Windows 2000 Basics

1
Windows 2000 Basics

• Larry Passo
• MCSEI, MCT, CCNA, CCDA
• Kevin Orbaker
• MCSE, MCT

2
Windows 2000 Versions

• Windows 2000 Professional
• Windows 2000 Server
• Windows 2000 Advanced Server
• Windows 2000 Datacenter Server

3
Windows 2000 Professional

• Up to 2 processors
• Up to 4GB RAM
• Upgrade from 9x or NT 3.51/4.0 Workstation
• Desktop performance

4
Windows 2000 Server

• Up to 4 processors
• Up to 4GB RAM
• Active Directory
• Terminal Services

5
Windows 2000 Advanced Server

• Up to 8 processors
• Up to 8GB RAM
• Network Balancing
• Load Balancing
• Clustering

6
Windows 2000 Datacenter Server

• Up to 32 processors
• Up to 64GB RAM
• OLTP (OnLine Transaction Processing)
• OEM Versions Only

7
New Features

• Plug and Play
• Increased hardware support
• Offline folders
• Synchronization manager
• IE 5.0

8
New Features

• ACPI power management
• FAT32 support
• Hard Disk Defrag Utility

9
Security Features

• Kerberos v5
• Encrypting File System (EFS)
• IPSec
• Smart Card support
• Secondary logon service (Run As)
• RADIUS (Remote Authentication Dial-In User
  Service)

10
Radius Terminology

• Dialup clients
• Radius clients
• RAS
• NAS
• Radius servers

11
Management Features

• Nested Like Groups (Native Mode Only)
• MMC
• Group Policies
• Windows Scripting Host (WSH)

12
Management Features

• Remote Installation Services
• Remote Storage (automatic archiving)
• Terminal Server
• administrative installation
• application installation

13
File Features

• Distributed File System (Dfs)
• Disk Quotas
• Volume mount points
• NTFS v5
• Inheritable permissions

14
Terms and Definitions
15
Active Directory (AD)

• Directory
• Directory Service

16
Namespace

• A group of names that are defined according to a
  defined naming method
• NetBIOS
• 15 Characters
• Letters/Numbers/Special

17
Hierarchical Namespace

• A multi-level namespace with rules that allow the
  namespace to be partitioned.
• DNS
• www.mycompany.com

18
Domain

• A security boundary
• A replication boundary
• A logical concept

19
Tree

• One or more domains
• Contiguous hierarchical namespace

20
Forest

• One or more trees
• Non-contiguous namespace

21
Organizational Unit (OU)

• An collection of objects in a domain that share
  common administration
• Different OUs in the same domain may have
  different administrators
• Have hierarchical structure

22
Site

• One or more, well connected, IP subnets
• Relates physical WAN infrastructure to logical
  domain structure
• Fast and reliable

23
Object

• Distinct named set of attributes
• User
• Printer
• File

24
Schema

• Defines the structure of Active Directory
• Object class
• Attributes
• Can be extended

25
Distinguished Name

• The absolute address of an object
• CNJamesSmith,CNUsers,DCMicrosoft,DCcom
• The JamesSmith user account in the microsoft.com
  domain

26
Relative Distinguished Name

• The address of an object relative to any specific
  place in a forest
• CNJamesSmith,CNUsers
• A user account that is located in the current
  domain

27
Domain Controller (DC)

• Windows 2000 Server with AD
• Contains information about all the objects in a
  domain
• No more PDCs or BDCs

28
Global Catalog

• A partial replica of every domain in AD (entire
  forest)
• Knowledge of the existence of all objects but not
  all of the attributes of those objects
• Global Catalog servers are also DCs

29
Group Types

• Security Groups
• Distribution Groups

30
Security Groups

• Domain Local Group
• Domain Global Group
• Universal Group (native mode only)
• Like groups may be nested in native mode

