. 6. Open the DepTools folder and double-click the Setupmgr.exe icon. 1. 2. 3. 4. 5.

Running Setup Manager

That starts up Setup Manager, which is a wizard and therefore starts off with a Welcome screen. Click Next to get past it and you’ll see a screen like Figure 5.2. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

125

126

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

FIGURE 5.2 New file or modify an old one?

As you can see, Setup Manager will either create a new script file or edit an existing one. Warning In general, I recommend that you never use Setup Manager to edit an existing script, because when starting up Setup Manager to change just one thing in a script, I find that it sometimes gets a bit rambunctious and decides whatthehey, while I’m here why don’t I fix all of these other bad ideas that I see in this script?

Tell it that you’re creating a new script and choose Next. You’ll see a screen like Figure 5.3. FIGURE 5.3 What kind of script?

Setup Manager can build scripts that you can use either for a simple unattended install, for RIS, or for Sysprep. We’re doing just a simple install, so choose that and click Next. You’ll then see a screen like Figure 5.4. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

FIGURE 5.4 What flavor?

Setup Manager will create scripts to install either Professional or Server in any of their incarnations (except Datacenter); choose Windows .NET Standard Server and click Next to see Figure 5.5. FIGURE 5.5 Just how hands-off?

This screen advises Setup Manager how thorough it should be in creating the script. In theory, choosing Fully Automated will cause Setup Manager to fill in enough information that you can just start an install using WINNT or WINNT32, walk away for 45 minutes, return, and be done. In actual fact, you’ll have to include a few other things, as you’ll see. Choose Fully Automated and click Next to see a screen like Figure 5.6.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

127

128

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

FIGURE 5.6 Configuring a distribution share

One approach to automated rollouts involves copying all of the installation files to a share on the network; Microsoft calls this the distribution share, and Setup Manager will help you create one if you like. We’re just looking to create an answer file here, though, so choose Set Up from a CD and click Next to see Figure 5.7. FIGURE 5.7 Agreeing to the EULA

From this point on, the Setup Wizard mainly asks the same kinds of questions that Setup has already asked, so I’ll go through them quickly. First, there’s the end-user license agreement (EULA). As with every other piece of software nowadays—both Microsoft and non-Microsoft—Server 2003 comes with a sign-it-or-else “contract” called a software license. The point of the software license is to

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

give the software vendor more ability to restrict what you do with the software than they’d normally get from copyright laws. By agreeing to it here, you avoid having the Setup program stop and ask you to agree to the EULA in mid-install. Check the box and click Next to fill in your name and organization, and then Next to configure the display settings, Next for time zone, Next for product key, Next to fill in the client licensing option, per-seat or per-server. Click Next to see Figure 5.8 and set the computer name. FIGURE 5.8 Machine names and automatic UDFs

You can enter a name and click Add, or you can, as I have, check the Automatically Generate Computer Names… check box. Computer names aren’t very interesting, but what is interesting is that you can use the Setup Manager to create a UDF, like the one you saw earlier in this chapter; if you enter more than one name, that’s how to make this answer file useful. Click Next to see Figure 5.9. FIGURE 5.9 Setting the admin password

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

129

130

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

This is really good news for anyone who’s built an answer file in the past. Most of it’s self-explanatory, but notice the new check box that says Encrypt the Administrator Password in the Answer File. Very cool—now we don’t have to worry about people looking in the scripts and seeing the admin’s password! Click Next to see Figure 5.10. FIGURE 5.10 Typical or custom network settings?

You’ll usually choose Typical Settings, but let me take a moment and point out one of Setup Manager’s strengths. If you decide to take Server 2003’s default networking settings, then you’ll get a pretty basic setup script—you’ll use DHCP to get your IP address (and if you don’t know what DHCP is, don’t worry, I’ll be explaining it in the next few chapters—for now, just understand that it makes the process of setting up the TCP/IP software on a computer far easier). But what if you didn’t want to use DHCP for configuration—what if you wanted to script an install with a specific set of TCP/IP configuration parameters, like a specific IP address? Here’s where Setup Manager shines. Perhaps it’s the fact that I seem to be afflicted with AFS (After-Forty Syndrome), but I can never remember the combination of script commands needed to specify an IP address. So I cheat by just running Setup Manager and telling it to set up a simple script for a system with a prespecified IP address. I can then look at the resulting script and cut and paste to create my desired script. That’s not to say that Setup Manager knows how to create every possible kind of script, but it’s pretty smart, making it a kind of automated cheat sheet. Anyway, after deciding to do typical network settings and clicking Next, you’ll get a panel that lets you specify whether you’re going to join a domain or a workgroup. Click Next to see a new screen for Server 2003’s Setup Manager, as in Figure 5.11. With this very useful screen, Setup Manager lets you choose what does and doesn’t get installed on your system, a real, real plus! Instead of just automatically installing (for example) the Index Service on every system when only two or three systems in your whole enterprise need it, this lets you just say no to every component but the ones that you need. This is an improvement over Windows 2000’s Setup Manager, which made you do this answer file-tweaking by hand. Go through it, make your changes, and click Next.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

FIGURE 5.11 Choosing components

If you’ve got a modem, you’ll be asked about Telephony settings; fill them in and click Next. You can then adjust Regional Settings—keyboard, currency, that kind of thing and, in the next panel, language support. (Things we Defaultians must shamefully admit that we don’t know jack about.) Then you get to set up the Browser. It really irritates me that every time I set up a new computer and start Internet Explorer for the first time, it jumps out to MSN; I’ve always wanted to say to NT, 2000, and now Server 2003’s Setup programs, “Look, I swear, I will never ever use MSN in my entire life—so stop making me either wait for MSN to load or have to click the Stop button!” When I start up a browser, I want it to start immediately, so my home page is “about:blank.” I can make that happen in an answer file with the following commands: [Branding] BrandIEUsingUnattended = Yes [URL] Home_Page = about:blank

But I don’t have to mess with the answer file to do this, as Setup Manager gives me those options. The next page lets you specify an installation folder—whether to put the files in \ windows, \winnt, or whatever you want. Administrators will love the next screen, as you can see in Figure 5.12. Set this up, and your users will log in already set to use a networked printer. The next two screens are a bit out of order, in my opinion. The first one specifies things that go in the Run Once Registry key. This lets you enter commands that you want run the first time that the computer has rebooted after completing Setup. You’d use this to tell your new copy of Server 2003 to do something like run DCPROMO to create a domain controller automatically, or perhaps to kick off a SQL Server installation. The screen after that lets you specify additional commands, which are commands to execute at the end of Setup. This can be useful if you want to do something like automatically install the Recovery Console; the command would be e:\i386\winnt32 /cmdcons

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

131

132

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

FIGURE 5.12 Preconfiguring network printers

The only problem with this is the e:—I typed that for example, but what actual drive letter will your CD-ROM end up being at the end of Setup? On a complex system, this might not be obvious. In any case, this seems out of place to me because these commands execute before the Run Once commands—wouldn’t you think the panels would appear in something resembling the order in which they occur? Finally, Setup Manager will ask you where to put the answer file, and what to call it. Click OK and you’ll then be able to exit the Setup Manager. Examining Setup Manager’s Script

The script that Setup Manager created for me looks like this: ;SetupMgrTag [Data] AutoPartition=1 MsDosInitiated="0" UnattendedInstall="Yes" [Unattended] UnattendMode=FullUnattended OemSkipEula=Yes OemPreinstall=No TargetPath=\WINDOWS [GuiUnattended] AdminPassword=43e140893084ea91cd85ddec2cd0905daf4d42d86df9ebd57b0641c94aa4c438 EncryptedAdminPassword=Yes OEMSkipRegional=1 TimeZone=35 OemSkipWelcome=1

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

[UserData] ProductKey=11111-22222-33333-44444-55555 FullName="Mark Minasi" OrgName="MR&D" ComputerName=* [Display] BitsPerPel=16 Xresolution=1280 YResolution=1024 [LicenseFilePrintData] AutoMode=PerSeat [Components] accessopt=Off calc=On charmap=On clipbook=On deskpaper=On templates=On mousepoint=On paint=On freecell=Off hearts=Off zonegames=Off minesweeper=Off solitaire=Off spider=Off indexsrv_system=On msnexplr=Off certsrv=Off certsrv_client=Off certsrv_server=Off iis_www=On iis_ftp=Off iis_smtp=On iis_smtp_docs=On iis_nntp=Off iis_nntp_docs=Off reminst=Off rstorage=On TerminalServer=On wms=Off wms_admin_asp=Off wms_admin_mmc=Off wms_server=Off chat=On

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

133

134

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

dialer=On hypertrm=On cdplayer=On mplay=On media_clips=On media_utopia=On rec=On vol=On [GuiRunOnce] Command0="rundll32 printui.dll,PrintUIEntry /in /n \\pserve\hplj24" [Networking] InstallDefaultComponents=Yes [Identification] JoinDomain=bigfirm.biz DomainAdmin=admindude DomainAdminPassword=hihihihi

This is a pretty basic script. Notice that an answer file is like a typical INI file, around since the early days of Windows; it’s a simple ASCII file that you could, if you wanted to, create with Notepad. There are sections of the file that are broken up into groups; they’re identified by their headers and surrounded by square brackets, like [HEADER1]. Within each section are different settings and the corresponding values to be used during the setup, formatted as ITEM=VALUE. The first section is called [Data] and it’s pretty much boilerplate, simple you-gotta-have-them instructions. MSDOSInitiated should equal 0 if you’re doing an install from the CD-ROM, or 1 if you’re doing an RIS install. AutoPartition must be equal to 1, or Setup will stop and ask you which partition to install Server 2003 into. UnattendedInstall should be, um, obvious. The [Unattended] section tells Setup what level of user interaction to expect, and you see FullUnattended, which is the script-syntax equivalent of the Fully Automated option we chose from Setup Manager. OEMSkipEula just says “don’t make him accept the license agreement.” OEMPreinstall is a very powerful command that you’ll meet later. Turning on the OEMPreinstall features will, as you’ll see, unlock a whole bunch of extra automated setup capabilities—but for now, let’s stick with the basics; “no” leaves those features off. [GUIUnattended] controls the second, graphical part of Setup, answering many of the questions that section asks. Without OEMSkipWelcome=1, Setup would stop at the beginning of Setup and ask if you want to continue. (Now, what part of FullUnattended did you not understand, Setup Manager?) Note AdminPassword= and that big long string—that’s my password, encrypted. Set it to just *— that is, asterisk—to make it blank, although I don’t know why you’d do that nowadays. [UserData] lets you brand the PC with your name and organization, and the name of a PC. “ComputerName=*” tells Setup to cook up a name for this machine. Windows 2000 vets may recall that the command for the product key used to be ProductID; now it’s ProductKey, as you see. (And no, that ProductKey doesn’t work!) [Display] sets up the video display. [LicenseFilePrintData] just specifies how you’re going to license the clients. [Components] is a simple, if lengthy, list of all of the things that you can

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

choose to install or not install on a Server 2003 system. As you’d guess, you tell Setup to install or not to install with “On” or “Off,” which would lead you (incorrectly) to believe that everything gets installed but is turned off. [GuiRunOnce] contains our printer setup command. [Networking] is simple in this example; it just says to take the defaults. Look at the [Identification] section, and let’s consider what that does. You want to join this computer to a domain, and of course you’ll need at least some level of administrative control to do that. That’s what that administrative name and password are for—to give Setup the authorization to create a computer account. But obviously you might not be too happy about the idea of putting the account name and password of a domain administrator into an unencrypted ASCII file. Fortunately, you can create a lower-power administrator that can only create and destroy machine accounts—it can’t mess with user accounts or anything else on the domain—and you’ll learn how to do that at the end of the chapter.

Improving Setup Manager’s Script We didn’t ask Setup Manager to do anything fancy, which is why we got a pretty short script—I just wanted to create a basic script. But you might want to add one command: Repartition. You might want to add the command Repartition=Yes, which goes in [Unattended]. This command tells Setup to delete all partitions on the first physical drive and create one big NTFS drive. If you don’t use the Repartition command, then you have to either prebuild the partitions on the computer somehow (there are third-party tools that can do that) or accept that Setup will stop partway through the text portion and prompt you to ask which partition to place Server 2003 on.

Getting the Script Ready to Try Want to try this out? Add the Repartition command that I just mentioned and, of course, make whatever changes will work in your system. If this is just a simple tryout then you might not want to join a domain; in that case, change the [Identification] section so that it looks like this: [Identification] JoinWorkgroup=(your workgroup name--anything will do)

Then you’ll need just a few ingredients: ◆ ◆

First, of course, you’ll need a computer. Note that as I’ve included the Repartition=Yes command, this will blow away any partitions on its first physical hard disk. Next, you’ll need to copy your script file to a floppy. The floppy needn’t be bootable. Rename the script file name to winnt.sif. That’s a “magic” name—if you name it something else, then this won’t work. Put the floppy in the A: drive.

Note Please note that if you have told Explorer on your system to hide file extensions, the filename looks like unattend rather than unattend.txt. Now and then someone will not realize that the filename is actually unattend.txt rather than unattend, and when they try to rename the file to winnt.sif, Explorer renames it instead to winnt.sif.txt. Now, it still looks like winnt.sif in Explorer, but its real name is winnt.sif.txt. So be sure to tell Explorer to show you file extensions before renaming unattend.txt to winnt.sif.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

135

136

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

◆ ◆

After that, insert the Server 2003 installation CD in the CD-ROM drive. Finally, in your computer’s BIOS, you need to rearrange the boot order.

Ideally, you’d like a system that lets you tell it to first boot from the CD-ROM and then, if that wasn’t bootable, to try the C: drive, and only if those two weren’t available, to boot from A:. Now, with the CD-ROM in its drive and the floppy in the A: drive, boot the system. It’ll ask you to press a key to boot from the CD-ROM and, if you don’t, then it boots from the hard disk. Then you just walk away. What’s going on? A trick built into Windows 2000 and later versions of NT. If it boots from its setup CD, it then looks on the A: drive for a file named winnt.sif. If it finds one then it presumes that the winnt.sif file is the script that it should use to do an unattended install. Pretty neat, eh? Hey, stay tuned, it gets even better.

Improving the Script More Once you’ve got a basic script like that working, you can take it considerably further, as the script language is pretty extensive. Look back in the directory where you copied the files from deploy.cab and you’ll see a large WordPad document named unattend.doc—a roughly 180-page document— that documents all of the scripting parameters. Here are a couple suggestions. Move Documents and Settings

Windows 2000 and later OSes store the user profiles by default in a directory C:\Documents and Settings; if you want to move that, then add the line ProfilesDir=path to put the profiles somewhere else. Preconfigure Internet Explorer

As I mentioned a few pages back, you can configure Internet Explorer in the script as well. For example, here’s a piece from a script that I use: [FavoritesEx] Title1="Mark Minasi Home Page.url" URL1="http://www.minasi.com" [Branding] BrandIEUsingUnattended=Yes [URL] Home_Page=about:blank

The first section preloads my home page into my Favorites. The second just warns Setup that we’ll be configuring IE via a script, and the third section defines my home page as about:blank. Now, for those of you who are IEAK (Internet Explorer Administration Kit) wizards, then your hard work isn’t wasted—there’s a script setting that tells Setup to find the file containing your IEAK settings and then to apply them. (Run Setup Manager and you’ll see the option.) Postinstall Polishing: Adding Support and Branding Info

Now that you’ve got your system set up, let’s add a bit of branding and support info. (Truthfully, the branding info is a bit silly—though fun—but the support info isn’t silly, it’s useful.)

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

Try this: log in to your Server 2003 system as Administrator (that’s probably the only account you’ve got built yet anyway), and find the icon on the Desktop labeled My Computer in the upperleft corner. Right-click it and choose Properties. You’ll see a multitabbed properties page like the one you’ve seen elsewhere in Windows. You can add a picture (or any bitmap) to it in the empty space on the left side, like so: ◆ ◆ ◆

Take any bitmap that’s roughly 175 × 175 pixels. Name it oemlogo.bmp. Place it in \windows\system32 or \winnt\system32, whichever you’ve got the OS in.

Next, let’s add some support information. You can “brand” a computer to describe its model, and also add an arbitrary set of lines of text for support information by including a file in \winnt\system32 named oeminfo.ini. This is an ASCII text file with two sections, [General] and [Support Information]. It looks like this: [General] Manufacturer=<descriptive vendor name> Model=<particular model> [Support Information] Line1= Line2=<second line of text> Line3=

For example, you might have an oeminfo.ini file that looks like the following: [General] Manufacturer=Clonetronics Model=DeskWidget 820 (60GB disk, 733 Processor) [Support Information] Line1=For Tech Support call: Line2=(555) 555-1212 Line3=After hours, call Bill Line4=(If you can find him)

Try it and you’ll see that it works quite well and can be a useful way to “brand” a system.

Scripts, Part II: Distribution Shares and $OEM$ You’ve seen that one way to start an unattended install is to shove a floppy and a CD into a system, boot, and walk away. But that’s really only of value if you just want to install the operating system with the basics. Next, let’s see how to load a whole bunch of new software, and also do some other great stuff, including installing applications on top of the OS. Starting a Setup with WINNT/WINNT32

Like previous versions of NT, Server 2003 ships on a CD and includes a large directory called I386. Inside I386 are a pair of programs that you’ve already met, winnt.exe and winnt32.exe. As you’ve already read, one way to start Windows Server 2003’s Setup program is to just type winnt or winnt32

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

137

138

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

with a sequence of options. You could, then, install Server on a system this way (I don’t recommend it, although there’s a good reason why I’m explaining it): 1. 2. 3. 4.

Clean up about 2GB of space on a drive on a computer’s hard disk. Copy the I386 directory on the CD and its subdirectories to the drive with 2GB or more space. Change directories over to the copied I386 directory that is now on the computer’s local hard disk. Open a command line and type either winnt or winnt32 with whatever options are appropriate at the time, depending on what kind of install you want to do. (And, again, use WINNT if you’re currently running DOS or Windows 9x, WINNT32 to start a Server 2003 Setup from inside NT, 2000, XP, or Server 2003.)

WINNT[32] and Distribution Shares

Now, why did I explain this to you if I recommend that you not use it? Because many people do use a variation on this theme. Over the years, many of us have done WINNT/WINNT32 installs not by copying I386 to the target machine, but instead by putting I386 on a shared folder (called a distribution share or distribution folder) on a file server. Then you walk over to the machine that you want to put Server 2003 on, connect to the file share, and type winnt or winnt32. Summarized, then, the idea with a distribution share is that you first copy the I386 files over to some share on the network; then to put Server 2003 on a new machine, you just walk over to the machine, log in to the network, connect to the distribution share, run the WINNT program in the share, and Setup starts. You can, of course, script an installation this way as well, and so the whole process can become basically unattended. The Chicken and the Egg

The only problem with this whole approach has always been that part about taking a brand-new machine and logging in to the network with it—namely, how the blazes do you do it? Computers with empty hard disks don’t know jack about networks (at least, not usually—stay tuned for the RIS section to see the alternative), so simply stuffing an Ethernet card into a new PC and hooking it up to the company network accomplishes nothing besides making another LED on the Ethernet switches light up. You need a network stack—protocols, a network file client, all that kind of stuff. It’s always sort of been true that “you need to be on the network to be able to connect to the software that you’ll need to install in order to get onto the network.” Kind of a chicken-and-egg thing. Microsoft used to offer a two-floppy set of code called the MS-DOS Client for Microsoft Networks that helped a bit. You’d first stick DOS on the new machine, then load the MS-DOS Client for Microsoft Networks, then reboot the system. That would let you log in to a domain and from there attach to a distribution share—but it was an awful lot of installing just to start off the Setup programs for NT 4 or later OSes. Worse yet, the Client didn’t include drivers for any NICs built after the Punic Wars, so you always had to hunt around for a set of DOS-compatible drivers for the modern network card in your computer. With a bit of luck and determination, I was sometimes able to fit the whole mess onto a floppy, and that wasn’t so bad—just boot the new computer from the A: drive and I’d be connected to the network. Of course, I had to reengineer the floppy for every different model of NIC, which partially explains why I (a) only bought 3Com Ethernet cards for years and (b) resisted going to 100-megabit Ethernet a year or two longer than I should have—I was reluctant to have to create a new network boot floppy.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

Where does that leave you nowadays? Well, to my knowledge, Microsoft doesn’t distribute the Client anymore. You can solve the how-do-I-get-to-the-distribution-share in the first place problem in one of three ways: ◆

◆

◆

Find an old copy of the MS-DOS Client for Microsoft Networks and cook up network boot floppies. (And please don’t e-mail me, I can’t distribute them—they’re copyrighted.) There are some useful bootable disk images at www.bootdisk.com; it’s worth a moment or two to see if they’ve got one you can use. Given that many new systems ship with Wintendo (Win 9x) on them anyway, you already have a network-aware operating system sitting on your new computer’s hard disk. Use that to connect to the distribution share. A lot of new computers have the ability to do a PXE or “network boot.” Windows 2000 and Server 2003’s Remote Installation Services (RIS) is built to support PXE boots, and so can let a computer with even an empty hard disk get to an RIS server and then install Server 2003 from a server. Fortunately, Server 2003’s RIS can roll out not only Professional but Server images as well—an upgrade from Windows 2000!

Extending I386: Preinstalling Service Packs

Let’s presume, then, that you’ve figured a way to get your workstations attached to a network distribution share. Now we can start reaping the benefits of doing installs from a share on a hard disk rather than a CD-ROM: we can add to the data on the CD. The first terrific thing that we can do is to preinstall service packs. You can typically download a service pack as one big EXE. As I write this, there aren’t any service packs for Windows Server 2003— it’s just been released!—but assuming that Server 2003’s service packs continue to work as 2000 and XP’s do, this should work. First, download the service pack; let’s call it sp20031.exe, although I have no idea what Microsoft will call Server 2003’s service packs. You can attach a service pack to Server 2003’s I386, “assimilating” it so that when you do an installation from that I386, you instantly have a copy of Server 2003 with some service pack installed, rather than having to first install Server 2003 and then apply the service pack. Here’s how. 1. Create a directory on a server’s hard disk and copy the I386 folder to it. Let’s say, for example,

that you put it in C:\I386. 2. Put the sp20031.exe file on that computer’s disk (it doesn’t matter where and please remember, that’s a hypothetical filename), open a command line, and type sp20031 -x to extract all of the service pack files. It’ll ask you where to put them, so specify a directory wherever it makes sense for you. Let’s just say you tell it to put the files in C:\SP. 3. Once sp20031 has extracted itself, look in the directory that sp20031 created, C:\SP, to find a directory named C:\SP\I386\update. In there you’ll find a program named update.exe. 4. Run update.exe with the -s option and point it at the drive containing I386, not the I386 directory itself. For example, if you put I386 on C:, then type c:\sp\i386 update -s:c:\ to put the service pack files into C:\I386. Microsoft says that the -s stands for “slipstream,” but I tend to think that it stands for “aSsimilate,” as that’s what the service pack does—assimilates itself into the I386. Notice that, because the

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

139

140

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

service pack will only take the name of the directory above I386 as an input, you really must store the data from the CD’s I386 folder in a folder also named I386. This isn’t a great hardship—most distribution shares I’ve ever seen are named I386—but now there’s a reason that you really have to call the directory I386. Tip Now that you’ve seen how to automatically install a service pack, you’re probably wondering how to automatically add the latest hotfixes. I’ll show you how to do that in the upcoming section “Tell Setup to Run Commands with cmdlines.txt.” $OEM$: More I386 Power

Look back at my example script and you’ll see, in the [Unattended] section, a command OEMPreinstall=No. Let’s change that No to Yes and unlock a bunch of convenient unattended setup features: ◆ ◆ ◆ ◆

You can tell Setup to create directories and files on the newly installed machine. You can tell Setup to run any number of commands at the end of setup—for example, commands to tell Setup to install other applications. You can supply Setup with newer device drivers than the ones that ship with Server 2003, or device drivers for hardware that didn’t even exist when Server 2003 shipped. You can specify that you want to install a particular Hardware Abstraction Layer (HAL). You wouldn’t do this very often (so I’m not going to cover the topic any further), but once in a while you’ll try to build a setup script for a system that needs a custom HAL, and this is the only way to tell Setup to use it while unattended.

Here’s how to use the power of $OEM$. Inside an I386 directory, create a directory named $OEM$. For example, suppose you’d copied the I386 directory to the E: drive and then perhaps slipstreamed a service pack onto it. Before starting to do installs from that E:\I386 directory, create a directory named E:\I386\$OEM$. We’ll do our work in the following sections in that directory. Setup Bitmaps and Logos

While the Setup program runs on a user’s machine, you might want to include instructions or information on the screen. You can do that with the [OEM_Ads] section. Create a section in your script with a logo= and a background= command, like so: [OEM_Ads] logo=ourlogo.bmp background=backgrnd.bmp

Place the files ourlogo.bmp and backgrnd.bmp in the \I386\$OEM$ directory. They must be simple Windows-type bitmap files—you can’t use GIF or JPEG files. The background file will display as the background, centered on the Setup screen. Don’t use a bitmap larger than 640×480, as that’s the resolution that Setup runs in. And by the way, here’s an important tip: Try out the bitmap and logo before using it for a user’s system install. Setup puts a couple of big dialog boxes up that obscure most of the background, so if you actually want to pass along some information, then you’ll have to be careful about where you place the info on the bitmap or logo; otherwise, the information won’t be readable.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

Create Directories and Copy Files

If you create a directory inside $OEM$ with a one-letter name, like I386\$OEM$\E or I386\$OEM$\D, then Setup will copy any file (or directory) in that directory to the drive letter of the same name on the newly installed computer. For example, suppose I want my computers to all have a directory on C: called Data, which will contain a file named basic.txt. Let’s assume that I’ve got the I386 distribution share on a server, on its D: drive, so I’ve got the setup files in D:\I386. To ensure that every new system created from this share has a directory named C:\Data and containing the basic.txt file, all I need do is this: ◆ ◆ ◆

Create a directory named D:\I386\$OEM$\C. Create a directory inside that directory named Data -D:\I386\$OEM$\C\Data. Place the basic.txt file inside the D:\I386\$OEM$\C\Data directory.

$OEM$ also has a few “magic” directory names that you can exploit to place files into the system folders. First, there’s the $$ directory. Anything in I386\$OEM$\$$ goes to winnt. What’s the value of that? Well, when you’re writing an installation script, you might not know beforehand which drive winnt will go on. Rather than having to create a directory named I386\$OEM$\C\winnt and then accidentally try to use that to put files in winnt on a system that puts its operating system on the D: drive, putting files in I386\$OEM$\$$ will ensure that those files will end up in winnt on the drive that contains the operating system. So, for example, if you liked the idea of including support information on your system, then recall that you store the support and branding information in a file named oeminfo.ini, which must sit in \winnt\system32. You could create an oeminfo.ini file and then place it in a distribution share at I386\$OEM$\$$\system32, and the file would then automatically get copied to the system32 directory of any newly installed systems. You’d be ensuring that every new system gets the support information without requiring any extra work on your part.

Including Updated Drivers

Every version of Server includes a pretty large collection of drivers in its initial offering. But from the minute they ship a version of server, boatloads of new hardware appear, so as a version of Server gets older, it’ll be more and more likely that either you have a piece of hardware that didn’t exist at the time of that version’s birth (and therefore that version lacks a driver for it), or the hardware’s manufacturer has created a newer and better driver—and Server 2003 is no exception. You can automate the process of telling Server 2003 to use a new or updated driver, using the OEMPnPDrivers command. Create the directories for new or updated drivers in $OEM$\$1\, then specify them in OEMPnPDriversPath. For example, suppose I’ve got some new video and audio drivers, and I place the new video drivers into a directory named I386\$OEM$\$1\newvid. Then I put the new audio drivers in I386\$OEM$\$1\newaud. I can then tell Setup to look for them by adding this line to the [Unattended] section of my setup script: OEMPnPDriversPath="newvid; newaud"

Notice that we describe directories by their path below $OEM$\$1. Don’t include I386\$OEM$\$1 in the path.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

141

142

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Warning Note that you should keep the list of directories to 40 or fewer characters. This is a limitation of OEMPnPDriversPath. But don’t make them single-character directory names, or Setup will try to create files on drive C:, D:, E:, etc., on the target machine! Tell Setup to Run Commands with cmdlines.txt

Once your system is set up, you might want to install some applications beyond the basic operating system, or you might want to delete some little-used files that Setup leaves behind, or you might want to accomplish any number of other small tasks. You can do that with a file named cmdlines.txt, which must be located in the $OEM$ directory. cmdlines.txt is just a list of command-line commands that you want Setup to execute. That may sound to you as if I’m suggesting that cmdlines.txt is an old DOS-style batch file, but it isn’t. For some reason, it needs a specific format. The first line must be [Commands] on a line all by itself. Then, you list the commands that you want Setup to run—but you must surround the commands with double quotes. For example, consider this example cmdlines.txt file: [Commands] "msiexec /i \\server\share\somefile.msi" "regedit /s myhacks.reg"

As you see, the first line is just [Commands]. Then, the second line is the first command that you want Setup to run. If you’ve never heard of MSIEXEC, then let me introduce you—it’s a command that you’ll use a lot when building cmdlines.txt files. You see, under Windows 2000, XP, and Server 2003, you install an application using a service called the Windows Installer service. Instead of installing programs with a traditional setup.exe program, you install programs by handing a “package” to the Installer. This package is the collection of files that you need to run the program, as well as a set of instructions about how to install the program—“this file goes here, this icon goes on the Start menu, create these Registry entries”—and the Installer looks at the instruction file (which, by convention, has the extension .msi) and carries out its instructions. (You’ll learn more about this in the chapter on software deployment; I’m just giving you the barest of sketches about how it works here.) Normally you deploy an MSI-type package using Active Directory, as you’ll learn a bit later in this book. But if you want to install an application from the command line, then you’ll use a program called msiexec.exe. The /i option says to install the program from its MSI, silently. Again, you’ll learn more about where you get MSI files from a bit later in the book—I just thought that an msiexec /i example would be useful. Tip In order to make this work, msiexec.exe must be in the $OEM$ directory; copy it from a functioning Windows 2000 or later OS.

The second command may be familiar to experts in any NT version from 4 on. Sometimes the easiest way to set up NT, 2000, or Server 2003 to work exactly the way you want is to apply a bunch of Registry hacks. The REGEDIT command offers a pretty neat command-line way to modify the Registry. For example, I find the AutoRun feature of CD-ROMs really annoying. I don’t want Server 2003 offering to install every time I pop the Server 2003 CD into a drive just to get a file or two. Now, I could

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PERFORMING UNATTENDED INSTALLS: AN OVERVIEW

shut off AutoRun by opening up a Registry Editor, navigating down to HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\Cdrom, and then editing the entry labeled AutoRun, setting its value to 0. But I don’t want to hand-edit the Registry—and that’s where REGEDIT comes to the rescue. Just create a four-line ASCII file (call it CDFix.reg) with these contents: REGEDIT4 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] "AutoRun"=dword:00000000

Note the blank line between REGEDIT4 and [HKEY; you need that. Now open up a command line and tell REGEDIT to apply this change by typing regedit /s cdfix.reg; the /s means, “Shut up and do it!” so you won’t get a message. But reboot your NT or later machine and you’ll find that AutoRun is now disabled. Notice how what I could call the REGEDIT “command language” works: the first line is REGEDIT4, then a blank line, then you indicate what key you want to work with, in brackets, and then the value entry. And that line starting with [HKEY_LOCAL_MACHINE is just one line when typed, no matter how long. You can put a whole bunch of changes into a single file, or create different .reg files and apply them sequentially. As with msiexec.exe, be sure to put regedit.exe in the $OEM$ folder, or this won’t work. And you may be wondering, how did I figure out how to create a file in “REGEDIT format?” Simple. I just highlighted a key that I wanted to apply and then exported it. The exported file turned out to be a simple ASCII format—and an import showed that REGEDIT imports files in the same format as it exports. Using CMDLINES.TXT to Install the Latest Hotfixes

Here’s an even more valuable use for cmdlines.txt: preinstalling hotfixes. Hotfixes are files that fix some critical problem in NT 4 or later, things that will eventually make their way into the next service pack but that Microsoft felt were important enough that they couldn’t wait for the next service pack. You can find them by going to www.microsoft.com/security and then clicking the Security Bulletins link. Now, that works as of the time that I am writing this, but Microsoft is fond of rearranging their Web site, so if that doesn’t work, then just do a search for “security bulletins” on their site and you’ll find them. For step 1, download them and collect them into the $OEM$ directory. They’ll have names like q329834_WXP_SP2_ENU.exe, which tells you ◆ ◆ ◆ ◆

that you can find out about what this fixes in Knowledge Base article 329834, that you apply this to Windows XP Pro (WXP), that it is post-Service Pack 2, and that it works on the version of the operating system that is localized for English.

If you’ve ever applied a hotfix, then you know that you just run it as a program, which is nice and simple. But what’s not so simple is that every time you install a hotfix, the stupid hotfix insists that you reboot the computer. Let’s see, 16 hotfixes in the post-SP2 world (to use XP as an example)… figure a minute a reboot… I’ve only got 1000 computers to do this on. Naaah. But there’s good news. Fortunately, most hotfixes written since mid-2002 have two options, -q and -z, that tell the hotfixes to install quietly and not to force a reboot.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

143

144

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Now, if you ever did this with Windows 2000, then you may be expecting me to next talk about a utility called qchain.exe, which arranges hotfixes on your system. But I’ve got some good news for you… QCHAIN is no longer necessary on Windows XP or Server 2003. So just apply the hotfixes and you’ll be up to date. Make sure that all of the hotfixes are in the $OEM$ directory. Then modify cmdlines.txt to invoke each of the hotfixes with the - q -z options, and finally run qchain.exe. A simplified cmdlines.txt with four imaginary hotfixes—I’ll spare you the 16-liner that I actually use— might look like this: [Commands] "msiexec /i \\server\share\somefile.msi" "regedit /s myhacks.reg" "q302755_w2k_sp3_x86_en.exe -q –z" "q303984_w2k_sp3_x86_en.exe -q –z" "q301625_w2k_sp3_x86_en.exe -q –z"

Notice, as I’ve said before, that you must surround the commands in quotes. Pretty nifty, eh? I used to roll out test machines without hotfixes mostly because I felt that it took too much time, but too many of those machines fell prey to the Worm of the Week. Now I’m (relatively) secure from the first power-up. I hope I’ve convinced you that $OEM$ holds some pretty powerful capabilities. If you use it and the OEMPreinstall=Yes command, then you can extend the power of an unattended installation pretty far. GUIRunOnce

I haven’t included this section in my example scripts yet, but I should mention that you can include a section, [GUIRunOnce], in a setup script. It tells Server 2003 to finish installing and then to reboot. Once Server 2003 reboots, it then lets you log in. Once you’ve logged in, Setup runs the commands in GUIRunOnce—typically these are setup commands for applications. They run under whatever user account you logged in as, so if you’re installing something that requires Administrator-level privileges, then be sure to log in with a powerful-enough account. Items in the [GUIRunOnce] section must be surrounded by quotes. One example that I’ve seen of GUIRunOnce’s power is the automatic starting and running of DCPROMO, the program that creates domain controllers. You’ll learn more about DCPROMO in Chapter 8. So you can see that you can do pretty neat things with scripts and the OEMPreinstall features. But don’t let me oversell this; let’s remember that there’s still that chicken-and-egg problem of “how do I get on the network to get to the network share in the first place?” We’ll solve that problem next, with Remote Installation Services, or RIS.

Installing Server 2003 with Remote Installation Services Well, by now, you’ve probably tried shoving the CD-ROM into some computer’s drive and installing Server 2003. You may well have had some luck at it and found that after a bit of twiddling, you could make it work quite well. “Cool,” you might have thought, “Installing Server 2003 will be a snap.”

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

But then, you probably realized that you’d have to do it for several hundred machines. Let’s see now, doing the exact same set of twiddling several hundred times would take…well, more patience and time than many of us have. It would be nice to be able to spend a fair amount of time on just one computer, getting it just right, and then to “photocopy” that configuration onto dozens or hundreds of other computers. And for years, many of us did just that. Back when I worked in training labs teaching Windows 3 running atop DOS 5, it was a simple matter to just boot up a workstation with a floppy containing the Novell client software, format the workstation’s C: drive, and then XCOPY an entire drive image from a Novell shared volume onto the workstation. The whole process was completely automated once I got it started, and took no more than about 20 minutes. Later on, with the advent of bigger operating systems like Windows 95, drive copier programs like Ghost and Drive Image Pro came out. These drive copiers didn’t care what files were on a computer; they’d just copy a physical hard disk or partitions from that hard disk to a network folder for you. Then you could set up a new computer to look just like the prototypic computer by booting the new computer from a floppy and then pulling down the Ghost or Ghost-like (would that be “Ghostly”?) image. That worked fine for Windows, but not for NT, as NT is secure, and so each computer with NT installed on it has long and machine-specific strings of numbers embedded in it, numbers called security IDs, or SIDs. Cloning one machine’s NT image onto thousands of machines would lead to thousands of machines with identical SIDs. While that might not sound terrible, it could have some very bizarre side effects. For example, suppose you start up a new PC with a cloned copy of NT Workstation or Windows 2000 Professional on it, logging in the first time as the default administrator. The first order of business is then to create a local user account for yourself. But inside NT, that account would get an SID. As this is the first account created besides the built-in Administrator and Guest accounts, that account’s SID will be the first available in the range of SIDs on this machine. Now imagine that Janice down the hall, who has a machine containing the exact same cloned image on her system, also logs in to her new machine as its default administrator and creates herself an account. It’ll have a different name than your account—but that won’t matter. NT doesn’t really care what your name is; it cares what your SID is. And what value SID does Janice have? Well, as it’s the first created account, you guessed it—her account now has the same SID as yours. What does that mean? Well, suppose you made your local account an Administrator account. That means that when she’s logged in to her own machine with her own account, she can use Windows 2000’s remote control tools to do administrator-like things to your system over the network. That’s not a good thing, unless you and Janice are really good buddies. As a result, disk-cloning vendors have come up with “SID scrambler” programs. You copy the cloned image onto a new machine and then run the SID scrambler. It creates a unique set of SIDs on the newly cloned machine and all should be well. Microsoft, however, says that the SID scramblers from the two big players, Symantec’s Ghost and PowerQuest’s Drive Image Pro, won’t do the whole job. I honestly don’t know if this true or if it’s just Microsoft… well, being Microsoft. In any case, now Microsoft has a method for rolling out a single workstation image to dozens, hundreds, or thousands of machines while simultaneously ensuring that each machine has a unique SID. It’s a tool called the Remote Installation Services (RIS). In this section, you’ll learn how to set it up and how to get those images out to all of those PCs hungering for an operating system.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

145

146

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

RIS solves the other big rollout problem, as well: the “how do I get a computer with nothing on its hard disk connected to the network so that I can do a network-based install?” problem. You’ll see how to do that in this section, but before I go further, let me offer this warning: Warning I’ve included RIS in this chapter because it’s a rollout and deployment tool, but RIS won’t work unless you have an Active Directory infrastructure in place and some knowledge of another infrastructure tool called the Dynamic Host Configuration Protocol (DHCP) and are also comfortable with file and directory permissions on NTFS disk drives. If any of that sounds a bit scary, then just skip this RIS section and go on to the Sysprep section. Then, once you’ve gotten through the TCP/IP and Active Directory chapters, come revisit this section.

RIS Overview RIS lets you designate a server or a set of servers as RIS servers. A RIS server contains the files necessary to install Windows 2000, XP, or Server 2003 onto a computer from across the network. RIS can deliver an operating system to a waiting PC in one of three formats: Simple I386-based Installation In this simplest form, RIS is just a place to store the installation files for various versions of NT from Win2K on. How is it different from just putting I386 onto a directory on any old file server and then sharing that directory? Not very much, except in one important way: it solves the “how do I get to the network in the first place?” problem. You can go to the PC that you intend to put 2000, XP, or Server 2003 on and boot it with just one floppy, and you’ll be off and running, no messing around with the DOS Client for Networks or the like. Of course, once this installation starts up, you must sit at the computer and answer all of Setup’s questions, baby-sitting the computer while Setup runs. Scripted I386 Install This installation is like the preceding situation, with the added benefit of unattended installation. You just go out to the target PC, boot the floppy, and away it goes. These first two options are called flat image format images. (If you’ve been using this since Windows 2000 then you’ll recall that they were called “CD images” in 2000.) Complete System Image with Minimal Setup Interaction This option is really the more interesting option for many people. You build an entire prototypical machine running Windows 2000 Pro or Server, XP, or Server 2003, complete with applications. Then you use RIS to create an image of that machine on a RIS server. You then boot the target PC with a RIS-built floppy again, and RIS transfers the entire disk image, complete with operating system and applications, to the target PC. It’s not entirely hands-off, however, as it needs a bit of machine-specific customization: you need to punch in a unique machine name, for example. This kind of image is called a RIPrep image format image.

New-to-Server 2003 RIS Goodies RIS was neat under Windows 2000, but Windows Server 2003 offers several bits of good news. First, as I’ve mentioned already, 2000 only deployed Windows 2000 Professional images. Server 2003’s RIS will roll out Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, Windows XP Home, or Windows Server 2003 images. Great news (and it’s about time)! Second, as you’ve already learned, RIS is a neat way to roll out operating systems to computers. But getting those computers to talk to a RIS server requires that the computers (call them “RIS

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

clients”) be built in a particular way. Without this RIS client support, also called PXE support, you can’t use RIS to put an OS on a computer. But RIS has always had a workaround in that it will create a floppy disk that will support network cards for client systems that aren’t set up to get the benefits of RIS. That floppy has been revised for Server 2003 to support a wider range of systems. Finally, RIS under Windows 2000 always had the annoying feature of sending your password in cleartext over the network cable when you first logged on. It only happened once, but it was still a bad idea security-wise. RIS for Server 2003 and its revised clients now encrypt passwords before putting them on the wire.

RIS Limitations Before getting too excited about RIS—it’s nice, but the Ghost guys needn’t worry about being put out of business—let’s look at what it can’t do. RIS Clients Must Have Particular PCI Network Cards; Some Laptops Won’t Work

I’ll cover this later, but you can only get a RIS system image onto a computer that knows how to ask for one, and the only way that a system knows how to ask is if the system supports something called the Preboot Execution Environment (PXE) protocol, version 0.99C or later. If you’ve seen computers that can be “network managed,” then there’s a good chance that the computer has PXE support in its BIOS. In addition to PXE support, you’ll need a NIC that works with PXE. No ISA NIC that I know of supports PXE, and I’ve only heard rumor of PCMCIA/PC Card/CardBus laptop NICs that support PXE. Most PXE-compatible NICs are PCI cards. Laptops aren’t completely shut out, as some laptops now ship with an integrated NIC built to the “mini PCI” specification— I’ve seen some IBM ThinkPads that fit in this category. Such a laptop might be RIS-compatible. (And believe me, RIS’s convenience is sufficiently great that PXE/mini-PCI compliance will be a “must-have” characteristic of all of my future laptops!) In Server 2003 and later, you’ll find that many laptops come with an integrated Ethernet card; again, take a moment and ask the vendor two questions: first, is it mini-PCI (rather than PCMCIA) and, second, does it support “network boot?” If so, the chances are good that such a machine will work with RIS. What if your computer doesn’t support PXE? RIS comes with a program called RBFG.exe, the Remote Disk Boot Generator (RDBG). (It was Remote Boot Floppy Generator in 2000 but Microsoft renamed the program without renaming its file, so the program’s abbreviation is RDBG but its file name is rbfg.exe.). It’s a program that lets your computer support PXE, so long as your computer has one of the particular 32 NICs that RBFG.exe supports. It’s annoying that RIS doesn’t really support pre–year 2000 laptops and most pre-1998 desktops, but truthfully that’s often the case with Windows technologies: the coolest features of any version of Windows often require some new technology. I often find myself telling audiences that “the latest version of NT will solve many of your existing problems; all you have to do to get those benefits is to replace all of your hardware and software!” Certain Services Keep RIS from Working

It’s great that Server 2003 lets us use RIS on both servers and workstations—2000’s RIS didn’t—but you can’t use RIS on every kind of server. You can’t, as far as I can see, use RIS on a server that is acting as a DHCP or RIS server, or on a server that acts as a domain controller.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

147

148

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

RIS Can Only Image the C: Drive

When you build a prototype computer whose image you will then propagate all over the enterprise, you’d better build a computer with just one hard-disk partition C:. RIS will merely copy the C: drive and whatever’s on it. RIS Has a Fairly Sparse Administrative UI

While RIS doesn’t require a lot of administration, there are few tasks that you’ll do frequently, and RIS doesn’t provide a very good way to do them. For example, if you had a RIS server that contained many system images, but you didn’t want every user to see every possible image (which is very likely— odds are that you’d have one image for the accounting folks, another for the programmers, and so on), then the only way to restrict the choice of images that a user sees is through NTFS permissions rather than via some simple administrative interface. RIS Seems Not to Work on Multihomed Systems

I’ve been using RIS on Windows 2000 for years and Server 2003 for a while and in both cases I have found that putting RIS on a system with more than one NIC is simply asking for trouble. I have no idea why this is, but I’ve run into far too may situations where I’ve got an up-and-running (in theory) RIS server that simply cannot see any clients. Other things work fine on the server, but RIS is just plain deaf on multihomed systems. I may simply be doing something wrong, but in my experience multihomed RIS servers are not reliable, so I don’t recommend them.

Steps to Making RIS Work The first time you set up a RIS server, it can seem a bit complicated if you’re not ready for it, as RIS is a bit different from other Server 2003 services. What I’m referring to is that to install most Server 2003 network services, like IIS or WINS, you just install them on a server, reboot the server (and many times you needn’t even reboot), and you’re done. Setting up RIS on a server, however, requires fiddling a bit with Active Directory. Tip Before you can use RIS, you must have Active Directory running. It seems to work fine with either a 2000-based or Server 2003–based AD, but you need AD. As you’ll learn later or you might already know, you can’t have AD without a functioning DNS server that supports RFC 2782 SRV records and RFC 2136 dynamic updates, as described in Chapter 8. Warning In order to explain how to set up RIS, I’ll need to assume that you already know what a DHCP server is. If, however, you have not worked with previous versions of NT and so probably don’t know DHCP, then don’t worry about it—just skip this section until you’ve learned about TCP/IP, DHCP, and Active Directory in the next few chapters, then return to this section. (And in that case, please accept my apologies for making you jump around the book.)

To get a RIS server working, follow these steps: 1. Set up a Server 2003 system and make it a member of an Active Directory domain. The server

must have a fairly large NTFS drive available, and that drive can’t be the boot drive or the drive containing the operating system. (When I say “drive” here I mean “partition.” You needn’t have two physical hard disks for a RIS server, but you do need to have at least two logical drives.) 2. Authorize the soon-to-be-RIS server in the Active Directory as a Dynamic Host Configuration Protocol (DHCP) server, even though it’s not a DHCP server. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

3. Add the Remote Installation Services service to the server and reboot it. 4. Run RISetup, the Remote Installation Setup Wizard, to prepare the large drive for receiving

RIS images and to put an initial image on the drive—it’s just a simple copy of I386. 5. At that point, the RIS server is ready. You can add new images to it with a wizard called RIPrep. We’ll examine each of these steps in the following pages.

Getting Ready for RIS RIS’s job is to let you take a PC with an empty hard disk, attach the PC to your enterprise network, put a RIS-created floppy disk into the PC’s A: drive, and boot the PC. The small program on the floppy disk is just smart enough to get an IP address for the PC, then locate an Active Directory domain controller and ask the Active Directory domain controller where to find a RIS server. Once the PC finds the RIS server, it can then start the process of pulling down a particular system image so that the PC becomes useful. Necessary Infrastructure

But RIS needs some infrastructure to make all of this work right. The PC gets an IP address from a DHCP server, so you’ll need at least one DHCP server running in your enterprise to make RIS work. (In case you’ve never worked with an IP-based NT network before, DHCP’s job is to automatically assign unique network addresses to each server and workstation on the network. TCP/IP requires that every machine have a unique IP address, or the network software just doesn’t work.) Once it has an IP address, the PC finds an Active Directory server by looking it up in DNS—so you’ll need a DNS server. And the PC can’t query an Active Directory domain controller for the location of a RIS server unless you’ve got an Active Directory domain controller—so you’ll need an Active Directory–based domain (as opposed to a bunch of Server 2003s in a domain built out of NT 4 domain controllers). Of course, if you’re running an Active Directory–based domain, then you’ve got to have DNS running, so the simplified list of things you’ll need before RIS will work is an Active Directory–based domain and at least one DHCP server. A Drive for SIS

Furthermore, the RIS server needs a partition to store the RIS images. For some reason, RIS will not store images on the boot partition—which is usually drive C:—or the system partition, which is the drive that contains \windows and the other NT system files. Note Please, don’t write me letters explaining to me that Microsoft’s definition of “boot drive” is the one that contains \winnt or \windows, and their definition of “system drive” is the drive that you boot from. I know that’s what they call it, but it makes no sense, so I’m going to tend to say “system drive” for the one with the operating system, and “boot drive” for the drive that you boot from. I know, that’s not what Microsoft told you, but to quote John Candy from the movie Planes, Trains, and Automobiles, “If they told you that wolverines made great pets, would you believe that too?”

I found this you-need-a-drive-that-is-neither-system-nor-boot thing kind of frustrating the first time I went to set up RIS, as the server that I intended to put RIS on had only two drive letters and Windows 2000 (this was back when I first tried RIS, under Win2K) installed on the D: drive. C: was the boot, D: the system, and so RIS wouldn’t install. I reinstalled Windows 2000 on the C: drive, freeing

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

149

150

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

up D:, and RIS worked fine. You can have other things on RIS’s drive, like files of other types; you just can’t have the system files on the drive. Remember that while RIS will make an image of whatever filesystem is on the original workstation, it must be placed onto an NTFS partition on the server. While it’s not entirely clear to me why RIS is allergic to system files, there’s a very good reason why it wants a drive pretty much to itself. Imagine a RIS server that contained 20 system images—how much space would that need? Well, Windows 2000 Professional (to use the example of one OS that RIS supports) takes up about 450MB on a hard disk, so let’s be generous and say that the applications added to the image only total 50MB, leading to a 500MB image; it’s just easier to calculate this way. Ten half-gigabyte images totals 5 gigabytes. But now let’s look more closely at those 10 images. The vast majority of the files in the images are identical: For example, each image contains a file named Drivers.cab that’s nearly 50MB in size, and the file is exactly the same for each of the 10 images. That’s a terrible waste of space—500MB to store 10 identical copies of a 50MB file! RIS solves that problem with a service called the Single Instance Store, or SIS. SIS is a service called the SIS Space Groveler (is that a great service name, or what?) that runs in the background and searches the directory that RIS uses to store system images looking for duplicate files. It then frees up space by deleting the duplicate files, putting in their place a directory entry that makes it appear as if the duplicate is still in place. In actuality, however, the duplicate is no more than a sort of pointer to the complete copy of the file. Clearly a trick like this will require a bit of magic, and that magic comes from a combination of the NTFS of SIS and Windows 2000 and later—that dedicated-toRIS drive must be an NTFS volume. Extending SIS: Side Notes

It’s a shame that SIS only loads as part of RIS; I could easily imagine many cases wherein recovering space from duplicate files could be beneficial, such as in the case of a server containing hundreds of users’ home directories—there’s likely to be plenty of duplication there. Actually, if you’re feeling a bit brave, then you actually can get SIS to run on other drives, according to Knowledge Base article 226545. It says that SIS identifies which drives to do its magic on by looking for three things: ◆ ◆ ◆

First, the drive must be an NTFS drive. Second, the drive must contain a hidden folder in its root named SIS Common Store. Finally, that SIS Common Store folder must contain a file named MaxIndex.

I honestly have not tried this myself, but I pass along the information in case it’s of help. So, for example, to apply SIS to any given file server, just install the RIS service on that system (even if you do not intend to make the server a RIS server), place a hidden folder named SIS Common Store in the root of whatever drive you want SIS to work on, and don’t forget MaxIndex. While I’m on the subject of advanced SIS maintenance, here’s another tidbit from the Knowledge Base, article 272149. You can, if you want to, tell SIS to ignore a particular directory in this way: 1. Start up a Registry-editing tool. 2. Navigate to the key named HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\Groveler\ExcludedPaths.

3. Create a new value entry with any name that you like, of type REG_SZ. 4. In the data for that value entry, include the name of the directory without the drive letter. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

For example, suppose I wanted SIS to ignore a directory named mystuff on a SIS volume. I’d just go to the key named above and create a new value entry. I could call that value entry NoMyStuff. I’d make it of type REG_SZ, and in the entry I would place the string “\mystuff.” Then either I’d have to reboot to see the changes take effect, or I’d have to stop and start the SIS Space Groveler service. Warning Be aware, however, that I’m told that unless you back up this drive with a backup program that is SIS-aware, then SIS drives aren’t backed up properly. Sometimes the backup program thinks that it’s backing up a file, but it actually just backs up SIS’s pointer to a drive. Restoring that pointer without the file is usually not helpful.

Authorizing RIS in Active Directory Microsoft figured—probably rightly—that you wouldn’t want just anybody putting a RIS server on the network. So before you can get the RIS service working on a server, that server must be authorized in the Active Directory. For some reason, however, you don’t authorize it as a RIS server; you authorize it as a DHCP server. To do that, find a DHCP server and log in to it with an account that is a member of the Enterprise Administrators domain group. Click Start/Programs/Administrative Tools/DHCP. Click Action on the menu bar, and you’ll see the option Manage Authorized Servers; click that and you’ll see an option. Manage Authorized Servers. You then see the list of currently authorized DHCP servers like the one in Figure 5.13. FIGURE 5.13 List of current authorized servers

Here, you see that I’ve already got a server authorized named dun.win2ktest.com. Click Authorize and you’ll get a dialog box like the one in Figure 5.14, letting you punch in the IP address of the server that you’re going to make into a RIS server. FIGURE 5.14 Entering IP address of RIS server

Click OK, and it’ll confirm your choice, as Figure 5.15 shows.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

151

152

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

FIGURE 5.15 Confirming the new server

Note If you don’t know the IP address of the soon-to-be RIS server, go over to that server and log in to it. Then open a command prompt (Start/Programs/Command Prompt), type ipconfig, and press Enter. It will report the IP address; if you have several IP addresses, take the one in the section labeled Ethernet Adapter Local Area Connection rather than PPP Adapter.

Now that Active Directory is ready for RIS, let’s get RIS ready.

Installing RIS Next, you’ll put the RIS service on the server: 1. Log in to the server that you want to add RIS to, using an Administrator account, and open

the Control Panel (Start/Settings/Control Panel). 2. Start the Add/Remove Programs applet. 3. Choose the Add/Remove Windows Components icon. 4. A wizard screen labeled Welcome to the Windows Components Wizard will appear; click

Next and it will show you the optional server components, as you see in Figure 5.16. FIGURE 5.16 Windows Components screen

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

5. Scroll down and check the box labeled Remote Installation Services. Then click Next

and Finish. 6. You’ll be prompted to reboot, so reboot the server.

Running RISETUP When installing most Server 2003 services, you just choose the option in Windows Components, wait for the Control Panel to pull the new service off I386, reboot the computer, and it’s up and running. RIS is a bit more work than that, however, as RIS must claim its drive and set up SIS. For good measure, RIS also creates a first image. That first image is the simplest one possible—it’s just a copy of the I386 directory from the Windows Server 2003 CD-ROM, Standard Edition. (You could alternatively offer it XP Pro, XP Home, 2000 Server, or Professional. For that matter, you could offer it any version of Server 2003 as well.) Log in to the would-be RIS server with an administrative account and run RISETUP (either from a command prompt or click Start/Run, fill in risetup, and press Enter) and the Remote Installation Services Setup Wizard starts. The initial screen is shown in Figure 5.17. FIGURE 5.17 RISetup initial screen

Click Next and the wizard will quickly scan your drives looking for a likely place to keep RIS’s files. In my case, it found drive F:. It wants to create a directory named RemoteInstall, as you can see in Figure 5.18. After you click Next, RISetup will ask you if you want the server to respond to requests from PCs for operating systems, as shown in Figure 5.19. Inasmuch as you don’t have any useful images on the RIS server at the moment, tell the server not to respond to those requests.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

153

154

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

FIGURE 5.18 Suggested location for RIS images

FIGURE 5.19 Telling RIS to ignore requests until we’re done configuring it

Click Next and, as you can see in Figure 5.20, RIS will ask where to find an I386 of some type. Now’s a good time to pop the Windows 2000 Professional, Server 2003, XP Pro, or whatever kind of disc you like into your CD-ROM drive. Alternatively, if you have some operating system’s I386 directory on one of your hard disks, you can point RISetup there. (Think how useful this

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

is—you can pre-load a service pack onto an I386 on a hard disk and RIS then rolls your pre-SPed images!) Click Next and you’ll get the screen you see in Figure 5.21. FIGURE 5.20 Looking for a set of installation files

FIGURE 5.21 Folder name for the simple I386 option

Recall that a RIS server can have many images on it. Each image gets a folder within the RemoteInstall folder. This first, simple I386 image needs a name too, and RISetup suggests just Windows, which is probably fine for our needs. Click Next to continue and you’ll see a screen in which

you can describe the image, as shown in Figure 5.22.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

155

156

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

FIGURE 5.22 Describing the simple image

When someone plugs a new machine into the network and boots from the RIS-prepared boot floppy, he may be offered several choices of OS images to download. (After all, one of the things that RIS is supposed to offer is the ability to keep a bunch of images around for different uses.) This screen lets you add some descriptive text. Click Next and you’ll get a summary “this-is-your-lastchance” screen like the one in Figure 5.23. FIGURE 5.23 Checking on the settings

Click Finish and go away for a while. A screen like Figure 5.24 will appear. As you see from the screen, RISetup has a lot to do. It copies the I386 files over to its local folder, starts SIS, and does other housekeeping. Expect it to take 10 minutes or so at least.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

FIGURE 5.24 Progress indication screen

Checking That RIS Is Running RIS is a mite sparse on administrative interfaces, as you’ll see, so it can be hard to be 100 percent sure whether it’s up or not. The best way to see if RIS is running is to go to the Services snap-in (Start/ Run and type services.msc or look under Services in Computer Management) and look to see that these services are running: ◆ ◆ ◆

Remote Installation Single Instance Storage Groveler Trivial FTP Daemon

You’ll also see a number of events in the Event Viewer’s Application log: ◆ ◆ ◆ ◆ ◆

An Information event ID 4096 from Groveler An Information event ID 100 from ESENT An Information event ID 1003 from BINLSVC An Information event ID 1024 from BINLSVC Finally, an Information event ID 4097 from Groveler

Now, to look at these events, you’d think that everything is hunky-dory with RIS, and perhaps indeed it is. But remember that you have to approve RIS in Active Directory as if it were a DHCP server. If you don’t do that, you still get all of those comforting-looking events in the Application log. To see if RIS is actually not running because it’s not approved as a DHCP server in AD, flip over to the System log, where you’ll see an event ID 1046 from DhcpServer like this: The DHCP/BINL service on the local machine, belonging to the WindowsAdministrative domain win2ktest.com, has determined that it is not authorized to start.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

157

158

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

It has stopped servicing clients. The following are some possible reasons for this...

And it then goes on to enumerate some possible reasons, but basically it’s time to ensure that your RIS server can contact the AD and that it’s approved as a DHCP server. After authorizing a RIS server in DHCP, then in theory all you need do is to restart the Remote Installation Service on the RIS server, but in my experience it’s best to reboot the RIS server.

Enabling RIS for Clients Amazingly, after RISetup does its work, the RIS server does not reboot! But it’s time to put the RIS server to work, or at least to respond to requests for I386 installs. Make sure you are logged in as a domain administrator at the RIS server, then click Start/Run, fill in DSA.MSC, and press Enter. If the RIS server happens to be a domain controller, then it’s even easier—just click Start/Programs/ Administrative Tools/Active Directory Users and Computers. (Notice that you’ve got to start the DSA from Start/Run because for some reason Setup installs the Active Directory tools on all servers, but only puts entries for those tools on the Start/Programs menus of domain controllers.) In the left pane of the window, you’ll see an icon depicting several computers, intended to represent your domain. Open it (double-click or click the plus sign) and it’ll open to some folders, including one named Computers. It’s likely that your RIS server is there. Right-click the RIS computer’s icon and choose Properties. You’ll then see a properties page. On the property page, you’ll see several tabs, with one labeled Remote Install. Click that and you’ll see a page like the one in Figure 5.25. There’s not much in the way of an administrative and management interface for RIS, just this page and a few tabs on the Advanced screen, which you’ll see a bit later. FIGURE 5.25 Remote Install tab of the properties page for RIS server

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

On this screen, there’s not all that much to do except to turn it on. Check Respond to Client Computers Requesting Service, and it’s ready to go!

Installing an OS on a Workstation from the RIS Server It’s working; let’s give it a try. The RIS server is up on the network and the Active Directory knows about it. Suppose I have a computer that I want to put some RIS-compatible OS on (call it the target computer); these are the steps. The target computer gets the attention of the RIS server through something called the Preboot Execution Environment protocol, abbreviated PXE and pronounced “pixie.” Some computer vendors sell PCs with PXE in the BIOS. To connect a PXE-equipped PC to a RIS server, you don’t even need a floppy disk; you just plug it into the network, turn it on, and you’ll eventually get a prompt like “boot from the network y/n?” If you let it boot from the network, it’ll first seek out a DHCP server, then find an Active Directory server with DNS, and kick off RIS—all the code for doing that is in the PC’s BIOS ROM. Note You may have to adjust your system’s CMOS settings in order to tell it to try to boot from PXE rather than the hard disk, floppy, or CD-ROM. Exactly how you do that depends on your system. On my IBM T21 ThinkPad, I press F12 when I turn on the computer to tell it to choose to boot from the Intel Boot Agent. I’ve seen Dells where you tell it to boot “fromMBA.” Basically, though, here’s the approach: start up your system’s BIOS setup routine. You’ll usually (sorry for the weasel words, but this does vary from system to system, and not every system even allows you to do a PXE boot) see an option to arrange the boot order. On my T21, I get the five options for devices to boot from: the floppy, the hard disk, the CD-ROM, the Intel Boot Agent, and Network Boot, which I haven’t found a use for yet. I can then rearrange the boot order, so as to tell my system, “First try to boot from the Intel Boot Agent, and if that’s not available then try the CD-ROM, and if that doesn’t work then boot from the hard disk, and if that doesn’t work then boot from the floppy, and never try to boot from Network Boot.”

What’s that you say, your system isn’t PXE compliant? Well, you’re not barred from the RIS fun; you’ve got two ways to make your system a possible RIS client. First, you could buy a PCI NIC that has a ROM on it that contains a PXE client. Believe it or not, I’ve got a bunch of five-year-old test machines that run 400MHz Pentiums and they’re all PXE-bootable. How do I accomplish this? I just bought the “managed” versions of the Intel and 3Com Ethernet cards and replaced my old NICs with the new “managed” NICs. “Managed” usually means there’s a PXE-compatible boot ROM on the board, so I’m instantly PXE-friendly. But if you don’t feel like buying a new NIC, all’s not lost. Microsoft includes a utility with RIS that will generate bootable floppy disks that replace the PXE BIOS for the PXE-deaf among us. It’s called RBFG.exe, and you’ll find it on any RIS server in the \RemoteInstall\Admin\I386 directory. Run it and you’ll see a screen like Figure 5.26. Running it is pretty simple—just put a floppy into A: and click the Create Disk button. A great improvement over its older cousin, the Network Client Administrator, the Remote Boot Disk Generator (RBDG) doesn’t require that you provide it with blank floppies. That’s the good news. The bad news is that this will only work if your computer has PCI expansion slots and one of the 32 supported PCI network cards. (The good news is that under 2000 it was only 25 network cards.) Fifteen years’ experience with network software has made me conservative enough that almost all of my NICs are made by 3Com—not because I think 3Com makes a better card, but because I don’t

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

159

160

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

want to have to search after drivers—and so RBDG supports all of my machines. But that might not be the case for all of your systems. FIGURE 5.26 Remote Boot Disk Generator dialog box

Actually, let me take that back. Not all of my systems will work with an RBDG floppy—my older laptops won’t. As I mentioned earlier, only systems with mini-PCI type integrated network cards have a prayer of being supported. The Server 2003 flavor of RBDG has, however, a mini-PCI driver for 3Com NICs, which is good if your laptop has that kind of NIC. My newer laptops, however, have either the Intel mini-PCI or the Realtek mini-PCI. Does that leave me out? No, because fortunately my laptops not only have mini-PCI cards in them, they also have PXE clients in their ROMs, so, again, all’s not lost if your system doesn’t have one of the Magic 32 NICs in it. There’s some more bad news about RBDG. What about the fact that new network cards appear all of the time? It’s not unreasonable at all to suggest that a year after Server 2003’s release you might find yourself trying to install an OS on a system with a brand-spanking-new network card that RBDG simply doesn’t know how to handle. How do you introduce RBDG to a new set of drivers? Unfortunately, you can’t. Microsoft promised back in the Windows 2000 days that they would “periodically” update RBDG.exe, but the fact is that they never did. So let me say again that you may never need a PXE boot disk if you’re buying new computers. Any computer with a PXE BIOS and an integrated NIC can use RIS without any floppies at all—these computers have been designed to support RIS, so to speak, and so won’t need a floppy. As time goes on, it’s reasonable to hope that more and more computers will be “net-bootable.” In any case, if you generate a PXE boot disk, stick it into the target machine and boot the machine. You’ll see a screen with something like the following text: Microsoft Windows Remote Installation Boot Floppy Copyright 2001 Lanworks Technologies Co. a subsidiary of 3Com Corporation All rights reserved. 3Com 3C90XB / 3C90XC EtherLink PC Node: 00105AE2859F DHCP... TFTP................. Press F12 for network service boot

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

Press F12, and a text screen appears that says: Welcome to the Client Installation wizard. This wizard helps you quickly and easily set up a new operating system on your computer. You can also use this wizard to keep your computer up-to-date and to troubleshoot computer hardware problems. In the wizard, you are asked to use a valid user name, password, and domain name to log in to the network. If you do not have this information, contact your network administrator before continuing. Press Enter to continue

You are looking here at some client software downloaded from the RIS server called the Client Install Wizard. Look back to the first screen and notice the TFTP with all the periods after it—that was the Trivial File Transfer Protocol transferring a very simple text-based operating system to your computer. Tip But what if you don’t get a response from PXE? If your system just searches and searches for DHCP but gets no response, then check your network switches. I once worked at a site where we couldn’t get a PXE boot to work to save our lives. Then someone noticed that the Ethernet switches had a feature called “minimal spanning tree” enabled. Apparently it filtered or slowed down the DHCPDISCOVER broadcasts that the workstation did to find a DHCP server, and so the workstation never got an IP address from DHCP. So check your network infrastructure before you assume that a RIS client has bad hardware. And if it still doesn’t work, then think about putting a network packet analyzer on the network segment so that you can watch the DHCP/TFTP process. Also check the NIC. I had one RIS server that worked perfectly for 90 percent of my workstations, but 10 percent just plain couldn’t see it. The problem? It had a 10-megabit NIC and they had a 100-megabit NIC. Why that should trouble some 100Mb NICs and not others is a mystery to me, but you might want to be careful about matching 100Mb client NICs with 100Mb NICs on RIS servers. As I’ve said earlier, avoid multi-NIC systems for RIS servers.

What’s kind of interesting about this initial RIS setup screen is that the introductory screen, and all of the other text screens that you’ll see from the Client Install Wizard, are built on a slightly modified version of HTML. You can see the “source code” for that first screen by looking on the RIS server in \RemoteInstall\OSChooser\English directory and examining the file named welcome.osc. It looks like the following: <META KEY=ENTER HREF="LOGIN"> <META KEY=F3 ACTION="REBOOT"> <META KEY=ESC HREF="LOGIN"> <META KEY=F1 HREF="LOGIN"> <TITLE> Client Installation Wizard Welcome

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

161

162

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Welcome to the Client Installation wizard. This wizard helps you quickly and easily set up a new operating system on your computer. You can also use this wizard to keep your computer up-to-date and to troubleshoot computer hardware problems.

In the wizard, you are asked to use a valid user name, password, and domain name to log in to the network. If you do not have this information, contact your network administrator before continuing.

If you’ve got any familiarity with HTML, then understanding this is simple—things surrounded by angle brackets <> are tags, commands to the computer. They’re often in pairs like right and left parentheses— starts the “program,” ends it. That forward slash ( / ) indicates that it’s the end of a command—for example, <TITLE> Client Installation Wizard indicates that there’s a command, <TITLE> (which, as you can guess, puts a title in the screen), then there’s the text that’s supposed to go into the title, and then , which says, “That’s the end of the title text.” Again, they’re like left and right parentheses. The <META KEY> commands tell the wizard what to do when you press particular keys. <META KEY=ENTER HREF="LOGIN"> means, “When the user presses the Enter key, run the program login.osc.” <META KEY=F3 ACTION="REBOOT"> means that if the user presses the F3 key, then just reboot the system. My intent here isn’t to document the entire programming language—Microsoft hasn’t completely documented it yet, to my knowledge—but to point out that you could easily change the generic welcome text to something customized to your particular company. Anyway, once you press Enter, you’re prompted for a username, password, and domain. The account that you log in with must have the ability to create new computer accounts. You’ll next be advised that the process will delete any data on the existing hard disk: The following settings will be applied to this computer installation. Verify these settings before continuing. Computer account: ADMINMARK1 Global Unique ID: 0000000000000000000000105AE2859F Server supporting this computer: CADOTNET To begin Setup, press Enter. If you are using the Remote Installation Services boot floppy, remove the floppy diskette from the drive and press Enter to continue.

