Wednesday 5 October 2011

Collection: Windows Server 2003(1)

Important Port Numbers

15 – Netstat
21 – FTP
23 – Telnet
25 – SMTP
37 – Time
42 – WINS
53 – DNS
67 – BOOTP
68 – DHCP
79 – Finger
80 – HTTP
88 – Kerberos
101 – HOSTNAME
110 – POP3
119 – NNTP
123 – NTP (Network Time Protocol)
139 – NetBIOS
161 – SNMP
180 – RIS
220 – IMAP3
389 – LDAP (Lightweight Directory Access Protocol)
443 – HTTPS (HTTP over SSL/TLS)
500 – Internet Key Exchange, IKE (IPsec) (UDP 500)
520 – RIP
3268 – AD Global Catalog
3269 – AD Global Catalog over SSL
3389 – Terminal Services

Types of Backup:

Normal Backup, Incremental Backup, Differential Backup, Copy Backup, Daily Backup

Difference between Windows Server 2000 and 2003

1) When installing Terminal Services on Windows 2000 you are prompted to choose between application server functions and administrative functions; both sets can be installed one after the other on the same server, but it performs only one function at a time. Windows 2003 still distinguishes between application and administrative services, but installation and management are now consolidated.

2) In Windows 2000 Server we can apply 620 group policies, but in 2003 we can apply nearly 720, so Windows 2003 Server is more secure than Windows 2000 Server.

3) In 2000 we cannot rename a domain, whereas in 2003 we can rename a domain.

4) 2000 supports 8 processors and 64 GB of RAM (in 2000 Advanced Server), whereas 2003 supports up to 64 processors and a maximum of 512 GB of RAM.
 
5) 2000 Supports IIS 5.0 and 2003 Supports IIS6.0 
 
6) 2000 doesn't support .NET, whereas 2003 supports Microsoft .NET 2.0.
 
7) 2000 has Server and Advanced Server editions, whereas 2003 has Standard, Enterprise, Datacenter and Web Server editions.
 
8) 2000 doesn't have any 64-bit server operating system, whereas 2003 has 64-bit server operating systems (Windows Server 2003 x64 Standard and Enterprise Edition).
 
9) 2000 has a basic concept of DFS (Distributed File System) with defined roots, whereas 2003 has enhanced DFS support with multiple roots.
 
10) In 2000 there is complexity in administering complex networks, whereas 2003 offers easy administration in all networks, including complex ones.
 
11) In 2000 we can create 1 million users and in 2003 we can create 1 billion users. 
 
12) In 2003 we have the Volume Shadow Copy Service, which is used to create hard disk snapshots for disaster recovery; 2000 doesn't have this service.
 
13) In 2000 we don't have end-user policy management, whereas in 2003 we have end-user policy management, which is done in the GPMC (Group Policy Management Console).
 
14) In 2000 we have cross-domain trust relationships, and in 2003 we have cross-forest trust relationships.
 
15) 2000 Supports 4-node clustering and 2003 supports 8-node clustering. 
 
16) 2003 has High HCL Support (Hardware Compatibility List) issued by Microsoft.
 
17) Code name of 2000 is Win NT 5.0 and Code name of 2003 is Win NT 5.1
 
18) 2003 has service called ADFS (Active Directory Federation Services) which is used to 
communicate between branches with safe authentication. 
 
19) In 2003 there is improved storage management using the File Server Resource Manager (FSRM) service.
 
20) 2003 has a service called Windows SharePoint Services (an integrated portfolio of collaboration and communication services designed to connect people, information, processes, and systems both within and beyond the organizational firewall).
 
21) 2003 has improved print management compared to 2000 Server.

22) 2003 has telnet sessions available.

23) 2000 supports IPv4, whereas 2003 supports IPv4 and IPv6.


Active Directory

An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains.
Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, we can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.

Active Directory schema

One of the defining elements of a forest is a common schema. The schema is a definition of the types of objects that are allowed within a directory and the attributes that are associated with those objects. These definitions must be consistent across domains in order for the security policies and access rights to function correctly. There are two types of definitions within the schema: attributes and classes, also known as schema objects and metadata. Attributes are defined only once, and then can be applied to multiple classes as needed. The object classes, or metadata, are used to define objects. For example, the Users class requires certain attributes such as user name, password, groups, and so on. A particular user account is simply an Active Directory object that has those attributes defined. A class is simply a generic framework for objects. It is a collection of attributes, such as Logon Name and Home Directory for user accounts or Description and Network Address for computer accounts. Active Directory comes standard with a predefined set of attributes and classes that fit the needs for many network environments. In addition, network administrators can extend the schema by defining additional attributes and extending the classes within the directory.

Global Catalog Server

Domain controllers keep a complete copy of the Active Directory database for a domain, so that information about each object in the domain is readily available to users and services. This works well within a domain but poses problems when crossing domain trees. Active Directory solves this issue with a special limited database known as the global catalog. The global catalog stores partial replicas of the directories of other domains. The catalog is stored on domain controllers that have been designated as global catalog servers. These servers also maintain the normal database for their domain.

Within a multi domain environment that is running in Windows 2000 Native mode or the Windows Server 2003 functional level, a global catalog is required for logging on to the network. The global catalog provides universal group membership information for the user account that is attempting to log on to the network. If the global catalog is not available during the logon attempt and the user account is external to the local domain, the user will only be allowed to log on to the local machine.

When you add a global catalog server to a site, the Knowledge Consistency Checker (KCC) updates the replication topology, after which replication of partial domain directory partitions that are available within the site begins. Replication of partial domain directory partitions that are available only from other sites begins at the next scheduled interval.

Components that comprise the system state on a domain controller include:
  • System start-up files (boot files). These are the files required for Windows 2000 Server to start.
  • System registry.
  • Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
  • SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
    o NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2000-based network clients.
    o User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
    o Windows 2000 GPOs.
    o File system junctions.
    o File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
  • Active Directory. The Active Directory database includes:
    o Ntds.dit (Windows NT Directory Service): The Active Directory database.
    o Edb.chk: The checkpoint file.
    o Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
    o Res1.log and Res2.log: Reserved transaction logs.

Non-authoritative restore of Active Directory

A non-authoritative restore returns the domain controller to its state at the time of backup, then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory, and you will use it in most situations that result from Active Directory data loss or corruption. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode.


Authoritative restore of Active Directory

An authoritative restore is an extension of the non-authoritative restore process. You must perform the steps of a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory, all objects in a subtree, or an individual object (provided that it is a leaf object) to make it authoritative in the directory. Restore the smallest unit necessary, for example, do not restore the entire directory in order to restore a single subtree.

An authoritative restore is most commonly used in cases in which a change was made within the directory that must be reversed, such as deleting an organizational unit by mistake. This process restores the DC from the backup and then replicates to and overwrites all other domain controllers in the network to match the restored DC. The especially valuable thing about this is that you can choose to make only certain objects within the directory authoritative. For example, if you delete an OU by mistake you can choose to make just that OU authoritative. This replicates the deleted OU back to all of the other DCs in the network and then uses all of the other information from those DCs to bring the newly restored server back up to date.
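The reason an authoritative restore "wins" while a plain restore is overwritten comes down to attribute version numbers, which the text above describes but does not show. The following Python model is an added example, not code from the original post: two constructed domain controllers replicate per-attribute versions, an OU is deleted by mistake, and the same backup is restored once non-authoritatively and once authoritatively. The 100000 version increment is ntdsutil's default for an authoritative restore; the DC names, OU and timestamps are constructed.

```python
"""Why an authoritative restore wins replication: a model of AD attribute versioning.

Added example, not from the original post. Active Directory replicates each
attribute with a version number and a timestamp; when two domain controllers
hold different values, the higher (version, timestamp) pair wins. A
non-authoritative restore brings back old, low-version data that replication
partners promptly overwrite; an authoritative restore adds a large increment
to the version numbers of the restored objects so they overwrite the partners
instead. The increment of 100000 is ntdsutil's default; everything else here
(DC names, the OU, the timestamps) is constructed.
"""
from dataclasses import dataclass, field

VERSION_INCREMENT = 100_000  # ntdsutil's default increment for an authoritative restore


@dataclass
class Attr:
    value: object
    version: int
    stamp: int  # constructed logical timestamp; breaks ties between equal versions


@dataclass
class DC:
    name: str
    objects: dict = field(default_factory=dict)  # dn -> {attribute name: Attr}

    def write(self, dn, attr, value, stamp):
        """Originating write: bump the attribute's version by one."""
        obj = self.objects.setdefault(dn, {})
        old = obj.get(attr)
        obj[attr] = Attr(value, old.version + 1 if old else 1, stamp)

    def delete(self, dn, stamp):
        """AD tombstones a deleted object rather than dropping it; model that as an attribute."""
        self.write(dn, "isDeleted", True, stamp)

    def replicate_from(self, partner):
        """Inbound replication: take the partner's copy of every attribute that outranks ours."""
        for dn, attrs in partner.objects.items():
            mine = self.objects.setdefault(dn, {})
            for name, theirs in attrs.items():
                ours = mine.get(name)
                if ours is None or (theirs.version, theirs.stamp) > (ours.version, ours.stamp):
                    mine[name] = Attr(theirs.value, theirs.version, theirs.stamp)

    def is_deleted(self, dn):
        attr = self.objects.get(dn, {}).get("isDeleted")
        return attr is not None and attr.value is True


def snapshot(dc):
    """System State backup: a deep copy of the directory as it is right now."""
    return {dn: {k: Attr(a.value, a.version, a.stamp) for k, a in attrs.items()}
            for dn, attrs in dc.objects.items()}


def restore(dc, backup, dn, authoritative, stamp):
    """Put the backed-up copy of dn on dc; with authoritative=True, mark it to win replication."""
    restored = {k: Attr(a.value, a.version, a.stamp) for k, a in backup[dn].items()}
    # The restored object is alive again on this DC. At version 0 that claim loses to any
    # replicated tombstone, which is exactly why a non-authoritative restore cannot undelete.
    restored.setdefault("isDeleted", Attr(False, 0, 0))
    if authoritative:
        for a in restored.values():
            a.version += VERSION_INCREMENT
            a.stamp = stamp
    dc.objects[dn] = restored


def scenario(authoritative):
    """Delete an OU by mistake, restore it from backup, replicate; report where it is still deleted."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    ou = "ou=Sales,dc=corp,dc=example"            # constructed
    dc1.write(ou, "description", "Sales OU", stamp=1)
    dc2.replicate_from(dc1)
    backup = snapshot(dc1)                        # backup taken while the OU still exists
    dc2.delete(ou, stamp=2)                       # administrator deletes the OU on DC2
    dc1.replicate_from(dc2)                       # the deletion reaches DC1
    restore(dc1, backup, ou, authoritative, stamp=3)
    dc1.replicate_from(dc2)                       # restored DC pulls partner changes first
    dc2.replicate_from(dc1)                       # then its own state flows out to the partner
    return {dc.name: dc.is_deleted(ou) for dc in (dc1, dc2)}


if __name__ == "__main__":
    print("non-authoritative:", scenario(False))  # {'DC1': True, 'DC2': True}
    print("authoritative:   ", scenario(True))    # {'DC1': False, 'DC2': False}
```

Run as a script, the non-authoritative case leaves the OU deleted on both controllers (the tombstone replicated back over the restored copy), while the authoritative case brings it back everywhere, which is the behaviour the section above describes.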

Performing an authoritative restore

After the data has been restored, use Ntdsutil.exe to perform the authoritative restore. To do this, follow these steps:
  1. At a command prompt, type ntdsutil, and then press ENTER.
  2. Type authoritative restore, and then press ENTER.
  3. Type restore database, press ENTER, click OK, and then click Yes.

Restoring a subtree

Frequently, you may not want to restore the whole database because of the replication impact this would have on your domain or forest. To authoritatively restore a subtree within a forest, follow these steps:
  1. Restart the domain controller.
  2. When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
  3. Restore the data from backup media for an authoritative restore. To do this, follow these steps:
    1. In Directory Services Restore Mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
    2. Click Restore Wizard, and then click Next.
    3. Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
    4. Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
    5. In the Restore Files to list, click Original Location.
    6. Click OK, and then complete the restore process. A visual progress indicator is displayed.
    7. When you are prompted to restart the computer, do not restart.
  4. At a command prompt, type ntdsutil, and then press ENTER.
  5. Type authoritative restore, and then press ENTER.
  6. Type the following command, and then press ENTER:
     restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
     Note: In this command, OU_Name is the name of the organizational unit that you want to restore, Domain_Name is the domain name that the OU resides in, and xxx is the top-level domain name of the domain controller, such as "com," "org," or "net."
  7. Type quit, press ENTER, type quit, and then press ENTER.
  8. Type exit, and then press ENTER.
  9. Restart the domain controller.
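The note above gives the distinguished name for a single OU directly under the domain. Getting the DN wrong (wrong component order for nested OUs, an unescaped comma in an OU name) makes ntdsutil restore the wrong subtree or nothing at all, so it is worth building and checking the DN before typing it. The Python below is an added example, not part of the original post: it generalises the note's pattern to multi-label domains and nested OUs, escapes special characters as RFC 4514 requires, and can parse a DN back into its components for a visual check. The domain and OU names are constructed.

```python
"""Build the DN for 'restore subtree' from a domain name and an OU path.

Added example, not part of the original post. The note above gives the DN
shape ou=<OU>,dc=<domain>,dc=<tld>; this generalises it: every DNS label of
the domain becomes one dc= component, nested OUs are listed deepest first,
and special characters in an OU name are escaped as RFC 4514 requires.
split_dn reverses the process so a DN can be checked before it is typed
into ntdsutil. Domain and OU names below are constructed.
"""
import re

# RFC 4514: these characters must be backslash-escaped inside an attribute value
_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value):
    out = _SPECIAL.sub(r"\\\1", value)
    if out[:1] in (" ", "#"):      # a leading space or '#' is also escaped
        out = "\\" + out
    if out.endswith(" "):          # and so is a trailing space
        out = out[:-1] + "\\ "
    return out


def domain_dn(fqdn):
    """corp.example.com -> dc=corp,dc=example,dc=com"""
    labels = [l for l in fqdn.strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("domain name needs at least one label")
    return ",".join("dc=" + l for l in labels)


def ou_dn(ou_path, fqdn):
    """ou_path is written top-down ('Sales/EMEA'); the DN names the deepest OU first."""
    ous = [p for p in ou_path.split("/") if p]
    if not ous:
        raise ValueError("OU path must name at least one OU")
    rdns = ["ou=" + escape_rdn_value(o) for o in reversed(ous)]
    return ",".join(rdns + [domain_dn(fqdn)])


def restore_subtree_command(ou_path, fqdn):
    """The exact ntdsutil line; a DN containing spaces is quoted so ntdsutil sees one argument."""
    dn = ou_dn(ou_path, fqdn)
    return 'restore subtree "%s"' % dn if " " in dn else "restore subtree " + dn


def split_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes; the inverse of ou_dn."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):    # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    result = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        result.append((attr.strip().lower(), value))
    return result


if __name__ == "__main__":
    print(restore_subtree_command("Sales/EMEA", "corp.example.com"))
    print(split_dn(ou_dn("Sales, West", "corp.example.com")))
```

Note the reversal in ou_dn: an OU path written the way it appears in Active Directory Users and Computers (parent first) must be emitted child first in the DN, which is the most common mistake when the subtree to restore is more than one level deep.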

How to Recover the Active Directory Database

To recover the database, follow these steps:
  1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
  2. At the Ntdsutil command prompt, type files, and then press ENTER.
  3. At the file maintenance command prompt, type recover, and then press ENTER.
  4. Type quit, and then press ENTER.
  5. Restart the computer.
NOTE: You can also use Esentutl.exe to perform database recovery when the procedure described earlier in this article fails (for example, the procedure may fail when the database is inconsistent). To use Esentutl.exe to perform database recovery, follow these steps:
  1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
  2. Type esentutl /r path\ntds.dit, and then press ENTER, where path is the current location of the Ntds.dit file.
  3. Delete the database log files (.log) from the WINDOWS\Ntds folder.
  4. Restart the computer.
NTDSUTIL.EXE: It is a command-line tool that is used to manage Active Directory. This utility is used to perform the following tasks:
  • Performing database maintenance of Active Directory.
  • Managing and controlling operations master roles.
  • Removing metadata left behind by domain controllers.
To perform offline defragmentation of the Active Directory database:
  1. Back up Active Directory. Windows 2000 Backup natively supports backing up Active Directory while online. This occurs automatically when you select the option to back up everything on the computer in the Backup Wizard, or independently by selecting to back up the "System State" in the wizard.
  2. Reboot the domain controller, select the appropriate installation from the boot menu, and press F8 to display the Windows 2000 Advanced Options menu. Choose Directory Services Restore Mode and press ENTER. Press ENTER again to start the boot process.
  3. Click Start, point to Programs, point to Accessories, and then click Command Prompt. At the command prompt, type ntdsutil, and then press ENTER.
  4. Type files, and then press ENTER.
  5. Type info, and then press ENTER. This displays current information about the path and size of the Active Directory database and its log files. Note the path.
  6. Establish a location that has enough drive space for the compacted database to be stored.
  7. Type compact to drive:\directory, and then press ENTER, where drive and directory are the path to the location you established in the previous step. For example:
     compact to "c:\new folder"
  8. A new database named Ntds.dit is created in the path you specified.
  9. Type quit, and then press ENTER. Type quit again to return to the command prompt.
  10. If defragmentation succeeds without errors, follow the Ntdsutil.exe on-screen instructions. Delete all the log files in the log directory by typing the following command:
     del drive:\pathToLogFiles\*.log
     Then copy the new Ntds.dit file over the old Ntds.dit file in the current Active Directory database path that you noted in step 5.
     Note: You do not have to delete the Edb.chk file.
  11. Restart the computer normally.

DHCP Database

DHCP has its own database. Stored in this DHCP.mdb are the addresses, scopes and leases of the clients. Understanding this database will help you back up and restore a DHCP server.
Check out this file: %systemroot%\system32\dhcp\dhcp.mdb
As time goes by the database will grow, and best practice dictates that you should consolidate the database by freeing up space taken up by old leases.
The procedure for compacting the dhcp.mdb database is this:
1) Stop the DHCP service. Either right-click the DHCP Server icon, select All Tasks, then Stop. Alternatively, go to the command line and type: NET Stop DHCPServer. (For once the command really is DHCPserver, NOT DHCPyourservername.)
2) At the command line, navigate to the folder that holds the database: %systemroot%\system32\dhcp.
3) Type: Jetpack dhcp.mdb temp.mdb. What this does is copy the existing database, compact it, then copy it back to the original location - clever.
4) Remember to restart DHCP. Either use the GUI, or if you are at the command line, NET Start DHCPServer.
Warning: Do not 'mess' with any of the files that you find in the %systemroot%\system32\dhcp folder; if you do, then DHCP will stop working and you will either have to restore, or else re-install DHCP.


File Replication service (FRS)

File Replication service (FRS) is a technology that replicates files and folders stored in the SYSVOL shared folder on domain controllers and Distributed File System (DFS) shared folders. When FRS detects that a change has been made to a file or folder within a replicated shared folder, FRS replicates the updated file or folder to other servers. Because FRS is a multimaster replication service, any server that participates in replication can generate changes. In addition, FRS can resolve file and folder conflicts to make data consistent among servers.
By keeping files and folders synchronized across servers, FRS enables organizations to increase the availability of data. If one server becomes unavailable, the files are still available, because they exist on another server. Using multiple servers to host data also helps organizations that have offices in multiple geographic locations, because clients can access servers in or closest to their current site and do not need to use expensive WAN links to access data.


FSMO (Flexible Single Master Operations) Roles

In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
Schema Master:
The Schema Master role controls all the updates and modifications to the schema itself. The schema controls the definition of each object in the directory and the object’s associated attributes.
Domain naming master:
The Domain Naming Master role controls the addition or removal of domains from the forest.
Infrastructure Master:
The Infrastructure Master role is responsible for maintaining all inter-domain object references. In other words, the Infrastructure Master informs certain objects (such as groups) that other objects (such as users in another domain) have been moved, changed, or otherwise modified. This update is needed only in a multiple domain environment. If there is only a single domain, then all domain controllers already know of the update, and this role is unnecessary. Likewise, if all domain controllers are also global catalog servers, the domain controllers are aware of the updates and do not need the assistance of the Infrastructure Master.

Relative ID (RID) Master:
The Relative ID (RID) Master role controls the sequence number for the domain controllers within the domain. The master assigns a unique sequence of RIDs to each of the domain controllers. When a new object is created by a domain controller, the object is assigned a security ID (SID). The SID must be unique within the domain and is generated by combining a domain SID and a RID. The domain SID is a constant ID within the domain, while the RID is assigned to the object by the domain controller. When the domain controller uses all the RIDs that the RID Master has assigned, the domain controller receives another sequence of RIDs from the RID Master. If the RID Master is unavailable and a domain controller exhausts its pool, it will be unable to create additional objects.
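The sentence "the SID is generated by combining a domain SID and a RID" is the whole reason the RID master exists, and it is easy to check against real identifiers. The Python below is an added example, not code from the original post: it implements the documented binary SID layout (revision, sub-authority count, 48-bit identifier authority, little-endian sub-authorities), joins a domain SID and a RID the way a domain controller does, and splits an account SID back into the two parts. The domain SID and RIDs used as samples are constructed; the well-known RIDs listed (500, 501, 502, 512, 513, 519) are the standard Windows values.

```python
"""Compose and take apart Windows security identifiers (SIDs).

Added example, not from the original post. A domain account's SID is the
domain SID plus the RID the domain controller took from its RID pool. The
functions below implement the documented binary SID layout (revision byte,
sub-authority count byte, 48-bit big-endian identifier authority, then
little-endian 32-bit sub-authorities) and the split of S-1-5-21-x-y-z-RID
into domain SID and RID. The sample SIDs are constructed.
"""
import struct

# RIDs below 1000 are reserved for well-known accounts and groups; a few of them:
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
FIRST_POOL_RID = 1000  # RIDs handed out from RID-master pools start here


def parse_sid(s):
    """'S-1-5-21-1-2-3-500' -> (revision, identifier authority, [sub-authorities])"""
    parts = s.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % s)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(x >= 1 << 32 for x in subs):
        raise ValueError("out-of-range SID component: %r" % s)
    return revision, authority, subs


def sid_to_bytes(s):
    """String SID -> the binary form stored in security descriptors and the directory."""
    revision, authority, subs = parse_sid(s)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", x) for x in subs))


def bytes_to_sid(b):
    """Binary SID -> string; rejects a buffer whose length disagrees with its count byte."""
    if len(b) < 8 or len(b) != 8 + 4 * b[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(b[2:8], "big")
    subs = struct.unpack("<%dI" % b[1], b[8:])
    return "S-%d-%d" % (b[0], authority) + "".join("-%d" % x for x in subs)


def split_domain_rid(s):
    """Return (domain SID, RID) for a domain account or group SID (S-1-5-21-x-y-z-RID)."""
    revision, authority, subs = parse_sid(s)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % s)
    return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), subs[4]


def make_sid(domain_sid, rid):
    """Domain SID + RID -> account SID, which is what a DC does when it creates an object."""
    revision, authority, subs = parse_sid(domain_sid)
    if authority != 5 or len(subs) != 4 or subs[0] != 21:
        raise ValueError("not a domain SID: %r" % domain_sid)
    if not 0 <= rid < 1 << 32:
        raise ValueError("RID out of range")
    return "%s-%d" % (domain_sid, rid)


def describe_rid(rid):
    """Well-known name, 'pool' for a RID allocated from a RID-master pool, else 'reserved'."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "pool" if rid >= FIRST_POOL_RID else "reserved"


if __name__ == "__main__":
    domain = "S-1-5-21-1000000001-2000000002-3000000003"   # constructed domain SID
    sid = make_sid(domain, 1104)
    print(sid, sid_to_bytes(sid).hex(), split_domain_rid(sid), describe_rid(1104))
```

The split in split_domain_rid is also what you rely on when reading an audit log or an ACL: the first four sub-authorities identify which domain an identity came from, and only the last one says who it is inside that domain.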

PDC Emulator:
The PDC Emulator role is used whenever a domain contains non–Active Directory computers. It acts as a Windows NT PDC for legacy client operating systems, as well as for Windows NT BDCs. The PDC Emulator processes password changes and receives preferential treatment within the domain for password updates. If another domain controller is unable to authenticate a user due to a bad password, the request is forwarded to the PDC Emulator.

GPO behavior 

Group Policy is processed in the following order:

Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
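The order above matters because a setting written by a later GPO overrides the same setting from an earlier one, so the child OU's GPO normally wins. The Python below is an added example, not code from the original post: it applies GPOs in LSDOU order and computes the effective settings, and goes one step beyond the text by modelling the two link options that change the outcome in a real domain, Enforced links (applied after everything else, with the parent's enforced link beating the child's) and Block Inheritance on a container. All GPO names, containers and settings are constructed.

```python
"""Effective Group Policy in LSDOU order, with Enforced and Block Inheritance.

Added example, not from the original post. It models the processing order
above (Local, Site, Domain, OU, child OU): GPOs are applied in that order
and a setting written by a later GPO overrides the same setting from an
earlier one. It goes one step beyond the text by also modelling the two
link options that change that order: an Enforced (No Override) link is
applied after every non-enforced one, with a parent's enforced link beating
a child's, and a container with Block Inheritance discards non-enforced
links from every container above it (local policy is not a link and is
never blocked). GPO names and settings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict          # setting name -> value


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # link order 1 first, i.e. highest precedence first
    block_inheritance: bool = False


def processing_order(local, chain):
    """chain = [site, domain, OU, child OU, ...] top-down. Returns the GPOs in the order applied."""
    scopes = [local] + list(chain)
    # The deepest container that blocks inheritance cuts off every container above it.
    first_kept = 1
    for idx in range(len(scopes) - 1, 0, -1):
        if scopes[idx].block_inheritance:
            first_kept = idx
            break
    order = []
    # Non-enforced links: top-down; within a container the lowest link order is applied last, so it wins.
    for idx, c in enumerate(scopes):
        if idx == 0 or idx >= first_kept:
            order += [l.gpo for l in reversed(c.links) if not l.enforced]
    # Enforced links: applied after all others, bottom-up, so the parent's enforced link wins.
    for c in reversed(scopes):
        order += [l.gpo for l in reversed(c.links) if l.enforced]
    return order


def effective_settings(local, chain):
    """Last writer wins: walk the processing order and let each GPO overwrite earlier values."""
    result = {}
    for gpo in processing_order(local, chain):
        result.update(gpo.settings)
    return result


def demo():
    """Constructed site/domain/OU chain showing plain precedence, Enforced and Block Inheritance."""
    local = Container("Local", [Link(GPO("Local", {"screensaver_timeout": 600}))])
    site = Container("Site-HQ", [Link(GPO("SiteSec", {"screensaver_timeout": 900}))])
    domain = Container("corp.example", [Link(GPO("DomainBaseline",
                       {"min_pwd_len": 8, "screensaver_timeout": 300}), enforced=True)])
    sales = Container("OU=Sales", [Link(GPO("SalesApps", {"screensaver_timeout": 1200}))],
                      block_inheritance=True)
    emea = Container("OU=EMEA", [Link(GPO("EMEA", {"lock_screen": True}))])
    chain = [site, domain, sales, emea]
    names = [g.name for g in processing_order(local, chain)]
    return names, effective_settings(local, chain)


if __name__ == "__main__":
    order, settings = demo()
    print(" -> ".join(order))   # Local -> SalesApps -> EMEA -> DomainBaseline
    print(settings)
```

In the demo the Sales OU blocks inheritance, so the site GPO never applies, yet the domain baseline still wins the screensaver setting because its link is enforced. That combination (enforce the security baseline at the domain, let OUs block everything else) is the usual way to keep a delegated OU administrator from weakening domain-wide settings.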

GPO

A Group Policy Object (GPO) is a collection of settings that define what a system will look like and how it will behave for a defined group of users. Microsoft provides a Group Policy snap-in for the Microsoft Management Console (MMC); the selections you make there result in a Group Policy Object. The GPO is associated with selected Active Directory containers, such as sites, domains, or organizational units (OUs). The MMC allows you to create a GPO that defines registry-based policies, security options, software installation and maintenance options, scripts options, and folder redirection options.

Storage of Group Policy objects

Each computer that runs Windows XP Professional, Windows XP 64-bit Edition (Itanium), or the Windows Server 2003 operating systems, has exactly one local Group Policy object (GPO). It is stored in systemroot\System32\GroupPolicy.
Group Policy objects, other than the local Group Policy object, are virtual objects. The policy setting information of a GPO is actually stored in two locations: the Group Policy container and the Group Policy template. The Group Policy container is an Active Directory container that stores GPO properties, including information on version, GPO status, and a list of components that have settings in the GPO. The Group Policy template is a folder structure within the file system that stores Administrative Template-based policies, security settings, script files, and information regarding applications that are available for Group Policy Software Installation. The Group Policy template is located in the system volume folder (Sysvol) in the \Policies subfolder for its domain. For more information about the local Group Policy object, see Local Group Policy.

Group Policy container

The Group Policy container is a directory service object. It includes subcontainers for computer and user Group Policy information. The Group Policy container contains the following data:
  • Version information--Used to verify that the information is synchronized with Group Policy template information.
  • Status information--Indicates whether the Group Policy object is enabled or disabled for this site, domain, or organizational unit.
  • List of components--Specifies which extensions to Group Policy have settings in the Group Policy object.

Group Policy sections

Each GPO is built from two sections:
  • Computer configuration contains the settings that configure the computer before the user logs on.
  • User configuration contains the settings that configure the user after logon. You cannot choose to apply the settings to a single user; all users, including the administrator, are affected by the settings.
Within these two sections you can find more sub-folders:
  • Software settings and Windows settings, for both computer and user, are settings that configure local DLL files on the machine.
  • Administrative templates are settings that configure the local registry of the machine. You can add more options to Administrative Templates by right-clicking it and choosing .ADM files. Many programs that are installed on the computer add their .ADM files to the %systemroot%\inf folder so you can add them to the Administrative Templates.

Tools used to configure GPO

You can configure GPOs with this set of tools from Microsoft (other third-party tools exist, but we will discuss those in a different article):
  1. Group Policy Object Editor snap-in in MMC - or - use gpedit.msc from the Run command.
  2. Active Directory Users and Computers snap in - or dsa.msc – to invoke the Group Policy tab on every OU or on the Domain.
  3. Active Directory Sites and Services - or dssite.msc – to invoke the Group Policy tab on a site.
  4. Group Policy Management Console - or gpmc.msc - this utility is NOT included in Windows 2003 Server and needs to be installed separately.

Netlogon share:

A share located only on domain controllers that contains GPOs, scripts and .POL files for the policies of Windows NT/98 clients. The Netlogon share replicates among all DCs in the domain, and is accessible read-only for the Everyone group and with Full Control for the Domain Admins group. The Netlogon share's real location is:
C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS
When a domain member computer boots up, it finds the DC and looks for the Netlogon share in it. To see what DC the computer used when it booted, you can go to the Run command and type %logonserver%\Netlogon. The content of the Netlogon share should be the same on all DCs in the domain.

Initiating Replication Using the Sites and Services Manager Snap-in

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Expand the Sites container in the left pane. Expand the container that represents the name of the site containing the target server that needs to be synchronized with its replication partners.
  3. Expand the Servers container, and then expand the target server to display the NTDS Settings object (an object that represents settings for the domain controller).
  4. Click the NTDS Settings object. The connection objects in the right pane represent the target server's direct replication partners.
  5. Right-click a connection object in the right pane, and then click Replicate Now. Windows 2000 initiates replication of any changes from the source server (the server represented by the connection object) to the target server for all directory partitions the target server is configured to replicate from the source server.

Distributed File System overview

With Distributed File System (DFS), system administrators can make it easy for users to access and manage files that are physically distributed across a network. With DFS, you can make files distributed across multiple servers appear to users as if they reside in one place on the network. Users no longer need to know and specify the actual physical location of files in order to access them.
For example, if you have marketing material scattered across multiple servers in a domain, you can use DFS to make it appear as though all of the material resides on a single server. This eliminates the need for users to go to multiple locations on the network to find the information they need.

Reasons for using DFS

You should consider implementing DFS if:
  • You expect to add file servers or modify file locations.
  • Users who access targets are distributed across a site or sites.
  • Most users require access to multiple targets.
  • Server load balancing could be improved by redistributing targets.
  • Users require uninterrupted access to targets.
  • Your organization has Web sites for either internal or external use.

Group Types

In Windows 2000, there are three types of groups:
  • Local groups: Groups that are defined on a local computer. Local groups are used on the local computer only. You create local groups with the Local Users And Groups utility.
  • Security groups: Groups that can have security descriptors associated with them. You define security groups in domains using Active Directory Users And Computers.
  • Distribution groups: Groups that are used as e-mail distribution lists. They can't have security descriptors associated with them. You define distribution groups in domains using Active Directory Users And Computers.


Group Scope

Groups can have different scopes—domain local, built-in local, global, and universal. That is, the groups have different areas in which they are valid.
  • Domain local groups: Groups that are used to grant permissions within a single domain. Members of domain local groups can include only accounts (both user and computer accounts) and groups from the domain in which they are defined.
  • Built-in local groups: Groups that have a special group scope that has domain local permissions and, for simplicity, are often referred to as domain local groups. The difference between built-in local groups and other groups is that built-in local groups can't be created or deleted. You can only modify built-in local groups. References to domain local groups apply to built-in local groups unless otherwise noted.
  • Global groups: Groups that are used to grant permissions to objects in any domain in the domain tree or forest. Members of global groups can include only accounts and groups from the domain in which they are defined.
  • Universal groups: Groups that are used to grant permissions on a wide scale throughout a domain tree or forest. Members of universal groups include accounts and groups from any domain in the domain tree or forest.

What's the difference between local, global and universal groups?

Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

Lightweight Directory Access Protocol

The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP.
A directory is a set of objects with attributes organized in a logical and hierarchical manner. A simple example is the telephone directory, which consists of a list of names (of either persons or organizations) organized alphabetically, with each name having an address and phone number associated with it.
An LDAP directory tree often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use Domain Name System (DNS) names for structuring the topmost levels of the hierarchy. Deeper inside the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else that represents a given tree entry (or multiple entries).

What kinds of updates does WSUS distribute?

WSUS distributes Microsoft critical updates, definition updates (for example, for the Microsoft Outlook Junk E-mail filter and Windows Defender), security updates, update rollups, and specific tools such as the Malicious Software Removal Tool.
Updates will be distributed for IT-supported Windows operating systems and Microsoft Office. Though patches for additional Microsoft software such as SQL Express Edition, Forefront, and XML may be distributed by WSUS, this software is not supported by IT, and IT cannot guarantee that all applicable patches will be distributed to campus. Therefore, IT does not recommend that individuals running unsupported Microsoft software rely solely on WSUS to keep their computers up to date and secure.