31
Lightweight Directory Access Protocol (LDAP)

• A protocol used to access AD
• The preferred access protocol
• A simplified version of DAP from X.500

32
Active Directory Design
33
Changes to domain model

• DNS and TCP/IP are now mandatory
• Automatic, two-way, transitive trusts
• Hierarchical

34
Delegate Management

• Use OUs within a domain to delegate
  administrative control over objects
• Users
• Printers
• Computers
• OUs can take the place of multiple domains

35
Delegate management
Accounting OU contains Printers located in
accounting. Accountant Joe delegated printer
management.
CORP
OPS
MFG
HR
ACCT
36
Extending Schema

• New types of objects and/or attributes can be
  created
• Existing objects can be extended to include new
  attributes
• Exchange 2000 extends AD
• Forestprep
• Setup

37
Before You Get Started What You Need
38
Testing Environment

• Build it to your needs
• Domain Model
• Simulate site speeds
• Global Catalog Servers
• Replication traffic vs. Authentication traffic

39
Implementation and Migration Planning

• Determine your migration path
• In place upgrade vs. Parallel migration
• Software validation
• DNS naming definitions

40
Justification to Management

• Why should you implement today?
• Decrease TCO
• Eliminate most reboots
• Increased uptime
• Shrinking Support for NT 4.0

41
Mixed Mode

• Default configuration
• Supports NT BDCs
• All DCs support Win9x/NT authentication
• More Overhead

42
Native Mode

• No support for NT 4.0 BDCs
• Allows for legacy member servers and desktops
• Increases functionality
• Speed, Universal Groups, nesting of like groups
• Conversion to native is one way

43
OU Design

• OUs are defined within domains
• Reflects organizational divisions
• Designed to make logical organizations of the
  business model
• Consider the implications of
• Inheritance of Group Policy
• Inheritance of Security
• OUs typically change from domain to domain

44
Example OU Design
company.org
45
Domain Design

• Single domain
• Tree
• Forest

46
Single Domain
47
Single Domain Advantages

• Simple to implement
• Effective for large and small organizations
• Delegate administration with OUs
• No trusts required
• Can move objects between OUs

48
Single Domain Disadvantages

• Cant limit replication traffic
• Single security policy

49
Multiple Domain
company.org
na.company.org
euro.company.org
asia.company.org
50
Multiple Domain Advantage

• Unlimited scalability
• Two-way transitive trusts
• Can break up administrative through domains and
  OUs
• Multiple security policies

51
Multiple Domain Disadvantage

• Increased complexity
• Increased GC replication traffic
• Cannot easily move objects between domains
• Requires third-party solutions

52
Domain Creation Demo
53
Forest
widgets.org
gidgets.net
fidgets.com
54
Forest Guidelines

• Dont create a multiple trees without a solid
  business reason
• If a company is diverse, multiple trees may be
  the best model

55
Forest Advantages

• Noncontiguous namespace
• Acquiring a new company
• Planning for splitting a company

56
Forest Disadvantage

• Noncontiguous namespace
• Increased GC replication traffic
• Increased management complexity!

57
Intrasite Replication

• Frequent
• Uncompressed
• Cant be scheduled
• RPC Only

58
Intersite Replication

• Compressed
• Scheduled
• RPC or SMTP

59
Global Catalog Server

• Determine authentication and replication needs
• Replicating extended information
• Which extended attributes should be included
• Requires additional memory

60
Global Catalog Server Logon

• Client machine contacts the cached domain
  controller (DC)
• DC looks at the IP address of client machine
• If the client is not on the local subnet, the DC
  checks the GC to see if there is a DC more local
  to the client
• Client notified if the cached DC isnt the
  closest DC
• Avoids WAN traffic when possible

61
Operations Masters

• Schema master
• Domain naming master
• RID master
• PDC Emulator
• Infrastructure master

62
Schema master

• One per forest
• Controls all updates and changes to the schema

63
Domain Naming Master

• One per forest
• Controls addition or removal of domains from the
  forest

64
RID Master

• One per domain
• Allocates sequences of RIDs to the DCs in a domain

65
PDC Emulator

• One per domain
• Sends updates to BDCs
• Receives preferential replication of password
  changes from DCs
• What if replication hasnt been received yet?