Here, the RIS client software has chosen a name for the computer, ADMINMARK1, that it constructed by taking my login name—ADMINMARK was the account I used at the time—and adding a number to it. The Global Unique ID, or GUID (pronounced “gwid”), is just an ID number that RIS assigned to that computer. PXE-capable machines all have a GUID built right into them, but machines using RIS boot floppies get a GUID constructed for them consisting of 20 hex zeros followed by their NIC’s MAC address. Finally, the Client Install Wizard tells you the name of the RIS server that it’s getting its image from. Once you press Enter to confirm, pop the floppy out of

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

the A: drive and walk away for a half hour or so. When you return, whatever OS you chose will be installed completely hands-off on the machine. RIS sets the system up like so: ◆ ◆ ◆

The new machine joins the RIS server’s domain. RIS repartitions the machine’s hard disk into just one large partition and formats that partition as NTFS, no matter how the drive was previously partitioned. The new system has all of the settings you’d find in a typical install.

Want to change any of that? Then you’ll need to create some system images.

Creating a System Image with RIPrep Even doing a no-frills installation on a new system with RIS is pretty nice. But it would be nicer to provide not only a vanilla operating system but perhaps a few settings and certainly an application or two—now, that would make the Ghost guys sweat! (But not sweat all that much, as you’ll see. Ghost is still better than RIS. But Ghost costs money, and RIS comes free with Server from the 2000 edition onward.) You can do such a thing, creating what’s called a RIPrep image format image. Here’s how you do it: 1. Set up a prototypical Win2K, XP, or Server 2003 system as you’d like it. Make sure that

all of the code and data are on drive C:—no other drives will be copied by RIS. 2. Run the Remote Installation Preparation Wizard (RIPrep), which strips the SIDs off the prototypical machine. 3. Once the image is on the RIS server, it’s available to new systems for installation. For my example, I’ve installed Office 2000 onto an XP Professional workstation. To create the RIPrep image, I log in to that prototypical machine with a domain administrator account. I then open up My Network Places and navigate over to my RIS server, the machine named CADOTNET. RIS creates a share called REMINST on every RIS server. I open REMINST, then I open up the folder inside labeled Admin, and then I open the folder inside that labeled I386. Inside is a file named riprep.exe. I double-click it and see the opening screen, as shown in Figure 5.27. Click Next to see the screen shown in Figure 5.28. FIGURE 5.27 Opening screen of RIPrep

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

163

164

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

FIGURE 5.28 Choosing the destination RIS server

You can send the resulting image to any RIS server; I’ll choose the one I’ve been working with, the server named cadotnet, and click Next, which leads to the screen in Figure 5.29. FIGURE 5.29 Naming the new folder

As with the CD image that RISetup insisted upon, this new image will need a folder name. Once I name the folder and click Next, a screen in which I add a description appears, as shown in Figure 5.30. Now, for RIS 2000 veterans, the next screen or two might be a surprise. RIPRep checks over the system looking for any showstoppers or warnings. For example, you can’t use RIS on a server acting as a domain controller, RIS server, or DHCP server. Because RIS will remove all existing local security information, you probably won’t be able to do much with local profiles, as you’ll see in Figure 5.31. Then RIPrep spends a few screens telling you that it’s going to shut down a few services and suggesting that you shut down any programs that you’re running, and finally, it confirms your choices, as you see in Figure 5.32.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

FIGURE 5.30 Describing the new folder

FIGURE 5.31 Profiles might not work warning

FIGURE 5.32 Final Riprep confirmation

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

165

166

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

Reconfiguring the Prototype After transferring the system image to the RIS server, you’re directed to reboot the prototype. You’ll then see something odd—it looks as if the prototype is running Setup all over again! In order to make the prototype’s image usable to RIS, RIPrep scrubs all of the user-specific settings and SIDs off the machine. Once you reboot, your system runs a kind of “mini-setup” to restore that information. Once the system reboots, you’ll be prompted to do the following: ◆ ◆

◆ ◆ ◆ ◆ ◆ ◆

Agree to the license agreement. In a move designed to irritate even the calmest administrator, you must re-enter the 25-digit product key (on those versions of Server that require a product key); you will also have to re-activate your copy of Server. Choose a keyboard and localization. Fill in a username and organization. Specify a computer name and password for the default Administrator account. Pick a time zone. Decide whether to do typical or custom network settings. Join either a workgroup or domain.

The mini-setup doesn’t take nearly as long as Setup did, however, as it’s not necessary to run Plug and Play. Nevertheless, it is a real time-waster.

Creating a “Flat” or “CD-ROM” Image Using RIS’s Ghost-like way of putting a complete system image on ice is useful, but I’m kind of partial to doing simple scripted installs, and RIS can do it my way as well. All I need do is to place an I386 for whatever OS I want to deploy on the RIS server, and then any RIS client will see an option to install from that I386. This is useful for two reasons. First, as I’ve said, it’s a nice way to be able to kick off installs from a central server (the RIS server), allowing me to store all of my installation files and scripts on one box. Second, being able to store I386es on my RIS server lets me store I386es that have already had a service pack slipstreamed onto them, as I’ve suggested before. Let’s see how to put an I386 from XP Professional onto my RIS server. I’ll slipstream Service Pack 1 onto it. First, let’s get the slipstreamed copy of XP’s I386 onto the RIS server’s hard disk. I’ve already talked about how to do this in this chapter, but here’s a reminder. First, copy the I386 from an XP Pro installation CD onto the RIS server’s hard disk; call it C:\XPPro\I386. Then expand XP’s Service Pack 1 and use the update.exe program to slipstream the service pack onto that I386: update -s:c:\xppro\

Next, get the I386 image in C:\XPPro\ into the RIS server: 1. Start up Active Directory Users and Computers (it’s either on your Start menu as Start/

Programs/Administrative Tools/Active Directory Users and Computers, or click Start, then Run, type DSA.MSC, and press Enter).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

2. Open the folder labeled Computers and find the RIS server. Right-click its icon and choose

Properties, then click the tab labeled Remote Install. 3. At the bottom of that tab, you’ll see a button labeled Advanced Settings; click it. You’ll see another properties page with three tabs labeled New Clients, Images, and Tools. Click the Images tab and you’ll see something like Figure 5.33. FIGURE 5.33 Listing of images on your RIS server

4. You’ll see a listing of the images that your RIS server has. If you’ve just installed it, then you’ll

probably only have one image, with a name like Windows .NET Standard Server. Click the Add button at the bottom of the page and you’ll see a screen like Figure 5.34. FIGURE 5.34 Adding a new image

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

167

168

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

5. Notice that RIS lets you create an “image” simply by writing a script and associating that with

an existing I386 directory, or it’ll let you introduce a whole new I386 directory, as I’ve checked. Choose Add a New Installation Image and click Next. 6. This starts off a wizard that basically just asks you where to find the image ( C:\Xppro\I386, in this example); click Next and it’ll ask you what to call the new folder, as you see in Figure 5.35. FIGURE 5.35 What to call the new folder

7. Here, I’ve called it XP-SP1. That means that the I386 files will go on my RIS server’s SIS drive

into a folder named \RemoteInstall\Setup\English\Images\XP-SP1. Click Next and RIS will want a “friendly name” for this image, as you saw when you created other RIS images. Click Next from that and you’ll see a question about the “client installation screens,” as you see in Figure 5.36. FIGURE 5.36 What to do with the client installation screens

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

8. The client installation screens are the HTML-like files that control what the user sees when

first connecting to the RIS server. I’d just leave them as is, as you see on the screen. Click Next a couple more times and RIS will copy the I386 into the \RemoteInstall\Setup\English\ Images\XP-SP1 directory (or whatever you named it) and add that image to its list of images.

Creating a Scripted Image One subtype of “flat” images is a scripted image. By default when you install an I386 image like the one you just did, then RIS installs it hands-off, with no user intervention. How, you might wonder, does it do that? Well, it turns out that RIS has a prebuilt answer file like the winnt.sif that we built earlier in this chapter. That basic script installs the defaults and joins a system to the domain. But where is that script? I just told you that XP-SP1 got its own folder on the RIS server in \RemoteInstall\Setup\English\Images\XP-SP1 folder. Inside that folder is a folder named \RemoteInstall\ Setup\English\Images\XP-SP1\I386\Templates, which contains a file named RISTNDRD.SIF. It’s a script like the ones that you’ve seen so far, although not exactly the same; you may recall that Setup Manager offered as one of its options the ability to create a RIS script. But you may not want to go with the no-frills RISTNDRD.SIF script. You may make your own customized one; but how to introduce it to RIS? Very simply; RIS sees a script as an image all itself. Just start up the wizard to add a new image, as you just read how to do. But instead of choosing Add a New Installation Image, choose Associate a New Answer File to an Existing Image when in the wizard panel shown back in Figure 5.34.

Delivering a RIPrep Image to a Target PC Now that you know how to create a system image, a flat image consisting of a new I386, or a flat image consisting of a new script, how do you deliver that image to a target PC? In exactly the same way that you got the first one onto a target PC. Either press F12 when the PXE ROM tells you to or boot from an RBDG-generated floppy. Note You do not need to build a separate RBDG-generated floppy for each system. You can build just one and carry it with you, using it to start as many different RIS image transfers as you’d like. Or, as you’ve already read, your newer systems may already have PXE boot abilities in their BIOS, and you therefore don’t need a floppy to get a RIS install started.

Now that you’ve got more than one image on your server, the Client Installation Wizard will offer you one more screen. After you log in, it’ll list the available images and their descriptions, allowing you to choose one. Then, as before, it’ll remind you that it’s about to destroy any data on the hard disk and, from there, all you need do is to pop that RBDG floppy out of the floppy drive, walk away, and come back in a half-hour—the entire install is hands-off. Warning Once again, don’t take the “this will zap the hard disk” warning lightly. If (for example) your RIPrep image is based on a system with a 1500MB C: drive formatted as FAT32, then RIS will repartition and reformat the C: drive of the target PC to 1500MB and FAT32 no matter how the drive was partitioned on the target PC before. RIS will leave any remaining space unpartitioned.

Authorizing Users to Let RIS Create New Computer Accounts The idea, then, with RIS is this: Joe comes into your office and tells you that his computer’s hosed, and would you reinstall his operating systems and applications when you get a chance? You reply that Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

169

170

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

you’ve got an even better idea and hand him an RBDG floppy. You tell him to boot it, press F12 when prompted, then log in to the Client Installation Wizard and choose the Standard Productivity Desktop option, an image that you’ve built with all of the company’s standard desktop software— Office, Palm’s HotSync software, and Lotus Organizer. Now, if Joe goes back and tries this, he’ll see an error message like this: The user Joe currently logged in to this computer does not have the permissions needed to create a computer account or modify the computer account NEWPC (NEWPC$) within the domain apex.com. This error may also indicate that the server CADOTNET supporting this client cannot contact the directory service to perform the operation. Restart this computer and try again. If the problem persists, contact your network administrator for assistance.

What’s going on here is that, in the process of installing the RIS image on Joe’s machine, RIS must also create a machine account—remember, in domains, machines have accounts just as people do— and not just any old user can create machine accounts. By the way, he also has to be able to delete machine accounts, as there’s probably already a machine account floating around that has the same name as the one he’s about to create, as well as a few other machine permissions. But what permissions does he need? Joining a machine to a domain is actually sort of complicated. Here’s what’s going on: ◆

◆

First, not just anyone can tell a given workstation that it’s going to join a domain. Only someone with a local administrator account can tell a machine to join a domain. Therefore, if you’ve got a machine that’s already installed and you want to join it to a domain, you should first log on as someone who’s a member of the machine’s local Administrators group. And remember that just because you’re an administrator on one machine, you may not be one on another. Second, it’s one thing for a machine to want to join a domain; it’s quite another for a domain to be willing to accept that machine as a member. Joining a machine to a domain, then, requires help from someone with a certain amount of administrative power not on the machine, but on the domain. That’s why when you’re joining a machine to a domain the machine will pop up a dialog box asking you to log in. What it’s saying here is, “Okay, I [the machine] accept that you have the authority to tell me to join this domain, but this isn’t going to work unless you have the authority to tell the domain to accept me; can you give me the name and password of a domain account that can do that?”

Those are the basics. But in many cases we’re not just installing, we’re reinstalling. That adds a subtle but important wrinkle. Suppose you have a workstation named MYPC. It’s gone south and you decide that just blowing up the system and reinstalling it is the way to go. You’ve got a RIS-bootable system, and so you kick off a RIS boot. Now, by default RIS comes up with some goofy machine name for you automatically, but you don’t like that, and so you modify RIS’s scripts (I’ll show you how in a bit) to let you specify a particular machine name. Of course, you choose MYPC. The RIS install goes all right for a while, but then it stops and says that it can’t join you to the domain. To make things even stranger, it occurs

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

to you that you first installed this system with RIS and gave your system the name MYPC at the time, and RIS took that without a complaint. What’s different? What’s different is that the first time, RIS only had to create a brand new machine account named “MYPC$.” (Remember that machines get account names equal to the machine name with a $ tacked on the end.) That only required the power to create a new machine account. And, as it turns out, regular old nonadministrative users have the ability to create 10 machine accounts in their lifetime. (Don’t ask me why Microsoft set it up that way, I have no idea.) But they don’t have the power to delete machine accounts. Or change the passwords on machine accounts. When you tried to reinstall an OS on MYPC and tried to join a domain as MYPC, then the domain looked around and said to itself, “Hmmm, that’s not right… there’s already a MYPC account. I don’t want to overwrite some poor machine’s account,” and denied the request. What you were really asking the domain to do was to first delete the MYPC account (or simply change its password, depending on what OS you’re using), and your regular old user account didn’t have the power to do either of those things. But you can change that. If you like, you can create a whole new group called Installers. Then we’ll give the group the power to change machine passwords and delete machine accounts. Then, when Joe wants to reinstall his computer, all you have to do is to just put him in the Installers group for the day. When his system is reinstalled, just take him out of the Installers group. Now, creating the Installers group will be a bit of a lengthy procedure, but you’ll only have to do it once. Note This is a neat example of something that you’re going to learn in an upcoming chapter about Active Directory. Active Directory lets you create groups of administrators with sets of powers that you can control very finely. It’s part of a process called delegation, and we’ll take it up in detail in the Active Directory chapter.

Creating the Installers Group You’ll find creating the Installers group easiest while sitting at a domain controller: 1. Log in using an account with domain administrator rights and then start the Directory Service

2. 3.

4. 5.

Administrator DSA.MSC by clicking Start/Administrative Tools/Active Directory Users and Computers. In the left pane, you’ll see an icon representing your domain with a plus sign next to it; click the plus sign to expand the domain. Next, create the Installers group. Right-click the Users folder and choose New/Group. That raises a dialog box called Create New Object–(Group). In the field Name of New Group, type in Installers. This will create a global group named Installers, which is what you want, so click OK and the dialog will close. Back in the DSA’s menu, click View/Advanced Features. That will show the Security tab on the properties page, which will be essential to give Installers the permissions that it needs. Next, you’re going to give the Installers group the ability to create new computer accounts and by default computer accounts go in a folder labeled Computers, so right-click the folder, icon labeled Computers and choose Properties. You’ll get a dialog box named Computers Properties.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

171

172

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

6. Click the Security tab in the properties page. Installers doesn’t currently have any permissions,

7.

8. 9.

10.

11.

12.

13. 14. 15.

so you’ll need to add a record for them. Click the Add button and you’ll now see a dialog named Select Users, Computers, or Groups. Type in Installers and then, just for good measure, click Check Names. It’ll think about it for a second. Once it’s checked that there is indeed a group called Installers, Installers will be underlined. Click OK. Back in the Computer properties page, find Installers in the Name list box and click it, then click the Advanced button. You’ll see a dialog box labeled Advanced Security Settings for Computers. Again, locate Installers—this part of the operating system isn’t intended for regular old users, so the UI’s a bit convoluted here—to indicate the Installers record that you created. It’ll currently have some very basic permission like Read or the like. Click the Edit button. Now you’ll see a dialog named Permission Entry for Computers. Scroll down in the list box labeled Permissions to find the Create Computer Objects permission. You’ll see two columns of check boxes, one labeled Allow and the other Deny. Check the Allow box. Click OK to clear the Permission Entry for Computer Objects dialog box. That permission made the folders accept the new machine objects. But once created, Installers have very limited control over the machine accounts themselves. They can delete or modify machine accounts, but only the ones that they created. Now, if you only want users to have the power to reset machine accounts that they created, you can stop here and skip down to step 14. But if you want Installers to be able to reset even machine accounts that they did not install, then let’s keep going. From the Access Control Settings for Computers dialog box, click Add, choose Installers again, and click OK. The Permission Entry for Computers dialog box then appears. Click the Apply Onto drop-down list box and choose Computer Objects. Check the Allow box next to the Write All Properties, Change Password, and Reset Password permissions. In the lower left corner of the page, check the box that says Apply These Permissions to Objects and/or Containers within This Container Only. Click OK and you’ll return to the Advanced Security Settings for Computers dialog box. Scroll down in the Permission Entries list box and you’ll see that there are now two or five new entries for Installers, depending on how much power you decided to give Installers. Click OK to dismiss the Advanced Security Settings dialog box. Click OK to dismiss the Computers properties page.

Now that that’s done, you can put Joe into the Installers group: 1. 2. 3. 4. 5.

Open the Users folder and locate the Installers group. Right-click Installers and choose Properties. Click the Members tab. Click the Add button. Find Joe’s account, click Joe, click OK, and then click OK again.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

Finally done. Yes, that was a bit of work, but worth it in the end, I think.

Restricting RIS Image Choices Once you turn Joe loose with that floppy, you might not want him accidentally loading the wrong image. He might just decide that he’d love to download the Programmer’s Workstation image, complete with the C++ and Java compilers, interactive debuggers, and the like—none of which he has any use for. You can, as it turns out, keep him from seeing all of the images on the RIS server. But you’d never guess how you do it. The RIS server has a set of directories that exist in \RemoteInstall\Setup\English\Images. If you’ve got a simple I386 installation called Windows, then its image is in \RemoteInstall\Setup\English\ Images\Windows. Each RIS image, then, has a directory inside \RemoteInstall\Setup\English\Images; remember that. Each image contains a folder named I386, which contains yet another folder named Templates. That folder contains a file named with the extension .sif. It’s an answer file that RIS uses to be able to do the installation without any user intervention. So, for example, if you have an image called Programmers, there’s an SIF file in \RemoteInstall\Setup\English\Images\I386\Templates. The way that you keep Joe out of the Programmers image is to set the NTFS permissions on the SIF file so that he’s denied Read access. Once RIS sees that he’s not supposed to see the file, the Programmers image won’t even be offered to him.

Advanced RIS Those are the basics about Remote Installation Services. But before you go running off to take advantage of them, you should know about some fine points. Advanced RIS I: Using $OEM$

Once you start getting a bit fancy with your RIS-based installs, you’ll soon pine for the power of the $OEM$ folder. So you might tunnel down into your \RemoteInstall\Setup\English\Images\ whateveryoucalledit\I386 folder and place an $OEM$ folder inside that I386 folder, hoping to see some of $OEM$’s power transferred to RIS. But it won’t work. The problem? For some bizarre reason, RIS installs need the $OEM$ folder at the same directory level as I386, not inside it. So, for example, if I created an image folder just called serverinst, then I’d place the $OEM$ folder at \RemoteInstall\Setup\English\Images\serverinst\$OEM$, not \RemoteInstall\ Setup\English\Images\serverinst\I386\$OEM$. Advanced RIS II: Building RIS Scripts

If you’ve built a few RIS flat images, then you know that by default RIS will wipe the first physical hard disk on a target computer, make that first drive one big NTFS volume, and do a mainly unattended installation of your OS—“mainly” because it’ll prompt you for a product key. Unattended is good; mainly unattended isn’t. So let’s see how to script a RIS install. As with the winnt.sif-style scripts, you can use the Setup Manager to create RIS scripts. But I find that the Setup Manager isn’t much help here. I pretty much use Setup Manager to create a basic script, then I hand-adjust it, as you saw earlier in this chapter.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

173

174

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

But there’s no need to have Setup Manager create a basic script for RIS—you see, every RIS install gets its own basic script, called ristndrd.sif. Look in the I386 directory of any RIS image directory and you’ll see a directory named Templates. Inside that is a file named ristndrd.sif. Mine looks like the following. [data] floppyless = "1" msdosinitiated = "1" OriSrc = "\\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%" OriTyp = "4" LocalSourceOnCD = 1 DisableAdminAccountOnDomainJoin = 1 [SetupData] OsLoadOptions = "/noguiboot /fastdetect" SetupSourceDevice = "\Device\LanmanRedirector\%SERVERNAME%\RemInst\%INSTALLPATH%" [Unattended] OemPreinstall = no FileSystem = LeaveAlone ExtendOEMPartition = 0 TargetPath = \WINDOWS OemSkipEula = yes InstallFilesPath = "\\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%" LegacyNIC = 1 [UserData] FullName = "%USERFIRSTNAME% %USERLASTNAME%" OrgName = "%ORGNAME%" ComputerName = %MACHINENAME% [GuiUnattended] OemSkipWelcome = 1 OemSkipRegional = 1 TimeZone = %TIMEZONE% AdminPassword = "*" [LicenseFilePrintData] AutoMode = PerSeat [Display] BitsPerPel = 16 XResolution = 800 YResolution = 600 VRefresh = 60 [Networking]

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

[NetServices] MS_Server=params.MS_PSched [Identification] JoinDomain = %MACHINEDOMAIN% DoOldStyleDomainJoin = Yes [RemoteInstall] Repartition = Yes UseWholeDisk = Yes [OSChooser] Description ="Microsoft Windows .NET Standard Server" Help ="Automatically installs Microsoft Windows .NET Standard Server without prompting the user for input." LaunchFile = "%INSTALLPATH%\%MACHINETYPE%\templates\startrom.com" ImageType =Flat Version="5.1 (0)"

This won’t need all that much in the way of changes because, after all, it’s already able to direct an almost-unattended installation. But here are a few changes that I made to make my Server-installing RIS image more useful for me. First, I added a ProductKey= line to the [UserData] section. That kept it from stopping to prompt me for a product key. Next, I changed OEMPreinstall=No to OEMPreinstall=Yes, so I could then set up an $OEM$ directory (at the same directory level as I386, recall, not inside I386) and get the benefits of $OEM$— cmdlines.txt, preloaded files and directories, extra driver directories, and so on. That also let me include an [OEM_Ads] section to specify background and logo bitmaps for the install—not necessary items, but I like them and clients like when I set them up, as it makes an install look like a “company brand” install rather than a Microsoft commercial. Then I changed the [Identification] section. RIS normally uses some command that refers to an “oldstyledomainjoin” that seems to work fine if you let RIS pick the machine name, but if you want to pick your own, then it seems not to work unless you do it by specifying a user account and password that can create and destroy machine accounts. Again, it needn’t be an actual domain administrator—just someone from the Installers group will do fine. Then I changed the [Display] section so that the systems come up on 1024×768 resolution rather than the unwieldy 640×480. I used [Components], as before, to remove the games and to enable Terminal Services, and [FavoritesEx] to preconfigure defaults for Internet Explorer. I ended up with a script that looks like this; I have highlighted the lines that I added or modified: [data] floppyless = "1" msdosinitiated = "1" OriSrc = "\\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%" OriTyp = "4" LocalSourceOnCD = 1 DisableAdminAccountOnDomainJoin = 1

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

175

176

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

[OEM_Ads] background=backg.bmp logo=logo.bmp [SetupData] OsLoadOptions = "/noguiboot /fastdetect" SetupSourceDevice = "\Device\LanmanRedirector\%SERVERNAME%\RemInst\%INSTALLPATH%" [Unattended] OemPreinstall = yes FileSystem = LeaveAlone ExtendOEMPartition = 0 TargetPath = \WINDOWS OemSkipEula = yes InstallFilesPath = "\\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%" LegacyNIC = 1 [UserData] FullName = "%USERFIRSTNAME% %USERLASTNAME%" OrgName = "%ORGNAME%" ComputerName = %MACHINENAME% ProductKey="11111-22222-33333-44444-55555" [GuiUnattended] OemSkipWelcome = 1 OemSkipRegional = 1 TimeZone = %TIMEZONE% AdminPassword = "*" [LicenseFilePrintData] AutoMode = PerSeat [Display] ConfigureAtLogon = 0 BitsPerPel = 16 XResolution = 1024 YResolution = 768 VRefresh = 72 AutoConfirm = 1 [Networking] [NetServices] MS_Server=params.MS_PSched [Identification] JoinDomain=%MACHINEDOMAIN% DomainAdmin=machineguy DomainAdminPassword=swordfish

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

[RemoteInstall] [data] floppyless = "1" msdosinitiated = "1" OriSrc = "\\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%" OriTyp = "4" LocalSourceOnCD = 1 [SetupData] OsLoadOptions = "/noguiboot /fastdetect" SetupSourceDevice = "\Device\LanmanRedirector\%SERVERNAME% \RemInst\%INSTALLPATH%" [Components] Solitaire=Off Minesweeper=Off Pinball=Off [FavoritesEx] Title1="Mark Minasi Home Page.url" URL1="http://www.minasi.com" [Branding] BrandIEUsingUnattended=Yes [URL] Home_Page=about:blank

Now, how did I make that change take effect? Simple—I made the changes to the ristndrd.sif file and just resaved ristndrd.sif to its original location. Alternatively, I could have written another script and then gone to the Advanced button of the RIS page on Active Directory Users and Computers, as you saw me do a few pages back. If I wanted to, I could have any number of scripts all doing unattended installs from the same Server I386 directory. Advanced RIS III: Modifying the Client Wizard

If you implemented something like the preceding script, then you might have noticed a sort of annoying thing about RIS: machine names. By default—and it takes a bit of doing to defeat the default, so to speak—RIS names the first machine that you install yourusername1, the second yourusername2, and so on. For example, I just started a RIS install of a server and, when the Client Installation Wizard asked me to log in, I logged in as ADMINMARK so RIS named the server ADMINMARK1. I’d much prefer it if the Client Installation Wizard would just ask me what to call the server. Look back to the line in the ristndrd.sif script that names the server: ComputerName = %MACHINENAME%

So, clearly some kind of environment variable is set by RIS, and the value in the environment variable is then used to name the machine. As a matter of fact, a close look at ristndrd.sif shows several of these environment variables—%MACHINEDOMAIN%, %TIMEZONE%, %ORGNAME% and the like—that RIS somehow constructs and then passes to the Setup routine on a computer that RIS installs. Is there a way for us to directly control those variables, and therefore to have greater control over how RIS installs the server? Yes. As a matter of fact, you can even create new environment

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

177

178

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

variables—but to see how that works, let’s go back and reexamine all of those .osc files. On your RIS server, there’s a directory named \RemoteInstall\Oschooser\English. In that directory, you’ll find (on my system, anyway) 45 text files with the extension .osc. I don’t pretend to understand entirely how they work, but here’s what I’ve pieced together from a variety of sources. When you first connect to a RIS server, you get a screen driven by the file welcome.osc. Let’s revisit that file: <META KEY=ENTER HREF="LOGIN"> <META KEY=F3 ACTION="REBOOT"> <META KEY=ESC HREF="LOGIN"> <META KEY=F1 HREF="LOGIN"> <TITLE> Client Installation Wizard Welcome

Welcome to the Client Installation wizard. This wizard helps you quickly and easily set up a new operating system on your computer. You can also use this wizard to keep your computer up-to-date and to troubleshoot computer hardware problems.

In the wizard, you are asked to use a valid user name, password, and domain name to log on to the network. If you do not have this information, contact your network administrator before continuing.

First, notice the <META> commands. They define what happens when you press one key or another. I’ve seen two variations on the <META> command—the HREF and the ACTION variations. For example, <META KEY=ENTER HREF="LOGIN">

This tells the Client Installation Wizard that if the user presses the Enter key, then the wizard should next find and load the file login.osc. Like an HTML “” tag, it provides a link to another OSC file. But now consider this <META> command: <META KEY=F3 ACTION="REBOOT">

This time, pressing F3 doesn’t take you to a file reboot.osc. Instead, “REBOOT” means just what it sounds like—it tells the wizard to reboot the computer. Other ACTION= values that I’ve seen include LOGIN Takes the information on the screen (this shows up in the wizard panel that asks you to log in) and tries to log in to an Active Directory domain.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

ENUM IMAGES This seems to tell RIS to take all of the operating system images available on this server and only show users the options that they have access to—remember that you can keep users from seeing images by adjusting the file and directory permissions on that image. Clearly, then, the job of welcome.osc is to get you to press Enter so that you’ll next go to That looks like this:

login.osc.

<TITLE> Client Installation Wizard Logon <META KEY=F3 ACTION="REBOOT"> <META KEY=F1 HREF="LOGINHLP"> <META KEY=ESC HREF="LOGIN"> <META ACTION="LOGIN">

Type a valid user name, password, and domain name. You may use the Internet-style logon format (for example: [email protected]).

Press the TAB key to move between the User name, Password, and Domain name fields.

You are connected to %SERVERNAME%

Looking at the <META>s up top shows that they either reboot you, get help, or—<META ACTION=“LOGIN”>—commence the Active Directory logon. But where do we go next? To see that, look at the

command as well as the next four lines. This defines a simple “form” on the screen. The form gathers three pieces of information—your username, your password, and the name of the domain that your account is a member of. Here, then, is what this

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

179

180

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

command is doing: first, it collects values for USERNAME, PASSWORD, and USERDOMAIN. Then, once you press Enter to indicate that you’re done entering those values, the form moves you along to “CHOICE.” But what is CHOICE? Well, apparently the “ACTION=” parameter means something a little different in a than it does in a <META>, as it just takes you to the screen defined by choice.osc. But here’s where things get a bit weird. Here’s what’s in choice.osc: <META KEY=F3 ACTION="REBOOT"> <META KEY=F1 HREF="CHOICHLP"> <META SERVER ACTION="DNRESET"> <META SERVER ACTION="FILTER CHOICE"> <TITLE>Client Installation Wizard Main Menu

Use the arrow keys to select one of the following options:

Description: <TIPAREA>

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

Here’s the weird part: I’ve never seen this screen appear, no matter how I set up RIS. But I did notice that a screen flashes by very quickly with the words Main Menu in its upper-right corner (one of the benefits of working with slow machines is, I suppose, that you can see a little more of what they’re up to—with a 2GHz box, I might not have seen the Main Menu) before moving to a screen that is clearly created by a different file, oschoice.osc. I theorized that the two <META SERVER> commands were the things causing me to skip ahead to oschoice.osc, so I tried removing them, and my Client Installation Wizard did indeed stop at a screen labeled Main Menu. Even better, one of the options in the Main Menu was to specify my machine’s name! Why, then, did Microsoft write choice.osc so that it always zips past any user input? I haven’t a clue. But if you remove the two lines, as I did, and choose the Main Menu option Automatic Setup, then the script seems to say that next the wizard panel osauto.osc should load. It’s just one line: <META SERVER ACTION="CHECKGUID OSCHOICE DUPAUTO">

Which seems to tell the system to run the oschoice.osc panel, so let’s look at that next: <META KEY=F3 ACTION="REBOOT"> <META KEY=ESC HREF="CHOICE"> <META SERVER ACTION="ENUM IMAGES"> <TITLE> Client Installation Wizard OS Choices

Use the arrow keys to select one of the following operating systems:

Description: <TIPAREA>

This seems to figure out which images you’re eligible to install. It appears the server passes the list of images to a form (

) through a variable called %OPTIONS%. Whichever you choose goes into an environmental variable called SIF, and it appears to next take you to warning.osc—which basically just puts up a “warning, you’re about to blow away anything on the hard disk, are you sure?” kind of message; when you press Enter, it takes you to install.osc, which looks like this: <META KEY=ESC ACTION="REBOOT">

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

181

182

CHAPTER 5

SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

<META KEY=ENTER ACTION="REBOOT"> <TITLE> Client Installation Wizard Installation Information

The following settings will be applied to this computer installation. Verify these settings before continuing.

Computer account: %MACHINENAME%

Global Unique ID: %GUID%

Server supporting this computer: %SERVERNAME%

To begin Setup, press ENTER. If you are using the Remote Installation Services boot floppy, remove the floppy diskette from the drive and press ENTER to continue.

This panel also basically just displays some information. But notice something odd about the <META> commands—they say that no matter whether you press ESC or Enter, you’ll reboot. But you’d think that “reboot” would, well, reboot the computer—which would sort of abort the whole RIS process. But no—on this particular panel, “reboot” means “full speed ahead!” for the RIS install. So, we’ve seen that a standard RIS install progresses from welcome.osc to login.osc to choice.osc (in “stealth” mode) to osauto.osc (also “stealthed”) to oschoice.osc to warning.osc and then finally to install.osc. Here’s where I’m going to make use of this to control the machine name: I’ll add an extra panel between oschoice.osc and warning.osc and include a form that gives the user the ability to enter a machine name. Looking back at oschoice.osc, you recall that we got from oschoice.osc to warning.osc by way of the form in oschoice.osc: the command. That’s where I’ll break the chain from oschoice.osc to warning.osc, by modifying that one item in oschoice.osc from to . Using the other .osc files as a model, I then come up with this file, which I name pickname.osc: <META KEY=ESC ACTION="REBOOT"> <META KEY=F3 HREF="OSCHOICE"> <TITLE>Client Installation Wizard Choosing Names

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES

Machine Name:
%OPTIONS%

This is a footer

CDONTS reported an error:” & Err.Description & “.

” ‘ ‘ Second mail: A piece of HTML mail ‘ Set objNewMail = Server.CreateObject(“CDONTS.NewMail”) objNewMail.From = fromaddr objNewMail.To = toaddr objNewMail.Subject = “Simple HTML mail test” objNewMail.Body = HTML objNewMail.BodyFormat = 0 ‘1=text, 0=HTML objNewMail.MailFormat = 0 objNewMail.Importance = 1 objNewMail.Send if Err <> 0 Then Response.write “

CDONTS reported an error:” & Err.Description & “.

and

elements of the document, which may not correctly characterize that document. Click the other tab, Tracking, and you’ll see a page like the one in Figure 17.104.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1417

1418

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

FIGURE 17.103 Indexing Service properties

FIGURE 17.104 Tracking tab in Indexing Service properties

The Tracking tab just includes one check box, Add Network Share Alias Automatically, and it’s checked by default. This ensures that if Indexing Service indexes a drive that it sees as a mapped drive letter, it remembers not only the drive letter, but the entire UNC. For example, if you’ve mapped \\server01\data to X: and indexed X:, then Indexing Service would remember that those files are

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONFIGURING AND TROUBLESHOOTING INDEXING SERVICE AND BUILDING WEB-BASED QUERY PAGES

available at \\server01\data even if you don’t have that UNC mapped back to X: when you try to retrieve the indexed documents. Standard Catalogs

Even if you’ve never used Indexing Service before, you’re likely to already see two catalogs: one called System and, if you’re running a Web server on the computer, another catalog called Web. As their names suggest, they index system information and whatever content there is on your Web server. Personally, the first thing I do is to delete both of them. Having my entire Web site as well as every hard disk on my server indexed gives me the heebie-jeebies. I mean, why not just make it easy for crackers to spy on my system once they’ve cracked Indexing Service? My feeling is that I’ll decide what gets indexed on my system, thanks very much. To delete a catalog, you must stop the Indexing Service. Then just left-click the catalog and press the Delete key, or right-click the catalog and choose the Delete option from the context menu. Creating a Catalog

You create a catalog in Indexing Service by right-clicking the Indexing Service icon and choosing New and then Catalog to raise a dialog like the one in Figure 17.105. FIGURE 17.105 Creating a new catalog

This dialog box, labeled Add Catalog, contains just two text fields: Name and Location. In Name, just fill in the descriptive name of your catalog—no spaces allowed! This name doesn’t have to relate in any way to the name of the directory that you’re going to index. For example, I named the catalog for my online newsletters “Newsletters” even though they don’t reside in a directory named Newsletters. Location is the location of the catalog files, not the files to be cataloged. This was what I was talking about a while back: specify a location for your catalog that is different from the location to be cataloged. For example, if I were indexing newsletters in a directory named C:\Newsletters, I might put the catalog’s location in, say, C:\Newsletter Index. But no matter where you put the catalog, remember not to put it in wwwroot or anywhere under that directory. If Indexing Service is off when you create the catalog, you’ll get a dialog to that effect: “Catalog will remain offline until Indexing Service is restarted.” No surprise there. Tell It What to Catalog, and What Not To

Now Indexing Service knows that you want to catalog something, but it doesn’t know what. So add one or more directories to its list of things to index. Right-click the catalog’s icon and choose New/Directory and you’ll see a dialog box like the one in Figure 17.106.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1419

1420

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

FIGURE 17.106 Adding a directory to the catalog

That dialog asks you to fill in the path and, if relevant, the UNC of the directory to catalog. If the directory points to a network resource, type in a username and password to be used to access the directory. Next to that is an odd-looking set of radio buttons asking, “Include in Index?” Is this about the dumbest question you can imagine, or what? Here you are, adding a directory to a catalog—whose sole function in life is to index data, and this dialog asks if you want to index the data. What were they thinking? Well, Indexing Service not only indexes the top level of the directory that you specify, but any subdirectories as well. So suppose I’ve decided to index C:\Newsletters, as it contains my old newsletters. But suppose that inside the C:\Newsletters directory is a C:\Newsletters\ In-Progress directory, where I keep my newsletters that I’m still working on. Well, by default, Indexing Service would catalog that directory as well—so a well-placed query would let you see my newsletters before I’m even finished writing them! That’s not what I want, so I might add C:\Newsletters, as I’ve described, and then add C:\Newsletters\In-Progress—and then tell Indexing Service not to include C:\Newsletters\In-Progress in the catalog. The net effect would be to defeat Indexing Service’s natural inclination to index everything in C:\Newsletters, even my work-in-progress directory. You can also block Indexing Service from cataloging a file or directory by using that file or directory’s advanced attributes. Locate the file or directory in Windows Explorer or My Computer, right-click the file or directory, choose Properties, and then click the Advanced button in the General tab to open the Advanced Attributes dialog box (shown in Figure 17.107). FIGURE 17.107 A folder’s advanced attributes

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONFIGURING AND TROUBLESHOOTING INDEXING SERVICE AND BUILDING WEB-BASED QUERY PAGES

Uncheck the option labeled For Fast Searching, and the folder will be essentially invisible to Indexing Service. Consider File Permissions, or Your Catalog Won’t Work

Sometimes security gets in the way of Indexing Service. So take a minute and consider the file and directory permissions on the things that you want to index. When I first used Indexing Service, it drove me absolutely crazy. It could index many files, but not the ones that I wanted—not the ones on my Web server. I set up a pristine new computer, built a catalog on it with copies of the exact same data files that I wanted to index, and it worked…but not on my Web server. Then it dawned on me: I’d monkeyed with the directory permissions on my server. My original plan had been to adjust the permissions so that the IUSR account didn’t have access to parts of the disk that it had no need to have. But in the process of disconnecting some directory permissions from inheriting permissions from their parent directory, I cleared all previous permissions. Including the System account. But, as you’ve already learned, the Indexing Service runs under the System account. And therein lay the problem. I’d set up the catalog right; I’d just denied Indexing Service the ability to actually read the files that I wanted it to index. Now, in my defense, let me just squawk a bit that it’d have been nice if Microsoft offered a verbose logging feature of Indexing Service, where I’d have gotten a clue a bit earlier…but it was still dumb on my part. So let’s stop for a minute and consider permissions. ◆ ◆

Indexing Service needs to be able to read whatever you want cataloged, so make sure that System can read whatever you’re cataloging. Indexing Service needs to be able to write and modify its catalog, so be sure that System can write, read, and modify whatever directory you’ve put the catalog in.

But we’re not done yet. Eventually you will want to query that catalog, using either the query tool built into the snap-in, which I’ll show you in a minute, or perhaps through a Web interface. Before releasing the answers to a query, Indexing Service checks that the asker has the permissions to see the answer. So let’s see what that means for my example of a Web-based search engine for my online newsletters. Suppose the newsletter directory gave System Full Control permissions, but denied the IUSR account all access. What would happen? Well, Indexing Service would build the catalog for the newsletter directory just fine. And if I logged onto the server as an administrator and queried that catalog with some command-line tool or the built-in one that I’ll show you in a minute, then perhaps the query would work fine. But from the Web-based interface, the query failed—why? Indexing Service sees that the IUSR account isn’t allowed to see that data. In my experience, security is a major cause of failed queries, so keep it in mind when using Indexing Service–based tools.

Using the Catalog: Querying Indexing Service from Computer Management Once you’ve created that catalog, how do you try it out? You use a tool built into the Computer Management tool, under the Indexing Service icon, called Query the Catalog, as you see in Figure 17.108.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1421

1422

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

FIGURE 17.108 Sample Indexing Service query

As you see in that figure, you’ll see a field where you can type in your query words next to a button labeled Search. The query tool will show you all of your hits and provide hyperlinks that you can click to view the files that matched your query. This isn’t really an all-purpose tool, as it’s cumbersome to search a catalog unless you’re physically seated at the server whose Indexing Service hosts that catalog. But it’s a great debugging tool because it’s a quick-and-dirty way to find out if your catalog is working. And because you’re usually running it while logged in as an administrator, you typically do that test query with maximum permissions. Then, if you try the same query from a Web page and it fails while the Query the Catalog tool succeeds, you can be pretty sure that the problem lies with permissions rather than with something else. Using the Catalog: The Query Language

But how do you address queries? Indexing Service has its own built-in query language that’s pretty extensive but also pretty ugly. You can get the whole scoop in the Indexing Service help file, \Windows\help\is.chm. Open the top-level booklet icon, Indexing Service, and inside that you’ll see another booklet, Concepts. Inside there you’ll find another booklet entitled Using Indexing Service, and finally, below that, is a topic called Making Queries. In this section, I’ll just offer a short summary of the Indexing Service’s query language and provide a few examples. Simple Words

Of course, you can type just one word and Indexing Service will look for that. Searching for “Kerberos” will turn up any document with the word “Kerberos” in it. Indexing Service seems not to care about case—“kerberos” would turn up the same hits as “Kerberos.” Word Variations Work, Too

Indexing Service understands variations on words. For example, if you search for “patches,” then you’ll not only get hits that match “patches,” you’ll also get hits that match simply “patch” or “patching.” To do an exact search, surround the search with double quotes. Thus, if you type patches, you’ll get patch, patches, patching, and the like, but typing patches will match only that exact phrase.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONFIGURING AND TROUBLESHOOTING INDEXING SERVICE AND BUILDING WEB-BASED QUERY PAGES

Wildcards Are Harder

But recall that Indexing Service tries to understand text not merely as a sequence of characters, but instead as a series of words, so searching for “Kerb” would not yield any hits that matched “Kerberos.” How, then, to do wildcards? By giving Indexing Service what Microsoft calls a phrase, wherein you surround your query with {phrase} and {/phrase}; it’s sort of HTML-ish. The asterisk is the generic wildcard, as always, so to search for any line that contains “Kerb,” type {phrase}Kerb{/phrase}

In theory, you can make Unix-style regular expressions work by surrounding them with {regex} and {/regex}, but I’ve not been successful making them work. Logical Operators

Indexing Service also understands AND, OR, NOT, and parentheses. You could search for: “domain controller” and (kerberos or “LAN Manager”)

It also understands NEAR, but only in a very lame way—NEAR is defined as “within 50 words” and, no matter what the docs say, it’s not possible to redefine. So this works: “domain controller” near Kerberos

It’s a pretty powerful language—it’s just a little cryptic. Filtering “Noise” Words Via noise.enu—And, Or, Numerals, Etc.

A large number of the words in English text are simple words that you probably would never search on: and, or, also, have, could, and the like. You don’t want your catalog to track every single use of those words. So Indexing Service includes a file called noise.enu in \winnt\system32. It’s a simple ASCII file listing “noise” words—words not to index. You can change it to include (or exclude) any word, as you like. It’s called noise.enu because it lists the English noise words. Look in \winnt\system32 and you’ll also see noise.esn (Spanish), noise.deu (German), and noise.ita (Italian), among others.

Using the Catalog: Querying Indexing Service from the Web Now that you have a working catalog and can query it from the Query the Catalog option in the Indexing Service node of Computer Management, how do you let the rest of the world (or maybe just the rest of your intranet) query the catalog? With a Web-based query client. While this isn’t a programming text—nor am I an expert programmer—here’s a very bare-bones, stripped-down set of Web pages that you can modify and put up to let people query some catalog. Getting Ready

For this example, let me assume that you’re going to index files in a directory called Newsletters, which sits in your wwwroot directory. (Yes, you can do this for files that aren’t in wwwroot, but this is simplest.) You have already: ◆ ◆ ◆

Set up IIS on a computer (with all the current security patches, please!) Created a directory named Newsletters inside \Inetpub\wwwroot Placed a few text, HTML, or Office documents in \Inetpub\wwwroot\Newsletters

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1423

1424

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

◆ ◆ ◆

Started Indexing Service on that computer Created a catalog called Newsletters, which indexes the Newsletters directory inside wwwroot Tested that queries to it work with Query the Catalog

Creating the HTML

You’ll need two files: ask.htm, which contains a form that lets people type in their queries, and find.asp, which takes the information collected in ask.htm, executes the query, and returns the answers. Ask.htm is pretty short, as you can see in Listing 17.2. LISTING 17.2: THE ASK.HTM FILE <TITLE>Search Newsletter Archive
Type in your query

This just prompts you to “Type in your query,” then packages your query in a variable called SearchString, and then calls another HTML page called find.asp. (Both ask.htm and find.asp should be in your wwwroot directory.) Find.asp is a bit more complex (see Listing 17.3), as it must first perform the query and then format it nicely for the user. LISTING 17.3: THE FIND.ASP FILE <TITLE>Search Results <% ‘Set the search parameters ‘The following line is a comment; it shows how you’d restrict the search ‘To just a directory “folderinnews” inside Newsletters. ‘FormScope = “/folderinnews”

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONFIGURING AND TROUBLESHOOTING INDEXING SERVICE AND BUILDING WEB-BASED QUERY PAGES

‘These lines set the search parameters FormScope = “/”PageSize = 1000 MaxRecords=1000 SearchString = Request.Form(“SearchString”) CatalogToSearch = “Newsletters” SearchRankOrder=”rank[d]” OrigSearch=SearchString ‘ ‘ Create query object set Q = Server.CreateObject(“ixsso.Query”) set util = Server.CreateObject(“ixsso.Util”) Q.Query = SearchString Q.Catalog = CatalogToSearch Q.SortBy = SearchRankOrder Q.Columns = “DocTitle, vpath, filename, size, write, characterization, rank, directory, path” Q.MaxRecords = MaxRecords ‘util.AddScopeToQuery Q, FormScope, “deep” ‘ ‘ Do query ‘ set RS = Q.CreateRecordSet(“nonsequential”) RS.PageSize = PageSize response.write “
Your search for ” & OrigSearch & “ yielded “ If RS.RecordCount=0 then response.write “no results.” If RS.RecordCount=1 then response.write “1 result:” If RS.RecordCount>1 then response.write RS.RecordCount & “ results:” response.write “
” response.write “” response.write “” ‘Display the results Do While Not RS.EOF ‘ loop through the results. ‘ Build a hyperlink to the document hlink = “” & RS(“doctitle”) & “” ‘ Display attributesresponse.write “” ‘Get the next result RS.MoveNext Loop ‘end of DO WHILE loop response.write “
Doctitle Vpath Filename Size Write Characterization Rank Directory Path
” & hlink & “ ” & RS(“Vpath”) & “ ”

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1425

1426

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

response.write RS(“filename”) & “ ” & RS(“size”) & “ ” & RS(“write”) response.write “ ” & RS(“characterization”) & “ ” & RS(“rank”) response.write “ ” & RS(“directory”) & “ ” & RS(“path”) & “
” set rs=nothing set q=nothing set util=nothing %>

If you just want to try these out, then type the lines into Notepad and copy the files to your wwwroot directory. While still sitting at that computer, open up Internet Explorer, type http://localhost/ask.htm, press Enter, and you’ll see your form come up. How the Query Code Works

To understand find.asp—which, again, is a very stripped-down query page—let’s take it in pieces. The first part, through the command, is just HTML. After that, you see this: <% ‘Set the search parameters ‘The following line is a comment; it shows how you’d restrict the search to ‘just a directory “folderinnews” inside Newsletters. ‘FormScope = “/folderinnews” ‘These lines set the search parameters FormScope = “/” PageSize = 1000 MaxRecords=1000 SearchString = Request.Form(“SearchString”) CatalogToSearch = “Newsletters” SearchRankOrder=”rank[d]” OrigSearch=SearchString

That line with just the <% tells the IIS server that a program is starting. Lines that begin with a single quote are just ignored by the server; they’re comments. The next bunch of lines sets the parameters for the search. FormScope lets you tell Indexing Service that you don’t want to search an entire directory, just a subdirectory. If, for example, you had a directory called \inetpub\wwwroot\ newsletters\goodstuff and you wanted the search to only look in the \goodstuff directory, then you’d change the line to Formscope = “/goodstuff”

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONFIGURING AND TROUBLESHOOTING INDEXING SERVICE AND BUILDING WEB-BASED QUERY PAGES

PageSize and MaxRecords restrict the search, limiting the number of hits that Indexing Service reports. SearchString just retrieves the search text. CatalogToSearch, of course, says to search “Newsletters.” If there were other catalogs on this server, then you’d change this variable to point the search elsewhere. SearchRankOrder just says to report them from the best to the worst match. OrigSearch is just for programming convenience. The next set of lines forms and executes the query: ‘ Create query object set Q = Server.CreateObject(“ixsso.Query”) set util = Server.CreateObject(“ixsso.Util”) Q.Query = SearchString Q.Catalog = CatalogToSearch Q.SortBy = SearchRankOrder Q.Columns = “DocTitle, vpath, filename, size, write, characterization, rank, directory, path” Q.MaxRecords = MaxRecords ‘ util.AddScopeToQuery Q, FormScope, “deep” ‘ ‘ Do query ‘ set RS = Q.CreateRecordSet(“nonsequential”) RS.PageSize = PageSize

The piece toward the top is just “boilerplate,” the particular magic words that you must say to ask Indexing Service a question. Note, however, types of “objects”—that’s the programmer word for them—in the ServerCreateObject commands. The first in particular, ixsso.Query, is the built-in set of routines that controls queries. To find all of the developer documentation about it, search msdn.microsoft.com for “ixsso.query.” Controlling a Query: What to Retrieve

If you did that search, you’d see that the “query” method of the “ixsso” object—I’m so glad the developers kept it simple for us—has attributes with names like Query, Catalog, SortBy, and so on. You needn’t look that stuff up unless you want to extend this example; I’ve already done most of the work. But you do have to fill those attributes with values, and that’s what the Q.Query=, Q.Catalog=, and nearby lines do—they just transfer the values that we set up top into a place where Indexing Service can find it. A couple of the lines need a bit more explaining. First, notice the Q.Columns= line; that tells Indexing Service exactly which data to retrieve. ◆ ◆

DocTitle is the title, if the file has one. HTML files have titles; ASCII files don’t; Office files can have titles. Vpath is the relative path from the top of the catalog. In other words, you’re looking in a directory called \Inetpub\wwwroot\newsletters for files, but what if the files are in a directory inside that directory? Vpath would show that. If it turns up a file named \Inetpub\wwwroot\newsletters\ goodfiles\hints.txt, then the Vpath would be goodfiles, as it’s the subdirectory inside the catalog. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1427

1428

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

◆ ◆ ◆ ◆ ◆ ◆ ◆

Filename is, logically, the filename—hints.txt in the previous example. Size is the size in bytes. Write is the date the file was last written to. Characterization is the “abstract” that Indexing Service can optionally create. Rank is a numeric score that Indexing Service uses to rate how well something matches a query. Directory is the complete directory path of the file d:\inetpub\wwwroot\Newsletters\goodfiles in the example. Path is the combination of the filename and the directory; in the example, it’d be d:\inetpub\ wwwroot\Newsletters\goodfiles\hints.txt.

You can see the entire list of columns in a catalog in the Indexing Service snap-in in Computer Management. Under the icon for the catalog itself there is a folder named Properties. Look in there and you’ll see the entire list of a catalog’s properties or, as the query calls it, columns. (Most of them are of no value—the preceding list is about all you’d probably want.) Controlling a Query: Where to Look

Second, note the comment that starts util.AddScope. This tells Indexing Service two things about the search: first, which directory in the catalog should it search and, second, should it search at that directory level, or search that directory and the directories inside of it? Recall that Indexing Service automatically catalogs as far down as the directory structure goes; this command doesn’t affect that. Instead, it reflects the fact that Indexing Service doesn’t automatically show all of its cards when you make a query—it only reveals what the query asks for. Suppose you’ve got that directory structure that I mentioned before, \Inetpub\wwwroot\Newsletters\ goodfiles\hints.txt. Suppose also that you chose this time to index the whole wwwroot directory. What would that mean for the scope of the search? Without an AddScopeToQuery command, Indexing Service will only show results that it found in the top-level directory of the catalog, \Inetpub\wwwroot. To search the whole directory and the directories inside it, including \Inetpub\ wwwroot\Newsletters, \Inetpub\wwwroot\Newsletters\goodfiles, and whatever else is in there, you’d use this command: util.AddScopeToQuery Q, “/”, “deep”

That says that the query defined by the object Q should start at the top—“/”—and should search all directories. The “deep” keyword is the part that says to search the directories inside the directories. But what if you only wanted to search \Inetpub\wwwroot\Newsletters? Then you’d use a scope of /Newsletters—note that this uses the forward slash rather than backslash. The command would look like this: util.AddScopeToQuery Q, “/Newsletters”, “shallow”

Finally, what if you wanted to restrict the search to keep it out of the \Inetpub\wwwroot directory and start searching at \Inetpub\wwwroot\Newsletters, but also search directories below Newsletters? Then you’d do this: util.AddScopeToQuery Q, “/Newsletters”, “deep”

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONFIGURING AND TROUBLESHOOTING INDEXING SERVICE AND BUILDING WEB-BASED QUERY PAGES

It’s a really good idea to restrict your query scopes—you’ll be surprised what Indexing Service turns up! For example, if you did index your entire Web site, then you’d probably be exposing things like code in progress, old code, or notes to yourself, much of which you might not want publicly visible. To finish examining find.asp, the set RS= line tells IIS where to put the output of the query: into an object called a “record set” that I’ve unimaginatively called “RS.” And finally, the rest of the program just loops through the returned values and creates a table that reports what it found. The three commands that say “set something=nothing” recover memory on the IIS server.

Troubleshooting Failed Queries When you first get started with building your search pages and catalogs, you’ll probably turn up a lot of failed queries. They can be frustrating; here’s what to check: Permissions SYSTEM must have read access to the data to be cataloged, full control of the directory where the catalog is stored, and, Microsoft adds (although I’ve not checked it), that SYSTEM must also have full control to the root of the drive where the catalog is stored. But the querying person must also have the permissions to see the documents, or Indexing Service won’t even display it. So, for example, if your query fails from your Web browser, try logging onto the server as an administrator and try the query tool in Computer Management. If that works and the Web browser doesn’t, chances are good that IUSR doesn’t have the permissions necessary to see the data. And when you’re testing your Web-based app, make sure that you’re not logged on as an administrator of the domain. Depending on how you have IIS set up, it may try to get you the catalog info as IUSR and, when that fails, it may automatically try again using your currently logged-on credentials as an administrator, and succeed. But non-admins won’t be able to access the data. Check the query syntax syntax you know works.

It’s a bizarre language. Make sure you have a few simple queries whose

Be patient Indexing Service is built to run in the background, which means that when you’re fussing with it, the indexing part of Indexing Service goes to sleep, waiting for the server to quiet down before it does its work. Get a cup of coffee or check your e-mail, give it a few minutes, and then try again. Dump the catalog and start over Stop the Indexing Service, then right-click the icon for the catalog, and choose All Tasks/Empty Catalog. Then restart the Indexing Service. You start out with a fresh catalog this way, and you know that no old junk’s sitting around in it. Go to the directories and files that you want to catalog, right-click them and choose Properties, then click the Advanced button There’s a check box on the resulting dialog box labeled For Fast Searching, Allow Indexing Service to Index This Folder. It’s checked by default, but if someone’s unchecked it, then Indexing Service will skip it altogether. By now, you should not only have a working catalog, but also a nifty Web-based front end for it. Indexing Service is pretty cool once you get it set up, but, as always with complex tools, it’s the initial setup that’s the pain.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1429

1430

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

Windows Server 2003 Internet Security: Some Thoughts A security engineer at a major tier-one ISP recently told me his opinion of Windows NT in regard to security. “It’s an exploit in a box,” he told me, very matter of factly, and you know what? Even though he’s a “Unix guy,” he was absolutely right. Windows NT was extremely permissive in its default configurations. However, Windows 2000 Server made a bunch of improvements in the security arena, and Windows Server 2003 is the most secure operating system that they’ve ever published. But does that mean that you should simply accept it with its default configuration? In the pages that follow, I’ll walk through some items that you should be certain to secure on your Windows Server in order to protect it even more. Although the security suggestions that follow will help secure your system, it is important to realize that there is no quick fix for Internet security. Entire volumes are published on the subject, much more than I could possibly cover in the pages of this book. There are, however, several types of actions you can take to detect and/or deter an outside attack. In this section, I’ll talk about deterring and detecting attacks and cover security recommendations for three primary areas: accounts, file and print sharing, and network services. Whether “security” is officially part of your job description or not, the twenty-first century seems to have a few new truths about it. First, we seem to be running a lot more Web servers than before. Even simple network-attached appliances like JetDirect modules or 3Com’s Lanmodem make you control them via a Web interface, which means that—you guessed it—they’ve all got a Web server built into them. But what’s the second truth of the twenty-first century? Virus- and worm-writing jerks the world over have targeted IIS. So anyone running an IIS-based Web server should understand that it is very likely that his or her system will be attacked by a worm; such an attack is a near certainty. But there’s a third and final truth here: If you put an insecure Web server on a network, then you aren’t merely a neutral party in the ongoing war between the worm-writing weasels and systems administrators; rather, you are helping the weasels. To see what I mean by that, let’s look at who would get hurt if I set up a Web server but didn’t protect it from a worm. Worms like Code Red, Code Blue, Nimda, and their successors do several things. First, they usually rewrite and damage Web pages. That means that if I don’t do anything to protect my Web server from infection, then I may be hurt, in that I must restore my Web pages to their predefacement state. But what if I’ve put a system on the Internet that runs a Web server, but only because I installed with the defaults? In that case, I shouldn’t care whether a worm attacks the Web server, should I? Of course I should, because of the second effect of a worm. Once planted in a Web server, worms seek out other Web servers to infect. That means that my unwitting Web server might end up as the vehicle that some weasel uses to infect an important Web server. At minimum, that’s certainly not nice and I would prefer not to be a vector of e-infection; at worst, I might even be sued over it. Even worse, a worm has a third effect: it chomps bandwidth. There have been days when so many copies of a given worm are busy scanning IP addresses trying to find potential victim servers that they have significantly slowed down the Internet. The bottom line is this: If I’ve put an unsecured computer on the Internet, then I’ve put a loaded weapon into the hands of a network criminal. I’ve aided and abetted one of the bad guys. I worry that as more and more home users get high-speed DSL and cable-modem connections, and as those home users’ operating systems get more and more sophisticated, that it will be possible for one cleverly written worm to simply shut the Internet down. Edmund Burke is credited with saying that all that

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WINDOWS SERVER 2003 INTERNET SECURITY: SOME THOUGHTS

is required for evil to triumph is for a “few good men to do nothing.” Let’s update that to say that all that is required for the weasels to destroy or severely damage an important artery of communication— the Internet—is for a few otherwise-good people to get lazy about securing their operating system’s Web servers. The most important point here, however, is that you can do some very simple, basic things to secure your IIS servers; let’s see how.

Disable IIS If You Aren’t Using It Probably the most effective and simplest way to secure your server is to disable unnecessary services. You can test if a computer is running a Web server in a few simple ways. First, check its services in Computer Management: right-click My Computer, choose Manage, then locate the object labeled Services and Applications and click the plus sign next to it. That should reveal, among other things, an object named Services; click it and the right panel will show the services that your computer is running. You’ll see that there isn’t a service called IIS or Internet Information Service or anything like that; it’s called World Wide Web Publishing Service. Right-click it, choose Properties, and you’ll get a property page that lets you stop the service. But that only stops the Web server for now—reboot, and it’ll probably start up all by itself. You can change that by clicking a drop-down list box labeled Startup Type, which offers you three choices: Automatic (which starts the service up at boot time), Manual (which does not start the service at boot time but lets you turn it on when you feel like it), or Disabled (which doesn’t start the service and doesn’t give you the option to start it). Just choose Disabled if you don’t want this server to be a Web server, and then click OK. Windows Server 2003 makes this less of a problem, as it discontinues Microsoft’s practice of automatically installing a Web server on every system. Additionally, IIS 6 first comes up in a very “locked-down” mode, making it harder to attack an IIS 6 server whose administrator has chosen all of the defaults for it.

Get and Apply the Latest Service Packs and Hotfixes Whenever a new worm appears, people castigate Microsoft for being “unprepared” for this latest attack, and administrators everywhere bemoan Windows’ “terrible security.” Just about anyone who’s ever been hit by an IIS-based worm could have avoided the infection had he just kept up-to-date with Microsoft’s patches. (Up-to-date Web servers were safe from Code Red, Blue, and Nimda, for example.) The problem is that most of us are a bit sloppy about getting around to downloading and applying the latest patches, and for years that wasn’t really a problem. Unfortunately, our modern-day “world of worms” has made staying on top of patches mandatory. Windows Server 2003 makes it easier than ever to stay up to date on service packs, patches, and hotfixes. The Autoupdate feature, available in the System applet, lets you configure a server to automatically check for updates and download them when they are released. Or you can use the Windows Update Web site (http://windowsupdate.microsoft.com) to scan your system, review and then install updates. But service packs aren’t the end of your update task. Stay up to date on the latest developments by checking out the security bulletins that you can find at www.microsoft.com/technet/treeview/ default.asp?url=/technet/security/current.asp. This site gets rearranged on a regular basis, so if that doesn’t work, just search for “security bulletin” on the microsoft.com site. The Security Bulletins site offers a notification service when new bulletins are issued, and access to the Microsoft

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1431

1432

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

Baseline Security Analyzer (MBSA) tool, which scans a system for vulnerabilities and missing hotfixes. The patches released from the bulletin site are EXE files with names like Q329390_WXP_ SP2_X86_ENU.exe. The first part refers to the Knowledge Base article that explains what the patch does, WXP clearly says that it’s a Windows XP patch, and SP2 means that it is a post–Service Pack 2 fix and that this patch will eventually be part of Service Pack 3. Note Microsoft is retiring the “Q” naming scheme for Knowledge Base articles. Articles previously named “QXXXXX” will retain the same number, but without the “Q” prefix.

Simplifying Hotfix Application If you’ve ever downloaded and applied a hotfix, then you’re probably shaking your head and thinking, “Has this guy ever actually done this?” But, wait, give me a chance. Hotfixes are a pain for two reasons. First, there are a lot of them. It’s not unusual to see a couple or three dozen hotfixes that you need to apply even if you have the most recent service pack. Second, try applying one and you’ll see that most of them force you to reboot after you apply them. So let’s see, first I download the 18 relevant hotfixes. Then I apply the first one and wait for my system to reboot, then I do the second, and… wait a minute, you mean that I’ve got to do that for all of my computers? And then how do I check which computers have and don’t have a given set of hotfixes? Thankfully, Microsoft has offered a couple of programs to simplify the process, qchain.exe and hfnetchk.exe. You can find the link for qchain.exe at Knowledge Base article 296861, or if that article’s gone by the time that you read this, then search for “qchain.exe.” You can find hfnetchk.exe at article Q303215, or, again, if that doesn’t exist when you look for it, search on the program’s name. qchain lets you apply a whole bunch of hotfixes all at once. You invoke the hotfixes—each with the options -m, -z, unattended, and don’t force reboot—and then qchain rearranges them on disk and in the Registry so that they don’t conflict with one another. Then you can reboot. For example, suppose you had some hotfixes with the names q335825_w2k_sp3.exe, qf843615_w2k_sp3.exe, and q745622_w2k_sp3.exe (all imaginary hotfix names, by the way). You could put them on a server named srv1 on a share called patches, and then put the hotfixes, qchain.exe, and a batch file to install the patches in that share. The batch file could look something like this: set lc=\\srv1\patches\ %lc%q335825_w2k_sp3.exe -z -m %lc%qf843615_w2k_sp3.exe -z -m %lc%q745622_w2k_sp3.exe -z -m %lc%qchain mylog.txt

Create the batch file by opening up Notepad and typing those lines into Notepad, but don’t type the names of the imaginary hotfixes; instead, type one line for each of the hotfixes that you’ve got in that directory, prefixing them with “%lc%” and adding “-z -m” to the end. Then save them as applypatches.bat, again in that share. Now you can, from any machine on the network, just type \\svr1\patches\applypatches.bat

and it’ll apply all of the patches. You can then reboot the system, and it’ll be up-to-date. But how do you check later to see what hotfixes have been applied to a given system and if it’s still up-to-date? That’s where hfnetchck.exe helps out. In its simplest form, you just run hfnetchk.exe on a system without any options. It then contacts the Microsoft site, downloads information about the latest

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WINDOWS SERVER 2003 INTERNET SECURITY: SOME THOUGHTS

hotfixes, and checks that your system has those hotfixes. It’ll then report about hotfixes that Microsoft thinks that you should have but that you don’t. You can run it with the -v, verbose, switch to find out why hfnetchk thinks that you don’t have a given hotfix. There are a few that apparently don’t leave enough of a fingerprint behind for hfnetchk to be able to verify whether or not you actually have the hotfix installed, like one that appeared in 2001 named MS01-022. Apparently you could apply it all that you wanted, but hfnetchk couldn’t find it. But running hfnetchk -v could allay your fears: WARNING MS01-022 Q296441 The XML file does not contain any file or registry details for this patch. As a result, this tool is unable to confirm that this patch has been applied. Please verify patch installation or refer to Q303215 for more information.

In other words, hfnetchk is saying, “Well, I can’t prove that this is here, so I won’t say that it’s there…but I couldn’t prove it in either case.”

Use IIS and NTFS Permissions When the bad guys get control of your IIS server, the system sees them as one of two user accounts— either the IUSR account or the System account. If they’re running a script or a Web page, then they’re the IUSR account. Intruders can only act as the System account in those cases where IIS has some pretty egregious bug and the intruder exploits that bug. Let me underscore that point: visitors to your Web site are actually logged into your Web server’s security system, whether it’s a local SAM or a domain-based Active Directory. Such so-called “anonymous” Web visitors are logged in as the IUSR account. Armed with that knowledge, you can recruit NTFS to help you secure your system. Unlike Windows 2000 and earlier systems, which set all of their NTFS permissions to Everyone/Full Control (of course IUSR is a member of Everyone), Windows Server 2003 sets more restrictive permissions on disk resources: 1. The wwwroot directory only grants the IUSR account NTFS permissions to read and list folder

contents. This will work fine unless there is a script in wwwroot, in which case you need to grant execute permissions as well. You’ll only need to give IUSR write permissions on any directories that Web-based scripts use to write files to. 2. In the Windows directory, IUSR has the same permissions as Authenticated Users: read, execute, and list folder contents. 3. Throughout the rest of the server’s hard disk, IUSR has no access permissions. Tip Your system might need somewhat different permissions. Microsoft has a pretty nitty-gritty Knowledge Base article about required IIS 5 permissions at 271071. As far as I know, they haven’t updated it for IIS 6 yet.

Now, you might be running some set of programs or scripts that require different permissions than the defaults; work with the content folks to find out what permissions you need for each directory but, again, in my experience IIS works very well with extremely minimal permissions for IUSR.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1433

1434

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

But IIS itself also has a set of permissions that you can use to secure your Web site. They work in tandem with NTFS permissions in the same way that file-sharing permissions work with NTFS permissions: both apply and the most restrictive ones win. IIS permissions are simpler and less flexible than NTFS permissions, as they apply to everyone accessing a site—there’s no way, for example, to say that the IIS read permission (which is different from the familiar NTFS read permission) should be granted to Administrators and denied to everyone else. Instead, you just check the Read box and every visitor gets it. Although the default IIS permissions are more restrictive in IIS 6 than they were in IIS 5, you should still check out the Execute Permissions box for every directory in your Web site. My site was once composed of a basic wwwroot directory that contained a bunch of directories, most of which contained only static HTML pages and images. I was surprised to find that the IIS permission on all of those directories was scripts and executables! To view a given directory’s IIS permissions, just open up the site in the IIS administration snap-in, and you’ll see a folder icon for each directory. Right-click the folder and choose Properties, and you’ll see the IIS permissions for that directory in the Directory, Home Directory, or Virtual Directory tab, depending on the context.

Disable Indexing The Indexing Service is not installed by default in Windows Server 2003, but if you do install it, delete the two default catalogs named Web and System to prevent automatic indexing of all your hard drives and Web sites. Only create catalogs for folders you explicitly want indexed, and keep in mind that all files and subfolders will be indexed from that point in the directory structure. Be sure to disable indexing for any subfolders with content you don’t want to include in the catalog. Consider taking the extra precaution of explicitly disabling indexing for all other files and directories on your hard disks. I know this seems like overkill, but there are some directories that you don’t ever want to be indexed, even if some bright-eyed administrator later decides that it would be a good idea to index all the hard drives on the server. Mail directories would fall into this category. Imagine doing an innocent search and having the query return a confidential e-mail from the accounting department on salary reviews!

Disable All Nonessential Ports In Chapter 6, you learned how to enable TCP/IP filtering to close particular ports on the server. Consider doing this for your Web servers. But remember, if you close all incoming ports except for 80 and 443, then you won’t be able to do remote administration of your computer. You can close ports from the GUI in the Advanced properties of the TCP/IP protocol, or use IPSec, as you saw in Chapter 6.

