Friday, November 27, 2009

MANAGING AND MAINTAINING WINDOWS SERVER 2003 ENVIRONMENT. Thanks: K M JHA

Page contents
MCSE EXAM CODE: 70-290
Introduction of server environment: -
Editions of 2003 server: -
Different types of server: -
BENEFITS OF ACTIVE DIRECTORY: -
MINIMUM REQUIREMENTS TO INSTALL ACTIVE DIRECTORY: -
TYPES OF SERVERS: -
STEPS TO CREATE A DOMAIN CONTROLLER: -
TO SEE THE STATUS OF DOMAIN CONTROLLER: -
Active directory domains and trusts
TO CONFIGURE DOMAIN CLIENT: -
TO SEE CLIENT COMPUTERS: -
TO CONFIGURE LOOPBACK ADAPTER ON WINDOWS SERVER 2003: -
USER ACCOUNT TEMPLATE: -
SEARCHING IN ACTIVE DIRECTORY: -
SAVED QUERIES: -
USER ACCOUNTS: -
TYPES OF LOG ON: -
DSADD user "CN=Name of
TO DELETE DOMAIN USER: -
TO CHANGE PASSWORD: -
DSMOD user "Path of DN" -PWD *
TO DISABLE DOMAIN USER: -
DSMOD user "CN=username(ABC),CN=users,DC=jha,DC=com" -disabled yes
TO ENABLE DOMAIN USER: -
DSMOD user "CN=username(ABC),CN=users,DC=jha,DC=com" -disabled No
TO SEE INFORMATION ABOUT ALL USERS: -
DSQUERY USER
REMOTE DESKTOP: -
ORGANIZATIONAL UNIT: -
Create sub OU or child OU by GUI: -
TO WORK ON D.C. MACHINE: -
* GPMC tool – Group policy management console
STEPS OF INHERITANCE POLICY: -
STEPS OF BLOCK POLICY INHERITANCE: -
RSOP (RESULTANT SET OF POLICIES): -
* CREATE O.U. BY CSVDE (COMMA SEPARATED VALUE DIRECTORY EXCHANGE) COMMAND: -
CREATE OU BY LDIFDE (LDAP DATA INTERCHANGE FORMAT DIRECTORY EXCHANGE) COMMAND: -
CREATE A USER BY LDIFDE (LDAP DATA INTERCHANGE FORMAT DIRECTORY EXCHANGE) COMMAND: -
CREATE OU BY USING BATCH FILE: -
SECURITY IDENTIFIER: -
TO SEE SID: -
Start- Run- Cmd-Ok
WHAT IS SHARED FOLDER: -
UNC (Universal Naming Convention) path
METHODS TO SHARE THE FOLDER: -
By command line: -
SECURITY TYPE IN NTFS: -
PERMISSIONS: -
NTFS PERMISSIONS ON FOLDER: -
BENEFITS OF NTFS PERMISSIONS: -
TO SEE FOLDER SECURITY PERMISSIONS: -
TO TAKE OWNERSHIPS: -
SHARING/ NTFS PERMISSIONS: -
DOMAIN SECURITY POLICY: -
TO UNCHECK ACCOUNT IS LOCKEDOUT: -
GPMC (GROUP POLICY MANAGEMENT CONSOLE) TOOL: -
BLOCK POLICY: -
* AUDITING: -
CATEGORIES OF AUDITING: -
FOR REFRESHING: -
STEPS FOR OBJECT ACCESS: -
System group
Custom group
Default group/Built-in group: -
System group: -
Groups are characterized by scope and type –
Group types –
Scope –
Global
Domain functional level: -
To create global security group by command line: -
DSADD group "cn=hclcdc,cn=users,dc=sprite,dc=com"
To create domain local security group: -
DSADD group "cn=hclcdc12,cn=users,dc=sprite,dc=com" -scope U
To create domain local distribution group: -
DSADD group "cn=hclcdc123,cn=users,dc=sprite,dc=com" -scope L -secgrp no
To See all groups: -
Dsquery group
To see system configuration: -
DISASTER RECOVERY IN SERVER 2003: -
Backup
Backup software
WHAT YOU WANT TO BACKUP: -
TYPES OF BACKUP: -
Boot Disk –
When we start system then following task is performed: -
MBR checks for active partition c:\
To see these files: -
To see hidden files by command line: -
Compression and encryption: -
Compact /C DNS (Folder name) - To compress folder
1. GUI
MONITORING OF WINDOW SERVER 2003: -
Network
MONITORING TOOL: -
HOW TO INSTALL RECOVERY CONSOLE: -
To remove Recovery Console: -


MCSE EXAM CODE: 70-290
Introduction of server environment: -
a. NT 4.0 server
b. 2000 server
c. 2003 server
d. 2008 server or Longhorn
Editions of 2003 server: -
A. Web edition: - Only for web server purposes. It cannot be made a domain controller; we use it for hosting websites. It supports two CPUs.
B. Standard edition: - We use it for small to medium organizations. Clustering is not available in the Standard edition. It supports 4 (four) CPUs.
C. Enterprise edition: - We use it for medium to large organizations. Clustering is available only in this edition. It supports 8 (eight) CPUs and 4 (four) GB RAM.
D. SBS (Small Business Server) edition: - It supports 1-100 clients and 3 (three) CPUs.
E. Data center edition: - This edition is used by big companies. It supports 64 GB RAM and 32 CPUs.
Different types of server: -
· SERVER: - A server offers network services; a client accepts (uses) those services.
· SERVER ROLES: -
a. Domain controller: - The server on which Active Directory is installed is called a domain controller.
b. DHCP (Dynamic Host Configuration Protocol): - A DHCP server provides IP configuration data automatically.
c. WINS (Windows Internet Naming Service) server: - A WINS server is used to resolve NetBIOS names into IP addresses. It is also called NBNS (NetBIOS Name Server).
d. Print server: - The server on which the printer is installed is called the print server.
e. Firewall server: - A firewall server is used to protect your private network (LAN) from the public network or Internet.
f. Backup server: - A backup server is used for backup purposes; the backup media are installed on it.
g. Proxy server: - A proxy server provides a secure Internet connection to all users in your network from a single location.
h. DNS server: - DNS stands for Domain Name System or Domain Name Service. DNS provides name resolution on a TCP/IP network: it resolves host names into IP addresses and IP addresses into host names. DNS is an application layer protocol. Its port number is 53.
i. VPN (Virtual Private Network) server: - A VPN connects two LANs over the Internet by using a secure connection, so that data transmission is secure and encrypted. Two protocols are used: PPTP (Point to Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol).
j. FTP server: - An FTP server hosts FTP sites.
k. Web server: - The purpose of a web server is to host a website for intranet as well as Internet purposes. IIS (Internet Information Services) is used for this.
l. RADIUS (Remote Authentication Dial In User Service): - The purpose of a RADIUS server is centralized authentication and remote access policies. The RADIUS server is also called IAS (Internet Authentication Service).
m. RAS (Remote Access Server): - RAS is also called RRAS (Routing and Remote Access Service). This service is built into 2000 server as well as 2003 server.
· WORK OF RRAS: -
a. We can configure a VPN server.
b. We can configure a DHCP server.
c. Routing.
d. Filtering.
e. LAN-to-LAN connectivity.
· STEPS: - Start – Programs – Administrative tools – RRAS.
· ACTIVE DIRECTORY: - Active Directory was first introduced with Windows 2000 server. It carries on in 2003 server as well as in 2008 server with some modifications. Active Directory stores its information in a centralized database and provides a single point of management.
BENEFITS OF ACTIVE DIRECTORY: -
Centralized management
Delegated administration or control: - Some responsibility or authority can be distributed to other users, i.e. the work is divided among different users.
Scalability: - You can create millions of objects (users or computers), and the directory can be expanded. A 2 TB database is available, with 2048 GB of space.
In NT server the database was 40 MB with 40,000 objects.
DNS integration: - DNS works with Active Directory for name resolution purposes.
MINIMUM REQUIREMENTS TO INSTALL ACTIVE DIRECTORY: -
a. 2000 server, 2003 server or 2008 server.
b. Minimum hard disk space 250 MB; recommended 1.5 GB.
c. Partition should be NTFS.
d. Processor speed 233 MHz.
e. Minimum RAM 128 MB.
· DCPROMO (Domain Controller Promotion) COMMAND: - This command is used to promote your server to a domain controller as well as to demote it.
· DOMAIN: - A domain is a logical collection of users and computers that share the Active Directory database. A domain is just like an umbrella.
· Web edition of Server 2003 can be configured as a domain client.
TYPES OF SERVERS: -
1. Stand-alone server: - A server that is a member of a workgroup is called a stand-alone server.
2. D.C.: - The server on which Active Directory is installed is called a domain controller.
3. Member server: - A server that is a member of a domain is called a member server.

STEPS TO CREATE A DOMAIN CONTROLLER: -
Start – Run – dcpromo – OK.
Now the wizard comes – Next – Next – (.) Domain controller for a new domain – Domain in a new forest – give the full DNS name (jha.com) – Next – Next – Next – select the last option, (.) Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems – Next – give the restore mode password and confirm the password (it is not essential for the Active Directory installation) – Next – Next – Finish – Restart now.
TO SEE THE STATUS OF DOMAIN CONTROLLER: -
Start – Programs – Administrative tools – here you can see three options: -
Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Users and Computers
My Computer (R.C.) – Manage
(Note: if the Local Users and Groups option is not available here, then we can understand that the system is a domain controller.)
When the log on screen comes, click on Options; if the domain controller is working properly, the domain name appears in the Log on to box.
TO CONFIGURE DOMAIN CLIENT: -
My Network Places (R.C.) – Properties – Local Area Connection (R.C.) – Properties – Internet Protocol (TCP/IP) – Properties – give an IP address and subnet mask of the same class (the domain controller's class or range) – give the IP of the preferred DNS server (the IP of the domain controller, if you have configured the D.C. as a DNS server) – OK – Close.
Now, R.C. on My Computer – Properties – Computer Name – Change – (.) Domain, and give the name of the domain (jha.com) – OK.
TO SEE CLIENT COMPUTERS: -
Start – Run – dsa.msc – OK.
Now click on Computers for client computers and on Domain Controllers for domain controllers.
· TO CREATE A NEW USER: - Click on Users – New – User.
· Through Computer Management we can find out whether the system is presently working as a domain controller or not, because on a domain controller the Local Users and Groups option does not appear.
TO CONFIGURE LOOPBACK ADAPTER ON WINDOWS SERVER 2003: -
Start – Settings – Control Panel – Add Hardware wizard – Next – (.) Yes, I have already connected the hardware – select Add a new hardware device – Next – select Network adapters – Microsoft Loopback Adapter – Finish.
USER ACCOUNT TEMPLATE: -
Through this option we can see the information about a user and also copy the information that is common to both users to another user.
STEPS: - Start – Programs – Administrative tools – Active Directory Users and Computers – click on Users – R.C. on username – Properties – fill in all the descriptions about the user one by one – again R.C. on the same user, select Copy and create a new user.
After these steps the system copies all the common descriptions to the new user. That is, only the address, telephone and title are not copied.
SEARCHING IN ACTIVE DIRECTORY: -
We can search for information about departments and users.
STEPS: - Start – Programs – Administrative tools – Active Directory Users and Computers – R.C. on domain name (jha.com) – Find – in Find, select Custom Search – Field, select User – select Department – in Value, give the name of the department – Add – Find Now – it shows all users in that department.
SAVED QUERIES: -
Through this option we can save a user query. That is, if any user is added to the same department later, the system automatically shows it in the saved query.
STEPS: - In the Active Directory Users and Computers console – Saved Queries – New – Query – Define Query – in Find, select Custom Search – Field, select User, Department – in Value, give the name of the department (Sales, for example) – Add – OK – New Query – give a name (anything) – OK.
USER ACCOUNTS: -
· Local user accounts
· Domain user accounts
TYPES OF LOG ON: -
Local log on: - When we log on to our own computer.
Domain log on: - When we log on with the domain name.
Secondary log on: - Secondary log on is also called the Run As process. It is a more secure and time-saving process: while logged on as an ordinary user, we can still create, add or remove, and manage programs by using this option.
RUN AS: - To use an application with another account's privileges.
STEPS: - Start – Settings – Control Panel – press SHIFT and R.C. on Add/Remove Programs – Run as – (.) The following user
Username: administrator\jha.com
Password: ........
OK.
Smart card log on: - A smart card is a device that is attached to the system. Example: an ATM card.
DOMAIN USER: - You can also create a user by command line.
DSADD user "CN=Name of user (ABC),CN=users,DC=jha,DC=com" -pwd *
NOTE: - The path of the user is called the DN (Distinguished Name).
The DN represents the exact location of the object.
While the DN is being resolved a protocol is at work; that protocol is called LDAP (Lightweight Directory Access Protocol).
LDAP creates the DN of an object.
TO DELETE DOMAIN USER: -
DSRM "CN=username(ABC),CN=users,DC=jha,DC=com"
OR,
DSRM "Path of DN"
TO CHANGE PASSWORD: -
DSMOD user "Path of DN" -pwd *
TO DISABLE DOMAIN USER: -
DSMOD user "CN=username(ABC),CN=users,DC=jha,DC=com" -disabled yes
TO ENABLE DOMAIN USER: -
DSMOD user "CN=username(ABC),CN=users,DC=jha,DC=com" -disabled no
TO SEE INFORMATION ABOUT ALL USERS: -
DSQUERY user
REMOTE DESKTOP: -
Through this option we can access the desktop of another system.
STEPS: - My Computer (R.C.) – Properties – Remote – Allow remote desktop – OK.
TO ACCESS ANOTHER COMPUTER BY REMOTE DESKTOP: -
Start – Run – mstsc – type the IP address of the system – Connect.

NOTE: - To run the DSA.MSC command on Windows XP, first install ADMINPAK.MSI, which is in the i386 folder of the Windows 2003 CD.
ORGANIZATIONAL UNIT: -
This is a special container that is used to organize the objects in a domain. The symbol of an O.U. is a book.
PURPOSE OF O.U.: -
Delegation
Group policy
Inheritance

Create O.U. by command line: -
DSADD OU "OU=hcl,DC=jha,DC=com"

Create sub O.U. or child O.U. by command line: -
DSADD OU "OU=noida,OU=hcl,DC=jha,DC=com"

NOTE: - An O.U. can contain many objects, for example users, computers, groups, shared folders and printers.

DELEGATION: - Group of representatives. You can delegate your tasks to different users and groups.

Create O.U. by GUI: -
Start – Programs – Administrative tools – Active Directory Users and Computers – R.C. on domain name (jha.com) – New – Organizational Unit – name of OU (sales) – OK.

Create sub OU or child OU by GUI: -
R.C. on OU – New – Organizational Unit – name (tech) – OK.
This feature is called the hierarchical structure of OUs.
To see information about the number of O.U.s: -
Start – Run – cmd – OK.
Write dsquery ou on the command prompt.
TO WORK ON D.C. MACHINE: -
D.C. policies – Local Policies – User Rights Assignment – Allow log on locally – add user or group – name (Everyone) – Apply – OK.

Refresh command: -
gpupdate /force

By default it refreshes every 5 minutes.
To move a user into an O.U.: -
Right click on username – Move – name of the object where you want to move it – OK.

* To give delegate permissions: -
R.C. on user – Delegate Control – Next – Add – Advanced – Find Now – select user name – OK – OK – Next – give the permissions – Next – Finish.

* To remove delegate permissions: -
R.C. on OU – Properties – Security – select user – Remove – Apply – OK.

(2) Group policy: - Group policy is a set of registry-based settings that apply to users as well as to computers.
* Registry – the database of the operating system.
-> Group policy is stored in the SYSVOL folder.
-> To see it – open the drive where Active Directory is saved – Windows – SYSVOL – sysvol – domain name – Policies.
-> We can apply group policy on users and on computers.
-> Each GPO is identified by a GUID (Globally Unique Identifier).
-> It is a 128-bit hexadecimal number.
-> First introduced with Windows 2000 server.
* Steps of Group policy: -
Create a new O.U. and give the name (RAJ) – OK – move a user into the Raj OU – R.C. on the O.U. (raj) – Properties – Group Policy – New, and give the name of the GPO (ABC) – Edit – Administrative Templates – Start Menu and Taskbar, and set the policy – R.C. on the policy – Properties – setting Enabled – Apply – OK.
* To remove group policy: - R.C. on O.U. – Properties – Group Policy – Edit – Administrative Templates – Start Menu and Taskbar, and select the place where we applied the policy – R.C. on policy – Properties – Disabled – Apply – OK.
(3) Inheritance – If we apply any policy on an O.U., then this policy automatically applies on its child O.U.s or sub O.U.s.
(4) Block policy inheritance – When we apply this option on a sub O.U. or child O.U., the policy of the parent O.U. cannot be applied on that child O.U. or sub O.U.
(5) No override or Enforce – We can apply this option on an O.U.; after applying it, even if a sub O.U. has Block policy inheritance set, the O.U.'s policy will still apply on the sub O.U. or child O.U.
* GPMC tool – Group Policy Management Console
-> GPMC was introduced with 2003 server.
-> The GPMC tool is used for the backup and restore process of GPOs.
-> By using the GPMC tool we can do centralized management of all GPOs across the forest.
* Refresh: -
(1) When a user logs on or logs off, the applied policy is refreshed.
(2) When the computer restarts.
(3) By the command line: gpupdate /force
(in 2003 server)

In 2000 server the command is – secedit /refreshpolicy

Refresh time by default is – 5 min automatically
Refresh time maximum is – 45 days = 64,800 minutes
Refresh time minimum is – 0 min = 7 seconds

STEPS OF INHERITANCE POLICY: -
Create an O.U. (name: parents) – create two sub O.U.s (child1) and (child2) – move a user (anil) into the parents O.U., move a user (lav) into child1 and move a user (amit) into child2 – R.C. on parents – Properties – Group Policy – New – Edit – Administrative Templates – click the option where you want to apply the policy – R.C. on policy – Properties – Enabled – Apply – OK.

STEPS OF BLOCK POLICY INHERITANCE: -
Open the Active Directory console – R.C. on (child1) – Properties – Group Policy – Block Policy inheritance – Apply – OK.

STEPS OF NO-OVERRIDE OR ENFORCE: -
Open the Active Directory console – R.C. on (parents) – Properties – Group Policy – Options – No Override – Apply – OK.

RSOP (RESULTANT SET OF POLICY): -
Built into Active Directory.
Introduced with 2003 server.
The GPMC tool has a function similar to RSOP.
RSOP differs between 2000 and 2003 server.
We can install the GPMC tool on Windows XP and 2003 server only.

STEPS OF RSOP: -
R.C. on O.U. or user – All Tasks – Resultant Set of Policy (Planning) – a window comes; now check the option Skip to the final page of this wizard – Next – Next – Finish.
-> RSOP is useful to see the policies.
-> Through RSOP we can find the list of policies applied on users or computers.
* CREATE O.U. BY CSVDE (COMMA SEPARATED VALUE DIRECTORY EXCHANGE) COMMAND: -
Steps: - First write in Notepad –
dn,objectclass
"ou=abc,dc=jha,dc=com",organizationalUnit
"ou=123,dc=jha,dc=com",organizationalUnit
And so on.
Now save it as file name ou.cvd in C: (C drive).
Now, Start – Run – cmd – OK.
Now run the following command at C:\>
csvde -i -k -f ou.cvd
CREATE OU BY LDIFDE (LDAP DATA INTERCHANGE FORMAT DIRECTORY EXCHANGE) COMMAND: -
Open Notepad and write –
dn: ou=y1,dc=jha,dc=com
changetype: add
objectclass: organizationalUnit
Now save it as file name ou.txt in C: (C drive).
Now, Start – Run – cmd – OK.
Now run the following command at C:\>
ldifde -i -k -f ou.txt
CREATE A USER BY LDIFDE (LDAP DATA INTERCHANGE FORMAT DIRECTORY EXCHANGE) COMMAND: -
Open Notepad and write –
dn: cn=abc,dc=jha,dc=com
changetype: add
objectclass: user
Now save it as file name user.txt in C: (C drive).
Now, Start – Run – cmd – OK.
Now run the following command at C:\>
ldifde -i -k -f user.txt

Switches: -
-k – ignore errors
-f – file name
-i – import
CREATE OU BY USING BATCH FILE: -
First open Notepad and type –
dsadd ou "ou=raj,dc=jha,dc=com"
dsadd ou "ou=ram,dc=jha,dc=com"
Now save it as file name ou.bat on the desktop.
Now double click on the ou.bat file and the OUs will be created.
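The dsadd, csvde and ldifde steps above all depend on writing a distinguished name correctly. The following is an added example (not code from the original notes) that builds DNs for the jha.com domain with RFC 4514 escaping, so that a name containing a comma such as "Smith, John" does not split into an extra RDN, and then generates the csvde and ldifde import files in the shape the notes describe. The helper names and the sAMAccountName attribute on the user record are this example's own; the objectClass values are the ones the tools expect.

```python
"""Distinguished names and csvde/ldifde import files for the jha.com domain.

Added example for these notes; it is not part of the original page and does
not replace dsadd, csvde or ldifde. Escaping follows RFC 4514.
"""

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value so it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing spaces must be escaped
        else:
            out.append(ch)
    return "".join(out)


def domain_dn(fqdn):
    """'jha.com' -> 'DC=jha,DC=com'."""
    return ",".join("DC=" + escape_rdn_value(p) for p in fqdn.split("."))


def ou_dn(path, fqdn):
    """['hcl', 'noida'] (parent first) -> 'OU=noida,OU=hcl,DC=jha,DC=com'."""
    rdns = ["OU=" + escape_rdn_value(name) for name in reversed(path)]
    return ",".join(rdns + [domain_dn(fqdn)])


def user_dn(cn, container_dn):
    """Place a user below an existing container such as CN=Users."""
    return "CN=" + escape_rdn_value(cn) + "," + container_dn


def dsadd_user_command(cn, container_dn):
    """The dsadd line from the notes; -pwd * makes dsadd prompt for the
    password so it never appears on the command line or in a batch file."""
    return 'dsadd user "%s" -pwd *' % user_dn(cn, container_dn)


def csvde_ou_file(ou_paths, fqdn):
    """Import file for 'csvde -i -k -f <file>': a header row naming the
    attributes, then one row per OU. objectClass must be organizationalUnit."""
    rows = ["DN,objectClass"]
    for path in ou_paths:
        rows.append('"%s",organizationalUnit' % ou_dn(path, fqdn))
    return "\n".join(rows) + "\n"


def ldifde_add_record(dn, object_class, **attrs):
    """One LDIF 'add' record as used by 'ldifde -i -k -f <file>'."""
    lines = ["dn: " + dn, "changetype: add", "objectClass: " + object_class]
    lines += ["%s: %s" % (k, v) for k, v in attrs.items()]
    return "\n".join(lines) + "\n"


def ldifde_file(records):
    """records: (dn, objectClass, attrs) tuples; LDIF records are separated
    by a blank line."""
    return "\n".join(ldifde_add_record(dn, oc, **attrs)
                     for dn, oc, attrs in records)


if __name__ == "__main__":
    # Constructed sample data: two OUs and one user under CN=Users.
    with open("ou.csv", "w") as fh:        # then: csvde -i -k -f ou.csv
        fh.write(csvde_ou_file([["abc"], ["123"]], "jha.com"))
    with open("user.ldf", "w") as fh:      # then: ldifde -i -k -f user.ldf
        fh.write(ldifde_file([
            (user_dn("abc", "CN=Users,DC=jha,DC=com"), "user",
             {"sAMAccountName": "abc"}),
        ]))
    print(dsadd_user_command("Smith, John", "CN=Users,DC=jha,DC=com"))
```

Run it on a workstation to produce the two import files, then copy them to the server and run the csvde and ldifde commands from the notes; the -k switch only skips rows that fail, so check the tool's error output rather than assuming every object was created.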
· MANAGING PERMISSIONS: - We can apply permissions on users and on groups.
· Permissions means the maximum access allowed.
· Permissions are applied on resources, for example files, folders, printers etc.
SECURITY IDENTIFIER: -
A security identifier is a data structure of variable length that identifies users, groups and computers. A SID is an alphanumeric number. Its length depends on the user's name length.

TO SEE SID: -
Start- Run- Cmd-Ok
Now, on c:\> run the following command: -
whoami /all
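The SID strings that whoami /all prints have a fixed structure, and the final value (the RID) is what tells an administrator which account an entry really is. The following is an added example, not part of the original notes, that pulls SIDs out of whoami output and names the well-known RIDs; the whoami text and the SID values in it are constructed.

```python
"""Parse the SID strings that 'whoami /all' prints.

Added example, not part of the original notes. The sample output below is
constructed to look like the USER INFORMATION section of whoami /all.
"""

import re

# Relative identifiers that are fixed in every domain, whatever the account
# has been renamed to: renaming Administrator does not change RID 500.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

_SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def parse_sid(sid):
    """Split 'S-1-5-21-...-500' into revision, identifier authority and the
    list of sub-authorities (the number of sub-authorities is what varies)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    return {
        "revision": int(parts[1]),
        "authority": int(parts[2]),
        "subauthorities": [int(p) for p in parts[3:]],
    }


def is_domain_account_sid(sid):
    """Domain accounts are S-1-5-21-<three domain values>-<RID>."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    return p["authority"] == 5 and len(subs) == 5 and subs[0] == 21


def rid(sid):
    """The last sub-authority: the relative identifier within its domain."""
    subs = parse_sid(sid)["subauthorities"]
    return subs[-1] if subs else None


def describe(sid):
    """Name a well-known domain RID, otherwise report 'ordinary'."""
    if is_domain_account_sid(sid):
        return WELL_KNOWN_RIDS.get(rid(sid), "ordinary")
    return "not a domain account"


def sids_in(whoami_output):
    """All SID strings found in text such as the output of whoami /all."""
    return _SID_RE.findall(whoami_output)


# Constructed sample: the account is called 'support' but carries RID 500,
# i.e. it is the renamed built-in Administrator.
SAMPLE_WHOAMI = """
USER INFORMATION
----------------

User Name          SID
================== ============================================
jha\\support        S-1-5-21-1004336348-1177238915-682003330-500
"""


if __name__ == "__main__":
    for sid in sids_in(SAMPLE_WHOAMI):
        print(sid, "->", describe(sid))
```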
WHAT IS SHARED FOLDER: -
A shared folder is a folder that can be accessed by other computers on the network.
ACCESS METHODS: -
My Network Places
UNC (Universal Naming Convention) path
Example: \\pc3\xyz (xyz is the share name of the folder)

THERE ARE THREE TYPES OF SHARING: -
Normal share / simple share: - Everyone can access a normal share folder.

Hidden share: - Not everyone can access the folder. To share it, give the share name hcl$ ($ marks a hidden share). We can access it through the UNC path \\pc3\hcl$

Special share: - Under special sharing all drives are shared by default. Not everyone can access these drives; only the administrator or members of the Administrators group can. For access by a general user the administrator password is required.
On the domain controller machine only (1) the Administrators group and (2) Server Operators can share a folder.
On a local machine, members of the Power Users group can share a folder.

METHODS TO SHARE THE FOLDER: -
My Computer – R.C. on My Computer – Manage – Shared Folders – Shares – R.C. on blank space – New Share – Next – give the folder path – Next – (.) All users have read-only access – Finish – Close.
R.C. on Start – Explore – R.C. on the file or folder – (.) Share this folder – allow the number of users – Apply – OK.
R.C. on folder – Sharing and Security – (.) Share this folder – give the share name – allowed maximum users – Apply – OK.
By command line: -
net share hcl=d:\hcl
(where hcl is the share name and d:\hcl is the path of the folder)

FILE SYSTEM: - To arrange data on the hard disk we use a file system.

THERE ARE TWO TYPES OF FILE SYSTEM: -
FAT (File Allocation Table) –
FAT16 – it supports a 4 GB partition.
FAT32 – it supports a 32 GB partition.
NTFS (NTFS version 5) – it supports a 2 TB partition.
FAT is supported by Windows 95, 98 and ME etc.
NTFS is supported by Windows 2000, XP, NT, 2003 etc.
The NTFS file system provides additional security.

SECURITY TYPE IN NTFS: -
Compression
Encryption
Disk quota
NTFS permissions

PERMISSIONS: -
Sharing permissions – apply on the network only.
NTFS permissions – apply locally and on the network.

Sharing permissions: -
(1) Read (2) Change (3) Full control
For special permissions go to the Advanced tab.

NTFS PERMISSIONS ON FOLDER: -
Inheritance – means if we apply security permissions on C:\ (C drive) and we create a folder in it, then these permissions are automatically inherited by that folder.
We can also block the inheritance of permissions in order to change them; that is, if security is already applied on a drive, then through this option we can change the security options.
Example – C:\Data (folder)
-A (reduce one permission per folder)
-B
-C
* TYPES OF NTFS PERMISSIONS: -
(1) Standard – Full control, Modify, Read & Execute, List folder contents, Read, Write, Special permissions.
(2) Special permissions – to apply them go to the Advanced tab – Edit.

BENEFITS OF NTFS PERMISSIONS: -
The object owner can always change the permissions.
NTFS permissions are cumulative (combined).
NTFS permissions are applied only on NTFS partitions.
You can view the effective permissions on a file or a folder.
NTFS permissions are cumulative means: suppose Amit is a user who is a member of both the Sales and the Accounts groups, and the permissions already applied are Read on Sales and Write on Accounts; then Amit has both Read and Write permissions.
READ on Sales and WRITE on Accounts
Amit – XYZ folder (R+W)
INHERITANCE STEPS: - Open My Computer – R.C. on C:\ – Properties – Security – give the permissions – OK – create a new folder in C:\; the permissions will automatically apply on this folder.

TO SEE FOLDER SECURITY PERMISSIONS: -
R.C. on folder – Properties – Security – see the permissions.

* BLOCK POLICY (PERMISSIONS) INHERITANCE: -
Create a folder in any drive – R.C. on that folder – Properties – Security – Advanced – uncheck Allow inheritable permissions... – Copy – Apply – OK – and then we can apply new permissions on that folder – Apply – OK.
TO TAKE OWNERSHIP: -
Create a user named hcl – log on as hcl – create a folder named xyz in any drive – R.C. on folder – Properties – Security – select the user Administrator – Deny (check boxes) – Apply – Yes – OK.
Now log on as Administrator and open that folder; the message "Access is denied" comes.
Now R.C. on that folder – Properties – Security – OK – Advanced – Owner – select the user Administrator – check Replace owner on subcontainers and objects – Apply – Yes – OK – OK.
SHARING / NTFS PERMISSIONS: -
· Sharing – Read, Change, Full control
· NTFS permissions – Full control, Modify, Read

Example: on the XYZ folder, Everyone (the user) has the sharing permission READ and the NTFS permission FULL CONTROL.
· When we access that folder (XYZ), on which both sharing and NTFS permissions are applied, the least permission applies.

· NTFS PERMISSIONS: -
· Standard
· Advanced
· Sharing permissions always apply on the network.
· There are only three sharing permissions: Read, Change and Full control.
· NTFS permissions apply locally as well as on the network.
· There are two types of NTFS permissions: Standard and Special permissions.
· If there is a conflict between sharing and NTFS permissions on the network, the least permission always applies.
· In the case of NTFS, permissions are cumulative (combined).
· EXAMPLE: -
Folder: Backup. User: XYZ (member of the Sales and Accounts groups).
Sharing permission: Everyone – Full control.
NTFS: READ (Sales group), MODIFY (Accounts group).
· First, according to the NTFS permissions, READ + MODIFY = MODIFY, so Modify applies. Now, between MODIFY (NTFS) and FULL CONTROL (sharing), MODIFY is the least permission, so it is applied.
· EXAMPLE: -
Folder: Backup. User: XYZ (member of the Sales and Accounts groups).
Sharing permission: Everyone – READ.
NTFS: Full control (Sales group), READ (Accounts group).
· Here, first Full control + Read = Full control.
But between Full control and Read, Read is the least permission, so it will apply.
· On the local machine the NTFS permissions apply, and on the network the sharing permissions apply.
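The two worked examples above follow one rule, and it is worth seeing the rule as code rather than only as two cases. The following is an added example (not from the original notes) that combines a user's NTFS permissions across groups, then takes the least of the combined NTFS permission and the combined share permission for network access; the group and folder names are the notes' own, the function names are this example's. It also covers the case the notes do not spell out: a user whose groups hold no NTFS grant at all gets nothing, whatever the share allows.

```python
"""Effective permission on a shared NTFS folder, by the rules in the notes:
NTFS permissions accumulate across a user's groups, and over the network the
least of the share permission and the NTFS permission applies.
Added example; the folders, users and groups are the notes' own."""

# Least to most permissive. Share "Change" sits at the same level as NTFS
# "Modify" (both allow create, modify and delete, neither allows changing
# permissions), so the two can be compared directly.
LEVELS = ["Read", "Modify", "Full control"]
_ALIASES = {"Change": "Modify"}


def _level(permission):
    return LEVELS.index(_ALIASES.get(permission, permission))


def cumulative(grants, memberships):
    """Combine the allow permissions of every group the user belongs to and
    return the most permissive one, or None if no group grants anything.
    grants: {group: permission}; memberships: the user's groups."""
    held = [_level(p) for group, p in grants.items() if group in memberships]
    return LEVELS[max(held)] if held else None


def effective(ntfs_grants, share_grants, memberships, over_network=True):
    """Local access is governed by NTFS alone; network access by the least
    of the combined NTFS and the combined share permission."""
    groups = set(memberships) | {"Everyone"}   # every user is in Everyone
    ntfs = cumulative(ntfs_grants, groups)
    if ntfs is None or not over_network:
        return ntfs                            # None = no access at all
    share = cumulative(share_grants, groups)
    if share is None:
        return None                            # no share permission at all
    return LEVELS[min(_level(ntfs), _level(share))]


if __name__ == "__main__":
    # First example from the notes: XYZ in Sales (Read) and Accounts (Modify),
    # share Everyone = Full control -> Modify.
    print(effective({"Sales": "Read", "Accounts": "Modify"},
                    {"Everyone": "Full control"}, ["Sales", "Accounts"]))
    # Second example: Sales = Full control, Accounts = Read, share Everyone =
    # Read -> Read over the network, Full control when logged on locally.
    print(effective({"Sales": "Full control", "Accounts": "Read"},
                    {"Everyone": "Read"}, ["Sales", "Accounts"]))
    print(effective({"Sales": "Full control", "Accounts": "Read"},
                    {"Everyone": "Read"}, ["Sales", "Accounts"],
                    over_network=False))
```

The model only covers Allow entries, which is all the notes' examples use; a Deny entry on the Security tab overrides any Allow for the same user or group, so it would need a separate check before the accumulation step.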

DOMAIN SECURITY POLICY: -
1. Account policies
2. Local security policies
1. Account policies: -
a. Account lockout policy
b. Password policy
2. Local security policies: -
a. User rights assignment
b. Audit policy
c. Security options
a. Account lockout policy: -
a. Account lockout duration – maximum 99,999 minutes = approx. 70 days.
b. Account lockout threshold – maximum 999 attempts.
c. Reset account lockout counter after – maximum 99,999 minutes.
· By default these policies are not defined.
b. Password policy: -
a. Enforce password history – 24 passwords
b. Maximum password age – 999 days
c. Minimum password age
d. Minimum password length – max. 127 characters
e. Password must meet complexity requirements
f. Store password using reversible encryption for all users in the domain.
· STEPS: - Start – Programs – Administrative tools – Domain Security Policy – Account Policies – Password Policy.

TO UNCHECK ACCOUNT IS LOCKED OUT: -
R.C. on user – Properties – Account – uncheck Account is locked out.
-> TO SEE USER'S PASSWORD POLICY: -
Start – Run – cmd – OK.
Now, at C:\> run: net accounts
· Windows 98 and NT support a minimum 14-character password.
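The password policy settings above are enforced by the domain controller at password-change time; the following added example (not from the original notes) shows what that check amounts to for history, minimum length and complexity. The complexity rule implemented is the documented Windows one: at least six characters, three of the four character classes, and no account name or full-name part of three or more characters inside the password. The function names, the default minimum length of 7 and the use of SHA-256 in place of the directory's own hashes are this example's assumptions.

```python
"""Check a password against the domain password policy settings named in the
notes (history, minimum length, complexity). Added example, not part of the
original page."""

import hashlib
import re


def meets_complexity(password, sam_account_name, full_name=""):
    """The 'Password must meet complexity requirements' rule."""
    if len(password) < 6:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        return False
    lowered = password.lower()
    # The account name, plus each part of the full name (split on separators),
    # must not appear in the password when it is three or more characters.
    names = [sam_account_name] + re.split(r"[,.\-_ #\t]+", full_name)
    for name in names:
        if len(name) >= 3 and name.lower() in lowered:
            return False
    return True


def _digest(password):
    # The directory keeps hashes, not plaintext; a plain SHA-256 stands in for
    # them here (constructed for the example, not the Windows hash format).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def is_acceptable(password, sam_account_name, full_name, history,
                  min_length=7, history_count=24, complexity=True):
    """history: digests of previous passwords, newest first. Returns the
    reason a password is rejected, or None if it passes every setting."""
    if len(password) < min_length:
        return "shorter than minimum password length"
    if _digest(password) in history[:history_count]:
        return "reused a password from the enforced history"
    if complexity and not meets_complexity(password, sam_account_name, full_name):
        return "does not meet complexity requirements"
    return None


if __name__ == "__main__":
    old = [_digest("Winter#2009"), _digest("Summer#2009")]   # constructed
    for candidate in ("Winter#2009", "amit2009!!", "Rajesh9!x", "short"):
        print(candidate, "->", is_acceptable(candidate, "amit", "Amit Kumar", old))
```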

GPMC (GROUP POLICY MANAGEMENT CONSOLE) TOOL: -
It is a tool through which we can work on Active Directory group policy. It was introduced with 2003 server. GPMC.MSI is a Microsoft Installer file. Through the GPMC tool we can take a backup of GPOs and also restore them. By using the GPMC tool we can do centralized management of all GPOs across the forest. GPMC.MSI takes 5.5 MB of space.

TO APPLY POLICY AND TAKE BACKUP BY USING GPMC TOOL: -
First install GPMC.MSI.
Start – Programs – Administrative tools – Group Policy Management – Domains – domain name (jha.com) – R.C. on domain name – New Organizational Unit – name of OU (krish) – R.C. on OU (krish) – Create and Link a GPO Here – name of new GPO (aaa) – OK – R.C. on GPO (aaa) – Edit – Administrative Templates – now set the policy settings.
Now R.C. on Group Policy Objects – R.C. on GPO (aaa) – Back Up – give the location – Back Up – OK – now delete GPO (aaa).

TO RESTORE: -
R.C. on Group Policy Objects – Manage Backups – select whatever you want to restore – Restore – OK – Close.
-> TO MOVE A GPO TO AN O.U.: -
R.C. on O.U. (krish) – Link an Existing GPO – select GPO (aaa) – OK.
-> TO SEE POLICY SETTINGS: -
Double click on the GPO – Settings – Show all policy settings.

BLOCK POLICY: -
R.C. on child O.U. – Block Inheritance
* AUDITING: -
Auditing is the process that tracks user and operating system activities by recording selected types of events in the security log of a server or a workstation. Auditing is a cross-check policy. There are two types of auditing: Success and Failure. To see the audit entries go to Event Viewer – Security log.

CATEGORIES OF AUDITING: -
Audit account management – entries for user account creation or deletion.

Audit account logon events – when a wrong or unauthorized user tries to log on, its information is shown as a failure audit, and when a user succeeds, the information is shown as a success audit.

Audit logon events – this policy applies on the client machine. We enable this policy for success or failure logon events.

Audit object access – when any user accesses a file, folder or printer and the administrator wants to see which user or group accessed the file or resource, he can configure the object access audit policy.

Audit system events – by using this policy we can find out when a user restarted or shut down the computer, or when a system event occurred.

Audit directory service access – to find which user accessed Active Directory services, we enable this policy.

Audit privilege use – to see entries related to user rights, we enable this policy; for example changing the system time or taking ownership of a file.

Audit policy change – if any policy is changed, such as password options, account logon settings, user rights or audit policies, then the information is shown under this policy.

Audit process tracking – this information is generally useful only for programmers who want to track details about application execution.

FOR REFRESHING: -
Start – Run – gpupdate /force – OK.

[NOTE: - Event ID 538 – Logon/logoff, Event ID 673 – Account logon, Event ID 642 – Account management.]

STEPS FOR OBJECT ACCESS: -
Create a new folder – R.C. on folder – Properties – Auditing – select user – give Success and Failure control (check mark all) – log off and then log on as that user.
Now open the folder – create a new folder or file inside it – now log off that user.
Now log in as Administrator – see the success or failure audit entries.
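Reading the security log by hand works for one test folder; for a day's worth of entries an administrator wants the categories and the failed-logon counts pulled out automatically. The following is an added example, not part of the original notes, that classifies saved security-log rows by event ID and lists accounts whose failed logons reached the lockout threshold. The event IDs 538, 673 and 642 are the ones the notes give; 529 (logon failure: unknown user name or bad password), 560 (object open) and 644 (user account locked out) are the corresponding Windows 2003 IDs. The log lines, the column order and the description text are constructed for the example.

```python
"""Classify Windows Server 2003 security-log rows and count failed logons.

Added example, not part of the original notes. SAMPLE_LOG is constructed in
the comma-separated form used here: Type, Date, Time, Source, Category,
Event, User, Computer, Description.
"""

import csv
import io
import re
from collections import Counter

EVENT_CATEGORY = {
    529: "Logon/Logoff (failure)",
    538: "Logon/Logoff",
    560: "Object Access",
    642: "Account Management",
    644: "Account Management (lockout)",
    673: "Account Logon",
}

FIELDS = ["Type", "Date", "Time", "Source", "Category", "Event",
          "User", "Computer", "Description"]

# Constructed sample: four bad-password attempts (three on amit, one on lav),
# then a Kerberos service ticket, an account change and a logoff.
SAMPLE_LOG = """\
Failure Audit,11/27/2009,09:01:10,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,DC1,Logon Failure: Reason: Unknown user name or bad password User Name: amit Domain: JHA Logon Type: 3
Failure Audit,11/27/2009,09:01:14,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,DC1,Logon Failure: Reason: Unknown user name or bad password User Name: amit Domain: JHA Logon Type: 3
Failure Audit,11/27/2009,09:01:19,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,DC1,Logon Failure: Reason: Unknown user name or bad password User Name: lav Domain: JHA Logon Type: 3
Failure Audit,11/27/2009,09:01:25,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,DC1,Logon Failure: Reason: Unknown user name or bad password User Name: amit Domain: JHA Logon Type: 3
Success Audit,11/27/2009,09:02:00,Security,Account Logon,673,JHA\\amit,DC1,Service Ticket Granted
Success Audit,11/27/2009,09:05:30,Security,Account Management,642,JHA\\administrator,DC1,User Account Changed
Success Audit,11/27/2009,09:06:02,Security,Logon/Logoff,538,JHA\\amit,DC1,User Logoff
"""

_USER_RE = re.compile(r"User Name:\s*(\S+)")


def parse_export(text):
    """Rows of the saved log as dicts keyed by FIELDS; Event becomes an int."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["Event"] = int(rec["Event"])
        rows.append(rec)
    return rows


def category(event_id):
    return EVENT_CATEGORY.get(event_id, "other")


def target_account(row):
    """Failed-logon (529) rows are logged by SYSTEM and carry the attempted
    account in the description; other rows name it in the User column."""
    if row["Event"] == 529:
        m = _USER_RE.search(row["Description"])
        return m.group(1).lower() if m else None
    return row["User"].split("\\")[-1].lower()


def failed_logons(rows):
    """Failed logon attempts per account."""
    return Counter(target_account(r) for r in rows if r["Event"] == 529)


def accounts_over_threshold(rows, threshold):
    """Accounts whose failures reached the Account lockout threshold value;
    with lockout enabled these are the accounts about to produce a 644."""
    return sorted(a for a, n in failed_logons(rows).items() if n >= threshold)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_LOG)
    for r in rows:
        print(r["Time"], r["Event"], category(r["Event"]), target_account(r))
    print("over threshold:", accounts_over_threshold(rows, 3))
```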
GROUPS: - Group is a collation of user’s computers. The purpose of group is, assign permission on resources.
File folder and printer – These are resources.
These are here types of groups
Default group
System group
Custom group
Default group/Built-in group: -
Administrators group – members can change every setting of the computer (for the domain's built-in Administrators group, of every domain controller in the domain).

Account Operators – members can create user and group accounts in Active Directory and manage most existing ones, but cannot modify the Administrators group, the other operator groups or the accounts that belong to them.

Backup Operators – members can back up and restore files on the domain controller even when they have no NTFS permission on those files, because the backup privilege bypasses permissions. The privilege only works through backup-aware tools such as the ntbackup wizard; a Backup Operator still cannot open those files in Explorer.

Server Operators – members can log on locally to the domain controller, shut it down, manage printers, share folders and back up and restore files.

Print Operators – members can only manage printers on the domain controller. They hold all three printer permissions: 1. Print 2. Manage Printers 3. Manage Documents.

Network Configuration Operators – members can change network settings (IP address, subnet mask, default gateway, preferred and alternate DNS server, etc.) without being administrators.

Guests – contains the built-in Guest user account (which is disabled by default).

Power Users group (exists on member servers and workstations, not on domain controllers) – members can perform the following tasks: -
manage printers.
share folders.
create local users and groups, and manage only the users and groups they created themselves, not those created by the administrator.
change the system time.

System group: -

Everyone – contains all users, including Guest. Since Windows Server 2003, Anonymous Logon is no longer a member of Everyone by default, so permissions granted to Everyone do not reach unauthenticated connections.

Creator Owner – a placeholder identity, not an account. When CREATOR OWNER is granted permissions on a folder, every file or subfolder created inside it receives those permissions for the user who created that object, so each user gains rights only over his own objects (this is how an "everyone can add, only the creator can delete" folder is built).
Administrators can take ownership of any file or folder not through this group but because they hold the Take Ownership user right.

Interactive group – you automatically become a member while using local resources after logging on at the console (or through a Remote Desktop session).

Network group – you become a member while accessing a resource over the network, for example a shared folder.

System groups are created automatically by the operating system according to how the user is connected. You cannot change the membership of a system group, but you can grant or deny it permissions. In the permissions dialog its icon carries a red arrow.

Authenticated Users group – every user who logged on with a valid username and password. Guest is not included, even if the Guest account has a password.

Custom group: - A custom group is created manually by an administrator, in the GUI or with dsadd group.

Groups are characterized by scope and type –
Group types –
Security – has a SID, so it can be used to assign user rights and permissions; it can also be used as an e-mail distribution list.

Distribution – can be used only with e-mail applications; it has no SID in the user's access token, so it cannot be used to assign permissions.

Scope –
Global – members from its own domain only; can be granted permissions in any domain of the forest.
Domain local – members from any domain; can be granted permissions only in its own domain.
Universal – members from any domain; can be granted permissions in any domain (its membership is stored in the global catalog).
Domain functional level: -
Windows 2000 mixed – Windows NT 4.0 BDCs can still exist alongside Windows 2000 and Windows Server 2003 domain controllers. Because an NT 4.0 BDC keeps the old SAM database, the practical limit is about 40,000 objects.

Windows 2000 native – only Windows 2000 and Windows Server 2003 domain controllers; millions of objects, universal security groups and group nesting are supported.

Windows Server 2003 – only Windows Server 2003 domain controllers.

Universal security groups cannot be created in Windows 2000 mixed (universal distribution groups can).
Raising the functional level is one-way; it cannot be lowered afterwards.
To raise domain functional level: - R.C. on domain name in Active Directory Users and Computers – Raise Domain Functional Level – select the level – Raise.
To create a global security group by command line (global scope and security type are the defaults): -
DSADD group "cn=hclcdc,cn=users,dc=sprite,dc=com"
To create a universal security group: -
DSADD group "cn=hclcdc12,cn=users,dc=sprite,dc=com" -scope u
To create a domain local distribution group: -
DSADD group "cn=hclcdc123,cn=users,dc=sprite,dc=com" -scope l -secgrp no
(-scope takes l, g or u; -secgrp yes|no selects security or distribution type.)
To see all groups: -
dsquery group
To see system configuration: -
Start- Run- msinfo32-ok.
DISASTER RECOVERY IN SERVER 2003: -
Disaster recovery is the process that allows normal business operations to resume as quickly as possible after a disaster.
Ontrack, a data-recovery company in Minneapolis in the United States, published the following breakdown of the causes of data loss in companies: -
42% = Hardware failure
32% = Human error
13% = Software problem
7% = Virus problem
3% = Natural disaster
3% = Others

DISASTER RECOVERY TOOL: -
Backup

Emergency phone numbers

Boot disk

ERD (Emergency Repair Disk)

Recovery console

Safe mode

Event viewer

Dr. Watson

ASR (Automated System Recovery)

Shadow copy

Backup software

All installation CD’s (Software/O.S.)

RAID (Redundant Array Of Independent Disk)

IRT: - The Incident Response Team is the recovery team. When an incident occurs this team responds to it; when its members are not available, an Alternate Response Team manages the whole thing.

BACKUP: - Using the ntbackup wizard we take the backup on the machine to which the backup media is attached.
ntbackup cannot write a backup to CDs or DVDs directly (Windows Server 2008 backup can).
Tape drives, pen drives, fixed or removable hard disks and network shares are backup media.
Members of Administrators or Backup Operators can back up any file.
Any other user can back up a file or folder only if he has at least Read permission on it; the owner of a file or folder can always back it up.

Copies should be kept at both sites - ONSITE and OFFSITE.
Restore is used when data is lost accidentally (or deliberately).

WHAT YOU WANT TO BACKUP: -
Backup selected files and folders- you pick what to back up.
Backup system state data- on a domain controller this is (1) Active Directory (ntds.dit) (2) boot files (3) SYSVOL (4) IIS metabase, if installed (5) Certificate Services database, if installed (6) Registry (7) COM+ class registration database. System State is always backed up and restored as one unit.
Backup entire computer- everything on the system, including System State.

TYPES OF BACKUP: -
Normal/ Full backup

Incremental backup

Differential backup

Copy backup

Daily backup

ARCHIVE BIT: - A file attribute that Windows sets whenever a file is created or modified; it marks the file as needing backup. Normal and incremental backups clear it after copying; differential, copy and daily backups leave it set. Companies use N+I (normal + incremental) or N+D (normal + differential) schedules.
The table assumes a normal backup taken before Monday; each letter is the set of files changed on that day.
DAY   INC. BACKUP   DIFF. BACKUP
MON   M             M
TUE   T             M, T
WED   W             M, T, W
THU   TH            M, T, W, TH
FRI   FR            M, T, W, TH, FR
SAT   SAT           M, T, W, TH, FR, SAT

Restore for N+I: - Restore the normal backup, then every incremental backup in order, oldest first. Backups are small and quick; the restore is long and fails if one incremental set is missing.
Restore for N+D: - Restore the normal backup and only the latest differential backup. Backups grow through the week; the restore needs just two sets.

DAILY BACKUP: - Copies only files created or modified on the day the backup runs, and does not clear the archive bit. If a file was created on 21 June its daily backup must run on 21 June; a daily backup run on 22 June completes without error but does not contain the file, so its contents cannot be restored from that backup.

COPY BACKUP: - Same as a normal backup, but it does not clear the archive bit, so an ad-hoc copy backup does not disturb the N+I or N+D schedule.
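The archive-bit rules above are easy to get wrong under pressure, so here is a small Python simulation, added to these notes and not part of the original, that models a volume with an archive bit per file and the five backup types, reproduces the weekly table (with the normal backup taken on Sunday and the day names doubling as the file changed that day), derives the restore order for N+I and N+D, and shows the daily-backup gap and the copy-backup case. The file names and day numbers are assumptions.

```python
# Archive-bit model of the ntbackup backup types. Added example; the file
# names, day numbers and the Sunday normal backup are assumptions.

class Volume:
    """Files on a volume: name -> [day last modified, archive bit]."""

    def __init__(self):
        self.files = {}

    def write(self, name, day):
        # Creating or modifying a file always sets the archive bit.
        self.files[name] = [day, True]

    def backup(self, kind, day):
        """Run one backup job of the given type on `day` and return the file
        names it copied, in creation order."""
        if kind in ("normal", "copy"):
            selected = list(self.files)
        elif kind in ("incremental", "differential"):
            selected = [n for n, (_, bit) in self.files.items() if bit]
        elif kind == "daily":
            selected = [n for n, (mod, _) in self.files.items() if mod == day]
        else:
            raise ValueError("unknown backup type: %s" % kind)
        # Only normal and incremental clear the bit; differential, copy and
        # daily leave it set, which is why a differential keeps growing.
        if kind in ("normal", "incremental"):
            for n in selected:
                self.files[n][1] = False
        return selected


DAYS = ["MON", "TUE", "WED", "THU", "FRI", "SAT"]


def simulate_week(kind):
    """Normal backup on Sunday, then one `kind` backup each day Monday to
    Saturday after that day's file is written. Returns {day: files in that
    day's backup}; the day name is used as the name of the file changed then."""
    vol = Volume()
    vol.write("SUN", 0)
    vol.backup("normal", 0)
    result = {}
    for i, day in enumerate(DAYS, start=1):
        vol.write(day, i)
        result[day] = vol.backup(kind, i)
    return result


def restore_plan(kind, failure_day):
    """Backup sets to restore, in order, to get the volume back as it was
    after the backup taken on `failure_day`."""
    i = DAYS.index(failure_day)
    if kind == "incremental":
        return ["NORMAL"] + DAYS[: i + 1]   # every incremental, oldest first
    if kind == "differential":
        return ["NORMAL", DAYS[i]]          # only the latest differential
    raise ValueError("unknown schedule: %s" % kind)


def daily_backup_gap():
    """A file written on the 21st is in a daily backup run on the 21st but
    not in one run on the 22nd, which still completes without error."""
    vol = Volume()
    vol.write("report.doc", 21)
    return vol.backup("daily", 21), vol.backup("daily", 22)


def copy_keeps_schedule_intact():
    """A copy backup between a normal and an incremental leaves the archive
    bit set, so the next incremental still captures the modified file."""
    vol = Volume()
    vol.write("a.txt", 1)
    vol.backup("normal", 1)
    vol.write("a.txt", 2)                     # modified after the full backup
    copied = vol.backup("copy", 2)            # ad-hoc copy; bit stays set
    incremental = vol.backup("incremental", 3)
    return copied, incremental


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        print(kind, simulate_week(kind))
        print("restore after THU:", restore_plan(kind, "THU"))
    print(daily_backup_gap(), copy_keeps_schedule_intact())
```

Run it with no arguments to print both weekly tables and the restore orders; change the day on which a file is written to see which backup sets it lands in.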
STEPS: - start – Programs – Accessories – System tools – Backup
Boot Disk –

1. NTLDR 2. Boot.ini 3. NTDETECT.COM 4. NTOSKRNL.EXE 5. NTBOOTDD.SYS 6. BOOTSECT.DOS

NTLDR, Boot.ini, NTDETECT.COM and NTOSKRNL.EXE are mandatory files; NTBOOTDD.SYS and BOOTSECT.DOS are optional.

NTLDR, Boot.ini, NTDETECT.COM, NTBOOTDD.SYS and BOOTSECT.DOS are created in the root of the system partition (C:\).
These files are hidden, system and read-only.
NTOSKRNL.EXE is created in windows\system32 (the boot partition).

NTLDR – NTLDR is the boot loader, the first Windows file executed in the pre-boot sequence, which is why it is also called the parent file. It is always loaded from the active system partition (C:).
When we start the system the following tasks are performed: -

POST (power-on self test)

BIOS reads the MBR (Master Boot Record) from the first hard disk

MBR code finds the active partition (C:\) and loads its boot sector

The boot sector loads NTLDR, which reads Boot.ini, runs NTDETECT.COM and loads NTOSKRNL.EXE

Boot.ini – Contains the list of operating systems installed on the computer (the [operating systems] section) and the default one (the default= line).
By default the operating system selection time is 30 seconds (timeout=30); we can increase or decrease it, and timeout=0 boots the default entry immediately.

To see these files: -
1. By using GUI interface
2. By using attrib command

NTOSKRNL.EXE – The Windows kernel; NTLDR loads it (together with HAL.DLL) to boot the operating system.

NTDETECT.COM – Detects the hardware in the computer and hands the information to NTLDR, which writes it to the HARDWARE key in the registry (rebuilt at every boot).

Key – A container of information in the registry.

NTBOOTDD.SYS – Created only when the boot disk is on a SCSI controller whose BIOS is disabled; it is a renamed copy of the SCSI driver placed on the C: partition, and Boot.ini then uses scsi() instead of multi() paths.

BOOTSECT.DOS – Created when dual-booting with MS-DOS or Windows 9x; it holds a copy of that operating system's boot sector, which NTLDR loads when that entry is chosen. (Dual-booting XP and 2000 does not need it, since both use NTLDR.)

To see hidden files by command line: -
Start – Run – cmd – C:\>attrib
NTLDR shows SHR (System, Hidden, Read-only).
· Recovery console – The Recovery Console is a disaster recovery tool used to enable and disable services, recover missing files and troubleshoot with a limited set of command-line commands. You can reach it in two ways –
1. Install it on the hard disk (winnt32 /cmdcons), after which it appears as an entry in the Boot.ini menu.
2. Boot from the Windows Server 2003 CD and press R.
· The minimum disk space required to install the Recovery Console is 7 MB.
· The Recovery Console is security-restricted: by default you cannot copy files from the hard disk to removable media, but copying from CD or floppy to the hard disk is allowed, and only the root, the Windows folder and its subfolders, cmdcons and removable media can be accessed unless the Recovery Console security policy is relaxed.

· Commands in the Recovery Console –
1. COPY 2. FORMAT 3. CD / CHDIR 4. LISTSVC – lists drivers and services 5. CHKDSK 6. DISKPART 7. HELP 8. MORE 9. ENABLE 10. DISABLE 11. RMDIR 12. MKDIR 13. FIXMBR – rewrites the master boot record 14. EXPAND – uncompresses a file from the CD (.dl_, .ex_) 15. FIXBOOT – writes a new boot sector.
· Dr. Watson – A tool that records application (software) errors when a program crashes, so you can see what went wrong.
· Start – Run – drwtsn32 (to see application errors)
· Safe mode
· Safe mode with networking
· Safe mode with command prompt
a. Safe mode – The system boots with the GUI and a minimal set of drivers and services. Its purpose is to troubleshoot devices and services, for example by removing a driver that stops a normal boot.
b. Safe mode with networking – Also loads the LAN drivers, so we can copy files across the network.

c. Safe mode with command prompt – Starts a command prompt instead of Explorer, for troubleshooting from the command line.
All installation CDs
1. CDs for XP / 2003
2. Latest service packs
3. Software = MS Office, Tally, Adobe, etc.
4. Antivirus software

Shadow copies – Shadow Copies of Shared Folders is a feature of the Windows Server 2003 family that provides point-in-time, read-only copies of files on network shares. With it, you can view the contents of network folders as they existed at various points in time.

An NTFS volume is required for shadow copies.
It is enabled per volume, not per folder.
Clients reach the copies only through shared folders (the Previous Versions tab of a file or folder opened by its UNC path).
The minimum amount of storage space for shadow copies is 100 MB.
At most 64 shadow copies are kept per volume; when the limit is reached the oldest is deleted.
By default shadow copies are created at 7:00 AM and 12:00 PM, Monday to Friday.
We can change the schedule.
Using this, we can recover deleted files and also view or restore previous versions of a file.
Previous Versions is the client-side tab that shows the snapshots; the snapshot of the whole volume sits on the server.
To see it-
Start- Run- \\5.0.0.1 (the server's IP address)- Ok. Now R.C. on a shared folder- Properties- Previous Versions.
Windows XP with Service Pack 2 and Windows Vista already include the Previous Versions client; earlier XP needs the twcli32.msi installer from %SystemRoot%\system32\clients\twclient on the server.

STEPS: - R.C. on any drive- Properties- Shadow Copies- Enable- Settings- (.) Use limit: 100 MB- Schedule- Once (Schedule task)- Start time (10:35 AM)- Advanced- Repeat task (Every 5 minutes)- Ok- Ok- Ok- Ok.
Now, create a new folder on the same drive named hcl- R.C. on hcl- Sharing and Security- Share this folder- Permissions- Everyone Full Control- Ok- Apply- Ok.
Now, Start- Run- \\5.0.0.1 (IP address of own computer)- Ok. - R.C. on hcl folder- Properties- Previous Versions.
ERD (Emergency Repair Disk): - In Windows 2000 the ntbackup wizard offers three options- Backup, Restore and Emergency Repair Disk. Windows XP Professional and Windows Server 2003 replace ERD with ASR (Automated System Recovery). The ERD floppy holds Setup.log, Autoexec.nt and Config.nt; the "Also backup the registry to the repair directory" checkbox copies the registry hives to %SystemRoot%\repair on the hard disk, not to the floppy. The ERD contains no operating system files; it is used from the repair option of the Windows 2000 CD.

ASR: - Automated System Recovery is the ntbackup feature that recovers a system which no longer starts. It has two parts- the ASR backup and the ASR restore. The ASR backup copies the system volume (operating system and installed software) and System State to the backup medium and writes a floppy disk with the disk configuration (asr.sif and asrpnp.sif), which is read during the ASR restore. Data on other volumes is not included and needs a normal backup.
Suppose C:\ is corrupt and the ASR backup file is on D:\. Boot from the Windows Server 2003 CD, press F2 when Setup prompts for ASR and insert the ASR floppy; Setup repartitions and formats the system volume, installs a minimal Windows and then restores the operating system, the software and System State from the backup on D:\.

EVENT VIEWER: - A component you use to view and manage event logs, gather information about hardware and software problems, and monitor security events. Event Viewer maintains logs of application, security and system events.
(Logs – Information)
Application – application or software errors
(as reported by C and C++ programs, MS Office, etc.)
System – operating system and service events (DHCP, DNS, etc.)
Security – audit records produced by the audit policies

RAID – Redundant Array of Independent (or Inexpensive) Disks
A standard way of categorizing fault-tolerant disk systems.
Windows Server 2003 software RAID supports three levels – RAID-0 (striping, no fault tolerance), RAID-1 (mirroring) and RAID-5 (striping with parity); hardware controllers offer more.

Compression and encryption: -

Compression – To gain space on drives or removable storage we apply this attribute, because compressing files and folders decreases their size on disk.
Compression requires an NTFS partition.
Compressed files and folders are shown in blue.
We should not compress system files or the Windows folder, because decompressing them on every access slows the server.
Microsoft Windows Server 2003 supports two types of compression –
1. NTFS compression and 2. the Compressed (zipped) Folders feature.
Compact command: - The command-line tool for NTFS compression.
compact – displays the compression state of the files in the current directory (C = compressed).
compact /c DNS – compresses the folder DNS (the folder name is an example)
compact /u DNS – uncompresses the folder DNS
compact /c /s:DNS – compresses DNS and everything below it

By GUI – R.C. on file or folder – Properties – Advanced – Compress contents to save disk space.

Encryption – By applying this attribute (EFS, the Encrypting File System) the contents of a file are hidden from everyone except the user who encrypted it and the recovery agent.

DRA – The Data Recovery Agent is a user who holds a File Recovery certificate, issued by Microsoft Certificate Services or self-signed, whose public key is added to every EFS file so that the agent can decrypt it if the user's key is lost.
DRA stands for Data Recovery Agent.
By default there is no DRA on Windows XP in a workgroup.
When XP is in a domain, the domain Administrator account is the default DRA (through the Default Domain Policy).

Plaintext – Data that is not encrypted. It is also called clear text.

Ciphertext – The encrypted form of the file or folder. Other users cannot read it, but they can still delete it if they have NTFS permission, so EFS is not a substitute for permissions.
We should not encrypt system files or the Windows folder.
We can encrypt files using two methods –

1. GUI
2. Command line.
R.C. on file or folder – Properties – Advanced – Encrypt contents to secure data.

cipher command – With no arguments it displays the encryption state of the files and folders in the current directory (E = encrypted, U = unencrypted).

cipher /e xyz (folder name) – encrypts the folder, so files created in it afterwards are encrypted.

cipher /d xyz (folder name) – decrypts the folder.

cipher /e /a xyz\a.txt (a.txt is the file name) – encrypts a specific file in the folder (/a works on files, not only on folders).

cipher /e /s:xyz – encrypts the folder and all the folders inside it.

MONITORING OF WINDOWS SERVER 2003: -
We can monitor these things-
RAM

Hard disk

Processor

Network

PROACTIVE: - Watching the counters before a problem occurs, so that a bad trend is seen early.

REACTIVE: - Acting only after a problem has already occurred.

Proactive is better than reactive because it gives us more time to think about how to resolve the problem.

MONITORING TOOL: -

TASK MANAGER- Also called a real-time monitoring tool. Windows Task Manager shows computer performance and details of the programs and processes running on the computer; it keeps no history.

ALERT- Alerts relate to server and resource use. An alert notifies users about problems in areas such as security and access, server shutdown due to power loss, directory replication and printing. For network messages the Messenger service must be started. When a computer generates an administrative alert, a message is sent to a predefined list of users and computers. (The Messenger service is disabled by default on Windows Server 2003 because net send messages are unauthenticated; disable it again after the practical.)

STEPS: - First install a printer- After that- Programs- Administrative Tools- Services- R.C. on Messenger- Properties- Startup type- Automatic- Apply- Ok- Now R.C. on Messenger- Start.
Now, Start- Programs- Administrative Tools- Performance- Performance Logs and Alerts- R.C. on Alerts- New Alert Settings- Name – Printer- Ok- Add- Performance object- Print Queue- Add- Close- Alert when the value is over 2- Send a network message to \\krishna- Apply- Ok.
Now, open WordPad – type anything- print it a few times so the jobs in the queue push the counter over the limit.

COUNTER: - A counter is one measured value (for example Print Queue\Jobs or Processor\% Processor Time). Performance Logs and Alerts records counters to a log file over time, unlike Task Manager.

ROAMING PROFILE: - A roaming profile stores the user's profile (desktop, My Documents, settings) on a network share instead of on one machine. When a user created in Active Directory logs on at any client, the profile is copied down from the share, so the user gets the same environment anywhere on the network, and changes are copied back at logoff. Roaming profiles are therefore most useful for users who move between client computers.

STEPS: - Create a folder on any drive, share it and give Full Control- (folder name – Ram)- Apply- Ok.
Now, open Active Directory Users and Computers- Users- create two new users (any names, e.g. Ramesh and Raj).
Now, create the folders Ramesh and Raj inside Ram.
Now, R.C. on the first user- Properties- Profile tab- Profile path: \\computername\Ram\Ramesh- Ok.
Now, log on as the first user- R.C. on My Computer- Properties- Advanced- User Profiles- Settings- the profile type shows Roaming.
(NOTE- Same process for the 2nd user.)

MANDATORY PROFILE: - A mandatory user profile is a roaming profile whose changes are not saved: whatever the user alters during the session is discarded at logoff. It can be used for an individual or for an entire group of users pointing at the same share. Only an administrator can change a mandatory profile.

STEPS: - Open the Ram folder created in the roaming profile practical- Ramesh- show hidden files- rename NTUSER.DAT to NTUSER.MAN.
Now, R.C. on My Computer- Properties- Advanced- User Profiles- Settings- the profile type now shows Mandatory.

RECOVERY CONSOLE: - The Recovery Console is a minimal version of the Windows Server 2003 operating system that you can use to start the server when severe startup problems prevent it from booting. It provides a command-line interface and a set of commands to repair damaged system components, such as a damaged boot sector, that prevent you from starting the computer any other way.

To install the Recovery Console locally, Run-
D:\i386\winnt32.exe /cmdcons, where D: is the CD-ROM drive.

STEPS (practical: simulate a missing NTLDR): - C:\- Tools- Folder Options- View- Show hidden files and folders, untick Hide protected operating system files- Apply- Ok.
C:\- ntldr (Shift+Del), i.e. delete the ntldr file.
Then restart the system; the message shown is-
NTLDR is missing
Now restart the system and boot from the CD- press R- press 1 (the number of the Windows installation to log on to)- type the Administrator password (on a domain controller this is the Directory Services Restore Mode password).
Now copy the file back from the CD-
D:\i386>copy ntldr C:\
C:\>exit
Windows boots again. To hide the NTLDR file again:-
C:\>attrib +s +h +r ntldr
Now, in Folder Options- View- (.) Hide protected operating system files
To make it visible:
C:\>attrib -s -h -r ntldr
ATTRIB shows and changes the attributes of system files.
HOW TO INSTALL RECOVERY CONSOLE: -
Type-
D:\>i386\winnt32.exe /cmdcons
To view all commands available in the Recovery Console type: -
C:\>HELP
To remove Recovery Console: -
Tools- Folder Options- View- show hidden and protected files- in C:\ delete the cmdcons folder and the cmldr file.
Now, C:\>attrib -s -h -r boot.ini, open boot.ini in Notepad and delete the line ending in /cmdcons (C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons), save, then C:\>attrib +s +h +r boot.ini.
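Boot.ini is a plain text file (see the Boot.ini note in the boot-disk section above), and removing the Recovery Console comes down to deleting its line from that file. The Python below is an added example, not part of these notes: it parses a constructed boot.ini in the real layout ([boot loader] with timeout= and default=, [operating systems] with ARC path="description" /switches), checks that the default entry actually exists, and removes the entry carrying the /cmdcons switch. The sample paths and descriptions are assumptions for the example; on a real server copy boot.ini somewhere safe before editing it.

```python
# boot.ini parser and Recovery Console entry remover. Added example; the
# sample file below is constructed, not copied from a real machine.

SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003, Enterprise" /fastdetect
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""


def parse_boot_ini(text):
    """Return {'timeout': int, 'default': str,
               'entries': [(arc_path, description, [switches])]}."""
    cfg = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                       # tolerate a stray line rather than fail
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                cfg["timeout"] = int(value)     # seconds; -1 waits forever
            elif key.lower() == "default":
                cfg["default"] = value
        elif section == "operating systems":
            # value looks like: "Description text" /switch /switch
            description, _, rest = value.lstrip('"').partition('"')
            cfg["entries"].append((key, description, rest.split()))
    return cfg


def is_default_bootable(cfg):
    """True when default= points at one of the listed entries; otherwise
    NTLDR falls back to showing the menu and the timeout does nothing."""
    return any(path == cfg["default"] for path, _, _ in cfg["entries"])


def remove_recovery_console(text):
    """Drop the [operating systems] line that carries the /cmdcons switch,
    which is the boot.ini half of uninstalling the Recovery Console."""
    kept = [line for line in text.splitlines() if "/cmdcons" not in line.lower()]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    cfg = parse_boot_ini(SAMPLE_BOOT_INI)
    print("timeout:", cfg["timeout"], "default bootable:", is_default_bootable(cfg))
    for path, desc, switches in cfg["entries"]:
        print(path, "->", desc, switches)
    print(remove_recovery_console(SAMPLE_BOOT_INI))
```

To use it on a server, read C:\boot.ini (after attrib -s -h -r) into parse_boot_ini, write the result of remove_recovery_console back only if is_default_bootable still holds, and restore the attributes afterwards.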
