Learning Windows Server 2003, Second Edition

By Jonathan Hassell

Table of Contents

Chapter 1: Introducing Windows Server 2003
It all started with Windows NT, Microsoft's first serious entry into the network server market. Versions 3.1 and 3.5 of Windows NT didn't garner very much attention in a NetWare-dominated world because they were sluggish and refused to play well with others. Along came Windows NT 4.0, which used the new Windows 95 interface (revolutionary only to those who didn't recognize Apple's Macintosh OS user interface) to put a friendlier face on some simple yet fundamental architectural improvements. With Version 4.0, larger organizations saw that Microsoft was serious about entering the enterprise computing market, even if the product currently being offered was still limited in scalability and availability. For one, Microsoft made concessions to NetWare users, giving them an easy way to integrate with a new NT network. The company also included a revised security feature set, including finely grained permissions and domains, which signified Microsoft considered enterprise computing an important part of Windows.
After a record six and one-half service packs, NT 4.0 is considered by some to be the most stable operating system ever to come out of Redmond. However, despite that, most administrators with Unix experience required an OS more credible in an enterprise environment—one that could compare to the enormous Unix machines that penetrated that market long ago and had unquestionably occupied it ever since. It wasn't until February 2000, when Windows 2000 Server was released, that these calls were answered. Windows 2000 was a complete revision of NT 4.0 and was designed with stability and scalability as first priorities.
However, something still was lacking. Sun and IBM included application server software and developer-centric capabilities with their industrial-strength operating systems, Solaris and AIX. Windows 2000 lacked this functionality. In addition, the infamous security problems associated with the bundled Windows 2000 web server, Internet Information Services (IIS), cast an ominous cloud over the thought that Windows could ever be a viable Internet-facing enterprise OS. Given that many saw Microsoft as "betting the company" on a web services initiative called .NET, it was critical that the company save face and do it right the next time. It wasn't too late, but customers were very concerned about the numerous security vulnerabilities and the lack of a convenient patch management system to apply corrections to those vulnerabilities. Things had to change.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
Changes from Windows 2000 Server
Windows Server 2003 provides scores of new features that most administrators have been hoping for since the release of Windows 2000 Server, as well as critical bug fixes, tool improvements, management refinements, and enhancements to the general fit and finish of the product. In this section, I'll take a look at the major changes in the product from Windows 2000 Server.
Windows Server 2003 is fairly secure after the installation process is complete, as Microsoft promised. The product also benefited from the month-long halt of new development in March 2002, referred to by Microsoft as the beginning of the Trustworthy Computing Initiative, wherein all developers and product managers did nothing but review existing source code for security flaws and attend training on new best practices for writing secure code.
But it's not only in the actual code that security takes front seat. Perhaps the most welcome improvement in the eyes of network administrators with large Windows XP deployments is Windows Server 2003's native understanding and support for the expanded feature set of Group Policy (GP) found in XP. Windows 2000 Server was unaware of the new XP support for software execution restrictions and remote desktop support tools and thus required a bit of handholding to get it all working together. Windows Server 2003 knows about these XP tools out of the box.
Windows Server 2003 also debuts new secure wireless LAN support, and as an added bonus, this support can extend to wired networks, too. This allows you to keep unauthorized hosts off any part of your network, wired or wireless. 802.1X clients can authenticate to Windows Server 2003 machines using the Internet Authentication Service (IAS). For added security, you can add dynamic key exchange and WEP support as well. This is a great boon to both wireless and wired security. I'll explore Windows security features and configurations in greater detail in Chapter 7, and IAS in Chapter 11.
Changes designed to improve both performance and scalability received attention from the development team. When the product was released in early 2003, VeriTest, an independent testing organization, ran benchmarks and custom-designed tests that demonstrated that Windows Server 2003 outperformed Windows 2000 and Windows NT 4.0 by a dramatic margin of anywhere from 100-200%, depending on the task, using the same hardware. That's impressive for any follow-up release and bucks the all-too-familiar trend of needing to upgrade hardware and software simultaneously. Compared with NT 4.0, Windows Server 2003 is about twice as fast when operating as a fileserver, three times as fast as a dynamic web application server, and up to 400% faster at just plain web-page hosting. VeriTest ran all the tests using the same server, but during the battery it alternated the number of processors in the machine at any given time, using one, two, four, and eight processors interchangeably.
Additional content appearing in this section has been removed.
What Service Pack 1 Adds
Windows Server 2003 Service Pack 1 was released in April 2005 and consists of several must-have updates. Essentially, SP1 brings the new security features, improvements to the built-in firewall and Windows Explorer, and the overall better user experience found in Windows XP Service Pack 2 over the fence to the server side. You'll find the following:
  • The Security Configuration Wizard makes its debut. The SCW is perhaps the biggest security enhancement to any version of Windows on the server since the initial release of Windows NT Server. The SCW takes into account the functional roles a machine is performing and adjusts the configuration and operation of its installed services, Registry, filesystem, and auditing policies to significantly reduce the attack surface of the machine. It does this with a wonderfully easy-to-use interface that includes the ability to save created policies, apply existing policies to other machines, and roll back misapplied policies. I cover the SCW in great detail in Chapter 7.
  • The Internet Connection Firewall is renamed Windows Firewall and is improved to work almost exactly like its Windows XP counterpart. A major difference, however, is the default state: unlike XP, the firewall is turned off by default on the server. You'll need to specifically enable it if you want its protection.
  • The Automatic Updates interface has been completely redesigned, again to resemble the XP interface.
  • Security for the DCOM and RPC subsystems of the product, both of which have been exploited by several pieces of malware over the past few years on other Windows operating systems, has also been significantly improved.
  • Microsoft has increased the speed at which IPSec connections between trusted nodes are made by moving code into kernel mode for faster SSL connections and other secure transmissions. Now the performance hit of using secure channels for communication has been lessened.
  • IIS start-up times have also been optimized. I cover other, more specific (and less obvious) improvements to IIS in SP1 in Chapter 8.
  • Finally, don't discount the convenience of having all security updates issued between the initial "gold" release of the product in April 2005 all rolled into one easily executable package. Patching is a big headache these days, and service packs are great ways to leap ahead to the most secure installation possible if you're a bit behind on your updating.
Additional content appearing in this section has been removed.
What R2 Adds
Alas, Windows Server 2003 R2, released in late 2005, is a less obvious upgrade: it's the first deliverable in Microsoft's newly adopted server update schedule. The idea is that a new version—that is, what most of us would characterize as a major release—will be offered every four years. Two years after each major release, Microsoft will issue an incremental version upgrade that will refresh the product and bring it more in line with other out-of-band software releases the company may have made. (Case in point: Windows SharePoint Services [WSS] was released after the original version of Windows Server 2003 hit the commercial channels. Windows Server 2003 R2 includes WSS, thus adding a fresh face to the original release.) If you do the math, you'll see that the next major version of the core Windows server product, which is codenamed Longhorn at this point, is due in 2007, with Longhorn Server R2 supposedly due in 2009. As you probably know, though, forward-looking statements, when made about Microsoft products and release dates, are hardly ever very precise. At any rate, R2 ships as a second CD in the Windows Server 2003 product, and that product includes an integrated version of Service Pack 1 so that you're automatically at the latest service pack level when you install.
From a more general standpoint, R2 includes a lot of upgrades to already released technologies. There's an update to the Microsoft Management Console, improvements to Active Directory Application Mode, and an integrated version of Windows SharePoint Services with its second service pack. Specifically, though, the most useful enhancements to R2 are as follows:
  • Upgrades to the Distributed File System (DFS). There's great new functionality involved in replicating files, folders, and software out to branch offices over sometimes unpredictable links. And if you're an NT veteran and are familiar with the instability and limitations of the old File Replication Service (FRS), take heart: R2 has a completely new DFS replication engine that handles huge files and huge numbers of files effortlessly. You can use the new engine to maintain real-time replicas of large data volumes in a central location, which makes multiple-targeted DFS links completely possible. I'll cover these updates in Chapter 3.
Additional content appearing in this section has been removed.
Windows Server 2003 Editions
Microsoft has increased the number of versions of Windows Server 2003 it offers over what was offered in Windows 2000 Server. Windows 2000 Server was sold in three editions: Server, Advanced Server, and Datacenter Server, each requiring increasingly faster processors and more memory. Windows Server 2003 is available in the following editions:
Web Edition (WE)
This version of Windows Server 2003 is optimized to host web sites using IIS and is therefore limited in its support of hardware and in its feature set. It cuts the addressable memory in half from 4GB to 2GB, restricts Internet Connection Sharing, network bridging, and Terminal Services (although you can still use the XP-like Remote Desktop feature for Remote Administration), and does away with DHCP and fax services. In addition, WE can be a member server of a domain, but it cannot be an Active Directory domain controller. Windows Server 2003 WE is available only through OEMs; you can't purchase it through traditional retail channels.
Standard Edition (SE)
This is the plain-vanilla version of Windows that most corporations likely will deploy. Included with it is support for up to four processors and 4GB of memory. SE includes most of the features and support of the other editions, including the .NET Framework, IIS 6, Active Directory, the distributed and encrypting filesystems, and various management tools. You also receive Network Load Balancing (a feature previously reserved for the "premium editions" of the NT server product) and a simple Post Office Protocol 3 (POP3) server which, coupled with the existing Simple Mail Transfer Protocol (SMTP) server bundled with IIS, can turn your Windows Server 2003 machine into an Internet mail server.
Enterprise Edition (EE)
Aimed squarely at more demanding environments, EE adds Metadirectory Services support, high-level memory management features, and some session management features for Terminal Services. It also includes support for eight-node clustering and booting directly from a SAN. Plus, you can add memory to EE while the system is running, without needing to reboot.
Additional content appearing in this section has been removed.
Hardware Requirements
Table 1-1 lists Microsoft's minimum and recommended system requirements for running Windows Server 2003 Standard and Enterprise, the most commonly purchased editions.
Table 1-1: Minimum and recommended system requirements
| Requirements | Standard edition | Enterprise edition |
|---|---|---|
| Minimum CPU speed | 133 MHz | 133 MHz for x86-based computers; 733 MHz for Itanium-based computers |
| Recommended minimum CPU speed | 550 MHz | 733 MHz |
| Minimum RAM | 128 MB | 128 MB |
| Recommended minimum RAM | 256 MB | 256 MB |
| Maximum RAM | 4 GB | 32 GB for x86-based computers; 64 GB for Itanium-based computers |
| Multiprocessor support (MPS) | Up to 4 | Up to 8 |
| Disk space for setup | 1.5 GB | 1.5 GB for x86-based computers; 2 GB for Itanium-based computers |
However, anyone with prior experience with Windows operating systems is likely familiar with the simple fact that Microsoft's minimum system requirements (and often, the recommended requirements as well) are woefully inadequate for all but the most casual serving duties. Based on price and performance considerations as of this writing, I recommend the following specifications for any Windows Server 2003 version available through traditional channels. I'll refer to these as the "realistic minimums" from this point on in the book.
Additional content appearing in this section has been removed.
The Last Word: Assessing the Release
Two camps of people and their organizations will find compelling reasons to immediately upgrade to Windows Server 2003 and R2:
Those still running a version of Windows NT
The official Microsoft decree of end of life for NT Workstation 4.0 was on July 1, 2003, well before this book and this edition were published. NT Server 4.0 reached the end of its supportable life on December 31, 2004, so it's really not prudent to continue to bet your company's IT assets and policy on what is now a dead, deprecated, and fundamentally unsafe operating system. Windows Server 2003 provides a good jump, and it's a stable jump, too. A new server version of Windows will not be released at current estimates for at least two years, and more likely three. Upgrading now—as soon as possible—makes sense if you're running NT, and as a bonus for waiting, you'll get Windows Server 2003 R2 as well with new SKU purchases.
Those with current Microsoft Select, Software Assurance, or Open License agreements that allow them to upgrade to the latest release at no additional cost
If there's no fee or additional monetary outlay for your upgrade, you can get the benefit of Windows Server 2003 R2 for little overall cost. Windows Server 2003 requires about the same hardware as Windows 2000 Server, so if you're currently on that level, you can keep the machines you already have and enjoy the fit, finish, and new features Windows Server 2003 R2 offers you.
If you are not a member of either group, the value of upgrading to Windows Server 2003 and R2 is less clear. Traditionally, Microsoft operating system upgrades offered at least somewhat compelling reasons to move to the newest edition: improved user interfaces, performance enhancements, the migration from 16- to 32-bit, and so on. That's not as much the case anymore, at least until the next paradigm shift at Microsoft, which again won't be for a couple of years. If you're happily chugging away with Windows Server 2003 and don't have an update agreement with Microsoft, you're forced to determine if the license expense is worth the added features and benefits that R2 brings to the table. It probably isn't worth it unless your organization has a lot of branch offices, has a critical storage resource management crisis, or requires the identity management improvements of ADFS.
Additional content appearing in this section has been removed.
Chapter 2: Installation and Deployment
Now that you've been thoroughly introduced to what's new, what's hot, and what's not in Windows Server 2003, the time has come to install the operating system on your machines. Installing Windows Server 2003 is easy: the fun comes in configuring and customizing the operating system. I begin this chapter by covering the installation options and how you can install the operating system using a CD-ROM, including the additional components located on the second disc as part of the R2 release. Then I devote a large part of this chapter to unattended installations, automated deployment, and batch machine imaging, because you can gain a significant time savings by letting your computer handle as many of the tedious installation tasks as possible. So let's jump in and get started.
Preparing to Install Windows Server 2003
As with any operating system, Windows Server 2003 comes with optional components that add or extend functionality in addition to the components that are required for everyday use. In this section, I'll outline these optional components, explain their function, and guide you as to whether you should install them.
An unwritten rule of system administration is to never install any components unless they are required. Although that might seem really basic at first, the point to take from this is that systems that operate only with the components required for their daily work are far easier to manage and considerably reduce your attack surface. There's less to go wrong, less to secure, and less to administer. Microsoft has embraced this maxim in a lukewarm sort of way by eliminating the ability to customize components (including adding them) at the time of a standard installation; you can add and remove Windows components only after installation is complete. (I'll cover ways around that limitation later in this chapter, but for now be aware that you can't customize an installation while it is in progress.)
However, even before you install the operating system, you should spend some time looking over its components to figure out which ones you need. Use Table 2-1 as a guide, which lists the components available for installation on machines with Windows Server 2003 loaded. Some of these options have submenus that deserve a look as well.
Table 2-1: Windows Server 2003 installation components
| Option | Purpose |
|---|---|
| Accessories/Utilities | A collection of small applications and utilities such as WordPad and Paint |
| Certificate Authority | |
Additional content appearing in this section has been removed.
Installing Windows Server 2003
It's a fairly effortless procedure to install Windows Server 2003 onto new systems. Here are the steps:
  1. Turn the system power on and insert the Windows Server 2003 CD into the drive. If you receive a prompt asking you to select from what location to boot, choose the option to boot from the CD. The system will boot a minimal, text-only version of Windows Server 2003 into main memory and will begin the initial installation procedure. Figure 2-1 shows the beginning of this phase.
    Figure 2-1: The character-based Setup process
  2. The Welcome to Windows Setup screen will appear. Press Enter to continue.
  3. Read the terms of the license agreement. If you accept (which, of course, you have to do to continue installation), press F8 to continue.
  4. A screen listing your current disk partitions will appear. You can simply move around the menu and select an existing partition on which to install by pressing the arrow keys and then Enter to confirm your selection. You also can delete partitions (be sure you have backed up your data first!) by selecting the partition and pressing the D key. Lastly, you can create a new partition by selecting the Unpartitioned space selection in the menu and then pressing the C key. Figure 2-2 shows the disk partitioning screen.
    Choose the best option for you, and then press the appropriate key.
  5. You'll now be prompted to choose a filesystem. Select the filesystem with which you want the partition formatted and press Enter to start the format. The formatting process can take up to one hour to complete, depending on your drive's size and speed, and then large amounts of files will be copied to the newly formatted partition. Now's a good time to catch up on your email backlog or to take a coffee break.
    Figure 2-2: The disk partitioning screen
  6. Once the format and file copy processes are complete, the system will reboot, and the next portion of the installation will commence in graphical mode. The process starts with the Regional Settings screen, which pops up soon after the reboot. On this screen, you can change the language, locale, and keyboard settings depending on your geographical location. Click Next to continue.
Additional content appearing in this section has been removed.
Upgrading Previous and Existing Installations
Most organizations and businesses have extensive investments in previous versions of server operating systems. In this section, I'll cover issues you'll run into when upgrading from Windows NT and Windows 2000 to Windows Server 2003.
A lot of companies are jumping the sinking NT ship—end of life for the NT Workstation product was mid-2003 and NT Server's death has reached us as well—and so it's highly possible you have some machines running NT that are worth upgrading. It's remarkably easy to upgrade any type of Windows NT installation—be it a primary domain controller (PDC), a backup domain controller (BDC), or a regular member server—to Windows Server 2003. Microsoft has taken great pains to ensure the upgrade to Windows Server 2003 is as painless as possible. The installation procedure follows a clean install reasonably closely, and in fact requires less hands-on work. The program doesn't prompt you at all after the inception of the installation, and at the beginning, you're asked only for the CD Key and to acknowledge any compatibility issues.
NT upgraders should, however, note the following points:
  • The Windows NT installation must be running Service Pack 5 or greater. You can download the most recent update, Service Pack 6a, from http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp. Other acceptable Windows NT versions include NT Terminal Server Edition with SP5 or later, and NT Server Enterprise Edition, also with SP5 or later.
  • Little to no reconfiguration is required with an upgrade installation because existing users, settings, groups, rights, and permissions are saved and automatically applied during the upgrade process. You also don't need to remove files or reinstall applications with an operating system version upgrade.
  • Before the upgrade, you should evaluate the hardware on which Windows Server 2003 will run. Does it require an upgrade based on the minimum or recommended hardware requirements covered in Chapter 1?
  • On a machine that's a candidate for Windows Server 2003, insert the Windows Server 2003 CD and run
Additional content appearing in this section has been removed.
Installing the R2 Components
For the first time in the history of Windows on the server, Microsoft is shipping additional, optional components on a second CD inside the actual Windows Server 2003 R2 product box. Most of these components are enabled for future installation by running a separate Setup process, which you can launch directly from the desktop after you finish the base install of Windows Server 2003 SP1 from the first disc (Setup places a shortcut on the desktop for you for easy access). You use the same product key for both the initial installation of Windows Server 2003 and the R2 components. It's a very simple Setup program that copies some libraries and descriptive files to your computer, and it shouldn't take more than a couple of minutes.
By running that Setup process, you populate the existing Windows Components dialog within Add/Remove Programs in Control Panel with more options that correspond to the R2 components. You can choose single components to install at any time. Most of the R2 components reside as subcomponents of the larger feature categories within the Windows Components screen—for example, the Print Management Console is located within the Management and Monitoring Tools category. Other components, such as Windows SharePoint Services 2.0, are located within the first set of categories.
Table 2-3 shows the relative locations of all R2 components with the Windows Components section of Add/Remove Programs.
Table 2-3: Relative locations of all R2 components
Top-level components
Level 1 components
Level 2 components
Level 3 components
Active Directory
Active Directory Application Mode (ADAM)
Active Directory Federation Services (ADFS)
Federation Service Proxy
Additional content appearing in this section has been removed.
Troubleshooting an Installation
Although the vast majority of the time Windows Server 2003 installs without a hitch, some issues (a piece of malfunctioning hardware, a power failure during installation, or a faulty download of a dynamic update) can cause the installation process to fail. Luckily, you can recover from a bugged-out installation in at least two ways: starting over or using the Recovery Console.
Sometimes it can be easier to cut your losses and restart an installation from the beginning, particularly if an error early in the process is preventing you from proceeding. The installation process changes three things on your drive, all of which you need to reverse to restart the installation (unless, of course, you want to format the hard drive and therefore aren't concerned with data loss):
  • Setup constructs the $win_nt$.~bt directory to store boot files, which instruct your computer to boot into Setup's post-first phases (that is, all phases after the initial reboot). Remove this directory.
  • Setup modifies your boot.ini file with a line such as the following, which needs to be removed as well:
        Multi(0)disk(0)rdisk(0)partition(2)\$win_nt$.~bt="Microsoft Windows Server 2003 Setup"
    
  • Setup creates the $win_nt$.~ls directory and copies all files in this directory to the system to have data to work with if it cannot access the setup CD. Remove this as well, if it exists. (Some installation scenarios don't require its creation, such as ones initiated from a network share or a hard disk and not on a CD.)
Once you've removed these three items, no traces of the previous setup attempt remain on the machine, and you are free to restart the installation process.
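The following sketch, an added example that is not code from the book, checks a drive for the three traces listed above and produces the cleaned boot.ini text. The sample boot.ini is constructed; its `default=` line, the Windows 2000 entry, and the function names are assumptions for illustration.

```python
import os

SETUP_DIRS = ("$win_nt$.~bt", "$win_nt$.~ls")  # directories named in the text
SETUP_MARKER = "$win_nt$.~bt"                  # identifies Setup's boot.ini entry

# Constructed boot.ini. The Setup entry is the line quoted in the text; the
# default= line and the Windows 2000 entry are assumptions for illustration.
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=5\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(2)\\$win_nt$.~bt\r\n"
    "[operating systems]\r\n"
    "Multi(0)disk(0)rdisk(0)partition(2)\\$win_nt$.~bt="
    '"Microsoft Windows Server 2003 Setup"\r\n'
    "multi(0)disk(0)rdisk(0)partition(1)\\WINNT="
    '"Microsoft Windows 2000 Server" /fastdetect\r\n'
)


def strip_setup_entries(boot_ini_text):
    """Return (cleaned_text, removed_entries) for the contents of a boot.ini."""
    kept, removed, os_paths, section = [], [], [], None
    for line in boot_ini_text.splitlines(keepends=True):
        body = line.strip()
        if body.startswith("[") and body.endswith("]"):
            section = body[1:-1].strip().lower()
        elif section == "operating systems" and body and not body.startswith(";"):
            if SETUP_MARKER in body.lower():
                removed.append(body)
                continue  # drop Setup's entry
            os_paths.append(body.split("=", 1)[0].strip())
        kept.append(line)

    # Assumption: Setup may also have pointed default= at its own entry.
    # If it did, fall back to the first operating system entry that is left.
    for i, line in enumerate(kept):
        key, _, value = line.partition("=")
        if key.strip().lower() == "default" and SETUP_MARKER in value.lower():
            if not os_paths:
                raise ValueError("no operating system entry left to boot from")
            line_ending = line[len(line.rstrip("\r\n")):]
            kept[i] = "default=" + os_paths[0] + line_ending
    return "".join(kept), removed


def leftover_setup_traces(drive_root):
    """Report which of the three traces still exist under drive_root.

    Names are compared case-insensitively because the volume may be
    inspected from an operating system with a case-sensitive view of it.
    """
    traces = []
    for name in os.listdir(drive_root):
        path = os.path.join(drive_root, name)
        if name.lower() in SETUP_DIRS and os.path.isdir(path):
            traces.append("directory " + name)
        elif name.lower() == "boot.ini" and os.path.isfile(path):
            with open(path, "r", encoding="cp1252", newline="") as fh:
                if SETUP_MARKER in fh.read().lower():
                    traces.append("boot.ini still references " + SETUP_MARKER)
    return sorted(traces)


if __name__ == "__main__":
    cleaned, removed = strip_setup_entries(SAMPLE_BOOT_INI)
    print("removed:", removed)
    print(cleaned)
```

An empty list from `leftover_setup_traces` means none of the three traces remain on that drive.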
For dealing with serious installation problems that don't allow you into the standard graphical interface, or for a once-functional installation that seems to have failed, Microsoft provides a tool that might help you rescue a system from the jaws of certain death. Available since Windows 2000, the Recovery Console is a text-based operating system extension that allows you direct access to the disk on which Windows Server 2003 is installed, and similar access to key configuration files and data. It also provides a convenient way around DOS's inability to read NTFS-formatted drives, which is an issue any administrator with troubleshooting experience has come up against.
Additional content appearing in this section has been removed.
Running an Unattended Installation
Unless you have only two or three servers, it's likely that you tire fairly quickly of being a high-paid installation babysitter, shoving disks and CD-ROMs in and out of machines while telling them all what country you live in. For all but the smallest of Windows shops, it is a good idea to use the Windows unattended installation feature—that is, installations run by files constructed by an administrator ahead of time that answer all of Setup's questions. This will save you time and make deploying and rolling out the operating system less tedious.
You can automate Windows installations using one of three main methods. The first is through the use of unattended installation scripts, which are simple to configure and use but lack some flexibility in deploying to machines that are configured with different hardware. Scripts are best when you have a uniform hardware base.
The second method is through the use of Remote Installation Services (RIS), a very useful feature that enables you to boot from the network and install Windows without any sort of distribution media. With this method, you have a lot of upfront configuration, but on the other hand, you can deploy to nearly any base of hardware, and you can customize certain aspects of the user experience during the installation, too. RIS is most appropriate when you have a diverse hardware base, plenty of network bandwidth, and computers that can boot from the network.
The third and final method to use unattended installations is through the deployment of system images. It requires quite a bit of upfront installation, but it's a great timesaver when you need a computer reformatted and reinstalled in less than 30 minutes.
Let's discuss each method.
Perhaps the simplest method of automating a Windows Server 2003 deployment is to use scripts, or more specifically, unattended setup answer files. These files use a syntax not unlike that found in Windows 3.1 INI files, providing answers for questions such as computer name, your CD key, your name, where you live, and the like.
Windows is instructed to read these files using an argument switch on its main setup program executable file,
Additional content appearing in this section has been removed.
The Last Word
In this chapter, I've covered quite a bit about the various methods needed to install Windows, how activation works, ways to recover from a bungled Setup, and what to do when Windows Server 2003 just won't boot. I've also looked at automated rollouts of the product and its client brethren.
In the next chapter, we'll step through in detail the file and print service functionality of Windows Server 2003.
Additional content appearing in this section has been removed.
Chapter 3: File, Print, and User Services
One of Windows Server 2003's primary functions within a typical organization is to serve files and connect multiple machines to a smaller number of printers. Windows Server 2003 enables you to create any number of shared folders that contain documents and programs that your users can access via such methods as Windows Explorer, Network Neighborhood, or mapped drives. The operating system also enables you to create a hierarchy of shared folders stored across multiple machines that can appear to end users as though they're stored on a single server.
Print services are simple to configure and manage. Windows Server 2003 enables you to share a printer connected either physically to the server, or to a print server device that is attached directly to the network. It also can host drivers for multiple operating systems and automatically distribute the correct drivers to client systems.
You'll need to be familiar with the following terminology to get the most from this chapter. Feel free to skip to the next section if you've been working with Windows for a while.
Disk
A disk is the actual, physical hard disk within the machine.
Drive
A drive is a logical object formatted for use with Windows. This can be either an entire physical disk or a partition.
Partition
A partition is a portion of a physical disk that can be used with volumes.
Volume
A volume is either a drive or a partition within Windows—it's a common term for both.
In this chapter, I discuss in depth all the file and print services Windows Server 2003 provides.
Additional content appearing in this section has been removed.
New File and Print Server Features
Several new features have been added to Windows Server 2003 to enable faster, more seamless access to file and print services on your network. Although the infrastructure of the file and print systems has not been completely redesigned, it certainly has been modified to provide for ease-of-use enhancements, increased data integrity, automatic and assisted backup, and other key features, including the following.
Enhanced Distributed File System (DFS)
DFS is a feature, introduced in Windows NT but refined in Windows 2000 and nearly completely rewritten in Windows Server 2003 R2, which permits an administrator to create one logical filesystem layout despite the fact that shares can be scattered across the network on different servers. This makes it easier for clients to find and store files consistently, and it allows for better equipment utilization. Windows Server 2003 adds the ability for a server to host multiple DFS roots, which are "starting" points for a hierarchy of shared folders. A Windows Server 2003 server can also use Active Directory site topology to route DFS requests from clients to the closest available server, improving response time. The brother to DFS, the File Replication Service (FRS), is also improved in that it's more resilient to transient network errors. Those of you using RoboCopy might find that FRS now fulfills that need.
Enhanced Encrypting File System (EFS)
Native encryption abilities are built into the NTFS filesystem used in this release of Windows. By simply checking a checkbox in the Properties sheet for a file, you can easily encrypt and decrypt files and folders to protect their integrity. This feature is particularly useful for mobile computers, which have a greater risk of data loss and capture than traditional corporate desktop machines.
Volume shadow copy
The volume shadow copy feature is perhaps one of the most beneficial additions to Windows Server 2003. The server will take snapshots of files at specific periods during the day, thereby making available a library of previous versions of a file. If a user accidentally overwrites a file, saves an incorrect version, or somehow destroys the primary copy, he can simply click Previous Versions in the Explorer view of the folder and access a shadow copy version.
Additional content appearing in this section has been removed.
Setting Up File-Sharing Services
To configure a machine as a file server, open the Manage Your Server Wizard from the Start menu. Adding a file server role to a machine involves the following tasks.
Configuring the machine as a file server
This process involves turning on file sharing and creating the first shared folder. Windows also creates a few of its own shares by default, which I'll discuss in more detail as the chapter progresses.
Establishing disk space limits by enabling disk quotas, if necessary
Disk quotas are a simple way to limit and control the amount of disk space your users take up with their data. Quotas monitor and limit a user's disk space on a per-partition or per-volume basis; quotas do not stretch across multiple disks. The wizard can configure Windows to apply default quota settings that you select to any new users of any NTFS filesystem. This is not required to set up file sharing services, but you might find the feature useful. And if you are running Windows Server 2003 R2, there is a totally new way of managing quotas—through the File Server Resource Manager, where you can enable per-folder quotas and further limiting by file-type filters.
Turning on the Indexing Service, if necessary
The Indexing Service reads the contents of most files on the server and makes a catalog of their contents for easy search and retrieval at later points in time. Because the user interface for the Manage Your Server Wizard presents this option, I mention it here, but I cover it in detail in Chapter 13.
Installing the File Server Management MMC console
This console snap-in provides an easy way to create, modify, edit, and generally administer shared folders, and I'll talk about it in this chapter.
Creating shared folders and setting share permissions for each folder
Finally, you'll want to create the shared folders and apply permissions to them. After all, that's why you started the process, right?
Additional content appearing in this section has been removed.
NTFS File and Folder Permissions
File- and folder-level permissions are one of the most dreaded and tedious tasks of system administration. However, they are significant in terms of protecting data from unauthorized use on your network. If you have ever worked with Unix permissions, you know how difficult they are to understand and set: complex CHMOD-based commands, with numbers that represent bits of permission signatures—it's so easy to get lost in the confusion. Windows Server 2003, on the other hand, provides a remarkably robust and complete set of permissions, more so than any common Unix or Linux variety available today. It's also true that no one would argue how much easier it is to set permissions in Windows than to set them in any other operating system. That's not to say, however, that Windows permissions are a cinch to grasp; there's quite a bit to them.
Windows supports two different views of permissions: standard and special. Standard permissions are often sufficient to be applied to files and folders on a disk, whereas special permissions break standard permissions down into finer combinations and enable more control over who is allowed to do what functions to files and folders (called objects) on a disk. Coupled with Active Directory groups, Windows Server 2003 permissions are particularly powerful for dynamic management of access to resources by people other than the system administrator—for example, in the case of changing group membership. (You'll meet this feature of Active Directory, called delegation, in Chapter 5.)
Table 3-1 describes the standard permissions available in Windows.
Table 3-1: Windows Server 2003 standard permissions
Type        Description
Read (R)    Allows user or group to read the file.
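The split between standard and special permissions described above can be seen by decoding the access mask stored in an ACE. The following is an added example, not code from the book: the bit values are the Win32 file access rights from winnt.h, the trustee names and ACEs are constructed, and it covers Read, Read & Execute, Modify and Full Control rather than only the Read row shown in the table excerpt.

```python
"""Added example: decode NTFS ACE access masks (constructed sample data)."""

# Special permissions as named in the Advanced Security dialog, keyed by the
# Win32 access-right bit (values from winnt.h, not from the book).
SPECIAL = {
    0x000001: "List Folder / Read Data",
    0x000002: "Create Files / Write Data",
    0x000004: "Create Folders / Append Data",
    0x000008: "Read Extended Attributes",
    0x000010: "Write Extended Attributes",
    0x000020: "Traverse Folder / Execute File",
    0x000040: "Delete Subfolders and Files",
    0x000080: "Read Attributes",
    0x000100: "Write Attributes",
    0x010000: "Delete",
    0x020000: "Read Permissions",
    0x040000: "Change Permissions",
    0x080000: "Take Ownership",
}
SYNCHRONIZE = 0x100000

# Four standard permissions and the masks they expand to (SYNCHRONIZE set).
STANDARD = {
    0x1F01FF: "Full Control",
    0x1301BF: "Modify",
    0x1200A9: "Read & Execute",
    0x120089: "Read",
}

# Rights that let a trustee rewrite the ACL or take over the object.
ACL_CONTROL = 0x040000 | 0x080000


def special_permissions(mask):
    """Return the special-permission names set in an access mask."""
    return [name for bit, name in SPECIAL.items() if mask & bit]


def standard_permission(mask):
    """Return the matching standard permission, or 'Special' if none fits.

    SYNCHRONIZE is ignored in the comparison because tools differ on
    whether they set it.
    """
    return STANDARD.get(mask | SYNCHRONIZE, "Special")


def audit(aces):
    """Flag allow ACEs that grant ACL-control rights without Full Control."""
    findings = []
    for trustee, mask in aces:
        if standard_permission(mask) != "Full Control" and mask & ACL_CONTROL:
            findings.append((trustee, special_permissions(mask & ACL_CONTROL)))
    return findings


# Constructed allow ACEs for one shared folder: (trustee, access mask).
SAMPLE_ACES = [
    ("CORP\\Payroll", 0x1200A9),
    ("CORP\\Sales", 0x1301BF),
    ("CORP\\Helpdesk", 0x1301BF | 0x040000),  # Modify plus Change Permissions
    ("BUILTIN\\Administrators", 0x1F01FF),
]

if __name__ == "__main__":
    for trustee, mask in SAMPLE_ACES:
        print(f"{trustee:26} {mask:#08x} {standard_permission(mask)}")
        for name in special_permissions(mask):
            print(f"    {name}")
    print("ACL-control rights outside Full Control:", audit(SAMPLE_ACES))
```

The Helpdesk entry shows why the special view matters during a permissions review: it displays as "Special" rather than Modify, and the extra bit lets that group rewrite the folder's ACL.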
Additional content appearing in this section has been removed.
Limiting Use of Disk Space with Quotas
Windows 2000 first introduced the quota feature, allowing an administrator to define a limit or set of limits on the consumption of disk space by individual users. Up until Windows 2000, Windows quota support was available only through third-party software, which was typically very expensive.
Windows Server 2003's quota management features some interesting properties:
  • Windows Server 2003 can distinguish between volumes, so you can set different quotas on different volumes to perhaps segregate types of data, or to offer a specific volume for one department's exclusive use.
  • You can assign quotas on mapped drives as long as the physical volumes to which the mapped drives point were created with Windows 2000 Server or Windows Server 2003 or were upgraded to either of the later versions from Windows NT 4.0.
  • Unlike some third-party software programs, Windows Server 2003 does not allow grace writes. That is, some software allows a user to continue an operation—say, a file copy process—even if during the middle of that operation the quota is reached. Server 2003 does not allow this; it will cut off the operation when the quota is reached.
As usual, though, neat features always contain weak points. First, quotas are supported only on disks formatted with the NTFS filesystem. This isn't too surprising because most progressive filesystem features aren't available under the various flavors of FAT. Second and perhaps more disturbing is that, due to an architectural limitation, filesystem-based quotas can be added only to individual users. This creates quite a headache, as most other network operating systems allow you to set a default quota based on group membership. In this manner, all normal users could have 500 MB, power users and executives could have 1.5 GB, and administrators could have unrestricted space. Alternatively, payroll users could have 250 MB, while the sales team with their myriad PowerPoint presentations might need 1 GB apiece. Alas, Windows Server doesn't support this, but later in this section I'll show you a problematic but workable way around this limitation. And third, Windows Server 2003 doesn't provide any sort of messaging mechanism when users exceed their quota. The OS simply writes an event to the System event log, and although you can filter through these events via either the GUI or the command line, as described later, it still requires manual labor on your part. This certainly could be improved in future revisions.
Additional content appearing in this section has been removed.
The File Server Resource Manager
Windows Server 2003 R2 includes the File Server Resource Manager, an integrated console that contains various tools and reporting functions so that you can determine, control, and administer the amount and kind of data stored on your file servers. FSRM provides a single and convenient place for you to configure quotas on folders and volumes, screen for unacceptable types of files, and generate comprehensive reports on exactly where your disk space is going.
Figure 3-13: Entering a new disk quota entry
To install the FSRM, you'll need to install the R2 components on the accompanying product disc. Then, from Control Panel, use the Add/Remove Programs applet, choose Windows Components, and under Management and Monitoring Tools, choose the File Server Resource Manager. Click Next and then Finish, and Windows will install the tool for you.
You can only manage resources on servers with the FSRM installed, which means that you're limited to servers running R2.
To launch the FSRM, simply choose it from the Administrative Tools menu. The default console looks like Figure 3-14.
Figure 3-14: The File Server Resource Manager console
The first step in using the FSRM is configuring some options that will be used by the console. In the Actions pane, click the Configure Options link, and you'll see a screen like Figure 3-15.
Figure 3-15: Configuring FSRM options
The FSRM is designed to send email alerts and reports via email; on the Email Notifications tab, enter the outgoing SMTP server (either through an installed SMTP service on the local machine or another mail server provided either by your organization or your ISP), and the To and
Figure 3-16 shows the Storage Reports tab.
Figure 3-16: The Storage Reports tab
On this tab, you can specify your preferences for each report that can be generated by the FSRM. For example, if you highlight the File Screening Audit report and click the Edit Parameters button, you'll be able to select which users are included in the report. To take a look at all of the parameters for the reports, click the Review Reports button. The defaults work pretty well here, but as you'll see as we dig further into the FSRM, you may want to alter these slightly to customize the reports for your environment.
Additional content appearing in this section has been removed.
Using Offline Files and Folders
Offline Files and Folders is a neat feature, offered for the first time in Windows 2000 Professional, which synchronizes files and folders when you connect to and disconnect from the network. Similar to the Windows 95 Briefcase, except much more versatile and automated, Offline Files and Folders caches a copy of selected files and folders on a computer's hard drive. When that computer becomes disconnected from the network for any reason, Windows reads the cache on the machine and intercepts requests for files and folders inside the cache. The end user can still open, save, delete, and rename files on network shares, because Windows is fooling him or her into thinking that everything is still on the network and not in the cache. Windows records all changes, and the next time an appropriate network connection is detected, the changes are uploaded to the network and the cache and the actual network file store are synchronized.
What happens when a common network share—call it Contracts—is modified by two different users while they're offline? In this instance, it's really a case of who gets connected first. User A will synchronize with the network, and his modified version of the file will be the one now stored live on the network volume. When User B attempts to synchronize, Windows will prompt him to choose whether to keep the existing version (the one that User A modified) or to overwrite it with the one that User B has worked on.
This has obvious advantages for mobile users. In fact, as I write this, I am sitting at a rest stop on Interstate 20 outside Augusta, Georgia, taking an extended break from a road trip. To open this file, I navigated through Windows Explorer to my regular network storage location for this book and its assorted files. I noticed no difference between being in my office and being in this car right now, at least as far as Windows' interface to the network was concerned. However, tomorrow, when I am back in my office, I will plug the Ethernet cable into my laptop, and Windows will synchronize any files I modified in that folder with the files on my servers in the office. Using this feature, I always have the latest file with me wherever I am, be it in the office or on the road, and I don't really have to consciously think about it. But there's also a plus side that you might not have considered: if you enable Offline Files on regular desktop machines, not just mobile laptops, you create a poor man's fault-tolerant network. (The price you pay for such fault tolerance is bandwidth.) That is, when the network connection disappears, Windows doesn't care if you are using a big mini-tower system or an ultra-thin notebook. So, your desktop users still can safely and happily use network resources, even if the network has disappeared, and you as the administrator can rest assured in knowing whatever the users do will be updated safely on the network when it reappears. Now, of course, this is no substitute for a well-planned network with quality components, but in a pinch, offline folders do well to reduce user panic and wasted help-desk calls.
Additional content appearing in this section has been removed.
Using Shadow Copies
Shadow copies are a new technology within Windows products that enables a server to take snapshots of documents on a disk to record their states at certain points in time. If a user accidentally deletes or otherwise overwrites a file, he or she can open a version the server saved earlier in time, thereby eliminating the need to either recreate his or her work or contact the help desk to get them to restore the file from the most recent backup. When shadow copies are enabled on a disk, clients connecting to a share on that disk will be able to view and access previous point-in-time copies of either individual files or entire directories.
Further benefits lurk beneath the surface of this feature, however. The service behind shadow copies, called the Volume Shadow Copy Service (VSS), is actually responsible for a newly developed application programming interface (API) that allows server-based applications such as Exchange, SQL, and backup programs to take advantage of the benefits of shadow copies. Perhaps the most famous example is a backup that skips open files, either because they are currently open by a user or because they are locked by another process. In the past, this resulted in incomplete backups, either because the backup process halted in midstream because of this unrecoverable error, or because the process skipped the open file. If the open file is, say, your Exchange email database, that's not necessarily a good thing. But now, with volume shadow copies, the backup application can simply use an API to take a snapshot of any open files and back up that snapshot. Now you have an instant backup of a database at any point in time, with no interruption in availability to the user. This is a very nice feature.
You definitely can take advantage of shadow copies in the user realm as well. Part of the volume shadow copy service is a piece of client software that can be pushed out to any computer in your domain through Group Policy. (This software is located on the Windows Server 2003 CD and can also be downloaded from Microsoft's web site.) Once the user has this client, Windows adds a tab to the Properties sheet for any document. This is shown in Figure 3-25.
Additional content appearing in this section has been removed.
Backing Up Your Machines