Move wwwroot By default, IIS puts its wwwroot directory on the same drive as the operating system, in the \Inetpub directory. Some particularly badly written worms can’t even find your Web site to attack it unless the site is in Inetpub. So moving the root of your document directories will provide some small protection.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WINDOWS SERVER 2003 INTERNET SECURITY: SOME THOUGHTS

Get Rid of the IIS Admin, Documentation, Web-Based Printing, Extra Directories, and Samples IIS ships with a whole bunch of sample files and extra doodads. Many are useful, but they’re also potential security holes. For example, there is a Web-based administration tool for IIS. If someone cracks that, they own your Web site. Don’t install it. It’s not installed by default with the rest of IIS. If it is installed, get rid of it from the Control Panel in Add/Remove Programs/Windows Components. Highlight the Web Application Server option and click the Details button. From here, choose Internet Information Services (IIS) and then the Details button again. Uncheck Remote Administration (HTML), which you’ll find among the list of World Wide Web server components. And while you’re at it, if you don’t use FrontPage-based Webs, then uncheck the box next to FrontPage Server 2002 Extensions. Personally, I find the FrontPage bots to be fragile, so I avoid them altogether. I would also take this opportunity to remove anything else I don’t need. Then click Next, OK, and Finish until you’re out of Add/Remove Programs. Back in the IIS snap-in, go ahead and also delete the Microsoft SharePoint Administration site, as well as the Printers folder (in the default Web site) to get rid of Web-based printing. In fact, before I start using a newly built IIS system, I just delete everything in wwwroot.

Disable Unnecessary Services on Your Servers You can safely shut down unused services on Web servers or, for that matter, shut them down on any server—it saves CPU power and RAM, and closes any potential security holes that those services might contain. Here are some other services that you might disable or remove using Add/Remove Programs in the Control Panel: Server service This isn’t a generic service required by all server services; instead, it’s just the file and print server service. And while it’s true that Web servers are a kind of file server, they do not necessarily need a working file server service. FTP service If you need this to let Web authors upload content changes, then enable it. But be careful about running anonymous FTP sites; you’d hate to find out that you accidentally let the bad guys store their stuff on your FTP site. Consider using WebDAV instead of FTP for uploading content. Simple Mail Transport Protocol If your Web site doesn’t do automated mail-outs, stop this service; SMTP holes have been giving Unix administrators fits for years. Routing and Remote Access Service WebDAV A sort of twenty-first-century upgrade to FTP server, it lets you do what basically looks like normal file sharing over HTTP. It’s far better than FTP, but you have to wonder if it’s secure. If you’re not using it, get rid of it. (It’s off by default.) One way to make sure that it stays off is to deny the Everyone group access to winnt\system32\inetsrv\httpext.dll. But you know which service I’d really like to kill? The GUI. It sucks up all kinds of CPU and RAM, and what do I need it for when my Web server is just sitting in the corner waiting for requests? Maybe in Windows 2015, I guess. Here the Linux guys have the right idea.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1435

1436

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

Consider Disabling Microsoft File and Print Sharing The same file and print sharing protocols that let you build file/print servers in your organization let you share files and printers over the Internet as well. You might want to disable that service—the Server service. Here’s why. First of all, what is it that you want to secure? I’ll assume it is your data. Because you don’t want an outside intruder to be able to destroy data on your servers or lock you out of your own network, let’s consider this question: How could someone get access to your data? Assume that you weren’t even running a Web or FTP server; consider what an attacker could do just to a simple file/print server that’s exposed to the Internet. Attacks could come in the following forms: ◆ ◆ ◆

◆ ◆

◆

Someone with read access to your files could steal company information. Someone with write access to your files could modify or delete them. Someone with write access could use your file servers to store their own personal data—data they might not want to keep on their own computers, perhaps because the data is unlawful to have, like someone else’s credit card numbers. Someone with write access could cripple your servers by filling up their free space with nonsense files, crashing the servers. Presumably someone could crash your mail servers by sending thousands of automatically generated pieces of mail to the servers. Enough mail messages will fill the hard disks of those servers as well. Access to your print servers could, again, let intruders fill up the print servers’ hard disks with spooled files, as well as cause your printers to run out of paper.

Eliminate Nonessential ISAPI ISAPI filters are an IIS-specific alternative to scripts and CGI programs. They were introduced back in IIS 2 and allow IIS to support some very fast extensions to basic Web functionality, like Active Server Pages. You can see your site’s ISAPI filters from the ISAPI Filters tab of the properties pages. Take a look at the file extensions associated with various ISAPI filters. Unless you or another admin added some ISAPI filters at some point, the only one you are likely to see is the ASP.NET filter, which is defined in the master properties for all Web sites. If there are others, though, and you don’t see any files with that given extension in your Web site pages, then just delete the reference to that ISAPI filter. Code Red looked for an extension .IDA; had the ISAPI filter for IDA not been in place, then the virus would have gotten a Page Not Found, and wouldn’t have infected that server.

Detecting Outside Attacks Windows Server 2003 comes with some built-in tools to make detecting attacks easier. You can do the following: ◆ ◆ ◆

Audit failed logons. Use the Performance Monitor to alert you when logon failures exceed some reasonable value. Periodically log network activity levels. If all of a sudden your network gets really busy at 3 A.M. for no good reason, then look closely into exactly what’s going on at 3 A.M. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WINDOWS SERVER 2003 INTERNET SECURITY: SOME THOUGHTS

In addition to these, consider reviewing your IIS log files (found in \Windows\system32\logfiles) periodically. If you’ve been getting 100 hits a day and suddenly it’s 10,000 hits a day, something is up. These logs also record source IP addresses for hits; you may be able to identify vulnerability scanning patterns by frequency and by the pages requested, and then notify the ISP or organization that administers the source addresses of any suspicious activity. There are some very good log analyzer tools available for Web servers; some are even free.

Deterring Attacks The main steps to take to deter attacks include the following: Don’t use obvious passwords. Don’t enable Guest accounts on Internet-connected machines. Rename the built-in Administrator account. Don’t let the built-in Administrator account access the servers over the network. Lock out users after a certain number of failed attempts. Make passwords expire after a certain length of time. Install a firewall to filter out UDP ports 136 and 137, used for Microsoft networking commands such as net use. 8. Install Web, news, and FTP servers on a separate machine in their own domains, with no trust links to other domains. Even better, install each Internet-accessible box as a stand-alone system with no ties to any internal domain. Sure, it’s a pain to administer local accounts for FTP users and such, but the system can be locked down more radically since there’s no need to communicate with domain controllers. This way, a compromised Web server doesn’t have to mean a compromised Active Directory domain. 9. Don’t put any services on your DNS servers except for DNS. 1. 2. 3. 4. 5. 6. 7.

It seems to me that only by directly accessing your file servers through the normal net use interface, via an NFS interface, or through an FTP service would someone be able to read or write data on your computers over the Internet. I’ll assume that you’re not going to run NFS, that you’ll put the FTP server where compromising it won’t matter, and that you’ll focus on the file server interface. In a nutshell, here’s the scenario that you should worry about. Suppose I know that you have a server named S01 whose IP address is 253.12.12.9 and that it has a share on it named SECRET. I just create an LMHOSTS file with one line in it, like so: 253.12.12.9 S01

Now I can type net use X: \\s01\secret, and my Internet-connected PC sends a request to 253.12.12.9 for access to the share. Assuming the Guest account isn’t enabled on S01, then S01 will first ask my PC, “Who are you?” I’ll see that as a request for a username and password. When I respond with a valid username and password from the server’s domain, I’m in. Actually, this is how I access my network’s resources from across the Internet when I’m on a client site—two seconds’ work with an LMHOSTS file, a net use, and I’m accessing my home directory from thousands of miles away.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1437

1438

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

To do that, I needed to know: ◆ ◆ ◆ ◆

A valid username on my network The password for that account The IP address of a server on the domain The name of a share on the domain

All right, suppose I want to hack some company with the name bigfirm.com. Where do I start? Step one is to find out what its range of IP addresses is. That’s easy. Just telnet to internic.net, type whois bigfirm.com, and you’ll get the network number and responsible person for that network. (You can alternatively run a Web-based search page with your Web browser; point it to www.internic.net.) You’ll also get the IP address of their DNS name servers. The other way to find this information would be to type: nslookup set type=all bigfirm.com

Bigfirm will dump the names and addresses of their DNS servers and their mail servers. Because there has to be a secondary DNS server to make the InterNIC happy, there will be at least two name servers. Now, bigfirm is probably thinking—the way most of us do—“It doesn’t take much CPU power to run a DNS server. Let’s put some shared directories there, too.” As Jane Slimeball Hacker, I’m thinking, “Cool—fresh meat.” You see, you’ve got no choice but to publish two of your IP addresses, the addresses of your DNS server and its backup. So don’t put anything else on it. Once, I would suggest to firms that they just run DNS on old, slow machines. That’s not an option anymore, as we now need dynamic DNS, which means you’re running Windows 2000 on a system and DNS on that system. It’s a shame to make a server solely a DNS server, but it might not be a bad idea from a security point of view. Now suppose you’re smart and there’s nothing else on the DNS servers. So I have to fish a bit, but that’s not hard, as whois told me your range of IP addresses. I’m a slimeball, but I’m a thorough slimeball (after all, I don’t have a life, so I’ve got lots of time), and I’m willing to try all of your IP addresses to find out which ones have servers. There are even, believe it or not, freeware programs for Windows systems that will scan a range of IP addresses looking for machines attached to those addresses. Alternatively, it’s a simple matter to create an LMHOSTS file that includes a NetBIOS name for every possible IP address. For example, if I know that you have class C network 200.200.200.0, then I can create an LMHOSTS file with NetBIOS named N1, which equals 200.200.200.1; N2 equals 200.200.200.2, and so on. Then I need only do a net view \\servername for each name from N1 through N254. The IP addresses that have a computer attached to them running the server service will be the ones that challenge me for a name and password. The ones that don’t won’t respond at all. What can you do? Not terribly much, except to be sure that the default Administrator accounts on those systems aren’t blank—no sense in making things too easy. And it sure offers some incentive for getting rid of your old machines and applications and getting your enterprise off NetBIOS, doesn’t it?

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WINDOWS SERVER 2003 INTERNET SECURITY: SOME THOUGHTS

Next, I’m looking for a user account name or two. How can I get this? I don’t think you can do a net user remotely without contacting the domain controller, which means you’ll have to have a domain ID and password to get net user to work from the outside—whew, that’s one less thing to worry about! But there is a way to find at least some usernames. When a user logs in to a Windows system, the machine registers not only its own machine name on the network, but the user’s name as well. It does that so alerts with that name on them can get to the proper user. For example, suppose you’ve asked the Performance Monitor to alert you in your username of JILL02 if a server gets low on free space. How does the network know where you are? It’s quite simple. When you log in, the Messenger Service—assuming that it’s running—registers your username as one of the NetBIOS names attached to your workstation. Assuming you are logged on to a server whose IP address is 200.200.200.200, anyone doing an nbtstat -A 200.200.200.200 would not only see the computer’s name, they’d see your name as well. So, supposing that someone named paulad was logged in at the 200.200.200.200 machine (that’s physically logged in, not connected over the network), a look at the NBTSTAT output would show me that there’s a user named paulad who’s logged in. So now I have a username—and probably the username of an administrative account, since paulad is logged in to a server; good news for Joe Hacker. What can you do about that? Disable the Messenger Service, and the name never gets registered. And, by the way, speaking of NBTSTAT, if you run an nbtstat -A and the name MSBROWSE shows up, you’ve found a browse master. There’s a good chance that a browse master is a domain controller, right? So maybe it’s a good idea to set MaintainServerList=No for the domain controllers; you make that change in HKLM\System\CurrentControlSet\ Services\Browser\Parameters. Just let the other servers handle the browse master part; you’ll remove a clue that a hacker could use. Unfortunately, however, all domain controllers have other names registered to them that pretty much identify them as domain controllers. Now that I have a username, I need a password. Now that’s a problem. Even if I could physically attach my computer to your network, I wouldn’t get a password with a network sniffer—NT uses a challenge/response approach to password verification. When you try to log in to an NT domain, the domain controller sends your workstation a random number that your workstation then applies to your password using some kind of hashing function, a mathematical function that produces a number when supplied with two inputs. The result is what gets sent over the network, not the password. (As I said earlier, there is one exception to this rule; when you change your password, the new password does go over the network to the server, but that’s pretty rare.) Where do I get the password? I can do one of two things. First, taking what I know about the user, I can try to guess a password. Second, I can run a program that tries to log in repeatedly, using as passwords every word in the dictionary—this is sometimes known as a dictionary hack. The defense against this should be obvious. First, don’t use easy-to-guess passwords. Use more than one word with a character between it, like fungus#polygon. Second, don’t make it easy for people to try a lot of random passwords: Lock them out after five bad tries. That leads me to a note about the Administrator account. Windows Server 2003 extends the lockout policy to include the Administrator account. After five bad login attempts, by default, the Administrator account can only be used to log in locally at the domain controllers, not remotely or over the network. If the lockout policy didn’t apply to the Administrator account (and it didn’t in Windows 2000, not without a Resource Kit utility called passprop.exe), then no matter how

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1439

1440

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

many times you tried to log on with a bad password, the Administrator account wouldn’t lock. The slimeballs on the Internet could spend all of their free time trying to figure out your Administrator password. To protect the Administrator password further, rename the account. Don’t leave it as Administrator. Second, limit its powers. You cannot delete the Administrator account, nor can you disable it. But you can remove its right to access the server over the network. By removing this right, you force someone with the Administrator password to physically sit down at the server in order to control that server. Unfortunately, that won’t be easy, because the ability to log in to a server locally is granted to the Administrators group, and the Administrator account is a member of that group. You aren’t allowed to remove the Administrator account from the Administrators group, so all you can do, I suppose, is to remove the entire Administrators group’s right. Then just grant the individual administrative accounts the Log On over the Network right. Now, these measures—disabling Guest, renaming Administrator, removing Administrator’s right to log in over the network, locking out repeated penetration attempts, setting Performance Monitor to alert you to excessive failed logon attempts, using well-chosen passwords—may be sufficient, and you’ve no doubt noticed that they’re all options that don’t cost a dime. But if you want greater security, then look into a firewall. The firewall doesn’t have to do much, but it has one really important job: to filter out two ports on UDP. UDP (User Datagram Protocol) is the sister protocol to TCP; just as there is a TCP/IP, there is also a UDP/IP. TCP is connection oriented, whereas UDP is not connection oriented; it just drops messages on the network like messages in a bottle, hoping that they’ll get where they should go. Whenever you execute a Microsoft networking command, such as net use or net view, you are running an application that sends commands to a server using UDP and UDP port numbers 136 and 137. Ports are software interfaces that are used to identify particular servers; for example, when you send mail from your desktop, you usually use TCP port number 25, and when you receive mail from your desktop, you usually do it on TCP port 110. Web browsers listen on TCP port 80, in another example. Firewalls are powerful and sometimes complex devices. Once you install them, they have a million setup options and you’re likely to wonder if you’ve caught all the ones you need. Running NetBIOS over IP services happens on UDP ports 136 and 137; tell your firewall to filter those and it’s impossible for someone to access normal file server services. Securing Accounts

Since an account is required to perform most actions on a Windows Server 2003, it would make sense that the accounts database should be the first line of security for any publicly connected server. Try starting with the following suggestions to harden your accounts database a bit more: ◆

◆

Set a minimum password length of 8 characters. This one should be pretty straightforward: short passwords = easy to guess, long passwords = harder to guess. On any publicly connected system, a minimum password length of no less than 8 characters should be enforced. Set a minimum password age of 2 days. Microsoft’s secure Web server recommendations call for setting a minimum password age of 2 days. This means that if someone—authorized or not—changes a password, that password cannot be changed again until 48 hours have passed. This is designed to catch situations where an attacker might know a user’s password and attempt to change it temporarily for a specific purpose, with the intention of changing it back immediately afterward, going unnoticed.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WINDOWS SERVER 2003 INTERNET SECURITY: SOME THOUGHTS

◆

◆

◆

◆ ◆

◆

◆

◆

Set a maximum password age of 42 days. Again, common sense security practices dictate that no password should be kept forever. Therefore, setting a maximum password age of no more than 42 days is a good security precaution. Depending on your specific needs, you could set this to an even shorter interval if necessary. Keep the last 24 passwords. When used in combination with the maximum and minimum password ages, this prevents anyone from reusing any of the last 24 passwords used for an account. This is designed to defeat a common habit by some administrators of simply flipping back and forth between a few different passwords each time a change is required. Set an account lockout policy. If I could only make one recommendation for securing a publicly connected system, it would be that there must be an account lockout policy in place. In other words, if x number of invalid login attempts occur within y minutes, then the account should be locked out for a duration of z minutes/hours/days. You can use your own values for x, y, and z, but this is one of the most valuable security precautions you can take! Require complex passwords. You read how to do this in Chapter 9. Assign the Deny Access to This Computer from the Network right to the Administrator account. Windows servers know whether an account is logging in from over the network or from the keyboard or mouse (or through a Terminal Services session). If you have physical access to your IIS server whenever you need it, you should strongly consider removing this right from your Administrator account. By default, most any hacker is going to know that Administrator is the default account to go after on any system, so removing this right will make it impossible to connect to the server over the network as the Administrator. This will restrict you to managing your system at the console only (or through a Terminal Server session), but it’s a small price to pay for making sure that no one connects to your server over the Internet as Administrator. For more information on granting/revoking user rights, please see Chapter 9. Rename the Administrator account. As I mentioned in the last paragraph, everyone knows that the Administrator account is the default account on any Windows Server 2003 with the most privileges. Hackers want to “get Admin,” so make it more difficult by renaming your Administrator account to something else—maybe something like “God,” “root,” “ToothFairy,” or something equally obscure. Some people have commented to me that this is not useful advice because it’s relatively simple to actually find out the default administrator’s name, and I’d have to agree that it’s easy for a determined hacker to get that information. But there are many attacks that rely on very simply built scripts or programs, and many of those programs aren’t built to be very sophisticated—they assume that your home Web directory is Inetpub\wwwroot, that your administrator is named Administrator, and the like. Renaming the account will slow those guys down. Create a “bait” Administrator account. If you do decide to rename your Administrator account, an additional step you can take is to create a bait Administrator account on your system. Start by renaming your Administrator account to something else. Then create a new account and call it Administrator. Give it an extremely obscure password, disable the account, and make the account is a member of the Guests group only. That way, hackers can spend (and waste) their time hacking away at an Administrator account that won’t yield anything if they do get the password. Disable the Guest account. By default, Windows Server 2003 will disable the default Guest account that is installed. It’s worth double-checking this account to make sure that it is still disabled.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1441

1442

CHAPTER 17

TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP)

Securing File and Print Sharing

By default, Windows Server 2003 assumes that you’d like to enable file and print sharing on each of the interface cards installed in your server. If you have a server with multiple NICs (one for the public Internet and one for your internal network), you can disable file and print sharing on the public interface very easily. To disable file and print sharing, start up Control Panel/Network and Dial-Up Connections and find the icon for your public interface. Right-click the public interface, then uncheck the box for File and Print Sharing for Microsoft Networks. You can test to make sure this works by mapping to a share on your server before changing this setting and then mapping to a share on your server after changing this setting. Just for kicks, if you wanted to try to “decoy” someone who might compromise your system, you could put in decoy winnt and inetpub directories and if anyone hacked into your system, they’d simply be hacking at a dummy installation.

Don’t Forget Hazards from Within Finally, remember that, all too often, the bad guys aren’t outside the walls; they’re right inside the company with you. Here are a few thoughts to consider about internal attackers. Internal Users Can Easily Get a List of User IDs

Earlier in this book, you learned how to configure a set of home directories. First, you create a share called USERS on an NTFS volume, giving the Everyone group or, better, the Domain Users group, full control permissions. Then you set the top-level directory permissions to read and execute, and assign Domain Users no file permissions at all. Users need to read and execute to navigate from the top-level directory to their individual home directories. Then you set the file and directory permissions for each directory to full control for each particular user. The problem is that there’s no way to keep a user from moving up to the top-level directory and seeing the names of all of the users’ home directories. Result: Now that user has a list of all of the users’ IDs, hacking is made a bit easier. Additionally, any user on an NT Workstation ,Windows 2000 Professional, or XP Professional machine can type net user/domain and get a list of users in the workstation’s domain. Again, these are mainly things you’re concerned about for internal users, but inside hacking is probably more prevalent than outside hacking. Internal Users Can Easily Crash Shared Volumes

If you haven’t enabled disk quotas, any user with write access to a volume can, either accidentally or purposefully, write as much data to a shared volume as the volume can hold. The result is that now there’s no space left for other users. Worse yet, if that’s the volume that holds the pagefile, then the pagefile can’t grow in size, which might crash Windows altogether. It wasn’t SMB file and print sharing that built the Internet or that builds e-businesses—it was and is the Web. Almost anyone working with servers will find herself the proud administrator of a Web server or two—whether she wanted to be or not. Just a bit of work can make those servers run well and run safely.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

Chapter 18

Tuning and Monitoring Your Windows Server Network If a server isn’t performing well—if it seems unresponsive or if you’re getting funny error messages—then you could install more memory or add another processor and hope for the best. Alternatively, you could try to find out what was going on and address that question specifically. Why is the server slow? Is it running short of memory? Has someone tapped into your computer and is running unauthorized processes on it? If you ask the right questions of the tuning and monitoring tools, then you may find out the answers. Whether you use the graphical tools or write scripts to reach performance or event monitoring data, the trick to using performance monitoring tools effectively is asking the right questions. These tools are not omnipotent gods, but more like slightly dim-witted genies. Like such genies, performance monitoring tools are very literal-minded little cusses. They may be able to give you the answers if you ask—depends on what you want to know and whether that information is exposed by the tools—but only if you ask correctly. If you ask the wrong questions you’ll drown in a sea of irrelevant data. (Somewhat less metaphorically, if you ask indiscriminate questions you’ll slow down your servers and/or clog your network’s bandwidth with unimportant queries, not to mention get a bunch of information that you can’t use and which can cloud the important stuff.) Thus, in this chapter I’ll talk about the genies—er, performance monitoring and event viewing tools— that come with Server 2003 and give you background to help you figure out which questions to ask the oracle. Once that’s done, I’ll discuss the tuning you can do based on the information you gathered. Note This chapter will focus on how to gather and evaluate performance information using the graphical and command-line tools built into Server 2003. However, the performance monitoring tools accessible from the MMC are Windows Management Instrumentation (WMI) providers, meaning that it’s also possible to gather performance information through one of Server 2003’s supported scripting languages—VBScript or JScript.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1444

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

Roundup of Tuning Support Tools and What to Do with Them Before I get into a description of how to use these tools, here’s a quick tour of the monitoring tools that come with Server 2003: ◆ ◆ ◆ ◆

System Monitor Performance Logs and Alerts Event Viewer Task Manager

Note Server 2003 also has a Network Monitor tool that’s a crippled version of the one included with Microsoft System Management Server. Unfortunately, it can only monitor data traveling between the monitored computer and the rest of the network, not network traffic in general.

System Monitor The System Monitor in Server 2003 is very similar to the tool by the same name in Windows 2000. When you open the System Monitor, you’ll see that it has two components: a Performance Monitor– like tool called the System Monitor that displays real-time performance statistics and Performance Logs and Alerts, which is the System Monitor’s logging function. Tip To open the System Monitor quickly, type perfmon (the executable name of the System Monitor) into Run. Server 2003 will start the Performance tool with the System Monitor screen active.

With the System Monitor, you can do the following: ◆ ◆ ◆ ◆ ◆

Provide a simple, visual view of your servers’ vital signs (one that looks great on a PowerPoint presentation of why you need more hardware) in charts or reports Output real-time system monitoring information to a browser Keep an eye on how processes are using processor time, memory, disk space, and other server resources Log network data over time and export that data to a file that you can import into a spreadsheet for further analysis Open saved logs to review historical data

Performance Logs and Alerts The other half of the Performance tools is the Performance Logs and Alerts, which takes over the logging functions of NT 4’s Performance Monitor. You can do the following using the logging function: ◆ ◆ ◆

Monitor system stress and performance over a period of time, instead of watching the current output Automatically keep track of minimum, maximum, average, and current values of critical system values Send alerts to the Event log, notify someone, or run a program when counters exceed the tolerances you set or when important events occur Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ROUNDUP OF TUNING SUPPORT TOOLS AND WHAT TO DO WITH THEM

Event Viewer The Event Viewer (located in the Administrative Tools program group) maintains several separate event logs on the server: ◆ ◆ ◆ ◆ ◆ ◆

System log Security log Application log DNS Server log File Replication Service log Directory Service log

Note The Event Viewer for member servers in the domain displays only the Application log, System log, and Security log.

The System log records the starting and stopping of services and any system-related events. This is where you’ll find out that time synching isn’t working, that the DHCP server has successfully cleaned up its database, or that a print job was successfully completed. If you see a message box telling you that something didn’t work and to check the Event Monitor for more details, the System log is the first place to look. If there are noninformational messages here, don’t ignore them! The Security log records any audited events that relate to security issues, such as users accessing files or changing the Security Accounts Database. In Windows 2000, you had to explicitly turn on security logging. In Server 2003, it’s turned on by default. The Application log records application-specific events that aren’t far-reaching enough to make it into the System log. The name of this log might be misleading. It’s not about user applications so much as about licensing, the BINL service used to back Remote Installation Services (see Chapter 20, “Installing and Managing Remote Access Service in Windows Server”), backups, the successful (or unsuccessful) application of security policies, performance library issues, and the like. You’ll find the System, Application, and Security logs on any Server 2003 computer. The remaining logs only apply to computers that need them because of their role in the network. The DNS Server log (found, as you’d expect, on the DNS server) records events associated with resolving computer names to or from IP addresses. The File Replication Service log lists events relating to the File Replication Service, and the Directory Service log records events related to domain controllers keeping up with the security database.

Windows Task Manager The Task Manager gives you a way to monitor the general state of the server without going to the trouble of creating a customized chart with the System Monitor. In Server 2003, the Task Manager has five tabs: Applications Displays the applications separate from the core OS that are running on the server and shows whether they’re running or not responding. Processes Lists the image names of the processes running on the server, including those processes that are part of the core OS, and shows statistics about the resources allocated to those processes.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1445

1446

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

Note For those not familiar with the distinction between an application, a process, and an image name, allow me to digress for a minute. The executable name of an application (e.g., MYAPP.EXE) is known to Server 2003 as its image name. A process is a collection of resources allocated to some executable portion—a thread—of that image. An image may have one or more processes supporting it, depending on how the developer split the code up.

Performance Networking Users

Displays current processor and memory usage. Displays the current network utilization for the server’s connection to the network.

Lists the current local and remote Desktop sessions connected to the server.

You can use the Task Manager not only to gather information about a server, but to interact with it and resolve some problems. For example, if the server seems sluggish, you can open the Task Manager and turn to the Performance tab to get a real-time view of processor usage. If the chart there indicates that the processor is running full-time, you can turn to the Processes tab to see which process is taking up all the processor time and find out from the Applications tab whether an application has stopped responding and needs to be shut down.

Observing Performance Patterns with the System Monitor If you can’t measure it, you can’t tune it. As noted earlier, the System Monitor is the graphical display tool in Server 2003’s collection of monitoring tools. To use it, you’ll need to be familiar with objects, instances, and counters. Object Any system component that possesses a set of measurable properties. An object can be a physical part of the system (such as the memory or the processor), a logical component (such as a disk volume), or a software element (such as a process or a thread). Instance

Shows how many occurrences of an object are available in the system.

Counter Represents one measurable characteristic of an object. For example, the Processor object has several counters, including the percentage of processor time in use and the percentage of time the processor spends in Privileged and User modes. Written out, the object name comes first, then the counter name. For example, System Monitor opens with a sample chart of three commonly monitored object counters: Memory: Pages/sec, Physical Disk: Avg Disk Queue Length, and Processor: % Processor Time. Server 2003 contains hundreds of counters to track system data, such as the number of network packets transmitted per second, the percentage of time a processor spends in User mode versus Kernel mode, and the number of pages swapped in and out of memory per second. You’ll also need to be familiar with the various types of output that the System Monitor can produce—graphs, histograms, and reports—to know when each would be most useful. Graph By default, System Monitor displays its output in a line graph. This way of presenting data makes it easy to identify spikes in the data and show trends over time. Graphs always show current values, whether working from real-time or logged data. Histogram Histograms display current values for counters in a bar chart. They’re very useful for visually comparing values—say, the percentage of time that the processor on three separate servers

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

OBSERVING PERFORMANCE PATTERNS WITH THE SYSTEM MONITOR

is busy. By default, histograms show current values when working from real-time data and average values when working from logged data. Report Reports display the objects and counters being monitored and their current value (in text). They’re useful for getting an exact value, since you don’t need to interpret a graph or histogram to find out what the current value is—you can just read the text on the screen. By default, reports show current values when working from real-time data and average values when working from logged data. New to Server 2003: Command-Line Performance Logging Tools Windows 2000 offered only graphical tools for working with performance logs. In Server 2003 (and Windows XP), you also have command-line performance logging tools. Logman lets you create and manage performance logs from the command line, and relog allows you to take existing performance logs and change the sampling rate and file format. You can monitor performance data and create new counter logs with typeperf. And, using tracerpt, you can convert trace logs into a CSV file and/or summary report.

Creating a Chart Every System Monitor chart is a custom collection of counters to monitor. To add a counter to the chart, open the Add Counters dialog box by clicking the button in the toolbar that has a plus sign (+) on it or right-clicking in the chart display window and choosing Add Counters from the context menu. This will open the dialog box shown in Figure 18.1. FIGURE 18.1 Add counters to the System Monitor.

Adding counters to a chart is easy. Choose a performance object, then pick one of its performance counters. If there’s more than one instance of the object (for example, if the server has more than one processor), then you’ll have the choice of monitoring counters for all objects of that class or only a specific one. Click the Add button, and that counter will be added to the chart and will show up in the System Monitor, as in Figure 18.2.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1447

1448

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

Note Installing some software on servers may add performance objects and counters to the list. For example, installing MetaFrame (helper software used to enhance the capabilities of a Server 2003 application server) adds objects and counters for monitoring remote sessions using MetaFrame. FIGURE 18.2 System Monitor output

Adding counters may be easy, but choosing the counters to add and interpreting what you’re seeing requires a bit more work. Let’s take a look at how you could pick counters to monitor. Note The System Monitor’s Add Counters dialog box has an Explain button you can click to show more information about the currently highlighted counter. However, the information that’s displayed isn’t always all that useful—especially for the counters new to Server 2003—and not always strictly accurate. Use the information in the Explain text box as a starting point for further research if you need details about what a counter’s monitoring, not as the final word.

Incidentally, I’ve described here how to add counters to monitor on the current computer. As I’ll explain a little later in this chapter, you can also—and you frequently should—monitor other computers with the System Monitor. The procedure for adding the counters is identical to adding counters to monitor locally, however. Choosing Objects and Counters to Monitor

When you first open the Add Counters dialog box, it’s easy to get information overload. I haven’t yet been bored enough to count all the counters for all the objects, but there must be thousands. Even if you just look at the objects, how do you tell which of the dozens available is the one you want? It’s not easy, and to make the performance monitoring useful at all, you’ll need to be selective. Monitoring all the counters would give you more information than you could possibly handle. You need to know what to look for.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

OBSERVING PERFORMANCE PATTERNS WITH THE SYSTEM MONITOR

Let me set the following scenario: You have a network up and running. But with time, the network seems to be slowing down. People are complaining. The Powers That Be start applying pressure on you to find out what’s wrong and to find it out now. What can you do? Well, the obvious thing to do is to throw hardware at the problem, right? Go buy more memory, an extra processor if the servers support multiple processors and have slots available; get a faster network card; get a faster disk. Jacking up, say, the processor speed may get you a faster server. But if the problem is lack of memory, getting a faster processor won’t really help. You tune a troubled server by locating and removing its bottlenecks as much as you can. Eventually, you will bump into the limits of performance improvements, so the trick is to find the most effective performance improvements and apply them. What I want to do next is to (1) introduce you to the art of tuning, (2) point out the most likely causes of problems for file servers and application servers in particular, and (3) recommend a few objects and counters that you can monitor to keep an eye on your server performance with minimum trouble. A server’s job on the network will influence the counters that are important to it: IIS Servers serving Active Server Pages (ASP) or SMTP servers providing e-mail will call on entire object classes that you can ignore on servers not performing those roles. If a server has no printer directly attached, then you needn’t monitor the print queue object counters. However, there are four big sources of performance bottlenecks common to any server: ◆ ◆ ◆ ◆

Memory Disk subsystem Network card and software Processor

Resolving Memory Bottlenecks

The biggest performance drain on a Server 2003 system is memory. Windows applications are memory-hungry, and the operating system itself is memory-hungry—although, thankfully, the jump in resource demands between Windows 2000 and Server 2003 is nowhere near as dramatic as the jump between NT and Windows 2000—in fact, Server 2003 has changed the way it uses memory to make it more efficient. Still, if you install Server 2003 with the bare minimum of memory and then actually try to use it as a server, you’re not going to be happy with the result. When you’re monitoring memory, you’re actually monitoring both physical memory and hard disk access. The reason has to do with how Windows operating systems eke the most use possible out of physical memory—some of the apparent contents of that physical memory are actually on disk, in what’s called virtual memory. Virtual memory is a result of what Dorothy Parker would have said if she had been a network administrator: you can never be too rich, too thin, or have too much RAM installed. No matter how much you have, it seems, physical memory can’t keep up with the data storage needs of Server 2003 and any applications it’s running. Therefore, Windows operating systems use virtual memory, a kind of memory simulation that allows the server to support more applications and data in memory than it actually has physical memory to support. Regardless of the amount of physical memory installed, Win32 operating systems support up to 4GB of virtual memory space—2GB to be shared among all system-level processes and 2GB for the exclusive use of each user process running on the server. The memory manager is responsible for organizing each process’s access to virtual memory so that processes don’t write on each other’s data in physical memory.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1449

1450

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

Note One of the reasons Server 2003 needs so much memory is because it uses a big chunk (25 percent or so) of this memory for cacheing recently used file data. Servers that aren’t file servers don’t need to do this. In the “Basic Tuning Stuff” section later in this chapter I’ll explain how to make a server stop thinking of itself as a file server and start giving you back some memory.

Virtual memory works like this: When an application is loaded into memory, it stores its data in physical memory to store data it needs to run and present user files. As more and more applications (and the operating system) use RAM to store data, things start getting crowded. To allow applications to keep their important data in physical memory where they can get to it more or less instantly, the memory manager shuffles less important data to a file on disk called the paging file. The applications don’t care whether data is stored in RAM or the paging file, the applications just keep referring to the data according to the virtual address where it was originally stored. Among the memory manager’s many jobs is the task of keeping track of how the virtual memory storage area corresponds to the physical memory storage area, since it is almost inevitable that the physical storage area for memory will change. What kind of data is stored in memory? Several kinds, actually: ◆

Each application (and the operating system) has a working set that is the sum of all the data that application is currently working with. The memory manager can trim working sets if there’s a shortage of physical memory. But the smaller an application’s working set, the slower the application will run, because it’s going to have to keep requesting data back from the paging file, and paging data back into memory takes time.

Note If you’re using Terminal Services (see Chapter 16), then there will also be a per-session working set. ◆

◆

◆

Page table entries (PTEs) are structures the memory manager needs to map each user process’s virtual address space to an area of physical memory. The memory manager needs this map to see how each process is using its view of the 2GB of user virtual memory addresses and to keep processes from overwriting each other’s memory. Some operating system data must remain in memory all the time and cannot be paged to disk. The range of virtual memory addresses called the nonpaged pool stores this data. The paged pool stores operating system data that can be paged to disk. The system cache is the data used by the entire operating system kept in RAM for quick access. The System Monitor Help describes the system cache as though it were synonymous with the disk cache, but it’s not—the disk cache of recently used on-disk data and disk data structure is one part of the entire system cache.

The Server 2003 memory manager allocates memory to the system and user processes by first reserving it for the process that needs it (defining a range of virtual memory addresses for later use) and then committing it (ensuring that a place in the paging file is available to store the data the process wants to put in those virtual memory addresses). Processes can reserve all the memory they want, but when it comes time to commit that memory, some on-disk storage must be available to back it. Server 2003 has to assume that all user data will move to the paging file at some time. When a process is done with

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

OBSERVING PERFORMANCE PATTERNS WITH THE SYSTEM MONITOR

memory, it’s supposed to give it back to the system to be marked as available for other processes— free it. Some processes do the opposite, taking more and more memory even though they’re not using it or just not giving back memory that they’re not using anymore until you reboot the machine. This is a result of buggy programming and is called a memory leak. Memory leaks are frustrating because they starve other processes without giving you any gain at all. Give them enough time, and memory leaks will shut down your server from lack of resources. The only way to reclaim this memory is by rebooting the computer. Processes can’t use data that’s stored on disk, so when an application calls on data that the memory manager has paged to disk, the memory manager tracks down the data’s current location and executes a hard page fault to send that data to RAM where the memory controller can retrieve it for the application. Something similar happens if the memory manager moved data from one location in RAM to another, except that retrieving this data—called a soft page fault—takes less time than retrieving data from the hard disk. The end result of a soft or hard page fault is the same, however: even if data has been moved to a location other than the one the application expects, the application gets its data with no more than a little finger drumming at the slight delay. To the process, it looks as though the data was in memory all the time, but it really wasn’t. There is one catch to the paging file: disks are slower than RAM. You measure access times (the time required to read or write data) on RAM in nanoseconds (billionths of a second) and on disk in milliseconds (thousandths of a second). So, although you can’t escape paging—Server 2003 is designed to use it, and it will, no matter how much RAM you install—you will improve server performance if you seek to minimize the amount of time your server spends on hard page faults. That’s not everything there is to know about virtual memory, but it’s enough to make people avoid you. The important memory counters are described in Table 18.1. You can use this information to help you read other memory counters, too.

TABLE 18.1: IMPORTANT MEMORY COUNTERS Counter

Description

What This Tells You

Memory: Available Bytes

Records the memory currently available on the server.

A low value may indicate that your server is low on memory or that one of the programs is experiencing memory leaks (especially if the number keeps decreasing). You should always have 4MB or more available. If you don’t, then check for memory leaks or add more memory.

Memory: Commit Limit

Records the amount of memory that can be committed without extending the paging file. You can increase the paging file up to the limit of available space on the volume.

Extending the paging file is an expensive procedure (and requires processor time), so it’s a good idea to do this as little as possible. Make the paging file as large as you think you’ll need—at least 2.5x the size of RAM you have installed. Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1451

1452

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

TABLE 18.1: IMPORTANT MEMORY COUNTERS (continued) Counter

Description

What This Tells You

Memory: Committed Bytes

Records the amount of memory committed to processes running on the server.

Records the amount of used RAM that requires space in the paging file in case the data must be paged to disk. Therefore, this is memory in use and unavailable to other processes, not just reserved in case a process needs it.

Memory: Pages Input/sec

Records the rate at which pages of data are written to RAM from the paging file to resolve page faults.

As this value describes hard page faults (the Page Faults counter includes soft page faults, which pull data from another area of memory and don’t incur much of a hit), it’s a good measure of how often you’re having to pull data back from disk.

Memory: Pages Output/sec

Records the rate at which pages of data are written to the paging file to free RAM.

If the server seems to be running more slowly than it used to, monitor this counter. A high rate may indicate that the server doesn’t have enough RAM to support all the data that the running applications need to keep handy.

Memory: Pages/sec

Records the current rate at which pages (4KB chunks of data on an x86 system, 8KB on an Alpha system) are read from disk back into physical memory to satisfy a hard page fault or are written to disk to free RAM.

A value of more than 20 pages per second implies a lot of paging and suggests that your server needs more memory.

Paging File: % Usage

Records the percentage of the paging file currently in use.

If this value approaches 100 percent, then you need to reduce the pressure on the paging file, either by enlarging the file or adding more RAM. Although the memory manager will make the paging file larger if necessary, doing so takes up processor cycles, and the memory manager will only increase the paging file’s size as needed immediately. It’s better to increase the size of the paging file manually.

Paging File: Usage Peak

Records the peak size of the paging file.

If this value is close to the maximum size of the paging file, you need to either enlarge the paging file or add more RAM. A high value implies that the paging file isn’t big enough to hold all the data it must. Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

OBSERVING PERFORMANCE PATTERNS WITH THE SYSTEM MONITOR

TABLE 18.1: IMPORTANT MEMORY COUNTERS (continued) Counter

Description

What This Tells You

Physical Disk: % Disk Time

Records the percentage of time the disk spends servicing read or write requests.

Monitor this value for the physical disk that the paging file(s) are located on. If this amount seems to be increasing, check paging file usage and consider adding more memory.

Physical Disk: Avg Disk Queue Length

Records the average number of read and write requests waiting for the disk during the selected interval.

If this number is increasing at the same time the number of Memory: Page Reads/sec is increasing, that indicates that a lot of paging is going on. Monitor this value for the physical disk that the paging file(s) are located on.

Physical Disk: Avg Disk sec/Transfer

Records the length of time it takes the disk to transfer data to or from disk.

Monitor this value for the physical disk that the paging file(s) are located on to find out how responsive those disks are. This information may encourage you to move the paging file to a faster disk.

Process: Private Bytes

Records the virtual memory committed to that process.

This counter shows you how much memory a process (for all practical purposes, an application) is using. Especially if you’re monitoring a terminal server, consider moving demanding applications to the client side or to a server dedicated to those applications, to prevent other processes from being starved for memory.

Process: Working Set

Records the amount of RAM that the process is using to store data. The larger the working set, the more memory the process is consuming.

If a process’s working set increases over a period when you’re not doing anything with it (for example, over a weekend), the process may be experiencing a memory leak.

Note Notice that not all the counters you’ll be monitoring for memory usage are in the Memory object.

Memory is complicated. Examining other potential server bottlenecks is, thankfully, a bit simpler. Resolving Processor Bottlenecks

If you look at the counters available for the Processor object, you’ll see a lot of counters for DPC and APC objects, some percentages of User and Privileged execution time, and so forth. Most of these won’t help you much with server tuning. The DPC counters refer to deferred procedure calls (DPCs), functions that perform a system task that is less essential than the currently executing system task, but

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1453

1454

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

which can grab a little processor time while the more important task is waiting for information that isn’t yet ready. The APC counters refer to asynchronous procedure calls (APCs), which provide a way for user programs and system code to execute code using the memory allocated to a specific application, and at a low level of priority. Basically, APCs interrupt an application that’s using the processor to make it do something else without going through the usually necessary rigamarole of shutting down the application’s access to the processor. In a broad sense, the counters for User and Privileged time refer to the percentage of time that the processor is spending executing instructions for user applications and system functions, respectively. Again, this isn’t information you can use for a lot of system tuning unless you’re interested in the time that Server 2003 spends executing system code in contrast to user code. The information you can use for system tuning lies in the % Processor time and the Interrupts counters. Processor: % Processor Time tells you the percentage of time that the selected processor is doing something other than executing its “marking time” thread, the system Idle thread. Ideally, the processor is supposed to spend most of its time executing the Idle thread, because if that’s the case, then the processor is available when it’s needed. If Processor: % Processor Time rises above 75 percent on average, then that processor is working pretty hard and the server might benefit from a faster processor or an additional processor—and from you tracking down whatever it is that’s using up all those processor cycles. Interrupts/sec and % Interrupt time tell you how much time the processor is spending interrupting itself to handle requests from its hardware (network cards, video cards, keyboards, and so forth). If the value of Interrupts/sec exceeds 3500, then more than likely something’s going wrong, either a buggy program or a board spewing out spurious interrupts. One common cause of excessive interrupts is badly designed device drivers. Are you running any beta device drivers? I’ve seen beta video drivers that spew out thousands of interrupts per second. You can test this by running the standard VGA driver and comparing the interrupts before and after. Another source of excessive interrupts is timer-driver programs. Some years ago, one network manager I know was seeing 4000 interrupts/ second on a fairly quiet 486-based file server. After some playing around with the system, he realized that he was opening Schedule+ in his Startup group. He shut it down, and his interrupts/second dropped to a normal rate. Note I’d like to tell you that there’s a System Monitor counter that lets you track interrupts/second on a program-byprogram basis, but there isn’t—much of this is just trial and error. Now and then I see a board that sends out a blizzard of interrupts if it’s failing or, sometimes, when it’s just cold. You might see this when you turn a workstation on Monday morning and it acts strangely for half an hour, then settles down. Resolving Disk Bottlenecks

The hard disks on your servers represent another potential sticking point for server production. For file servers, the bottleneck is obvious: the whole point of a file server is to grab data and pass it to the network for distribution. For application servers, the disk problem is more related to paging because of the memory burden that applications incur. If you’re running SQL Server or Exchange or supporting terminal server sessions, it’s easy to run up against the amount of memory installed in the server— and when that happens, the server goes after your disk drive to support virtual memory.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

OBSERVING PERFORMANCE PATTERNS WITH THE SYSTEM MONITOR

There are a lot of counters for physical disks, but most of them don’t tell you much in diagnostic terms except to help you see whether the disks are living up to their specifications. A couple that do are in Table 18.2. TABLE 18.2: IMPORTANT PHYSICAL DISK COUNTERS Counter

Description

What This Counter Tells You

Physical Disk: % Disk Time

Reports the percentage of time the physical disk is busy.

If it’s busy more than 90 percent of the time, then it’s too busy—you’ll improve performance if you get another disk or do less with that one.

Physical Disk: Current Disk Queue Length

Reports the current number of data transfer operations waiting for the specified physical disk (or all disks, if you choose) to handle them.

This value should be as small as possible. A high value indicates that disk waits are impacting users.

The counters in Table 18.2 can also apply to logical disks (C: drive, E: drive, and so on, as opposed to Disk 0 or Disk 1, which identify physical disks). However, you may not need the logical disk counters for the performance monitoring described in Table 18.2. You’ve already got counters telling you how many jobs are waiting in the physical disk queue at any given time and how often the disk is busy; monitoring logical disks instead of physical disks won’t really tell you anything you didn’t already know, since what you’re looking at is disk stress. Logical disk counters are more useful when it comes to performance metrics such as Free Megabytes, which shows the amount of free space remaining on the selected disk. Another logical disk counter you might find useful for logical disks is Split IO/Sec, which keeps track of the number of split input/output actions on the disk. This counter is useful because a high number of split writes or reads (meaning that the disk controller is having to read from or write to more than one place on the disk during a single I/O action) can indicate a fragmented disk. Resolving Network Bottlenecks

Your network’s apparent speed (not what it’s rated at, but how responsive it is) is a function of how much traffic there is on the network and how quickly the server can process user requests. First, how busy is the network? You’ll need to monitor the transport protocols you’re running on the server. Recall that TCP/IP has several different parts—it’s a suite of protocols, not a single one like NetBEUI—and the parts do different things. So, for example, a lot of IP datagrams tells you that your network card is getting a lot of regular (that is, data-related) traffic. A suddenly large number of ICMP datagrams could signify problems—or suggest that someone is pinging the heck out of your server. Look for differences in traffic levels, both on the protocol level and for the entire network card (you can monitor both). Are you getting transmission errors for inbound or outbound network traffic? How busy is the local network segment?

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1455

1456

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

Second, how busy is the server? Is it seeing logon errors? How quickly are people logging in at different times of day? How many files are open on the server? If it’s a terminal server session, how many users is it supporting? If it’s an FTP server, then how many connections are you having to maintain? Is the server experiencing nonpaged pool failures, failing to allocate memory to components that need nonpaged memory because there’s too little RAM installed on the system? Note You can only get accurate network segment data if you have the Network Monitor for SMS installed. The Network Monitor that comes with Server 2003 only monitors data going to and from the monitored server. Therefore, you can get pretty much the same information from Network Interface that you can from Network Segment.

Lots of questions. I’d suggest that you poke around the performance objects a bit to look for specific counters you want to monitor for your server, but Table 18.3 includes some of the more common counters you should watch.

TABLE 18.3: IMPORTANT NETWORK-RELATED COUNTERS Counter

Description

What This Counter Tells You

Server: Bytes Total/sec

Reports the rate at which the server is sending and receiving network data.

The total of bytes going in and out of the server per second gives you a pretty good indication of how busy the server is. If you do something to change the server load, like adding another server of that kind or added load balancing to the network, you can monitor this value to see whether the change actually did any good.

Server: Files Open

Reports the current number of files open at the moment of reporting. This is a current total, not a total of all the files that have been opened during a given time.

This counter indicates the traffic load a file server is experiencing. Sadly, there’s no way to monitor file openings on a per-user or per-file basis.

Server: Pool Non-paged Failures

Reports the number of errors the server is reporting as it tries to allocate nonpaged pool.

Nonpaged pool is an area of virtual memory whose contents cannot be paged to disk because they must be ready immediately when called on—no time for page faults. Lots of errors suggests that the server is running low on RAM and you’ll need to add more.

Server: Server Sessions

Reports the number of current connections to the server.

This counter may not tell you how busy the server is, but it can tell you how popular it is—especially if it’s popular at an hour when no one should be accessing the server at all.

Network Interface: Bytes Total/sec

Reports the rate at which the network card is sending and receiving network data.

If this rate is significantly lower than what you’d expect, given the speed of your network and network card, it’s time to do a little investigating to see whether something’s wrong with the card.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

OBSERVING PERFORMANCE PATTERNS WITH THE SYSTEM MONITOR

Tip If your server is an Internet server of some kind (e-mail, FTP, Web, etc.), be sure to monitor the counters appropriate to its function.

Be sure to also monitor installed protocols for error conditions or heavy traffic at odd times.

Remote Performance Monitoring There’s one big problem with running the Performance Monitor on a server: the Performance Monitor itself consumes resources, and thus skews the resource-usage reports on a server. Consider monitoring servers remotely. If you do, then you’ll use a little network bandwidth but fewer resources on the monitored machine—and you’ll get a more accurate reading, because you’re not stressing the server by running the monitor on it. Tip The only time it’s to your benefit to run Performance Monitor locally is when you’re monitoring counters related to network traffic. Monitoring remotely will increase network traffic and skew the results.

Setting up remote performance monitoring is quite simple. When you’re adding a counter to the monitor, you have a choice between adding the counter for the local machine or another one. You can monitor any generation of NT computer, so if you’ve got a mixed environment it doesn’t matter. When you connect to a remote computer, the counters available to that computer will be visible, so it doesn’t matter which counters are available on the computer from which you’re running Performance Monitor. You can even use Win2K Professional or Windows XP workstations to do the monitoring, so you don’t have to tie up a server for this task. Make sure you’ve selected Select Counters from Computer, and type in the name of the computer you want to monitor with two preceding backslashes, like this: \\Serpent. (There’s no Browse feature, so you have to know the name of the server you want to monitor. Annoyingly, Performance Monitor doesn’t consistently “remember” the names of remote servers that it has monitored previously. Sometimes it does, and sometimes it develops amnesia. However, it is generally able to find servers across trusted domains, even if you can’t specify a server’s domain.) Warning Type server names carefully. If you mistype, it takes the System Monitor a while to discover that the server you’ve specified does not exist on the network.

When you’re done choosing the counter you want to monitor, add it as you normally would and close the dialog box. The remote computer’s counter will be added to the list and identified by the computer name (see Figure 18.3). One of the cool things about doing remote performance monitoring is that it lets you compare server stress easily. If you select the same performance counter on two servers, you can compare the stress on those two servers. Warning As explained in Chapter 16, Server 2003 supports remote server administration using Terminal Services. Do not try to run the Performance Monitor from a Remote Administration session. You’re still running the monitor on the server and consuming server resources—you’re just watching from a different computer.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1457

1458

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

FIGURE 18.3 Performance counters to remote computers will be displayed alongside local ones.

Saving Chart Data When you’ve identified the counters you want to monitor, you can save that information and reuse it later, either to monitor again (on the principle that what you need to monitor once, you almost certainly will need to monitor again) or to make them into an HTML file that you can display in a browser. To save chart settings, right-click somewhere in the Performance Monitor’s display of current counters. From the context menu that appears, choose Save As to save the data, and you’ll be prompted for the name of the HTML file. (This data will always be saved as a hypertext document.) The default folder is the My Documents folder for the person currently logged in, but you can browse for another folder as you would with any Save As operation. Type a name for the file, and it’s saved. If you open the file, it will open in your browser as shown in Figure 18.4. The cool part about this is that the file you’re opening here will continue to display the monitored data. So long as the System Monitor is still running, you can dynamically update the output in this HTML chart. Why do it this way rather than just running the System Monitor? Mostly so you can streamline the UI. As you can see in Figure 18.4, the HTML view shows only the monitor, not the entire System Monitor tool. To update the view steadily, click the Freeze Display button (the red button with the white X on it) in the browser to disable it. You’ll see a warning that all current data will be cleared from the display; click OK. The display will clear and the browser will fill with the updated Performance Monitor data. To manually update the data (perhaps if you’re making a presentation and don’t want people to be distracted watching the updates to the output), then keep the Freeze Display button activated and click the Update Data button (the camera between the Freeze Display and Help buttons). After the first freeze/unfreeze action, the chart data will remain displayed in the browser.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

LOGGING PERFORMANCE DATA

FIGURE 18.4 A saved Performance Monitor chart opened in Internet Explorer

What about reusing this data in a later Performance Monitor session? I’ll talk more about how to use this data in the next section, “Logging Performance Data.”

Logging Performance Data Knowing how the server is performing now is useful, but knowing how the server was performing last week or two months ago can also be useful, since previous records can give you a reality check for current performance. The Server 2003 Performance Logs and Alerts section of the System Monitor works much like the tool of the same name in Windows 2000. Using a combination of commadelimited and tab-delimited files and HTML documents, you can pass information between the Performance Monitor and the Logs and Alerts—or even pass it to another application that can accept comma-delimited or tab-delimited files, such as Excel. The System Monitor supports three types of logs: counter logs, trace logs, and alert logs. Counter logs record data from local or remote computers about hardware usage and system service activity. Trace logs are event driven, recording monitored data such as disk I/O or page faults. When a traced event occurs, it’s recorded in the log. Alert logs take counter and trace logs one step further. They monitor counters that you specify and wait for them to exceed user-defined tolerances. When this happens, the event is logged. You can also set up an alert log to do something when the event happens, like send a message alerting someone to the situation, or run an application. You’ll often use logs in combination— for example, using a counter log to develop a “normal” baseline for a server and then creating an alert log to notify you when the server’s activity falls outside that normal range. Note You can either set up perpetual logging or log only for a preset period of time so you aren’t overwhelmed with data.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1459

1460

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

Creating Logs To create a log, turn to the Performance Logs and Alerts section of the System Monitor. Open the folder for the type of log you want, so that its contents (or lack thereof) are displayed in the right details window. Right-click empty space in the Details window and choose an option for creating a new log from the shortcut menu that appears. What happens from here depends on the type of log you’re creating: a counter log, a trace log, or an alert log. Note As an administrator, you’ll use counter logs and alert logs most often.

Counter logs record system counters, like static versions of the performance logs we’ve discussed so far in this chapter. You can save the log data in a binary file that will open in System Monitor (looking like real-time data) or in a text (comma-delimited or tab-delimited) file that you can open in a spreadsheet application. Trace logs keep track of data according to the part of the operating system that collects it. Unlike counter logs, which just record at regular intervals, trace logs are event-driven. They also provide a more general and less granular view of system activity than counter logs do—for example, rather than monitoring Physical Disk object counters, a trace log will monitor disk input and output. Trace logs can also draw information from nonsystem providers such as the Local Security Authority or the Active Directory Service to get information. To log some information (such as kernel monitoring information), you must either be logged in as the server’s local administrator or use RunAs—accessible while setting up the trace log—to do the logging in the appropriate security context. To read a trace log without writing an interpreter or getting the TRACELOG tool from the Windows 2000 Resource Kit, you’ll need to process it with the tracerpt tool found in Server 2003 and Windows XP. Alert logs are like counter logs but taken one step further. Counter logs just collect data. Alert logs monitor performance object data for selected counters, using the same UI used for monitoring performance objects, but they assess those counters against tolerances that you set when creating the log. In other words, with an alert log you don’t collect all the data for the selected counters; alerts are only logged when the performance data falls outside the acceptable range. Alert logs are kept in the Application log of a server’s Event Viewer. Counter Logs

If you’re starting from scratch, choose the New Log Settings option. Provide a unique descriptive name for the log in the box provided. Click OK, and you’ll see the General tab of the log property sheet as shown in Figure 18.5. Tip It’s acceptable to put blanks in the names of performance logs, but if you plan to manage those logs from the command line you’ll simplify your life if you don’t. Including blanks in the log name means that you’ll need to put the filename in quotes.

You aren’t yet monitoring anything. You have two options for adding counters to the log. To add individual counters, click the Add Counters button to open the same window you used to add counters to the System Monitor. To monitor all the counters for an object in the log, click the Add Objects button to see a list of all available objects for the selected server (see Figure 18.6). If you choose one of these objects, then you’ll record activity for all counters associated with that object.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

LOGGING PERFORMANCE DATA

FIGURE 18.5 When you create a new log, it will contain no counters to monitor.

FIGURE 18.6 Adding objects and all their counters to a counter log

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1461

1462

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

To begin, click the Add button, and you’ll open the same Select Counters dialog box you used to add counters to a Performance Monitor chart. Make sure you’ve selected the computer that you want to log. As with charting, logging takes up resources on a server, so consider running logs remotely. Whichever option you go with—most often, you’ll probably want to add individual counters—the counters you selected will now be added to the Counters list on the General tab. Back in the General tab, you can edit the sampling interval from its default of 15 seconds. The Sample Data Every box will accept an integer between 1 and 10,000, and the drop-down list of time units supports seconds, minutes, hours, or days. Pick an interval based on the duration of your expected logging time—the longer the period you’re logging for, the wider you’ll probably want the interval to be so you can see trends. The shorter the sampling interval, the more processing time the sampling will take and the more datapoints you’ll have. Note You can reuse Performance Monitor counters that you’ve previously saved as an HTML file. If you plan to do so, start the creation process by choosing New Log Settings From from the context menu. You’ll be prompted to provide the name of the saved file. After that, the process will work exactly as it does for creating a new counter log file from scratch. The General tab will display the counters used in the saved Performance Monitor file.

Turn to the Log Files tab (see Figure 18.7) to edit file settings for the log. FIGURE 18.7 Edit file settings to control file type, size, and name.

Most of these options are fairly self-explanatory, but let’s take a quick tour: ◆

By default, logs are stored in a Perflogs folder on the server’s boot partition. Unless you regularly back up this location, you might want to put the logs somewhere else for safekeeping.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

LOGGING PERFORMANCE DATA

◆ ◆

◆ ◆

◆

The name of the log is the filename. It must conform to the naming convention of the filesystem where you’re storing the log. The auto filename suffix is an extension to the log filename that allows you to identify logs by their name, if you maintain more than one log with the same filename. The nnnnnn naming means that the files will be numbered in order (the first serial number determines the first number that will be used). Other options identify the file by the date it was created, whether by year; month, day, and hour; or some other mechanism. Open the drop-down list to find the naming convention that works best for you. The log file comment will appear next to the list of log names in the folder, so add a comment if the log file requires further description. Unless you specify otherwise, the file is a binary file that will open in System Monitor, but you can also save the data as a binary circular file, comma-delimited file (CSV), or tabdelimited file (TSV). CSVs and TSVs can both be opened in text editors or spreadsheet applications such as Microsoft Excel for analysis. The only limitation to CSV and TSV logs is that they must log all at once—they can’t accommodate logs that start and stop. Binary and binary circular files (both of which have .BLG extensions) are for recording data intermittently, when data collection may stop and then resume while the log is recording data. The binary files create sequential lists of all events, while the binary circular files record data continuously to the same log file so that previously written records are overwritten when new data is available. Choose whether to limit the log file size. If you’re planning to log for only a certain period of time (specified on the Schedule tab), then you may not want to limit the log’s size, so you don’t lose any of the data you choose to save. However, if you don’t plan to choose an automatic ending time, it might not be a bad idea to limit the log size so you don’t get more data than you can usefully examine.

When you’ve edited all the file settings, turn to the Schedule tab (see Figure 18.8) to finish creating the counter log file. Normally, the log is set to start as soon as you finish—that is, it’s set to start automatically at the time you started creating the log, which means it will begin logging as soon as you finish setting up options. If you’re trying to gather information about server information under circumstances that you know will apply at a specific time, you can choose to either manually start the log or specify a specific date and time the log should start. Unless you specify otherwise, the log will keep collecting data until you shut it off manually. To schedule a stopping time or logging duration, select the After radio button and specify the time or period for which you want to log. In this same dialog box, you can also tell the System Monitor to restart the log when the preset period is ended (as you might do if you wanted to compare data from several different times of day) and provide a command or batch file to run when the log is completed. Click OK, and the new log will appear in the Details side of the Counter Logs folder. Its icon will be red until the log starts collecting data, either at the time you specified on the Schedule tab or when you right-click the log object and choose Start from the context menu.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1463

1464

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

FIGURE 18.8 Editing scheduling settings for the log file

You can also monitor performance data from the command line, using typeperf. In its most basic form, it’s another form of System Monitor, spitting out performance data into the command window from which you initiated the logging. For example, typing this on computer BETANET typeperf "\Processor(_Total)\% Processor Time"

gives you output like this: "(PDH-CSV 4.0)","\\BETANET\Processor(0)\% Processor Time" "10/01/2002 17:24:28.272","1.000000" "10/01/2002 17:24:29.274","9.000000" "10/01/2002 17:24:30.275","2.000000" "10/01/2002 17:24:31.277","0.000000" "10/01/2002 17:24:32.278","0.000000" "10/01/2002 17:24:33.279","4.000000" "10/01/2002 17:24:34.281","1.000000" "10/01/2002 17:24:35.282","0.000000" "10/01/2002 17:24:36.284","2.000000" "10/01/2002 17:24:37.285","8.000000" "10/01/2002 17:24:38.287","0.000000" "10/01/2002 17:24:39.288","1.000000" "10/01/2002 17:24:40.289","1.000000" "10/01/2002 17:24:41.291","0.000000" "10/01/2002 17:24:42.292","1.000000"

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

LOGGING PERFORMANCE DATA

Warning You must watch the command syntax very carefully. Yes, you really need that underscore before “Total”, but if you’re specifying a particular processor (0, to monitor the first one) then you should not have the underscore. If you leave out a space—or add an extra one—when naming the counters, you’ll see a warning that the counter isn’t accessible and there are no valid counters for the monitoring you proposed.

You can monitor more than one counter by enclosing both counters in quotation marks: typeperf "\Processor(0)\% Processor Time" "\Processor(0)\Interrupts/sec"

The counters will be displayed in the order you gave them to typeperf, like this: "(PDH-CSV 4.0)","\\BETANET\Processor(0)\% Processor Time","\\BETANET\Processor(0)\Interrupts/sec" "10/01/2002 17:41:17.594","9.000000","109.830447" "10/01/2002 17:41:18.595","0.000000","105.844672" "10/01/2002 17:41:19.596","0.000000","108.843920" "10/01/2002 17:41:20.598","0.000000","110.840128" "10/01/2002 17:41:21.599","0.000000","109.838443" "10/01/2002 17:41:22.601","2.000000","167.760419" "10/01/2002 17:41:23.602","0.000000","122.818836" "10/01/2002 17:41:24.604","0.000000","125.822315" "10/01/2002 17:41:25.605","0.000000","107.850406" "10/01/2002 17:41:26.606","0.000000","108.841461" "10/01/2002 17:41:27.608","0.000000","130.810447" "10/01/2002 17:41:28.609","2.000000","117.829948" "10/01/2002 17:41:29.611","6.000000","107.844991" "10/01/2002 17:41:30.612","0.000000","106.846337" "10/01/2002 17:41:31.614","0.000000","105.847418" "10/01/2002 17:41:32.615","0.000000","109.840925" "10/01/2002 17:41:33.617","0.000000","108.844831" "10/01/2002 17:41:34.618","0.000000","114.838308" "10/01/2002 17:41:35.619","0.000000","116.827087" "10/01/2002 17:41:36.621","0.000000","108.842918" "10/01/2002 17:41:37.622","0.000000","111.839624"

You can also monitor a remote computer by including its name in the counter argument. For example typeperf "\\Gamma\Processor(0)\% Processor Time"

will monitor Processor: % Processor Time on the server named Gamma—even though Gamma is running Windows 2000 and therefore does not locally support typeperf. To stop monitoring the selected counters, type Ctrl+C. Stopping the monitoring may take a minute, especially if you mistyped the instance identifier and are therefore getting weird output suggesting that the processor is busy –1 percent of the time. As you are probably beginning to suspect, the real value of typeperf is not in its ability to send performance logging output to a command window. It’s much more useful as a shortcut to making counter logs without using the GUI. Table 18.4 lists the switches for this command.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1465

1466

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

TABLE 18.4: SWITCHES FOR THE TYPEPERF COMMAND-LINE LOGGING TOOL Switch

Meaning

-f

Output file format, with the default of CSV (comma-delimited file).

-cf

The file containing the performance counters to monitor. Each counter must be on its own line.

-si <[[hh:]mm:]ss>

Time between samples, with a default value of one second.

-o

Path of the output file or SQL database. If you don’t specify an output file, the output is displayed in the command window from which you launched typeperf.

-q [object]

List installed counters (no instances). To list counters for one object, include the object name, such as Processor.

-qx [object]

List installed counters with instances. To list counters for one object, include the object name, such as Processor.

-sc <samples>

Number of samples to collect. Unless you specify otherwise, typeperf will keep sampling until you press Ctrl+C.

-config

Settings file containing command options.

-s

Server to monitor if you don’t specify a server in the counter path. You do not need to specify a server if you are monitoring the local computer. To log counters on more than one server, you’re best off including the server path with the performance object to monitor.

-y

Answer yes to all questions (such as whether or not to overwrite files) without prompting.

These switches make typeperf much more useful and a lot simpler to work with. First off, let’s skip that pesky parameter bit—it’s too hard to type accurately. Rather than type the counters you want to monitor as part of the command, collect them with the -qx switch and write them to a text file with the -o switch. For example, the following will write all instances of the LogicalDisk object into f:\perflogs\diskcount.txt: typeperf -qx LogicalDisk -o f:\perflogs\diskcount.txt

The file now contains neatly formatted counters for all instances of the LogicalDisk object, nicely formatted (one per line) in the way that typeperf requires. However, you don’t need to monitor all these counters, so delete the ones you don’t want. You’ll need to do that manually, but when you’ve edited the file and saved it as diskcounted.txt, you can point to that file with the -cf switch and then create a printed log (called output.csv) of the results of monitoring those counters, like this: typeperf -cf f:\perflogs\diskcounted.txt -o f:\perflogs\output.csv

Note Writing output to a file not only makes it easier to keep and format the log data, but it makes Server 2003 more responsive when you press Ctrl+C to end the logging. While typeperf is writing to the file, the command window will show a spinning cursor.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

LOGGING PERFORMANCE DATA

Finally, you can refine this logging a bit further to use a different file format ( -f), change the sampling rate (-si), stop monitoring after collecting 50 samples (-sc), and direct typeperf to another server to collect performance data (-s). The following example will save the log as a tab-delimited file, take a sample every 5 seconds, stop logging after 50 samples, and check data for server \\Gamma: typeperf -cf f:\perflogs\diskcounted.txt -si 5 -sc 50 -f tsv -o f:\perflogs\Goutput.tsv

Trace Logs

Trace logs are more of an application or database developer’s tool, testing to see how often a selected event occurs and logging the time, the thread ID that initiated the event, and the user data. To create a new trace log, right-click the Trace Logs icon in the right pane to open the context menu. As with counter logs, you can choose to either start from a saved Performance Monitor chart (New Log Settings From) or create a new log from scratch (New Log Settings). Type a unique name for the trace log when prompted (in this case, I’ve named it NetLogon), and click OK. When you do so, you’ll see the General tab in Figure 18.9. FIGURE 18.9 Choose counters for the TraceNetLogontrace log.

As you can see from this figure, you can collect data from two different types of providers. (A provider is just what it sounds like: something that provides information to an external application. In this case, the external application is the trace logging tool.). Services such as Kerberos can also send data to a trace log. The available nonsystem providers are visible when you select nonsystem providers to log and then click the Add button. From the list in the box that appears, you can pick available providers, such as the Active Directory service or Kerberos.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1467

1468

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

Tip File I/O and page faults are not normally included in the trace log because of the very high values they’re likely to register—a lot of I/O and page faults happen on a server operating normally. Microsoft recommends limiting the log to two hours if you want to include that data in the log.

The Log Files tab of the trace log creator works the same way the one for counter logs does, except that your options are between a circular trace file (one that starts writing over itself) and a sequential one (where all data is appended to the end of the file). So does the scheduler—pick a time and date for the trace log to begin, or choose to begin it manually. Tip If you can’t start a trace log, check the Application log of the Event Viewer. Some providers require a local administrator’s account name and password to let their data be logged.

The trace log creator includes one tab not in the counter log creator: Advanced (see Figure 18.10). Trace logs don’t log data in real time; they store it in buffers until the buffers are full. Edit the settings here to make the buffers smaller or larger or to force the buffers to write to the logs at a definite interval. (Since trace logs are event driven, buffering the events before putting them into the log shouldn’t matter.) FIGURE 18.10 You can edit the size of the buffers reserved for a trace log.

When you’ve edited all the trace log settings, click OK to return to the System Monitor. The log file will appear in the list. Its icon will be red until the log is running, then it’ll turn green when it starts automatically or when you start it by right-clicking it and choosing Start. Alert Logs

Finally, you can use Performance Monitor to keep track of failed logon attempts (Server: Errors Logon), file access attempts, and other types of attempted access that can indicate someone’s trying to break into the network. That’s what alert logs are for. After all, you don’t just want to know about this stuff after the fact, you want to know when it’s happening. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

LOGGING PERFORMANCE DATA

The initial stages of creating an alert log are much like those of creating a trace or counter log. Open the Alert Logs folder so that its contents are displayed on the right side of the System Monitor tool. Right-click anywhere in the blank area on the right of the display and choose New Alert Settings to define new counters to log or New Alert Settings From to open a saved Performance Monitor file and use its counters. Choose a name for the new alert, then click OK to open the alert log’s property sheet (see Figure 18.11). FIGURE 18.11 General tab of the alert log’s property sheet

Assuming you’re creating this log from new data, you’ll need to add counters to the log as you did for a counter log. Click the Add button to open the Add Counters dialog box, and choose the computer and performance counters you want to monitor. When you’re done making selections (remember, you can add as many counters as you like by clicking the Add button), click Close to return to the General tab. The counters will show up in the list. So far, creating an alert log hasn’t been any different from creating a counter log, but we haven’t yet gotten to the good stuff. Below the list of added counters, you’ll need to specify tolerances for each counter you choose. When the counter exceeds those tolerances, Performance Logging will add an entry to the alert log. For example, say that you added Terminal Services: Total Sessions to the log so you know whenever someone logs onto a server via RDP. In that case, you’d set the upper tolerance to 1—or 2, if you want to be able to log into the server yourself. Note In this example, the System Monitor will keep sending messages and recording events until the number of remote sessions is below the alert threshold. Bear that in mind when setting up alerts.