66
Infrastructure master

• One per domain
• Updates group to users references when group
  memberships are changed
• Should not be a GC

67
Demo

• FSMO Management

68
DNS Architecture
69
DNS Primer

• A zone is a subtree of the DNS tree
• Administered separately
• Common zone is second level (microsoft.com)
• Zones can be divided into sub zones
• A name server can manage one or more zones

70
DNS Primer

• Domain or Zone?
• microsoft is the zone
• microsoft.com is the domain

71
DNS Primer

• Internet is one name space (.)
• Drive root (\)
• Top Level Domains (TLD)
• .com, .net, .org, .mil
• Second Level Domains
• .microsoft.com
• Fully Qualified Domain Name (FQDN)
• www.microsoft.com

72
DNS Primer

• The directory is the zone file
• The directory service resolves a FQDN to an IP
  address in the directory
• Single master replication of directory
• MSDNS is fully RFC compliant

73
DNS Server Types

• Three server types
• Primary
• Hosts zone information
• Only one per zone
• Secondary
• Obtains database via zone transfer
• One or more per zone
• Caching only

74
DNS Naming

• Use Internet-standard characters
• A- Z, a-z, 0-9, and - (RFC 1123)
• Microsoft DNS supports wider range
• Users not exposed to domain names
• E-mail style login name doesnt have to be
  related to domain name
• Most interaction is query to global catalog
• Admins exposed to domain names

75
DNS Locater Service

• Domain controllers dynamically register Service
  Location records
• SRV resource record (RFC 2052)
• Maps (service) --gt (hosts offering service)
• General rendezvous mechanism
• Analogous to SMTP and the MX record
• NETLOGON service sends updates
• Dynamic update protocol (RFC 2136)

76
DNS Locater Records

• SRV records are named like
• ldap.tcp.ltdomain namegt.
• i.e. ldap.tcp.nt.microsoft.com.
• More like that, all ending in
• ltdomain namegt
• DNS server that owns ltdomain namegt
• MUST support the SRV record
• SHOULD support dynamic update

77
DNS Requirements for AD

• Must support SRV records(RFC 2052)
• Bind 8.1.1
• Should support DDNS(RFC 2136)
• Windows 2000 DNS
• Bind v8.1.2

78
AD and DNS

• AD integration (optional)
• Single replication topology
• Per-property replication
• Secure replication
• Multi-master replication
• Simplified management
• Support for non Win2K DNS servers
• ACL maintained authority control DNS Models

79
Single zone

• Example.com internal
• Example.com external

80
Dual Zone

• Example.com internal
• Corp.example.com external

81
Zone requirements

• _msdcs.example.com_tcp.example.com_udp.exam
  ple.com_sites.example.com

82
DNS Name Registration

• DDNS registration process

SOA Query
SOA Response
Assertion update
ACK/NACK
Registration
83
DNS Name Registration

• DNS registration process
• Win2K Client / Win2K DHCP Server
• Client DHCP service responsible
• Client updates A RR
• DHCP server updates PTR RR
• Win2K Client / NT4 DHCP Server
• Client update A and PTR RR

84
New Features of Windows 2000 DNS

• DNS registration process
• NT4 Client / Win2K DHCP Server
• DHCP Serve update A and PTR RR
• Win2K Client (Static)
• Client update A and PTR record
• RAS Client treated as Static
• Client update A and PTR record
• Attempts to remove A and PTR when closing
  connection

85
DDNS Configuration Demo
86
New Features of Windows 2000 DNS

• Scavenging
• Dynamic update requires maintenance
• Defined scavenge criteria
• No-refresh and refresh intervals