Notice that the default sampling interval for alert logs (five seconds) is much shorter than the one for counter logs. This is because of the different nature of the log—it’s assumed that you’re a little

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1469

1470

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

more concerned about the contents of this one. Use the drop-down lists to edit the sampling intervals if you need to. The alert log will only record events where the tolerances were breached, so you don’t have to worry about drowning in data, but more frequent monitoring takes a toll on the server. The scheduling tab for alert logs works just like the one you used to configure counter and trace logs—just pick a date and time to begin and end the log, or choose to start and stop it manually— but the Action tab (see Figure 18.12) is something new. From this tab, you’ll need to tell the System Monitor what you want it to do when it generates an alert. FIGURE 18.12 Edit alert log action settings.

Normally, System Monitor just adds an entry to the Event Viewer’s application Event log. If the alert isn’t something that you need to know about right away, then you can leave it at that. More important alerts, however, like those generated by unauthorized logins in a pattern that suggests that the network is being hacked, or a severe shortage of memory, may require immediate action. From the Action tab, you can tell System Monitor to send a message to your computer when writing an entry in the alert log or even to have it run a specific application that you can use to resolve the problem. Use this tab to send arguments to the application. Once again, when you’re done editing the alert log’s properties, click OK to add it to the Alert Logs folder. When it’s running, its icon will be green.

Editing Log Settings You can edit any log’s settings by right-clicking its icon and opening its properties sheet in the same way that you created the log in the first place. However, in Server 2003 you can also edit log properties from the command line, using the new relog tool that allows you to change the sampling rate and file format of existing logs. Relog allows you to take existing performance logs and change the sampling rate and file format.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

LOGGING PERFORMANCE DATA

Viewing Log Data Setting up the log data is the easy part, once you know what you want to monitor. Reading and interpreting that data is harder. The method of viewing log output depends on the type of log and its file format. Counter Logs

Recall that when you’re creating counter logs, you have a choice about how to present the data. The default option is to save the data in a binary log file (BLG) that you can examine from System Monitor. To see this data, click the icon on the System Monitor that has the database symbol (a cylinder) on it and browse to the location where you saved the log file when setting it up. This will open the contents of the log like a static performance monitoring chart, so you can see what performance was like at a given time without having to be on the spot at that moment. Charts are nice, but there will also be times when you want to view the information in a spreadsheet so you can manipulate the way it’s presented. To do so, save the log data in a tab-delimited (TSV) or comma-delimited file (CSV) that you can open with a spreadsheet application such as Microsoft Excel. To view the data, just open the file with Excel. If the log is still active, you’ll see an error message telling you that another user or application is using the data, but you can open it as a read-only document or click the Notify option to open the file—you just can’t save it to its current name while the log is still writing to the file. From there, you can use Excel’s charting tools to massage the data to make a good presentation. Alert Logs

Alert logs don’t go into a regular file but directly to the Event Viewer’s Application log (see Figure 18.13). When the counters exceed the tolerances you’ve set up, Server 2003 will add an Information record to the Application Event log. FIGURE 18.13 Output of an alert log

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1471

1472

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

Of course, for more serious alerts, you’ll have to set up the alert log to e-mail you or send a message to the location on the network where you’re logged in so that you know that the alert occurred. Trace Logs

Server 2003 (and other Windows Server operating systems) doesn’t come with any program that can read the ETL files created when you make a trace log. You can view the contents of a trace log without writing an interpreter, but to do so you’ll need to use tracerpt to convert the output to commadelimited file (CSV). Luckily, it’s a pretty simple tool, with only the switches in Table 18.5.

TABLE 18.5: SWITCHES FOR THE TRACERPT TOOL -o [filename]

Text (CSV) output file. Default is dumpfile.csv.

-summary [filename]

The name of the summary file for the trace log. The default is summary.txt.

-report [filename]

Text output report file. Default is workload.txt.

-rt <session_name [session_name ...]>

Real-time Event Trace Session data source, used to generate a readable log from real-time data instead of a converted log.

-config

Settings file containing command options.

-y

Answer yes to all questions (such as whether or not to overwrite files) without prompting.

For example, running tracerpt trace1_000003.etl -o tracelog.csv -summary tracesum.txt

yields the following output: Input ---------------File(s): trace1_000003.etl

Output ---------------Text (CSV): Summary:

tracelog.csv tracesum.txt

The command completed successfully.

Troubleshooting Performance Monitoring Performance monitoring doesn’t always work as expected. The reasons for this vary with the situation.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHATTHEHECKHAPPENED? TROUBLESHOOTING WITH THE EVENT VIEWER

The descriptions for the counters can be misleading or inaccurate, so you may not be measuring what you think you’re measuring—I’ve pointed out a couple of instances that I’ve noticed. Since there are thousands of counters, I’m sure that I haven’t caught them all. Be as specific as possible when monitoring particular instances, and make sure that you know which instance you’re monitoring—for example, be sure of physical and logical disk identifiers before you begin monitoring disk activity. Similarly, it is very difficult to get any real process or thread information with the System Monitor, because the tool identifies processes and threads by instance, not by PID or TID. (There are Process: ID Process and Thread: ID Thread counters. They don’t work. To get PID and TID information, you need to use the Task Manager.) If a server is running more than one instance of the same image, it is very difficult to tell which one you’re collecting the data for. You could collect data for all instances of a particular image—say, EXCEL.EXE—but that doesn’t help you figure out usage patters for a particular instance. Since histograms and reports display averages by default when working from logged data, be careful not to let unexpected zeros and spikes skew those averages. A value of zero doesn’t necessarily mean that the real value is zero. Rather, it may mean that the service you’re monitoring (if applicable) is not running—check the Services tool in Computer Management or the Event Viewer to make sure that a service that should be running but isn’t reporting any data hasn’t stopped. If you’re remotely monitoring a server, make sure that you can get to it—particularly if you’re opening a saved console that someone else set up for you; they might have permissions that you do not, and all you’ll know is that you can’t get any information about the remote server. Similarly, spikes might be part of the normal routine for a server and require investigation, or they might reflect an aberration. For example, say you’re trying to find out how stressed a domain controller’s processor is during an average hour. If you make that average hour at 8 A.M. when everyone is getting to work and logging in, you’ll probably get a result different from the one you see when monitoring at 2–3 P.M. If logged averages are high, check the graph and look for spikes that can throw off the average, and consider lengthening the monitored period to put spikes into perspective.

Whattheheckhappened? Troubleshooting with the Event Viewer Server 2003 defines an event as any significant occurrence in the system or in an application that users should be aware of and have the chance to log. Critical events—those that can impact server availability—deserve immediate notifications, which is why you’ll see “low on virtual memory” announcements on your monitor without asking for them. Less-critical but still important events are recorded in the Event Viewer, a tool in the Administrative Tools program group. You can log just about any kind of event on a server: file and directory access, services starting (or failing to start), unexpected conditions on the server, or, as discussed earlier, alert logs based on System Monitor data. And you’ll need these logs. Any time that something strange starts happening on a server, those event log entries are your first key to finding out what went wrong and how to fix it.

Understanding Log Types The Event Viewer can display six types of logs. All servers will accumulate system, security, and application events. System events are generated by system components or related services and drivers.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1473

1474

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

Security events record changes to any security settings or any audited access such as attempts to open files or folders. You can monitor both successful and failed security events. Application logs contain events generated by applications, installed printers, or (as you’ve seen) alert logs. The Application log is a good place to look for important events not related to the core functioning of the OS or its services, but important nonetheless. If you set up event logging with administrative scripts, the events you record will also be in the Application log. Three other logs—Directory Service, DNS Server, and File Replication Service—are for keeping track of AD-related events. The Directory Service log entries record information regarding the NT Directory Service (NTDS), problems connecting to the global catalog, and any issues regarding Active Directory in your network. The DNS Server entries record any events related to running the Directory Name Service in your Active Directory. Finally, the File Replication log entries record any notable events that took place while the domain controller attempted to update other domain controllers. To view any log, open the Event Viewer. From the left pane showing the log types, click the type you want to view. The display in the right pane will change to show the log’s contents.

Viewing Remote Event Log Data You can connect to any Windows server with an account in your domain (or in another, trusted domain). To do so, right-click the main Event Viewer folder in the left pane of the tool. From the context menu that appears, choose Connect to Another Computer. You’ll see a dialog box that looks like the one in Figure 18.14. FIGURE 18.14 Enter the name of a remote computer to manage.

Type the name of the computer you want to monitor (for example, sandworm—you don’t need backslashes) and then click OK. If the new computer is accessible across a low-speed connection, right-click the log you want to view (not the remote server, the actual log), and then click Properties. Near the bottom of the General tab, check the box for low-speed connection. If you’re not sure of a remote server’s name, you can browse for it in an NT or Active Directory domain. Instead of typing a server’s name and clicking OK, click the Browse button to open the Select Computer dialog box. If you’re unsure of a remote computer’s name, the first dialog box is unlikely to help you, so click the Advanced button to open the dialog box in Figure 18.15.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHATTHEHECKHAPPENED? TROUBLESHOOTING WITH THE EVENT VIEWER

FIGURE 18.15 Browsing a domain for a computer account

From here, click the Locations button to choose a domain, and then click the Find Now button to list the computer accounts in that domain. Note You can only connect to the logs of computers that have a computer account in the selected domain and are currently connected to the network. All computer accounts will be listed, even if a particular computer is offline at the moment.

When you’ve chosen a computer, click OK, and then click OK again back in the Select Computer dialog box. The Event Viewer information displayed will now be the remote computer’s. To reconnect to the local computer, just open the Select Computer dialog box again and pick the option for monitoring the local computer.

Reading Log Entries There are five categories of log entries, each identifiable by an icon: ◆

Information events describe the successful completion of a task, such as the beginning of a service. If you’re using Alert logging, information events in the Application log may also indicate that an alert’s been triggered, so don’t assume that all information events are benign.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1475

1476

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

◆ ◆ ◆

Warning events aren’t necessarily fatal—they describe unexpected behavior that might point to future problems if not corrected. Error events describe fatal errors that mean a task failed. Error events may lead to data loss; they always mean that the server wasn’t able to do something you asked it to do. Success events describe an audited security event completed as requested—for example, a machine account’s login.

Tip Some third-party services record successful initialization as a success event instead of an information event. ◆

Failed events describe an audited security event that the server could not complete as requested. Failed security events can point to attempts to hack the computer, or may signify that a service does not have the permissions it needs to do something that it’s supposed to do.

Each entry also includes the following information pertinent to the event: ◆ ◆ ◆ ◆ ◆

Date and time logged Object logging the event (such as the service that failed to start) Computer name of the server where the event was generated and, if applicable, the name of the person responsible for generating the event If applicable, the category of event, which won’t tell you much—it’s for the internal use of whatever server component logged the event Event number describing the event type

Tip You can search for event numbers at www.eventid.net to find out what a particular event number means, since the descriptions for events aren’t always very clear. This Web site doesn’t have all event ID information, but it’s a good place to start when trying to track down problems.

Double-click any event in any log to open its property sheet (see Figure 18.16) and see more information about the event. The explanation is sometimes more than a little cryptic or is incomplete, but sometimes—and this gets easier with practice—you can glean useful information from the explanations of the events. Troubleshooting with the Event Viewer takes a little practice. For best results, you’ll need to know what your system looks like when it’s running normally so you can more easily identify the events that indicate something is broken. Reading the Event Viewer on a regular basis also lets you find out about problems you may not have known you had, like misconfigured services, undetected because no one’s using them much, or a drive running low on disk space. If a server seems to be acting oddly, then check the Event Viewer for warnings or informational messages that may explain what’s going on. For example, reading the System log once helped me find a rogue program running on a server that I hadn’t properly firewalled. A terminal server refusing connections because of a lack of licenses will also log this information in the System log, as will a service that can’t start. (You’ll still have to track down why the service won’t start, but knowing that it didn’t will help you figure out why a server isn’t acting as expected.) And if a printer isn’t appearing in a terminal session, the System log may indicate the reason.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHATTHEHECKHAPPENED? TROUBLESHOOTING WITH THE EVENT VIEWER

FIGURE 18.16 Event details for a System log entry

Managing and Archiving Log Contents That’s what you’re looking at in the Event Viewer. Managing all that data can be a task unto itself. Discarding Old Data

The Event Viewer logs will keep filling up according to their settings. After a while (and, if you’re recording something that happens a lot, “a while” may not be long), they get full. Unless you specify otherwise, an Event log cannot get any bigger than 16384KB (up from 512KB in Windows 2000). To keep the data fresh, the Event Viewer normally overwrites events as it needs to keep the log under that size, overwriting the oldest data first. To edit this, open the property sheet for a log by right-clicking its icon and choosing Properties. Turn to the General tab shown in Figure 18.17. Most of these settings are pretty clear—from here, you can edit the maximum size of the log, the way in which old entries are overwritten (or not) and whether to clear an existing log and start over. Warning If you click the Clear Log button on this tab, you’ll delete all the entries in that log (Event Viewer will prompt you to save them). Save logs before clearing them if you think you might need the data again. Filtering Data

Normally, the Event Viewer will display all records that it’s collected, with the most recent entries at the top of the log. You can simplify the view of all this data by applying filters to the logged data. Filters don’t affect what information is logged, only how it’s displayed. To filter a log’s events, right-click the log’s icon in the left pane and choose Filter from the View menu. You’ll see the Filter tab shown in Figure 18.18. Choose the filtering options you want, described in Table 18.6. Only event logs with the options you specify (you can apply as many as you like) will appear in the Event log once you’ve applied the filter. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1477

1478

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

FIGURE 18.17 Edit the settings governing how data is discarded when the log is full.

FIGURE 18.18 Filter data to display only pertinent information.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

WHATTHEHECKHAPPENED? TROUBLESHOOTING WITH THE EVENT VIEWER

TABLE 18.6: FILTERING OPTIONS FOR EVENT LOGGING Option

Description

Category

Includes all events within a given category. This filter is most useful for security events, as most system events do not belong to any category and the application categories are numbered, with no keys.

Computer

Includes all events on that particular computer. As the computer in question is the one you’re monitoring and you can only display one computer’s Event log at a time, it’s not clear to me why this filter is part of the Event Viewer.

Error

Includes all error events, which are requested tasks that the server was unable to complete for some reason.

Event ID

Includes all events with the event ID you specify. You can only specify one event ID at a time—you can’t, for example, filter the Event log to display both event ID 7000 and event ID 4002.

Event Source

Displays events stemming from a source you specify (a driver, system component, or service).

Failure Audit

Displays failed security events such as opening a file or changing a security setting. The events this will include depend on the security and auditing settings for the domain or computer.

Information

Displays information events. Information events typically mean that everything worked as planned, but you can use information events to reassure yourself that yes, that service started as planned, so it couldn’t be a problem there.

Success Audit

Displays successful security events such as opening a file or changing a security setting. The events this will include depend on the security and auditing settings for the domain or computer.

User

Displays events that are associated with a particular user, generally the user working at the console when the event was generated. Not all events have a user associated with them—this is mostly a system log thing.

View From and To

Use these boxes to specify a range of events to display. Unless you tell it otherwise, the Event log will display all events in the log from the oldest to the newest, but you can provide starting and finishing dates and times.

Warning

Includes warning events, which tell you that something didn’t go as expected (or, for alert logs, that a counter exceeded the tolerance you set up) but that the problem isn’t immediately critical.

Filters work like Boolean AND statements, not OR statements. That is, if you specify event ID 7000 and check the Error box, then the log will only display entries that are errors associated with event ID 7000, not all errors and all entries with event ID 7000.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1479

1480

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

Tip Want to view all data of a certain type but aren’t sure how to filter the Event log? Click the column heading that corresponds to the type of data you want to view, and the log will sort its entries based on that type. For example, if you want to see all the entries associated with the Browser service, click the header for the Source column. All entries related to the Browser service will be grouped together. Saving and Retrieving Log Data

Like I said, logs get full. You may want the data in them for future reference, however, so you don’t necessarily want to just clear all log file entries. To save a log file, right-click the log’s icon in the left pane of the Event Viewer. From the context menu, choose Save Log File As. A dialog box will open; type the name of the log, click Save, and you’re done. You can now clear the file to begin logging afresh. To open a saved log, right-click the Event Viewer icon in the left pane and choose Open Log File. Browse for the EVT file containing the saved log, choose a log type (this isn’t an option) and a display name, and click Open. When you’ve loaded the saved Event log, it will appear alongside the other event logs as shown in Figure 18.19. FIGURE 18.19 Loaded event logs don’t replace existing log files of the same type, they supplement them.

Quick Looks: Using the Task Manager The tools we’ve talked about so far are good for gathering information for the long term, but setting them up and finding the relevant data takes a little time. When you want to get a quick view of the State of the Computer, the Task Manager is the way to go. It requires almost no preparation, gives you an easy way to determine which applications are hogging resources—as well as providing a shortcut to shutting down runaways—and generally offers you an instantaneous look at how the server is operating. You can’t save or log data with the Task Manager, but you can see how the server is performing without having to set up performance counters. I use the Task Manager frequently on both servers and workstations. Just keep in mind that you cannot use the Task Manager to monitor a remote

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

QUICK LOOKS: USING THE TASK MANAGER

computer, and this tool uses server resources. I will leave it running on a not-too-stressed workstation, but I won’t leave it running on a server. To get to the Task Manager, press Ctrl+Alt+Del to bring up the Windows Security dialog box, and click the Task Manager button. This tool has five tabs: Performance, Applications, Processes, Networking, and Users. Tip If you’re remotely administering a server using RDP, press Ctrl+Alt+End to open the Windows Security dialog box.

Processor and Memory Usage Graphically, the Performance tab in Figure 18.20 is pretty easy to interpret. FIGURE 18.20 Get a visual snapshot of the server with the Task Manager’s Performance tab.

Processor-wise, the server was recently very stressed but is now better, and it’s using a moderate amount of memory at the moment—overall, the server’s in pretty good shape. This graphical data is collected from the time I open the Task Manager, so it will take a minute or two to get much of a snapshot of current processor and memory usage. The text on the bottom of the page takes a little more interpretation. In the Totals section in the upper left, the Processes count is a rough estimate of the number of executable files (not just user applications, but any executable file, including service images and files supporting the operating system) running on the server. The Threads count represents the number of executable threads that are using those process resources and contending for processor time. The Handles count represents the number of connections that the processes have to system resources such as internal timers. Moving to the right, the Physical Memory section gives you a little

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1481

1482

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

more useful information: how much memory is available on the computer and how much of it is currently in use. This memory count includes only the installed RAM in the computer, not the paging file. The Kernel Memory section on the bottom right shows how much memory kernel processes are using, and how much is paged to disk. Finally, the Commit Charge section in the bottom left shows how much memory is committed to particular processes and is not available to other processes.

Application-Specific Information The Applications tab of the Task Manager shows (some of ) the executable files running on the computer, along with the data files they have open (if applicable). As you can see from Figure 18.21, you can use the buttons on this tab to navigate to running applications or end runaway applications— a hung program will show a status of Not Responding. You can also right-click individual applications to change their window state (maximized or minimized), switch to them, close them, or find their process on the Processes tab. Note If an application crashes and is in the middle of being debugged, you can’t end it until the debugger is done gathering information, and if closing the application causes the application to open a window prompting you for information (perhaps to save a file) then you’ll need to either answer the prompt or choose the End Now option when prompted to override the application’s prompt. Generally speaking, you’re better off closing the application normally if you can. FIGURE 18.21 The Applications tab shows running applications and any data files they have open.

Process-Level Information The Processes tab in the Task Manager (see Figure 18.22) takes the basic information presented with the Applications tab and significantly expands on it. The Image Name column shows the

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

QUICK LOOKS: USING THE TASK MANAGER

executable files associated with the applications on the Applications tab and displays all the operating system executables—that CSRSS.EXE file is the Win32 subsystem. The PID column shows the process ID for that executable, the identifier for the process created to support the needs of that executable. The OS identifies running processes both by the name of the executable file they’re supporting and by their Process ID. The CPU column shows the processor that each executable is using; in a single-processor system this won’t tell you anything you don’t already know, but in a multiprocessor system could be useful. The CPU Time column, which you can add as described below, on the other hand, shows you useful information—you can tell which executables are using the most CPU time. If all is going well, then the System Idle Process should be at the top of the list when you’re sorting for CPU time. The Mem Usage column shows the size of the working set for each executable. However, since this total includes shared pages, you can’t add all these numbers up to get a complete count of the RAM installed in a particular computer. FIGURE 18.22 Use the Processes tab to find out how much memory or processor time an executable file is using.

Tip To sort the data displayed on the Processes tab, click the appropriate column head.

This is only a small sample of the data available to you when it comes to getting a current snapshot of the computer. When the Processes tab is in the foreground, the View menu in the Task Manager has a Select Columns option. Pick this menu item, and you’ll see a dialog box like the one in Figure 18.23. The selected boxes will be listed on the Processes tab. For example, notice that my Processes tab does not have a Session ID column, whereas yours may. (This option will only be available if you install Terminal Services.) This column is used on servers

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1483

1484

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

with Terminal Services enabled, whether in Remote Administration or Application Server mode, to identify the session in which a particular executable file is running. FIGURE 18.23 You can choose additional perprocess information to monitor.

Note By default, the Task Manager will display processes only for the console session (Session 0), but it can display process information for all connections to the server, whether from the console or via RDP. Clear the check box on the Processes tab to get a more streamlined view of the server, or select it if you want to know what executables are running in all sessions, whether visible to you or not.

I find myself using the Processes tab most often of all the parts of the Task Manager. It’s a very easy way to find out what’s active on your server quickly, without mucking around with adding counters or checking the Event log. If you see something that looks like an ongoing problem, then you can set up logging in the System Monitor. You can also kill processes from this tab—just right-click the process and choose End Process—or End Process Tree to kill a process and every other process it spawned.

Network Information The Networking tab in the Task Manager (see Figure 18.24) displays the current state of all virtual network adapters in the server, whether they’re responding, and how much of their network capacity is currently in use. This network information applies only to traffic going to and from the currently connected server, so it’s not much of a tool for general network diagnostics. It can help you track down server-specific network problems, however.

User Session Information Because Terminal Services is enabled on all Server 2003 computers, the Task Manager now includes a Users tab that you can use to keep track of those remote sessions. From this tab (see Figure 18.25) you can see the session ID for each session (including the console, which will have Session ID 0), the username for the person who’s logged in, the status of that session (Active or Disconnected) and the name of the computer they’re running the remote session from. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

QUICK LOOKS: USING THE TASK MANAGER

FIGURE 18.24 The Networking tab displays connection status for all virtual networks on a server.

FIGURE 18.25 Use the Users tab to monitor and manage remote connections to the server.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1485

1486

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

This tab will come in handy in several ways. First of all, a Server 2003 only supports a maximum of one console and two remote administrative sessions—and disconnected sessions count toward that total. This tab can show you how many remote connections are currently running on the server and show you their status, as well as let you communicate with those sessions. You can send a message to an active session by right-clicking the session and choosing Send Message from the context menu. A dialog box opens, in which you can type a short message—perhaps asking one administrator to log off the console because the server has accepted the maximum number of connections and someone else needs to log on. When you send a message to a session, it will immediately pop up on the screen of that session. If another administrator is having trouble with the server, you can take over their session from the Task Manager. Right-click their active session, choose Connect from the context menu, and type their password, and you’ll take over that session. (Doing this will kick the other user out; to shadow a session, you’ll need to use the Remote Control tool in Terminal Services Manager.) Because connecting to a session disconnects your own session, you cannot connect to a session from the console; you must be working from a remote administration session yourself. You can, however, connect to the console session—you’ll just lock it. Finally, if someone has disconnected from their session and you need to reclaim the session, you can log them off their session. Right-click the session and choose Log Off. The Task Manager will ask if you’re sure about logging off the selected user. Click Yes, and you’ll boot that person off the server. Note For more information about working with terminal sessions (including more options for sending messages to remote sessions and connecting to them), see Chapter 16.

Basic Tuning Stuff So far, we’ve talked a lot about how to collect information from a server using the System Monitor, the Event Viewer, and the Task Manager, but not so much about how you can exploit this information to make your servers run more efficiently. Let’s open the Control Panel and see what settings you can edit now that you know a little better what state of health your servers are in.

Optimizing Server Processing Power Windows NT Server 4 and NT Workstation had several obvious differences, but one of the major differences wasn’t obvious. The core files required to run NT Server and NT Workstation were and are the same, but at boot time the OS looks in the Registry key HKLM\System\CurrentControlSet\ Control\ProductOptions. Run REGEDT32 and look in that key, and, among other information, you’ll see a value for Product Type. That value was (and is—this hasn’t changed) since NT 4: WinNT for workstations (e.g., Windows XP), LanmanNT for domain controllers, and ServerNT for server computers.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BASIC TUNING STUFF

Why does this value matter? Based on the value of this key, NTLDR makes some decisions about how to configure the system, including runtime policy decisions such as how operating system components and user processes contend for memory and even how the processes contend for CPU time. The most obvious result of this is that server operating systems give a little more time to the application in the foreground than the ones in the background, but they generally assume that all applications on the server need more or less equal time. But workstation operating systems give a lot more time to the application in the foreground, on the premise that the application you’re directly interacting with is the one you want to be most responsive. If you ran, say, Microsoft Word from a Server 2003 machine, it would run rather less efficiently than if you ran the application from XP Professional. This is because even when you were typing into Word, the server would be a little distracted, checking with any other running processes to make sure they were happy and getting enough processor time. Windows Server 2003 is meant to be a server, not a workstation supporting the needs of one person. Note You could edit the Performance settings in the System applet of the Control Panel, but I’m talking about the way the operating systems were set to run under normal conditions.

Ah, but what about Terminal Services? It’s a server, but a server of a very special kind, since it’s providing computing resources to a bunch of client machines. For that reason, Terminal Services should give more time to foreground applications than to background applications and services, as the foreground applications are the most important to the overall performance of the server. If Terminal Services is running and you’ve set up the application server role, then the operating system is optimized for running foreground applications. (You’ve got another option of installing Terminal Services only for remote administration of the server, in which case the server is optimized for fulfilling server functions.) Under rare circumstances, however, you may want to give equal time to all running applications even when the server is supporting user applications. To do so while still running Terminal Services in Application Server mode, open the System applet in the Control Panel. Turn to the Advanced tab, click the Settings button in the Performance area, and turn to the Advanced tab to open the dialog box you see in Figure 18.26. In the Application Response section, make sure the Background option is selected. This tells the server to give all running applications equal access to processor cycles. This may make your foreground applications a little more jerky, but other applications will respond to user requests more smoothly. Warning Generally speaking, you should not edit the Application Response options setting; this is for the exceptional case. When you use Terminal Services in Remote Administration mode, processor time will remain equally distributed among running applications, so you won’t need to edit this setting then.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1487

1488

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

FIGURE 18.26 Edit performance options.

Editing Virtual Memory Settings While you’re in the Performance dialog box of the System applet, click the Change button in the Virtual Memory section to take a look at the paging file settings (see Figure 18.27). The default location for the paging file is on the root of the same logical drive where you installed Server 2003. This isn’t always the best place for it, however. Generally speaking, your server will be happier if its paging file is on a separate disk from the operating system files. Paging files are good candidates for disk fragmentation, and a fragmented disk is not a fast disk—not good when you’re trying to use an operating system from that disk. To move the paging file from its original location, open the dialog box shown in Figure 18.26 and select the local drive where you want the paging file to go. Type in a minimum and maximum size for the paging file in the boxes provided. Also, select the drive where the paging file was and zero it out. For what should be obvious reasons, you can’t put the paging file on a network-accessible drive. And although removable drives will show up in the list of local drives that you could put a paging file on, they’re displayed with a free space of 0MB, so you can’t put the drives there. Tip Try to make sure that the paging file is as large as it needs to be from the beginning. Although it will get bigger as needed, the process of making the file get bigger is resource-intensive. You’ll get better performance if you make the minimum size of the paging file something resembling its necessary size.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BASIC TUNING STUFF

FIGURE 18.27 Virtual memory settings for Server 2003

When you finish, the size of the new paging file should be shown in the Paging File Size column next to the right drive, and that space in the original drive should be blank. Click the Set button to establish the paging file. You’ll need to restart the server, but once you do, the paging file will be moved to the new location. What if you zero out the original page file but forget to specify the location of a new one? You’ll be prompted to reboot the computer as usual for changing the size of the paging file. However, when you reboot, the server will be extremely unresponsive. You must follow the instructions here (and also provided on the nastygram) for creating a new paging file on the appropriate disk. Your server will work until you do this, but it will start with no virtual memory. The new paging file will grow slowly as needed, probably causing you to run low on virtual memory from time to time, and using a ton of processor cycles to grow the paging file. In other words, don’t delete the paging file without creating a new one unless you want to see how the server will operate in low-memory conditions.

Turning Off Silly Visual Effects Okay, maybe this is just me being a Luddite, but in my view a server needs to be fast, not spending cycles on fancy visual effects when opening and closing windows. (Fancy visual effects will also impact performance in remote administration sessions.) Therefore, I keep visual effects to an absolute minimum—even easier, now that Server 2003’s picked up better command-line support. By default, Server 2003 is actually pretty smart about visual effects. If you stick with the defaults, it only uses one effect. In case someone turns on more bells and whistles, you can turn this off from the Visual Effects tab, which is available on the same Advanced tab that let you reach Application Response. In

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1489

1490

CHAPTER 18

TUNING AND MONITORING YOUR WINDOWS SERVER NETWORK

the dialog box shown in Figure 18.28, make sure that the server is tuned for Adjust for Best Performance and keep those boxes unchecked. FIGURE 18.28 Keep visual effects to a minimum on servers.

Tuning the System Cache Server 2003’s default memory settings reflect NT’s legacy as a file-sharing NOS. By default, it’s set up with a large system cache, which is a range of virtual memory addresses reserved for holding recently used data related to file sharing, whether from hard disks, CD-ROMs, or network-accessible drives. The cache includes any data related to file reads and writes, including file contents, read and write activity to a file, or the metadata that describes a drive’s structure and organization. The system cache has a range of virtual memory addresses dedicated to it, with the exact size of the range depending on the amount of physical memory installed in the server. Just as the size of the paging file increases as you install more physical memory, the system cache does, too. Note You can see how much physical memory your server’s system cache is using by monitoring the value of Memory: System Cache Resident Bytes. Although the System Monitor has a counter called Memory: Cache Bytes, this counter doesn’t actually reflect just the System Cache working set. It reflects the entire system working set, including paged pool and any driver code and kernel data that can be paged to disk. System Cache memory usage is also visible from the Performance tab of the Task Manager.

If a server’s supporting file sharing, then it needs this big reserved virtual memory space. However, cacheing all that data may cause a lot of disk thrashing as the data goes in and out of physical memory.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BASIC TUNING STUFF

If a particular server isn’t doing file sharing, you can save yourself some physical memory by changing the memory usage parameters for network use. To do so, open Network Connections from the Control Panel. Right-click Local Area Connection and open its property sheet. Select File and Printer Sharing for Microsoft Networks, and open that service’s property sheet as shown in Figure 18.29. FIGURE 18.29 Server Optimization options

The default setting is Maximize Data Throughput for File Sharing. If you’re not using the server to share files, change this setting to Maximize Data Throughput for Network Applications, or to Balance. (The Minimize Memory Used setting is only a good idea for servers serving a very few users, like fewer than 10.) This should reduce the amount of paging to disk that your server’s doing.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1491

Chapter 19

Preparing for and Recovering from Server Failures Coincidence, gremlins, or incentive from The Powers That Be to do my homework? The day I planned to start working on this chapter, one server on my network stopped booting. I’d been out of town for a few days and so I’d shut all the computers on the network down (power in Virginia is notoriously chancy during the summer months). Came back, booted up the server, and it worked fine. Added support for an additional transport protocol, and rebooted as required. This time, the system couldn’t find a bootable device. Uh-oh. Why did this happen? Dead hard disk? Something disconnected? NetBEUI ate my hard disk when I installed it? (Geez—when Microsoft makes TCP/IP the default transport protocol, they’re not kidding around, are they?) The initial question, however, wasn’t “What happened?” but “How badly is this going to screw me up?” Regardless of the reason why the machine didn’t boot, the fact remains that it didn’t. Had this been a production server instead of a test machine, I would have been in a world of hurt. Or could have been, if I hadn’t been prepared for this kind of eventuality. There’s nothing quite like that sinking feeling when a server dies. You can’t always prevent this from happening; sometimes, you’re just stuck with the whims of the malignant forces in the universe. What you can do is either fix the problem or recover from it. That—and how to prevent problems when you can—is what I’ll talk about in the course of this chapter. In this chapter, I’ll cover the following: ◆ ◆ ◆ ◆ ◆ ◆ ◆

The importance of redundancy in a fault-resistant server and network Some basics of preventing preventable disasters How to use the Windows Backup tools to create manual and automatic backups How to use the System Information tool to isolate hardware problems What’s going on when your computer boots The use of the recovery tools found in Server 2003 Disaster recovery tips

Let’s start with some ways to avoid some disasters in the first place.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1494

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

Preventing Stupid Accidents Deliberate external attacks on your network are frustrating, but at least they allow you to get mad at someone else. It’s the preventable infiltrations or server crashes that lead to the most gray hair. To keep your servers running and secure, you need to do the following: ◆ ◆

◆ ◆

◆ ◆

Keep multiple copies of important data and important server roles such as domain controllers. Physically secure your network. If the bad guys (and the careless good guys) or Mother Nature can’t get to your network hardware, it’s a lot harder for them to damage it. The degree to which you can physically secure your network varies—not all of us have the option of running our fiber cable through concrete pipe—but you can, at least, keep the servers behind a locked door. Protect your network’s user and system data with a good backup strategy. Prepare for the worst with a point-by-point disaster recovery plan that anyone in your organization can follow. Don’t depend on one person knowing how to return the network to working order—that one person may be unavailable when the time comes to restore the network. Understand how your server works so you can troubleshoot problems and perhaps prevent more problems in the future. Install the service packs and patches that Microsoft issues. I know this may shock you, but Windows products have flaws. (Other operating systems also have flaws, but we’re talking about Windows here.) Microsoft issues patches for these flaws, but if you never install these patches, they’re useless.

When something goes wrong with your system, think noninvasive. Step 1 is not popping the top on the server. Three of your most valuable troubleshooting implements are the OS installation CD, data and system state backups, and your notebook, in which you record every change you make to the network and record resolutions to problems. (The brain is Tool 3A. Sometimes it shuts off in times of stress, so you rely on the notebook.) When the time comes for troubleshooting, that notebook will be an invaluable diagnostic tool and a cheat sheet for “I know I’ve seen this before. How did I fix it last time?” A basic concern in any computer security system is the need for physical security, a blanket term for the many ways in which you can protect your server and network from physical harm: stupid accidents, environmental—er—“incidents,” and theft. Entire books have been devoted to the question of how to physically secure a network, so I’m not going to cover everything here. What follows is an outline of the kinds of protection you should be looking for, both physical and logical. Note Protecting your network is a never-ending process; every safeguard has a counter. You can’t protect yourself from every possible disaster, so you have to come up with a balance between how much it would cost you to recover from a disaster, how likely it is that you’ll be hit by that particular disaster, and how much the protection costs. If protecting your data costs more than the data is worth, then it’s time to relax a little.

Redundancy: The First Line of Defense This is a theme that has come up several times in the course of this book, but it’s worth repeating here: a redundant server—or network—is a fault-resistant server or network. You can be redundant at several layers. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PREVENTING STUPID ACCIDENTS

On the server, protect important data with fault-tolerant volumes, whether with software, as discussed in Chapter 10, or in hardware. The pros and cons of the various RAID types supported in Server 2003 are also discussed in Chapter 10. As you’ll see there, RAID 5 gives you the most protected storage space for the number of disks involved, but mirroring is less processor-intensive than the RAID 5 protection supported in software. Do not put important data on any multidisk volume that is not fault tolerant unless you are backing it up early and often. Although multivolume disks can improve performance and make a larger single volume, if one disk in the volume dies, the entire volume is inaccessible. Since having more disks increases the chance that any one disk will die at any given time, multidisk volumes are more vulnerable to disk failure than single-disk volumes. To protect data from complete server failures, not just disk failures, you can choose to replicate it across the network. The same principle of redundancy applies to the network. As you’ll see in this chapter, having multiple domain controllers can simplify your restore process if you lose a DC. Rather than having to restore the domain structure from backups or completely rebuild it, you can let the usual replication take care of the restoration for you. Of course, if you’re restoring a more recent version of the directory structure, you can choose to propagate those changes to the other domain controllers, but the bottom line is that having more than one domain controller allows you to keep the domain working while getting a failed domain controller back on line. The same principle applies to WINS servers (for name resolution) and DHCP servers. You don’t want two DHCP servers actually dispensing IP addresses, but you do want a backup of the scope. See Chapter 7 for more about WINS and DHCP. Finally, if you’re using Windows Server 2003, Enterprise Edition (or a third-party clustering solution) you can use clustering to keep vital servers from going down. There are two main types of clustering. Load-balancing clustering distributes requests among clustered servers to keep the—well, to keep the server load balanced so one server isn’t hammered while another one is standing idle. Fault-tolerant clustering can actually transfer connections from a failed server to one that’s standing ready for new connections.

Power-Protect Servers Always use a UPS to power-protect servers and network hardware such as hubs and routers. This will protect the backbone of your network from power surges and dirty power. Power protection also will help prevent data loss and will let you shut down the servers in an orderly fashion (or shut down the servers automatically). Personally, I’ve had very good luck with APC’s UPSes (strictly speaking, SPSes) for workstations and test servers, but the Web server that cannot go down is protected with a true UPS (a Powerware Prestige XT, if you’re interested). For those who don’t know, a switched power supply has a very short (under 4ms) break when switching from line power to battery power— not enough to be noticeable for most computers. An uninterrupted power supply cycles all power through the battery even if line power is available, so if the line power fails there is no switching time. Most devices you see sold as UPSes are SPSes. Warning Don’t ground only the server room, ground the entire office. Grounding only the server room is equivalent to putting a giant “KICK ME” sign on your servers, as they’ll be the easiest path to ground.

What about client-side power protection? At one time, UPSes were so expensive that it wasn’t cost-effective to protect each client station. These days, you can get a low-end UPS for less than

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1495

1496

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

$100, so think about the investment to give user machines power protection and a little bit of time to save documents and shut down. Power strips with surge protectors don’t do the trick. Because of their high tolerance for voltage—they’ll pass jolts that will damage a PC—power strips are a convenient way of plugging several devices into one outlet, but not a power-protection mechanism. Tip Don’t plug a printer into a UPS designed for a computer only. First, it won’t hurt the printer to lose power suddenly and if the power goes out, printing documents is probably not a vital concern. Second, laser printers draw far more power than a PC and will drain the battery life too quickly. Do plug a monitor into the UPS. Although the monitor draws power, you’ll need it to shut down the computer gracefully.

Speaking of client power protection, one advantage to running Terminal Services instead of a traditional desktop environment is that you don’t have to worry about power-protecting a Windows terminal—at least not for reasons of protecting data. If a Terminal Services client computer loses power, the client’s session is disconnected, not terminated. That is, all client applications and data remain active and in memory on the terminal server so long as the server is running. When you power the client back up and reconnect the session, it will be exactly as it was when it was disconnected. In other words, a power outage on the client will cause no data loss as long as the terminal server is protected. For more information about Terminal Services in Server 2003, turn to Chapter 16. For extreme quick-and-dirty power protection for network client machines, tie five knots in each computer’s power cord, as close to the wall as you can. If lightning strikes the wiring, the concentration of current within the loop of the knot will kill the cord and thus break the lightning’s path to the client machine. I know that this one is hard to believe, but it really works. As Mark tells it: During the summer of 1990, a massive electrical storm hit Washington, D.C. (where Mark lived at the time). I had tied knots in the cords of all of the computers in the house beforehand but hadn’t thought to do this to the television. During the storm, one of my neighbor’s houses took a direct lightning hit and a huge power surge hit my house’s wiring. The cords of all the computers were warmed up a bit, but the power surge never touched the computers themselves. The television was another matter. The surge traveled straight through the cord to the TV’s innards and rendered the television DOA. I couldn’t have asked for a better test, although at the time I wasn’t in a mood to appreciate the benefits of having had a control group.

Environmental Concerns Reduce the likelihood of Bad Things happening to your servers by keeping them away from potential problems. Look for evidence of old leaks in the ceiling, and keep equipment away from them—an old leak could become a present leak. Make sure that the server room is climate-controlled. The air conditioning used for the rest of the office might not be sufficient in an enclosed room, given all the heat that computers emit. And don’t position any computer in direct sunlight. Finally, avoid introducing new contaminants around the servers. Although it may be impossible to keep people from eating or drinking near their workstations, you can—and should—keep food out of the server room. If your office permits smoking, don’t smoke or let other people smoke around the servers or workstations. Smoke particles inside a hard disk can chew up its surface.

Limit Access to Servers Most people using the network don’t have a valid reason to do anything to a server (except a terminal server, of course, and then they’re only using it remotely). One way to keep people away from your

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PREVENTING STUPID ACCIDENTS

servers is to lock said servers in a separate room to which only trusted people have access—and you can make that even more secure by using a card-key system that records the identities and in-and-out times of the people entering the locked room, if necessary. If people can’t get near the servers, they can’t: ◆ ◆ ◆

Reboot or shut down the server manually. Steal data-containing hard disks from the server. Reinstall the OS and thus have the chance to create a new Administrator account with full access to the server.

User permissions that prevent a person from shutting down a server from the console don’t prevent that same person from shutting down a server with the Big Switch. Therefore, if locking up the servers isn’t an option, you can physically disable the Reset button and/or the A: drive so that people can’t just shut down the server unless they have permissions to do so. Note An OS-dependent protection utility such as floplock (in the NT 4 Resource Kit) doesn’t prevent people from using the floppy drives from another operating system or from booting from a floppy, because the OS isn’t yet loaded when you’re booting. If you want to disable the floppy drives for all operating systems, edit the BIOS to remove support for floppy drives (this setting is typically in the Standard BIOS setup) and password-protect the machine for booting. Alternatively, use a keyboard-video-mouse switch with long cables so you can keep the monitor isolated from the server to which you’re providing access.

Use Passwords Effectively Server 2003’s security is built on user authentication. When you log in to a domain, your username and password are compared with the information stored in the Active Directory on the domain controller. Once you’re authenticated on the network, you’re assigned a security token that contains a list of your rights and permissions based on your user identity and group membership. Whenever you try to do something—read a file, install an application, whatever—the security manager compares your rights and permissions with what you want to do, and permits or denies access based on the results of that comparison. The only thing that keeps people from impersonating each other, therefore, is the password on their accounts. Once someone has an account’s password, they can use that account and all the rights and permissions associated with it. Passwords are the biggest port of entry into your network. Why Passwords Are Vulnerable

Previous editions of this book included some tips on creating hard-to-crack passwords. The widespread availability of password-cracking programs such as L0phtCrack (now more innocuously known as LC3) renders most of these tips semi-obsolete for stopping anyone who really wants to break in and who can get physical access to the server because they give anyone with access to the network an extremely powerful tool for cracking passwords. LC3, for example, can retrieve password hashes from the Registry or even from the network. Once the tool has the password file, it extracts the password hashes (encrypted passwords) and performs a series of three attacks to decrypt the hash: Dictionary attack In a dictionary attack, LC3 tests all the words in a dictionary or word file (the tool itself comes with an optional word file) until it finds a match.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1497

1498

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

Hybrid attack If the dictionary attack doesn’t produce results, the next step is to see whether the user took a known word and added numbers or other characters to it, so as to foil a dictionary attack. Brute force attack The final stage is a brute force attack, in which the password hash is compared against every key combination possible. Brute force attacks take much longer (sometimes days—depends on how fast the computer doing the cracking is) than either of the other two attacks, but they can eventually crack just about any password using characters found only on a standard keyboard. Just about any password is vulnerable to a brute force attack if given enough time. “Enough time” may mean a couple of days even on a fast computer, but if the cracker has the password hashes, then the delay won’t stop the cracker unless people change their passwords during the cracking process. Note The longer and more complicated a password is, the longer it will take to crack it—and the more likely that your user base will write down passwords. You’ll need to balance the need for complex passwords with the reality that if you make them too complex they’ll be unusable or compromised by people writing them down.

All that said, passwords are far from useless. You’ll notice that using a tool such as LC3 requires physical access to the server or to the network. The answer? Keep untrusted people off the network. Protect the Administrators account, only giving Administrator rights to the most trusted people. If your network is connected to the Internet, close TCP/IP ports that you don’t need, and audit failed attempts to connect to the gateway from the Internet. For the people on the inside who do have access to the network, institute a zero-tolerance policy for password-cracking tools for anyone without a really good reason to have them, and don’t set up e-mail to execute attachments automatically, since some malicious software will execute not only with the permissions of the person currently logged in (as software normally does) but can give itself elevated privileges, allowing the software to execute as though a member of Administrators or Domain Administrators was logged in—and thus wreak all kinds of havoc. Note Although servers would seem to be safe from an elevated privileges attack (since users are not likely to be logged in at the console, and administrators won’t pick up their e-mail there), terminal servers, in particular, are vulnerable to them because ordinary users do effectively log on locally. Keeping Out the Idle Curious

Your network’s security is threatened not only by the actively malicious, but also by the idle curious. Password-choosing schemes are best for keeping out those people who aren’t interested enough to get serious about breaking into someone’s account, but will go poking through Joe Blow’s files in his private home directory if Joe makes it easy for them. To keep these people out of other people’s accounts, follow the guidelines for choosing passwords below. They won’t foil LC3, but they’ll foil someone guessing passwords. Impose Password Policies Passwords must be of a minimum length, changed regularly (but not too regularly, to avoid people reusing passwords too often), and shouldn’t be reused often. Set policies to require passwords to include numerals and other nonletter characters, and take advantage of the fact that passwords are CasEs3nSitiVe (hint, hint).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

Don’t Let People Use Easy-to-Guess Passwords No personal names, spouse’s names, dog’s names, or other easy associations. Ideally, passwords should not reflect that person’s job, either. A few years ago, a friend of mine doing network security for one department of the Pentagon told me that he’d had to institute this rule after discovering that the analysts in his division had all chosen passwords based on the names of battleships—words directly related to their division’s mission. Don’t Write Down Passwords The most difficult password in the world will do no good if it’s on a sticky note on the base of the monitor or under the keyboard. This is the dilemma inherent to all password protection. If you make passwords easy to remember, they’re often easy to guess. Make them too hard to remember or require too many of them, and users will start writing them down. Delete or Disable Unused Accounts An unused account is an account that isn’t getting its password changed regularly and doesn’t have someone using it who might notice something strange going on. If you’ll need an account later, but not now, disable it so as to retain its security ID while making it impossible to use at the moment. If you’ll never need an account again (perhaps for someone who has left the company), delete it. Note If you delete an account and then re-create it, the account will have a new security ID even if it has the same username and password as the original account. You’ll have to re-create all user rights and permissions from scratch.

If passwords don’t supply enough security, you can replace or supplement them with other means of validation. Biometric devices can scan retinas or (less intrusively) fingerprints and provide a second layer of security that confirms the person supplying the password is the person authorized to do so. Another alternative is the token-generating tools that create a token (with a smart card or similar device) to be supplied along with the password; the password won’t work unless it’s the proper token. In short, passwords are a good start, but you needn’t rely solely on them.

Backup Programs and Approaches Security from intrusion is important, but so is security from data loss. Backups are your first line of defense against server failures and your last recourse when all else fails. When it comes right down to it, the data on your servers is the important part. The box is replaceable, and you can reinstall the operating system if you need to. What you can’t replace is the data on the drive. And if you lose that data and can’t get it back, your company’s life is probably over. To help you protect your company’s most important asset, Server 2003 comes with a version of Windows Backup, complete with support for a wider array of backup destinations and an integrated scheduler. Using this backup program, you can back up either to files or to tapes or create files for system recovery.

Basic Data Backups Backup is in the System Tools section of the Accessories folder. Open the Backup application, and you’ll begin the Backup or Restore Wizard. Let’s start with a backup. After the opening screen, you’ll see the screen shown in Figure 19.1, asking you whether you’d like to back up or restore files. Choose to back up.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1499

1500

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

FIGURE 19.1 The simple wizard can accommodate either backups or restorations.

Next, you’ll need to choose the range of data to back up. As you can see in Figure 19.2, in Server 2003, you’ve got two options—to back up everything and make a system recovery disk, or choose the individual files you want to back up. (Domain controllers will have a third option—backing up only the System State data.) For now, pick the option that allows you to choose the files. FIGURE 19.2 Backing up selected files

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

In the next window, you can drill down to find the files and folders you want to back up, whether on the local computer, the network, or even in trusted domains (see Figure 19.3). This is a list of the assigned drive letters of all partitions. The drives listed are logical drives, not physical drives. You can sort the available drives by clicking the headings of the Name, Total Size, or Free Space. This list includes all drives on the server, not just fixed or local drives. FIGURE 19.3 Backing up the contents of the Win2K folder

You may have to do a little exploring to find the files you want to back up. Perhaps you think that the Applications drive (drive D:) is the one with the data you want to protect, but you’re not sure. You can find out for sure by double-clicking the drive to see its folders. If you want to, you can drill down yet further within those folders to expose the subfolders, all the way down to file level. When you find the appropriate folder, you can deselect any object within this folder and prevent it from being backed up. If you do so, the check mark in the folder’s box will be gray, instead of the blue that indicates all its contents are selected. Similarly, the box next to the logical drive that a selected folder is stored on will have a gray check mark indicating that part of its contents are selected for backup, but not all. You can choose as many different files and folders on as many different drives as you like to be part of a backup set. They don’t have to be juxtaposed or arranged in any kind of logical form, but they will retain their location on the final backup media. You can’t, however, choose to back up all files of a certain type, regardless of location. Backup is organized by location, not by file type. You can’t check boxes next to any structures except files or folders—this keeps you from accidentally choosing to back up all the shared files in a domain, for example. Tip If you’re backing up network drives or backing up to a network location, make sure this network location is available at the time you run the backup. This is really an issue with scheduled backups, but it can be a frustrating one if it catches you off guard.

Next, choose a location for the backup using the dialog box in Figure 19.4. If you’ve got a tape drive, you’ll be able to back up to tape; otherwise, you’ll need to choose a location for the backup file (.BKF).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1501

1502

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

By default, the backup file is named Backup.bkf and stored in My Documents for whomever is logged in and performing the backup, but you can click the Browse button to choose an alternative backup location. The first time you run Backup, you will need to choose a backup location. FIGURE 19.4 Choosing a backup location

Once you’ve told Windows Backup where to put the backup file, click Next to display the final screen that displays your backup options (see Figure 19.5). If you click the Finish button, you’ll start the backup. FIGURE 19.5 The final screen of the wizard displays the current backup settings.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

That’s a basic backup, using all the default options. If you want a little more control over how the backup is performed (that is, the options for How and When), click the Advanced button before clicking Finish to start the second part of the wizard and decide on the options listed in Table 19.1. TABLE 19.1: ADVANCED BACKUP OPTIONS Option

Default Setting

What It Means

What type of backup should be performed?

Normal

You can choose from normal, copy, incremental, differential, or daily backups. These backup types are described later, under “Choosing a Backup Type.”

Verify data?

No

Verifying a backup compares the data on the backup media with the source media to make sure that the data was copied correctly. Verifying a backup takes some additional time, but I’d do it anyway—it’s a good way of getting a record that the data was written as expected.

Use hardware compression?

No

This option is only available if you’re backing up to tape. If you choose it, then the tape will have a higher capacity than it would have had otherwise.

Append or replace existing backup sets?

Append

If the backup media already contains a backup, you have the option of either replacing that backup or adding the present backup to the catalog. The option you choose depends on which is more important to you: keeping the backup media uncluttered so you can easily find the backup set for restoration or maintaining multiple backup sets. I’d suggest replacing full backups (although you should always archive at least one full backup in case something happens to the current one) and appending incremental and differential backups.

Restrict access?

No

If you’ve chosen to replace any backup sets already on the media, you can choose whether to restrict access to those sets to members of the Administrators group and the person creating the backups.

What is the name of the backup and the media?

Time and date backup was created

Provide a name for the backup set. If you’re using new media, or replacing the data on existing media, you can choose a new name for the tape or file.

When should the backup run?

Now

You can choose to run the backup now or pick a time at which it should run. If you’re backing up a server, then you’ll almost certainly want to schedule it for later, when people aren’t using the data.

Back up migrated remote storage data?

No

This option backs up rarely used files that have been automatically archived in remote storage.

Disable volume shadow copy?

No

Volume shadow copying allows files to be backed up while in use.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1503

1504

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

The only Advanced backup option that might cause you any trouble is the scheduling tool, which I’ll cover later in the section “Scheduling Automated Backups.” When you’ve finished choosing options, you’ll see the Finish screen again, showing the updated options.

Advanced Backup Options Let’s look at these advanced backup options in some more detail. Open the Backup tool in Advanced mode (this will make it look like the Backup tool in Windows 2000) and choose Tools/Options to open the tabbed Options dialog box. Note Settings you choose from this tabbed dialog box will apply to all backups. To set advanced options on for individual backups, click the Advanced button on the last page of the Backup or Restore Wizard. Choosing a Backup Type

The default backup type for Windows Backup is Normal, which is a not-very-descriptive way of saying that Windows Backup performs full backups (copies all files and resets the archive bit on all copied files) unless told otherwise. If you turn to the Backup Type tab shown in Figure 19.6, you can choose one of the options described in Table 19.2. FIGURE 19.6 Choose a new backup type if you don’t want to perform full backups.

Note The archive bit is a hidden file attribute applied to a file when it’s created or edited. It’s used to tell a backup or copy utility, “Hey, this file has changed.” Resetting the archive bit removes the archive bit from a file; setting the bit adds it.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

TABLE 19.2: SUPPORTED BACKUP TYPES Backup Type

Description

Normal

Copies all selected files and then resets the archive bit

Incremental

Copies all selected files with the archive bit set and resets the bit

Differential

Copies all selected files with the archive bit set but does not reset the bit

Daily

Copies all selected files that were edited the day the backup was performed

Copy

Copies all selected files but does not reset the archive bit

You can use these backup types in combination to back up files completely and efficiently. The longest interval you’ll want to have between backups is probably a day—lose more than a day’s worth of work, and you’re in big trouble. (Losing a day’s worth of work is bad enough, which is why companies with really critical data use RAID to protect their data, as discussed in Chapter 10.) Running a normal backup every day takes up a lot of time and space, so you can run a normal backup at regular intervals, perhaps once a week, but supplement this weekly full backup with a daily differential or incremental backup. Running a daily differential backup gives you a daily copy of all the files that have changed since the last full backup; incremental backups copy all the files that have their archive bit set. Either differential or incremental backups work well as a supplement to a regular normal backup. I find differential backups easier to perform and restore because restoring a server becomes a matter of restoring the most recent normal backup and the last differential one. Restoring incremental backups is a slower process, as you must restore each incremental backup made since the last full backup individually. However, incremental backups take less time to perform than differential backups. Daily backups aren’t really a method of preserving data, but more a way of quickly finding files that you’re currently using and transferring them to other media. You might find it useful to run a daily backup on a user’s files to copy the ones he needs to a laptop for a business trip, if the client isn’t using Win2K Pro or Windows XP (or they’re using a common computer) and so doesn’t have the option of using Offline Files. Copying files is only useful if you want to make a complete copy of all selected files without resetting the archive bit. A copy action like that is a way of copying files to a new location. Choosing a Logging Type

Backup logs are a useful troubleshooting tool. If something goes wrong with the backup, then you can inspect a text-based log to see what went wrong. In fact, it’s a good idea to at least scan the backup logs produced after each backup to make sure that the procedure went as expected. How much information do you log? Normally, Backup logs only errors and important events, but if you turn to the Backup Log tab of the Options dialog box (see Figure 19.7), you can choose not to log (bad idea, as that disables a troubleshooting tool) or to log everything (also a bad idea for anything other than a daily or perhaps incremental backup, as it will make your logs so big that it will be hard to find errors). Unless you need a complete record for some reason, the summary log option (the default) is probably your best bet.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1505

1506

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

FIGURE 19.7 Choose a logging option.

Which Files Do You Want to Back Up?

Even if you’re running a full backup, you don’t necessarily want to save everything. For example, do you really need to preserve the contents of the paging file? Probably not. For this reason, Windows Backup does not normally back up any files that don’t contain real data—a user cache, a page file, temporary Internet files for the person running the backup, and the like. You can edit this list from the Exclude Files tab of the Options dialog box (see Figure 19.8). The Add New and Remove buttons on this tab are pretty self-explanatory. Unless you have real reason to remove one of the already excluded files from the list, I suggest that you leave them alone, as the files listed are not really anything you need to back up. To add files to exclude from the backup, click the upper Add New button to display the dialog box shown in Figure 19.9. The list in the upper half of the dialog box contains all the file types recognized by the server. You have to know the extension for the type of file you want to exclude from the backup, but many of the extensions are labeled so you can be sure that you’ve got the right one. (If an extension isn’t labeled and you don’t recognize it as an application file extension, files of that type are probably part of the operating system and can be reinstalled. Just be sure to check before you exclude the files from the backup.) In the Registered File Type list, click the file type that you don’t want to back up, Ctrl+clicking to select more than one option at a time. When you click OK, you’ll see your selection(s) added to the list of excluded file types. For example, if you don’t want to back up any application files (on the principle that you can reinstall the applications if necessary), then you’d find .exe in the list, highlight it, and click OK. The Custom File Mask text box is for extensions that aren’t registered file types (ones you’ve created yourself for certain files) or for filtering files by name. The syntax for this file mask depends

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

on whether you’re filtering by filename or extension. If you want to eliminate all files named abc. from the backup, then type abc in the box—no asterisks necessary. To eliminate all files with the extension .abc, then type .abc (note the period) in the box. FIGURE 19.8 Change the files to exclude, or edit the settings for excluded files.

FIGURE 19.9 Choose from registered file types, or type in custom extensions.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1507

1508

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

Note You must enter each custom file mask separately. If you enter two at once—say, for .abc files and .def files—then you’re telling Backup to skip all files with the extension .abc.def. Using semicolons or other punctuation to separate the entries doesn’t work.

By default, your file mask will apply to the entire C: drive. To edit this to apply to a different drive or only a specific folder, type in a new path or click the Browse button to open a file tree (see Figure 19.10) from which you can choose the path you want the mask to apply to. You can choose drives either on the local machine or on network-accessible drives. FIGURE 19.10 Browse for the path to apply a file mask to.

When you click OK to exit the Add Excluded Files dialog box, the path information will be listed with the file types to be excluded on the Exclude Files tab. The file types you’ve excluded will apply to all users. If you’d like to exclude file types only for the person currently logged in (there’s no way to specify another user or a group), then click the Add New button for the bottom window of the Exclude Files tab. You’ll enter the same Add Excluded Files box that you saw previously, and it works the same way. The only difference is that the files you exclude will only apply to the ones you own. For example, if I chose to exclude .doc files for myself, then everyone else’s .doc files would be backed up, but mine (the ones I created and own) would not. Tip The per-user masking depends on current file ownership, so if a file was created by Joe but Jane took ownership of it, the file would still be backed up if Joe added it to his personal file mask, but not if Jane did. It doesn’t matter whether Joe, Jane, or Fred is running the backup: So long as Jane owns that file, then it’s excluded from the backup.

Notice that the exclude tool really only excludes files—you can’t use it to include only files with certain extensions in the backup. Sadly, there doesn’t seem to be any way to specify that only certain files should be backed up. Even the command-line utility NTBACKUP (which I’ll discuss a little later in the “Scheduling Automated Backups” section) doesn’t accept wildcards.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

General Backup Options

The General tab of the Options dialog box contains the options explained in Table 19.3. These options control the settings that really don’t fit anywhere else in the categories of options. TABLE 19.3: GENERAL OPTIONS FOR BACKUP AND RESTORE OPERATIONS Option

Default Setting

What It Means

Compute selection information before backup and restore operations.

Enabled

This is a confusingly worded way of saying that Backup will count the files and folders to be backed up or restored before actually performing the operation. I’d leave this enabled; it doesn’t add much to the time required to run the operation, and this information can save you from backing up or restoring the wrong volume or backing up to media that’s too small.

Use the catalogs on the media to speed up building restore catalogs on disk.

Enabled

This is the fastest way for Windows Backup to create a list of all the files and folders in the backup. You should only disable this option if you’re restoring data from several tapes and don’t have the one with the catalog (the first tape) or if the catalog is damaged. With this option disabled, Windows Backup will scan the entire backup set and attempt to build its own catalog. Since reading tapes is a slow process, this could take a long time for a large backup set—perhaps hours.

Verify data after the backup completes.

Disabled

This compares the data on the disk with the data on the backup media after the backup has been completed and records any differences. Although verifying adds some time to a backup, I’d recommend doing it. It’s a good way to be sure that files were written correctly.

Back up the contents of mounted drives.

Enabled

Normally, mounted drives (logical drives mapped to a path on another logical drive—read Chapter 10 to learn more about them) can be backed up like other media. If you check this box, the data won’t be backed up—just the path information.

Show alert message when I start Backup and Removable Storage Management is not running.

Enabled

If the Removable Storage Management (RSM) service isn’t running, you can start it from the Services object in the System Tools folder of Local Computer Management. This service must be running for you to back up files onto RSM media such as tape drives.

Show alert message when I start Backup and there is compatible Import Media available.

Enabled

If this box is checked and you add new RSM storage media, Backup will display a message on startup saying that it’s found more media for the Import pool (to which files can be archived). Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1509

1510

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

TABLE 19.3: GENERAL OPTIONS FOR BACKUP AND RESTORE OPERATIONS (continued) Option

Default Setting

What It Means

Show alert message when new media is inserted into Removable Storage.

Enabled

If this box is checked, Backup will display a dialog box when it detects new RSM media.

Always move new import media to the Backup media pool.

Disabled

If this box is checked, Backup will assume that any new media it detects should be added to the Backup media pool, and thus be available for backups.

Note Removable Storage Management is used with tape drives and other archiving media. If you normally back up to a file on any kind of disk (including a removable disk like a Jaz drive) instead of tape, you don’t have to worry about the Removable Storage Management settings. Saving Backup Options

You can define settings for a backup job and save them to be used later or reused at your discretion. To do so, make sure that you’ve chosen the files to back up. Then, in the Advanced view of the Backup utility, choose Job/Save Selections. You’ll see a Save Selections dialog box prompting you to save the backup script (normally saved in %systemroot%\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Windows NT\NT Backup\data). If you load a saved backup script when you have files and folders selected for backup, Backup will ask whether you want to use the currently selected folders or clear them. Clear them to load the backup script, and you’ll be ready to run the backup job.

Scheduling Automated Backups To be safe, you should back up data servers at least once a day. Trouble is, the best time to back up is late at night when everyone’s off the network. With NT 4, you could use the AT command or WinAT utility to schedule backups created from the command line. Beginning with Windows 2000, you had the choice of two backup-scheduling methods, one using the GUI, and one using the AT command for running scripted backups created with an updated command-line version of NTBackup.exe. There are a few ways you can schedule jobs from Windows Backup: ◆

◆

In the Backup Wizard one of the Advanced options asks whether you want to run the backup you’ve created now or schedule it for later. If you choose to schedule it for later, you’ll be taken to the Schedule Job dialog box, which I’ll discuss in a minute. In Windows Backup, when you create a backup job from the Backup tab and click the Start Backup button, you’ll see a dialog box that prompts you for the name of the backup and allows you to start the backup now or schedule it for later (see Figure 19.11). If you click the Schedule button, you’ll be taken to the Schedule Job dialog box. If you’re creating a new backup job, you must save the backup and provide the username and password of the account used to run it before you can save the backup settings.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

FIGURE 19.11 When creating a backup job, you have the option of running it immediately or running it at a later time.

◆

If you’re creating a new backup job, you can turn to the Schedule Jobs tab, where you’ll see a month calendar like the one shown in Figure 19.12. To create and schedule a backup job from the Schedule Jobs tab, click the Add Job button in the lower-right corner of the screen to start a Backup Wizard similar to the one described earlier under “Basic Backup Procedures”—the only difference between the two wizards is that this one includes the advanced options in the main wizard, rather than through the Advanced button on the wizard’s final screen. One of the options you’ll be presented with is the choice of running the backup now or later, with the default time for “later” being midnight of the day you set up the backup job. To schedule a job, select Later and click the Set Schedule button to open the scheduler.

FIGURE 19.12 The Schedule Jobs tab of Windows Backup

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1511

1512

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

No matter how you get to it, the Schedule tab of the Schedule Job dialog box looks like Figure 19.13. The basic options are pretty straightforward. Choose the interval at which you want the backup job to run (once, daily, weekly, monthly, at system startup, at logon, or when the computer is idle) and the starting time and date. If you select the Show Multiple Schedules check box at the bottom of the screen, a new drop-down list will appear at the top of this dialog box, showing the varying intervals and starting times that you’ve chosen for this job. FIGURE 19.13 Choose a time and frequency for the backup job.

Tip If you want to run a backup job biweekly (once every two weeks), show multiple schedules and create two monthly backup jobs that start on different days.

The Advanced button takes you to the Advanced Schedule Options (see Figure 19.14), which apply only if you want to repeat the backup job, apart from any interval that you set in the main scheduling screen. Most often, you won’t need to touch these options. You don’t need to use them for scheduling jobs at regular intervals; this set of options would be more useful for a shorter task and one that might actually need to be run every 10 minutes or so. (Frequent backups are a Good Thing, but let’s not get carried away.) More likely, you’ll use the Settings tab back in the main Schedule Job dialog box (see Figure 19.15). From here, you can specify how long the job should run (a backup job that lasts more than 72 hours seems suboptimal) and whether the job should be deleted from the list of tasks when it’s done unless it’s supposed to run again. The Idle Time settings apply to interaction from the console—keyboard or mouse input—so they shouldn’t prevent a backup job from running on a server being accessed from the network.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

FIGURE 19.14 Advanced backup scheduling options

FIGURE 19.15 Configure job settings for the scheduled backup.

Tip With the volume shadow copy service, Backup can now back up open files.

The final options in the Settings tab, on battery use, aren’t likely to apply to a server unless you frequently use laptops as servers. These settings help you conserve battery power by not running nonessential tasks when your power supply is limited. Accessing the hard disk takes a lot of power, so backups are an especially draining task when the power is low. When you’ve finished adding jobs to the scheduler, they’ll appear on the Schedule Jobs tab’s calendar, as shown in Figure 19.16.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1513

1514

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

FIGURE 19.16 Scheduled jobs appear in the calendar.

You’re not stuck with the options for a scheduled job once it’s created. To edit the settings for a scheduled job, just click its icon in the calendar to open the Scheduled Job dialog box shown in Figure 19.17. To delete the job, just click the Delete button. FIGURE 19.17 You can edit all job settings even after the job is added to the task list.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

Click the Properties button to edit the timing and settings for the backup job. The Schedule and Settings tabs that appear are the same ones you saw when scheduling the job. The Task tab that also appears, however, is new. Here, you can choose a different job to run at the scheduled time, specify a different user account in whose context the job should run, and create some identifying information for the job.

Backing Up to Tape Windows 2000 introduced a whole new layer of software called the Removable Storage Manager (RSM). You wouldn’t think that you’d need to know anything about RSM to do backups, but RSM is the basis of Windows 2000’s and Server 2003’s backup and archival capabilities. A backup program needs both drivers for the storage devices it works with and the intelligence to control those devices. NT 4’s backup program directly managed the tape drives it worked with (as you may recall, NT 4’s backup program only worked with a tape drive—you couldn’t even start the program unless you had a tape drive installed). So long as you were happy with NT 4’s choices, this was fine, but NT 4 was designed in a day when hard disks were a lot smaller than they are now. For example, NT 4’s backup program did not support DAT autoloaders, systems where there’s usually only one tape drive (although there can be more) with a built-in capacity to store and automatically load or unload several other tapes. If you wanted to use a DAT autoloader, you needed a third-party backup program that knew how to handle it. Note If it’s not clear why you’d want an autoloader, a tape drive that can automatically insert and eject a stack of tapes, then you’ve never done regular backups on a hard disk (or a group of disks) whose capacity is greater than your tape drive’s. For instance, 4-mm DAT drives are pretty good, fairly fast, and reliable…but only store about 8GB. To back up an entire 40GB hard disk using DAT drives, you’ll need to baby-sit a backup program that prompts you every now and then to “please insert tape 4….” I’ll pass.

One way to make NT 4’s backup program more flexible about its storage would be to create special tape-emulating drivers that would make any storage appear to be a tape drive. That is, even if the storage were, say, a CD-RW drive, then it could accept tape-related commands such as “rewind” and “retension” even though it can’t use them. However, to my knowledge no such drivers exist. RSM performs a similar function by abstracting the interface not just to tape drives but to all removable storage. Backup doesn’t manage its storage, RSM does. Note Even though they’re not RSM aware, NT 4–era backup programs will generally run on Windows 2000. However, they won’t back up anything that employs the new features of NTFS: encrypted files, Single Instance Store volumes, or sparse files.

Although it’s an intrinsic part of Backup, RSM also supports any program that uses removable storage, such as the archiving capabilities that back hard disk space with offline storage. In other words, RSM is not just about making backups work, but that’s the part I’ll focus on here. RSM Concepts: Physical Locations, Libraries, Drives, Media

To use the RSM-enabled features of backup, you’ll need to know a physical location from a library from a drive from media. You can see the GUI interface for the Removable Storage Manager in Manage Computer. Right-click My Computer and choose Manage, then open up the icon labeled Storage, and you’ll see something like Figure 19.18. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1515

1516

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

FIGURE 19.18 RSM before any backups

This computer has just two removable storage devices—a standard EIDE-connected CD-ROM drive and a DLT1 tape drive. There are no tapes in the DLT1 drive and NTBACKUP has never run on this system (you’ll see why I mention that in a minute). Notice that under the Removable Storage level, there are four objects: ◆

Media Pools

◆

Physical Locations

◆

Work Queue

◆

Operator Requests

I’m going to skip the last two and just focus on the first two because they apply to backing up. Physical Locations = Mechanical Drives

Of these two, Physical Locations is the easier to understand. In Figure 19.18, I expanded it, so you can see three objects—a drive icon representing the CD-ROM ( ATAPI CD-ROM DRIVE-40X), one representing the tape drive (QUANTUM DLT7000 SCSI Sequential Device), and one labeled Off-Line Media. Physical Locations, therefore, are the drives that RSM can manage. Not the media in those drives, but the drives. Library = “Autoloader” or “Stand-Alone Drive”

When I right-click either the CD-ROM or the tape and choose Properties, I get a properties page describing not the drive, but the drive’s interface. I’ll also see a lot of references to the device as a

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

library. There is, for example, no button or check box to disable the device; instead, you’d see an Enable Library check box and unchecking it would disable the device. To RSM, a library is one or more drives that have an automatic changer for their tapes, cartridges, discs, or whatever. (For shorthand, I’ll call them generically tapes.) As you can see, Microsoft has upped the ante on its definition of the “basic removable storage doodad.” Where it once was a tape, now it’s a tape library, one or more tape drives and zero or more changers, the little robotic hands. My humble DLT tape drive is, then, a library consisting of one tape drive and zero changers. (Yeah, it’s kind of simple. I couldn’t afford that really cool HP autoloader with four drives and capacity to hold 60 tapes—$46,000 was a bit out of my budget—so I’ll stick to DLT for the moment.) Microsoft even has a name for a zero-changer, one-tape-drive library: a stand-alone library. That’s not just a CD-ROM on your system, my friend, it’s an optical stand-alone library. Notice also that in addition to my DLT and CD-ROM “libraries,” I have a third one called my Off-Line Media library. Off-line media is Microsoft’s way of describing wherever you store tapes when they’re not in your drives. So tapes sitting in a desk drawer or on a shelf are in a library. This may sound odd, but it kind of makes sense once you adopt the RSM way of thinking. RSM’s main job actually seems to be a kind of database that lets you keep track of your tapes. As you’ll see, this database keeps track of the following information about tapes: ◆ ◆ ◆ ◆

Where they are physically located—on a shelf, in an autoloader waiting to be inserted into a drive, actually in a drive What program wrote them What sort of drive can read and write them What data is on them

RSM really only secondarily concerns itself with the specifics of what sort of drives you have. Calling them all libraries allows you to concern yourself with where your data are, not where your tapes or CDs are. This information is not just available from the GUI; RSM has a command-line tool called RSM.EXE. To get the list of your libraries, just type rsm view /tlibrary. That gets a result like this: LIBRARY Off-line Media ATAPI CD-ROM DRIVE-40X QUANTUM DLT7000 SCSI Sequential Device The command completed successfully.

Notice the odd spacing—there is no space between /t and library. We’ll use rsm view /t again— the /t means “type of thing to view” —and its odd syntax requires no spaces between /t and the parameter describing what you want to view. As with other things in Server 2003, though, those names are just the human-friendly names. Under the hood, the OS really identifies things by globally unique IDs (GUIDs), and sometimes you’ll need to know what they are, as you’ll see later. You can find that out by adding the /guiddisplay switch, like this: C:\>rsm view /tlibrary /guiddisplay

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1517

1518

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

LIBRARY Off-line Media D49F02AE9CEA46BFB58E51AB6C7FE262 ATAPI CD-ROM DRIVE-40X 6043C178219841208E034076D0566885 QUANTUM DLT7000 SCSI Sequential Device E30ADF03E8014BA4BB824AD69B39FBE7 The command completed successfully. C:\>

Media = Tapes, Cartridges, CD-ROM Discs, Etc.

Within the CD-ROM and tape drive objects there are then, in turn, two objects, Media and Drives. Drives of course refers to the physical drive. But media needs some defining. To RSM, media means anything that you put into a drive. Tapes go in tape drives, so tapes are media. CD-ROMs go into CD-ROM drives, so they’re media. But media doesn’t mean a type of media, it means particular instances of media. As I suggested before, RSM’s job seems to be to maintain a database that keeps track of every single tape that you ever shove into one of your tape drives. The folder labeled Media under a drive’s icon in the Physical Locations object will contain an object representing the particular tape, cartridge, or disc sitting in your drive at that moment. For example, if I insert a CD into my CD-ROM drive and click the Media folder under ATAPI CD-ROM... then I’ll see something like Figure 19.19. Notice that under Loaded Media it says STREETS9. That refers to a piece of software, as this is the installation CD for a mapping program. FIGURE 19.19 CD-ROM as media

Note In truth, RSM isn’t very useful for CD-ROMs; this is just an example of how it works that you can try out on almost any system. As I’ve said before, NTBACKUP cannot use CD-R, CD-RW, DVD-RW, or DVD+RW drives.

I can easily use the GUI to see that my CD-ROM drive contains a CD whose label is STREETS9, but I’m going to want to be able to retrieve that kind of information from the command line; for that, I’ll use more of RSM.EXE. To get information on a particular tape, I’ll use the physical_media option on the rsm view command. But just typing rsm view /tphysical_media won’t do the job—that will display every bit of removable media on the system at the moment. (Admittedly that’s not a real

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

problem on this computer, as it only contains one bit of removable media, the CD. But let’s see how to do it on more real-world systems.) To narrow the scope of rsm view /tphysical_media, I’ll add a parameter, /cg for “container GUID.” As I’m trying to find the GUID of the CD-ROM disc sitting in the CD-ROM drive at the moment, the container is the CD-ROM drive. As you saw a moment ago, I get that with the rsm view /tlibrary /guiddisplay command. As you can see here, to find out about the media in the drive, I’ll just plug the drive’s GUID into the command like this: C:\>rsm view /tphysical_media /cg6043C178219841208E034076D0566885 PHYSICAL_MEDIA STREETS9 The command completed successfully.

Tip If you’re wondering how you can accurately type a GUID, don’t worry. To type that command, I highlighted the GUID from the rsm view /tlibrary /guiddisplay output and pressed Enter, which puts the highlighted text into the Clipboard. Then I typed rsm view /tphysical_media /cg, clicked the icon in the upper-left corner of the window to drop the Control Menu for that window, then chose Edit/Paste.

Note that as with the parameters following /t, I typed the GUID after the /cg command without any spaces after the /cg. Note also that if I needed to retrieve the GUID of the media (which we’ll want to do later in with tapes), I could have added the logical_media command. You can drill down even further than a given tape—physical media contain one or more partitions, and partitions contain one or more logical_media. In each case, you’d just use /guiddisplay to get the GUID of the container and then feed that with /cg as the GUID of the container to view. Media Pools: Classifying Tapes

Thus far, I haven’t shown you much of anything that has to do with tapes, so let’s pop a tape into the drive and see what happens. Note that this is a new tape, fresh out of the box. It’s never been introduced to this drive, or to NTBACKUP, before. After inserting the tape and waiting for the tape drive to settle down, I right-click the QUANTUM DLT7000... drive and choose Refresh to force RSM to reexamine the drive’s status. I then click the Media Pools folder under the tape and see a screen like Figure 19.20. Notice that a few things happened. First, the Free, Import, and Unrecognized media pools (I’ll get to what they are in a minute) now have a DLT folder underneath them, where previously they only had a CD-ROM folder there. Second, the Media folder for the tape drive now contains something called “7” that is said to be in Drive 0 in a media pool called Unrecognized\DLT; its state is reported to be Idle, New. And sure enough, clicking the DLT folder under the Unrecognized folder in the Media Pools object shows another item named 7—it’s the same tape—in that folder. (If you’re not crazy about naming a tape “7,” then fear not. The later section “Renaming a Tape” explains how to change a tape’s name.)

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1519

1520

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

FIGURE 19.20 Remote Storage Manager after inserting new tape

Basically, this is RSM-ese for “this tape is unformatted.” That’s not exactly right, as DLT tapes ship formatted, but RSM wants to write a bit of identifying data onto the tape. I can do that by rightclicking the tape’s icon in the right pane; I’ll get a menu that offers Eject, Mount, Prepare, and Dismount. I choose Prepare and see a dialog box that says: This operation will destroy the data on the media and move it to a Free media pool. Are you sure you want to write a Free media label on the selected medium?

I choose Yes and get another confirmation message: Are you sure you want to write a Free media label on 7?

What are you, hard of hearing, RSM? I click Yes again and the tape’s media pool changes to Free\DLT and its state goes to Loaded, Unprepared while the tape spins for a few minutes. It finally finishes whatever it does when “preparing” the tape, and the tape ends up in Free\DLT in a state of Idle, Available. Note There is not, as far as I can see, a command-line tool in RSM.EXE that will prepare never-before-used tapes. But that won’t be a problem since NTBACKUP has a /um option that automatically erases and prepares tapes before backing up.

Now I can explain the next RSM concept, media pools. Remember that RSM is a database of tapes. Even if you just shove a tape into a drive once, prepare it, remove it, bury it in a mine shaft, and never look at it again, RSM remembers that tape. Remember also that the RSM word for a tape is media.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

RSM wants to organize the media that it has met into categories and, by default, it categorizes media in one of three ways: ◆ ◆

◆

Free media are tapes that RSM has “prepared” but that don’t have any data on them. They’re waiting to be used by some RSM-aware application such as NTBACKUP. Import media are tapes that RSM recognizes as having been prepared by RSM on this or some other machine in the past. They’re RSM tapes, all right, but they’re not blank (so they don’t go into Free). They’re also not associated with a particular RSM-aware application. As you will soon see, RSM-aware applications create their own media pools, and RSM will then be able to categorize some media as neither Free, Import, or Unrecognized—they’ll be categorized as Backup tapes, ArcServe tapes, BackupExec tapes, or the like. So Import is a kind of catch-all category meaning, “This tape has been prepared, so it doesn’t go into Unrecognized, it’s not blank, so it doesn’t go into Free, so some application has worked with it before, but I don’t remember it, so it’ll stay here in Import until the user decides to drop it into some application’s folder.” Unrecognized media have not been prepared to work with RSM. RSM can’t do anything with them until they are.

This will make a lot more sense once we get an RSM-aware application running. When I run NTBACKUP for the first time, that causes it to introduce itself to RSM, and tells RSM to create a new fourth media pool called Backup. Now that I’ve run Windows 2000’s backup program, any tape that NTBACKUP writes to will become essentially the “property” of NTBACKUP. As a matter of fact, if I had media sitting in the Import media pool that had been originally created by NTBACKUP on some other system, then the first time that I started up NTBACKUP I’d have gotten the dialog box that you see in Figure 19.21. FIGURE 19.21 Should Backup be able to claim old backup tapes?

Even if you don’t allow NTBACKUP to import the media now, you can do it by hand later; you can just drag any media item out of one media pool and drop it into another. (Of course, if you try to drop it into Free, then you’ll get a warning that dropping it into Free will cause RSM to erase it.) Managing Media in RSM

That’s an overview of how RSM works—it tracks particular tapes, giving each one a GUID (which changes whenever you “prepare” a tape) and categorizing it in either an application’s media pool

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1521

1522

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

(Backup on most systems, but if you’ve purchased other RSM-aware apps then you might have more than one application media pool), or one of the “holding tanks”: Free, Import, or Unrecognized. Understand also that you can move media between media pools even if the actual physical tape isn’t currently in the tape drive; the tape doesn’t know and doesn’t care which media pool it belongs to. Tapes do, however, carry on them the mark of their associated RSM-aware application, which is why you can take a tape created on one system, pop it into another Server 2003 system, and it will immediately be recognized as having already been seen by RSM and NTBACKUP will recognize that this tape contains data written by NTBACKUP. We’re just about done with RSM and almost ready to tackle NTBACKUP. Renaming a Tape

As intuitive names for my first tape go, “7” is not ranking high. So how about I give it a more useful name? I intend to use this tape as one of two tapes that I’ll store differential backups on, so I’ll rename it “Diff1.” To do so, I’ll right-click the tape and choose Properties. The General tab has a text field that includes the name of the tape. For some reason, renaming the tape doesn’t seem to be enough to convince NTBACKUP that the tape has a new name. In my experience, you need to then put the tape in the Free media pool so that it is reinitialized. Warning Moving the tape to the Free media pool deletes any data on the tape, so don’t do this if there is any data on the tape that you’d miss! Moving a Tape to Free

Sometimes you won’t be able to move a tape from the Backup media pool to the Free media pool. You must first “deallocate” it. Now, finding where to deallocate a tape may be a challenge. You’ve already seen that by right-clicking a media object you’ll get a drop-down context menu that includes four actions—Eject, Prepare, Mount, and Unmount. Below that is a submenu, All Tasks, which on most MMCs would just repeat Eject, Prepare, Mount, Unmount. But this one includes a fifth option…Deallocate. So to free an existing tape, first right-click it and choose All Tasks/Deallocate, and then drag it to Free. (And along the way, say “yes” to all of the “are you sure?” messages.) Ejecting a Tape from the Command Line

We’ve been going over RSM to get ready to do backups and command-line backups in particular. Over the years I’ve seen people write batch files for handling backups, and some folks like to end off the backup process with an eject command. I guess it makes for a slightly more secure backup because once the tape’s ejected, then there’s no hacker on earth who can convince the tape drive to reinsert the tape. (That’s not true for autoloaders, of course, but it is for stand-alone drives, at least in my experience.) So how do you tell NTBACKUP to eject your tape? With RSM. The command looks like this: rsm eject /pf”name of tape to eject” /ast art

Or alternatively: rsm eject /pgGUID /astart

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

In the first case, you fill in the media’s name; in the second, you fill in its GUID. Note that if you let NTBACKUP prepare the tape, then it’ll have a name like Media created 1/4/2003 at 5:21 PM - 1, and for the command to work right, you’ll need to type in the media name precisely. The only real problem with this is that you probably want a fairly generic “eject” batch file, but both versions of rsm eject are very tape specific: You’ve got to either know the name of the particular tape, or know the tape’s GUID. Unless you intend to use the very same tape night after night, then this won’t be too useful. But consider: ◆ ◆

The GUID of the tape drive won’t vary from day to day. If you have the tape drive’s GUID, you can use rsm view /tphysical_media to get the GUID of the particular tape in the drive at that moment.

Here’s how to put all of that together into a batch file that needs only to know the GUID of the drive in order to eject any tape in that drive. If you don’t know how batch files work internally, then don’t worry about following this—I’ll have a ready-made batch file prepared at the end of this section that you can just type in and use (replacing my GUID with the one for your tape drive, of course). My plan for the batch file will be that I’ll use rsm view to retrieve the tape’s GUID and put it in a variable %tguid%. Then I’ll just issue the rsm eject command with the /pg option, specifying the GUID of the tape. I can do all that with just three lines (the second one is broken but should be all on one line): set drvguid=E30ADF03E8014BA4BB824AD69B39FBE7 FOR /F “usebackq” %%i IN (‘rsm view /tphysical_media /cg%drvguid% /b /guiddisplay’) DO set x=%%i rsm eject /pg%X% /astart

In the first line, I’m just filling up an environment variable named drvguid. That long value that I’m stuffing in it, E30ADF03E8014BA4BB824AD69B39FBE7, is the GUID of my DLT drive. Yours will be different, so use rsm view /tlibrary /guiddisplay to get the particular GUID for your tape drive and replace my drive’s GUID with yours in that line. In the second line, I’m executing the command rsm view /tphysical_media /cg to get the GUID of the tape in the drive. But, as you’ve already seen, you must provide the GUID of a container for that to work—that’s what %drvguid% does. You filled in your drive’s GUID in the line before and that gets inserted before the command executes. The /guiddisplay /b says to display the GUID, and the /b option says to show only the GUID. That makes life easier, as it’s only the GUID that I want. The result of that—the GUID—goes into a variable named %x. (The two percent signs are required syntax for the FOR command.) Once I’ve got the GUID for the tape in X, then I can construct the last line, which executes an eject command for the tape whose GUID is in X. Here are the steps to creating and using this batch file: 1. Get the GUID of your tape drive. From the command line, type rsm view /tlibrary /guiddisplay. You’ll see a line for all of the removable devices on your system, including CD-ROMs. The name of the device should make clear which one is your tape drive. Grab the GUID next to that device’s name—again, you can copy this value by selecting it and pressing Enter.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1523

1524

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

2. Open up Notepad and type in the batch file as you see in the previous text. In the first line,

substitute your drive’s GUID in place of E30ADF03E8014BA4BB824AD69B39FBE7. Note that the single quotes in the second line are backquotes. On many keyboards they are on the same key as the tilde (~). 3. Save the file in the WINNT directory as tapeeject.cmd. Try it out by opening up a command line and typing tapeeject. The tape should eject. Tip If you want to run tapeeject from inside a batch file, then don’t just put the line tapeeject in the batch file; instead, use call tapeeject, or the batch file will end when tapeeject ends. Refreshing a Tape from the Command Line

Sometimes you’ll pop a tape into a drive and try to do something with it from the GUI or the command line, and the command fails—the system acts as if there is no tape in the drive. There are two possible reasons for that. First, remember, you’re working with tapes here—they’re not the fastest things in the world. When you pop a tape in, the drive may take a minute or two to figure the tape out. Second, RSM for some reason doesn’t always automatically figure out that you just put a tape in a drive. The drive knows that it’s there, it’s just RSM that doesn’t know. So it never hurts to smack RSM upside the head before trying to do something—that’s called refreshing. You can refresh just about any object in the RSM by right-clicking it and choosing Refresh. But if you’re about to run a batch job to automatically back up a system, then you want a command-line method to do that. RSM lets you do that with an rsm refresh command. It looks like this: rsm refresh /lf“drive name”

or rsm refresh /lgdrive-GUID

So, for example, my drive could be refreshed either with this: rsm refresh /lf”QUANTUM DLT7000 SCSI Sequential Device”

or rsm refresh /lgE30ADF03E8014BA4BB824AD69B39FBE7

Notice that the drive name needs quotes and the spelling must be exact; the GUID, on the other hand, must be exact but does not need quotes.

Automating Tape Backups You’ve seen that Backup manages tapes through RSM, and you’ve seen RSM’s notions of libraries, physical media, and media pools—and that it assigns GUIDs to everything, and how much it relies upon those GUIDs. That was all necessary preparation for controlling NTBACKUP from the command line. The basic idea with automating NTBACKUP is simple: Write a batch file that wakes up the NTBACKUP.EXE program and tells it to back up to tape. Then use the Schedule service—the AT.EXE command—to tell the operating system to run that batch file whenever you want it run—daily, every other day, or whatever. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

The hardest part is usually writing the batch file. It’s typically just one line, a long invocation of the NTBACKUP command. That’s what I’m going to focus on here. As you can see in Table 19.4, these options are fairly complex. But I’m going to simplify them as much as possible, starting from a very basic command and then adding things as we go. TABLE 19.4: NTBACKUP OPTIONS Argument

Function

backup

Tells NTBACKUP that you’re running a backup operation. You must include this argument.

systemstate

Specifies that all System State data should be backed up and sets the backup type to normal or copy.

bks file name

This is the name of the selection information file in which the backup will be stored (if you’re backing up to a file instead of a tape). More than one backup can go in the same BKS file, if you choose to append backups. You must create this file from the GUI before referencing it from the command line.

/j “job name”

Tells NTBACKUP the name of the backup job.

/p “pool name”

Tells NTBACKUP which media pool (a logical grouping of removable media, such as a tape library) to copy the backup files to. If you’re using Backup, this will be the Backup media pool. You won’t use this option with /g or /t, as those switches specify that a certain tape should be used; with /f, which specifies the name of a file to back up to; or with /a because you must append backup files to a specific tape, not an entire media pool.

/g “guid name”

Specifies the GUID of the tape that will be overwritten or appended with this backup job. Don’t use this switch with /p, as that specifies that NTBACKUP should back up to a media pool instead of a particular tape. The GUID must be in quotes and hyphenated, so that it looks like this: “b471ff3b-101f43bc-9d15-ffb7176cf2f3”; those demarcations must be respected— 8 characters, hyphen, 4, hyphen, 4, hyphen, 4, hyphen, 12 characters.

/t “tape name”

Specifies the media name of the tape that will be overwritten or appended with this backup job. Don’t use this switch with /p, as this specifies that NTBACKUP will use a media pool instead of a particular tape.

/n “new tape name”

Specifies the new tape name of the tape that will be overwritten or appended with this backup job. Use this switch to name a tape, but use it sparingly. Don’t use this switch with /p, as this specifies that NTBACKUP will use a media pool instead of a particular tape. You also can’t use this switch with /a because you can’t append data onto a tape that is new or that you’re renaming. Finally, it’s best not to use this switch with /um since that switch is for unattended tape backups, and it may work best to let Backup name the tape on its own.

/f “file name”

Specifies the path and name of the file in which the backup will be copied. As this switch directs the backup to a file, not a tape or media pool, you can’t use it with any of the switches specific to removable media: /p, /t, or /n. Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1525

1526

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

TABLE 19.4: NTBACKUP OPTIONS (continued) Argument

Function

/d “description”

Specifies the description of the backup set, such as “Full backup of SERPENT on 1/20/03.”

/ds “server name”

Backs up the directory service on the specified Microsoft Exchange server.

/is “server name”

Backs up the information store on the specified Microsoft Exchange server.

/a

Appends the backup set to any data on the media. If backing up to a tape, you must use this switch with either /g or /t to specify the tape you want to append to. You can’t use this switch with /p, as you must append to a specific tape, not an entire media pool.

/v:yes or no

Specifies whether the backup procedure should be verified or not. Verifying the data (making sure the data in the backup matches the source) takes a little time, but reassures you that the data was written correctly.

/r:yes or no

Specifies whether the tape should be available only to its owner/creator and members of the Administrators group.

/l:f or s or n

Tells NTBACKUP what kind of log file to create: full (logging every copied file), summary (logging only important events and errors), or none (in which case the backup won’t be logged).

/m backuptype

Tells NTBACKUP what kind of backup to run: normal, copy, incremental, differential, or daily.

/rs:yes or no

Tells NTBACKUP whether to back up the removable storage database that records the location of archived files. If you’re using removable storage, you should back up this database regularly to make sure that you can retrieve archived files.

/hc:on or off

Tells NTBACKUP whether to use hardware compression (available only if you’re backing up to a tape drive, and then only if that tape drive supports it—most do). Go ahead and use hardware compression if it’s available, as it will allow you to get more use out of your tapes.

/SNAP: on or off

Specifies whether or not the backup should use volume shadow copying to back up open files. By default, it will.

Forget all the options for a minute. The basic NTBACKUP command looks like this: ntbackup backup directory tapedrive

directory is, of course, the name of the directory (or UNC) to back up. tapedrive is the name of the tape drive to do the backup to. Leave that off, and the command will just not run—and it doesn’t even tell you why unless you look for and read the log files. You specify a tape drive in one of two ways: ◆

/t “name”

◆

/p

◆

/g

as in /t “Tape created on Tuesday” “media-type” as in /p “DLT” “guid name” as in /g “b471ff3b-101f-43bc-9d15-ffb7176cf2f3” Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

By the way, notice that RSM likes to add - 1 to tape names (apparently assuming that you have more than one tape in a set), but that name won’t work with NTBACKUP. If you’d created a tape called mytape, then it’d show up in the GUI as mytape - 1—but when you use the /t option, leave the extra - 1 off. That is, use /t “mytape”, not /t “mytape - 1”. To identify a tape by its GUID, you must use the GUID of the logical_media inside the partition inside the physical_media that is inside the library. You’ll use /t and /p for different purposes. /t with /a permits you to append new backup sets to an existing tape without deleting the existing ones (which /p doesn’t allow) but requires that you know the name of the tape in the drive. /p in combination with /um doesn’t need the name of the tape in the drive, as it just tells NTBACKUP, “Whatever’s in there, just wipe it clean and start over!” A Command-Line Backup Strategy

For years, I’ve used a simple backup strategy for servers: Once a week I do a full backup, and every other day I do a differential backup. It’s simple to automate with just a little manual work. I keep two tapes: the differential tape, which I leave in the drive for most of the week, and the full backup tape, which I only leave in the drive over Sunday night. (Yes, I rotate tapes, but I’m simplifying this explanation.) Here’s how it works: Every Sunday morning, I remove the differential tape from my server’s tape drive and put it aside. Then I insert a tape for a full system backup. On Monday morning, I remove that tape, which now has a full system backup on it, and reinsert the differential tape. Using the Schedule service, I set up three events: ◆ ◆

◆

On Sunday night/early Monday morning, I schedule NTBACKUP to back up my server’s files (a “normal” backup), but first to wipe clean anything on the hard disk. On Monday night/Tuesday morning, I schedule NTBACKUP to do a differential backup of my server’s files, but first to wipe clean anything on the hard disk. (This reinitializes the differential tape each week.) On the other evenings, I schedule NTBACKUP to do a differential backup of my server’s files, but tell it to append the new backup set to the existing ones on the tape. That way, I have backup sets that represent the state of the network for every day of the week.

Furthermore, let’s make this example a bit more complicated—and more useful in the real world—by specifying that the only directories that I want to back up are C:\DATA, C:\USERS, and D:\REPORTS. The Weekly Backup

For this backup, I want the drive wiped clean. What command does that? ntbackup backup /p /um. In its simplest form, that would look like this: ntbackup backup directories /p “DLT” /um

Remember that your drive may not be a DLT; other possible values might be 4mm DDS, Travan, or others. Just look in the folder created under your Backup media pool to find out your drive’s type. But we’re not out of the woods yet. How do I specify three different directories to back up? QIC,

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1527

1528

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

Using a Backup Selection File

You could write a batch file that called ntbackup three times, but that’s too much work. Instead, open up Notepad and type the names of the directories that you want to back up, one to a line: C:\data\ c:\users\ d:\reports\

Then click Save As and specify that the file’s name is c:\myfiles.bks, but don’t save yet—in the Save As box, go to the Encoding box and choose Unicode. Warning This is very important. You don’t have to save it in C:\, you needn’t give it the extension .bks—but you’ve got to save it in Unicode, or NTBACKUP simply will not read it.

Now run NTBACKUP as before, but instead of specifying a directory, specify your backup selection filename prefixed by an @ sign. If the directory’s name includes spaces, then you’ll need to surround the name with quotes. The command looks like this so far: ntbackup backup @c:\myfiles.bks /p “DLT” /UM

Choosing Logging Levels

At least until I’m sure that this thing works, I’d be happier with an extensive log. You can set logging levels with the /l: option: /l:s provides only summaries (and is the default), /l:f provides full logs, and /l:n produces no logs at all. Hardware Compression

In theory I can get 80GB of data on this tape if I turn on hardware compression. You control that with the /hc: option—it’s either /hc:on or /hc:off. Verification

In general, I find that I distrust computers when it comes to my data. So I don’t mind the extra time required to stop, rewind, and verify backups. You control verification with either /v:yes or /v:no. (Why /hc uses on or off and /v uses yes and no is known only to the Microsoft developers.) Append or Replace?

In this particular case, I want to overwrite any existing backup sets, replacing any on the tape. That’s the default behavior, so there’s nothing to do. If I wanted the system to append its backup set to any existing sets then I’d add /a. You can’t do /a if you’ve used /p, but you can use /a in combination with /t. Name the Tape

By default RSM and NTBACKUP name the tape by its date and time of “creation,” but you can give it any other name by adding the parameter /n followed by a name.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

Back Up the Registry?

Adding the parameter systemstate will cause NTBACKUP to back up the System State data. The other options can go just about anywhere, but systemstate must go after the word backup and before the backup selection file’s name. Put it all together and you’ve got a command like this (all on one line): ntbackup backup systemstate @c:\myfiles.bks /p “DLT” /UM /l:f /hc:on /v:yes

Create the Batch File

Finally, let’s put the Schedule service to work. Put that line (with your site-specific modifications, of course) into a batch file called c:\fullback.cmd. Then open up a command line, type this: at 2:00 /interactive /every:Monday c:\fullback.cmd

and press Enter. Now at 2 A.M. every Monday morning, your system will do a normal backup of the directories that you specified in c:\myfiles.bks. How Do I Know It Worked?

NTBACKUP writes ASCII text files called backup01.txt through backup10.txt, maintaining logs of the last 10 times that NTBACKUP ran. (It starts reusing files once it gets to backup1.txt.) You cannot, unfortunately, control either the number of log files that it keeps (it’s 10) or where it puts them. NTBACKUP stores the logs in \Documents and Settings\username\Local Settings\Application Data\Microsoft\Windows NT\NTbackup\Data…and it’s that username thing that’ll give you fits. When you’re logged in as you, Joeadmin, then the logs go to \Documents and Settings\joeadmin\ Local Settings\Application Data\Microsoft\Windows NT\NTbackup\Data. But when the Schedule service starts the process—that is, when you’re automatically scheduling a backup—it writes the logs to in \Documents and Settings\Default User\Local Settings\Application Data\Microsoft \Windows NT\NTbackup\Data. And don’t be surprised if you have more than one of those directories— you might find that you’ve got a directory named \Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows NT\NTbackup\Data and \Documents and Settings\ Default User.WINNT\Local Settings\Application Data\Microsoft\Windows NT\NTbackup\Data. Just look in both directories and find the one with the more recent log files—those are the ones you want. The Differential Backup

You set up the differential backup basically the same way as the normal backups, but instead of /p /um you’ll use /t and a tape name—we don’t want to overwrite the tapes. So you’ll need to standardize the name for the tape; I use diff1, and append a week’s differentials together, so my batch file looks like this: ntbackup backup systemstate @c:\myfiles.bks /t “diff1” /a /l:f /hc:on /v:yes

I save that as c:\diffback.cmd and tell Schedule to run it every day but Monday morning: at 2:00 /interactive /every:T,W,Th,F,S,Su c:\diffback.cmd

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1529

1530

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

And if you wanted to be really snazzy, then you could build a slightly different version that runs only on Tuesday that erases the tape first—use /p /um for that one, if you like. Making RSM and NTBACKUP Share Information

As I said earlier, RSM and NTBACKUP don’t always see eye to eye on how to present data. RSM thinks that all tape sets have more than one tape in them, so it names tapes with a 1 at the end. NTBACKUP won’t recognize the name if the 1 is there, so you have to delete the 1 before including the RSM-reported name in a batch file. Similarly, RSM reports GUIDs as unbroken strings. NTBACKUP, on the other hand, is very exacting about the way it wants to see GUIDs: It wants you to type them as 8 characters, hyphen, 4, hyphen, 4, hyphen, 4, hyphen, 12 characters. That is, the GUID RSM reports as b471ff3b101f43bc9d15ffb7176cf2f3 needs to become b471ff3b-101f-43bc9d15-ffb7176cf2f3 for NTBACKUP to use it. Having tired of counting characters and inserting hyphens at appropriate intervals, I wrote a batch file that will grab GUID data from RSM, format it so that NTBACKUP likes it, then starts a differential backup. Just be sure to supply your own GUIDs when using this batch file! @echo off set drvguid=E30ADF03E8014BA4BB824AD69B39FBE7 FOR /F “usebackq delims==” %%i IN (‘rsm view /tphysical_media /cg%drvguid% /guiddisplay /b’) DO set tapeguid=%%i FOR /F “usebackq delims==” %%i IN (‘rsm view /tpartition /cg%tapeguid% /guiddisplay /b’) DO set partguid=%%i FOR /F “usebackq delims==” %%i IN (‘rsm view /tlogical_media /cg%partguid% /guiddisplay /b’) DO set logguid=%%i set p1=%logguid:~0,8% set p2=%logguid:~8,4% set p3=%logguid:~12,4% set p4=%logguid:~16,4% set p5=%logguid:~20,12% set bkguid=%p1%-%p2%-%p3%-%p4%-%p5% ntbackup backup @c:\batch\files.bks /g “%bkguid%” /a /v:yes /hc:on /m differential

Advice for Building Your Batch Files

Now, you’ll probably end up trying different things in your batch files and will have different needs than I do. So you’ll have to craft your own solutions, which means trial and error. There is nothing more frustrating than checking your logs in the morning only to find that for some mysterious reason nothing seems to have happened at all. Here’s a methodology for making command-line backups tractable. Try everything out from the command line first Unless you’re really good, you’ll hit a few syntax snags along the way. Trying your commands out on the command line gives you immediate feedback so that you can work out the bugs quickly. Build the command line gradually

Start from the most minimal command possible, such as or the like. Crawl before you try walking and walk

ntbackup backup c:\testfiles /p “dlt” /um

before you try flying.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

Keep track of what worked and what didn’t You may have hardware that’s cranky about some command and truthfully all tape drives are a bit flaky—something that works today may not work tomorrow unless you clean the tape or restart RSM. When you’ve got a command that works, make sure you’ve got its exact syntax saved somewhere. I use Notepad files as my logs when I’m experimenting. I use copy and paste to provide a simple log of the output from my commands. Once you have the command line perfect, make a batch file Just copy and paste the command line into Notepad, save it with the .cmd extension and you’re a batch file builder. Then invoke the batch file by its name—if you called the Notepad file c:\dotape.cmd, then open up a command line and type c:\dotape.cmd and make sure that it still works. If it doesn’t, then check that any paths needed in the command are there. Try the batch file with at Once you’ve got the batch file running so that it works as expected from the command line, test it with the Schedule service. From a command line, type at time /interactive batchfilename and press Enter. For time just punch in a time a minute or two in the future—you don’t want to have to wait forever. (Remember that the Schedule service uses a 24-hour clock, so 3 P.M. should be entered as 15:00.) If it doesn’t work, then make sure that you entered the full path of the batch file. Once the bugs are out, tell at to run the backup regularly Rerun the at command, but add the /every: information so that it knows which days to run the command.

Viewing Backup Logs Unless you specify otherwise, every time you back up, the Backup application creates a backup log. To see the contents of these logs, you can click the Report button in the dialog box that tells you that the backup is complete. Alternatively, to pick any log to view, choose Report from the Tools menu in Backup. You’ll see a list of backups, as shown in Figure 19.22. FIGURE 19.22 Choose a backup log to view.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1531

1532

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

In the Backup Reports dialog box, find the report you want based on its job name or time and date stamp, and click the View button. The log will open in Notepad and provide output something such as this very simple example: Backup Status Operation: Backup Active backup destination: File Media name: "Backup.bkf created 1/11/2003 at 9:37 AM" Backup (via shadow copy) of "C: " Backup set #3 on media #1 Backup description: "Set created 1/11/2003 at 9:37 AM" Media name: "Backup.bkf created 1/9/2003 at 12:24 PM" Backup Type: Normal Backup started on 1/11/2003 at 9:37 AM. Backup completed on 1/11/2003 at 9:37 AM. Directories: 4 Files: 2 Bytes: 743 Time: 1 second

Notice that in this log you can see what folders and directories were backed up, how long it took to run the backup, and whether any errors occurred. Scan these reports after completing backups so you can identify any problems before you need to restore data from those backups. By the way—there’s something new here in Server 2003. The backed-up folder contained an open file. In Windows 2000, this would have netted me an error message telling me that a file was skipped because it was in use. In Server 2003, Backup uses the volume shadow copying service (if you’ve left it enabled), so it will copy even an open file. (Any changes saved after the file was copied didn’t make it into the backup, obviously, but at least I’ve got the core file.)

Restoring Data Backups don’t do you a lot of good unless you can put them back on the server from where they came. To restore files, open Windows Backup again. You can either run the Restore Wizard or turn to the Restore tab. Warning NTFS 5 uses some file attributes not found in FAT or the Windows NT version of NTFS. You may not be able to restore some data that was originally stored on an NTFS 5 volume to a downlevel volume (FAT, FAT32, or NTFS with NT 4). For example, if you back up encrypted files and then try to restore them to a FAT volume, you’ll see an error message telling you that the restore destination doesn’t support some system features of the original, so some files (the encrypted ones) won’t be restored. What actually happens is that the file’s restored, but it no longer has the encryption attribute. Basic Restoration Techniques

To restore files from the Restore Wizard, start Backup and choose to restore files, or (using Advanced View) turn to the Restore and Manage Media tab of Backup. You’ll see the usual Welcome

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

screen. Click through it, and you’ll be prompted to pick the media you want to restore from (see Figure 19.23). The options available will depend on what kind of media you’ve backed up to. FIGURE 19.23 Available media for restoration

The backup sets on the media will be listed as folders, described according to volume backed up, size, type of backup, and description. Note If a backup operation was aborted for any reason—by Windows Backup or by the user—you will not be able to restore it. Such backups will still appear in the catalog but will have a question mark where their size should be. This is one more reason to ensure you can restore backups before you need them.

Double-click a set to catalog it, and you’ll be able to browse its contents. Check the boxes next to the files and folders in the backup set that you want to restore. As with selecting files for backup, a checked folder with all contents selected will have a blue check mark; if you’ve only selected certain files within the folder, its check mark will be gray. Note If there are any errors within the folders of a backup set, the folder will have a red exclamation point on it and the corrupted file will have another exclamation point. You will not be able to restore any damaged files.

When you finish picking files to restore, the wizard will display a screen listing the current restore options. Click Back to edit any file or media settings, or click the Advanced button to specify a new restoration location or change the file restoration options for preexisting files and remote storage information. Warning The Advanced options that you choose will apply to all future restoration operations until you change them again. For example, if you edit the options so that the files on the hard disk are always replaced with the files from the backup, that option will remain in place until you manually change it to another one. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1533

1534

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

Where Should Files Be Restored?

Unless you tell it otherwise, Windows Backup restores files to their original location. But what if you’re restoring data to a new drive with a drive letter that’s different from the original? Or you want to put the contents of a daily backup on a Zip disk? From the first screen of the advanced section of the Backup Wizard you can choose from three location options: ◆ ◆ ◆

Original location Alternate location (files and folders will be restored, folder structure intact, to the location you specify) Single folder (files will all be put within a single folder in the folder you specify, and the original folder structure will be lost)

If you tell Windows Backup to restore the files to an alternate location or to a single folder, then the wizard will display a text box where you type (or browse for) the restore path. You can only restore data to an alternate location, not system configuration information such as the Registry. Any system configuration files must go back to their original locations. Tip To edit this option without running the Restore Wizard, turn to the Restore and Manage Media tab of Backup. In the lower-left corner of this tab is a drop-down list of the restoration location options. System State data must always be restored to its original location. What If a File with That Name Already Exists?

The second screen in the advanced section of the Backup Wizard tells Windows Backup what to do if a file with the same name as the file being restored already exists on the volume. Normally, Windows Backup will not replace the file on the existing media, on the principle that if you already have the file, you shouldn’t need to replace it. However, sometimes you’ll want the file from the backup, not the one on the hard disk. For example, a Word document with a macro virus may be present on the hard disk, but you don’t want the infected file. To cope with some of the situations in which you might want to replace the file already on the hard disk, Backup supports three replacement options: ◆ ◆ ◆

Do not replace the file on the disk (the default). Replace the file on the disk if it’s older than the file on the backup. Always replace the file on the disk with the one on the backup.

Sadly, Windows Backup does not have an option to prompt you if it discovers a duplicate file on the media that you’re restoring data to, or to restore the file but give it a new name on the volume if a file with the same name already exists. That would have been handy for those times when you’re restoring corrupted files but don’t necessarily want to replace every file that already exists on disk. Tip To edit this option without running the Restore Wizard, choose Options from the Tools menu in Windows Backup. Turn to the Restore tab and choose the file replacement you want to use. What Other Data Should Be Restored?

The next screen in the advanced section of the Restore Wizard asks what non-data information you want to replace (see Figure 19.24).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

FIGURE 19.24 The non-data information that you can restore depends on the file system the original data was stored in. FAT volumes only let you restore the RSM database.

If you’re restoring data backed up from an NTFS 5 volume to an NTFS 5 volume, Backup will normally restore all NTFS-related data: security settings, mount points, and junction points pointing to externally stored data. Replicated or clustered data will also normally have their settings preserved. What happens if you tell Windows Backup to not restore the settings? Depends on whether the file already exists on disk: ◆ ◆

If the file exists in the location that you backed it up to, then the security settings attached to the file on disk will be applied, even if you’re replacing the file. If the file does not exist on disk (if you’re replacing a deleted file, for example) and you choose to not restore security settings, then the restored file will give the administrator of the local server and the system account full control—and wipe out any previous settings.

Note Notice that the way security settings are restored means that if you elect not to restore security settings to a file that Everyone had access to, you’ll need to explicitly grant that permission again.

Junction points are physical locations on a mounted NTFS volume that point to another area of the disk or to another disk. They’re used when you choose to mount a new volume to an empty folder on an NTFS volume instead of assigning that folder a drive letter. Normally, Backup will restore both the junction points and the files and folders to which they point. If you check the box that tells it to restore only the points, not the data, you may lose access to the data. When you’ve picked all the Advanced settings, click the Finish button on the last page of the wizard. If restoring from a backup file, Windows Backup will prompt you for the name of the file,

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1535

1536

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

then complete the restoration. During the process of restoring the files to disk, Windows Backup will display a Restore Progress dialog box. Viewing Restore Logs

When a restore operation is over, the Restore Progress dialog box will remain open. Click the Report button to open the restore report in Notepad. Alternatively, you can choose Report from the Tools menu and pick the report you want from the list of available reports. The restoration report will be appended to the backup report originally created for that job, so if you don’t see the information you’re looking for right away, page down for it. Restoring Configuration Settings

The process of restoring configuration data is much the same as restoring any other data—when prompted to do so, pick the System State folder from the backup set and start the restoration. However, restoring System State data isn’t as simple as restoring user data. If you restore System State data to its original location (that is, you don’t specify an alternate location for it), then Windows Backup will replace the System State data currently on your computer with the System State data you’re restoring. However, if you restore the System State data to an alternate location, only the Registry files, SYSVOL directory files, and system boot files are restored to the alternate location. You can’t restore the Active Directory services database, Certificate Services database, or COM+ Class Registration database to an alternate location. Note In order to restore the System State data on a domain controller, you must first start your computer in Directory Services Restore mode, available from the Advanced Start menu when you boot the OS. See the next section “Backing Up and Restoring the Active Directory” for details.

Backing Up and Restoring the Active Directory As I said earlier in this chapter, when you choose to back up the System State data on a computer, the contents of System State depend on the role of the computer you’re backing up. If the computer is a domain controller, then System State includes the Active Directory. Backing up the Active Directory is pretty simple—you choose to back up the System State data on a domain controller. Restoring it, however, is not as simple as restoring user data, especially if you need to restore data from a backup that’s older than the current data in the Active Directory. In this section, I’ll talk about how to back up the Active Directory, how long you can store it, and how to restore it—or pieces of it. Backing Up the Active Directory

You can take a snapshot of the Active Directory at any time by backing up a domain controller’s System State data, either from the command line or with the graphical Backup tool. To back up Active Directory, you must be a member of the Backup Operators group, the local Administrators group, or a group that’s been given the right to back up the System State data. Restoring the Active Directory

To begin restoring Active Directory information, you’ll boot the computer into Directory Services Restore Mode (to do so, press F8 while the domain controller is rebooting and choose this option from the Advanced Options menu that appears). You can perform an authoritative restore on either

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

all or part of the Active Directory. I’ll discuss the Advanced Options boot menu later in this chapter, but because one of its menu items is crucial to restoring the Active Directory, I’m going to leap ahead a bit, returning to this topic later. When you choose this option, it will kick you back to the main boot menu, showing in text at the bottom of the screen that you’re in DSRM. The system will boot in Safe Mode with Networking, run CHKDSK on all the volumes, and then present the logon screen for you to log in as the local machine’s administrator. Once you’re in, run the Restore Wizard, choosing the backup set containing the system data. Most of the way, this operation looks like restoring any data. However, when you’re clicking through the advanced options, you’ll come to the screen in Figure 19.25. Don’t just blindly click through this screen, as the options you pick here—specifically, the last option you pick here—determine what kind of restoration operation you’re performing. FIGURE 19.25 Advanced options for restoring System State data

Let me digress for a moment. A normal file restore operation restores all files, including Active Directory objects, with their original update sequence numbers (USNs). The AD replication system uses the USNs to detect and replicate changes to the Active Directory to all of the domain controllers on the network. The Active Directory replication system updates old data with newer data from other domain controllers. For normal operations, this is fine. It has one sticking point, though: Normally, any Active Directory data that you restore will retain its original USN used by the AD replication system to detect and spread AD changes among the domain controllers in your domain. Because of this, any data restored in nonauthoritative mode (would that be in “peon mode”?) looks like old data and won’t get propagated to the other domain controllers. Not only that, but the Active Directory replication

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1537

1538

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

system will replace that restored data with the “newer” data from the other domain controllers, if any exists. If you’re trying to replace bad current data with good old data, this obviously isn’t what you want to happen. Authoritative restore solves this problem, forcing the domain to accept the older data and overwrite the new. Before doing an authoritative restore, consider what effect this will have on the domain. When you restore the Active Directory database, you’re restoring the following, among other things (see Chapter 8 for a complete description of what the Active Directory is and what objects it contains): ◆ ◆ ◆ ◆

User and machine accounts User and machine account passwords Groups and organizational units Trust relationships (or lack thereof) with other domains

However, what you’re not doing is removing any new accounts you created since backing up the Active Directory. The AD isn’t a big lump with a single USN, but a directory of objects, each with its own USN. You can pick and choose pieces of the Active Directory to restore. Also, if you perform an authoritative restore to a domain containing other domain controllers, any objects you created in the naming context (in this example, the domain naming context) after making the backup will remain in the Active Directory. Say, for example, that on Monday you create an account for ChristaA (which is then replicated to the other domain controllers in the domain), then back up. On Tuesday you create an account for Christa—also replicated to the rest of the domain. On Wednesday, you delete the ChristaA account. On Thursday, you perform an authoritative restore from the backup you made on Monday. Both the ChristaA and Christa accounts will exist in the domain, not just the ChristaA account you backed up, because the two accounts have unique USNs—they’re different objects. Types of Restoration Actions

The way you should restore Active Directory data depends on what kind of restoration you want to complete. Restoring the entire domain from scratch and must therefore replicate the data across all domain controllers? Restoring a single domain controller and do not want that data replicated to any other domain controllers? Restoring particular data in the Active Directory? Each of these actions requires a different kind of restoration process. To restore the entire domain from scratch—to restore the first copy of all replicated data and use that as the basis for further replication—you’ll perform a primary restore. From the screen shown in Figure 19.25, choose to mark the restored data as the primary data for all replicas. This will cause all the restored Active Directory data to overwrite any other directory services information in the domain. To get a domain controller in a working domain back online, restore its System State data, but do not check the final box making this domain controller the primary source of replicated data. This is called a normal restore. Each object in the Active Directory will keep its original USN number. (In case it’s not obvious why you’re restoring it at all when some of the data may be overwritten from other domain controllers, consider that it’s unlikely that every single object in the Active Directory has

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BACKUP PROGRAMS AND APPROACHES

changed since you backed up the System State data, and it’s a lot quicker to replicate a few changes here and there than it is to replicate the entire Active Directory.) So far, we’ve looked at all-or-nothing scenarios: making the entire restored Active Directory the primary source, or none of it. However, you may need to restore part of the Active Directory; for example, if someone accidentally deletes an organizational unit and with it all the computer or user objects within that OU. To selectively restore parts of the Active Directory as primary replication sources, you’ll need to perform an authoritative restore. This is a two-part process. First, you perform a normal restore. Next—and before you reboot the server—you run NTDSUTIL, a command-line utility that lets you mark selective pieces of the Active Directory for primary restore. Understanding Tombstone Lifetimes and Backup Lives

Tombstone lifetime sounds like an oxymoron. It’s actually a property of the Active Directory Directory Service (NTDS, for NT Directory Service—same thing) object, representing the number of days that a deleted object will exist as a “ghost” in the Active Directory before it’s deleted. Tombstoned objects are still replicated but appear in the Active Directory as deleted. A housekeeping process called the garbage collector runs every 12 hours on each server to delete objects whose tombstone lifetimes have expired. (Personally, I would have called it the “sexton” to keep the metaphor going—garbage collectors don’t normally have much to do with tombstones, or if they do I don’t want to know about it.) Left to itself, the default tombstone lifetime is 60 days. So what does this have to do with the useful lifetime of an Active Directory backup? Simply put, you can’t restore data from a backup image older than the tombstone lifetime. If you did, the restored objects would be too old to trigger Active Directory replication and thus never be replicated to other domain controllers, and the restored domain controller would never get the replication data required to delete the objects—the records of those objects being deleted would have been removed by the garbage collector. The result would be an inconsistent Active Directory on the local server, which misses the point of a domainwide database of available resources. In short, don’t restore the Active Directory from backups more than 60 days old if you have not explicitly increased the tombstone lifetime. If you’re trying to restore a domain controller and your only backups are older than the 60-day default limit, then you have two choices. If you have at least one domain controller still up and running and its Active Directory information is good, then you have nothing to worry about—just restore the domain controller, and the remaining domain controller with good Active Directory information will replicate its data to the newly restored domain controller. If you’re having to rebuild the domain from scratch, then you can pick an outdated backup, restore it to a domain controller, and replicate the other servers from the restored one. If you must restore an older Active Directory backup to a working domain (although I’d hate to think of what could happen to your domain that you had to lose more than 60 days of changes to get it back to working order), then you can force the change by editing the tombstone date. Because .TombstoneLifetime is a property of the NTDS ADSI object, you can modify it with a script or with an AD editor such as ADSIEDIT.MSC or LDP.EXE. If you do, then you can make the tombstone lifetime older than the available backup. At that point, you’ll need to perform an authoritative restore to force the replication of this old backup to the other domain controllers since this information will be stamped as being too old for replication.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1539

1540

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

Restoring Part of the Active Directory

As I said earlier, you can use DSRM to restore individual parts of the database, not just the whole thing. For example, you could restore an accidentally deleted machine account for a domain controller. To do so, boot to DSRM and restore the System State data, then run NTDSUTIL for an authoritative restore. This time, though, instead of typing restore database, choose to restore part of it, like this (all on one line): restore subtree “cn=domain_controller,ou=Domain Controllers,dc=domain_name,dc=xxx”

Here domain_controller is the computer name of the domain controller, domain_name is the domain name the domain controller resides in, and xxx is the top-level domain name of the domain controller, such as com, org, or net. NTDSUTIL will ask you if you’re sure you want to perform an authoritative restore. When you click Yes, NTDSUTIL will open the directory information tree (DIT), note the last time it was updated and the number of entries that need updating, then read through the restore subtree command backward to find the domain, the organizational unit, and finally the computer name you want to restore. When you’re done with this, type quit to exit authoritative restore and then quit again to exit NTDSUTIL, then reboot the domain controller. Tip If you don’t know the name of the part of the Active Directory that you want to restore, use ADSIEDIT.MSC or LDP to find the name. You’ll need to enter the name exactly.

Troubleshooting Hardware with the System Information Tool If you want current nuts-and-bolts information about the hardware in your servers, you can dig out those PDF files you printed from the Web sites and read all your handwritten notes about configuration changes that you made. For those less than thrilled about this idea, there’s the System Information tool available from the Support section of Help. Using this tool, you can view the following on either the local computer or any Server 2003 or Win2K computer: ◆ ◆ ◆ ◆

A system summary showing you the basic hardware and software configuration of the server Hardware resources used on the server Configuration information for the hardware Information about all parts of the server software environment

Tip Typing winmsd or msinfo32 from Run will start the System Information tool. For those who don’t remember, MSD was the original Microsoft Diagnostics tool, which became WinMSD in Windows.

The System Information tool isn’t 100-percent accurate—as I wandered through it, I found a couple of minor pieces of misinformation—but it’s close. And it provides a lot more information than WinMSD ever did and in a reasonably organized manner. Read on to learn how to use this tool to inventory and monitor servers.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

TROUBLESHOOTING HARDWARE WITH THE SYSTEM INFORMATION TOOL

System Summary The system summary information is just that—a snapshot of your system, such as the one shown in Figure 19.26. The information is roughly that which used to be on the Version tab of NT 4’s WinMSD, with the addition of BIOS version and some memory information. You can’t change the data here, just see what the situation is. About the only information you need pay special attention to is the available memory. You can get memory information in many places around the operating system (the Task Manager is another tool that you can use for this), but here it is in black and white: how much physical and virtual memory you have available and have remaining. FIGURE 19.26 System summary information for a Server 2003 computer

Hardware Resources The Hardware Resources folder (see Figure 19.27) lists all the resources that might be used by the hardware in your services and shows what hardware actually is using those resources, as described in Table 19.5. Why is this information important? Basically, everything in Table 19.5 represents either a channel for devices to pass information to the processor for processing or a storage place for such data while it’s waiting for processor time. Each channel must have its own hotline to the processor so that when the processor responds to a call for processing (an interrupt), it knows whose data it’s crunching and can pass back the results accordingly. Some devices can share some kinds of channels; IRQs, for example, can be shared by some modern hardware. But memory storage areas cannot be shared, and not all channels can be shared. If you suspect that two or more devices are using the same resources and can’t share, then you can use this tool to find out.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1541

1542

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

FIGURE 19.27 The Hardware Resources folder with the contents of one folder showing

TABLE 19.5: RESOURCES USED BY SERVER HARDWARE Resource Type

Description

Conflicts/Sharing

Lists the components either sharing an IRQ or in conflict over one. Components sharing an IRQ should be working fine (or if they’re not, the IRQ in common shouldn’t be the problem). If multiple devices are in conflict over an IRQ, however, then one or all won’t work.

DMA

Direct Memory Access (DMA) channels are rarely required; most often these days, they’re used by audio devices. Basically, the DMA chips on the motherboard can move data from a device to RAM without the CPU having to be involved in the process. Any device that can use DMA needs its own DMA channel as its dedicated path for data moving.

Forced Hardware

Lists older devices not supporting Plug and Play that require specific IRQs.

I/O

Shows what devices are using what parts of virtual memory for storage. The information here is similar to what’s in the Memory folder but is taken from the perspective of the memory, not the devices using it.

IRQs

Interrupt request lines, or IRQs, represent each device’s hotline to the processor. IRQs are like DMA channels in that they’re specific to a given device, but are unlike them in that they don’t take care of the process of shoving data to the processor— the processor must still be involved. Some devices can share IRQs.

Memory

Shows the I/O buffer areas that each device is using to store data waiting for processing. Essentially, these buffer areas are mailboxes that the processor can use both to pick up data waiting for it and to drop off instructions for the device to which that I/O area belongs. Each device must have its own I/O area so that the CPU will drop off the appropriate instructions to each device. It’s going to cause no end of confusion if the processor asks the network card to play a sound.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

TROUBLESHOOTING HARDWARE WITH THE SYSTEM INFORMATION TOOL

Components The Hardware Resources folder looks at the types of resources available and shows you what devices are using them. The Components folder’s approach (Figure 19.28) is the opposite—you look at the devices installed and see what resources they’re using. But not only resources. The properties pages for the installed devices provide just about all information relevant to a piece of hardware, including resources used, driver versions, and the type of device it is. FIGURE 19.28 The contents of the IDE section of the Components folder

Note The Components folder is a list of all possible devices, not actual devices. For example, even if your server doesn’t have a modem installed, it will still have a Modem folder.

The exact data within a given object in the Components folder depends heavily on what the device it represents does. For example, the data for the display reports information such as the color density, refresh rate and resolution, video adapter’s name, and other display-related information. The network’s folder has three subfolders: one for the adapter, one for protocols used, and one for Winsock version information. Storage media show their size, media type, compression data, and so forth. There’s even a section for problem devices, listing any devices that the OS can tell aren’t working as expected. For instance, at one time I had a SCSI removable drive attached to this server. After I removed the drive, the OS still expected to find it, so it’s now listed in the Problem Devices folder.

Software Environment The information in the Software Environment folder (Figure 19.29) describes all of the software running on the system, who’s using it, and what files and services are loaded. It includes the components listed in Table 19.6.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1543

1544

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

FIGURE 19.29 The Software Environment

folder with one folder open

TABLE 19.6: SYSTEM PARTS DESCRIBED IN THE SOFTWARE ENVIRONMENT FOLDER System Part

Description

System Drivers

Lists all the system drivers. Each driver lists a brief description, its type (kernel driver or file system driver), its state (whether stopped or running), its start mode, its status (all drivers are OK) and whether it can be stopped or paused.

Signed Drivers

Lists all the signed drivers installed on the server and information about them, including whether they really are signed (the options are Yes and Not Available), the device class (e.g., NET for network drivers), the driver version (available only for signed drives), the manufacturer, the INF name, and (theoretically) the driver name. “Theoretically” because this information is available for neither signed nor unsigned drivers.

Environment Variables

Lists all the environment variables for the server, including the processor identification, location of all temporary files, path information for system files, and OS version.

Print Jobs

Lists all currently running print jobs.

Network Connections

Lists all current network connections and the drive letters they’re mapped to (if applicable).

Running Tasks

Lists all the executable files run by the services running on the server. File path, version, file size, and file date are all listed here. If you want to know what version of a given EXE you’ve got, this is where to look. Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

TROUBLESHOOTING HARDWARE WITH THE SYSTEM INFORMATION TOOL

TABLE 19.6: SYSTEM PARTS DESCRIBED IN THE SOFTWARE ENVIRONMENT FOLDER (continued) System Part

Description

Loaded Modules

Like the Running Tasks folder, except that it lists all dynamic link libraries in memory. Version, size, file date, manufacturer, and path information are all displayed. If you want to know what version of a given DLL you’ve got, this is where to look.

Services

Lists all the (nonboot or system) services available on the server by name. The state of each service, its start mode (manual, automatic, or disabled), and its type are all shown.

Program Groups

Lists all the groups available from the Start menu. The view shows the users for whom the groups are customized (this information is stored as part of each user’s profile, so you may have several different listings of the same program group, each associated with a different user). Terminal server profile associations will be displayed here.

Startup Programs

Lists all the programs configured to run at system startup.

OLE Registration

Shows all the object linking and embedding associations used to open data files in the right kind of application.

Windows Error Reporting

Lists some errors appearing in the Event Log, their type (e.g., DHCP errors or hanging applications) and some details for the error.

Internet Settings As you can see in Figure 19.30 and Table 19.7, all the settings for IE are listed in the Internet although (as with the other settings in the

Explorer folder within the Internet Settings folder, System Summary folder) you can’t change any of them.

FIGURE 19.30 Contents of the Internet Explorer folder

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1545

1546

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

TABLE 19.7: SYSTEM CONFIGURATION SETTINGS IN THE INTERNET EXPLORER FOLDER System Part

Description

Summary

Lists basic version and path information about IE. The most useful information indicates the degree of encryption IE is set up to use, which printers are set up to work with IE, whether the Content Advisor (ratings software) is on, and whether the Internet Explorer Administration Kit is installed.

File Versions

Lists all the files installed that support IE, including their version number, date, size, path, and the company supplying them. If a file is expected but not present, it’s still listed, but its version is recorded as “file missing.”

Connectivity

Lists the connection settings for the browser. Most of what’s here applies to proxy server settings, but also listed is whether the dialer is set up to kick in when you start IE.

Cache

Lists the objects in the IE cache (stored when you view online content so that when you need the images again they can be loaded from the cache). It also lists the size of the cache.

Content

Lists the content controls in place on your IE setup. Again, it’s indicating whether the Content Advisor is enabled. Any certificates in place (your own or someone else’s) are also listed here.

Security

Lists the security settings you have in place for different site classes: trusted, local intranet, Internet, and restricted.

Saving System Configuration Information All this information is great, but sometimes it won’t help you get the answers you need to resolve problems with the server. That doesn’t mean that it can’t get someone else the answers they need to fix problems. The System Information tool lets you save and load configuration information. Using this capability, you can save your server’s configuration to a text file or system information file. You can then e-mail that file to a tech support person who has Server 2003 installed (or not, but if not they’ll have to read the text file) and can then load the file and view your computer’s information as if they were connected to the server. Tip To save only part of the system information, select the part you want to save before starting the save procedure. For example, to save only information related to the network card’s configuration, make sure that folder is selected in the left pane. Saving and Opening System Information Files

To save information as a file, open the File menu in the System Information tool and choose Save. In the dialog box that appears, type a name for the file (it will have an . nfo extension, just as these files did in Windows 2000) and click Save. The server will chug away for a minute or two as it inventories your system (so that the saved file reflects the most current information), and then store the file in your My Documents folder unless you specify otherwise. The file isn’t too big—mine is 198KB—so

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

TROUBLESHOOTING HARDWARE WITH THE SYSTEM INFORMATION TOOL

you can fit it onto a floppy if necessary. To open a saved file, choose Open from the File menu, browse for the file, and—get this—open it. (I detail this mostly because opening saved files in Windows 2000 was something of a pain. It’s much simpler in Server 2003.) Saving System Information as Text

Saving system information as a text file works much the same way as saving it as an NFO file. In the System Information tool, choose Export from the File menu. Again, the default location is the My Documents folder. When you click the Save button, the server will inventory itself to make sure that the most current settings are saved, then put them into a TXT file that you can read with an editor such as Notepad. It’s a long file; this is a partial dump of the information I collected from one server: Directory User Name Time Zone Daylight Savings Time Total Physical Memory Available Physical Memory Total Virtual Memory Available Virtual Memory Page File Space Page File

C:\WINNT REDROOM\ChristaA Eastern Standard Time Eastern Daylight Time 130612 kbytes 14572 kbytes 2097024 kbytes 1988656 kbytes 311252 kbytes C:\pagefile.sys

Needless to say, I’d rather analyze the data from an organized system information file than from a 225KB ASCII file, but the fact that you can save the information as text means that you can give someone your system configuration for analysis without them being able to read NFO files. Saving Information from the Command Line

You don’t have to open the graphical tool if all you want to do is create a system information log. Msinfo32.exe supports the command-line switches shown in Table 19.8 to generate a local or remote system information file. TABLE 19.8: WINMSD COMMAND-LINE OPTIONS Switch

Description

/?

Displays Help

/msinfo_file

Opens the specified saved file

/nfo filename

Outputs an NFO file with the specified filename and quits

/report filename

Outputs a text-format file to the specified filename and quits

/computer computername

Connects to the specified computer

/categories catlist

Displays or outputs the specified categories

/category catlist

Sets the focus to a specific category at startup

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1547

1548

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

So, for example, typing msinfo32.exe /nfo g:\tools\report.nfo will generate a complete copy of the local computer’s system information and store it as an NFO file in G:\tools. (Notice that I must include the file suffix even though I’ve specified that I want to create an NFO file— winmsd isn’t smart enough to generate the suffix information on its own.) When I open this file on any computer with the MMC installed, it will show up as the local system information. If I wanted to create a text report (again, I don’t recommend doing this unless you simply have no other options— it’s too long), then I’d type the command like this: misinfo32.exe /report g:\tools\report.txt. Note Generating the report takes a few minutes, even on a fast computer.

Troubleshooting the Boot Process The operating system includes several tools that can help you recover from problems related to the operating system, but these tools are no good if you can’t get to the Advanced Options menu (discussed later) available at boot time for troubleshooting or get the Setup menu to recognize that your server does, in fact, have a hard disk. In this section, I’ll describe the steps the server follows to boot, including the outward manifestations of those steps so you can figure out which step went wrong.

Prequel: The Hardware Must Work Before you can even attack the problem of “What’s wrong with the operating system?” you must make sure that it’s not a problem of “What’s wrong with the server?” You will not be able to boot the server at all if either of the following are true: ◆ ◆

The boot drive, the boot drive’s disk controller, or the cable connecting the two is malfunctioning or incorrectly set up. The processor or the motherboard is dead.

Other hardware can give you problems, but these are the two that will really stop you in your tracks. To isolate the problem, watch and see where the problem appears: ◆ ◆ ◆ ◆

◆ ◆

A computer that does not boot at all, does not make noise, does not do anything at all, probably has a dead (or turned off) power supply or a dead power cord. A computer that will start its fan but doesn’t do anything beyond that probably has a problem with its motherboard. A computer that will count up memory but isn’t displaying anything on the monitor (you can hear it, but you can’t see it) and beeps at you probably has a problem with the video card. A computer that starts to load the operating system (in this example) and then blue-screens before displaying the logon screen may be having memory problems. Bad device drivers are also a possibility. A computer that will boot and find the CD and floppy but doesn’t find the hard disk controller probably has a problem with the hard disk controller. A computer that will boot and identify the hard disk controller but doesn’t find a bootable hard disk probably has a hard disk problem. If you’re still not positive and you have a spare system around, swap in an easy part of the computer, such as the hard disk controller, if you’re not sure whether the problem lies in the disk or the controller. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

TROUBLESHOOTING THE BOOT PROCESS

Tip Keep an eye on the fans in your servers. Those fans are vital to keeping delicate components cool. A cooked computer is a dead computer, sooner or later. A company called PC Power and Cooling (www.pcpowercooling.com) makes a temperature sensor, the 110 Alert, that fits inside a PC and squawks when the internal temperature rises above 110 degrees.

Finally—is the server plugged in? Is its UPS turned on? I know, I know—but check.

Using the Advanced Options Menu If it’s not the hardware, then what if it’s the operating system? No matter how careful you are, mistakes sometimes happen or something just goes wrong. In such a case, you’ll need to fix your installation, hopefully without reinstalling the operating system. Sometimes you have to reinstall to make things right again, but it’s definitely something to be avoided, since restoring a server back to its original greatness is generally a bit more comprehensive than just running Setup and blasting by all the defaults. When installing isn’t the only option, I prefer to spend my time doing something a little more useful. If you’ve made some change to your operating system that makes it unusable, all is not lost—so long as the system will boot at all and can recognize the hard disk that the operating system is installed on. The Advanced Options menu gives you several methods for fixing or debugging a broken operating system. You get to this menu by pressing F8 when the boot menu appears, or (if Server 2003 is the only available operating system) by pressing it when the OS is loading—early on, please. Do so, and you’ll see a text menu like the following: Windows Advanced Options Menu Please Select an option: Safe Mode Safe Mode with Networking Safe Mode with Command Prompt Enable Boot Logging Enable VGA Mode Last Known Good Configuration (your most recent settings that worked) Directory Services Restore Mode (Windows domain controllers Only) Debugging Mode Start Windows Normally Reboot Return to OS Choices Menu

Incidentally, the Advanced Options menu is one more reason why, any time you’re running a dualboot computer supporting two versions of NT (e.g., NT and Server 2003), you must install the older one first. If you install the older OS second, then you may not see the prompt to press F8 to open the Windows Advanced Options menu, the “Starting Windows” progress bar at the bottom of the screen, or the proper startup graphic. The problem is that NT 4 overwrites the shared Windows boot files (Ntldr and Ntdetect.com). To fix this, boot from the installation CD-ROM. At the Windows Setup screen, press R to repair the Windows installation. Then, press C to use Recovery Console. Copy the Ntldr and Ntdetect.com files from the I386 folder on the CD-ROM to the root folder of the boot drive.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1549

1550

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

I discussed Directory Services Restore Mode earlier in “Backing Up and Restoring the Active Directory.” Let’s take a look at the other modes.

Using Safe Mode Options The various forms of Safe Mode—with networking, without networking, with command prompt— load a minimal version of the operating system with only the drivers and files needed to support that minimal version (such as NTOSKRNL). These tools can be handy when something is preventing your system from booting and you suspect an errant driver. Whichever mode you choose, during boot, the OS will display a list of all the drivers and services as they’re loading. When you log out, the machine will restart as usual. Safe Mode

Safe Mode starts the OS with only the drivers and services required to boot the computer. No network drivers are loaded, and network-dependent services are changed to start option 3 (meaning that they’re set for manual starting) but can’t be started even from the Services section of the MMC or with net start. Use this version of Safe Mode to fix problems related to network services that are keeping the computer from working at all. Safe Mode with Networking

Safe Mode with Networking is what it sounds like—a pared-down version of the OS that includes network support. Use this version when you need network support and you’re sure that the network drivers are not causing any problems. When you boot the computer into Directory Services Restore Mode, it’s booting into Safe Mode with Networking. Safe Mode with Command Prompt

If you’re expecting Safe Mode with Command Prompt to be a strictly command-line version of Server 2003, you’re mistaken. When you boot to this option, you’ll see a list of the files that the OS is loading, and then the graphical interface will appear, running in 640 ×480. Ηowever, rather than loading the Desktop, Server 2003 will use the command prompt for its shell . Safe Mode with Command Prompt is a network-disabled version of Server 2003 that replaces the Explorer.exe shell normally used with cmd.exe. You can do anything on the local computer that you can do in the usual shell—you can even run GUI applications, if you don’t mind them running with a maximum resolution of 640×480 and 16 colors, with no working network services. But everything you do you must start from the command prompt or from the Task Manager (still available if you press Ctrl+Alt+Delete). Use Safe Mode with Command Prompt to run a stand-alone version of Server 2003 when something is wrong with Explorer that keeps the OS from starting. You can run Explorer from this mode and gain access to the graphical Desktop, if you like, but you’re not dependent on it as you are in the other versions of Safe Mode. If you don’t open Explorer, you can shut down the server with the shutdown command. Tip To get a complete list of all the commands supported from the command prompt, type help | more. (You can just type help, but there’s more commands than will fit on a single screen.) To get help with the syntax of a specific command, type commandname /?.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

TROUBLESHOOTING THE BOOT PROCESS

Please note that Safe Mode with Command Prompt is not the same thing as the Recovery Console, which I’ll get to shortly. I’ve seen some confusion about this and want to make sure that the difference is clear. Safe Mode with Command Prompt is a minimal version of the OS that uses cmd.exe as the default shell (operating environment) but can run any graphical tool so long as you know the command to invoke it. The Recovery Console is for resolving problems that can keep the computer from booting at all. It supports only a subset of commands and cannot run graphical utilities under any circumstances.