87
New Features of Windows 2000 DNS

• Unicode Character Support
• Supports NetBIOS namespace
• Allowed per server or zone
• Interoperability is unknown with non-UTF-8-aware
  DNS servers

88
DNS Performance

• Performance
• Dual Pentium II 400
• 900 Queries/ses
• 100 Dynamic registrations/sec
• 35 CPU Utilization
• More than 2,200,000,000 and 270,000,000 dynamic
  registrations in 19 days

89
DNS and WINS

• WINS still required for down-level clients
• Applications may still be NetBIOS only
• WINS improvements
• Improved reporting
• Improved management
• Improved performance

90
Security
91
Encryption

• Two types
• Symmetric
• Asymmetric

92
Symmetric Encryption

• Same key used for encryption and decryption
• DES
• Triple DES (3DES)

93
Asymmetric Encryption

• Different keys used for encryption and decryption
• One private key, one public key
• RSA, PGP
• Referred to as Public Key (PKI)

94
Principles of Encryption

• What do you know?
• What can you find out?
• What do you want to do?
• What did you not do?

95
What Do You Know?
96
What Can You Find Out?
97
What Do You Want To Do?

• Digital Signature
• Start with the senders private key
• Digital Envelope
• Start with the recipients public key

98
What Did You Not Do?

• Digital Signature
• Guarantees origin
• Doesnt protect contents
• Digital Envelope
• Conceals content
• Doesnt guarantee origin

99
Certificates

• To send an encrypted message to anyone you need
  their public key
• How can you get securely get their public key?
• Certificate Authorities
• X.509 based certificates

100
IPSec

• Both ends authenticate before transmission
• Encrypts data transmission
• Authentication methods
• Kerberos
• Certificates
• Text-based key (authentication only)

101
Enabling IPSec

• Chose a default policy
• Choose an authentication method

102
IPSec Policies

• Client
• Respond Only
• Server
• Request Security
• Require Security

103
Kerberos Components

• Kerberos Server
• Ticket Granting Server
• Ticket Granting Ticket

104
Kerberos Process
105
Kerberos Authentication

• Client sends request to Kerberos server
• Kerberos sends valid user
• Session key between the client and TGS, encrypted
  w/client's secret key
• TGT, encrypted w/Kerberos secret key
• The client decrypts the TGT with its secret key

106
Kerberos Authentication

• To obtain a ticket for a service
• Client encrypts a request using session key from
  Kerberos
• TGS decrypts request and, if valid, returns a
  ticket for the service

107
Upgrading Networks to Windows 2000
108
When To Upgrade

• Member servers and client workstations
• upgrade anytime
• Domain Controllers
• PDC always first

109
Plan for Disaster

• Before upgraded the PDC
• Install new NT 4.0 BDC
• Force replication
• Take box offline
• Save for a rainy day

110
Upgrade Path

• Install NEW DC
• Upgrade NT 4.0 BDCs
• Upgrade clients
• Convert to native mode (someday)

111
Upgrading Clients

• NT 4.0 Boxes
• Upgrade to Windows 2000
• Windows 9x
• Install new Windows 2000 Professional

112
Native Mode

• Client authentication issues
• Non-AD aware clients must be authenticated by the
  PDC emulator
• Improved performance

113
Directory Services Client

• For Windows 9x/NT 4.0 clients
• www.microsoft.com/windows2000/adclients

114
Directory Services Client

• Supported features
• Site Awareness
• ADSI Interface
• Dfs fault tolerant client
• WAB Client
• NTLM v2.0

115
Directory Services Client

• Unsupported features
• Kerberos
• Group Policy / IntelliMirror
• IPSec or L2TP
• Mutual Authentication

116
Whats New in Windows XP

• This is not the Xbox
• All beta versions are known as Whistler
• XP Home Edition
• XP Professional
• Windows .NET Server products

117
Questions?