The Last Known Good Configuration One purpose of the Last Known Good Configuration option is to save you from your better ideas. For example, one time I thought I’d try installing the CD-burning software designed for a Windows 98 computer on a Windows 2000 Professional computer. While installing, I saw an error warning me that the software was not designed for Windows 2000, but I persevered. (Rules? Ha! We spit at rules.) Everything went smoothly, and I finished installing the tool. Feeling a little smug, I rebooted when prompted. And Windows 2000 refused to start and instead displayed a blue screen. I stopped feeling smug. Instead, I rebooted again, pressed F8 to display the Advanced Options menu, and chose to boot to the Last Known Good Configuration—the configuration that had been in place the last time I’d been logged into the computer. The computer unloaded the new driver, I booted successfully, and life was good. So long as the change you made produced no system-critical errors (at the time, that is— as you can see, it’s okay if the change you made prevents the OS from starting up properly), and you successfully booted and logged in to the server once before you ran into the problem, all is not lost. You can load the Last Known Good Configuration and choose from three different system start-up options: ◆ ◆ ◆

Using the current configuration Using the Last Known Good Configuration—loaded the last time the server successfully booted and you started a session from the console Restarting the computer

Understanding How Last Known Good Works

The Last Known Good Configuration option works because of the way NT-based operating systems maintain configuration information. Every time you boot the computer and log in, the configuration information for the local machine is stored in HKLM\System\CurrentControlSet. The OS also stores a backup copy of this information and assigns it a number for organization purposes. This backup is used should the default set of configuration information—the current set—become corrupted and unusable. Server 2003 stores several copies of the configuration information, numbering them consecutively (see Figure 19.31). Another numbered set is maintained as a Last Known Good Configuration, to be used if the default configuration set becomes unusable. You can’t tell from the numbers which configuration set your server is currently using. To find this information, look in the \Select key in HKLM\System (see Figure 19.32). There are four values here: Current, Default, Failed, and LastKnownGood. If you restart the machine and boot normally (that is, without using the Advanced Options menu), then the Default control set will be used. The value

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1551

1552

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

of Failed is the configuration set that had been the default when you chose to start the machine from the Last Known Good Configuration menu. Because you told the OS to not start with that configuration set, it’s now marked as Failed even if nothing is actually wrong with it. FIGURE 19.31 Contents of HKLM\System

FIGURE 19.32 The \Select key displays all current control sets.

Repairing a Server with the Last Known Good Configuration

That’s just background so that you know what’s happening; you don’t have to tweak the Registry to make the Last Known Good option work. If you do something that keeps the computer from starting normally, do not log on and try to fix it right away. Instead, restart the computer and follow these steps: 1. When the system has finished recognizing its hardware (and displays the boot menu if more

than one OS is available), press F8 to open the Advanced Options menu. 2. Choose Last Known Good from the boot menu and press Enter. The boot menu will now reappear with the words Last Known Good Configuration at the bottom of the screen. This is to

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

TROUBLESHOOTING THE BOOT PROCESS

remind you that, by loading that option, you’re choosing to reverse all nonsecurity-related changes made to the Registry during the last session. As I mentioned in my earlier example, this includes unloading drivers installed during the previous session. Server 2003 will start with the settings with which you started your last session. After you log in, you’ll see an information message telling you that Server 2003 couldn’t start with the current configuration and is starting with a previously saved configuration. The Last Known Good option can’t always help you. It applies only so long as you have never logged in with the new configuration, but have logged in at least once, and can boot the computer now. That means that it won’t work if any of the following apply: ◆ ◆ ◆

◆ ◆

You have never logged in successfully (that is, if you’re just installing the OS). You edited the server’s configuration, rebooted, and logged in successfully, and now want to restore your system to the way it was before the change. The change that you want to reverse is not related to control set information. You can’t remove changes to user profiles or system policies with the Last Known Good menu, for example. Passwords are also unaffected by the Last Known Good option, so you can’t use this option to recover from a forgotten Administrator’s password. The system boots, someone logs in (even with automatic logon), and the system hangs or the problem you wanted to avoid still exists. The system won’t boot at all and is unable to get to the boot menu.

Enable VGA Mode Those familiar with NT Server will remember that in previous versions of the operating system, the boot menu had two entries for each instance of NT installed on the computer: one with whatever graphics settings you’d chosen and one designed to run in vanilla VGA mode. There was a good reason for this. In NT 3.1, there was no VGA mode, and if you set up the wrong driver and logged in (making the Last Known Good option useless), then you had to go through a complicated sequence of keystrokes to navigate blindly to the Display applet in the Control Panel and fix things. This gave you a terrific sense of accomplishment when it actually worked, but it made video problems more than a little painful to resolve. The VGA option is no longer in the main menu, however. To get to it, you must press F8 at boot time and choose Enable VGA Mode from the Advanced Options menu. Use this option if you’ve installed a bad video driver and need to correct the problem. Unlike the Last Known Good menu, this option will work at any time, not just before you’ve successfully logged in.

Enable Boot Logging Enabling boot logging from the Advanced Options menu starts Windows as usual, except that it creates a file called NTBTlog.txt and stores it in the top of your system root directory. The output will look like this snippet: Microsoft (R) Windows (R) Version 5.2 (Build 3663) 11 11 2002 15:53:05.500 Loaded driver \WINDOWS\system32\ntoskrnl.exe Loaded driver \WINDOWS\system32\hal.dll

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1553

1554

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

Loaded driver \WINDOWS\system32\KDCOM.DLL Loaded driver \WINDOWS\system32\BOOTVID.dll Loaded driver pci.sys Loaded driver isapnp.sys Loaded driver intelide.sys Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS Loaded driver MountMgr.sys Loaded driver ftdisk.sys Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS Loaded driver dmload.sys Loaded driver dmio.sys Loaded driver PartMgr.sys Loaded driver VolSnap.sys Loaded driver atapi.sys Loaded driver disk.sys Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS Loaded driver Dfs.sys Loaded driver KSecDD.sys Loaded driver Ntfs.sys Loaded driver NDIS.sys Loaded driver Mup.sys Loaded driver crcdisk.sys Did not load driver Audio Codecs Did not load driver Legacy Audio Drivers Did not load driver Media Control Devices Did not load driver Legacy Video Capture Devices Did not load driver Video Codecs

If you’re running into problems, then you can check this log to see what drivers did—and did not—load. It’s normal for some drivers to not load; they’re available, but if you haven’t got anything running that requires them, the OS won’t start them, so as to save memory. But if your network, for example, isn’t working, you can scan the list of drivers to make sure that NDIS.SYS is present. Tip At a time when the server is working normally, enable boot logging and save the output under another name, noting the date and any new changes to the server. (You can do this pretty easily—all filesystems in Server 2003 support long filenames.) If something does go wrong with the machine, you can compare the healthy boot record with the sick one to find the discrepancy.

Debugging Mode This final option in the Advanced Options menu, Debugging Mode, sends debugging information to a computer connected to a Windows 2000 computer you’re booting via the serial port. The basic gist of this is that it’s a way to monitor the progress of a server’s boot from another server.

Preparing for Recovery If the situation is too dire for any of the Advanced Options menu options to help you, all is not lost. Before it’s time to reinstall, it’s time to drag out one the recovery tools: the emergency repair disk or the Recovery Console, both of which are available through the Repair option in Setup. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PREPARING FOR RECOVERY

Installing the Recovery Console How do you get to the recovery tools? You can install the Recovery Console from the Windows 2000 installation CD. Open the Run tool in the Start menu and type d:\i386\winnt32 /cmdcons where d: is the drive letter of your installation CD. The first time you do this, the setup program will display the message box shown in Figure 19.33. FIGURE 19.33 Initial screen for installing the Recovery Console

Setup will copy some files from the installation CD (or, if you have a live connection to the Internet, from the Microsoft Web site), then prompt you to restart the computer. The Recovery Console will be in the Startup menu (the text menu you see when you start up the computer) when you reboot, listed as Microsoft Windows Recovery Console. To start it, just choose that option before the 30-second time-out to whatever your default startup option is. Tip If you install the system partition as FAT and then think, “Huh. I have this Recovery Console that I could use to repair the system partition, so I’m going to install the Recovery Console and then convert that partition to NTFS,” you aren’t going to like the results. The Recovery Console uses different support files for NTFS and FAT partitions, so if you install it and then convert the system partition to NTFS, the computer will hang when you choose that option from the boot menu. Convert first, then install the Recovery Console.

Incidentally, you can install the Recovery Console onto NT computers as well. If you do so, then you can use NTFS to format the system partition without worrying that you won’t be able to reach this partition if you can’t boot normally. Why isn’t it a default option to install the Recovery Console when you install the core OS? Good question—it’s so useful that you’d think it would be installed by default or that at least you’d have the option of doing so during Setup. The problem is that installing the Recovery Console deletes necessary files from the $win_nt$.~bt folder and thus prevents the existing Setup process from completing if the Setup process you’re using writes that folder to the disk. You can install the Recovery Console from within another operating system if you experience a problem that prevents Setup from continuing and that the Recovery Console could fix, such as a damaged master boot record (MBR). You can also preinstall the Recovery Console by running the winnt32 /cmdcons command from the installation CD-ROM to place the files on the local hard disk. The only catch is that you must do this to a volume contained on a single physical disk, even if you later plan to mirror the system partition for system security. You can’t perform a clean installation of Server 2003 onto a currently mirrored partition, and installing the Recovery Console has the same restriction.

Creating the Automated System Recovery Disk Every time you successfully edit your system’s configuration, you should back the configuration up against the time when you unsuccessfully edit the settings. This backup disk is called the Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1555

1556

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

automated system recovery (ASR) disk. (It used to be the “emergency repair disk”, but I’m guessing some focus group somewhere decided that that was too scary a name.) Tip Re-create the automated system recovery disk after you have successfully booted with the new configuration information. This way, you’ll know that the configuration you’re backing up works. Know Thy Recovery Disk It’s important that you realize that the ASR disk you get with Server 2003 is different from the NT 4 emergency repair disk. The ASR disk does not include Registry data—probably because people could easily have a Security key file too big to fit on a disk. You can replace parts of the system Registry from the Recovery Console, if you update the information in the RegBack folder on a regular basis. (The original files are in the \Config folder; the backups in \Repair\RegBack.) Just don’t expect to have that information anywhere if you don’t back it up when creating the ASR. Curious about what you do with the ASR Disk? Turn to the next section.

To create the ASR disk, follow these steps: 1. Run the Backup utility found in Accessories/System Tools. On the initial screen of the utility,

you’ll find buttons for three wizards: Backup Wizard, Restore Wizard, and Automated System Recovery Wizard. Click the latter button. 2. Choose a backup location for a complete system state backup of your computer. Do not choose the floppy disk—it won’t all fit. You’ll need a fair chunk of space for all the System State data. 3. After Backup is finished, insert a blank, formatted floppy disk in drive A: and press OK when prompted to let the wizard copy files to the disk. Backup will copy the System State data, service information, and disk configuration information to the backup location and asr.sif, asrpnp.sif, and setup.log to the disk. The files are not bootable—this isn’t a boot disk. Those are system information files, like those used to install the OS. Basically, the SIF files.

Creating a Boot Floppy The ASR disk is not a bootable disk. If you want to make a floppy that you can use to load the OS when it won’t load off the hard disk, you’ll have to copy those files to a floppy. That floppy will not be machine-specific so long as all computers have the OS installed in the same directory, so you can keep it in your panic kit, and it’s filesystem-independent. A boot floppy is useful in any of the following situations: ◆ ◆

Corrupted boot sector Corrupted master boot record (MBR)

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PREPARING FOR RECOVERY

◆ ◆ ◆

Boot virus infections that keep the machine from booting Missing or corrupt NTLDR or NTDetect.com Incorrect NTBootdd.sys driver

Oddly enough, although making an NT boot floppy has been common practice for years, there’s still no utility in the OS that you can employ to make one. (You can create Setup disks from the \bootdisk\makeboot command on the installation CD, but that’s not the same thing. Those are Setup disks, this is a boot floppy, like a DOS boot floppy with autoexec.bat and config.sys on it.) The Windows NT floppy disk must include the files NTLDR, NTDetect.com, boot.ini, and the correct device driver for your hard drive. Creating a Boot Floppy from the CD

If you don’t have another Server 2003 box around but do have the installation CD, then you can get the files you need. Copy the NTDetect.com and NTLDR files from the i386 folder on the CD-ROM to the new disk. Rename the NTLDR file to setupldr.bin. The next step is to create the boot.ini file that the OS uses to determine which operating system it should load and where that operating system is located. boot.ini files are just text files. For example, the following works for a single partition IDE drive with Server 2003 installed under \winnt; the exact value in the [operating systems] section depends upon the configuration of the Windows NT System you want to boot: [boot loader] timeout=30 Default= multi(0)disk(0)rdisk(0)partition(1)\winnt [operating systems] multi(0)disk(0)rdisk(0)partition(1)\winnt=”Server 2003 ”

WINNT, in this case, is the name of the system root directory. Tip If your computer boots from a SCSI hard drive, replace the multi(0) with scsi(0). If you are using scsi(x) in the boot.ini, copy the correct device driver for the SCSI controller in use on the computer, and then rename it on the floppy to NTBootdd.sys. If you are using multi(x) in boot.ini, you do not need to do this. Creating a Boot Floppy from Another Computer

If you have a working copy of Server 2003 around, you can copy the files you need from it. Format a floppy disk using the ORMAT command on the working computer. Do a full format, not a quick format. Next, copy NTLDR and NTDetect.com from the computer to the floppy. Both NTLDR and NTDetect.com are in the root directory of the system folder. Next, create a boot.ini file or copy one from a running computer (it’s also in the root directory of the system folder) and modify it to match the computer you are trying to access. Tip You’ll need to edit the options on the View tab of Folder options (available from the folder’s Tools menu) to stop hiding protected operating system files such as NTLDR, NTDetect.com, and boot.ini. Just choosing to show hidden files and folders won’t show this file.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1557

1558

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

Repairing—or Recovering—a Damaged Installation The Last Known Good menu and the Safe Mode boot options aren’t always enough to get a wounded installation back on its feet again. You still have some options before reinstalling, though. As I discussed in the previous section, Server 2003 offers two repair tools: the Recovery Console and automated system recovery. Both work on volumes formatted with either FAT or NTFS; one of the cool things about the Recovery Console is that you can format a system partition with NTFS for greater security but still have access to troubleshooting tools.

Understanding Repair Options The two repair options aren’t identical. Automated system recovery is a simple procedure for those times when you don’t know precisely what the problem is, but you want to fix it and get on with your life. There’s little finesse involved: You start installing the OS; when asked whether you’re doing a real installation or a repair, you choose to repair; and then you pop in the ASR disk and let Setup repair files that are different from the ones originally installed. (There’s a little more to it than that, but that’s the basic story. I’ll go through the procedure a bit later in “Using the ASR Disk.”) So long as you haven’t replaced any drivers or DLLs in your system folders with new ones, you can safely choose to restore all system files to their originals, and you’ll still get your installation back as you left it—just fixed. The Recovery Console is a little more complicated. Rather than a means of restoring damaged files, it’s a command-line utility from which you can perform a variety of tasks: ◆ ◆ ◆ ◆ ◆

Copy system files from a floppy disk or CD to a hard disk (although not from a hard disk to a floppy disk) Start and stop services Read and write data in the system directory on the local hard disk Format disks Repartition disks

Use the Recovery Console when you know precisely what’s wrong and what you want to accomplish. If you don’t know what’s wrong, this is not an easy way of finding out. In short, if your installation is dead and you’re not sure why, then use the ASR disk to see whether restoring the original installation files will fix the problem. If you know what the problem is—like, for example, a bad or missing SYS file or a runaway service—then you can use the Recovery Console to copy the missing file to its new location without changing any other files. If you didn’t set up the Recovery Console before the OS became unbootable (or you want to run the ASR disk utility), then you’ll need to run Setup from the installation CD. After Setup has copied all the files it needs to access the hardware it needs to run Setup, it will ask you whether you want to install the OS, repair it, or exit Setup. Choose R to open the Windows Repair Options menu, from which you can repair an installation either with the Recovery Console (press C) or with the automated system recovery disk (press F2).

Using the Recovery Console When you choose to run the Recovery Console, it will scan the disk and find any installations of Windows NT-based operating systems on the disk. Pick the one you want to repair. Type the

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

REPAIRING—OR RECOVERING—A DAMAGED INSTALLATION

number of the option you want, and supply the password for the Administrator account—not the account of someone in the Administrators group, the Administrator account. So long as the SAM database is present and you can be properly authenticated, you’re in. (If it’s not, then you need to restore the backed-up Registry files you stored in %systemroot%\repair\regback before you can use the Recovery Console.) Tip On the off chance that you have a dual-boot NT/Server 2003 computer, you can repair Windows NT Server 4 installations on dual-boot computers with the Recovery Console even though NT does not come with the Recovery Console. Start the Repair Console as you normally would. When it returns the list of found NT installations, pick the NT 4 one.

Although it looks like an ordinary command prompt, the Recovery Console is not the command prompt that you can open from the Accessories folder. First, it supports only a few commands and only locally—this is not a network tool, and you can’t run just any command-line program or utility on it. Second, those commands are specialized for this interface and only perform a limited set of functions. By default, the wildcard options in the copy command don’t work in the console; by default, you can only copy files from removable media to the system partition (but not the other way around—you can’t use the console to back up files to other media); and although you can move to other logical drives on the hard disk, by default you can’t read files on any partition other than the system partition—or even perform a dir function on them. If you try, you’ll get an Access Denied error. (As you’ll see, you can change some of the security settings to make the Recovery Console more useful, but these are the defaults.) The Recovery Console is not a command-line version of Server 2003, cool as that would be. Note Sadly, the Recovery Console does not include a command-line version of REGEDIT, like Windows 9x does.

You can’t back up files. You can’t read the contents of any directory not in the system root. You can’t use wildcards. You can’t edit security information. What can you do with the Recovery Console? Quite a lot, actually, if recovery is what interests you. As you can see in Table 19.9, the Recovery Console is a set of commands you can use to manipulate the files and structure of the system partition. As you can see, a lot of functions with duplicate commands use the same syntax; unless I specify otherwise, there’s no difference between the two commands. TABLE 19.9: SUPPORTED RECOVERY CONSOLE COMMANDS Command Name

Function

attrib

Changes the attributes of a selected file or folder.

batch

Runs the commands specified in a text file so that you can complete many tasks in a single step.

cd or chdir

Displays the name of the current directory, or changes directories. Typing cd.. closes the current directory and moves you up one in the tree.

chkdsk

Runs CheckDisk.

cls

Wipes the screen of any previous output. Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1559

1560

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

TABLE 19.9: SUPPORTED RECOVERY CONSOLE COMMANDS (continued) Command Name

Function

copy or extract

Copies files from removable media to the system folders on the hard disk. Does not accept wildcards.

del or delete

Deletes one or more files (does not accept wildcards).

dir

Lists the contents of the current or selected directory.

disable

Disables the named service or driver.

diskpart

Replaces the FDISK tool with which you’re probably familiar. Creates or deletes disk partitions. Only use this command on basic disks—it can damage dynamic disks.

enable

Enables the named service or driver.

expand

Expands a compressed installation file (one with a .cab extension) onto the local fixed disk. Only works if you’re running the Recovery Console from the installation CD.

fixboot

Writes a new partition boot sector on the system partition.

fixmbr

Writes a new master boot record (MBR) for the partition boot sector.

format

Formats the selected disk.

listsvc

Lists all the services running on the server installation.

logon

If you have multiple Server 2003 installations on the local hard disk, you can use this command to pick the installation you want to repair.

map

Displays the drive letter mappings currently in place. Handy for getting the information you need to use DISKPART. Only lists drives found in the partition table, not volumes listed only in the dynamic disks volume database.

md or mkdir

Creates a directory.

more, type

Displays the contents of the chosen text file.

rd or rmdir

Deletes a directory.

rename or ren

Renames a single file.

set

When enabled, allows you to display or modify four security settings governing file and folder access.

systemroot

Makes the current directory the system root of the drive you’re logged in to.

Type

Displays a text file’s contents to the screen of the Recovery Console.

Warning If you thought the Registry Editor was potentially dangerous, the Recovery Console is just as bad or worse. You can really screw up your system here, to the point that the only thing to do is reinstall and reload your backups. There’s no Undo feature, not all the commands ask for confirmation, and there’s no Read-Only setting such as the one in REGEDT32. If you’re not used to working from the command line, review what you want to do and the tools you need to do it before you open the console, and practice on a test system before attempting any real recovery.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

REPAIRING—OR RECOVERING—A DAMAGED INSTALLATION

Some of the commands in Table 19.9 will look familiar to old DOS hands, but many of them work a little differently from the way they did under DOS, using a slightly different syntax or only working under specific circumstances. Let’s take a look at how you can use these commands to get things back up and running. Before You Begin: Fix the Security Settings

Did you notice that I said by default you can’t copy files to external media and by default you can’t access any partition other than the system partition? The weasel wording wasn’t accidental. Normally, from the Recovery Console you can only use the following folders: ◆ ◆ ◆ ◆

The root folder The %SystemRoot% folder and the subfolders of the Windows installation you are currently logged in to The Cmdcons folder Removable media drives such as CD-ROM drives

You also can’t use wildcards with commands that would normally support them or copy data to disks. Bah. Let’s use the SET command to make the Recovery Console a bit more flexible. This command allows you to display or modify four environment options: Option

Default Setting

Description

AllowWildCards

FALSE

Controls whether you can use wildcards with some commands (such as del .tmp)

AllowAllPaths

FALSE

Controls whether you can change directories (with the cd command) to include all folders on all local drives

AllowRemovableMedia

FALSE

Controls whether you can copy files from the hard disk to a floppy disk or other recognized removable media

NoCopyPrompt

FALSE

Controls whether you can copy files without being prompted to continue when you are overwriting an existing file

Oho—so you run set AllowAllPaths = TRUE (don’t forget the spaces around the equal sign) and you can navigate anywhere on the local disk, right? Almost right. Before you ever start the Recovery Console, you need to edit some security settings before the SET command will work. Depending on what kind of computer this is—a server or a domain controller—go to the Security Configuration and Analysis snap-in in the MMC, the Domain Controller Security Policy in Administrative Tools, the Domain Security Policy in Administrative Tools, or the Local Security Policy in Administrative Tools. Whichever tool you choose, look under Computer Configuration\Windows Settings\Security Settings\Security Options and locate the two security policies pertaining to Recovery Console: Recovery Console: Allow Automatic Administrative Logon and Recovery Console: Allow floppy copy and access to all drives and all folders. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1561

1562

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

The first policy allows you to start Recovery Console without prompting for the administrative password stored in the local computer’s account database. (That’s kind of handy, but it does represent a security risk and I don’t think it’s a good idea.) The second policy enables the SET command while you are using Recovery Console. If you enable this policy, you can change any of the four environment variables to TRUE during a Recovery Console session. After you enable the security policy, it must be applied (possibly across the domain) before becoming the effective policy on the local computer. This is necessary before the SET command is truly enabled and available for use during a Recovery Console session. To make it snappy, you can run secedit /refreshpolicy machine_policy to force a refresh of the local computer’s policy after performing the policy change described previously. After the local policy is refreshed and the enabled Recovery Console security policy is in effect, you should be able to start Recovery Console and use the SET command to enable any of the four environment options. One last thing: You need to run SET every time you run the Recovery Console—it won’t remember that you changed any settings from their defaults. Tip Put the SET commands you want to apply to your Recovery Console sessions in a batch file so you can run the batch file with the BATCH command when you start the Recovery Console. Enabling and Disabling Services

Why would you need to enable or disable services from the command line? Therein lies a tale. Lo these many years ago, I bought a new PC. Installed Windows NT Server; ran the installation program for the 3Com network card in the server. Life was good. Until I rebooted the computer. You see, a diagnostic program was part of the setup for the NIC—an unavoidable part that you could not choose to not install. (Trust me: I tried, on several computers with the same set of hardware.) Whenever I started up NT, this diagnostic program would scan the system and display a message that a newer version of my NIC’s driver was available—did I want to use the new driver? Click OK or Cancel, and the message box would close for a second and then reopen, with the same message. Add to this that the searching and displaying was using up 100 percent of CPU time for a 350MHz Pentium II doing nothing else but running the diagnostic. Running the Task Manager (when I could get a spare cycle here or there to open it) didn’t help because the program wouldn’t shut down even when I killed the process. Note Worried about this happening to you? Although I’ve run into several people who’ve had the same problem with one version of the driver for the 3Com 3C905X Ethernet 10Base-T card, this issue seems to be fixed in the driver published in April 1999. Other than this glitch, I’ve been very happy with these NICs.

Okay, I figured—the problem is a runaway service, so if I can shut down the service I will resolve the problem. But shutting down the service is hard when you’re clicking OK in a repeatedly reappearing dialog box and then frantically grabbing CPU cycles to open the Control Panel and then Services before the dialog box opens and the processor usage starts running at 100 percent again. In this case, I was finally able to get to the Services applet, find the service (named 3Com Diagnostics or some such, so identifying the problem child wasn’t hard), and then stop and disable it.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

REPAIRING—OR RECOVERING—A DAMAGED INSTALLATION

Problem solved. But it took a lot of time and mouse-clicking to get to that point. A tool that would enable me to boot to the command prompt and disable that service without having to work around the cycle-eating message box would have been nice. And that’s where the services-related tools in the Recovery Console come in. The first step to fixing a problem like this is running the listsvc utility. There are no arguments to this—just type listsvc from the command prompt, and the Recovery Console will display a list of all the services and drivers currently installed, a short description of what they are, and their start type (boot, automatic, manual, system, or disabled). Seeing all the services will probably take a few pages of screen, but the services are listed alphabetically, so you can find the one you want fairly easily. Write down its name. Tip The names of services and drivers are not case sensitive.

Once you’ve found the suspected problem child, it’s time for the disable command. The syntax is simple: disable servicename. The Recovery Console will then notify you that it found the Registry entry for this service (or tell you that it can’t find an entry for this service, in which case you need to check your spelling and try again). It will also display the current start type and new start type for the service. Write down the current start type for the service in case you want to start it again. To make the change take effect, type exit to leave the Recovery Console and restart the computer. See whether disabling that service fixed the problem. If it did, then you’re home free. (Not sure how you’d know? Depends on what the problem was. In the case of the runaway 3Com diagnostics, the fix was pretty immediate. As soon as I turned off the service, the problem disappeared.) If it didn’t, then you can return to the console, enable that service, and try something else. You don’t have to disable a service to keep it from running when the OS starts, however. Instead, you could change its start type from automatic to manual. To do so, or to reenable a service you disabled, you’ll need to use the enable command. Like disable, enable’s syntax is simple: enable servicename. If run on a disabled service, using this syntax will enable the service and restore it to whatever its start type was when it was disabled. To change a service’s start type without disabling it, add the new start type to the end of the enable command, like this: enable servicename start_type

where start_type is one of the options in Table 19.10. TABLE 19.10: START TYPES Start Type

Meaning

Service_boot_start

Boot

Service_system_start

System

Service_demand_start

Manual

Service_auto_start

Automatic

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1563

1564

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

So, for example, instead of disabling the 3Com diagnostic service, I could have changed its start type from automatic to manual. That way, I could have started it at any time, but it wouldn’t start automatically. Replacing Damaged Files

Perhaps the problem isn’t a runaway driver or service, but a corrupted part of the operating system, as in error messages that say Bad or Missing NTOSKRNL.EXE. In such a case, you may need to replace all or part of your operating system (although, if we’re talking about more than a few files here or you aren’t sure what’s broken, it might be time for an automated system recovery). The tools most likely to apply to this scenario are the ones to create and delete directories, rename files, change attributes, and copy or extract files from other media. Creating directories is simple. The command syntax is as follows: md [drive:]path mkdir [drive:]path

where drive: is the drive letter of the drive on which you want to create the folder, if it’s not the current one, and path is the name of the directory you want to create. Just make sure that, if you don’t spell out the location of the new directory, you’re currently in the place where the new directory should be created. The syntax for the rmdir and rd commands (for deleting directories) is the same as that for md. The only part of directory deletion that you have to watch is that you can’t delete directories unless they’re empty, with no subdirectories. If you try, you’ll get an error message telling you that the directory is not empty, and there’s no switch to make rd act like deltree (an old DOS command that would delete subdirectories). Before you delete a directory, run the dir command to check out its contents and make sure that you really do want to remove it. Conveniently, dir displays all files, hidden or not, and shows their attributes. Rather than deleting entire directories, however, you’re more likely to need to replace individual files. That’s where copy and extract come in. The copy command is what it sounds like: a method of copying a file from one location to another, with the caveat I’ve mentioned before that you can only copy to the system directory, not copy files from the system directory to removable media such as a Jaz drive. The syntax for copying files is simple: copy source [destination]

where source is the name of the original file and destination is the directory where you’re pasting the original (along with a new name, if you need it). If you don’t specify a directory, the file will be copied to the directory from which you’re running the command. The extract utility works the same way as copy and uses the same syntax, with one exception: You can only use extract if you started the Recovery Console from the Repair option in Setup. Neither copying utility supports wildcards (so you can’t copy the entire contents of a directory very easily), but copy automatically decompresses compressed installation files for you. Both utilities will alert you if a file with the name of the one you’re pasting already exists in that location. If you’re not sure that you want to replace an existing file, try renaming it and then copying the new file to the relevant location. The syntax for rename is as follows: rename [drive:][path] filename1 filename2

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

REPAIRING—OR RECOVERING—A DAMAGED INSTALLATION

rename works only on single files, and the renamed file must be in the same place as the original. That is, you can’t use this command to move files. To do that, you’d need to use copy.

Fixing Boot Sectors and Boot Records

Your computer uses a couple of pieces of information to navigate your hard disk. Those two pieces are the boot sector and the master boot record (MBR). Most of the time, these pieces are pretty safe, but some things (such as some viruses) can target and infect them, or they can be lost. In such a case, you’ll need a way to restore them. First, a little background. The partition boot sector contains the information that the file system uses to access the volume. The MBR (discussed next) examines the information in the boot sector to load the boot loader. The boot sector contains the following information: ◆ ◆ ◆ ◆ ◆

A jump instruction The name and version of the operating system files (such as Server 2003) A data structure called the BIOS Parameter Block, which describes the physical characteristics of the partition A data structure called the BIOS Extended Parameter Block, which describes the location of the master file table for NTFS volumes The bootstrap code

Most of the information in the boot sector describes the physical characteristics of the disk (for example, the number of sectors per track and clusters per sector), in addition to the location of the file allocation table (for FAT volumes) or the master file table (for NTFS volumes). The layout and exact information included in the boot sector depends on the disk format used. Given that a disk may have more than one partition, how does the hard disk know where to find the different partitions? The first sector on every hard disk (whether the hard disk has an operating system on it or not) contains that disk’s MBR. The MBR contains the partition table for that disk and a small amount of code used to read the partition table and find the system partition for that hard disk. Once it finds that partition, the MBR loads a copy of that partition’s boot sector into memory. If the disk is not bootable (has no system partition), the code never gets used and the boot sector is not loaded. In short, a hard disk needs a functioning MBR to boot. The MBR is in the same place on every hard disk, so it’s potentially an easy virus target. Okay—all that said, to write a new boot sector to a drive, type fixboot. This will write a new boot sector to the current boot drive. To create a new MBR, type fixmbr. Deleting, Creating, and Formatting Partitions

The Recovery Console includes tools not only for fixing the OS, but for completely wiping things out and starting over. With these tools you can repartition and reformat your hard disk. Partitioning is setting up logical divisions of the disk; formatting is placing a file system on those drives so you can store data on them. Warning You probably already know this, but just in case you’ve forgotten, repartitioning and formatting are destructive. Any data on the hard disk you’ve reformatted or repartitioned is history. Keep your backups. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1565

1566

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

Before you start formatting or repartitioning, you might want to take a look at what you’ve already got in place. The Recovery Console’s map command can help you do that. Type map at the command prompt, and you’ll see output like the following: ? C: ? E: H: G: ? A: D:

FAT16 NTFS NTFS

0MB 1028MB 3310MB 1028MB 1028MB 1028MB 227MB

Device\HardDisk0\Partition0 Device\HardDisk0\Partition1 Device\HardDisk0\Partition0 Device\HardDisk0\Partition2 Device\HardDisk0\Partition3 Device\HardDisk0\Partition4 Device\HardDisk0\Partition0 Device\Floppy0 Device\CDROM0

Tip If you’re running MAP on a dynamic disk, only volumes created before you updated the disk (that is, volumes that were originally primary partitions or logical drives) will show up. MAP reads the partition table, and dynamic volumes created on dynamic disks are not in the partition table.

You can see from this that logical drive G: on the hard disk hasn’t been formatted because it’s not showing any file system. To format it, you would use the following syntax: format g: [/q] [/fs:filesystem]

Here, /q tells format to do a quick format (not checking for bad sectors), and the /fs switch is for specifying the file system to use. You don’t have to specify a file system (your options are NTFS, FAT32, and FAT), but if you don’t, Win2K will format it to NTFS. When you run this command, Win2K will tell you that all data on that drive will be lost and ask you to confirm that the format should proceed. Do so, and a few seconds later you will have a newly formatted drive. Tip You can convert a FAT partition to NTFS, but you cannot convert an NTFS partition to FAT.

You can format the G: drive safely, or at least without affecting any other logical drives. What you can’t do, even before formatting, is repartition to make the G: drive bigger, perhaps giving it some of that space that isn’t used on the disk. To do that, you need to boot the Disk Administrator and make G: part of a volume and then extend that volume—anyway, it’s all in Chapter 10. If you do want to repartition the disk to reorganize its structure, run DISKPART. Warning DISKPART can damage your partition table if you’ve upgraded the disk to a dynamic disk. Do not modify the structure of dynamic disks unless you are using the Disk Management tool.

When you’re done with the Recovery Console, type exit and press Enter. The computer will reboot.

Using Automated System Recovery Those who’ve read previous versions of this book may recall that the Windows 2000 recovery process using the ERD was fairly involved, requiring you to choose manual or fast repair to restore the system from the Registry backup. Automated System Recovery is more automatic than using the ERD was

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PLANNING FOR DISASTER RECOVERY

with NT or Windows 2000. To make it work, you’ll need the original installation CD and the ASR disk you created using the process described earlier in the “Creating the Automated System Recovery Disk” section. Start Setup on the damaged computer, then press F2 at the beginning of text-mode Setup when prompted at the bottom of the screen. (You’ll see this prompt right after the prompt to press F6 to install third-party disk drivers.) Setup will start formatting the disk as it would during a typical Setup operation. Next, Setup will copy the files to the Windows installation folders and load the configuration files. The computer will reboot and boot to Server 2003, going through the first stage of graphical Setup. So far, the process is very similar to a typical Setup and you may find yourself wondering if you picked the right option. Fear not—after completing the first stage of graphical Setup, the recovery process will automatically begin Backup and start a Restore operation from the backup you created when making the ASR disk. This is a nonauthoritative restore of System State data, so if you’re restoring a domain controller you’ll need to use NTDSUTIL as described previously to make it authoritative for the domain. Also, since this backup only copied System State data, you’ll need to restore any of that data separately. The computer will reboot again, but this time normally. That’s it—the computer is restored with all the settings that were in place at the time of your backup, even to the display resolution.

Planning for Disaster Recovery Sometimes using the Last Known Good Configuration or the Recovery Console doesn’t fix your problems. Hard disk failures or natural disasters require a bit more in the way of hard-core disaster recovery. What does disaster recovery mean? Essentially, it’s exactly what it sounds like: a way of recovering from disaster—at best, turning a potential disaster into a minor inconvenience. Disaster can mean anything: theft, flood, an earthquake, a virus, or anything else that keeps you from being able to access your data. After all, it’s not really the server that’s important. Although a server may be expensive, it is replaceable. Your data, on the other hand, is either difficult or impossible to recover. Could you reproduce your client mailing list from memory? What about the corporate accounts?

Creating a Disaster Recovery Plan The most important part of a disaster recovery plan is identifying what “disaster” means to you and your company. Obviously, permanently losing all of your company’s data would be a disaster, but what else would? How about your installation becoming inaccessible for a week or longer? When planning for disaster, think about all the conditions that could render your data or your workplace unreachable and plan accordingly.

Implementing Disaster Recovery Okay, it’s 2:00 P.M. on Thursday, and you get a report that an important server has died. What do you do? Write Things Down

Immediately write down everything that everyone tells you: what happened, when it happened, who gave you the information, and anything else that happened at the same time that might possibly be

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1567

1568

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

related. Do not trust it to memory. First, you’re apt to be a bit stressed at this point. Second, if it happened once, it could happen again—and if you write down the results of your interviews, you may not have to start from scratch. Check the Event Logs

If you can get to them, look at the security and event logs on the server to see if you can tell what happened right before the server crashed. If you’re using directory replication to maintain a physically identical file server (also known as a hot start server because it’s ready to go whenever you need it), the log information may be on the replicated server, even if you can’t get to the original. Ascertain the Cause of the Failure and Fix It

“Easy for you to say,” I hear someone muttering. It can be done, however. Once you know what events happened, it becomes easier to find out what they happened to. Find Out If It’s a Software Problem

Is it a software problem? If it is, have you changed the configuration? If you’ve changed something, rebooted, and been unable to boot, it’s time to use the Last Known Good Configuration discussed earlier. If you can boot but the operating system won’t function properly, use the automated system recovery disk to restore the hardware configuration. If you have another server with a Server 2003 installation identical to the server that failed, switch servers and see if the backup server works before you reinstall the operating system. If the hot start server doesn’t work, you could be facing a network problem. Find Out If It’s a Hardware Problem

Is it a hardware problem? If you have a hot start server around the office, put it in place of the failed server and see if you can bring the network back up. If so, the problem lies with the dead server, and you can fix or replace it while you have the other one in place. If not, check the network’s cabling. If one drive from a fault tolerant stripe set or mirror set has died, the system should still be fine (if the drive that died is not the one with the system partition on it), but you should still fix the set anyway. Striping and mirroring gives you access to your data while the missing data is being regenerated, but if something else happens to the set before you regenerate the missing data, you’re sunk, because the set can only deal with one error at a time. If necessary, reload the backups.

Make a Recovery “Coloring Book” No matter how much you know about reformatting SCSI drives or rebuilding boot sectors byte by byte, I guarantee you that the fastest way to recover from a disaster will often turn out to be a threestep process: replacing the bad hard disk and attendant hardware, installing a fresh copy of NT Server on the new hard disk, and restoring the data on the disk. That sounds simple, but it’s amazing how complex it can be in the heat of battle. Let’s see, I’m reinstalling Server 2003, but what was the name of the domain? What IP address does the domain controller get? What’s the WINS server address? Which services went on this server? What was the administrator’s password set to?

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PLANNING FOR DISASTER RECOVERY

At my shop, we decided to sit down and write a step-by-step, click-by-click instruction manual. It tells future network administrators which buttons to click and what text to type in the unlikely event that they ever need to take a new machine and rebuild our domain controller on it. Just for an example, we have a primary domain controller on one of our domains that (as the logon traffic is relatively light) is also our DHCP, WINS, and DNS server. So, suppose the machine goes up in smoke, leaving us nothing but backup tapes—how do we rebuild that machine? We sat down and wrote out exactly what to do: ◆ ◆ ◆ ◆ ◆ ◆ ◆ ◆ ◆

Install Server 2003 on a new machine. Restore the SAM and SECURITY databases. Install DHCP on the machine. Restore the old DHCP database to the machine. Install WINS on the machine. Restore the WINS database. Install the DNS server on the machine. Restore our DNS zones and records. Restore the user data.

Assume that the person who’ll be doing this knows nothing more than how to click a mouse and shove CDs into drives—someone with oatmeal for brains. Sound insulting? It’s not; I like to think of myself as of at least basic intelligence, but under pressure I sometimes just don’t think as well as I need to—oatmeal’s as good as it gets, and if I’m really pressed my brains have the power of unidentified goo. If you’re good under pressure, that’s great—but making the disaster recovery guide an easy read is also a big help to your coworkers. Tip An easier and less error-prone solution is to create unattended installations for key servers, either using answer files or Remote Installation Services. See Chapter 5 for more information about unattended installations.

Don’t underestimate how long this will take: Putting the whole document together took two research assistants a couple of weeks, and it ended up being a 100+ page Word document! (Part of the reason why it was so large is that it made lavish use of screen shots wherever possible, and yours should, too. Just click the window you want to include in your document, press Alt+Prtsc, choose Edit/Paste Special in Word, choose Bitmap, and uncheck Float over Text.) Warning Once you finish the document, be careful where you keep it. The document will contain the keys to your network: usernames of domain administrator accounts, the passwords of those accounts, and the like.

Making Sure the Plan Works The first casualty of war isn’t always the truth—it’s often the battle plan itself. The most crucial part of any disaster recovery plan is making sure that it works down to the last detail. Don’t just check the hardware; check everything. When a server crashes, backups do no good at all if they are locked in a cabinet to which only the business manager has the keys and the business manager is on vacation in Tahiti.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1569

1570

CHAPTER 19

PREPARING FOR AND RECOVERING FROM SERVER FAILURES

In the interest of having your plan actually work, make sure you know the answers to the following questions. Who Has the Keys?

Who has the keys to the backups and/or the file server case? The example mentioned previously of the business manager having the only set of keys is an unacceptable situation, for reasons that should be painfully obvious. At any given time, someone must have access to the backups. You could set up a rotating schedule of duty, where one person who has the keys is always on call, and the keys are passed on to the next person when a shift is up. However, that solution is not foolproof. If there’s an emergency, the person on call could forget to hand the keys off to the next person, or the person on call could be rendered inaccessible through a dead beeper battery or downed telephone line. Better to trust two people with the keys to the backups and server so that if the person on call can’t be reached, you have a backup key person. Calling in the Marines: Disaster Recovery Services Disaster recovery isn’t always fully successful. Perhaps your backups don’t work or have themselves been destroyed. One more option remains before you have to tell everyone that everything they were working on for the past month is irretrievably gone: data recovery centers. Data recovery centers are staffed by people who are expert at getting data off media (most often hard disks, but not always) that can’t be accessed by normal means. Not all data recovery centers are the same. Some data recovery centers (in fact, the first data recovery centers) are staffed with people who are really, really good at getting dead hard disks back up and running. Using their skill, they can resuscitate the dead drive, copy its contents to other media, and then return the data—on the new media—to you. Other data recovery services can retrieve data not recoverable with ordinary methods. These services operate at a binary level, reading the data from the dead media (sometimes even opening the hard disk, if the problem is serious enough) and then copying the data to your preferred media. Turnaround time is typically no more than a day or two, plus the shipping time. The cost of data recovery depends on the following: ◆

The method of recovery used (the places that just fix hard disks tend to be cheaper but can’t always recover the data)

◆

The turnaround time requested

◆

The amount of data recovered

Consider storing irreplaceable data on a different physical drive from data you can easily replace. A data recovery service can’t selectively restore data. That is, if the data files and the system files are stored on a single physical disk, you can’t save yourself a little money by asking the center only to recover the data files, even if the data is on two different logical partitions. Until recently, you had to send the hard disk to the data recovery center to have its data retrieved, and this meant not having the data for at least a couple of days. Remote data recovery services can fix some softwarerelated problems without requiring you to ship the drive anywhere or even take it out of the computer case. Using a direct dial-up connection, the data recovery center may be able to fix the problem across the telephone line.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

PLANNING FOR DISASTER RECOVERY

Is Special Software Required for the Backups?

Must any special software be loaded for the backups to work? I once nearly gave myself heart failure when, after repartitioning a hard disk and reinstalling the operating system, I attempted to restore the backups that I’d made before wiping out all the data on the file server’s hard disk. The backups wouldn’t work. After much frustration, I figured out that Service Pack 2 had been installed on the server. I reinstalled the service pack from my copy on another computer, and the backups worked. I just wish I had figured that out several hours earlier. Do the Backups Work, and Can You Restore Them?

Do the backups work, and do you know how to restore them? Verifying backups takes a little longer than just backing them up, but if you verify, you know that what’s on the tape matches what’s on the drive. So, as far as restoring goes, practice restoring files before you have a problem. Learning to do it right is a lot easier if you don’t have to learn under pressure, and if you restore files periodically, you know that the files backed up okay. Have Users Backed Up Their Own Work?

In the interest of preventing your operation from coming to a complete halt while you’re fixing the downed network, it might not be a bad idea to have people store a copy of whatever they’re working on, and the application needed to run it, on their workstation. People who only work on one or two things at a time could still work while you’re getting the server back online. Disasters shouldn’t happen, but they sometimes do. With the proper preventive planning beforehand, they can become entertaining war stories, rather than sources of battle fatigue.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1571

Chapter 20

Installing and Managing Remote Access Service in Windows Server 2003 It seems like it was only a few years ago that the concept of remote computing or dial-up connectivity was relatively unknown. As far as most of the world was concerned, there was no such thing as the Internet, the idea of telecommuting hadn’t been born yet, and e-mail didn’t exist. Remote connectivity and dial-up modems were vague, mysterious technologies as far as the average person was concerned. Once considered the tools of businesses and technically oriented individuals to simply get “data” from one location to another, these concepts have now become part of even Grandma’s everyday life. Technology has changed the world in some remarkable ways, but the most amazing way is how “connected” people are these days (or, at least, they can be if they want to). Home computers are becoming more and more common, and the average home consumer can buy a dial-up modem just as easily as a toaster or CD player. Employees are being equipped with everything from laptops to palmtops and being sent out on the road, with the expectation that they should be just as connected on the road as they are when they’re in the office. For better or for worse, this onslaught of technology has brought with it a demand for easy connectivity—anytime, anywhere. These demands have put a heavy burden on the backs of system administrators. Not only does the typical administrator have to handle day-to-day support issues within the office, but with so much work happening outside the office an already difficult job seems impossible at times. Unfortunately, there isn’t a magical solution for everyone yet (I doubt there ever will be), but Microsoft’s Remote Access Service (RAS) has been designed and improved over the years to help administrators deal with some of these demands. Originally developed in the early days of Windows NT, RAS was initially bundled as part of the base operating system. I’ve always felt the reason for this (at least partially) was to give NT a competitive advantage against other network operating systems out on the market—namely Novell. When remote computing was first starting to take off, Novell was the primary player in the Network Operating System market and they had developed add-on products like NetWare Connect to support dial-up connections to NetWare networks. Products like NetWare Connect worked well and

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1574

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

gave users the connectivity they needed, but these products had to be purchased separately and the license costs often increased in direct proportion to the number of simultaneous dial-in connections that needed to be supported. While I can’t be absolutely certain this is the reason Microsoft chose to bundle RAS with the operating system for free, it certainly seems like a reasonable assumption. As many recent court cases have highlighted, “bundling” is a popular Microsoft tactic to gain market share. Personally, I know of at least a few organizations that started deploying NT in its early days simply because of the number of things that were included for free with the operating system—things they would have had to pay extra for with any other network operating system. Whatever the reasons were, NT began to take off, and RAS capabilities grew with each new version of the operating system. Microsoft has improved RAS with each new version of Windows NT to the point where it has grown into a full-featured remote access platform capable of handling even the most demanding environments. By the time Windows NT 4 was released, RAS was a solid, reliable part of the NT operating system. The Internet was a few years along in its transition from the government and education environment into the commercial world, and it was becoming more common for people to try to leverage their investments in Internet connectivity to meet their remote access needs. With the release of NT 4, Microsoft included support for Point-to-Point Tunneling Protocol as a means of encapsulating RAS packets and sending them over the Internet instead of a modem. The phrase “virtual private networking” started becoming a buzzword in the vocabulary of network administrators, and Microsoft improved on the virtual private networking capabilities of NT 4 by later releasing a routing update called Routing and Remote Access Service (RRAS). With the advent of Windows Server 2003, Microsoft has put together the most comprehensive set of remote access capabilities to date, consolidating all the previous technologies and capacities in an easy-to-use interface. But with so many options available, at times it can be hard to know which solution is your best choice. In the pages that follow, I’ll discuss what some of your options are, some common scenarios you will probably run into, and the solutions for those problems.

Common Applications for Remote Access Service For the purposes of this text, we’ll assume that Remote Access Service is divided into two distinct functions: accepting inbound calls and placing outbound calls. Microsoft now commonly refers to the latter as Dial-Up Networking (DUN for short), and receiving inbound calls has pretty much always been referred to as Remote Access Service (or RAS). Even though RAS and DUN share some of the same setup and installation routines, when you see a reference to DUN, you can assume it is for an outbound call. With that clarification taken care of, let’s take a look at some of the tasks you can accomplish with the Remote Access Service in Windows Server 2003.

Connecting Clients to the Internet One of the more commonly used capabilities of Dial-Up Networking is to allow your computer to dial in to an ISP—usually via Point-to-Point Protocol (PPP)—and communicate with distant servers and hosts across the Internet. Although this might commonly be used for simple browsing and file transfers on a server, it is becoming common for e-mail and proxy servers to function entirely over dial-up connections to the Internet.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

COMMON APPLICATIONS FOR REMOTE ACCESS SERVICE

Windows 2000 Server included several functional improvements over previous versions of Windows NT for dial-up networking on the client side. Features such as demand dialing, reestablishing failed links, and the ability to repetitively dial unresponsive numbers made Win2K dial-up networking a pretty robust platform for establishing Internet connections and for keeping them online. Windows Server 2003 adds even more new features to the RAS environment. The introduction of Point to Point Protocol over Ethernet (PPPoE) drivers allows you to utilize your broadband connection for demand-dial connections. There are a few other improvements as well, including the ability to make your NAT interfaces work with Basic Firewall, the addition of support for L2TP/IPSec connections which originate from VPN clients located behind a NAT (network address translation) network, support for preshared keys using L2TP/IPSec authentication, and broadcast name resolution by a NetBT proxy located on the VPN server for networks which are operating without WINS or DNS. But first, I’ll talk about the basics of RAS and why we need it.

Accepting Incoming Calls from Remote Clients Traveling workers, telecommuters, and late-night workaholics all share one thing in common: they all eventually need access to corporate resources from remote locations. Remote Access Service can serve as a platform to get these users connected to your internal networks and servers. Whether you need to allow access to your NT network, Novell servers, Unix hosts, or any other internal devices, RAS can act as a universal gateway for all your inbound communication needs. By accepting inbound connections from several different devices (analog, ISDN, X.25, VPN) and routing the traffic to your internal network, RAS can provide seamless networking for your users. Workstations dialed into a network over RAS will work exactly the same as they would if they were connected directly to the network (albeit a bit slower—more on that later).

Connecting to a Private Network In addition to connecting a Windows Server 2003 to the Internet, it’s often necessary to connect one network to another—perhaps to transfer data to suppliers or clients. In any case, Windows Server 2003 can be connected to another private network just as easily as to the Internet and take advantage of the same link-reliability features.

Acting as an Internet Gateway In response to popular demand, Microsoft added the capability for a Windows 2000 or Server 2003 to share an Internet connection among clients connected to an internal network. By the addition of NAT capabilities, Windows can act as a sort of proxy for getting internal clients connected to the Internet. Note It is worthwhile to note that this “proxy” service for getting internal clients connected to the Internet over a shared connection is completely different from the Microsoft Proxy BackOffice application, or their current version of Proxy, Internet Security and Acceleration (ISA) Server.

Although this service is primarily of use to small and home offices, it has been a dramatic (and welcome) addition to the suite of services contained in RAS.

Accepting VPN Connections from Remote Clients Along with the advent of the Internet in the corporate world, the concept of virtual private networking (VPN) has emerged and become one of the hottest areas in networking. Virtual private networking,

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1575

1576

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

loosely defined, is a means of running a secure private network over an insecure public network. Or, in plain English, you can have clients get connected (securely) to your office network by simply having an Internet connection and a valid (public) IP address and then establishing a VPN session to your RAS server. The VPN session is secure and encrypted, so your private data is protected as it passes over the public network (i.e., the Internet). Microsoft leveraged their investments in RAS with the development of virtual private networking and this feature is continued in Server 2003. By incorporating PPTP and L2TP protocols within the operating system, you can effectively set up “virtual” modems that work over IP networks, instead of analog or digital circuits. The methodology and terms used to implement these virtual modems are the same that are used for regular modems, so learning how to implement virtual private networking is made easier. Microsoft offers two choices for communication using VPNs. You can use the older PPTP and MPPE combination of encryption and authentication protocols, or you can use L2TP and IPSec. In Windows Server 2003, Microsoft has expanded the capabilities of using L2TP and IPSec from behind a network address translation interface, which was impossible previously. We’ll talk more about VPNs in the section titled “VPN Overview.”

Dialing Up a Remote Network and Routing Traffic With the addition of the Routing and Remote Access Service Update to Windows NT 4, Microsoft made it easier for a Windows NT Server to act as a router, connecting to remote networks as needed and routing traffic. This type of connection between locations is commonly referred to as wide area networking, or WAN connectivity. With no more hardware than a dial-up modem at each site, internal clients and workstations can access resources on remote networks through this capability. By simply programming your internal workstations and devices to use your Windows Server 2003 as a “gateway,” RAS can accept client traffic destined for a remote network, establish a connection to that network, and then pass the traffic across the connection as necessary. Since most office-to-office connectivity has traditionally been handled via costly dedicated circuits, having this ability is a tremendous benefit. This capability has helped organizations act in a completely “virtual” capacity—appearing to have a centralized network of resources that are actually individual servers spread across several sites, joined by demand-dial connections.

Bandwidth Planning and Considerations Before we begin discussing what types of hardware and software you need to start using RAS, it’s important to make sure you have an understanding of when RAS would and wouldn’t be a good solution. The two most important factors in determining this are speed and reliability. No discussion of remote access would be complete without defining the two different types of communication that are often referred to when you hear the phrase “remote access.” These are sometimes referred to as remote-node and remote-control technologies. They may sound similar, and as far as end users are concerned they’re basically the same, but these two methods of remote access are in fact very different. Unfortunately, many administrators are often left with implementing vague management directives such as “make sure that our employees can work while they’re on the road,” which are amazing oversimplifications of remote access’s complexities. It’s important to understand the capabilities and limitations of each type of access so you can make the best decision for your needs.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BANDWIDTH PLANNING AND CONSIDERATIONS

Remote Node RAS is a remote-node method of communication and a very flexible and versatile means of getting users or networks connected to one another. Overall, I prefer remote-node solutions over remote control for most applications, but having an understanding of how remote node works will help you recognize the best time to use it. One of the simplest ways to visualize remote-node communication is to view the phone line connecting a client to a network as a very long network cable. Like any normal network cable in your office, this one is plugged into two locations. It starts at the user’s workstation or laptop, goes through the phone company, and then ends at a modem in your office. Visualize that entire connection as a network cable. That modem, in turn, is connected to a RAS server (or another similar device), and the RAS server is—presumably—connected to your network. The RAS server accepts the incoming data from that dial-in user and then simply “passes” their data onto a local network segment. The same is true for outgoing data. The RAS server will see any outgoing data destined for that user on the network and transmit it over the phone line. As far as end-user functionality goes, your network should work exactly the same way in the office as it does dialing in, albeit much slower. Since typical office network connections these days are running at speeds of upwards of 10,000,000 to 100,000,000 bits per second, throughput can be amazingly fast. So fast, that it is easy to overlook the amount of data that is actually traveling across your network. Considering the fact that the best analog modems available today are only reaching speeds of 56,000 bits per second, throughput can be a problem with remote-node solutions. Basic math indicates that there’s only about 1/20th of the bandwidth available over a 56K modem in comparison to a 10-megabit Ethernet connection. That simple fact has a direct impact on the speed and performance of applications being used on the network. For example, a 2.5MB Word document might open up in just a few seconds on a 10-megabit Ethernet connection in an office, but on a 56K modem connection, that document could take upwards of a few minutes to open up. Calculating Modem Transmission Times Use the following formula to calculate modem transmission times:

File size in “bytes” 8 Speed of connection in “bits” (i.e., 56k = 56,000)

= Transmission time in seconds

Case in Point: Choosing the Right Remote Access Solution

If you implement a RAS solution without having some of these facts in your arsenal, you could end up with a solution that is effectively useless. Consider, for example, the case of one of my clients— let’s call them the XYZ Corporation. The XYZ Corporation was in the process of moving into a new building but had to leave their accounting software and data on the file server in their old building due to several licensing and political issues. The accounting software was an old FoxPro file-based program that had served them well for many years, but it was eventually being replaced when they moved.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1577

1578

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Their initial desire was to just have users dial in to the network in the old building and work on the accounting application as they did before. However, since the accounting application was filebased as opposed to being client-server (more on that later), the amount of data going back and forth between their workstations and servers was simply too great to make a remote-node solution work for their application. Simple analysis of their traffic indicated that their primary users of the accounting software were easily transferring 20 to 40 megabytes worth of data across their network in as little as an hour. If you’ve ever downloaded a large application from the Internet over a modem, you know how long it takes to move that much data—you probably start your download overnight and check it again the next morning. Remembering our calculations from earlier, only about 1⁄ 2 0th of the bandwidth was available to XYZ Corporation over a dial-up remote-node connection. Quite simply, they were not going to be able to move that much data over a modem and maintain usable response times—a remote-node solution was not going to work for this client with this specific application. The key factor that worked against XYZ Corporation was the fact that their critical application was file-based instead of being client-server. I can’t emphasize enough how important it is to understand the mechanisms that computers typically use to move data around, so let’s walk through some example applications of each of these types, see how they work, and see why some don’t work well with remote-node solutions while others do. File-Based Apps versus Client-Server Apps

Consider, if you will, a simple Microsoft Access database of names and phone numbers that you have stored on your computer. For discussion purposes, we’ll assume that you have not “indexed” this database (a process which makes searching databases faster) and are trying to look up the phone number for an individual with the last name of Justice. To find this name and number, you’d launch your Microsoft Access application, open your phone number database, and then do a search on the last name. Once you submit your search, your CPU would talk to your hard drive controller, tell it to open the database on your hard drive, and retrieve the first record in the database. When the first record comes back, it turns out that it’s for somebody named Anderson. The CPU realizes that Anderson doesn’t equal Justice, so it dumps the first record from its memory and then requests the second one. The second record is for Beveridge. Beveridge doesn’t equal Justice either, so once again the CPU dumps that record from memory and reads the third one. And so on, and so on, until it finally gets to the record for Justice. Once it successfully finds Justice, it displays the record on the screen. The important factor to take note of is the repetitive process the CPU had to go through to get the data it needed. It had to keep communicating with the hard drive controller to get the next record, and then receive the response (the actual data) and check it. Given how speedy today’s computers are, this all happens in the blink of an eye. But as you can see, there’s a lot of communication that has to go on to make that simple operation work. That communication, however, is all taking place between the internal components of your systems—from the CPU, across the data bus, through the hard drive controller, to the hard drive, and back again. Since these devices are directly connected to each other, they’re very fast. However, suppose you move that phone number database off your hard drive and onto a file server so everyone in your office can access it. If you do the same search as before, each time Microsoft Access has to get a new record to check, the CPU will send a request to the network controller instead of the hard drive controller. The network controller will transmit the request to the server for the record and wait for Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

BANDWIDTH PLANNING AND CONSIDERATIONS

the response from the file server. Once again, the CPU has to request this information over and over again from the network until it finally finds the record for Justice. Since a hard drive on a network file server probably isn’t going to respond as fast as the hard drive in your computer, response time suffers. To put some rough numbers to it, when the database was stored on the computer’s internal hard drive, you might have had a maximum of 20 megabits’ worth of bandwidth between the components inside your computer (hard drive, controller, bus, and CPU). Let’s assume the last-name search took 1 second to complete. Once you move the database on your file server, your maximum bandwidth might have stepped down to only 10 megabits, assuming you’re on a 10-megabit network. In theory, a search that took 1 second before could now take 2 seconds. That’s still not too bad, and these are rough numbers (don’t hold me to them), but they do illustrate the point I’m about to make. The 1-second query operation became a 2-second query operation when the phone number database was moved off the local hard drive and onto the network file server. Part of the reason for that is the fact that the bandwidth between our CPU and the actual data was cut in half, from 20 megabits to 10. Since the CPU had to keep requesting each record in the file, the bandwidth available between the CPU and the data source plays a key role. Now, what if someone was dialing in to the network and trying to perform the same query? If you recall the 1/20th figure discussed earlier in regards to 56K modems, you can probably see where this is heading. Cutting the bandwidth down from 10 megabits to 56 kilobytes could potentially increase our search time twentyfold. It’s entirely possible that our simple query could take upwards of 40 seconds over the 56K dial-up connection. Now, I’ll be the first to admit that I’m oversimplifying things here considerably to make a point. In reality, our example query probably wouldn’t take 40 seconds over a dial-up connection, but the response time would be noticeably sluggish. Even if it only took 10 to 15 seconds to retrieve the data, slowdowns like that eventually produce productivity problems. The key to all this is the fact that bandwidth is a huge factor in remote computing if you have any applications that are file-based. So what’s the solution? Try to stick with applications that are client-server based. In keeping with our name-lookup scenario, let’s assume that the data is stored in a SQL Server database instead of a standard Microsoft Access file. Using Microsoft Access (the client in clientserver) as a “front-end” on your workstation, you can submit the same query for the last name Justice as before. However, instead of requesting each record individually this time and checking them one by one, Access will transmit a request to the SQL Server software (the server in client-server) for a specific record. Access will transmit a specific request such as “get me the record(s) with a last name of Justice.” Small requests like those transmit very quickly, even over a slow connection (like a 56K modem). At that point, the responsibility of retrieving the correct data has shifted from the copy of Microsoft Access running on your CPU and is now in the hands of the SQL Server. Since the SQL Server presumably has high-speed access to the drives that store the data (most likely its own drives), it can find the answer in a few microseconds and then return an appropriate response back to Access. The key thing to look for in determining whether an application is client-server or not is to see if there are two separate parts to the application. One part will run on your client workstations, and a second part will run on the server that stores your data (or at least on a server nearby with a high-speed connection on it). If there are two parts to your application, it is probably a client-server application and you shouldn’t run into too many difficulties with remote-node users using it. However, if there aren’t two parts to your application—if the only part is the client software that just uses directories and files on your file servers—you might run into performance problems using remote-node solutions.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1579

1580

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Opening Word documents and Excel spreadsheets is, in effect, a file-based application, so it’s worthwhile to look at your average document size to see how quickly it might transmit over a slow connection. Refer to the transmission times formula earlier in this section and figure out how long some sample documents would take to transmit over a modem. If most of your documents are simple and text-based, you probably won’t run into too many performance issues. However, if your users typically work with large, multimegabyte documents on your server, you might need to consider other options.

Remote Control If remote-node communications can be viewed as using a phone line as a long network cable, then remote-control communications should be viewed as using a phone line as a long keyboard, mouse, and video cable. Remote-control solutions, by definition, allow you to remotely take control of a workstation on your network over a dial-up connection. Software on a workstation would typically have some sort of remote-control software running on it (such as pcAnywhere or VNC) and a modem attached to it. This is sometimes referred to as the host PC, since it is typically waiting to host an incoming caller. Then, presumably from another location, another workstation with compatible remote-control software would call into the host PC. Once the two PCs have negotiated a connection, the host would begin sending its screen data to the calling computer, in effect, letting the person at that calling station see everything that is on the remote screen. The calling workstation would then pass any keystrokes or mouse movements to the host PC, which would perform those actions just as if the user were sitting at the host PC doing them herself. In effect, the remote-control software is tapping into the keyboard, mouse, and video input/ output of the host PC and making it available to a remote PC over a phone line. Traditionally, remote-control solutions have been a bit more expensive to develop and scale due to the increased hardware requirements on each side. Whereas one RAS server with an adequate amount of modems would theoretically be able to handle 256 simultaneous inbound modem connections, having that many simultaneous connections using certain remote-control products could require 256 computers—one to receive each of the connections. That can be rather cost prohibitive in most cases, not to mention difficult to manage. However, it is worth mentioning because in some cases it might be the only remote access solution that would work in your environment. Microsoft began including some remote-control functionality in Win2K with the bundling of Terminal Services with the base operating system (hmmm, there’s that “bundling” concept again). If you are using Windows XP, you can use the Remote Desktop Connection software to remotely control your computer. If you are in a position where a remote-node solution won’t meet your needs, you might want to take a look at it and see if Terminal Services or Remote Desktop will work for you. Terminal Services can be a worthy option since it doesn’t require a separate computer to handle each inbound connection; instead, it requires one huge computer, and everybody runs a Windows session on that device (note: there are some other third-party products that function in a similar manner). Note For more detailed information on Terminal Services, see Chapter 16.

Since you’ve gotten this far, I’m assuming that you feel RAS is the right solution for you and you’re ready to start working with it and implementing it on your network. If that’s the case, keep reading. Let’s talk a bit about what type of hardware and circuits you’re going to need to have in place to make this all work.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

RAS HARDWARE REQUIREMENTS

RAS Hardware Requirements One of the first things to determine in remote networking is where you plan on connecting to and how fast you want to connect. Often, one or both of those criteria will help you determine what your available communications options are. In most instances, that will leave you with one of the following options: Connection Type

Typical Maximum Speed

Typical Maximum Distance

Analog modem

Asymmetrical: 53Kbps down, 33.6Kbps up

Unlimited, usually domestic

ISDN

BRI—128Kbps, PRI— 1.544Mbps

Unlimited, usually domestic

X.25

2400bps—64Kbps

Global

Serial cable

Serial port max—230Kbps in most cases

“Physically near (less than 50 feet),” according to Microsoft

Infrared

Varies

Very close, line-of-sight

Parallel cable

Up to 500Kbps

Very close

Frame relay

1.544Mbps

Global

Cable modem

Asymmetrical: 3–10Mbps down, 256Kbps–2Mbps up

Connect to a local provider

(A)DSL

Asymmetrical: up to 2Mbps down, 256Kbps–1Mbps up

~5 Kilometers (local provider)

Of course, it should go without saying that any devices you are considering purchasing for use with RAS should be checked against Microsoft’s Hardware Compatibility List (HCL) to make sure they are compatible with Windows Server 2003. By checking for HCL compatibility, you can be sure your choice of hardware has been specifically tested for compatibility with Server 2003 and has met the standards Microsoft has deemed necessary to be considered “compatible.” Also, if you’re purchasing modems from a manufacturer that has several different models to choose from, pick your product carefully. While some modems might cost more than others due to features like voice or fax capability, if you’re looking at two different models from the same manufacturer with the same capabilities, I’d suggest buying the more expensive of the two. The reason for this is quite simple: lower-cost modems are often designed by manufacturers primarily for light-duty home use applications. These are usually the modems you will see on the shelves in retail computer outlets. They are marketed to consumers and designed with tolerances and specifications targeted at the average consumer’s needs. This doesn’t take into consideration the more demanding needs of using modems for routing links, mail servers, etc. With that out of the way, let’s take a closer look at your hardware and circuit options, and then we’ll jump into configuring RAS on your Windows Server 2003.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1581

1582

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Analog Modems Analog modems are the most commonly used connection device on RAS servers these days, so a good portion of our examples and configurations throughout this chapter will be using them. A primer on how modems operate is in order for those of you who are unfamiliar with the technology. Modems are devices that accept binary signals (ones and zeros) from whatever device they are connected to, convert those binary signals into audible tones, and then transmit those tones over a phone line at a prescribed speed. (This process is described as “modulation” and is the derivative of the “mo” part of the word “modem.”) On the other side of the telephone line, another modem receives these audible tones and converts them back into the binary ones and zeros they represent. Once they have been converted back (“demodulated”), they are passed through to the device the modem is connected to as binary data. As you probably guessed, this “demodulation” process represents the “dem” in the word “modem.” Therefore, to complete a remote access or dial-up networking connection via a modem, you will need the following: ◆ ◆ ◆

Modem on the transmitting computer Modem on the receiving computer (this may be out of your control, for example, if you are dialing in to an ISP) Telephone connection between the two modems

In today’s world, analog modems can transmit and receive data over traditional phone lines at speeds anywhere from 300 to 33,600 bits per second (sometimes referred to as the baud of the modem). As I mentioned earlier, the modems on either end of the connection convert the stream of bits to analog signals and transmit them over the phone line at a prenegotiated speed. But what about those “56K” modems? When 56K Isn’t Quite 56K

A lot of hype and marketing has gone into the 56K modems that are currently available on the market. The modem manufacturers would love for you to believe that these modems are running at the full 56,000 bits per second, in both directions, but unfortunately that isn’t quite the case. If you’re planning on implementing a remote access solution for your organization, it’s important to understand exactly how these modems work, what speeds you can hope to get from them, and what you can and can’t expect from them. First, you should realize that 56K modems cannot send and receive data at that speed in both directions. At the time of this writing, the maximum bidirectional speed anyone has been able to get out of typical analog connections is 33,600 bits per second. Much of that has to do with analog connections and the signal loss that is inherent as the analog data travels from one location to another. However, modem manufacturers are clever and have found a way to work around that limitation by removing half the analog signaling from the equation. By using a special server-side modem at one of the locations and a digital connection directly to the phone company’s central office, data can be sent all the way from the server-side modem to the phone company with zero signal loss. Once the signal is within the phone company’s systems, it usually travels through their system completely digital as well. The net result of this is that speeds of up to 56,000 bits per second are possible but only in one direction—the direction going from the server-side modem to the phone company. Communication in the other direction—from the location with the analog modem toward the phone company—is still limited by the inherent signal loss and peaks out at 33,600 bits per second.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

RAS HARDWARE REQUIREMENTS

Companies like Internet service providers have been the primary beneficiaries of 56K technology, and 56K modems are a great tool for getting a bit more speed when connecting to the Internet. However, it’s important to realize that you cannot purchase two identical 56K modems, plug them into regular analog lines, and expect to get a connection any higher than 33,600 bits per second between them. Without having a serverside modem at one of your locations and a digital line from that modem to the phone company, you will be bound by the existing 33,600 limitations. It’s also worth mentioning that even when dialing in to a location with a server-side modem that supports 56K, under current FCC regulations in the United States, if you’re using an analog line you will never get a 56,000 connection. The FCC has placed limits on the amount of voltage any device can transmit over a phone line, which currently restricts all modems to a maximum capability of 53,000 bits per second. However, most analyses and studies of 56K modems have revealed that reasonable speeds to expect for your connections are anywhere from 42,000 to 48,000 for data coming from the server-side modem (or “downlink speed”) and, of course, 33,600 for data going to the server-side modem (or “uplink speed”). The amount of speed you get will depend on the quality of the equipment at your local phone company, the condition of the lines in your area, and your physical distance from the phone company’s central office. One of my own computers was never able to get speeds higher than 42,000–44,000bps when dialing in to a local ISP until I recently moved. Nothing else changed with my computer except the location it was in, but when I dialed in from my new home, I was consistently connecting at 48,000 bits per second.

ISDN A few years ago, a 56K analog modem would be more than enough bandwidth for most remote data needs. However, as computers have grown in size and complexity, so have the files and data that computers typically need to move around. Downloading multimegabyte items from the Internet, such as Windows 2000 Service Packs, could literally take hours over a standard dial-up connection. Fortunately, Integrated Services Digital Network (ISDN) is an option to get more bandwidth without having to get a dedicated circuit in place. ISDN typically comes in two different flavors, ISDN Basic Rate Interface (BRI) or ISDN Primary Rate Interface (PRI). The main difference between the two is speed (and therefore, price). BRI can support data speeds of up to 128Kbps over standard copper telephone lines, and PRI supports data speeds of up to 1.544Mbps over T1 cable. Since ISDN BRI can run over the same copper wires that most people have wired in their homes, it’s more commonly implemented. ISDN BRI consists of three separate data channels on one connection. Two of the channels are 64Kbps bearer channels, commonly referred to as B channels. These two channels, when combined, make up the 128Kbps that ISDN can use to move data from one location to another. The third channel (commonly referred to as the D channel) is a special 16Kbps out-of-band channel used for signaling between your equipment and the phone company. Although all three channels add up to 144Kbps, most ISDN implementations will either use one or both B channels, so I’ll refer to ISDN as being able to support 64Kbps or 128Kbps. To use ISDN for remote access, you will need the following: ◆ ◆

An ISDN modem at each location and, optionally, an NT1 network termination device (most ISDN modems come with these built-in today) A digital ISDN connection at each location

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1583

1584

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Digital Subscriber Line (DSL) DSL (Digital Subscriber Line) has become a more common and affordable high-speed connection method in recent years. Using broadband technology, DSL passes data over your phone line and can reach speeds of approximately 140 times the speed of the fastest analog modems. There are many different implementations of DSL, but the most common form is ADSL, or Asymmetric DSL, which is what I’ll be referring to here. One of the benefits of using DSL as a connection method is its “always on” functionality. Unlike analog modems, DSL doesn’t require you to connect and disconnect by dialing up to a receiving modem. Instead, once the DSL modem is installed, the connection is persistent and remains on at all times. Another great benefit of using DSL is that, although it does use your phone line to transmit data, you can still transmit voice data at the same time, which means that you don’t have to stop talking on the phone so that you can dial up to the Internet. While analog modems transmit signals through a public telephone network—the same facility that’s used to connect telephone conversations—DSL modems “piggyback” data signals over the voice signal. This means that the data gets sent to two different places—your voice calls are sent to the telephone network and your data signals go to the Internet. DSL modems are generally equipped with Ethernet ports so that, by adding a router, you can connect many machines to a single DSL connection, thus sharing the connection among all of the computers in a small office.

Cable Modems Another “always on” technology that is becoming more and more popular is called a cable modem. Cable modems offer high-speed Internet access over a shared cable television line in a geographical area. Like DSL, the connection is persistent, no logging on or off or dealing with busy signals. Unlike DSL though, this technology uses a cable television line rather than a phone line. While cable modems have greater downstream bandwidth capabilities than DSL, keep in mind that the bandwidth will be shared between all users in the near geographic neighborhood. As a result, the available bandwidth will vary, sometimes dramatically, as more people in that area access the Internet at the same time. In general, the upstream traffic on a cable modem tends to be slower than that of DSL, sometimes because the individual cable modem equipment is slower and sometimes because there are just too many people in the area are trying to utilize the bandwidth at a time. Like DSL modems, most cable modems offer an Ethernet connection so that you can tie in the rest of your network and have all your machines use that single access to the Internet. Keep in mind, that although we refer to modems when we talk about both DSL and cable modem technologies, we aren’t really talking about modems in the traditional sense. You can’t dial up to a RAS server using a telephone number with either of these connection types. What you get is a permanent connection to the Internet, allowing you lots more functionality than the traditional method of using dialup.

Direct Options (Null Modem, Parallel, and Infrared) Given the affordability and broad universal support for network cards these days, using a null modem or parallel cable to connect two computers has really become more of a niche than a mainstream use of RAS. However, there may be occasions when it is the only option—maybe you have a specialty

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

RAS HARDWARE REQUIREMENTS

device that can’t support a network card and can only communicate with the outside world via a serial or parallel port. If that’s the case, a null modem cable, parallel cable, or infrared connection between your systems can be used for a connection. Null modem cables are typically available at any computer store or through mail-order catalogs. However, according to Microsoft, standard off-the-shelf null modem cables might not be wired correctly for use with RAS. If possible, have your cabling vendor build a custom cable according to the pin configurations listed in Table 20.1. By connecting the null modem cable to the serial ports on each of your devices, you can connect your two computers together as needed. However, you will be limited to your serial port’s speed and distance limitations of roughly 50 feet. TABLE 20.1: MICROSOFT-SPECIFIED NULL MODEM CABLING REQUIREMENTS FOR RAS 9-Pin to 9-Pin

9-Pin to 25-Pin

Mac RS422/423 to 25-Pin

25-Pin to 25-Pin

Host System

Calling

25-Pin

9-Pin System

Host System

Calling

Mac

Server 2003

3

2

2

2

2

3

1

6, 8

2

3

3

3

3

2

2

20

7

8

4

8

4

5

3

3

8

7

5

7

5

4

4, 8

7

6, 1

4

6, 8

4

6, 8

20

5

2

5

5

7

5

7

7

6

—

4

6, 1

20

6, 1

20

6, 8

7

—

Source: Microsoft Corporation

Parallel connections can be made between two computers using the standard or enhanced (ECP) parallel ports of each device. By connecting devices together in this fashion, it is reasonable to expect throughput speeds of up to 500–600Kbps, but the distance between devices is again very limited. Microsoft lists a specific vendor, Parallel Technologies, in their help files included with Windows Server 2003 as a source for compatible parallel cables to use. Note To contact Parallel Technologies about their DirectParallel line of products, call (800) 789-4784 or visit them on the Web at www.lpt.com.

Infrared connections were new in Windows 2000 Server and will continue in Server 2003 to serve as a useful option for small offices. Since the connection distance is limited by the strength of the infrared signal and a direct line-of-sight requirement, it will be an easy method of connecting (no cables!) but limited in usefulness.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1585

1586

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

X.25 X.25 is a protocol that coordinates communication between multiple machines, routing information through a packet-switched public data network. Instead of establishing direct connections from one device to another, all devices in an X.25 network simply connect to a “cloud” and pass their data to the cloud. It is up to the company that maintains and manages the cloud to ensure that the data reaches the correct destination point. X.25 is a relatively outdated technology, which is why throughput speeds top out at 56K to 64K. So, why use X.25? Well, even though it is an extremely slow transport medium, it is also an exceptionally reliable one. There is an extensive amount of error checking and correction that occurs as a part of the X.25 protocol, which makes it a worthwhile consideration in areas with poor telecommunication services. X.25 is available globally and in some cases may be the only reasonable option for connectivity in certain countries.

Frame Relay Frame relay is quickly becoming a preferred option to X.25 connections, as it functions on roughly the same principle—each system passing data into a data cloud—but at much higher speeds. Frame relay can support connections ranging from 56Kbps all the way up to 1.544Mbps. Since frame relay only requires a single connection from each site into the cloud, it is an excellent choice for global connectivity; otherwise dedicated wide area network links across continents could end up being prohibitively expensive to implement.

RAS Installation and Setup Now that I’ve laid the groundwork for you to understand how remote access works, it’s time to start working through some of the sample applications discussed earlier.

Installing Devices for Remote Access Since a modem is one of the most widely used tools for remote access services, I’ll start by quickly walking you through installing your modem on a Windows Server 2003, making sure that the correct drivers are installed, ports are selected, etc. To begin adding modems to your system, click the Start button. Choose the Control Panel option, and then click the Phone and Modem Options icon. If this is your first time using this option, you will be probably be prompted for information about your area code, what type of dialing the system should use (tone or pulse), etc. After you’ve entered some of that preliminary information, you will be taken to the Phone and Modem Options applet. Click the Modems tab. More than likely, you won’t have any modems listed. Click the Add button to launch the Add Hardware Wizard, as seen in Figure 20.1. Depending on your preferences, you can either have Windows Server 2003 attempt to detect your modem automatically or you can select it manually from a list. If your modem is a bit older (as in, it was on the market before Server 2003 was introduced), you are probably safe letting Server 2003 attempt to find the correct driver for your modem. Leave the Don’t Detect My Modem; I Will Select It From a List box unchecked, and click Next to begin the detection process. If your modem is newer than the release of Windows Server 2003, or if you prefer to configure these options yourself (I prefer setting all these things myself), check the Don’t Detect My Modem; I Will Select It From a List box, and click Next. You’ll be taken to the screen shown in Figure 20.2. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

RAS INSTALLATION AND SETUP

FIGURE 20.1 Add Hardware Wizard

FIGURE 20.2 Install New Modem selection screen

From here, you can choose from a myriad of different modem drivers. Find the driver that matches your modem, select it, and then click Next to install it. If, for some reason, an appropriate driver isn’t listed for your modem, you can always use one of the standard modem drivers listed in the Standard Modem Types selection under Manufacturer. The standard modem drivers are reasonably good and are reliable in most circumstances. There are even standard modem drivers for 56K modems supporting the V.90, x2, and k56Flex standards. If your modem manufacturer included a driver disk along with the purchase of your modem, click the Have Disk button and insert your driver disk in the appropriate drive. You will need to tell Windows to look in that location by giving it the appropriate path to check for the driver (usually A:\; consult your modem manufacturer’s documentation for further information). If you are installing your driver by hand, you will need to tell Windows what communications port this modem is connected to, as shown in Figure 20.3. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1587

1588

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

FIGURE 20.3 Selecting communications ports

If you have identical modems on all your communications ports, you can select the All Ports radio button. Otherwise, you should select the port your modem is currently attached to. If you have multiple modems on many ports (but not all ports), hold down the Ctrl key while selecting each port. When you have selected the correct ports, click Next to complete the installation. You should receive a confirmation dialog box indicating that your modem has been successfully installed. Now that you have a modem installed, it’s time to take it for a test drive. One of the easiest things to do in Windows Server 2003 is to define a dial-up connection to the Internet, so we’ll start there first.

Connecting to the Internet It’s no secret that Windows Server 2003 was designed with the Internet in mind. Given that fact, Microsoft has made it easy to get your computer connected to the Internet. If you are running Windows Server 2003 as a proxy server so your internal clients can surf the Web, or if you’re running it as an e-mail server, dial-up connections to the Internet are an option worth looking into. Due to some readily available fine-tuning parameters you can set for dial-up connections, you can create a rather reliable link to the Internet with just a modem. Let’s get started. The first thing you’ll need to do before connecting to the Internet is set up an account with an Internet service provider (ISP). We won’t go through the specifics of how to do that here, but once you have an account you will need a minimum of three things handy to create your dial-up connection to the Internet: ◆ ◆ ◆

A local access phone number to dial (whether analog or ISDN) A username and password combination Optionally, an IP address to assign to your dial-up connection, and DNS addresses to use (most ISPs won’t require you to program this information in, but in case yours does, be sure to have this handy in advance)

When you’re ready to build your connection to the Internet, choose Start/Control Panel/Network Connections. You should get a window that looks like the screen in Figure 20.4. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONNECTING TO THE INTERNET

FIGURE 20.4 Network Connections window

From here, double-click the New Connection Wizard icon to start the wizard. Click Next in the initial screen of the wizard and you will be presented with a list of connection types you can establish. Select the Connect to the Internet option and then click Next. This will walk you through the process of setting up an ISP account. You will be asked whether you want to set up your Internet connection over a modem, a broadband connection such as DSL or cable modem (with or without requiring a password), or a LAN. If you have in-house Internet connectivity that is already running, then a LAN would be the option you would want to choose. However, since we’re discussing modems, let’s walk through the modem configuration. After you select the Connect Using a Dial-Up Modem option and click Next, you will be taken through a process to collect the information we discussed earlier, beginning with the name of your ISP. Once you enter the name of your ISP and the phone number to dial, and choose whether to make this connection available to all users on the system or save it in your profile for your exclusive use, you will need to enter the account information used to authenticate to your provider, as shown in Figure 20.5. FIGURE 20.5 Entering account information

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1589

1590

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Here you will enter the user credentials (username and password) your ISP has provided you for use with your account. This information will be stored along with all the other information for this dial-up networking entry so Windows Server 2003 doesn’t have to prompt you for it every time you want to make a connection. If you don’t feel comfortable having this information stored on your machine, leave the password field blank. The final options on this screen enable you to choose whether to apply the authentication information to all users, decide if you want this to act as the default Internet connection, and decide whether to turn on the built-in firewall software for the local machine. When you click Next, you will be reminded of your choices in the final screen of the New Connection Wizard. Click Finish to end the wizard and you will be presented with a Connect dialog box that contains the account information for the ISP you just entered, as shown in Figure 20.6. Click Dial to test your connection. FIGURE 20.6 Connect to your ISP.

You may have noticed that you weren’t required to enter an IP address to use for this connection. That’s because, unlike Windows 2000, the New Connection Wizard in Server 2003 now assumes that your IP address for this connection will be issued by your ISP. Of course, you have the option of setting that information manually if you prefer, as well as choosing the settings for your default gateway, DNS servers, and WINS server information. Let’s look at the various options that are available for this dial-up connection. Click the Properties button to view the properties for the connection, then choose the Networking tab to view the screen in Figure 20.7. Highlight the TCP/IP protocol option and then click the Properties button to view the TCP/IP properties page.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONNECTING TO THE INTERNET

FIGURE 20.7 Networking properties

Even though most ISPs automatically assign you an IP address, if your ISP requires you to manually assign yourself an address, click the Use the Following IP Address radio button in the top of the window and enter the appropriate address in the IP Address field. Some ISPs may still require you to enter DNS server information (DNS is how Windows Server 2003 translates names like www.microsoft.com into IP addresses). If so, click the Use the Following DNS Server Addresses radio button in the bottom half of the window, and enter your primary and secondary DNS server IP addresses exactly as your ISP provided them to you. Clicking the Advanced button in this screen will allow you to configure the additional network settings you see in Figure 20.8. Notice the check box called Use Default Gateway On Remote Network. If your machine is not connected to a LAN, you don’t need to worry about this option. If your machine does have a LAN connection, in addition to your dial-up connection, then you’ll need to understand something about default gateways. A default gateway is a network address to which your IP requests are sent when the request is for an IP address that lies outside of the local network that your machine resides on. The default in Windows Server 2003, as you can see here, is to use the default gateway of your ISP provider when connected using the dial-up connection. This enables you to communicate on the Internet via your ISP. However, since your machine can only have one default gateway at any one time, your ability to communicate on your local LAN is limited, at least outside your local network. So, if your computer resides in a larger network environment, your computer will be unable to make requests that would normally need to be sent to the default gateway on your LAN. You can get more information about default gateways in Chapter 6.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1591

1592

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

FIGURE 20.8 Advanced TCP/IP Settings screen

Click OK, and then click OK again to return to the Networking properties sheet for your ISP connection. Now that you have configured your networking properties for the connection, let’s look at some additional options for the dial-up connection.

Optional Internet Connection Settings Since you have verified that your Internet connection is working properly, there are some optional settings you might find useful for controlling the behavior of this dial-up connection. Such items include: ◆ ◆ ◆ ◆

Programming a list of alternate numbers for Windows Server 2003 to attempt when dialing Disconnecting idle connections (good for per-minute connections such as ISDN) Automatic redialing of busy or nonresponsive numbers Automatic reestablishing of connections that have dropped

All these features are useful enough by themselves. However, if you’re running a Windows Server 2003 that depends on having an Internet connection available, you’ll find these extra features useful. It takes much less administration when a server can take care of establishing and reestablishing its own Internet connections without any human intervention.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONNECTING TO THE INTERNET

To get to these options, you can either click the Properties button from the Connect < YOUR ISP NAME> dialog box or right-click the connection and choose Properties in the Network Connections dialog box. Open the Network Connections window again and right-click your ISP dial-up entry. Select the Properties option, and you should get to the dialog box shown in Figure 20.9. FIGURE 20.9 Advanced Properties for the dial-up connection

If your ISP has several local phone numbers available for you to use, you can program Windows Server 2003 to cycle through the entire list until it gets a connection. Click the Alternates button next to the phone number, and you should see a screen like the one in Figure 20.10. From the Alternate Phone Numbers dialog, you can enter as many numbers as you would like Windows Server 2003 to use to attempt to establish this connection. Click the Add button to add a new number to the list, and then use the arrow buttons on the right side of the dialog box to adjust the order of which number should be dialed first. As an additional option, Windows Server 2003 can remember which number was successful last time you connected and try that one first if you check the Move Successful Number to Top of List option. This will make sure that if for some reason one of your ISP’s local access numbers goes offline for a while, it won’t stay in the top of the list and Windows Server 2003 won’t keep trying to dial that number first. When you’re finished entering alternate numbers, click the OK button to return to the main properties dialog box for this dial-up connection. To reach the next set of editable items for this connection, click the Options tab. This should bring you to a screen similar to Figure 20.11.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1593

1594

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

FIGURE 20.10 Entering alternate dial-up numbers

FIGURE 20.11 Editing options for dial-up entries

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONNECTING TO THE INTERNET

This dialog box has several options available, the most useful of which regard dialing, idle timeouts, and reestablishing broken connections. Let’s go through these one by one and show how they can be used. Prompt for Name and Password, Certificate, etc. When you first created this dial-up networking entry using the New Connection Wizard, one of the steps you should have gone through was for entering a username and password to use for this connection. If you decided not to enter your password directly into the settings for this dial-up networking entry, you will want to check this option. Otherwise, Windows Server 2003 will simply try to use a blank password when establishing this connection. Checking this option will cause Windows to prompt you for a username and password to use instead of the existing username and password stored with this dial-up networking entry. Redial Attempts and Time Between Redial Attempts If your local ISP has a problem with busy signals, you will appreciate these options. By choosing the number of times to attempt to redial and the time to wait between attempts, you can program Server 2003 to keep dialing your ISP until a number becomes available. Personally, I’ve found this setting to be extremely useful in times of inclement weather when everyone is stuck in their homes and clogging my ISP’s lines. Idle Time Before Hanging Up If the same phone company that serves my area serves yours, then you are accustomed to paying for your ISDN access by the minute. These per-minute charges can add up to a rather substantial phone bill if your ISDN connection stays up all day. If your server only really needs to have a connection during business hours (for example, for proxy server clients browsing the Internet), set an appropriate idle time-out value here in minutes. Once the specified number of minutes has passed without any activity, Windows Server 2003 will drop the connection. Redial If Line Is Dropped It’s simply a fact of life—dial-up connections “drop” sometimes. It just happens, but it can cause considerable headaches if people are depending on this connection being up and you happen to be away when it goes down. Checking this option causes Windows Server 2003 to automatically redial and reestablish your connection if it drops. Assuming something hasn’t failed on the ISP side of your connection, your link should come back up automatically within about a minute. For this feature to work, you must have the Remote Access Auto Connection Manager service running. This service doesn’t automatically start on Windows Server 2003 by default, so you will need to enable it manually. To do this, enter the Computer Management Console by selecting Start/ Programs/Administrative Tools/Computer Management or by right-clicking My Computer and selecting the Manage option. This will bring you into the Microsoft Management Console (MMC) for managing computers on your network. In the left pane of the MMC, you should see an option for Services under the Services and Applications group (you might need to expand Services and Applications to see it). Click the Services icon in the left pane, and you should see a listing of all the services running on your Windows Server 2003 in the result pane. The MMC screen should look like Figure 20.12. Find the Remote Access Auto Connection Manager service in the listing on the right, and doubleclick it to edit the properties. From here, you can start the service manually and configure it to start

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1595

1596

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

up automatically every time your Windows Server 2003 boots up. The properties page for this service should look like Figure 20.13. FIGURE 20.12 Computer Management MMC for enabling Remote Access Auto Connection Manager

FIGURE 20.13 Service properties for RAS Auto Connection Manager

To start this service manually, click the Start button in the dialog box. If everything goes okay, the status of this service should change to Started. Now, to make sure that this service starts every time

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING INCOMING CALLS FROM REMOTE USERS

your Windows Server 2003 boots, select the Automatic option from the Startup Type pull-down box. Click OK to save your changes and then exit the Computer Management MMC. To test the redial functionality, try establishing a connection with this ISP dial-up entry and then pull the phone plug out of your modem. Wait a few seconds so that you’re sure the carrier has dropped (if you have an icon in your Taskbar indicating that you’re connected, it should disappear), and then plug the phone line back in. Within a minute, Windows Server 2003 should attempt to reestablish this connection for you without any intervention whatsoever.

Accepting Incoming Calls from Remote Users In today’s business world, there are several buzzwords that tend to make an administrator’s job a bit more challenging. Phrases like telecommuting, mobile computing, and sales force automation are all centered around one common principle—getting corporate data into the hands of people who need it, exactly when they need it, wherever they are located. In terms of systems administration, this typically means accepting inbound connections from remote clients. If you have yet to face this administrative challenge, rest assured that in the near future you most likely will. The tendency toward remote computing simply shows no signs of slowing down anytime soon. Whatever your dial-in needs are, Windows Server 2003 can act as a universal gateway to get remote clients into your network. Thanks to built-in support for PPP, an RFC-defined dial-up standard, Windows Server 2003 can receive calls from almost any type of device. Windows PCs, Macintosh systems, Unix hosts, and even personal digital assistants (PDAs) can all establish PPP connections to remote networks. Windows Server 2003 can accept traffic from any of these devices and route it to the devices on your internal network, whether they’re NT servers, Novell servers, Unix hosts, etc. To start accepting incoming calls from remote clients, you will need the following: ◆ ◆ ◆ ◆ ◆ ◆

Windows Server 2003 with remote access software configured to accept incoming calls Connection device of some sort (modem, ISDN, X.25, etc.) connected to Windows Server 2003 to accept calls from the remote clients Client computer capable of establishing a PPP session (Windows 9x/Me, NT 4, 2000, and XP; Macintosh; 3Com Palm; etc.) Connection device of some sort (modem, ISDN, X.25, etc.) connected to the remote client and capable of establishing a connection to the corresponding device on Windows Server 2003 Circuit (phone line, ISDN line, etc.) between the two devices User account on your Windows Server 2003 (or within your Active Directory) with dial-in rights granted to it

For the sake of brevity, we’ll assume that you’ve gone through the detailed steps earlier in this chapter to add your modems (ISDN devices or whatever you might be using) to your Windows Server 2003 and that they are functioning properly. With that out of the way, let’s get started on accepting incoming calls from remote clients. To be sure we’re all working from the same baseline, I’ll assume that you do not have the Routing and Remote Access Service installed on your computer. If you do have it installed, going through this

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1597

1598

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

procedure will stop your existing services and reinstall them with the answers provided to the configuration wizard.

Remote Access Server Installation and Setup Start the installation for Routing and Remote Access Service by clicking Start/Administrative Tools/Routing and Remote Access. You will see an MMC window appear, and you should see your server listed somewhere in the left pane. Right-click your server, and select the Configure and Enable Routing and Remote Access option. This will begin the RRAS installation process. This process is aided by a wizard that will help you configure the necessary services to allow remote clients to dial in. After a welcome dialog box (in which you will click Next), the first dialog box you will see should look similar to the screen shown in Figure 20.14. FIGURE 20.14 RRAS Setup Wizard: role of server

The first step of the configuration wizard is to determine what role your Windows Server 2003 will play. If you are simply looking to accept connections from dial-in clients, click the Remote Access (Dial-Up or VPN) radio button, and then click Next to move on to the next step of the wizard. On the next screen (Figure 20.15) you can decide whether you want to offer a VPN service, dial-up, or both of these types of connections to your clients. Choose Dial-Up and click Next to continue to the next step of the wizard, shown in Figure 20.16. The next step of the wizard—assuming you have TCP/IP installed on your server—will ask you how to handle assignment of IP addresses to remote dial-in clients. Since every device on the network must have its own IP address, your dial-in workstations need a way to get addresses as well. By default, RRAS will want to assign addresses to your dial-in users automatically from a DHCP server. If you have a DHCP server running, you will probably want to accept the default Automatically option. Whether DHCP and RAS are running on the same server or on separate systems, the RAS service will

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING INCOMING CALLS FROM REMOTE USERS

attempt to obtain a DHCP-assigned address from the internal network and then pass it along to the remote client to use. The key with this option is to make sure you have a working DHCP server somewhere on your network and that it has enough IP addresses that can be used for dial-in connections. Note For further reading on setting up a DHCP server, see Chapter 7. FIGURE 20.15 RRAS Setup Wizard: configuring connection types

FIGURE 20.16 RRAS Setup Wizard: IP address assignment

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1599

1600

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Under some special circumstances, you might want to control which IP addresses RAS hands out to dial-in clients. For example, if you have developed login scripts or other automation routines that depend on IP addresses, having a preset range might be useful. Or you might have security policies in place on your networks that only allow certain IP addresses to connect to certain devices. Either way, if you need to make sure RAS clients always fall within a certain range of IP addresses, select the From a Specified Range of Addresses option and then click Next to proceed to Address Range Assignment, shown in Figure 20.17. FIGURE 20.17 RRAS Setup Wizard: address range assignment

Through address range assignment, you can enter a series of IP address ranges for RRAS to use when clients dial in to your network. You can make these ranges as small or as large as you would like—just so long as you know that they are usable addresses within your network. To add a range (or ranges) to your system, click the New button and enter a start and end range of IP addresses to use. The New Address Range dialog box will automatically calculate how many addresses are in the range you provided. In the example shown in Figure 20.17, I have already entered a range of 10.16.0.101 to 10.16.0.150 for this RRAS server to use. When you have finished entering your addresses, click Next to proceed with the next step in the wizard, shown in Figure 20.18. Although the next step of the wizard might look like it’s simply asking if you have a RADIUS (Remote Authentication Dial-In User Service) server available on your network, it’s actually asking far more than that. This step of the wizard is asking how you would like to handle dial-in authentications. Your choices are limited to two simple options. If you are currently using RADIUS services on your network for authentication and logging of other dial-in access, you can set up your RRAS server to use the existing RADIUS server instead of using its own authentication and logging mechanisms. To specify your own RADIUS information, select the Yes, Set Up This Server to Work with a RADIUS Server option, and then click Next. Since RADIUS is outside the scope of this chapter, we’ll assume that you will stick to using

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING INCOMING CALLS FROM REMOTE USERS

Windows Server 2003’s own authentication and logging mechanisms. Therefore, you can leave the default No, Use Routing and Remote Access to Authenticate Connection Requests option, and then click Next to continue. FIGURE 20.18 RRAS Setup Wizard: RADIUS services

Since the option for RADIUS selection is the final step of the wizard, your server should be configured after you click Finish on the final panel of the wizard.

Granting Dial-In Permissions to User(s) Once you’ve successfully installed the Routing and Remote Access Service, the next thing to do is grant dial-in permissions to a user account in your Active Directory tree. (We’ll assume you already have an account created for this purpose.) Note If you need to add a new account for this exercise, see Chapter 9.

To grant dial-in permissions to selected users, choose the Active Directory Users and Computers MMC by clicking Start/Administrative Tools/Active Directory Users and Computers. Navigate through the Active Directory tree to the user you want to grant dial-in permissions to, and right-click the corresponding record. By selecting the option to edit the properties for this user, you’ll be taken to a dialog box to edit options for this user. Click the Dial-In tab, and you should be left with a screen similar to the one in Figure 20.19. By default, the user account you’ve selected will probably have the Deny Access option selected at the top of the dialog box. Click Allow Access to grant dial-in permissions to this user. You also have the option to edit some user-specific settings through this dialog box. For example, if you’d like to implement an additional measure of security by making sure a certain user’s remote access session always comes from a specific phone number, you have a few options available. First, if your modem and phone line supports caller ID service, you can simply select the Verify

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1601

1602

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Caller-ID option box and enter the phone number this user must call in on. However, if you are using hardware that doesn’t support caller ID or that service is unavailable in your area, you can achieve the same type of security by having your RAS server call the user back at a certain phone number. Selecting one of the Callback Options available in the middle of the screen activates this feature. FIGURE 20.19 Granting dial-in permissions via user properties

If you have home users who dial in either via long-distance or local long-distance, callback options might also save you some money when it comes to your remote access costs. If the telephone service you have in your office has a better per-minute rate than the rates your users typically have in their homes, you can save money on your remote access connections by having your RAS server call users back at the cheaper rates. In addition to callback options, you can also specify a fixed IP address for this specific user to receive. This feature first occurred in Windows 2000 and can be exceptionally useful when setting up internal access policies based on IP address (firewall rules, etc.). Now, take a moment and relax. Your server is set up to receive calls. You should be able to test this by calling the number associated with your RAS server from a standard phone and getting a carrier tone. If you don’t hear a carrier tone, double-check your work and make sure everything is connected properly. If, for some reason, you still don’t get a carrier tone when you call in, try rebooting the server (oddly enough, this happened to me once, and rebooting it corrected the problem).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING INCOMING CALLS FROM REMOTE USERS

Warning In Figure 20.19 you can see that some of the options are unavailable. These settings only become available if your domain is running in at least Windows 2000 Native Mode. Why? If your domain is still in Mixed Mode, then you still have NT 4 DCs, which means that you can only edit the user attributes that were available in NT 4. NT 4 does not have the ability to store user attributes that are new to Windows 2000 and Server 2003.

Changing RAS Server Configurations after Installation Wizards are both a blessing and a curse for the Windows operating system. Although they make complex tasks easier, they also tend to assume several answers for you with no chance to change those assumptions. The RRAS configuration wizard is guilty of this practice; it will make several assumptions for you as you configure your system. You may want to check these configurations to make sure they are exactly the way you want them to be. If you need to change any of your configurations at a later time, you can easily do so by rightclicking your server in the Routing and Remote Access MMC and then selecting Properties. Through the RRAS properties dialog boxes, you can add or remove support for certain protocols for dial-up connections, increase authentication security, and fine-tune the PPP controls for establishing connections to client systems. I’ll walk you through each of these areas, starting with the controls for security shown in Figure 20.20. FIGURE 20.20 Editing security properties for RAS service

Through this screen, you can control several behaviors for the security and encryption used with your dial-up connections. Although there are pros and cons for using each (with the pros usually

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1603

1604

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

being increased security and the cons being limited client support), we’ll discuss each option briefly so you can make your own judgments as to which one is best to use. By default, the authentication provider that should be automatically configured is Windows Authentication. If you have an external RADIUS server, you can change Windows to use the RADIUS server instead by selecting the RADIUS option from the pull-down box and then clicking the Configure button to define the RADIUS servers to use. You can also configure Microsoft’s implementation of RADIUS, called IAS, to manage authentication. But again, since RADIUS servers are outside of the scope of this chapter, we’ll simply stick to Windows Authentication methods. By clicking the Authentication Methods button below the Authentication Provider pull-down box, you will be taken to a screen similar to the one shown in Figure 20.21. FIGURE 20.21 Editing authentication types for RAS service

As you can see, there are several authentication options to choose from: Extensible Authentication Protocol (EAP) Because security and authentication is a constantly changing field, embedding authentication schemes into an operating system is impractical at times. To solve this problem, Microsoft has included support for EAP, which is simply a means of “plugging in” new authentication schemes as needed. Currently, Windows Server 2003 supports MD-5 Challenge, Smart Card or other Certificate (TLS), Protected EAP (PEAP), and Secured Password (EAP-MSCHAP v2), but this option will allow for future authentication protocols to be plugged into the operating system easily. Microsoft Encrypted Authentication version 2 (MS-CHAP v2) Microsoft’s derivative of CHAP, or Challenge Handshake Authentication Protocol (see the next entry). Using MS-CHAP allows you to encrypt an entire dial-up session, not just the original authentication, which is especially important when it comes to setting up virtual private networking sessions. MS-CHAP v2 support is included in Windows 2000 and Server 2003 for all types of connections and

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING INCOMING CALLS FROM REMOTE USERS

in Windows NT 4 and Windows 9x (with the Dial-Up Networking 1.3 upgrade) for VPN connections. Encrypted Authentication (CHAP) Defined in RFC 1334 and later revised in RFC 1994, the Challenge Handshake Authentication Protocol is a means of encrypting authentication sessions between a client and server. Since this protocol is defined by an RFC, it enjoys a broad base of support among many operating systems and other devices. Shiva Password Authentication Protocol (SPAP) SPAP, short for Shiva Password Authentication Protocol, is an encrypted password authentication method used by Shiva LAN Rover clients and servers. Windows Server 2003 can act as a server when Shiva LAN Rover clients are dialing in by providing the correct authentication sequence for them. Unencrypted Password (PAP) Password Authentication Protocol (PAP) is one of the last two options listed, and it is also one of the least secure. It is no more secure than a simple conversation from your server saying, “What is your name and password?” to the client and the client responding with, “My name is Marty and my password is ‘let-me-in’.” There is no encryption of authentication credentials whatsoever. Unauthenticated Access At first glance, this option wouldn’t seem to make much sense— leaving a wide-open access point to your network with no authentication required whatsoever. However, when paired with caller ID verification, this option can make a simple and secure method for getting clients connected to your network. If a dial-in user provides a username only, that username will be checked against the Active Directory. If there is a caller ID verification set for that user, the caller ID information will be checked and the connection will be accepted or rejected based on whether the information matches. If the user does not send a username at all, the Guest account will be used by default. Therefore, if you intend to use this option, you might want to make sure the Guest account is still disabled on your system (it is disabled by default in Windows Server 2003). Once you’ve set your authentication methods, click OK to return to the security properties page. The final option available allows you to direct the client to a custom IPSec policy using a preshared key. Tip To learn more about IPSec, see Chapter 6.

Although Windows Server 2003 still supports IPX/SPX as a protocol, it is no longer available for use by the RRAS service. And, with the advent of Windows Server 2003, we can formally say so long to our old friend the NetBEUI protocol. It is no longer supported in Windows Server 2003, although it may still be possible to make it work if you add the correct DLLs. Within the properties for the RAS service, you have the ability to fine-tune each protocol accepted by the RAS server and passed on to the internal network. By clicking the appropriate tabs (shown in Figure 20.22) for IP and AppleTalk, you can edit the following options for each protocol: Enable IP Routing One way to increase the security of your dial-in system is to only allow dial-in users to access the dial-in server itself. For example, if traveling workers only need to access a set of word-processing documents or spreadsheets, these could be kept on the remote access server.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1605

1606

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

By unchecking the Enable IP Routing option, clients will only be able to access the RAS server itself. FIGURE 20.22 Editing protocol security properties for RAS service

Allow -Based Remote Access and Demand-Dial Connections (available for IP and AppleTalk) To enable or disable support for individual protocols, check the boxes for each protocol to allow and uncheck the boxes for each protocol to reject. If you used the automatic wizard to install Remote Access Service, you might find that Windows Server 2003 enabled support for all the protocols on your system by default. However, good security practices dictate only opening up support for the protocols you need, so it’s probably a good idea to remove any protocols you aren’t using. Dynamic Host Configuration Protocol (DHCP) or Static Address Pool (available for IP Only) As was previously discussed in the configuration of Remote Access Service, here you can select whether your RAS server will use a DHCP server to hand out IP addresses to dial-in clients or if it will manually assign addresses from a static pool. If you choose to assign addresses from a static pool, you will need to provide the correct TCP/IP network address range and subnet mask to use. Note For more information on calculating address ranges and subnet masks, see Chapter 6.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING INCOMING CALLS FROM REMOTE USERS

If you need to fine-tune the parameters for your RAS server to use when establishing PPP sessions with clients, click the PPP tab to edit the properties of these items, as shown in Figure 20.23. The default settings will be acceptable in most instances, but, if needed, you can enable or disable the following options. FIGURE 20.23 Editing PPP properties for RAS service

Multilink Connections Multilink Point-to-Point Protocol (MPPP for short) was defined in RFC 1717 as a means of joining (often referred to as “bonding”) two or more PPP sessions together to increase bandwidth. Effectively, you could double or triple your bandwidth between a client and a server if you had two or three modems at each location, two or three phone numbers, etc. This option must be selected if you want to be able to choose the next option. Dynamic Bandwidth Control Using BAP or BACP Defined in RFC 2125, Bandwidth Allocation Protocol (BAP), and Bandwidth Allocation Control Protocol (BACP) are similar in nature to Multilink Protocol in that they are both used to bond connections together for increased bandwidth. However, while Multilink Protocol is a “fixed” solution that will automatically join all the channels it can, BAP/BACP will only initiate additional connections as needed due to high bandwidth utilization. This is an excellent option if you have connections that are subject to per-minute charges and don’t need to have them online all the time.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1607

1608

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Link Control Protocol (LCP) Extensions Enabling Link Control Protocol (LCP) extensions is a necessary part of supporting callback security on a RAS server. If you are planning on having your system be able to call users back at a specified number, you must have this option enabled. Software Compression Never missing an opportunity to define a protocol for something and create another standard, Microsoft has developed the Microsoft Point-to-Point Compression (MPPC) protocol to compress data as it travels across a remote access link. MPPC is defined in RFC 2118. In addition to configuring protocol and authentication types to use, you may also want to configure what ports on your system are used to accept incoming RRAS calls. For example, you may have some modems that are to be used strictly for dial-in and others strictly for dial-out. The RRAS configuration wizard will simply assume you want to use all your modems for dial-in purposes. To alter the configuration of ports on your system, return to the Routing and Remote Access MMC and expand your server in the left pane of the window. Below your server, you should see an option for Ports. Highlight that option, and then select Properties from the Action pull-down menu (or by right-clicking the item). That should take you to a window similar to the one shown in Figure 20.24. FIGURE 20.24 Configuring RRAS ports via the Routing and Remote Access Service MMC

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING INCOMING CALLS FROM REMOTE USERS

As you can see on this screen, all the interfaces that can support RRAS clients are listed for you to choose from. Highlight the interface(s) that you’d like to accept incoming calls from and then click the Configure button. This will open the individual properties page for this device. Check the box labeled Remote Access Connections (Inbound Only) and—if you can—enter the phone number for the line connected to that device in the Phone Number of This Device field. The phone number will allow you to support BAP for devices to initiate additional connections to your server (although since this requires multiple modems and lines at each location, it might not be an option you need). Repeat this procedure for all the ports on your server. Note It is important to note that all types of ports are automatically configured for your RRAS server—including the VPN ports for PPTP and L2TP. If this server is accessible over the Internet, these ports will be “openings” that outsiders can use to try to authenticate to your network. I recommend that you change the Maximum Ports value for L2TP to zero and for PPTP to one (the minimum value allowed), unless you specifically intend to implement virtual private networking (discussed later in this chapter).

Client Configurations Now that you have a RAS server that’s running smoothly, it’s time to enable some clients and get connected into the network. While I can’t cover every possible platform under the sun when it comes to remote access, we’ll look at a few of the more common options, namely Windows NT 4 Workstation, Windows 9x, and Windows XP Professional. Windows 2000 Professional Dial-Up Networking will follow a routine very similar to the Windows Server 2003 Dial-Up Networking steps, outlined in detail in the next section, so I won’t cover it here. All these client configurations assume that you have Dial-Up Networking already installed on your system and correctly configured. Assistance on installing Dial-Up Networking on other platforms is outside the scope of this book. Tip I frequently get calls from clients who have configured one of their users’ home computers to dial in to the corporate network but are having trouble browsing the Network Neighborhood and seeing any resources. In most cases, this is due to the workgroup and domain settings on the home system not matching the settings for workstations in the office. Make sure you use the same settings in both locations. Windows NT 4 Workstation

From the Windows NT 4 Desktop, double-click My Computer and then Dial-Up Networking to bring up the main Dial-Up Networking program. If this is the first time you are using Dial-Up Networking, you might get a message about your phonebook being empty—this is okay because it is simply Windows telling you it doesn’t know how to dial anyone yet. If you get that message, click OK to continue, and that should leave you at the main Dial-Up Networking screen as shown in Figure 20.25. To add a new entry for your Windows Server 2003, click the New button to start defining a new phonebook entry. The initial screen will let you enter information such as a friendly name to use for this phonebook entry, the number to dial, which modem to use, etc. Enter the appropriate information as needed and then click the Server tab to enter information about the server you are calling into. Your phonebook entry screen should look similar to Figure 20.26.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1609

1610

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

FIGURE 20.25 Dial-Up Networking in Windows NT 4 Workstation

FIGURE 20.26 Selecting server options for a new phonebook entry, Windows NT 4 Workstation

By default, Windows NT 4 Workstation will assume you are going to be dialing in to a PPPcompatible server, so it will use that selection as a default for the Dial-Up Server Type pull-down box. Also, NT Workstation will assume you want to use software compression and PPP LCP extensions (as seen by the check boxes in the bottom of the window). These are also acceptable defaults for most dial-up connections and can be left checked in most cases. These settings directly correspond to the PPP settings defined on the configured RAS server.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING INCOMING CALLS FROM REMOTE USERS

By far, the most important settings in this dialog are the network protocol settings. In general, these settings should correspond directly to the protocols configured when installing RAS, as seen back in Figure 20.15. The client workstation obviously cannot connect on certain protocols if they are not installed on your server, so make sure you are using the same protocols in each location. If you plan on using TCP/IP (and I expect most readers will), click the TCP/IP Settings button to define protocol-specific parameters if necessary. The TCP/IP Settings screen should look like the one in Figure 20.27. FIGURE 20.27 TCP/IP settings on Windows NT 4 Workstation dial-up networking

For most installations, the default TCP/IP settings should work fine, but if your situation is a bit more specific, you can enter values for the IP address that the client should use and which DNS servers and WINS servers to use for name resolution. If you don’t enter any settings for the DNS and WINS servers to use, the dial-up networking client will inherit the same values the RAS server uses itself. This is an important point, because if you are using DHCP to assign addresses, you might assume that any DHCP scope options you have added to your address space would be automatically passed along to your RAS clients. However, even if your RAS server is consulting your DHCP server for addresses to use, it will not pass DHCP scope options along to RAS clients. Settings for DNS servers and WINS servers to use will come directly from the same settings programmed into your RAS server. So, if you’re using DHCP on your network, make sure you hard-code an IP address for your RAS server and program in the correct name server addresses.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1611

1612

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Once you have set your server and protocol settings as necessary, click the Security tab to define the appropriate authentication options for your dial-in client. The security settings are shown in Figure 20.28. Just as the correct configuration for the server settings on the dial-up client depends on how your RAS server was configured, the security settings on the client will depend on how the security is configured on the RAS server as well. FIGURE 20.28 Security settings on Windows NT 4 Workstation dial-up networking

By default, Windows NT 4 Workstation selects the option to Accept Any Authentication Including Clear Text. If the RAS server is configured to only allow MS-CHAP authentication, then the dial-up networking client will submit an MS-CHAP authentication and should be validated without any difficulty. If you run into problems logging in, make sure your authentication settings between your server and your client match on at least some level. When you have completed making the necessary settings for this dial-up networking entry, click OK and then click Dial to dial in to your Windows Server 2003. You will be prompted for a valid username, password, and domain name to log in with. Use the username(s) you granted dial-in permission to on your servers, click OK, and if everything goes according to plan your Windows NT 4 Workstation should be connected! Windows 9x

From the Windows 9x Desktop, double-click My Computer and then Dial-Up Networking to bring up the Dial-Up Networking program. If this is the first time you are using dial-up networking, you might be asked to enter information about your local area code, whether to use touch-tone or pulse dialing, and any prefixes you need to dial. Simply fill in the information and click OK to continue. This should bring you to the Make New Connection window shown in Figure 20.29.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING INCOMING CALLS FROM REMOTE USERS

FIGURE 20.29 Windows 9x Make New Connection window

At the first step of the Make New Connection dialog box, you can enter a friendly name for this Dial-Up Networking connection and select which modem device you’d like to use. Enter this information and then click Next to continue to the next step, shown in Figure 20.30. FIGURE 20.30 Windows 9x Make New Connection window, step two

In the second (and final) step, enter the area code and phone number of your RAS server and then click Next to complete the creation of this Dial-Up Networking entry. By default, Windows 9x will assume several things about this Dial-Up Networking entry, including which protocols and security settings you’d like to use. For example, Windows 9x will select all the protocols installed on your system and try to use them over this Dial-Up Networking connection.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1613

1614

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

If you’d prefer to configure these options yourself instead of having Windows 9x assume what you want, go back to the main Dial-Up Networking window (the one with the Make New Connection icon) and you should see an icon for your Dial-Up Networking session. Right-click the icon, and select Properties to edit the configuration. You will see the properties pages for this Dial-Up Networking connection, as shown in Figure 20.31. FIGURE 20.31 Editing Windows 9x Dial-Up Networking entry properties

From here, you can (and should) change the security and protocol settings to match those of your RAS server. Configure the settings accordingly, and then launch your session to verify that it works. Windows XP Professional

Once you have installed your modem, from the Windows XP Desktop, click Start/Control Panel/ Network Connections (in category view, click Network and Internet Connections). From here you will need to start the New Connection Wizard to add a new connection to the server you wish to dial. Click Next to get through the initial screen of the wizard and you will see the screen shown in Figure 20.32. To create a connection using dial-up, choose the Connect to the Network at My Workplace option and click Next. Choose the Dial-up Connection option and continue by clicking Next. Specify a name for the connection and, in the following screen of the wizard, type in the phone number for the connection. Next you will need to decide whether this connection will be used for everyone who uses your computer or whether it should only apply to your account profile. In the final screen of the wizard, you will be shown a summary of the options you selected, and you are given the

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING INCOMING CALLS FROM REMOTE USERS

option of creating a shortcut to the connection on your Desktop. Click Finish to complete the wizard and you will be shown the Connect dialog box, as seen in Figure 20.33. FIGURE 20.32 Choosing a connection type

FIGURE 20.33 Connecting to the dial-up server

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1615

1616

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

From here, choose the Dial button to test your connection. Since you already know the basics about adjusting the settings for your dial-up connection, just know that by choosing the Properties button from this screen you can configure the security settings, protocols, and phone options.

Managing Connected Users If you need to keep tabs on users connected to your network, the Routing and Remote Access MMC can give you an overview of all remote access connections currently connected to your server. Whether connections are coming into your systems from VPN connections, serial connections, analog modems, or ISDN lines, you can get an overview of all your remote connections from one convenient console. To manage connected users, start by launching the Routing and Remote Access MMC by selecting Start/Administrative Tools/Routing and Remote Access. By expanding the details for your RAS server in the left pane, you should see a subitem for Remote Access Clients listed below your system, along with a number next to it in parentheses. This number indicates the number of dial-in users currently connected to your system. This screen should look similar to the one in Figure 20.34. FIGURE 20.34 Managing remote access users through RRAS MMC

From this screen, you can get an overview of how long users have been connected to your network, who is currently connected, which ports are in use, etc. By double-clicking any of the listed connections on your system, you can get advanced details about that individual connection, such as what IP addresses were assigned to the system, how much data has been transferred, etc. You can disconnect an individual connection from the same properties page by clicking the Disconnect button, or you can disconnect a user by right-clicking that user’s connection in the main list of connected users and choosing Disconnect. In addition to being able to disconnect a user from the main listing of connected users, you can also send a message to an individual user or to all connected users by right-clicking a connection and selecting either Send Message or Send to All, respectively.

Connecting to a Private Network Much like connecting to the Internet, at times you might need to connect your Windows Server 2003 to another private network. Maybe one of your servers needs to collect data from a client’s systems

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONNECTING TO A PRIVATE NETWORK

or transmit product orders to a supplier. The private network might be a Win2K network, an NT network, a Novell network, or a network that contains a combination of servers and other systems. In any case, dial-up networking can get your Windows Server 2003 connected with a minimal amount of effort. Before getting started, there are a few things you will need to have to complete making a connection to another network. Namely, you will need to have the following information available in advance: ◆ ◆ ◆ ◆

Access phone number to dial Username and password combination Protocols that will be used on the remote network Authentication the remote network will require

To get started, we’ll once again be working through the Network Connection Wizard by clicking Start/Control Panel/Network Connections and then choosing the New Connection Wizard icon. When the wizard starts, you should see the screen shown in Figure 20.35. Click Next to jump to the second screen of the wizard. FIGURE 20.35 New Connection Wizard: welcome screen

From this point, select the second option, Connect to the Network at My Workplace, and click Next to continue to the next step of the wizard, as seen in Figure 20.36. Here you’ll have to choose whether you want to connect to the remote network using dial-up or a VPN. Choose Dial-Up Connection and continue to the next wizard screen. Enter the name that you want to give this connection and click Next. Enter the phone number as prompted, and then click Next to get to the last step of the wizard, pictured in Figure 20.37.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1617

1618

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

FIGURE 20.36 New Connection Wizard: Network Connection

FIGURE 20.37 New Connection Wizard: Connection Availability

The last step of the Network Connection Wizard will ask if you would like to make this dial-up connection available to all users or to make it available only to the user who is creating this connection. For the purposes of simply connecting Windows Server 2003 to another network, select the My Use Only option here. The other option, Anyone’s Use, would end up sharing this connection for other users on the network, a topic discussed in the next section (“Acting as an Internet Gateway”). Click Next when you are finished, click Finish when presented with the summary, and you will have successfully created a Dial-Up Networking entry.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CONNECTING TO A PRIVATE NETWORK

Once the wizard is completed and your connection has been created, you will find that Server 2003 will have assumed several things about your dial-up networking entry that might not work for your specific situation. To double-check everything, edit the properties for this dial-up connection by right-clicking the icon for it in the Network Connections window. Clicking the Networking tab on the properties page should bring you to a page similar to the one shown in Figure 20.38. FIGURE 20.38 Dial-Up Networking entry properties

Windows Server 2003 will assume you want to use several defaults when you try to connect to this remote network. For example, it will assume you want to use all the protocols loaded on your system for this connection, it will assume it can use unsecured passwords, etc. Some of these options might not make sense in specific situations. For example, if you are connecting to an IP-only network, it doesn’t make much sense to try and negotiate an AppleTalk connection. Even though Server 2003 will realize that it can’t establish the AppleTalk connection, why even try? To fine-tune this connection, remove or add specific protocols as needed by checking the boxes next to the protocols listed under the Networking tab of the Dial-Up Networking entry properties pages. If you are connecting to a remote TCP/IP network and the device you are dialing in to does not provide you with an IP address or DNS server addresses automatically, you can program these in by highlighting the TCP/IP protocol and then clicking the Properties button. This will bring you to the specific TCP/IP settings to use for this connection (Figure 20.39).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1619

1620

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

FIGURE 20.39 Editing TCP/IP properties for DialUp Networking entries

On this screen you can enter the necessary information for your TCP/IP connection. If you are accessing a remote network that uses WINS servers but does not provide those addresses to you, enter them in the advanced TCP/IP settings area by clicking the Advanced button and then clicking the WINS tab. Once you have your protocols configured correctly, click OK to get back to the main properties page for this dial-up connection. If you need to edit any other properties, such as the type of security or authentication to use, click the appropriate tabs and make those settings as necessary. If you think this looks similar to the steps to connect to the Internet described earlier in this chapter, you are correct. Basically, all the mechanisms are the same in Dial-Up Networking, but different wizards will take a different approach to the settings that are applied by default. Therefore, some of the same advanced options discussed in the “Connecting to the Internet” section (reestablishing failed links, redialing non-responsive numbers, etc.) are available for regular dial-up connections to private networks.

Acting as an Internet Gateway One of the hottest little “niche” applications people always seemed to want to do with Windows NT 4 Server was to share an Internet connection with everyone else inside their organization. After all, NT servers were usually set up to share other resources (files, printers, etc.)—so it made sense that NT Server should have been able to share an Internet connection, right? Not exactly.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACTING AS AN INTERNET GATEWAY

With enough tweaking and some strict rules to follow, you could actually have NT Server dial an Internet connection and route traffic for internal hosts out to the Internet. However, the setup is difficult and cumbersome, and it requires having valid (InterNIC-assigned) IP addresses available for everyone within the organization. Without using a third-party software solution, the act of simply sharing a $20/month unlimited-access Internet account wasn’t a viable option. Now, Microsoft has included a variety of capabilities in Windows Server 2003—actually, this was around in Win2K too—that make this task relatively easy. With the correct information about what type of connectivity you need to the outside world, Windows Server 2003 can act as an Internet gateway for your internal clients, leveraging an existing Internet connection among all the workstations in your organization. Although Microsoft has included some great tools for sharing connections on your network, it is important to note several subtle hints Microsoft has included in their documentation for this feature of Windows Server 2003. First and foremost, Microsoft often makes several references to small or home office networks, implying that this capability really isn’t designed for use in medium-to-large environments. I would have to agree with them on this point; if you have a reasonable number of workstations on your network, you will probably be far better off going with a product such as Microsoft Proxy Server and a dedicated Internet connection. The second point Microsoft makes repeatedly throughout their documentation is that “you should not use this feature in an existing network with other Windows Server 2003 domain controllers, DNS servers, gateways, DHCP servers, or systems configured for static IP.” Since this configuration requires a very specific IP configuration to work correctly, implementing this on a network that doesn’t conform to that configuration could cause lots of difficulty. I would agree with Microsoft on this point as well. Although acting as an Internet router isn’t one of the options normally available through the New Connection Wizard used throughout this chapter, fortunately one of the other options will configure most everything necessary. By using the steps detailed in the last section, “Connecting to a Private Network,” and connecting to the Internet as the “private” network, you can make Windows Server 2003 act as an Internet gateway, routing traffic from your internal clients out to the Internet and back again.

Configuring Windows Server 2003 to Act as an Internet Gateway Start with the same steps listed in the section “Connecting to a Private Network” and go all the way up to the point where you enter the phone number, using a local access number for your ISP as the number of the private network to dial. This time, when the New Connection Wizard (pictured back in Figure 20.37) asks if you would like to make this connection available to all users, select Anyone’s Use instead of My Use Only. When you finish the wizard, you will be presented with the Connection dialog box. Here you need to enter a username and password in order to share the connection among all your users. Once you have entered the name and password, you will need to allow the connection to save the credentials by checking the Save This User Name and Password for the Following Users box. Of the two available sets of users, you will need to select the Anyone Who Uses This Computer radio button. Once you have finished, click the Properties button. Although there is no Apply button on the Connect dialog box, the simple act of clicking the Properties

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1621

1622

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

button seems to save the username and password combination. From the properties sheet, click the Advanced tab to complete the final step for the process of sharing this connection with your users (see Figure 20.40). FIGURE 20.40 Defining sharing options

Click the check box entitled Allow Other Network Users to Connect through This Computer’s Internet Connection. This will enable the sharing properties for this connection. The other option you can see in the Internet Connection Sharing (ICS) section of this property sheet allows for a dial on-demand feature for the connection. That way, any time a user makes a request for this connection, the computer will know to automatically establish the connection. Since you are implementing a shared Internet connection, you probably want to select this option also. When you check the box for this feature and click OK, you should receive a warning dialog box similar to the one in Figure 20.41. FIGURE 20.41 Static IP address change warning

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACTING AS AN INTERNET GATEWAY

This dialog box lets you know that Windows Server 2003 will need to make several changes to its IP configuration for this functionality to work, including specifying a fixed IP address to use for the server’s internal network connection. If anyone is connected to your server at this point, make sure they are disconnected before continuing, otherwise they may lose their connections to the system. Click Yes to continue, and Windows Server 2003 will make the appropriate IP changes to support sharing an Internet connection. Once you have completed the wizard and made any changes to the settings, you should see an icon for your shared connection in the Network Connections dialog box. Launch the connection to verify that everything is working correctly. Since you have saved the username and password combination for this connection, when it is demand-dialed it will have what it needs. Once you have established that the connection works correctly in and of itself, it’s time to define a few rules as to what you want to allow across your Internet connection. Defining Service Configurations

By default, Windows Server 2003 will not automatically route any traffic from the Internet to the machines on your network. You must define specific rules as to what type of traffic (i.e., what TCP/IP packets) can go across your shared connection. To do this, begin by editing the properties for your shared Internet access connection by right-clicking the Shared Internet Connection icon in the Network Connections window and then selecting Properties. Click the Advanced tab, and you should see the same settings for enabling shared access for this connection and on-demand dialing that you saw in Figure 20.40. At the bottom of the window is a button labeled Settings. By clicking the button, you can define settings for which services can go across your shared Internet connection, as shown in Figure 20.42. FIGURE 20.42 Configuring services settings for Internet Connection Sharing

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1623

1624

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Note The other two tabs you see in Figure 20.42 are only visible if you enable the Internet Connection Firewall (ICF) on the advanced properties sheet for the connection. Here’s the short version of what ICF gives you. Basically, even if you don’t enable ICF, your shared Internet connection won’t allow any incoming traffic by default. Once you enable it, however, you can allow your connection to accept and/or respond to ICMP traffic, like ping (echo requests). You can also set up logging in the connection and record dropped packets and successful connections.

Sharing an Internet connection allows you to accept traffic from external hosts targeted at systems within your network. For example, maybe you have a small Web server running in your organization that you would like people to be able to access. Using a shared Internet connection not only lets your users share access to the Internet, but it can be programmed to allow Internet access to your internal shared resources as well. This is one of the reasons why it’s important to define rules as to what is allowed in to your shared Internet connection. If you need to have outside clients access services on a computer on your internal network, you will need to enable them from the Services tab in the Advanced Settings dialog box of your connection properties. Unless you want people from the outside world connecting to your internal systems, I recommend leaving this blank. But if you have a Web server or an FTP server that you need to have people connect to, this is the place to do it. Click the check box for the type of service that you want to allow external access to. To define an internal host that Windows Server 2003 should direct that type of traffic to, click Edit. You should see the dialog box pictured in Figure 20.43. FIGURE 20.43 Configuring a predefined service for ICS

As you can see in this example, you don’t really need to know anything about ports to do this because Windows Server 2003 assumes the standard port settings for these services. However, if you prefer to use different port settings for any of your services, or if you want to add a service that is not in the predefined list, click OK to return to the Advanced Settings property sheet you saw in Figure 20.42. To define your own services, click the Add button and you will see the dialog box shown in Figure 20.44.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACTING AS AN INTERNET GATEWAY

FIGURE 20.44 Adding a shared access service

Keep in mind that services that are accessed on your network using ICS by external clients won’t connect directly to the IP address assigned to your internal workstation that has the destination service (especially since in most cases the internal IP addresses won’t be routable addresses on the Internet). Instead, external systems will connect to your Windows Server 2003 on a specific port, and based on what port they connect to, Server 2003 will redirect the request to one of your internal systems. Start defining your service by giving it a name—for example, the name of your Web server or an application your clients will access, etc. and then list the name of the server that will host the service or application. If you are using DHCP to assign IP addresses to your internal computers, I recommend referencing the system by name in this dialog box, rather than the IP address. In the External Port Number for This Service field , enter the port you will expect incoming connections to come to. If you wanted to allow incoming HTTP traffic, for example, you would enter 80. The Internal Port field is used to route your traffic to whatever port your service is being hosted on. Some services or applications use both TCP and UDP packets. You can’t enable them both here, though. If you define this application to accept TCP packets as shown in Figure 20.44, you’d need to create another service definition with the same configurations to allow UDP packets to access the application across the port. Once you have completed this definition, click OK and you should see the new service listed in the Services list. If you have a connection that is dialed on demand, though, it’s important to note that this won’t typically work for incoming connections. That is, your ISP won’t know that it should dial your server whenever someone on the Internet tries to access a service or application on one of your systems. Therefore, if you are going to accept incoming service connections I’d recommend having your Internet connection online at all times. Once you have defined the appropriate service settings, it’s time to configure your clients to direct their Internet traffic to your Windows Server 2003 for routing.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1625

1626

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Configuring Clients

Once your server is ready, you will need to tell your clients to route their Internet traffic to your Windows Server 2003. When Windows Server 2003 receives these packets, it will realize that they are destined for the Internet and route them as necessary (initiating your demand-dialed connection if needed). You can either program each workstation manually or let DHCP do it for you by defining the correct scope and options to use. Note For more information on configuring DHCP scopes, see Chapter 7.

The following information will work in your DHCP scope for getting your clients connected to the Internet (other slight variations would work as well; this is merely an example): ◆ ◆ ◆ ◆

Address range: 192.168.0.2 to 192.168.0.254 Address mask: 255.255.255.0 Default gateway: 192.168.0.1 DNS servers to use: enter your ISP’s DNS server addresses

To enter these settings manually on a Windows XP, 2000 Professional, NT 4, or 9x client, edit the TCP/IP properties of your computer to change the IP address to something in the range just listed. The mask should be 255.255.255.0 as listed, and the default gateway should be 192.168.0.1, the IP address your Windows Server 2003 will give itself once you enable the shared connection. In Windows XP Professional, this would look similar to the dialog box shown in Figure 20.45. FIGURE 20.45 TCP/IP settings for shared access on Windows XP

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING VPN CONNECTIONS FROM REMOTE CLIENTS

The last setting to make is the DNS server setting. Since your workstation will need to look somewhere to translate host names into IP addresses, you will need to put the DNS server IP addresses for your ISP into your connection settings. If you don’t know the IP addresses of your ISP’s DNS servers, I recommend contacting them to ask them directly or see if they list the appropriate settings somewhere on their Web site. Once you have the correct DNS and TCP/IP settings programmed in, you should be able to connect to the Internet using your newly configured ICS. You should see that your Windows Server 2003 automatically initiates the connection as needed whenever one of your client systems tries to access the Internet.

Accepting VPN Connections from Remote Clients Virtual private networking (VPN) is one of the hottest subjects in networking today. With the widespread presence of the Internet, it only makes sense that corporations and organizations would want to try to leverage existing investments in Internet connections for their corporate networks. But as exciting as VPN can be, it can also be a rather complex subject. Since it is basically a means of layering one logical network over another, the complexities of making a network connection are, in effect, doubled.

VPN Overview Loosely defined, a VPN allows you to run a secure, private network over an unsecured public network. You can use virtual private networking to get clients connected to your network over the Internet and do it securely, even though the Internet is inherently an unsecured network. One of the better analogies I’ve found for explaining the concepts of a virtual private network is to refer to them as “pipes.” To conceptualize VPNs, think of two pipes, one large and one small. Now, imagine that the small pipe actually runs inside of the large one. It starts and ends at the same places the large pipe does, and it can carry materials on its own, completely independent of whatever is happening in the large pipe. As a matter of fact, the only thing the small pipe depends on the large pipe for is the determination of the start and end points. Beyond that, the small pipe can operate independently of the large pipe in terms of direction of travel, materials it carries, etc. To add another layer to this analogy, let’s assume that the large pipe is made out of a transparent material, and the small pipe is made out of metal. If anyone were to take a look at the pipe-withina-pipe, they would easily be able to see whatever was moving through the outside (large) pipe. However, whatever was traveling through the inside pipe would remain a mystery. If this is starting to make sense, you should be thinking to yourself that the large pipe represents the unsecured network (i.e., the Internet) and the small pipe represents the virtual private network. VPN is a way of tunneling data packets through a connection that already exists but that can’t be used on its own for privacy reasons. Obviously, the Internet is a perfect example of a network that often can’t be used alone for privacy reasons. So, what benefit does this have for the overworked network administrator? Well, for starters, it could reduce or eliminate your need to maintain a pool of modems at your site for remote dial-in users. Remote users don’t need to call directly into your network to get connected; they can simply call in to a local ISP and get a valid Internet (unsecured) connection. Assuming you have a VPN/ RAS server running on your network (and it’s connected to the Internet), once the remote user has

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1627

1628

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

connected to their ISP, the client just has to establish the VPN (secured) session with the RAS server. The cost of maintaining modems and phone lines is shifted to the ISP. As long as your RAS server is connected to the Internet, you can support multiple incoming calls all over that one connection. Also, in keeping with this example, since the VPN session is being established over the Internet, there is no need for any long-distance calls. If your remote user is hundreds of miles away, the cost to connect to your network is the same as if they were local, since the only call they would need to make would be to their ISP. This is a great way to support a geographically dispersed user base. Microsoft has gone a long way toward making virtual private networking easy to implement since its inception in Windows NT 4. However, if there is one piece of advice I could give everyone trying to implement virtual private networking, it is this: get a good, solid RAS server working and accepting incoming connections first. Use standard connections (analog modems, ISDN, etc.) on your RAS server first to make sure everything is functioning correctly. Once you are sure RAS is working correctly for standard connections, only then is it advisable to try implementing VPN connections. Since virtual private networking adds another layer of functionality “on top of ” RAS, it is crucial to have a stable foundation to begin with. RAS can be peculiar in its behavior at times, so it is important to have all your configurations working correctly (DHCP address assignment, browsing, etc.). If only I had a nickel for every time I heard someone say “this VPN thing is messed up,” only to find out that if they dial in to their network over a modem connection, they experience the exact same problems.

A Brief History of VPN: PPTP, L2F, and L2TP When virtual private networking was first being developed back in the mid-1990s, two of the largest companies in the computer/networking industry tried to run with implementations of VPNs in the hopes that they would enjoy widespread implementation and therefore become an “industry standard.” The two companies were Microsoft and Cisco, and each had its respective VPN technologies. Microsoft was approaching the VPN market from the operating systems point of view and had developed Point-to-Point Tunneling Protocol (PPTP) as a means to securely transmit data across unsecured networks. At the same time, Cisco was taking the lead in VPN from a strictly networking point of view with a protocol called Layer 2 Forwarding, or L2F. Now, when either of these companies decides to develop an industry standard, they can usually get away with it if one doesn’t already exist. No single standard had obtained a large enough share of the VPN market to be considered an industry standard, so the playing field was literally wide open. However, the sheer muscle and momentum that either one of these companies can put behind an initiative wasn’t necessarily enough to displace the other. Each protocol had its strengths and weaknesses, and Microsoft’s and Cisco’s offerings enjoyed moderate successes. Now, I’m speculating a bit here, but I think that since neither industry giant was going to successfully displace the other in the VPN market, they decided it would be better to cooperate than compete. In any case, Microsoft and Cisco made the decision to collaborate on virtual private networking by merging their protocols, PPTP and L2F, into one hybrid protocol. The final product of that collaboration is Layer 2 Tunneling Protocol, or L2TP for short. Windows Server 2003 includes L2TP support for establishing virtual private networking connections, but it also includes support for PPTP for backward compatibility with other operating systems. L2TP is supported in Windows 2000 (Server and Professional) and Windows Server 2003. Windows 98, Me, and NT 4 can utilize the functionality of L2TP and IP Security (IPSec) by

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING VPN CONNECTIONS FROM REMOTE CLIENTS

installing an additional client. Okay, enough said. Let’s assume you’ve got a good solid RAS server running and get on to the fun stuff.

Implementing VPN via PPTP and L2TP If you went through the section “Accepting Incoming Calls from Remote Users,” congratulations— you have 80 percent of what you need to support VPN connections in place already. When you install Remote Access Service, Windows Server 2003 should have added support for five PPTP connections and five L2TP connections by default. If you didn’t go through the section to accept incoming calls from remote users, stop reading now and go back to complete the steps listed there. For the remainder of this section, we’ll assume you have a functional RAS server in place. We’ll start by verifying that support for PPTP and L2TP is in place through the Routing and Remote Access MMC. Start the RRAS MMC by selecting Start/Administrative Tools/Routing and Remote Access. In the left portion of the MMC window, you should see the name of your RAS server listed; expand the information for that server by double-clicking it or clicking the plus sign next to the server. Right-click the listing for ports, and then select Properties to edit the ports (Figure 20.46). FIGURE 20.46 Ports Properties screen

In the Ports Properties screen, you will see all the ports that Server 2003 has recognized and can use for Remote Access Service. Each device has a usage listed, a device name, a type, and a number of ports associated with it. By default, RAS should have PPTP and L2TP devices installed on your system with five ports allocated to each. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1629

1630

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Depending on which type of connections you will be allowing and how many you want to allow, you can edit your protocols and ports accordingly from here. For example, you may only need to support L2TP for your VPN, but if you still have clients using PPTP, then you’ll need to keep those available. You can also extend the number of L2TP and PPTP ports to 128 each, if required. In any case, to edit the port properties for either type, double-click the item to edit or just highlight it and click the Configure button. This will take you into the port configuration screen shown in Figure 20.47 (the screen looks the same whether you are configuring PPTP, L2TP, or modem ports). FIGURE 20.47 Configuring RAS ports (PPTP shown)

To configure your server to accept VPN connections, make sure the Remote Access Connections (Inbound Only) option is checked in the Configure Device dialog box. Despite the fact that the dialog box has a Phone Number for This Device field, you need to enter the public Internet IP address of your server (assuming the Internet is the public, unsecured network you will be using). This is the IP address that clients will eventually connect to across the Internet for establishing VPN circuits. Tip I strongly recommend that you use a fixed IP address and Internet connection for your server. Yes, you can use a dial-up connection from your RAS server to the Internet, and you can even make dynamic IP addresses work for this. But with dynamic IP addresses, your server’s IP address will change every time it has to reestablish its link, quickly becoming a management nightmare.

Depending on how many simultaneous virtual private networking connections you plan on supporting, adjust the Maximum Ports value accordingly (up to 128) and then click OK. Tip I recommend disabling any and all VPN connections that you don’t plan on using. For example, if you are only going to support L2TP connections, disable PPTP by unchecking the Remote Access Connections (Inbound Only) option on the properties page for PPTP. This will prevent anyone from trying to establish a connection to your server via PPTP without your knowing about it.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING VPN CONNECTIONS FROM REMOTE CLIENTS

Client Configuration

To get a client workstation connected to a Windows Server 2003 running VPN protocols, you will need to have one of the following: ◆ ◆ ◆ ◆ ◆ ◆

Windows 95 with the Dial-Up Networking 1.2 upgrade or better (PPTP only) Windows 98 (PPTP or L2TP) Windows Me (PPTP or L2TP) Windows NT 4 Workstation or Server (PPTP or L2TP) Windows 2000 Professional or Server (PPTP or L2TP) Windows XP Professional (PPTP or L2TP)

Let’s go through getting some of these clients connected to a VPN using PPTP. Since older operating systems such as Windows 95 and Windows NT 4 don’t install tunneling protocols by default, the first thing to do is add PPTP support to the client system. PPTP is a standard protocol, just like NetBEUI or NWLink, so the procedures for adding this new protocol are roughly the same. In addition, support for L2TP is relatively recent in most of these clients. Microsoft released a VPN client software download recently to upgrade the VPN clients on these older systems so that they could be compatible with the L2TP/IPSec standards. Windows NT 4 Workstation

Assuming you already have Dial-Up Networking set up on your NT 4 Workstation, the first step to adding VPN support is to add the Point-to-Point Tunneling Protocol in the Control Panel/ Network applet. Start by clicking Start/Settings/Control Panel/Network, and then click the Protocols tab. Clicking the Add button from the protocols properties page will bring you to the protocol properties dialog box, as shown in Figure 20.48. FIGURE 20.48 Protocols properties page in NT 4 Workstation

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1631

1632

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Once you have selected the Point-to-Point Tunneling Protocol and clicked OK, NT 4 Workstation will ask you how many simultaneous virtual circuits you’d like to support in the dialog box in Figure 20.49. FIGURE 20.49 Configuring the number of virtual circuits to support

The number of circuits you choose here will determine how many virtual ports Windows NT 4 will add to its configuration. Each virtual port will be called VPNx, with x referring to the specific port number. In effect, they function similarly to modems running on COM ports (COMx), so think of these VPN devices as virtual modems. If you will only be connecting to one virtual private network at a time, choose 1 and click OK. Once you have completed selecting the number of virtual circuits to support, NT 4 Workstation will invoke RAS setup to allow you to add your new virtual modem(s) to the RAS configuration. Click the Add button in Remote Access Setup and you should see your VPN device in the Add RAS Device window (see Figure 20.50). If you see a modem or some other device there, try pulling down the list and then selecting your VPN device. Once you have your VPN device selected, click OK and it will be added to your RAS configuration. FIGURE 20.50 Adding VPN devices to RAS in NT 4 Workstation

Once you are back to the Remote Access Setup screen, highlight your VPN device and click the Configure button. This device should be configured for Dial-Out Only, as shown in Figure 20.51. Once everything is set correctly, click OK and RAS will start the installation routine. This will most likely require a reboot of your computer, so go ahead and restart it and get back into Windows. To use your VPN device, the last step you need to perform is creating a Dial-Up Networking entry.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING VPN CONNECTIONS FROM REMOTE CLIENTS

FIGURE 20.51 Configuring VPN devices for dial-out only in NT 4 Workstation

Double-click My Computer and then Dial-Up Networking to begin creating a new Dial-Up Networking entry. Creating a VPN Dial-Up Networking entry is almost identical to creating a regular Dial-Up Networking entry for a phone line, except that you will use an IP address instead of a phone number to dial and the VPNx device instead of a modem. This is shown in Figure 20.52. FIGURE 20.52 Creating a VPN Dial-Up Networking entry in Windows NT 4 Workstation

As you can see, this Dial-Up Networking entry will call a VPN server at IP address 10.16.0.4, the same IP address used in the configuration of the RAS/VPN server earlier in this chapter. As long as the VPN device is selected in the Dial Using pull-down box, everything should be set for this connection. Unlike the newer clients, you may have to perform two steps to initiate a connection to your VPN server. The first step to making this connection is to make sure you have an actual, valid Internet IP address before doing so. If you need to use Dial-Up Networking to connect to an ISP for this, do that first. Once you have a valid IP address available, launch your VPN Dial-Up Networking Connection

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1633

1634

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

to get connected to your remote system. Once you provide a set of valid user credentials, you’ll be connected to your VPN. To disconnect from the VPN, simply double-click the Dial-Up Networking icon in My Computer, select the phonebook entry for the VPN, and click the Hang Up button, as shown in Figure 20.53. You can also right-click the Dial-Up Networking Monitor icon in the system tray and choose Hang Up. FIGURE 20.53 Disconnecting a VPN session in NT 4 Workstation

Windows 9x

Windows 9x takes a unique approach to implementing virtual private networking through the use of a Microsoft VPN adapter. Instead of adding support for PPTP or other protocols (like in other Microsoft operating systems), all you need to do is add the VPN adapter to your system to get connected. Note To add VPN support for Windows 95, you must have the Dial-Up Networking upgrade v1.2 or later installed on your system. Windows 95 only has support for PPTP, remember. VPN support for PPTP is included in Windows 98 right out of the box, and with the addition of the L2TP VPN client, which you can download from the Microsoft Web site, Windows 98 will support L2TP as well as PPTP.

Start by editing the network properties of Windows 9x by selecting Start/Settings/Control Panel/Network. When the Network properties page comes up, click the Add button, and then select Adapter as the component type you’d like to install. Your screen should look like Figure 20.54. In the list of adapters supplied, scroll down to Microsoft for the manufacturer, then select the Microsoft Virtual Private Networking Adapter listed on the right side of the screen. Click OK, and Windows 9x will add the VPN adapter to its system. Of course, this will require a reboot for the changes to take effect. Once your system has rebooted, the next step to getting connected is creating a Dial-Up Networking entry to connect to your VPN server. From the Windows 9x Desktop, double-click My Computer,

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING VPN CONNECTIONS FROM REMOTE CLIENTS

then Dial-Up Networking, and then Make New Connection to launch the Make New Connection Wizard, shown in Figure 20.55. FIGURE 20.54 Adding the Microsoft VPN Adapter to Windows 9x

FIGURE 20.55 Windows 9x Make New Connection Wizard

From the Select a Device pull-down box, choose the Microsoft VPN Adapter if it isn’t already selected. Click Next to move to the next step of the wizard shown in Figure 20.56. Enter the IP address or DNS name of your VPN server in the box as needed. In the example in Figure 20.56, we have used an IP address of 10.16.0.4. You may remember that this is the same IP address used in the configuration of the RAS/VPN server earlier in this chapter. After entering the hostname or address, clicking Next will complete the wizard and place a VPN Dial-Up Networking entry on your system.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1635

1636

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

FIGURE 20.56 Entering the IP address of a VPN server in Windows 9x

To make the VPN connection, you must make sure you have an actual, valid Internet IP address before doing so. As with NT 4, you may need to connect to the VPN in two steps. If you need to use Dial-Up Networking to connect to an ISP for your IP address, do that first. Once you have a valid IP address available, you can then launch your VPN Dial-Up Networking connection to get connected to your remote system. After providing a valid set of user credentials, you’ll be connected to the VPN server. To disconnect the connection, simply double-click Dial-Up Networking from My Computer, double-click the connection to the VPN server, and then click Disconnect, as shown in Figure 20.57. Or you can right-click the connection in the Dial-Up Networking window and click Disconnect. FIGURE 20.57 Disconnecting the VPN connection in Windows 9x

Windows 2000

Windows 2000 added a few nice features to the client side of establishing VPN connections, namely the ability to automatically associate one DUN entry with another. For example, if you need to dial an ISP before you can connect with your virtual private network, Windows 2000 can join these

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING VPN CONNECTIONS FROM REMOTE CLIENTS

two functions. The end result is that when you (or your users) need to connect to the virtual private network, doing so only requires launching one Dial-Up Networking session, rather than the two steps required with the older clients. Windows 2000 also includes support for L2TP without any additional add-on software components. Like most of the remote access functionality in Win2K, to define a VPN connection, you will begin with Start/Settings/Network and Dial-Up Connections, and then the Make New Connection Wizard. Remember, you may have to add your phone information here if this is the first time you’ve initiated this. After clicking Next in the initial screen of the wizard, select the option Connect to a Private Network Through the Internet, as shown in Figure 20.58. FIGURE 20.58 Creating a VPN connection on Windows 2000

Click Next to continue. If you have already created a dial-up connection on your system, Win2K will then ask if you need to establish a public network (Internet) connection first before establishing the VPN connection, as shown in Figure 20.59. Tip If you have not yet created a dial-up connection, Win2K will not give you the option to decide whether or not to dial it during the wizard. However, if you create a dial-up connection after you create the VPN connection, you can make sure that Win2K knows to use the dial-up connection first by changing the setting in the VPN connection properties sheet. To set this, simply right-click the VPN Connection icon from the Network and Dial-Up Connections window and click Properties. Then check the Dial Another Connection First check box.

If the Win2K device you will be connecting already has a valid, public Internet IP address, answer Do Not Dial the Initial Connection to this question. Otherwise, if you need to obtain an IP address first from an ISP, select Automatically Dial This Initial Connection and choose the connection that will get you connected to the Internet. Doing so will cause your VPN Dial-Up Networking connection to initiate an ISP connection first. Click Next to continue on to entering the IP address or hostname of the target server, as shown in Figure 20.60.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1637

1638

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

FIGURE 20.59 Creating a public connection before a VPN connection

FIGURE 20.60 Entering the IP address of the VPN server

Much like many of the other client platforms we’ve already discussed, you will need to enter the IP address of your target system or a DNS-resolvable hostname. As you can see, this Dial-Up Networking entry will call a VPN server at IP address 172.16.0.1. Click Next to continue, and the final step of the wizard will ask you whether you want to make this VPN connection available to

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING VPN CONNECTIONS FROM REMOTE CLIENTS

all users or just yourself. For the purposes of this section, I’ll assume that you just want to use the VPN connection for yourself, so click the Only for Myself radio button and click Next to finish creating the Dial-Up Networking entry. Select a name for the connection and click Next to finish the wizard. You also have the opportunity here to have Win2K create a shortcut on the Desktop for this connection, a handy feature if the connection will be used often. Once you have completed the wizard, you will have an opportunity to test the connection. When it comes time to actually establish this connection, if you selected the option to have Win2K dial an initial connection, you will see a dialog box like the one in Figure 20.61 asking you if the public network connection should be initiated first. FIGURE 20.61 Windows 2000 asking if an initial public network connection should be established first

Windows XP

To create a virtual private network connection in Windows XP, open Control Panel from the Start menu and double-click the Network Connections icon. Start the New Connection Wizard by double-clicking that icon and click Next in the initial screen of the wizard. Click the Connect to the Network at My Workplace radio button (Figure 20.62) and then click Next. FIGURE 20.62 Setting up a VPN connection in Windows XP

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1639

1640

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

In the next screen, choose the Virtual Private Network Connection option and click Next. Type in the name you want to use for this connection and click Next. If you have previously set up a dial-up connection on your XP client, you will now receive the option of whether to dial that first, before connecting to the VPN. If, for instance, you need to connect to an ISP to receive a valid IP address, which is required before you can utilize the VPN, choose the Automatically Dial This Initial Connection option as seen in Figure 20.63. FIGURE 20.63 Windows XP asking if an initial dial-up connection should be established before connecting to the VPN

Note When I say that your VPN client needs a valid IP address, realize that if your client machine is on a network which uses NAT or private IP addresses routed through a centralized device like a router, a demand-dial server, or your cable modem at home—as long as that device supports VPN traffic—you will be able to connect to the VPN just as you would to the Internet from that machine, no matter what kind of IP address you have.

In the next screen of the wizard, type in the IP address or hostname of the VPN server (172.16.0.1 in the example) and click Next. The next screen asks you to decide who will use this VPN connection that you are creating (see Figure 20.64). If you want to share the connection among several users on the machine, choose the Anyone’s Use option and the connection will be copied to the All Users profile on the machine. For now, choose the My Use Only radio button to reserve the use of this connection and user credentials to one user. The final screen of the wizard allows you to view the options you have selected and enables you to create a shortcut to this VPN connection on your Desktop, which can be handy if you will be using it often. When you have completed the wizard, if you have opted to dial another connection first, you will be asked if you would like to dial that initial connection at this time. If you do not have another connection that you need to dial before connecting to the VPN, you will be taken to the Connect dialog box, where you can click the Connect button to test your connection (Figure 20.65).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

ACCEPTING VPN CONNECTIONS FROM REMOTE CLIENTS

FIGURE 20.64 Decide who will be allowed to use the VPN connection on this machine.

FIGURE 20.65 Test your connection.

Once you are connected and your credentials are verified, you can use the VPN connection to access resources on the remote network, use drive mappings and even browse the remote network using Network Places. You can copy this VPN connection in the Network Connections folder and rename it if you need to create multiple VPN connections on this machine. Just change the connection and security settings for each connection to accommodate the various VPN servers you need to connect to.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1641

1642

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

To disconnect the VPN connection in Windows XP, right-click the connection and choose Disconnect. You can also, of course, double-click the connection and do the same thing or right-click the network icon in the notification area of the system tray and choose Disconnect. There are always at least three ways to do anything in a Windows environment, remember? Note Keep in mind that a firewall can keep you from being able to connect using your new VPN. If you are having trouble connecting, consider any firewalls that may exist, whether it is on a home pc or in the corporate environment in the course of your troubleshooting.

VPN Performance Considerations Our section on virtual private networking wouldn’t be complete without taking a bit of time to discuss performance issues to consider. Although virtual private networking is a neat technology, unfortunately there are some times when it just might not make sense to use it. Careful planning and consideration should help you determine if it is a solution that can add value to your organization. In the right set of circumstances, virtual private networking can provide fast, reliable, and secure connections to remote networks across the Internet (or another unsecured network). However, in the wrong set of circumstances, a VPN can make an already slow dial-up connection seem even slower. So what are the right circumstances? In my professional opinion, the right circumstances are when you have high-speed connectivity on your RAS server at the very least and preferably when you have high-speed connectivity on both your RAS server and your DUN client. On occasions when I have been able to implement VPN circuits at locations with a T1 or better available at both the server and client ends, performance has been wonderful and the connections reliable. However, due to the protocol overhead involved with PPTP and L2TP and the inherent latency of the Internet, if you are planning on implementing a VPN with dial-up modems on each side of your connection, I urge you to think twice. I wish I could say that Microsoft’s VPN implementations were going to give you the performance you might expect over modem connections, but they just won’t. Simply due to the additional complexities of encrypting the data, bundling the payload data inside a TCP/IP packet, and the latency of communications across the Internet, you can expect a decrease in your performance ranging anywhere from 10 to 50 percent. Now, without getting into all the technical details, it is worthwhile to note that this isn’t entirely Microsoft’s fault; after all, they can’t be blamed for the fact that the Internet can be inherently slow at times (or can they?). However, even with the worst-case scenario of a 50 percent reduction in performance, if there is a T1 on each side of the virtual private network, the effective speeds of the network are still roughly in the 760Kbps range. However, if you’re using a 56K modem on each side of the virtual private network, which probably won’t connect much faster than 48Kbps, you can easily see how a 50 percent performance penalty can make a connection go from “slow” to “unusable.” Simply put, if you are using a modem on your RAS server and a modem on your DUN client, you will get your best possible speeds by having one dial directly in to the other. And without a VPN, there is no protocol overhead getting in the way, nor is there the need for your data to travel across dozens of routers as it works its way to its destination. By creating a direct connection, data packets go directly from the DUN client to the target network. However, everything in life is a trade-off, and it will be up to you to decide whether this will work adequately enough for your needs. After all, what is adequate to one person might be great to another Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

DIALING UP A REMOTE NETWORK AND ROUTING TRAFFIC

and unacceptable to yet another. In either case, expect a performance penalty when implementing virtual private networking and plan your bandwidth accordingly.

Dialing Up a Remote Network and Routing Traffic With the release of the Routing and Remote Access Service update to Windows NT 4 Server, Microsoft was able to improve on the routing capabilities that already existed in Windows NT. Although Windows NT 4 shipped with routing capabilities right out of the box, they were limited and cumbersome, to say the least. Microsoft then included all the capabilities of the Routing and Remote Access Service update in Windows 2000 Server, making that operating system a platform capable of solving several common routing scenarios right out of the box. Microsoft has added a few more features to Server 2003, including support for preshared keys in L2TP/IPSec authentication, the ability for NAT interfaces to work with Basic Firewall, support for L2TP/IPSec connections originating from VPN clients behind a network using NAT, and broadcast name resolution by a NetBT proxy on the VPN server for networks operating without WINS or DNS. All in all, Windows Server 2003 offers a fairly comprehensive package in its RRAS implementation. Let’s take an example of routing traffic from a central office to a remote office over an analog connection. Many organizations are often faced with a connectivity dilemma when opening remote offices, especially if there are only a small number of computers at the remote site. Installing dedicated links between locations can be cost-prohibitive depending on the number of people at the remote site, but having a group of individuals completely isolated from the organizational network usually isn’t an acceptable alternative either. Windows Server 2003 is a perfect solution for this scenario, as it can establish demand-dialed links between locations whenever traffic needs to pass from one site to another. By using simple modems and ordinary phone lines, Windows Server 2003 can be a lowcost alternative to installing dedicated WAN links. To get started, let’s walk through the details of a sample scenario.

Sample Network Our sample network consists of the following: ◆ ◆ ◆ ◆ ◆ ◆ ◆ ◆ ◆

Number of sites: two (New York and Atlanta) TCP/IP subnet for New York: 10.16.0.x with a subnet mask of 255.255.255.0 TCP/IP subnet for Atlanta: 172.16.0.x with a subnet mask of 255.255.255.0 Windows Server 2003 RRAS server in New York: NYC-RAS1 with an IP address of 10.16.0.4 Windows Server 2003 RRAS server in Atlanta: ATL-RAS1 with an IP address of 172.16.0.1 Phone number for analog line connected to New York Windows Server 2003 RRAS server: (212) 555-1212 Phone number for analog line connected to Atlanta Windows Server 2003 RRAS server: (404) 555-1212 User account created in the New York Active Directory and granted dial-in permissions: ATLANTA-ROUTER, password: atlanta User account created in the Atlanta Active Directory and granted dial-in permissions: NEWYORK-ROUTER, password: newyork Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1643

1644

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

In effect, our network looks similar to the diagram shown in Figure 20.66. FIGURE 20.66 Diagram of sample network NY Site Corporate LAN

ATL Site

Modem

Modem

Corporate LAN

Analog line

NYC-RAS1 IP: 10.16.0.4

ATL-RAS1 IP: 172.16.0.1

User Workstation IP: 10.16.0.5

User Workstation IP: 172.16.0.2

Setting Up the First Server To start building a demand-dialed analog connection between these two locations, you will need to have your Windows Server 2003 able to function as a router. If you’ve worked through any of the configurations previously discussed in this chapter, your system is probably configured to simply act as a Remote Access Server. Changing roles for the server is as simple as editing the properties for the Remote Access Service. Note For the purposes of walking through the first server configuration, I will be configuring the necessary components on our New York router first, using the details just defined.

To change roles for your server, open the Routing and Remote Access MMC by selecting Start/ Administrative Tools/Routing and Remote Access. Edit the properties for Remote Access Service on your server by right-clicking your server name and then selecting Properties. You should see a dialog box similar to the one pictured in Figure 20.67. To add routing services to your system, put a check in the box labeled Router and then select one of the two radio buttons below that option. If you will only be using LAN-based interfaces (Ethernet adapters, etc.) as your routing devices on your system, you can leave the Local Area Network (LAN) Routing Only option selected. However, if you intend to use dial-up connections (as we will in this example), demand-dialed links, or VPN connections, select the LAN and Demand-Dial Routing option. Click OK to apply the changes, and Windows Server 2003 should stop and restart the Routing and Remote Access Service to implement the changes.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

DIALING UP A REMOTE NETWORK AND ROUTING TRAFFIC

FIGURE 20.67 Editing RAS server properties to add routing capabilities

When you return to the Routing and Remote Access MMC, the next step will be to enable routing support for one of the ports on your system. In the Routing and Remote Access MMC, make sure you have expanded the RAS server by clicking the plus symbol next to it, then right-click the option for Ports and select Properties to get to the ports properties pages. Once you have the ports properties pages available, double-click the device you intend to use as your demand-dialed connection (if the device you want to use isn’t listed, go back to the section on adding RAS devices earlier in this chapter). The configuration page for that device should look similar to the dialog box in Figure 20.68. FIGURE 20.68 Editing properties for the demanddial port

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1645

1646

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Configure this device by checking the Demand-Dial Routing Connections (Inbound and Outbound) option and clicking OK. If you would eventually like to use Bandwidth Allocation Protocol with this configuration—to increase bandwidth by adding more dial-up connections as needed— enter the phone number for your connection and click OK to accept the changes. When you return to the Routing and Remote Access MMC, you might have noticed a new item called Network Interfaces in the results pane of the window when you look at your Windows Server 2003, as shown in Figure 20.69. This option was added when routing services were added to the server, and it is where you will begin to add your demand-dialed interface. FIGURE 20.69 Adding a demanddial interface to the RRAS MMC via Network Interfaces

To start creating a demand-dial interface, right-click the Network Interfaces selection, and then choose the option to add a new demand-dial interface. This will launch the Demand-Dial Interface Wizard, which will walk you through steps to create the interface. Once you click Next to get through the initial wizard screen, the first step of the wizard appears, as shown in Figure 20.70. FIGURE 20.70 Defining a name for a demand-dial interface

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

DIALING UP A REMOTE NETWORK AND ROUTING TRAFFIC

In most cases of assigning a friendly name to a RAS or other type of connection, any name will do. However, in creating demand-dial routing connections, the name assigned to a demand-dial interface is important. The name assigned to a demand-dial connection must match the name of the user account entered into the Active Directory at the same site. The same must be true on both sides of the wide area network. To quote Microsoft directly: “The username in the authentication credentials sent by the calling router must exactly match the name of a demand-dial interface on the answering router.” If the username does not match a demand-dial interface name, the answering router will assume that the incoming call is a RAS user, not a remote router. Therefore, whatever name is entered here must also be used as a username on the same system’s Active Directory. Since we’re walking through setting up our New York remote office in our example that will dial out to the Atlanta office, I’ve decided to call this interface ATLANTA-ROUTER. When you have entered the appropriate name, click Next to continue to the next stage of the wizard, shown in Figure 20.71. FIGURE 20.71 Selecting the connection type for the demand-dial interface

Here you will need to choose the option to Connect Using a Modem, ISDN Adapter or Other Physical Device or you can choose to use Point to Point Protocol over Ethernet (PPPoE), which allows you to utilize your broadband connection to pass packets from one LAN to another. Choose the first option and click Next. In the screen that follows, select the modem or adapter that you want to use. This step of the wizard should be relatively self-explanatory. The wizard needs to know what phone number Windows Server 2003 should dial when it is attempting to connect to Atlanta. Enter the number exactly as your system should dial it, including any prefixes, area codes, etc. If you have a list of alternate numbers that Windows Server 2003 can use to establish this demand-dial connection, click the Alternates button and enter the information there. When you click Next to move to the next step in the Demand-Dial Interface Wizard, you should see a dialog box similar to the one pictured in Figure 20.72.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1647

1648

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

FIGURE 20.72 Selecting protocol and security options for a demand-dial interface

Depending on the network you are connecting to, here you can select which protocols Windows Server 2003 should route, although since Microsoft has dropped IPX/SPX from its list of RRAS protocols, this list is becoming pretty slim. In addition to selecting the appropriate protocols for the remote network, you can also choose to have Windows Server 2003 create a user account so that the remote network’s router can dial in to your system. Lastly, you can choose custom connection options such as sending a plain-text password if that is the only way the remote router will let you connect, or any advanced scripting options you might need. Depending on the options you select from this screen, the remainder of the Demand-Dial Interface Wizard will vary, but for the purposes of our example we’ll assume you’ve selected IP and decided to create a user account for a remote router as seen in this figure. Click Next to continue to the next step of the wizard, shown in Figure 20.73. FIGURE 20.73 Adding static routes for the remote network

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

DIALING UP A REMOTE NETWORK AND ROUTING TRAFFIC

Here you will need to define a static route entry for the remote IP network. In effect, you will need to tell your Windows Server 2003 “whenever you need to contact these IP addresses, use this demanddial interface to get there.” By entering a static routing entry for the remote network’s IP address range in the Atlanta office and then defining the demand-dial interface as the connection to use, Windows Server 2003 will know to route any packets for that network by dialing in to the remote router. To add a static route, click Add and you should end up with a dialog box similar to the one in Figure 20.74. FIGURE 20.74 Defining a static route to a remote network

Here you can define the network address and mask for the remote network, which this interface will use to get the packets to their destination. Windows Server 2003 will use this information to determine if packets—when it receives them—match the IP address range of the remote network. If the packets match the range defined, Windows Server 2003 will route them. Lastly, you can leave the metric at 1. Once you have all this information entered, click OK and you should see your static route appear in the list of Static Routes. Click Next to move to the Dial-In Credentials pane of the wizard, as seen in Figure 20.75. FIGURE 20.75 Configuring router dial-in credentials

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1649

1650

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Remember that, although we are creating this interface to route our New York users to Atlanta by using the demand-dial connection, when users in Atlanta are routed to the New York office, the RAS server in Atlanta (ATL-RAS1) will need to access this interface we are creating in New York. When ATL-RAS1 attempts to connect to this interface, it will need to have credentials that are valid in New York. As previously stated, the friendly or descriptive name you use for a demand-dial interface needs to be the same as the credentials for that connection, otherwise the answering router (NYC-RAS1) will assume the incoming caller (ATL-RAS1) is simply a RAS connection, not a router. Since we are defining a demand-dial interface to also allow calls into the ATLANTA-ROUTER device we are creating here in New York, if ATL-RAS1 were to call the NYC-RAS1 system we’re now configuring, it would need to identify itself as ATLANTA-ROUTER. Therefore, the username field is grayed out by default, preventing you from changing it. This is an important point, because if you decide to change the user accounts used by RRAS at a later date, but you don’t change the interface names accordingly, you could end up with a broken routing system. Enter a password for this account to use, and make a note of it. Click Next to continue to the next screen in the wizard, as seen in Figure 20.76. FIGURE 20.76 Configuring router dial-out credentials

Now we’ll look at how we dial out to the Atlanta office from the interface we are creating here in New York. You will need to define the user credentials that NYC-RAS1 will use when calling the Atlanta office and dialing in to ATL-RAS1. The username entered here must match the name of the demand-dial interface configured on the remote system (ATL-RAS1) exactly or else the remote system in Atlanta will simply assume your Server 2003 is a standard RAS user. Remember the network configuration I showed you earlier for our scenario? We called the interface in Atlanta NEWYORK-ROUTER, so that is the user account that we will need to use when we connect to Atlanta from New York. Enter the appropriate domain, username, and password combination for your configuration and then click Next.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

DIALING UP A REMOTE NETWORK AND ROUTING TRAFFIC

At this point, you have completed exactly half the work required to have your systems routing data over analog links. The other half of the job, of course, is to go through the exact same steps on the other system by configuring a demand-dial interface in the same manner we just described. In our case that other system would be the Atlanta system, called ATL-RAS1. On that system we will create a demand-dial interface called NEWYORK-ROUTER, which will be used both to route Atlanta network traffic destined for the New York office to NYC-RAS1 and to receive incoming calls from our NYC-RAS1 system. Once you have both systems configured correctly, you should be able to test your connection to see if it works by doing a ping from one system to another. Note For more information about Ping, see Chapter 6. Warning This may just be a bug that hasn’t been ironed out, but despite the fact that the Demand-Dial Interface Wizard told me that it would create a user account for me, it didn’t, at least not in the Active Directory. When I initially tested my new connection to the Atlanta office, I found that I couldn’t authenticate. What happened? In Figure 20.75, you can see that I have no choice in the username that will need to authenticate in New York since it has to be the same as the interface name. Note that it doesn’t specify any domain information. On the following screen (Figure 20.76), I configured the dial-out credentials to use the interface name of the RAS server in Atlanta (NEWYORK-ROUTER). Note also that I was given the opportunity to add the domain name for those dial-out credentials in the wizard. I assumed that a domain account would be created. So, in New York, I told the interface to use the domain account DEVTECHS\ NEWYORK-ROUTER for the outbound connection to Atlanta. In Atlanta, however, the user account created in the wizard for the dial-in credentials, although it was called NEWYORK-ROUTER, was not actually created in the DEVTECHS domain. Upon closer inspection, I found that when I created the interfaces, both in New York and in Atlanta, an account was indeed created, but it was a local account. So, in the same wizard in which you can specify a domain account for the dial-out credentials, you get no opportunity to add the domain information to the dial-in account, leaving you with two different sets of credentials on each interface.

Start at one of your Windows Server 2003 boxes configured with a demand-dial interface, go to a command prompt, and ping one of the IP addresses on the distant network. You should see your demand-dial connection come online and start passing traffic. However, it is important to realize that for the type of communication you are attempting, your call setup times might take too long. For example, the ping command typically sends four ICMP echo requests, and then waits 1.5 seconds after each one for a response. All total, a test of four pings should take no longer than 6 seconds. However, if you are using analog connections, your call setup times are most likely going to be in the range of 20–30 seconds. Therefore, your connection won’t come online in time to satisfy the request. For testing purposes, I would recommend using an indefinite ping by using the -t option on the command line, such as ping -t 172.16.0.2, which is an address in the Atlanta office in our scenario. To solve problems like these and others, you can use some fine-tuning controls for your demanddial connection. For example, if you are using analog lines to connect sites and the analog lines aren’t billed per-minute, it might make sense to have your demand-dial connection online all the time. This is called making a persistent connection. From the Routing and Remote Access MMC, click the selection for Routing Interfaces in the left pane of the window. In the results pane, you should see your demand-dialed interface listed. Right-click the demand-dialed interface and select Properties to edit the properties page for this connection. You should see a four-tabbed dialog box similar to the one in Figure 20.77 (shown with the Options tab selected).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1651

1652

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

FIGURE 20.77 Editing router interface properties

There are several settings you can control through this dialog box, but some of the most useful are listed under the Options tab shown in Figure 20.77. For example, if you are using an ISDN connection to reach your distant network and your ISDN is billed per minute, you can enter an idle time-out value in the Connection Type area of the window so your connections don’t stay on any longer than necessary. Or, if the opposite is true, and you aren’t billed per minute for your connections, you can select the persistent connection option to have the link stay online all the time. If, for some reason, the link fails, Windows Server 2003 will bring it right back online again. Set the options you would like to use for this interface. Now click the Security tab to view your authentication protocol and encryption options, as shown in Figure 20.78. If you leave the default option checked for Typical (Recommended Settings) in the Security Options section of this dialog box, you are telling the RAS server to require a secured password for the connection, but you are given the opportunity to allow unsecured passwords here as well by clicking the drop-down box. The check box labeled Require Data Encryption is not a default setting, but if you want to make sure that the data that passes in and out of this interface is encrypted, select Require Data Encryption (Disconnect if None) to force the system to disallow any unencrypted communication. Otherwise, by default, the server will request encryption, but will allow nonencrypted clients to connect anyway. Dial-up connections in RAS use Microsoft Point-to-Point Encryption (MPPE). VPNs have two options for encryption. You can specify either MPPE and Point-to-Point Tunneling Protocol (PPTP), or IP Security (IPSec) encryption along with Layer 2 Tunneling Protocol (L2TP). Remote Access Policies are used to specify encryption levels, which can be set to Basic (40-bit), Strong (56-bit), or Strongest (128-bit). MPPE requires the use of the MS-CHAP (v1 or v2) or EAP-TLS authentication protocols. To set your authentication protocols for this interface,

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

DIALING UP A REMOTE NETWORK AND ROUTING TRAFFIC

check the box labeled Advanced (Custom Settings) and click the now-highlighted Settings button. You should see the screen shown in Figure 20.79. FIGURE 20.78 Security settings for the RAS interface

FIGURE 20.79 Authentication protocols for the RAS interface

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1653

1654

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Use this properties page to decide which authentication protocols to allow on the interface. You can also customize in more detail how the interface handles encryption. Rather than simply requiring encryption or asking for it and then allowing the connection anyway, you can also choose to disallow all encryption. This will disconnect any connection that tries to send encrypted data; you even have the ability to require strongest encryption without having to set this in your Remote Access Policies. If you need to create anything more customized than these settings allow, you will have to learn all about Remote Access Policies, which allow you to fine-tune exactly what your clients can do with the connection based on various attributes—for instance, the phone number that they dial in from, the type of OS they are using, group membership, or perhaps the time of day that they are calling. By using these attributes, you can create policies that will affect the way a user can connect, how long they can use the connection, IP addressing, idle times, and more. Don’t forget to make sure to give the users the ability to connect by checking the Allow Access setting in their user properties. Also, remember that this interface is set up to dial another network, as well as to receive inbound calls from clients. It is, then, a client itself at times. The Networking tab allows you to adjust the client settings for this interface for the times that it is dialing in to another network, in this case, Atlanta. Click OK to save your settings and return to the RRAS MMC. Take a look at Figure 20.80. When you right-click the demand-dial routing interface in the Routing and Remote Access MMC, there are some additional options you could set, in addition to editing the property sheets of the item itself. For instance, you can reset the credentials that this interface uses when it dials another network, in this case, our Atlanta office. Remember, though, that if you reset the username here for the dial-out credentials, you will also have to change it in the Active Directory of the remote network (it could be that both of these offices are in the same AD, of course) or on the local server, if the remote RAS server is not a member of a domain. FIGURE 20.80 Additional interface settings

You can also manually connect or disconnect from here, which can be very useful for testing or troubleshooting. One of the more useful items listed is the ability to create IP filters for the connection. With this option, you can discriminate against certain types of traffic and allow or prohibit the

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

THE MOST COMMON (AND POORLY DOCUMENTED) RAS PROBLEMS

traffic through the interface. You can even specify whether the connection should be initiated at all, based on the type of traffic. If you click the Dial-Out Hours menu option, you can set the hours in which this connection can be established. If you would like to restrict the times when your demanddial connections can be brought online, select the Dialing Hours option when you right-click the routing interface. You should end up with an hourly grid dialog box, like the one in Figure 20.81, in which you can select the hours to allow and disallow connections. By default, users can access the connection at any time of day or night. FIGURE 20.81 Defining dialing hours for demanddial connections

Once you have completed everything, you should have a functional wide area network running between locations and passing data as necessary. Through the use of this functionality, I have seen organizations that have set up completely “virtual” WANs consisting of multiple sites that all look as if they’re operating as one large network, but in reality they are each small sites which are connected to a master network over analog links. Although Windows Server 2003 isn’t designed to displace high-end routers in complex routing scenarios, it is a good solution for a lot of networking problems— some of which you may face.

The Most Common (and Poorly Documented) RAS Problems Microsoft’s RAS service is a great feature in Windows Server 2003—and even though they’ve made it simple to set up, under the hood a complex communication mechanism is working away to get packets from one system to another. Often, the Microsoft wizards will help you with setting up most of the settings necessary for RAS itself, but RAS depends on some other specific settings within Windows Server 2003 to function properly. In this section, we’ll take a look at some common (and poorly documented) problems that users run into when they’re trying to set up RAS.

“I’ve connected to a RAS server from my home PC, but I can’t browse anything on the network!” Okay, technically this doesn’t fall under a RAS problem per se—but browsing remote networks is a problem most commonly found on RAS connections. Actually, it’s the number one problem that I see posted on Usenet when people are trying to get RAS configured and running on their network. Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1655

1656

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Let’s say that you gave the phone number for the RAS server to Jane in Accounting so that she can work at home. After giving her a quick lesson on how to create a dial-up networking connection, you’re hoping that Jane will be able to connect to the network from her Windows 98 PC, and then navigate through the network to get to the resources that she needs. So Jane successfully dials in over the weekend but she can’t see anything in her Network Neighborhood. If she knew how to map a drive, she’d be able to do it—but she’s accustomed to double-clicking things in the NetHood to find her files. So, she can’t work. On Monday, she calls for help—frustrated that she’s now behind in her work. That leaves you with the unpleasant task of remotely troubleshooting a home user’s PC. Who knows, maybe her 14-year-old kid messed up the TCP/IP stack? Or maybe there’s some odd problem with her modem? In any case, it might seem like it’s going to be a painful issue to troubleshoot since you can’t easily get your hands on the PC. Well, here’s a quick tip that could save you a lot of headaches: More often than not, when a user experiences this type of problem, it’s due to a misconfigured workgroup configuration on their computer. For example, let’s say that your network domain is called COMPANY (we’ll stick with down-level NetBIOS names here to make it easier). Now, most retail PCs that a user might buy for their home are configured out-of-the-box with something like Workgroup for their workgroup setting. Odds are good that the company that your user bought her PC from didn’t give it the same workgroup setting as the name of your domain. And that’s what you need so Microsoft browsing will work properly. The solution is to configure the workgroup name on the client’s workstation to be the same as the Windows NT/2000/Server 2003 domain or workgroup to which your users are connecting. If you’ve run into this problem, give it a shot and see if it works.

“How can I keep RAS connections alive when a user logs off of their workstation?” By default, RAS connections (on Windows NT and 2000 clients) are automatically disconnected whenever a user logs out of their workstation. If you have a workstation setup at a remote site that multiple people use, you might not want this to be the case. In order to change this default behavior, you’ll need to modify the registry on the RAS client—the system that is dialing in. Look in the following key in the Registry: HKEY_Local_Machine\Software\Microsoft\Windows NT\Current Version\Winlogon

You may see a value in that key called KeepRasConnections, but most likely you won’t. It’s not there by default. Add this value to your system as a type REG_SZ, and give it a value of 1 (the default behavior is indicated by a 0). This will instruct the client workstation to keep the RAS connection open, even when the user at the workstation logs out.

“No matter what I try, I can’t seem to get a modem connection from a workstation to my RAS server.” If you’re in this boat, you have two places to start diagnosing the problem: the server or the client. Fortunately, you might get lucky with the server diagnosis—if other users or workstations can successfully dial in to the RAS server, then it’s probably not a server problem. So, the next course of action is to start troubleshooting the workstation.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

THE MOST COMMON (AND POORLY DOCUMENTED) RAS PROBLEMS

The great advantage—and disadvantage—of the Windows operating system is that it hides the complexity of operating the underlying components of a system. For example, instead of knowing that to dial a modem you need to issue the command ATDT5551212 and wait for the response, you simply need to know how to enter a phone number in the appropriate dialog box within Windows. But, what if you want to troubleshoot the dialing function? It would be helpful to see those commands as they are passed back and forth to your modem. Windows Server 2003 makes it an easy process to view the modem commands that RAS clients or RAS servers send. By default, Windows Server 2003 will automatically log the commands that it sends to any modem. To view the log files for a particular modem, start out by selecting the Phone and Modem Options icon from the Control Panel. Click the Modems tab and then select the modem whose log file you want to view. Edit the properties for the modem, and then select the Diagnostics tab on the modem properties. You should see a View Log button on the diagnostics page—click it, and it will bring up a file named %systemroot%\ModemLog_modemname.txt. This file contains the history of all the commands passed back and forth between Windows Server 2003 and your modem. Got a problem with a modem on a RAS server that never wants to answer calls? Try checking the log files to see if they’re arguing over something. Got a RAS client that just can’t seem to dial in, even though everything is configured correctly? Check the log and see if there’s a problem with the initialization strings that Windows Server 2003 is sending. These log files can help you go far in your troubleshooting endeavors.

“Can I make a RAS client automatically dial in to a RAS server at a specified time?” Absolutely! For example, let’s say that you wanted to have an automatic routine set up for each office to call into the home server (called HOMEBASE) every night and transmit its sales figures, back up a few key data files, etc. You’ll need to create the following: ◆ ◆ ◆

A dial-up networking connection with the properties for the remote server (we’ll call it HOMEOFFICE in our example) A batch file to dial the dial-up networking connection and transfer the files A job in Scheduled Tasks to trigger the batch file to run nightly

Now, the creation of the dial-up networking entry is pretty straightforward. We’ve covered that at length earlier in this chapter. The batch file that you create might look similar to the following (the important line to note is the RASDIAL command): @ECHO OFF CLS ECHO Transmitting updates to HOMEBASE server RASDIAL HOMEOFFICE NET USE X: \\HOMEBASE\sharename XCOPY C:\TRANSFER\.* X: /S /E /Y ECHO Updates to HOMEBASE server completed—hanging up RASDIAL HOMEOFFICE /DISCONNECT

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1657

1658

CHAPTER 20

INSTALLING AND MANAGING REMOTE ACCESS SERVICE IN WINDOWS SERVER 2003

Tip If you receive an error telling you that RASDIAL can’t find the phonebook entry HOMEOFFICE, you might have to specify the path to the phonebook file (.pbk) in the batch file.

Now, the commands here are pretty straightforward, but the key is the RASDIAL command. This is a command-line utility that will automatically dial a dial-up networking entry. For this to work you will need to have cached the username and password credentials on the dial-up networking entry that is named (HOMEOFFICE in this case). After that, the batch file runs some standard commands to connect to a share on a server, and then copy files up to the server. After the commands are completed, the RASDIAL command will hang up the connection. Test the command out to make sure that it works properly interactively—running it from the keyboard. Once you’re sure that all the timing and sequence is correct for your needs, it’s time to schedule the batch file to run nightly. By default, the scheduler service is automatically installed in Windows Server 2003, so setting up a job is as simple as a few point and clicks. To create a schedule, start out by launching the Scheduled Tasks icon from the Programs/Accessories/System Tools menu. Click Add Scheduled Task to add a new task to your system, and then proceed through the wizard panels as prompted. Schedule the batch job to execute on a nightly basis, and then leave it alone as the system obeys and runs your batch file every night. You could even get fancy with your batch file by trapping certain error levels—sending alert messages if there are errors, etc.

“My dial-up users aren’t getting the WINS and DNS addresses that are defined on our network.” Due to the nature of the communications protocols used for dial-up connections versus local network connections, the rules are a little bit different when it comes to how clients get their WINS and DNS configurations. For LAN connections, it’s a pretty straightforward process: the workstations will use WINS and DNS settings that are either hard-coded into the TCP/IP stack, or whatever they receive from a DHCP server’s scope properties. So, it should work the same for dial-up connections, right? The workstation should either use its own hard-coded settings or the settings defined on a DHCP server, right? Wrong! Once, this little quirk had me stumped for the better part of a day at a client’s site. Here’s what happens—by default, Windows Server 2003 RAS servers will offer WINS and DNS addresses to clients based not on what the DHCP scope says, but whatever is configured for the RAS server itself. So, if you have your network’s DHCP configuration setup perfectly, but you forgot to hard-code the correct WINS or DNS configuration in the RAS server, your RAS clients will be misconfigured when they dial in.

“I don’t want my dial-up users to get the WINS and DNS addresses that are defined on our network.” Okay, so let’s say that you want to override the default behavior of RAS to offer its WINS and/or DNS addresses to clients that are dialing in, without removing the WINS and DNS configuration from the RAS server itself. In that circumstance, you’ll need to dive into the Registry to tweak Windows Server 2003 a bit.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

THE MOST COMMON (AND POORLY DOCUMENTED) RAS PROBLEMS

To prevent your RAS server from offering a WINS address to dial-in clients, look in the following key in the Registry: HKEY_Local_Machine\System\CurrentControlSet\Services\ RemoteAccess\Parameters\IP

You may see a value in that key called SuppressWINSNameServers. If you do, set the value to 1. If you don’t see the value in there, add it and set it to a value of 1. To prevent your RAS server from offering a DNS address to dial-in clients, look for a value called SuppressDNSNameServers. If you see that value there, set it to a 1. If you don’t see the value in there, add it and set it to a value of 1.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1659

Chapter 21

Novell NetWare and Windows Server This chapter was intended for those of you who are working on a network that has both Server 2003 servers and NetWare. Although it is always possible to migrate all of your servers over to Windows Server, there may be some compelling reasons not to—the best reason being that Novell NetWare will run (and run well) on computers that cannot run Server 2003. To migrate, you’d have to buy new equipment. Frankly, if the NetWare servers are working, why get rid of them? Integration may be the cheapest, most convenient, and most efficient way to make the best of the resources you have. That is why this chapter will cover what is left of Windows’ integration components with NetWare—and what Novell has done to compensate for Microsoft’s lack of NetWare support. In order to be sure that we’re all on the same page, I am going to cover some NetWare terminology and basic concepts before actually going into integration. It helps to know what I’m talking about before I start telling you what to do. My apologies to those of you who are CNEs. I’ll try to be brief. Ever try to buy the workstation version of NetWare? You know, call your local software vendor and ask them to quote you a price on NetWare 6 workstation. You are not going to be asked if you would like the professional or home edition, that’s for certain. NetWare has always been a server product only. From the beginning, Novell was wise to keep it simple. NetWare is simply a network operating system that services clients with files, printers, and the like. A true server. No solitaire, no word processor. Heck, until relatively recently, it was menu driven. No wasted processor effort drawing windows. And that is both its strength and its weakness. You see, NetWare is a server that services clients. Any client. DOS, Unix, Macintosh, Windows of any flavor. It was built that way, already supporting diversity out of the box. Integration is NetWare’s game by definition. But the craving to just buy the workstation operating system that was designed to be a particular server’s client is pretty overwhelming. Thus, Windows dominates in the networking world. In order to get a Unix, Mac, DOS, or Windows 95 through XP workstation to access a NetWare server, you need to make them a NetWare client. To do that, you just install the appropriate client

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1662

CHAPTER 21

NOVELL NETWARE AND WINDOWS SERVER

software on the workstation of your choice. Once the software is installed, you can log in to the NetWare server and access the resources that are located there. It’s the software that is the client. NetWare makes the client software available from their Web site. (It may take some searching if you actually want to use a DOS client. There is a client available from the cool solutions/cool tools page.) Now then, why would Microsoft want to make its own NetWare integration tools? If Novell’s already got it covered, then what’s the point, right? Well, two things: One, Novell’s client software for Windows was not necessarily without flaws. Two, Microsoft, saw an opportunity to service its customers and corner a little bit more of the market. Because of that, Microsoft added the Client for NetWare component to its operating systems (both server and workstation). That is why Windows supports their version of Novell’s IPX/SPX networking protocol, which they called NWLink. That, along with their own design of the Novell Client, made it possible for the Windows machines to access NetWare files without resorting to using anything but Microsoft products to get there. There is one small inconvenience, of course, and that is having to install the client software (or add the Windows component) on all of the machines that will need it. You can use the Novell client, you can use the Windows client, but however you cut, client software must be on each workstation. Thus, Gateway service for NetWare was created. This service is available on NT and 2000 but not Server 2003. The Gateway service made it possible for machines that do not have the NetWare client software installed to access files on the NetWare server. The Gateway service used the Windows server to handle NetWare share points as if they were located on the Windows server itself. Completely transparent to the workstations, it removed the necessity of loading the client software. Unfortunately, Server 2003 does not have Gateway service for NetWare. Strangely enough, it can still be a NetWare client. I’m sure we all find that comforting. Also, an interesting fact. Let’s say that you want to migrate away from your NetWare servers to Windows Server. I would think that Microsoft would love the idea and would definitely have software at the ready for you to do just that. Free on the CD, and an easy download away. I would be wrong. Originally, Windows NT had migration software available on the Server CD. The beta version of Windows 2000 had it on the CD. But by the time Windows 2000 went retail, Directory Service Migration Tool (DSMT) and File Migration Utility (FMU) were pulled from the CD, bundled together with a few other tools for about $200 (give or take, check with your vendor) and called “Services for NetWare.” Thus, quite possibly making migrating to Windows not entirely cost effective. If you are turned off by the idea of having to install Client for NetWare on all of your workstations and servers to access the NetWare files, don’t be. Novell has come up with a way to centrally manage client access from the NetWare server, avoiding client software altogether. They created Native File Access (NFA), so Windows clients can access the servers as if they were Server 2003 servers. And, being as broad minded as they are, Novell also has native file access for Unix and Macintosh too. (Not that we are going to need them here, I just thought I’d mention it.) Make note, NFA is relatively new, and because of that it works only with NetWare 5.1 (with Service Pack 3 and higher) and 6 (straight out of the box). I think it goes without saying that it will probably be available on all new versions of the NOS as well.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

NETWARE 101: THE BASICS

NetWare 101: The Basics Although I don’t intend to use this chapter to prepare you for Novell certification, I am going to briefly explain two concepts that I think will help you understand why NetWare uses the terminology it does, when it does. These two concepts are NetWare’s Directory Service and the way it handles its filesystem.

Directory Service In 2000, Microsoft came out with its own directory service, Active Directory. NetWare has had had its own Novell Directory Service (NDS) for quite a while. It has been upgraded with newer versions of NetWare and is now called eDirectory but, for our purposes, any version does what we need it to do, so I will refer to Novell’s Directory Services, new or old, as NDS. This directory service is suspiciously similar to Active Directory but has been around much longer (you can make your own assumptions). There are trees, containers such as organizations and organizational units (OUs), users, computers, and other objects. As in AD, designing the NetWare tree takes some planning. It is a bit different though. With an NDS tree, you define the tree name, and then you choose the container that the server or servers will reside in. These large containers can be called country, organization, or domain. There are several large container types to choose from because some businesses are structured geographically while others are structured organizationally. Recently, Novell added the domain type of container for administrators who are partial to domain models. All the containers function in basically the same way: they organize groups of servers, user accounts, and other resources for management and logical convenience. And, just like domains in a tree in AD, there can be more than one of these large containers in a NetWare tree, any of which can contain any number of organizational units and other objects. NDS tends to think of users as an object essentially equal to servers and not “contained” in them per se. They can be in the same organization as the server, or they can be located in an OU within that organization (and they are generally organized by OU, just as they are in AD). Because of this, NetWare users may need to specify the “context” or container their account is in explicitly, not just their tree and organization. Generally, when you log in to a NetWare server, you are really logging in to the container where your user account resides. You will typically be using a login dialog box that has a field in which to specify the tree, a field for the big container, and a field for the username. To further specify where the user account really is, you will need to add the context of the exact container in which the user account is located by adding it to the username itself. The syntax for entering a username with context on one line is username.container. Just like a domain name, there has to be a period between the username and the container name. If the container (probably an OU) is nested within another container, the context will be nested as well, from small to big: for example, username.subOU.OU. In your network environment, your NetWare administrators may have set up their Novell servers and clients to allow for Contextless Login. This can require NetWare to scan the NDS tree for all users regardless of what OU they are in (especially if the NetWare admin has not set up a catalog on the server of containers for the users). If there are several John Smiths and one of them is trying to log in, a list will pop up to allow him to choose the right one (you hope), then enter his password.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1663

1664

CHAPTER 21

NOVELL NETWARE AND WINDOWS SERVER

Filesystem Because NetWare likes to keep it simple, doesn’t fix what isn’t broken, and has been around for a long time, it uses DOS. DR DOS to be precise, but DOS nonetheless. As a matter of fact, the boot partition of the NetWare server’s hard drive is a DOS partition. That also brings us to another NetWare naming convention. The NetWare partitions are not given a new drive letter and a name, as they are in Windows. They are volumes, so they are given volume names. In NetWare, the first partition is usually called SYS, and additional volumes are inevitably named, vol1, vol2, vol3, and so on. Not particularly creative or intuitive, I know. This is probably because, being rooted in DOS, the administrators instinctively keep names short (especially since many patches and support packs are DOS based). Mind you, this does not mean that NetWare cannot handle long filenames. In order to access files on a Server 2003 server, the user must have a valid account and password. That account must have the right to access the folders and use files. That helps secure the resources on the network. I guess it comes as no surprise that NetWare also requires any user accessing its filesystem to have a valid user account and password. Although it is redundant (and therefore must be managed at both servers), it is logical. I can almost hear you groaning about the extra work necessary to create and manage dual user accounts. Chances are that the NetWare server already has user accounts for all users who access files there, but even if they haven’t been created already, there are several handy tools that the NetWare administrator can use to import users into NetWare from AD. All you need is a valid username and password. There is no need, on the NetWare side, to do anything else but give the users rights to folders, so no fussing with home directories or login scripts unless you want to. Tip Native File Access (NFA) has a User Import Utility that will pull user account names and passwords from the authenticating domain controller and create simple NetWare accounts with them. Just make sure NFA is set to Domain Mode so it can find the correct Domain Controller to pull from.

Now that I’ve covered the particulars of NetWare, specifying a user context during login and browsing through volumes on the server should make more sense. That said, it’s time to delve into the mysteries of the NetWare client.

CSNW (Client Service for NetWare) Client Service for NetWare (CSNW) hasn’t changed much over the years. It requires NWLink IPX/ SPX and NetBIOS over IPX/SPX to communicate with the NetWare servers, so it installs these protocols during its install process. It uses the username and password that is being utilized to log in to the workstation to authenticate to the NetWare server. Obviously that inhibits logging in to the Server 2003 network as one person and logging in to the NetWare network as another. It’s important to make sure the NetWare user account matches the user account on the Server 2003 domain controller for everyone who will be using CSNW. Once CSNW is installed, it runs pretty much invisibly. To add the CSNW to the Server 2003 server (or to an XP workstation, for that matter), you will need to access the Local Area Connection properties page. On an XP Workstation, right-click Network Places on the Start menu and choose Properties. Alternatively, go to the Control Panel and select Internet and Network Connections, choose Network Connections, right-click the Local Area Connection icon, and select Properties from the drop-down menu. On a Server 2003 server, choose Control Panel from the Start menu, go to Network Connections, and select Local Area Connection (see Figure 21.1).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CSNW (CLIENT SERVICE FOR NETWARE)

FIGURE 21.1 Local Area Connection properties page

Click Install. It will bring up a dialog box that will list the type of component you could install. Select Client and click Add. In the Select Network Client dialog box (see Figure 21.2), choose Client Service for NetWare (it may be your only choice) and click OK. FIGURE 21.2 Installing Client Service for NetWare

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1665

1666

CHAPTER 21

NOVELL NETWARE AND WINDOWS SERVER

In a moment or two, you will be prompted to reboot the computer. Because, by definition, the Client Service for NetWare is intended for clients, it does require a reboot. This, of course, is not generally something that an administrator wants to do with a Server 2003 server during business hours—unless they actually enjoy talking to a large number of irate users. Once the computer has rebooted and you log back in, you will be prompted to enter either the name of the NetWare server you prefer to use, or the tree and context (container) in which your NetWare account is located (see Figure 21.3). This second option is useful if there is more than one server in the organization (or country or domain) your account belongs to. FIGURE 21.3 Logging in to NetWare Network

Tip The choices you make in the Select NetWare Logon dialog box will be saved to the local drive and used when you log in again. If you want to change your preferred server or context, you will need to go to the Control Panel, change to Classic View, and double-click the CSNW icon.

Once the Desktop comes up, it will appear as if nothing has changed. To see if CSNW did in fact install NWLink IPX/SPX–compatible protocol and NWLink NetBIOS, go to the Local Area Connection properties page (see Figure 21.4). They should be listed. Note If you are having a problem getting CSNW to work, remember that it uses IPX/SPX. Early versions of NetWare used the nonstandard Ethernet frame type 802.3; all newer NetWare servers use 802.2. It is possible for the auto-detect feature of NWLink to choose the wrong one. Pretty unlikely, but possible. You can fix this problem by selecting the NWLink IPX/SPX/NetBIOS Compatible Transport Protocol, then clicking the Properties button. In the properties page, you can choose to manually add the appropriate frame type.

To access the newly available NetWare servers, simply browse to your network though My Network Places (or whatever way suits your fancy). You will notice that there is a new NetWare or Compatible Network icon (see Figure 21.5). If you double-click the NetWare network icon (or select it in the Folders list, as I did in Figure 21.6), you will be presented with the icons for the tree and/or server(s) that fit your context (if you’ve ever played with Windows’ pre-existing icons and wondered what the tree was for, now you know).

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

CSNW (CLIENT SERVICE FOR NETWARE)

FIGURE 21.4 Making sure NetWarecompatible protocols are installed

FIGURE 21.5 New NetWare Network icon

If you double-click a server, it will display the volumes available (see Figure 21.7). You may not have the right to access them all, but they are there. You can map a drive letter to a volume or directory just like any other network drive. If you were to open up one of those volumes (assuming you have the rights to), you would see that the filesystem (as shown in Figure 21.8), complete with long names, is just like that of Windows.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1667

1668

CHAPTER 21

NOVELL NETWARE AND WINDOWS SERVER

FIGURE 21.6 NetWare resource icons

FIGURE 21.7 NetWare volumes

Windows’ Client Service for NetWare is pretty straightforward. It integrates well with Windows software (for obvious reasons). Also, since it is not a separate software package, you don’t have to worry about installing upgrades, patches, or service packs. CSNW does have some limitations, one of which is the fact that your Windows login has to match your NetWare login. If this is a problem and you would like to monitor your connections or have additional functionality other than logging in and that’s it, installing Novell’s Client may be the right

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

NOVELL’S CLIENT FOR WINDOWS (CLIENT32)

thing for you. Be aware that this product is not supported by Microsoft (since it’s made by Novell), so it may not play nice with some software packages, and it may be difficult to uninstall. I suggest you test it before you install it on a production machine. And, just to be safe, never load it on a Server 2003 server that’s in production (to avoid any software fighting on the server during work). FIGURE 21.8 List of folders on the NetWare server

On the other hand, the Novell Client is really convenient to use. Once you’ve had it installed for a while, you’ll wonder how you got along without it. It is especially useful for and designed to support administering NetWare servers and services from the client (by someone with the correct rights of course).

Novell’s Client for Windows (Client32) To install the Novell Client for Windows, affectionately known as Client32, you first need to download it from Novell’s Web site. It will be easy to find, even if Novell makes changes to their site. Once you have downloaded the client software, unzip it to a location of your choice (preferably a network share, if you are going to be using it elsewhere in the future). In that location, it will unzip to a folder called WINNT. Open WINNT, open the subfolder called i386, and scroll to the setupnw file. Double-click setupnw to launch the Novell Client Installation program (see Figure 21.9). For a typical client, perform the typical install. If you are going to be administering any NetWare servers, you may want to do a custom install and add additional components. Warning If you have Microsoft’s Client Services for NetWare running, it will be uninstalled during the Novell Client installation process, otherwise it will cause conflicts as to which software package controls NetWare server access. You will be prompted to allow the installer to remove CSNW. You really don’t have any choice; the install will abort if you don’t allow the removal of CSNW to happen.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1669

1670

CHAPTER 21

NOVELL NETWARE AND WINDOWS SERVER

FIGURE 21.9 NetWare Client Installation program

After the installation is complete, you’ll be prompted to reboot. The first thing you’ll notice after rebooting is that the Windows Welcome screen has been replaced by a Novell Client box with a picture of three big Ctrl, Alt, and Del buttons on it (and the words “to login” next to them). If you press Ctrl+Alt+Del, the Novell Login dialog box displays (see Figure 21.10). FIGURE 21.10 Novell Login dialog box

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

NOVELL’S CLIENT FOR WINDOWS (CLIENT32)

This dialog box obviously has more going on than CSNW did. It can have separate tabs (if you click the Advanced button during login, as shown in Figure 21.10) for things like logging in with different NetWare and Windows accounts and displaying login scripts. If the NetWare server needs to be accessed via dial-up, dial-up settings can be managed here. At the very least, the Novell Client gives the user the opportunity to log in to Windows as one user and NetWare as another if they need to. This can be very useful if you need to log in using an administrative account on the Windows machine, and you need to log in as an administrator on the NetWare server. These two accounts will usually be different, if only for the sake of security. There are separate tabs for NetWare and Windows. Once you’ve logged in, you may notice that there is a red N next to the clock in the system tray on the taskbar. Right-click the N and you will get a menu with a plethora of extra options for managing your client connection, mapping network drives, and configuring your client login (see Figure 21.11). FIGURE 21.11 Novell Client menu

To Whom It May Concern: Contextless Logins To save time, especially if there is no one else on the NetWare server with your username, the Novell Client can be set up to do contextless logins. (The NetWare server(s) may need to be first prepped by your NetWare admin to handle logins without context, depending on which version they are running, so check first.) Select Novell Client Properties from the red N pop-up menu and go to the Contextless Login tab to enable a contextless login (see Figure 21.12). Be sure to specify the user’s tree and, if there is one, the catalog of OUs to search for users in this dialog box. If you don’t do this, NetWare will browse every container in the tree looking for any account that matches your username. That will slow down the login process and possibly bring up that list of matching names (like John Smith) to choose from. Continued on next page

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1671

1672

CHAPTER 21

NOVELL NETWARE AND WINDOWS SERVER

To Whom It May Concern: Contextless Logins (continued) FIGURE 21.12 Novell Client Configuration, Contextless Login

As far as file access is concerned, that has also changed a bit with the installation of the Novell Client. In My Network Places, there is now an icon consisting of a circle of red Ns that denotes a NetWare client’s Novell NetWare connection (see Figure 21.13) and there is a new NetWare Services icon under Entire Network. FIGURE 21.13 New Novell Connections icon

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

NATIVE FILE ACCESS FOR WINDOWS

Double-click the red Ns to access the NetWare resources (see Figure 21.14). FIGURE 21.14 NetWare resources

Up until this point, I have focused on managing the client’s access to the NetWare network from the workstation point of view. If you do not want to install and support client software on every client machine just to access files on the NetWare servers, then you are in luck. Novell has created Native File Access (NFA) for Windows just for you… Well, maybe not you exactly, but people just like you.

Native File Access for Windows Available as part of the Native File Access Pack (NFAP) from Novell, NFA for Windows is a NetWare server–based software package that makes client-side opening, saving, and working with NetWare stored files possible, without installing any NetWare client software. In many cases you can take a new Windows workstation, configure TCP/IP and, as long as there is a valid NetWare user account (and license), immediately start using it to access files on the NetWare servers. NFA for Windows uses CIFS (Common Internet File System) over TCP/IP to give Windows clients the impression that they are browsing a Windows server. Like SMB (Small Machine Block) protocol, it is easily recognized by Windows clients as a filesystem it can use to share files. CIFS file shares, and the display name for the server to the Windows clients, can be set in the CIFS properties page during install or under the properties of the NetWare server. If no file shares are specified, CIFS should display all volumes. (This is another good reason for the NetWare administrator to take user rights to files and folders seriously.) To use CIFS, the Windows clients need to authenticate somewhere to be given access to the volumes on the NetWare servers. To this end, Novell offers two different authentication methods: Local and Domain. Local authentication means that the Windows user has a user account on the NetWare server that has a simple password. The name is misleading though. It doesn’t mean the password is insecure or needs

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1673

1674

CHAPTER 21

NOVELL NETWARE AND WINDOWS SERVER

to be short and easy to crack. Novell’s eDirectory Service password uses a one-way hashed algorithm. Microsoft clients cannot do one-way hash. Thus, the simple password was created as a work-around. It allows Windows clients to have NetWare passwords that they can understand, while allowing the password to be encrypted enough to be secure. This means, however, that either the user updates their NetWare password every time they change their Windows password (which means administrators have to make sure that every NetWare user account has a simple password that matches their Windows account), or they end up with two passwords. Although inconvenient, using simple passwords with local authentication is the method preferred by Novell and is extremely stable and easy to use. Note An NDS password and a simple password are not the same thing. They can and should match, but a NetWare account can have both.

Domain authentication means that the users utilize their Windows username and password to get to the files on the NetWare servers. The NetWare server gets the user information and passes it on to the domain controller, which accepts it if it’s valid and passes the acceptance back to the NetWare server, which then lets the user access whatever files they have rights to. Mind you, there still needs to be a user account on the NetWare server that matches the Windows account because it is something to apply rights and restrictions to. Using Domain authentication allows Windows clients to only have one password. If their Windows password changes, that’s okay because they don’t have a simple password on the NetWare server to update. Domain authentication is more complicated to implement and, if something goes wrong, it’s harder to troubleshoot. However, it is a great way to limit the administrative load while giving users NetWare file access. Note NetWare 6 installs NFAP during its setup. The administrator can choose at that time to initiate the Local or Domain login method. They can change the method after installation, but they may have to stop and start CIFS in order for it to take hold properly. Tip NetWare 5.1 does not set up NFAP during installation (since it was released to CD before NFAP came out), but it can be added after the fact. The administrator needs to be sure that Service Pack 3 and any necessary patches have been installed before installing NFAP.

NetWare does not use fully qualified domain names to find Windows servers. Because of that, a WINS server needs to be up and accessible to the NetWare server if it is supposed to handle Domain logins. NetWare communicates with the Server 2003 server by way of NetBIOS over TCP/IP (NBT), especially while negotiating Domain authentication, so the Server 2003 server needs to be sure that it is accepting NBT over TCP/IP at all times. By default, Server 2003 enables NBT if the address from which it is receiving NetBIOS broadcasts is a static address, but it is best to manually set the Server 2003 server to explicitly accept NetBIOS over TCP/IP. To check if NBT is enabled, go to the Local Area Connection properties page. Select Internet Protocol (TCP/IP) and click Properties. Click Advanced and turn to the WINS tab (see Figure 21.15). Make certain that Enable NetBIOS over TCP/IP is selected. There are a few other preparations you can make on the Server 2003 server to prepare it to perform domain logins with NetWare. The NetWare server will need to have a computer account in the Server 2003 domain. When creating the computer account, make sure that you check the Assign This Computer Account as a Pre-Windows 2000 Computer. This will help Server 2003 realize that it uses NetBIOS.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

NATIVE FILE ACCESS FOR WINDOWS

FIGURE 21.15 Enabling NetBIOS over TCP/IP

Tip If authentication is set to Local, once there are user accounts in the NetWare tree, the NetWare administrator can use NFAP Security in the Remote Manager to generate simple passwords for every user it finds.

To use files stored on a NetWare server from the Windows client side, just browse to it in My Network Places (or however you generally like to get to network resources). Once you select the server you would like to access, a dialog box will pop up requiring a username and password (see Figure 21.16). FIGURE 21.16 Connecting to a NetWare server with NFA

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

1675

1676

CHAPTER 21

NOVELL NETWARE AND WINDOWS SERVER

Note Remember that you may need to use the syntax username.context in the Username field if CIFS is set for Local authentication.

Authentication will take place (it may take a few moments), and then the contents available for CIFS sharing will appear in the window (see Figure 21.17). It’s that easy. Notice that the NetWare server (I gave mine the name “netshare,” otherwise known as nvlsvr3w) shows up under Microsoft Networks looking just like a Windows server. FIGURE 21.17 Native file access to NetWare resources

Integration seems to be a word that many network administrators avoid. I’ll admit that it may be easier to handle a homogenous environment, where every server is just like every other one, and workstations are identical. But in the real world, operating systems (and hardware) can vary greatly. Things come and go over time, directions change. And, just like the people who use them, these different networks can work together. It may take some effort, but it’s worth it. Or maybe, just maybe, you might not have any choice. Sometimes you just have to make it work. I hope that, instead of giving up on your NetWare resources, you have learned from this chapter how easy it is to give Server 2003 network users access to the NetWare servers, despite their differences.

Copyright ©2003 SYBEX, Inc., Alameda, CA

www.sybex.com

Mastering Windows Server 2003

This is a footer

and

Mastering Windows Server 2003

Mastering Windows Server 2003

Mastering Windows Server 2003

Mastering Windows Server 2003

Mastering Active Directory for Windows Server 2003

Mastering Active Directory for Windows Server 2003

Mastering Active directory for Windows server 2003

Mastering Active Directory for Windows Server 2003

Mastering Windows 2000 Server

Inside Windows Server 2003

Windows Server 2003 Registry

Programming Windows Server 2003

Learning Windows Server 2003

Securing Windows Server 2003

Programming Windows Server 2003

Inside Windows Server 2003

Windows Server 2003 Bible

Windows Server 2003 Security Cookbook

Dns on Windows Server 2003

Windows Server 2003 Pocket Administrator

Windows Server 2003 for Dummies

Windows Server 2003 for Dummies

Windows Server 2003 Networking Recipes

Windows Server 2003 (Hacking Exposed)

Windows Server 2003 for Dummies

Windows Server 2003 (Hacking Exposed)

Windows Server 2003 Pocket Administrator

Windows Server 2003 for Dummies

DNS on Windows Server 2003

Introducing Microsoft Windows Server 2003

Doctitle	Vpath	Filename	Size	Write	Characterization	Rank	Directory	Path
” & hlink & “	” & RS(“Vpath”) & “	” Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com 1425 1426 CHAPTER 17 TCP/IP SERVER SERVICES (IIS, NNTP, TELNET, SMTP, POP3, AND FTP) response.write RS(“filename”) & “	” & RS(“size”) & “	” & RS(“write”) response.write “	” & RS(“characterization”) & “	” & RS(“rank”) response.write “	” & RS(“directory”) & “	” & RS(“path”) & “

Mastering Windows Server 2003

This is a footer

and

Mastering Windows Server 2003

Mastering Windows Server 2003

Mastering Windows Server 2003

Mastering Windows Server 2003

Mastering Active Directory for Windows Server 2003

Mastering Active Directory for Windows Server 2003

Mastering Active directory for Windows server 2003

Mastering Active Directory for Windows Server 2003

Mastering Windows 2000 Server

Inside Windows Server 2003

Windows Server 2003 Registry

Programming Windows Server 2003

Learning Windows Server 2003

Securing Windows Server 2003

Programming Windows Server 2003

Inside Windows Server 2003

Windows Server 2003 Bible

Windows Server 2003 Security Cookbook

Dns on Windows Server 2003

Windows Server 2003 Pocket Administrator

Windows Server 2003 for Dummies

Windows Server 2003 for Dummies

Windows Server 2003 Networking Recipes

Windows Server 2003 (Hacking Exposed)

Windows Server 2003 for Dummies

Windows Server 2003 (Hacking Exposed)

Windows Server 2003 Pocket Administrator

Windows Server 2003 for Dummies

DNS on Windows Server 2003

Introducing Microsoft Windows Server 2003

Recommend Documents