Chapter One:
Installing the OS (Windows 2000, XP and Server)
compiled by Mutabazi Joseph
Kampala University
Installation and Configuration
• Configuration is an arrangement of functional units according to their nature, number, and chief characteristics. Configuration pertains to the choice of hardware, software, firmware, and documentation, and it affects system function and performance.
• Installation: the process of putting the operating system and its features in place on the computer.
Coverage
• Performing an attended installation of
Windows 2000 Professional, XP and
Server
• Performing an unattended installation of
Windows 2000 Professional and Server
• Creating unattended answer files with Setup Manager
• Creating and configuring automated
methods of installation
Attended Installation
• In an attended installation, you run the setup program and manually supply all required information requested by the setup program on the local computer. Before you can begin an attended installation, you must check the following requirements.
Requirements
• Operating System determination
• Hardware Requirements
Running the Windows 2000/XP Setup
Program (Methods used)
• Booting the computer from the Windows 2000 install CD or
the setup boot disks.
• Running winnt.exe from the i386 folder on the Windows 2000 install CD (assuming another OS is already installed on the computer).
• Running winnt.exe from a shared network drive.
• Inserting the Windows 2000 CD into the computer, allowing
Autorun to load the Setup Wizard, and selecting Install
Windows 2000.
• You can also run setup.exe from the CD to open this form if
your computer doesn’t support Autorun.
Disk Management tasks
• Create and manage disk partitions
• Choose a file system
Running the Setup
Booting the computer from the Windows
2000 install CD or the setup boot disks.
Create and manage disk partitions
• When you run the setup program, it examines
the local hard drive to determine if any logical
partitions exist.
• Logical partitions are any partitions on a physical
disk created by a program like fdisk.exe
• When the setup program starts, the first step is to agree to the license conditions. The program next displays each existing partition and any unpartitioned space on the disk. If no partitions are on the disk, the program simply shows Unpartitioned space.
File System
• A file system is a means to organize data expected to be retained after a program terminates, by providing procedures to store, retrieve and update data and to manage the available space on the device(s) which contain it.
NTFS File System
• NTFS offers a number of features that aren’t available when using the FAT file system. Features include:
• file level security
• auditing
• disk quotas
• file encryption
FAT File System
• The FAT file system should only be used if your computer will dual-boot with another OS that cannot read NTFS (such as Windows 95 or 98).
Phases of the installation
• The licensing mode (for the Server only)
• The computer name
• A password for the administrator account
• The optional components to install (for the Server only)
• The networking settings: typical vs custom
• The domain or workgroup membership: association with other computers on the network
Licensing
• All clients (regardless of which OS they’re running)
must have a Client Access License (CAL) to connect to a
Windows 2000 Server. Windows 2000 Server has two
license modes: Per Seat and Per Server mode. In Per
Server mode, all CALs are held on the server. The
Windows 2000 Server keeps track of how many CALs it
contains and how many active connections it has.
• If you choose Per Seat mode, the Windows 2000 Server no longer counts the number of connections. It moves the onus of licensing from the server to the client. In Per Seat mode, you’ll require one CAL for each client capable of connecting to any Windows 2000 Server. However, that one CAL will enable the client to connect to all servers on the network.
Choosing a Computer Name and an Administrative Password
• After choosing the licensing mode, you must supply a computer name and administrative password.
• The computer name must be unique. Giving the
computer a meaningful name is a good idea.
• The default administrator account is called
Administrator. This is well known to anyone
familiar with Windows. So, to protect yourself
and your network, you should choose a secure
administrative password.
Secure Password
• It should be at least eight characters long.
• It should have a mix of uppercase and lowercase
characters.
• It should include numbers and special
characters (such as _, #, $, -).
• It should avoid using obvious words (like your
name, the word “password,” and so forth).
• It should not be blank.
Selecting Optional Components to
Install
• With Windows 2000 Server, however, after
you choose a name and password, you are
given a choice of components to install.
• Most of the components are made up of
numerous subcomponents. You can pick and
choose which subcomponents to install.
Network Settings
• The typical network setting installs the Client for Microsoft Networks, File and Print Sharing for Microsoft Networks, and the TCP/IP network protocol. To use the typical setting, you should have at least one DHCP Server on the network.
• If you choose the custom network setting, then you’re given a choice of which networking components to install. You can add different network services, such as the Client Services for NetWare, and additional network protocols, such as NetBEUI or NWLink.
• You can also use the custom options to set a static IP address and DNS address for the computer.
Joining a Domain or
Workgroup
• You must decide whether the computer you’re installing will be associated with other computers on the network. This is accomplished by adding the computer to either a workgroup or a domain.
• A workgroup is a collection of computers joined together in a peer-to-peer relationship, which means each computer is aware of the others, but each one maintains its own security locally.
• Domains differ from workgroups because a central security authority exists in a domain. All members of the domain share a common security context.
Installation:
• Boot your computer from the Windows 2000
Professional CD.
• When the setup program starts, you see the Welcome
to Setup screen. From this screen, you can begin a
Windows installation by pressing ENTER, or start the
Emergency Recovery process by pressing R. Press
ENTER to continue.
• Press C to continue (Note: If your computer has
existing partitions, you might not be prompted to
press C).
• Press F8 to accept the licensing agreement.
• Press C to create a new partition. Make the partition
at least 2GB in size, and then press ENTER. If you don’t
have enough free space, either delete an existing
partition or select an existing partition.
Cont…
• Select the partition you just created, and then press
ENTER to install to that partition.
• Select Format the Partition Using the NTFS File System (see next illustration). If you will be dual-booting the computer with Windows 95 or Windows 98, select the FAT file system instead.
• Wait for the system to format the drive and reboot.
• When you see the Welcome screen, click NEXT.
• Wait for Windows to detect all devices (this might
take several minutes).
• Click NEXT to select the default regional settings.
Cont…
• Enter a value for your name and organization (the values
don’t matter, but you can’t proceed until something is
entered in the name text box).
• Enter your CD key and click NEXT.
• Use the default computer name, enter password as the
administrator password, and then click Next.
• Click Next to select the default Date and Time settings.
• Select the typical Network setting (this will default to a
private address unless you have DHCP on your network)
and click NEXT.
• Click No, This Computer Is Not on a Network, or Is on a
Network Without a Domain, and type AIO in the
workgroup or computer domain text box, and then click
NEXT.
• Click Finish to complete the installation.
Installing Windows 2000 Server
• The steps are the same as those above, up to entering the CD key and clicking NEXT.
• Configure the Server to use Per Server licenses.
Change the number of licenses to ten.
• In the computer name text box, type TestSrv.
Enter password as the administrator password.
• In the Windows 2000 Components list, select
Internet Information Services (IIS) and click
Details.
• Add the File Transfer Protocol Server and Click OK.
Click NEXT.
• Click NEXT to select the default date and time.
Installing Windows 2000 Server
• Click Custom Settings and Click NEXT.
• Highlight Internet Protocol (TCP/IP) and click
Properties.
• Set the server’s IP address to 10.13.1.102 and
the subnet mask to 255.255.0.0.
• Click OK.
• Click No, This Computer Is Not on a Network,
or Is on a Network Without a Domain, and then
type AIO in the workgroup or computer
domain text box. Then click Next.
• Click Finish to complete the installation.
Performing an Unattended
Installation
An unattended installation is one in which all the
decisions made before the installation begins are
applied automatically during the course of the
installation. Microsoft supplies several tools that
allow automated installations to take place with
relative ease.
These include:
• Unattended scripts and the Setup Manager
• Images prepared with Sysprep
• Deploying remote images with the Remote Installation Service (RIS)
Performing Unattended Installs
Using Answer Files and
Setup Manager
• Answer files supply values for all the
choices that must be made during a
manual install.
• To perform an unattended install with answer files, you must start the installation by executing winnt.exe from either the i386 folder on the Windows 2000 CD or a shared network drive.
The unattend.txt and unattend.udf Files
• The answer file (unattend.txt) holds the values shared by every installation.
• The UDF (uniqueness database file) provides unique values for an installation, such as the computer name, by referencing a unique ID (index) value.
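Added example (not from the page and not Setup Manager output): a Python script that writes the shared unattend.txt and a per-computer unattend.udf in the format described above, and refuses an Administrator password that fails the Secure Password rules listed earlier. It assumes the workgroup AIO, Per Server licensing with ten CALs and the computer name TestSrv from the walkthrough; the product ID, the FullName/OrgName values and the list of obvious words are placeholders.

```python
"""Build a Windows 2000 unattend.txt answer file plus the matching .udf file for a
set of computers, refusing an Administrator password that breaks the rules on
this page.  Added example: section/key names follow the documented unattend.txt
and UDF formats; the workgroup AIO, Per Server licensing with ten CALs and the
name TestSrv come from the page's walkthrough; the product ID is a placeholder."""
import re

# The "Secure Password" rules: (description, test that must hold).
PASSWORD_RULES = [
    ("at least eight characters", lambda p: len(p) >= 8),
    ("both uppercase and lowercase letters",
     lambda p: re.search(r"[a-z]", p) and re.search(r"[A-Z]", p)),
    ("at least one number", lambda p: re.search(r"[0-9]", p)),
    ("at least one special character such as _ # $ -",
     lambda p: re.search(r"[^0-9A-Za-z]", p)),
]
# Obvious words to reject (assumed list); callers add the user's own name.
OBVIOUS_WORDS = ("password", "administrator", "admin")


def check_admin_password(password, obvious=OBVIOUS_WORDS):
    """Return the descriptions of every rule the password fails ([] = accepted)."""
    if not password:
        return ["not blank"]
    failed = [desc for desc, test in PASSWORD_RULES if not test(password)]
    lowered = password.lower()
    if any(word in lowered for word in obvious):
        failed.append("no obvious words (name, 'password', ...)")
    return failed


def render_unattend(workgroup, product_id, admin_password, per_server_cals=None):
    """Return the shared unattend.txt text; ComputerName=* is overridden per
    machine by the UDF.  Raises ValueError rather than writing a weak password."""
    problems = check_admin_password(admin_password)
    if problems:
        raise ValueError("Administrator password rejected: " + "; ".join(problems))
    lines = [
        "[Unattended]",
        "UnattendMode=FullUnattended",
        "OemSkipEula=Yes",
        "TargetPath=\\WINNT",
        "FileSystem=ConvertNTFS",
        "",
        "[GuiUnattended]",
        # Stored in clear text: keep the answer file off world-readable shares
        # and change the password after deployment.
        f'AdminPassword="{admin_password}"',
        "OEMSkipRegional=1",
        "OemSkipWelcome=1",
        "",
        "[UserData]",
        'FullName="Lab User"',            # placeholder
        'OrgName="Kampala University"',   # placeholder
        f"ProductID={product_id}",
        "ComputerName=*",
        "",
        "[Identification]",
        f"JoinWorkgroup={workgroup}",
        "",
        "[Networking]",
        "InstallDefaultComponents=Yes",   # the "typical" network settings
    ]
    if per_server_cals:  # Server only: the licensing mode chosen in the walkthrough
        lines += ["", "[LicenseFilePrintData]", "AutoMode=PerServer",
                  f"AutoUsers={per_server_cals}"]
    return "\n".join(lines) + "\n"


def render_udf(computer_names):
    """Return unattend.udf text giving each computer its own ComputerName.
    Start setup with:  winnt /s:<i386 path> /u:unattend.txt /udf:<ID>,unattend.udf"""
    lines = ["[UniqueIds]"] + [f"{name}=UserData" for name in computer_names] + [""]
    for name in computer_names:
        lines += [f"[{name}:UserData]", f"ComputerName={name}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_unattend("AIO", "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX", "Kla-2024_Ok", 10))
    print(render_udf(["TestSrv", "Lab01"]))
```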
Using Setup Manager
• Setup Manager is a GUI application that can be
used to generate unattend.txt files and UDF
files automatically.
• Before you can start using Setup Manager, you
must install it from the Windows 2000 CD.
Setup Manager is located (along with some of
the other automation tools) in the Support |
Tools folder, in a compressed file called
deploy.cab. You must extract this cab file
before you can run the Setup Manager.
Imaging Windows OS
• Perform a clean install of Windows 2000 on a test
computer.
• Troubleshoot the installation and ensure no errors
exist.
• Install any service packs or applications on the test
computer that you want on the image.
• Run sysprep.exe on the test machine.
• Restart the test computer and image it with a third-
party imaging tool.
• Save the image to a CD or a network share.
• Start the destination computer(s) and apply the
image to the new machine(s).
Upgrading Windows and Troubleshooting Failed Installations and Upgrades
Coverage Topics
• Verifying upgrade compatibility
• Performing an upgrade to Windows 2000
• Deploying service packs
• Applying update packs to installed software
applications
• Troubleshooting a failed installation
Scenario
• A clean installation is one that takes place on a
computer that has no operating system
installed, or one that will completely over-
write any existing OS and reformat the hard
drive.
• So what about an upgrade?
• An operating system upgrade may completely
change the menus and the way you use your
computer or phone.
Compatibility Issues
• Verify that all software and hardware are
compatible with the intended OS for
upgrade
• Make a compatibility report: The HCL
enables you to check that your hardware
is compatible – Driver Issues
• Check Active Directory
Preparations to Upgrade
• Backing up all drives before you begin the upgrade, so that the system can be restored.
• Backing up the Registry (local security settings): type regback.exe.
• Correcting any errors on the system (check the logs in Event Viewer to find unresolved errors).
• Closing or disabling any applications running in memory (such as virus scanners or monitoring software).
• If you’re upgrading a Windows NT computer, you should also update the Emergency Repair Disk (ERD): type rdisk.exe.
Cont…
• Disconnecting the serial connection to any UPS
device.
• Making sure all the most current Service Packs
have been applied to the OS and to any
applications.
Upgrading Wizard
• Right-click Network Neighborhood and select
Properties.
• Click the Identification tab, and record the computer
name and any domain or workgroup membership.
• Click the Configuration tab and record your network
settings. If you’re using TCP/IP, click TCP/IP in the
components list, and then click Properties to view the
IP properties (see the next illustration).
• Insert the Windows 2000 Professional CD and start the
Windows 2000 Setup Wizard.
• Select Upgrade to Windows 2000 (Recommended) and
click Next.
Cont…
• Review the License Agreement, click I Accept This
Agreement (see the following illustration), and then
click NEXT.
• Notice you can add more upgrade packages from the
Microsoft Web site. Click NEXT.
• On the next screen, you can add upgrade packs. If you
have upgrade packs click Yes, I Have Upgrade Packs,
and then click Add to add them to the list (see
illustration). For this exercise, click No, I Don’t Have
Any Upgrade Packs, and then click NEXT.
• When you’re asked to upgrade to NTFS, choose Yes,
Upgrade My Drive, and then click Next (see
illustration).
Cont…
• Next, the setup program will automatically
run the compatibility report.
• Examine the compatibility report. If you have
incompatible hardware, you won’t be able to
continue with this exercise. Click Next.
• On the Ready to Install page, click Next to
begin the upgrade.
• When the upgrade is complete, check to see
if the upgraded Windows 2000 Professional
computer has the same name and network
settings as the Windows 95/98 computer.
Deploying Service packs
• Service Packs are updates Microsoft releases after the
products are released. They most often contain a large
number of hot fixes, security fixes, and updated
drivers to the products.
• After installing or upgrading to Windows 2000, you’ll
probably need to run additional Service Packs.
• winver.exe shows the installed service pack level.
• update.exe is the program used to download and apply updates.
• A service pack is a collection of updates, fixes or
enhancements to a software program delivered in the
form of a single installable package
Common Problems
• Media error: occurs when you have a problem with the installation CD itself.
• Failure of dependency services to start: this error occurs most often during the network configuration phase of the installation process, typically because the NIC has a problem.
• Failure of the installation process to start: usually hardware problems.
• Inability to join a domain: this affects only the security context of the network; it doesn’t stop the installation.
Troubleshooting Failed Installations
and Upgrades
• Making sure the CD is bootable
• Making sure the drivers are the right
ones
• Making sure the NIC is working
properly
• Making sure we use the right
workgroup
Some Upgrades
Managing Windows 2000
Hardware Configuration
Topics
• Implementing, managing, and troubleshooting disk devices
• Implementing, managing, and troubleshooting a video adapter
• Implementing, managing, and troubleshooting input and output
(I/O) devices
• Implementing, managing, and troubleshooting printing
• Implementing, managing, and troubleshooting Card Services
• Monitoring and configuring multiple processing units
• Updating drivers
• Managing and troubleshooting driver signing
• Managing hardware profiles
• Configuring Advanced Power Management
Tools and Features for Managing
the Windows 2000 Hardware
• Plug and Play
• The Add/Remove Hardware Wizard
• The Device Manager
• Windows Update
Plug and Play
• Windows should be able to detect new hardware
and load the appropriate drivers automatically.
• Plug and Play will also configure the device so it works correctly with other devices on the computer. This is only in the case of full Plug and Play, though. To be fully functional, Plug and Play requires the following:
– A Plug and Play OS
– A Plug and Play BIOS
– A Plug and Play-compatible hardware device (and the
correct drivers)
Levels of Interaction
• Non-Plug and Play OS, BIOS, and Hardware. In this
case, you must manually install and configure the
device and its drivers. You must also assign all resources
for the device.
• Plug and Play OS and legacy (Non-Plug and Play)
Hardware. You can install the hardware using the
Add/Remove Hardware Wizard. This still requires some
manual intervention, but the driver installation and
most of the configuration is performed automatically.
• Full Plug and Play. This is the easiest method. With full
Plug and Play, all you need to do is physically install the
device and turn on the computer. Plug and Play will
detect the device and load the appropriate drivers. The
installation is completely transparent to the user.
Add/Remove Hardware Wizard
• Click Start | Settings | Control Panel.
• In the control panel, double-click the
Add/Remove Hardware icon. When the
wizard starts, click Next to begin.
• On the Choose a Hardware Task form, select Add/Troubleshoot a Device and click Next, then follow the remaining instructions to the end.
Device Manager
The Device Manager is used to manage and
troubleshoot devices that have been installed on
the computer.
It includes the following:
• View information about the current driver
• View current settings (such as IRQ and DMA
channel assignments)
• Update existing drivers
• Disable devices
• Uninstall devices
• Change the resources used by a device
• Print a system setting report.
Managing Device Drivers
• A driver is a piece of software that contains
information about a particular hardware
device.
• What happens if you install the wrong drivers?
Driver Signing
• Windows OS includes a new feature to protect
the system against updates that can damage the
system. It is to have a mechanism of testing
third-party drivers and updates to Windows
system files.
Monitoring and Supporting Multiple
Processors
• Most versions of Windows OS support
multiple processors.
• If you click the Driver tab and select the Update Driver button, you can change the mode from uniprocessor to multiprocessor.
• If you want to monitor how each processor is used by Windows, you can look in the Task Manager. On the Performance tab, you can see one window for each processor.
• Windows 2000 Professional: 2 processors
• Windows 2000 Server: 4 processors
• Windows 2000 Advanced Server: 8 processors
• Windows 2000 Datacenter Server: 32 processors
Managing Disk Devices
• Working with Basic Disks; There are two
types of partitions:
• Primary partitions
• Extended partitions
• A primary partition can’t be subdivided into
smaller units. An extended partition, on the
other hand, can contain multiple logical
drives, which are individual volumes that are
part of the extended volume.
Working with Dynamic Disks
• A volume is a logical block of disk space
associated with a drive letter or a mount
point.
• Volumes on a dynamic disk can be extended
to include noncontiguous space or even on
to different volumes
Dynamic Volume Types
RAID-5 volumes and mirrored volumes are fault-tolerant, which helps in disaster recovery.
Extending Existing Volumes
• If you have a dynamic disk, you can also extend the size of an existing volume. To extend the volume, the volume must be formatted with NTFS; FAT16 and FAT32 volumes can’t be extended. The volume can be extended either on to noncontiguous space on the same disk or on to space on another disk.
• If you use space on another disk, this is called a spanned volume. Note, be careful with spanned volumes because they are not fault-tolerant.
• If any disk in a spanned volume fails, the entire volume will be lost.
Managing Display Devices
Advanced Settings
Managing and configuring printers
• The print device is the physical printer,
• A printer in Windows 2000 terms is the
software on a print server that manages
printing.
• The print server is the computer where you
install the printer.
Installing a printer
• Click Start | Settings | Printers to open the printers window.
• Double-click the Add Printer icon, and then click Next to
start the Add Printer Wizard.
• Select the local printer option and clear the Automatically detect and install my plug and play printer check box, as you can see in the next illustration. Then, click Next.
• On the Select Printer Port form, select LPT1. If this port is
taken, select the first free port, and then click Next.
• In the printers window, select HP LaserJet 5L (or any other
printer you like). Notice the list of printers changes to the
models supported by each manufacturer, as shown in the
next illustration. Click Next.
Cont…
• Click Do not share this printer. This keeps the
printer local.
• In the Location and Comment field, enter your
current location. Click Next.
• If you installed the printer without a corresponding print device, click No to print a test page, and then click Next.
• Click Finish to complete the wizard.
Adding a Standard TCP/IP Printer Port
1. Click Start | Settings | Printers to open the
printers window.
2. Double-click the Add Printer icon, and then
click Next to start the Add Printer Wizard.
3. Select the Local Printer option and clear the
Automatically detect and install my plug and play
printer check box. Click Next.
4. On the Select Printer Port form, click the
Create a New Port button. In the type box, select
Standard TCP/IP Port. Click Next to start the Add
Standard TCP/IP Printer Port Wizard.
5. Click Next to start the wizard.
6. In the Printer Name or IP Address
text box, type the IP
address 10.10.1.2. Notice Windows
2000 automatically adds the port name.
Click Next to continue.
7. On the next form, you receive a
message that the device can’t be found.
In a live installation, you would check
your connection at this point. In this
exercise, though, we’ll ignore the
message and continue.
8. Choose Generic Network card as the device type, and then
click Next.
9. Click Finish to complete the installation of the TCP/IP port.
Windows then returns you to the Add/Remove Printer Wizard
and prompts you to choose the type of device.
10. Click the Back button. Notice the TCP/IP port was added to
the list of available ports, as you can see in the next
illustration.
Managing power management
Notebook computers, unlike desktop computers, can be connected to a power supply or run on battery power. Even for computers that are connected to a power supply, you might want to power off screens, or even the computer itself, to save energy when the system is idle.
To configure your power management, use the
Power Options utility in the control panel. This
tool enables you to choose a power scheme for
your computer. This power scheme determines
when to power off your monitor and hard disk to
conserve power.
Managing Windows 2000
Networking
Kampala University
Topics covered
• The basics of networking
• Client Server computing
• Interprocess communications
• Network services
• The OSI model
• Installing and configuring TCP/IP, NWLink,
and NetBIOS
• Installing and configuring network adapters
in Windows 2000
• How TCP/IP communicates
Networking
• A network is simply a way to move data from one
computer to another.
Element for Communication
• A common language.
• A common frame of reference must exist, i.e. shared terms and concepts.
• A method of communicating.
Element for Networking
• A common understanding—the correct pairing of client
and server.
• A common language—the same network protocol.
• A method of transferring the information—the physical
network cards and wiring or radio frequencies.
OSI Model
The OSI model describes all the functions required to
allow two systems to communicate and it breaks them
into seven different groups called layers.
• All People Seem To Need Data Processing
• Please Do Not Throw Sausage Pizza Away.
• Application
• Presentation
• Session
• Transport
• Network
• Data Link
• Physical
Application Layer
It exists on both the client computer and the
server computer, and it deals with data in
parcels, called protocol data units (PDU).
Example,
•A client computer might create a PDU that
requests a server to send a file to the client or it
might create a PDU that requests the data be
printed.
The PDU the client creates is sent across
the network to a server.
Presentation Layer
• Two major functions occur as the data is
passed through the presentation layer.
• Encryption: for example SSL on a website, or symmetric-key encryption.
• Code Page Translation - This ensures the
characters will be displayed correctly in the
local code page.
Session Layer
• It is responsible for the creation, management,
and closing of sessions between
communicating hosts.
• Uses NetBIOS (Network Basic Input/Output System): a service used to define a simple method of formatting a request and a response using SMBs (server message blocks).
• The services all use the same session management, encryption, and name services provided by NetBIOS.
• Example: enter the command nbtstat -n to list the NetBIOS names registered on the local computer.
Terms of communication
• Unicast or Point-to-Point In this case, one system is
directly communicating with another system. This type
of communications normally uses a session.
• Multicast In this case, a computer is sending
information and a selected group of systems are
listening in on the transmission. Streaming media, such
as radio stations, that are available on the Internet use
this method.
• Broadcast In this case, the information is sent to every other computer on the network; however, it is an efficient method of sending a query to all the systems on a network. This includes name-resolution queries and queries to resolve IP addresses to hardware addresses.
Transport Layer
• It is responsible for creating the packets or
datagrams that will be sent across the network
to the remote system.
• A datagram is simply data that will be sent on the network but doesn’t require a session, whereas packets also contain data but require a session.
• The transport layer provides reliable delivery of the information to the remote host when there is a session.
Network Layer
• It is used for communications to remote
networks. This means every packet passed
through this layer needs to be identified as being
for the local network or for a remote network. In
the case of IP, this is done using the subnet mask.
• If the network layer determines a packet is for a
local network, it will pass the packet to the next
layer for delivery. If the packet is destined for a
remote network, then the network layer will
determine how to get the packet there.
• The router will have an interface on the local
network and the packet will be directed to that
local interface on the router.
Data Link Layer
• This layer takes the information passed from the
network layer and sends the data on to the network.
• The data link layer has two parts: the LLC and the MAC.
• Logical Link Control: manages pointers to the other systems with which you’re communicating. All the data is sent to the address of the network card, called the Media Access Control (MAC) address. The LLC is where these addresses will be kept for a time.
• MAC- is a component responsible for taking the data
from the layers above and creating frames that can be
transmitted on the wire.
• A frame contains the data that will be transmitted on
the network and typically consists of a preamble, the
destination MAC address
Main Functions of the DLL
• Framing
• Physical Addressing
• Flow Control
• Error Control
• Access Control
• Media Access Control(MAC)
Physical Layer
• It is responsible for placing the 1’s and the 0’s
on the wire and reading 1’s and 0’s off the
wire.
• It manages the physical movement of traffic on the network.
• Establishment and termination of a connection to a communication medium (e.g. fibre optics).
• Example: an Ethernet network, which uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD) as its access method.
Putting the Layers together
TCP/IP Model
• Application
• Transport
• Network
• Network Access
Remote Procedure Calls
• RPC client and server services allow complex
interactions between the client system and the
server system.
• Other Services such as Microsoft Exchange and
Active Directory use RPCs for replication.
• This protocol is only usable on a local area network
(LAN) with sufficient available resources.
[Course Work Next!!]
Duration: 2 weeks, present PowerPoint
presentations in groups of 5
Course work
• How to install and manage Domain Name Services
• Managing and configuring a DHCP
• Distributed Component Object Model (DCOM)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• File Transfer Protocol (FTP)
• Internet Control Message Protocol (ICMP)
• Address Resolution Protocol (ARP)
• Internet Group Management Protocol (IGMP)
• Simple Network Management Protocol (SNMP)
[Class: read about these protocols and show how to configure and manage them (show examples and illustrations).]
Routing
• The main component in routing is the router. Routers
are systems that contain two or more network
interfaces.
• A simple command to demonstrate this and enable you to determine the path your data is taking is the tracert command. For example:
C:\>tracert ebok.scrimtech.com
The Local Routing Table
• Every system with IP installed has a routing table. The routing table is used to determine the next router to pass the packet to. To see the local routing table, you can use the route print command:
C:\>route print
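Added example, not from the page: a Python function that reads a routing table in the layout route print shows and, for a destination address, applies the subnet-mask decision described under the Network Layer (local network, delivered directly, versus remote network, handed to the router). The table is constructed from the page's server address 10.13.1.102 / 255.255.0.0; the default gateway 10.13.0.1 is an assumption.

```python
"""Work out, from a routing table in the layout 'route print' shows, whether each
destination is on the local network (delivered directly) or on a remote network
(handed to a router), using the subnet mask as the network layer does.  Added
example, not from the page; the table below is constructed from the page's
server address 10.13.1.102 / 255.255.0.0 with an assumed default gateway 10.13.0.1."""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the 'route print' layout (not captured from a real host).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.13.0.1     10.13.1.102       1
        10.13.0.0      255.255.0.0      10.13.1.102     10.13.1.102       1
      10.13.1.102  255.255.255.255        127.0.0.1       127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
  255.255.255.255  255.255.255.255      10.13.1.102     10.13.1.102       1
Default Gateway:         10.13.0.1
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text):
    """Keep the lines with destination, mask, gateway, interface and metric;
    the headers and the 'Default Gateway:' summary line are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            gateway = ipaddress.IPv4Address(fields[2])
            interface = ipaddress.IPv4Address(fields[3])
            network = ipaddress.IPv4Network((fields[0], fields[1]), strict=False)
            metric = int(fields[4])
        except ValueError:
            continue  # not a route line
        routes.append(Route(network, gateway, interface, metric))
    return routes


def best_route(routes, destination):
    """Longest prefix match; lowest metric breaks ties (how Windows picks a route)."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes, destination):
    """Return (where the packet goes, the address the frame is sent to)."""
    route = best_route(routes, destination)
    if route is None:
        return ("unreachable", None)
    if route.interface == ipaddress.IPv4Address("127.0.0.1"):
        return ("local host", "127.0.0.1")
    if route.gateway == route.interface:
        # Same subnet: the data link layer resolves the destination's own MAC.
        return ("local network", destination)
    # Remote network: the frame goes to the router's interface on our subnet.
    return ("remote network", str(route.gateway))


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for host in ("10.13.1.102", "10.13.7.9", "192.168.5.1"):
        print(host, "->", next_hop(table, host))
```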
Configuring Network Settings in
Windows.
• Network identity comes in several pieces: the MAC
address, the IP address, and the computer name.
• Here we look at setting the computer name, which is the NetBIOS identity of the computer. You can get to the network identification information and see it in two ways:
1. Right-click My Computer and choose Properties
from the Context menu. Or Open the Control Panel,
and then open the System icon.
2. Click the Network Identification tab
Cont…
• However to change the computer name, workgroup, or domain
membership, do the following:
1. Click the Properties button. This opens the Identification Changes
dialog box
2. To change the computer name, enter a new name in the
Computer Name text field.
3. To change the workgroup or domain membership, click
Workgroup or Domain, and then enter the name of the domain or
workgroup to join. If prompted, enter the user name and
password of a user permitted to add a computer to a domain.
• When the change is made, you’ll receive a message welcoming
you to the domain or workgroup. Click OK to continue.
4. You receive a message that says you must restart for the changes
to take effect. Click OK to clear the message.
5. Click OK to close the System Properties dialog box, and then click
Yes to restart your system.
Configuring Network Adapters in
Windows 2000
• Before you can communicate on the network, you need to
physically talk to the network.
• This means you must be able to configure the network
adapter in the system. This is generally a simple matter of
plugging in the network adapter, and then starting the
system.
• Sometimes you may need the driver, which normally comes with the adapter on a CD or can be found on the Internet.
1. Right-click My Network Places and choose Properties from the context menu.
2. Right-click the connection to configure and choose Properties from the context menu. Or:
1. Click Start | Settings | Network and Dial-up Connections.
2. If the submenu appears, choose the connection to configure.
Basic Configurations
1. Open the Connection properties.
2. Select the Internet Protocol (TCP/IP) from
the list and click the Properties button.
3. To configure an IP address manually, select
Use the Following IP Address and Use the
Following DNS Server Addresses.
4. Enter the required information and click OK.
5. Close the Connection properties.
Advanced Options
• The advanced options enable you to have
more control over the TCP/IP configuration
and to configure options like multiple IP
addresses or WINS server addresses.
• The DNS tab can be used to configure special
settings for the DNS client on the computer.
The settings on this tab affect the way in
which a DNS query will be sent to the DNS
server.
Testing the TCP/IP Configuration
• Ping 127.0.0.1. This ensures the protocol is installed and
working correctly. The address 127.0.0.1 is called the
loopback address.
• Ping local_IP, where local_IP is the IP address of the
computer. This ensures the IP protocol is correctly bound to
the network card.
• Ping default_gateway, where default_gateway is the IP address
of the default gateway. This ensures you have connectivity to
the local network and can send and receive information. You
should also ping other systems on the same local network.
• Ping remote_host, where remote_host is the IP address of a
host that’s known not to be on the local subnet.
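The four checks above as a script, an added example that is not part of the course slides. It runs the pings in the order the slides give and stops at the first layer that fails, because everything above a failed layer is untestable. The local address and default gateway are read with Get-NetIPConfiguration (Windows 8 / Server 2012 and later; on Windows 2000 you would read them from ipconfig), and the remote host is an assumed placeholder to replace with a host known to be off the local subnet.

```powershell
# Added example (not from the course slides): the four ping checks, run in
# order, stopping at the first layer that fails.
param(
    [string]$RemoteHost = '192.0.2.1'   # placeholder; replace with a host known to be off the local subnet
)

function Test-TcpIpStack {
    param([Parameter(Mandatory)][string]$RemoteHost)

    # Pick the first adapter that actually has an IPv4 default gateway
    $cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
    if (-not $cfg) { throw 'No adapter with an IPv4 default gateway was found.' }
    $localIp = @($cfg.IPv4Address)[0].IPAddress
    $gateway = @($cfg.IPv4DefaultGateway)[0].NextHop

    # Each check only makes sense if the previous one passed, so the list is ordered.
    $checks = [ordered]@{
        'Loopback 127.0.0.1 (TCP/IP installed)'   = '127.0.0.1'
        "Local address $localIp (bound to NIC)"   = $localIp
        "Default gateway $gateway (local LAN)"    = $gateway
        "Remote host $RemoteHost (off-subnet)"    = $RemoteHost
    }
    foreach ($name in $checks.Keys) {
        $ok = Test-Connection -ComputerName $checks[$name] -Count 1 -Quiet
        '{0,-48} {1}' -f $name, $(if ($ok) { 'OK' } else { 'FAILED' })
        if (-not $ok) {
            Write-Warning "Stopping: fix '$name' before testing the layers above it."
            return
        }
    }
}

Test-TcpIpStack -RemoteHost $RemoteHost
```

Because the checks are ordered, the first FAILED line points at the layer to fix: loopback failing means the protocol stack itself, the local address failing means the binding to the adapter, the gateway failing means the local network, and only the remote host failing means routing beyond it.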
Managing Disk, Share, and Printer Access
File System
• Windows 2000 supports three file systems:
FAT, FAT32, and NTFS.
• In terms of file system functionality, you can consider FAT
and FAT32 as basically the same file system, since the only
difference between them is that FAT32 has support for
disks larger than 8GB in size (or less, depending on drive
geometry). FAT32 was introduced with Windows 95 and
has been supported on Windows 98 and Windows ME.
Windows NT never had support for FAT32, which is
something that Windows 2000 has corrected. Both FAT
and FAT32 provide compatibility with previous versions of
Windows, thereby allowing you to configure dual booting.
• On the other hand, when a hard disk partition is
formatted with NTFS, it can be used only by Windows NT
4.0 and Windows 2000 operating systems on the computer.
Converting from FAT to NTFS
C:\>help convert
Converts FAT volumes to NTFS.
CONVERT volume /FS:NTFS [/V]
  volume     Specifies the drive letter (followed by a colon),
             mount point, or volume name.
  /FS:NTFS   Specifies that the volume be converted to NTFS.
  /V         Specifies that Convert should be run in verbose mode.
Converting a Partition to NTFS
• Log onto your Windows 2000 server computer as
Administrator with the appropriate password.
• Right-click on My Computer and then select Manage to
invoke the Computer Management console.
• Expand Storage and then click on Disk Management. A
list of installed hard disk, CD or DVD, and other
removable devices on your computer will be displayed.
• Select an existing FAT or FAT32 partition and then
record the drive letter assigned to it. If no drive letter is
assigned to the FAT or FAT32 partition, assign one by
right-clicking on the partition and selecting Change
Drive Letter and Path. Also record the volume label
(that is, the name of the partition) because you will
need this information to complete the conversion.
Cont.
• Exit the Computer Management administrative
tool and start a Command Prompt from Start,
Programs, Accessories.
• At the Command Prompt, issue the Convert
command using the drive letter you recorded earlier. Use
the verbose option of the Convert command, as in the
following example, to convert drive F to NTFS:
C:\>convert f: /fs:ntfs /v
• When prompted to enter the volume label for the
drive, enter it. The conversion will start, unless you
have system files or in-use files on the disk.
Cont.
The type of the file system is FAT.
Enter current volume label for drive F: FAT DISK
Determining disk space required for file system conversion...
Total disk space: 1044193 KB
Free space on volume: 1043920 KB
Space required for conversion: 8771 KB
Converting file system
Conversion complete
C:\>
• Close the Command Prompt window by typing Exit and then
hitting ENTER.
Converting from NTFS to FAT
• Once a disk volume or partition has been
converted to NTFS, the only way to make
the disk volume FAT or FAT32 again is to
reformat the volume as FAT or FAT32
thereby losing all the data on that disk.
Securing Files and Folders with NTFS Permissions
• The big advantage of NTFS is that it allows you to
secure files and folders by applying permissions.
• Permissions follow a distinct hierarchy of
inheritance and can be set at the file or folder level.
• Permissions for a file or folder are stored in an
Access Control List (ACL) for the file or folder. Each
permission assigned is referred to as an Access
Control Entry (ACE) and includes the user, group, or
computer the permissions has been assigned to, as
well as the permission itself.
• The default permission applied to the root folder of
any NTFS volume or partition is Everyone—Full
Control, which essentially allows any user to
perform any action.
Permission Application and Inheritance
• Prior to assigning permissions to files and
folders on an NTFS partition, it is important to
understand how multiple permissions applied
to the same file or folder are evaluated, as well
as how setting permissions on a folder will
affect files and subfolders created later.
Finally, it is important to understand the
difference between the Grant and Deny
attribute of a permission, since both can be
assigned.
Standard NTFS Permissions for
Folders
Standard NTFS Permissions for Files
Permission Behavior for Move and Copy Operation
Setting NTFS Permissions for Files and Folders
• Log onto your Windows 2000 server computer as
Administrator with the appropriate password.
• Right-click on My Computer and then select Explore to
invoke Windows Explorer. You can also access Windows
Explorer by selecting Start, then Programs, then
Accessories, then Windows Explorer.
• Click on a partition on your hard disk that has been
formatted with NTFS. If you did not create a second
partition and format it with NTFS, use the drive in which
you installed Windows 2000. To ensure that the
partition is formatted as NTFS, right-click on the
partition and select Properties to display the Properties
dialog box General tab and ensure that the file system is
NTFS, and then OK to close the Properties tab.
Cont.
• In the details pane of your selected partition, right-click
and select New and then Folder. Change the name of the
folder to NTFSTestFolder and then press ENTER.
• Right-click on NTFSTestFolder and then select Properties
to bring up the Properties dialog box.
• Click on the Security tab to display the current
permissions assigned to the newly created folder. Note
that the default permissions for the folder were
inherited from the parent folder. This is indicated by the
fact that the permissions listed are grayed in the
Permissions window of the Security Tab.
• Click on the Add button and then, in the Select User,
Groups, or Computers dialog box, add Administrators
and Users to the list of accounts to be added. Click OK
when done.
Cont.
• Click Apply and then OK to save your permission
changes.
• Double-click on NTFSTestFolder to display its contents
in the details pane of Windows Explorer.
• Right-click on the details pane and select New and then
Text Document. Change the name of the file to
NTFSTestFile and then press ENTER.
• Double-click on NTFSTestFile to invoke Notepad. Add
the following text to the file: This is NTFSTestFile when
it was first created. Save the file and exit Notepad.
• Right-click on NTFSTestFile and select Properties. Select
the Security tab to view the default permissions
assigned to the file. Note that all permission entries are
grayed out, indicating that they are inherited.
Cont.
• Click Everyone and then click Remove. Note the
error message displayed in the Security dialog box
indicating that you cannot remove inherited
permissions without first breaking the inheritance.
Click OK to acknowledge the Security dialog box.
• To turn off permission inheritance, uncheck the
Allow Inheritable Permissions from Parent to
Propagate to this Object check box.
• Click Everyone and then Remove to remove
permissions for the Everyone group.
• Verify that the Administrators group has Full
Control permissions to the file. Click Add and then
add the user Administrator to the list of objects
being assigned permissions, and select the Deny
check box for the Read permission.
Cont.
• Click Apply and then OK to save your changes.
Note the Security warning dialog box verifying that
you do indeed want to assign a Deny attribute to
the Read permission. Click Yes to acknowledge the
dialog box and save the Deny setting.
• Double-click on NTFSTestFile to read it with
Notepad. Note that you are not able to read the
file because an explicit Deny was configured for
the user Administrator and are presented with a
dialog box indicating that access has been denied.
Click OK to acknowledge the message and then
exit Notepad.
• Close Windows Explorer.
Special NTFS Permissions
The standard Read permission is actually composed of four
special NTFS permissions:
• Read Data: allows the holder to read the file or folder and its
contents.
• Read Attributes: allows the holder to read the standard
attributes of the file or folder, such as Read Only, Archive, Date
and Time, and so on. (Attributes are discussed later.)
• Read Permissions: allows the holder to view the permissions
assigned to the file or folder.
• Read Extended Attributes: allows the holder to view the
extended attributes (compressed, encrypted, and so on) of the
file or folder.
Special NTFS permissions allow the administrator to assign
very specific permissions to users and groups for files and
folders on NTFS partitions.
Assigning and Testing Special NTFS
Permissions and Inheritance
• Log onto your Windows 2000 server computer as
Administrator with the appropriate password.
• Right-click on My Computer and then select Explore to
invoke Windows Explorer. You can also access Windows
Explorer by selecting Start, then Programs, then
Accessories, then Windows Explorer.
• Click on NTFSTestFolder folder in the navigation pane
and then right-click on NTFSTestFile and select
Properties.
• Click on the Security tab and then click on the Advanced
button to display the Access Control Settings dialog box.
Cont.
• Click on the Deny entry for Administrators and then on the
View/Edit button to display the Permission Entry dialog box.
Note the permissions that have been assigned for the denial
of the Read standard permission.
• Click on the Allow check box for the List Folder/Read Data
permission and then click OK to save your changes. Note
that Windows 2000 converted this into two entries in the
Access Control Settings dialog box with a permission type of
Special to deal with the assignment.
• Click Apply and then OK to save your changes. Note that all
of the check boxes for standard permissions for the
Administrator user are cleared on the Security tab of
NTFSTestFile Properties dialog box. This is because none of
the standard permissions available apply, but Windows 2000
needs some way to indicate to you that permissions have
been specified for the user. Click OK to close the dialog box.
Cont.
• Double-click on NTFSTestFile to invoke Notepad to read
the file. Note that you still cannot read the file, even
though you have the Read Data permission. This is
because Notepad is unable to read the file’s permissions
to determine if access is allowed and therefore assumes
it is denied. Acknowledge the dialog box and exit
Notepad.
• Right-click on the NTFSTestFolder in Windows Explorer
and then Properties and then select the Security tab.
• Click on the Advanced button to display the Access
Control Settings dialog box for the folder.
• Clear the Allow Inheritable Permissions from Parent to
Propagate to This Folder check box and select Copy
when prompted on how to handle permissions.
• Click on the permission assigned to the Everyone group
and select Remove.
Cont.
• Click on the Advanced button and then click on the
permission assigned to the Users group and select View/Edit
to bring up the Permission Entry dialog box for this ACE. Note
the permissions displayed.
• Click on the down arrow next to Apply Onto to display the
level at which permissions will be applied when modified.
• To force the selected permissions on all children of this folder
and to reset their permissions, erasing any existing
permissions in the process, select the Reset permissions on
All Child Objects and Enable Propagation of Inheritable
Permissions check box and then click on Apply.
• When the Security dialog box warning is displayed, review the
message stating that you will reset all permissions on child
objects and then click Yes to continue the process.
Cont.
• Click OK to close the Access Control Settings dialog box.
• Click OK to close the NTFSTestFolder properties dialog
box.
• Double-click on NTFSTestFile in the NTFSTestFolder and
notice that Notepad starts and displays the file’s
contents. Close Notepad.
• Right-click on NTFSTestFile and select Properties. Click
on the Security tab and review the existing
permissions. Note that all permissions on the file are
now the ones set on the folder and inherited by the
file. All permissions that were previously manually
assigned have been removed, as expected.
• Click OK to exit the NTFSTestFile properties dialog box.
• Exit Windows Explorer.
• Log out of Windows 2000.
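The NTFSTestFolder lab from the two sections above (breaking inheritance, removing Everyone, an explicit Deny of Read, and finally resetting the child permissions from the folder) driven from PowerShell instead of the Security tab. This is an added example, not code from the course slides. It assumes C:\ is an NTFS volume, that a hypothetical local account named testuser exists, and that it runs from an elevated prompt as Administrator; Get-Acl / Set-Acl and icacls are the real tools used.

```powershell
# Added example (not from the course slides): the NTFSTestFolder lab with
# Get-Acl / Set-Acl and icacls. 'testuser' is a hypothetical local account.
$folder = 'C:\NTFSTestFolder'
$file   = Join-Path $folder 'NTFSTestFile.txt'
$user   = "$env:COMPUTERNAME\testuser"

New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value 'This is NTFSTestFile when it was first created.'

function Show-Acl([string]$Path) {
    # One row per ACE: who, what, Allow/Deny, and whether it was inherited
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize |
        Out-Host
}

Write-Host '--- Default ACL of the new file (every entry inherited) ---'
Show-Acl $file

# Step 1: break inheritance on the file. The second argument ($true) keeps
# the inherited entries as explicit copies, the equivalent of choosing Copy.
$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $file -AclObject $acl

# Step 2: now that the entries are explicit, any Everyone ACEs can be removed
# (inherited ACEs cannot be removed, which is the error the lab shows).
$acl = Get-Acl -Path $file
foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })) {
    $acl.RemoveAccessRuleAll($ace)
}

# Step 3: explicit Deny of the standard Read permission for the test user.
# Deny ACEs are evaluated before Allow ACEs, so this wins over any Allow the
# user receives through group membership such as Users.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($user, 'Read', 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $file -AclObject $acl

Write-Host '--- ACL after breaking inheritance, removing Everyone, denying Read ---'
Show-Acl $file

# Step 4: the lab's "Reset permissions on all child objects" button. icacls
# /reset discards every explicit ACE on the object and re-enables
# inheritance, so each child goes back to exactly the folder's permissions.
Get-ChildItem -Path $folder -Recurse | ForEach-Object { icacls $_.FullName /reset | Out-Null }

Write-Host '--- ACL after resetting from the parent folder ---'
Show-Acl $file
```

The middle listing is the one to study: the Deny entry for testuser appears beside the inherited-turned-explicit Allow entries, and because Deny is checked first the Allow entries never get a chance to grant access. The last listing shows the same file with IsInherited set to True on every row again, which is what the grayed check boxes in the dialog box represent.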
Managing File Compression
• In those situations in which disk space is becoming
a problem, NTFS allows you to compress files and
folders so that they occupy less disk space.
Windows 2000 will dynamically decompress the file
when it is accessed and compress it when it is saved
on disk, if modified. The fact that a file is
compressed has no bearing on the user’s ability to
access it, assuming the user has appropriate
permissions, but there will be a small CPU overhead
in order to perform the compression and
decompression.
Attributes
Each file and folder on every file system contains
attributes. These are properties associated with
the file that are used by the operating system
and application to determine the state of the
file. Extended Attributes include compression
and encryption.
Compressing Files and Folders on
NTFS Partitions
• Log onto your Windows 2000 server computer as
Administrator with the appropriate password.
• Right-click on My Computer and then select
Explore to invoke Windows Explorer. You can also
access Windows Explorer by selecting Start, then
Programs, then Accessories, then Windows
Explorer.
• Click on NTFSTestFolder folder in the navigation
pane and then right-click on the same folder
(NTFSTestFolder) and select Properties.
• Click on the Advanced Button to display the
Advanced Attributes dialog box.
• Select the Compress Contents to Save Disk Space
check box and then click OK to save your changes.
Cont.
• Click Apply to save your changes to the folder. When the
Confirm Attribute Change dialog box is presented, select the
default of Apply Changes to this Folder Only and click OK.
• Click OK to exit the NTFSTestFolder Properties dialog box.
• Right-click in the details pane of NTFSTestFolder and select
New Text Document. Change the name of the file to
CompressionTest.
• Double-click on the file to invoke Notepad and enter any text
you wish in the file. It should be at least 5 or 6 lines long with
at least 40 to 60 characters per line. Save your changes and
exit Notepad.
• Right-click on the file (CompressionTest) and select
Properties. Note that the display indicates the size of the file
and disk space occupied. Disk space may be larger than the
file size because of hard disk minimum cluster size.
• Exit Windows Explorer.
Modifying Display of Compressed Files
and Folders in Windows Explorer
• If you are not currently logged on, log onto your
Windows 2000 server computer as Administrator
with the appropriate password.
• Right-click My Computer and then select Explore to
invoke Windows Explorer. You can also access
Windows Explorer by selecting Start, then
Programs, then Accessories, then Windows
Explorer.
• Click on NTFSTestFolder folder in the navigation
pane and then, from the Windows Explorer menu
bar, select the Tools menu and the Folder Options.
• In the Folder Options dialog box, click on the View
tab.
Cont.
• Select Display Compressed Files and Folders with
Alternate Color and then click Apply
• Click OK to save your changes. Note the way that
CompressionTest and NTFSTestFile are displayed—
CompressionTest in blue, indicating that it is
compressed, and NTFSTestFile, because it was
created before you enabled compression on the
folder, still in black indicating it is not compressed.
Also note that NTFSTestFolder is now displayed in
blue indicating any files and folders created in
NTFSTestFolder will now inherit the compressed
attribute.
• Exit Windows Explorer.
Guidelines for Compressing Files and Folders
• Do not compress already compressed files. ZIP, JPG, RAR and
many other file formats are already compressed and will
cause CPU overhead on the computer without really
accomplishing much compression—in other words waste a
lot of resources.
• Do not compress files that are frequently accessed. If a file is
frequently read and/or written to, it should not be
compressed because it will cause more work for Windows
2000 to maintain it than if it were not compressed. Files that
should not be compressed include database files, frequently
accessed spreadsheets, and popular web pages.
• Remember that files are uncompressed as needed, including
for backups. When compressed files are backed up, they will
require as much space during the backup as if they were not
compressed—plan your backup strategy accordingly.
• Configure Windows Explorer to display compressed files and
folders in blue, as shown earlier.
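The guidelines above applied in a script: an added example, not code from the course slides. It compresses the files under a folder with compact.exe, skips formats that are already compressed (the first guideline), and reports each file's logical size next to the space it really occupies on disk, using the Win32 GetCompressedFileSize API, which is the value the Properties dialog box shows as "Size on disk". The folder path and the list of already-compressed extensions are assumptions for the demonstration.

```powershell
# Added example (not from the course slides): selective NTFS compression with
# a size-on-disk report. Folder and extension list are assumed demo values.
$folder            = 'C:\NTFSTestFolder'
$alreadyCompressed = '.zip', '.jpg', '.jpeg', '.rar', '.7z', '.gz', '.png', '.mp3'

# P/Invoke for GetCompressedFileSizeW: the space the file occupies on disk
# after compression, as opposed to its logical length.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint GetCompressedFileSizeW(string lpFileName, out uint lpFileSizeHigh);
'@

function Get-SizeOnDisk([string]$Path) {
    $high = [uint32]0
    $low  = [Win32.Native]::GetCompressedFileSizeW($Path, [ref]$high)
    return ([uint64]$high -shl 32) -bor [uint64]$low
}

function Compress-FolderSelectively([string]$Root, [string[]]$SkipExtensions) {
    # Mark the folder so that files created in it later inherit the
    # compressed attribute (the blue folder in the Explorer lab).
    compact /c "$Root" | Out-Null

    foreach ($f in Get-ChildItem -Path $Root -File -Recurse) {
        if ($SkipExtensions -contains $f.Extension.ToLower()) {
            # Already-compressed formats only cost CPU: make sure they stay uncompressed
            compact /u "$($f.FullName)" | Out-Null
            $state = 'skipped (already a compressed format)'
        } else {
            compact /c "$($f.FullName)" | Out-Null
            $state = 'compressed'
        }
        $f.Refresh()   # re-read the attributes after compact changed them
        $flag = [bool]($f.Attributes -band [IO.FileAttributes]::Compressed)
        '{0,-28} {1,-38} length {2,8} B  on disk {3,8} B  attr={4}' -f `
            $f.Name, $state, $f.Length, (Get-SizeOnDisk $f.FullName), $flag
    }
}

Compress-FolderSelectively -Root $folder -SkipExtensions $alreadyCompressed
```

For a plain-text file of a few hundred bytes the "on disk" value can still be a full cluster, which is the minimum-cluster-size effect the lab points out; the saving from compression only becomes visible on files spanning many clusters.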
Managing Shared Access to Folders and
Printers
• Right-click on My Computer and then select Explore to invoke
Windows Explorer. You can also access Windows Explorer by
selecting Start, then Programs, then Accessories, then Windows
Explorer.
• Expand your NTFS partition and then right-click on NTFSTestFolder
and choose either Sharing or Properties. If you select Sharing, you
will be taken to the Sharing tab of the folder’s properties dialog box;
if you select Properties, click on the Sharing tab once the Properties
dialog box is displayed.
• By default, folders are not shared. To share the folder, click on Share
this Folder.
• In the Share name box, enter a name for the shared folder, which
must be unique for the computer on which the share is located
Cont.
• You may also enter a description for the shared folder in the
Comment box. The description is visible to users accessing
the shared folder across the network and can provide
additional information on the folder’s contents. Enter
Shared folder on NTFS partition in the Comment box.
• You can also limit the number of users who can access the
shared folder at the same time. The default is preset to
Maximum Allowed, which means the number of legal
connections is determined by the Client Access Licenses
(CALs) purchased or the Windows 2000 Professional hard-
coded limit of 10. If you want to limit the number of users to
10, click on Allow and then enter 10 in the scroll box. Leave
the default of Maximum Allowed.
• Click on the Permissions button to display the default share
permissions of Everyone—Full Control. You can also set
shared folder permissions here.
Cont.
• Grant the Everyone group only Read permissions to the
shared folder and add the Administrators group with Full
Control permissions to the list of assigned permissions.
Click on Apply and then OK when done.
• The Caching button is used to configure settings for
offline access of the shared folder contents. Click Apply
and then OK to save your changes. Note that the display
of the folder changes to indicate that it is shared by
placing a hand under the folder icon.
• Close Windows Explorer.
Using the Run Command to Connect to a Shared
Folder
• Log onto your Windows 2000 server computer as
Administrator with the appropriate password.
• From the Start Menu select Run.
• In the Run dialog box, enter your computer name using the
UNC format of \\computer and then click OK.
• On the Explorer Window that comes up, you are presented
with all of the shares defined on your computer. These may
include the SYSVOL share, if your computer is a domain
controller, Printers, and Scheduled Tasks, as well as any
other shares that you have created. Verify that NTFSShare is
displayed and note that no administrative shares are listed.
• Double-click on NTFSShare to view its contents.
• Close NTFSShare.
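The share from the two sections above created with the SmbShare cmdlets, an added example that is not code from the course slides. It uses the permissions the slides set (Everyone read, Administrators full control) and the comment text they give, then lists the share-level ACL beside the NTFS ACL on the folder, since a user's effective access is the more restrictive of the two. The cmdlets need Windows 8 / Server 2012 or later (on Windows 2000 the same work is done with net share); the folder path and share name NTFSShare are taken from the lab.

```powershell
# Added example (not from the course slides): create and inspect NTFSShare.
$folder = 'C:\NTFSTestFolder'
$share  = 'NTFSShare'

New-SmbShare -Name $share -Path $folder `
    -Description 'Shared folder on NTFS partition' `
    -ReadAccess 'Everyone' `
    -FullAccess 'BUILTIN\Administrators' | Out-Null
# To cap concurrent users at 10 as the slides describe, add: -ConcurrentUserLimit 10

# Share permissions are only the first gate: NTFS permissions on the folder
# are evaluated as well, and the most restrictive result wins.
Write-Host '--- Share-level ACL ---'
Get-SmbShareAccess -Name $share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host

Write-Host '--- NTFS ACL on the folder ---'
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize | Out-Host

# What a client sees when browsing \\computer as in the Run dialog lab:
# administrative shares (names ending in $) are hidden from the listing.
Write-Host "--- Shares visible when browsing \\$env:COMPUTERNAME ---"
Get-SmbShare | Where-Object { -not $_.Name.EndsWith('$') } |
    Format-Table Name, Path, Description -AutoSize | Out-Host
```

A member of Everyone who has Full Control in the NTFS ACL still gets only Read through the share, and a user denied Read by NTFS gets nothing even though the share grants Read; checking both listings side by side is the quickest way to explain an unexpected "access denied" over the network.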
Publishing a Shared Folder in Active
Directory
• Log onto your Windows 2000 server computer as
Administrator with the appropriate password.
• From the Start Menu select Programs, then
Administrative Tools, then Active Directory Users and
Computers.
• In Active Directory Users and Computers, right-click your
domain and then select New and then Shared Folder.
• In the New Object - Shared Folder dialog box enter
NTFSShare Published in the Name box and the UNC path
to the shared folder in the Network path box and then
click OK. Note that the shared folder is listed in the
objects displayed at the domain.
• Close Active Directory Users and Computers.
Using Group Policy for Management
Introduction
• One of the most powerful features of Windows
2000 Active Directory is the ability to configure
many settings for a computer or user through the
application of centralized policies. The main
component of this feature is Group Policy.
• Topics covered here will include the components
that make up Group Policy, the scope of Group
Policy including the concepts of inheritance and
filtering, securing Group Policy, and overriding
and blocking Group Policy settings.
Group Policy Basics
With Group Policy an administrator can do the
following:
•Configure policies to enforce user and computer
settings at the site, domain, or OU level.
•Delegate the creation and enforcement of
computer and user settings to local administrators,
or override local settings when corporate
requirements dictate.
•Configure a standard desktop for the site, domain,
or OU.
•Deploy software to the computer or user, either as
a required installation or an optional choice the user
can make.
Cont.
• Remove deployed software from computers,
either as a mandatory requirement or optional
uninstall.
• Configure and enforce domain-level security and
audit settings.
• While all of this sounds wonderful, it is important
to note that Group Policy can only be enforced
on Windows 2000-based computers and
Windows XP Professional. Windows XP Home
Edition, Windows NT, and all Windows 9x
variants as well as other operating systems
cannot benefit from the configuration
capabilities provided by Group Policy.
Group Policy Components
• Group Policy is an object in Active Directory and is often
referred to as the GPO, which stands for Group Policy Object.
• The GPO itself is composed of two elements: the Group Policy
Container (GPC) and the Group Policy Template (GPT).
• The Group Policy Container is an Active Directory object that
consists of GPO attributes and version information. Each GPO
is represented by a Globally Unique Identifier (GUID).
• The GUID is a 128-bit number that uniquely identifies the GPO
within the forest, domain tree, and domain. The GPO also
keeps track of version information, which is attached to the
GPC and is replicated to domain controllers. Each domain
controller uses this information to make sure it is running the
most recent version of a GPO, and, if not, to ensure the most
recent version of any GPO is replicated to it.
• You can view the GPC and the GUID for any GPO by turning on
Advanced Features in Active Directory Users and Computers.
Cont.
• The second part of the GPO is the Group Policy Template (GPT).
• The GPT is a set of folders on each Domain Controller in the domain or
site where the GPO was created.
• This is the part that gets downloaded to every computer on which it
needs to be applied. It is replicated to all Domain Controllers within the
scope of the GPO through the File Replication process of Active
Directory.
• Each GPT is created with the same name as the GUID of the GPO. This
ensures that there is never a naming conflict, even if different GPOs at
different parts of Active Directory have the same name (which is
possible). The sub-folders within the top-level GPT folder include all of
the elements required to ensure that specified policies are enforced,
including administrative templates, security settings, scripts (logon,
logoff, startup and shutdown), software installation information, and
folder redirection settings.
• In essence, the GPC determines which user or computer gets a policy
applied, and the GPT is used to send across the policy settings to be
applied.
Displaying Group Policy Container
and GUID
• From the Administrative Tools program group,
invoke Active Directory Users and Computers for
your domain.
• In Active Directory Users and Computers, select
the View menu and then Advanced Features.
• Expand the System folder that now appears and
then click on the Policies folder.
• The detail pane will display at least two objects of
type “groupPolicyContainer” and the GUID for
each.
• Close Active Directory Users and Computers.
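The same GPC and GUID information retrieved with the ActiveDirectory module instead of Advanced Features, and matched against the GPT in SYSVOL: an added example, not code from the course slides. It reads the groupPolicyContainer objects under CN=Policies,CN=System, shows that each one's name is the GUID that also names the GPT folder, and decodes the version counter that domain controllers and clients compare to decide whether a GPO must be re-replicated or re-applied. It assumes a domain-joined machine with RSAT installed; the attribute names (displayName, gPCFileSysPath, versionNumber) are the real schema names.

```powershell
# Added example (not from the course slides): list GPC objects beside their
# GPT folders and decode versionNumber. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$policiesDN = "CN=Policies,CN=System,$domainDN"

Get-ADObject -SearchBase $policiesDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -Properties displayName, gPCFileSysPath, versionNumber |
ForEach-Object {
    # versionNumber packs two 16-bit counters: user settings in the high
    # word, computer settings in the low word. Each edit bumps the relevant
    # half; clients re-download the GPT when the number differs from the
    # version they last applied.
    $v = [uint32]$_.versionNumber
    [pscustomobject]@{
        DisplayName     = $_.displayName
        GUID            = $_.Name                # CN of the GPC, e.g. {GUID}
        GPT_Path        = $_.gPCFileSysPath      # \\domain\SYSVOL\domain\Policies\{GUID}
        GPT_Exists      = Test-Path -Path $_.gPCFileSysPath
        ComputerVersion = $v -band 0xFFFF
        UserVersion     = ($v -shr 16) -band 0xFFFF
    }
} | Format-Table -AutoSize
```

The GPT_Exists column is the practical check: a GPC whose gPCFileSysPath does not resolve on the domain controller you are querying means SYSVOL replication has not delivered the template yet, so the policy cannot be applied from that DC however correct the GPC looks.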
How Group Policies work
• The Local Computer Policy sets the basic
configuration of the computer as well as
default desktop and other user settings, but is
the least important when the Windows 2000
computer is part of an Active Directory
domain.
• However GPOs configured at the site, domain,
or OU level can overwrite any setting in the
Local Computer Policy.
Group Policy Inheritance
You can create a GPO at the site, domain, or OU
level. When GPOs are applied, they are applied in
that order: first GPOs at the site are applied, then
those at the domain level, and, finally, any GPOs
at the OU level. It is important to also remember
that many GPOs can be applied to the same user or
computer.
Group Policy Processing Details
• Policy inheritance follows the path of site, then
domain, and finally organizational unit (OU).
• If more than one GPO is linked to the same Active
Directory container, GPOs are processed from the
bottom to the top as they are listed in the Group
Policy tab for the container.
• All Group Policy settings apply unless a conflict is
encountered. This means the effective policy
settings applied to a user or computer are the sum
of all site, domain, and OU GPOs that have been
specified for both the user and computer.
• A conflict may occur and is defined as the same
setting being defined at more than one level or in
more than one GPO at the same level.
Cont.
• The last setting processed always applies. This
means that, when settings from different GPOs
in the inheritance hierarchy conflict, the one
that applies is the setting specified in the last
container.
• If a setting is specified for a user as well as a
computer at the same GPO level, the computer
setting always applies when it conflicts with a
user setting.
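The processing order described above, made visible for one container with the GroupPolicy module: an added example, not code from the course slides. Get-GPInheritance returns every link that reaches the container (site, domain and OU levels), and its InheritedGpoLinks collection is, as I read the cmdlet's output, ordered by precedence, so the first entry is the one whose settings win a conflict. The OU distinguished name is an assumption to replace with your own; RSAT must be installed.

```powershell
# Added example (not from the course slides): show which GPOs reach an OU
# and in what order they win conflicts. Requires the GroupPolicy module.
Import-Module GroupPolicy
$target = 'OU=Sales,DC=example,DC=com'   # hypothetical OU; replace with a real one

$inh = Get-GPInheritance -Target $target
'Container {0}: inheritance blocked = {1}' -f $inh.Name, $inh.GpoInheritanceBlocked

# InheritedGpoLinks is the effective list in precedence order (entry 1 wins);
# GpoLinks would show only the GPOs linked directly to this container.
$i = 0
$inh.InheritedGpoLinks | ForEach-Object {
    $i++
    [pscustomobject]@{
        Precedence = $i
        GPO        = $_.DisplayName
        LinkedAt   = $_.Target          # site, domain or OU the link lives on
        Enforced   = $_.Enforced        # "No Override" in Windows 2000 terms
        Enabled    = $_.Enabled
    }
} | Format-Table -AutoSize

# The Resultant Set of Policy actually applied on this machine, for comparison
gpresult /r
```

Reading the table against the rule on the slide: the OU-linked GPOs come first because they are processed last, then the domain's, then the site's. An Enforced link is the exception, since it is moved ahead of everything below it and cannot be overridden by a child container.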
Available Administrative Template
Settings
• Administrative Templates in Windows 2000
Group Policy can be applied to the user or
computer, since a GPO can apply to either.
When editing a GPO, you have the option to
configure any of the available settings,
Managing Users, Groups, and Computers
Objectives
• Creating a user account for both local and domain
authentication
• Best practices for user names and passwords
• Discovering the difference between local and
domain authentication
• Configuring and troubleshooting Domain User and
Group accounts
• Implementing and configuring account settings
• Implementing and configuring user rights with
Built-in groups
General Guidelines for Creating User
Accounts
• The process of validating a user is known as
Authentication or simply logging in. To authenticate,
the user must have a user account and password
stored in an account database, which can be used to
validate the user when they attempt to log in.
• Several rules apply to all user account names.
1. The user name must be unique.
2. User names can be up to 20 characters long.
3. User names can contain mixed-case, alphanumeric
characters and some special characters.
Cont.
• User names can also include numbers and any
special character, except for the following
characters: < > * ? + , = | [ ] \ / : ;. These special
characters aren’t allowed because they already
have a special meaning in Windows so, to prevent
conflict, their use isn’t allowed.
General Guidelines for Passwords
1. Always set an appropriate length for a password.
2. Use a mixture of letters, numbers, special
characters, and mixed cases.
3. Educate your users. Users should avoid using
obvious or easy-to-guess passwords
Differentiating Between Local and
Domain Security
• Any security object (that is, user or group
account) created locally on one computer
cannot be used to give access to another
computer. Domain Security applies on all
computers on the network
• Read about Kerberos in conjunction with security and
domain security, and how it works.
Creating and Managing Local User
Accounts
• Click Start | Programs | Administrative Tools | Computer
Management. This will open the Computer Management
console.
• In the navigation panel of Computer Management console,
click System Tools |Local Users and Groups
• Right-click the Users folder and select New User. This opens
the New User form.
• In the New User form, you are asked for a user name, a full
name, and a password.
• Retype the password in the confirm password textbox and
click Create.
• Click Close to close the New User dialog box and close the
Computer Management console.
• Once the user account is created, it will be visible inside the
Users folder.
Managing Local User Accounts
• Once you create a local user account, properties for
the user account can be set. If you take any user
account, right-click it, and then choose the
Properties option, you’ll open the user’s Properties
sheet. This sheet has four tabs.
• These options can’t be set when you create the
account. You must go into the Users folder after the
account has been created to set any of the options
in the Properties sheet.
• The account Properties sheet doesn’t allow you to
rename the account or to reset the password.
• To change the user name of a local user account, right-click
the user in the Users folder in Computer Management and
select Rename.
Creating and Managing Local
Groups
• A group is simply an object that enables you to join
several user accounts together and treat them as if
they were one object.
• All members of a group inherit whatever
permissions you assign to a resource for that group.
Creating a Local Group
• Click Start | Programs | Administrative Tools |
Computer Management. This opens the Computer
Management console.
• In the Navigation panel of Computer Management
console, click System Tools | Local Users and
Groups.
Cont.
• Expand the Local Users and Groups folder, and then
right-click the Groups folder and select New Group.
• In the Group Name box, type Test Group. In the
Description box, type a description for the group. When
you finish, the group should look something
• Click Create, and then click Close to close the New
Group dialog box.
• After you add the group, you can now add users to it.
Adding Users to a Local Group
• Open the Group folder in Computer Management.
• Right-click Test Group and select Add to Group. (Note:
clicking Properties or double-clicking the Test Group
itself will open the same dialog box).
Cont…
• In the Test Group Properties form, click Add. This opens the
Select Users or Groups form. Make sure the Look in: box is
showing the name of your local computer. (Note, if your
computer is part of a domain, the domain name will also
appear in this list box. By selecting the domain name, you
can add domain users and groups to this local group.)
• In the Name list, locate the testuser account you created in
• Select the account, and then click Add.
• The account should appear in the lower box (see
illustration). Notice this is listed as Computername\testuser.
If you added a domain account, it would appear as
domainname\username. This enables you to tell where a
user account comes from.
• Repeat Steps 4 to 6 to add other user accounts to the
group.
• Attempt to add the Administrators group to the
Test Group. Notice this group doesn’t appear in
the list of users to add. This is because you can’t
add Local groups to other Local groups. You can,
however, add certain Built-in system groups, such as
Everyone or Creator Owner, to a Local group; see
“Built-in User and Group Accounts” later in these notes.
• Click OK to close the Select Users or Groups form.
• Click OK to close the Test Group Properties sheet.
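The same local group exercise, scripted. This is an added example, not part of the original notes: it uses the Microsoft.PowerShell.LocalAccounts cmdlets, which exist on Windows 10 and Windows Server 2016 or later (not on Windows 2000), assumes the local user testuser from the earlier exercise exists, and uses CONTOSO\jdoe as a placeholder for a domain account.

```powershell
#Requires -RunAsAdministrator
# Added example: create the Test Group local group, add members, and show where each comes from.
# Assumes a local user "testuser" exists; CONTOSO\jdoe is a placeholder domain account.

function New-TestLocalGroup {
    param(
        [string]$GroupName   = 'Test Group',
        [string]$Description = 'Group used in the local groups exercise'
    )
    # Idempotent: re-running the script does not fail if the group is already there
    $group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-LocalGroup -Name $GroupName -Description $Description
    }
    return $group
}

function Add-TestGroupMembers {
    param(
        [string]$GroupName = 'Test Group',
        [string[]]$Members
    )
    foreach ($member in $Members) {
        try {
            Add-LocalGroupMember -Group $GroupName -Member $member -ErrorAction Stop
            "added   $member"
        } catch {
            # A local group such as Administrators is rejected here: local groups
            # cannot be nested inside other local groups.
            "skipped $member : $($_.Exception.Message)"
        }
    }
}

New-TestLocalGroup | Out-Null
Add-TestGroupMembers -Members 'testuser', 'CONTOSO\jdoe', 'Administrators'

# PrincipalSource reports Local or ActiveDirectory for each member, the same
# distinction the GUI makes between Computername\testuser and domainname\username.
Get-LocalGroupMember -Group 'Test Group' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Run it in an elevated PowerShell session; the third member is deliberately a local group so that the error text shown by the catch block documents the nesting rule from the slide.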
Creating and Managing Domain User
Accounts
• To create a domain user account, you must be
able to connect to an Active Directory Domain
Controller.
Adding a Domain User Account
• Click Start | Programs | Administrative Tools |
Active Directory Users and Computers.
• Right-click the Users folder in the folder tree
and select New | User. This opens the New
Object User dialog box.
• Enter the required information:
• Click Next.
• In the password box, type password. Type password
again in the Confirm Password box, and then click Next.
• Click Finish to create the account.
• Repeat Steps 2 through 6. This time, use the same first
name and last name, but use bsmith as the user logon name.
Notice Windows won’t let you create the account, because an
object named Robert Smith already exists in the Users container.
• Click the Back button until you reach the first screen.
Change the first name from “Robert” to “Bob” and
repeat Steps 4 to 6. Notice this time you create the user
account successfully.
Managing User Accounts
• As with local user accounts, you can configure
properties for your domain user accounts after
they’ve been created. Many more options are
available for users in Active Directory, however:
the User Property sheet has 11 tabs, which are
listed in the table on the next slide.
The Account Tab
• Of all the Property tabs, the Account tab is the
most important for user configuration.
• On this tab, you can:
• Disable the account and change the password
options.
• Control which hours the user is able to log on.
• Control which computers the user is allowed to
log on to.
• Set an expiration date for the account.
Setting the Account Properties of a
Domain User Account
• Open the Users container in Active Directory Users and
Computers.
• Right-click the rsmith account you created in the last exercise
and click Properties. In the Property sheet, click the Account
tab.
• To set logon hours for this user, click the Logon Hours
button.
• In the Logon Hours form, highlight all the squares from 12
A.M. to 8 A.M., and then click the Logon Denied button. Do
the same for all squares from 6 P.M. to 12 A.M. (midnight). This
will only enable the user to log on between 8 A.M. and 6 P.M.
• When you finish, the form should look like the illustration
shown next. Click OK to close the Window.
• To change which computer the user can log on
from, click the Log On To button.
• In the Logon Workstation sheet, under This
user can log on to: click The following
computers button.
• In the Computer Name text box, type
Workstation1 and click Add.
• Repeat Step 8 and enter Workstation2,
Workstation3, and Workstation4. When you
finish, click OK to close the form.
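The two domain-user exercises above (creating rsmith, seeing the duplicate name rejected, then setting logon hours, permitted workstations and an expiry date on the Account tab), written as a script. This is an added example, not the notes’ own procedure: it uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later) and must be run on a member of the domain; the 90-day expiry is an arbitrary value chosen for the example. The logonHours attribute that the Logon Hours grid edits is stored as 21 bytes, one bit per hour of the week in UTC, so the helper takes the domain controller’s UTC offset as an explicit parameter (assumed to be 0 here).

```powershell
Import-Module ActiveDirectory
$domain  = Get-ADDomain                 # run on a member of the domain, e.g. haunting.com
$usersDn = $domain.UsersContainer       # e.g. CN=Users,DC=haunting,DC=com

function New-ExerciseUser {
    param(
        [string]$GivenName, [string]$Surname, [string]$SamAccountName,
        [securestring]$Password, [string]$Path = $usersDn
    )
    $fullName = "$GivenName $Surname"    # becomes the object's CN inside the container
    try {
        New-ADUser -Name $fullName -GivenName $GivenName -Surname $Surname `
            -SamAccountName $SamAccountName `
            -UserPrincipalName "$SamAccountName@$($domain.DNSRoot)" `
            -Path $Path -AccountPassword $Password -Enabled $true -ErrorAction Stop
        return "created  $fullName ($SamAccountName)"
    } catch {
        # Rejected when the CN already exists in the container or the logon name is in use
        return "rejected $fullName ($SamAccountName): $($_.Exception.Message)"
    }
}

function New-LogonHours {
    # Build the 21-byte logonHours value: one bit per hour of the week, Sunday 00:00 UTC first,
    # least-significant bit first within each byte. Hours are given in local time and shifted to UTC.
    param([int]$StartHour = 8, [int]$EndHour = 18, [int]$UtcOffsetHours = 0)
    $bytes = New-Object byte[] 21
    foreach ($day in 0..6) {
        foreach ($hour in $StartHour..($EndHour - 1)) {
            $slot  = (($day * 24 + $hour - $UtcOffsetHours) % 168 + 168) % 168
            $index = [int][math]::Floor($slot / 8)
            $bytes[$index] = [byte]($bytes[$index] -bor (1 -shl ($slot % 8)))
        }
    }
    return ,$bytes
}

function Get-AllowedHourCount {
    # Count the set bits, i.e. the hours per week the user may log on
    param([byte[]]$LogonHours)
    $count = 0
    foreach ($b in $LogonHours) { $count += ([convert]::ToString($b, 2) -replace '0', '').Length }
    return $count
}

$pw = Read-Host -AsSecureString -Prompt 'Initial password for the new accounts'
New-ExerciseUser -GivenName Robert -Surname Smith -SamAccountName rsmith -Password $pw
New-ExerciseUser -GivenName Robert -Surname Smith -SamAccountName bsmith -Password $pw   # rejected: CN exists
New-ExerciseUser -GivenName Bob    -Surname Smith -SamAccountName bsmith -Password $pw   # created

# Account tab: 8 A.M. to 6 P.M. logon window, four permitted workstations, expiry in 90 days
# (90 days is an arbitrary choice for the example; set -UtcOffsetHours if the DC is not on UTC)
$hours = New-LogonHours -StartHour 8 -EndHour 18 -UtcOffsetHours 0
Set-ADUser -Identity rsmith -Replace @{ logonHours = $hours } `
    -LogonWorkstations 'Workstation1,Workstation2,Workstation3,Workstation4'
Set-ADAccountExpiration -Identity rsmith -DateTime (Get-Date).AddDays(90)

$u = Get-ADUser -Identity rsmith -Properties logonHours, LogonWorkstations, AccountExpirationDate
[pscustomobject]@{
    User                = $u.SamAccountName
    AllowedHoursPerWeek = Get-AllowedHourCount -LogonHours $u.logonHours   # 70 for 10 hours x 7 days
    Workstations        = $u.LogonWorkstations
    Expires             = $u.AccountExpirationDate
}
```

Reading the attributes back at the end is the scripted equivalent of re-opening the Property sheet: it confirms the bitmask, the workstation list and the expiry actually landed on the object rather than trusting that the Set-ADUser call succeeded.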
Creating and Managing Domain
Groups
• Domain groups have two types: Security groups, which are
used to assign permissions to sets of user accounts, and
Distribution groups, which are used for e-mail only. Each
group also has a scope, with the following membership
restrictions:
• Universal Groups—Can contain any user account or
group from any trusted domain in the Active Directory
forest.
• Global Groups—Can contain user accounts and other
Global groups from the domain where the Global group
resides. Global groups can’t contain Universal groups or
Domain Local groups.
• Domain Local Groups—Can contain user accounts,
Global groups, and Universal groups, as well as other
Domain Local groups from the same domain.
Creating and Managing Global
Groups
• Open Active Directory Users and Computers.
• Right-click the Users container and select New | Group.
• In the Group Name text box, type Sales Managers.
• On the Group Scope section, click Global.
• On the Group type section, click Security.
• Click OK
• Repeat Steps 2–6. This time, call the group Sales.
• In the list of users and groups, locate the Sales Managers
Global group.
• Right-click the Sales Managers group and select
Properties. Click the Member Of Tab.
• Click Add and locate the Sales group from the list. Click
Add again to add the group to the lower window. This
adds the Sales Managers group to the Sales group.
• Click OK.
• Right-click the Sales group and select Properties.
• Click the Members tab. Notice the Sales Managers group
appears on the tab.
• Click Add.
• In the list, locate the TestUser account and click Add to
add the user to the group. Then click OK to complete the
action. You should see both the TestUser account and
the Sales Managers group in the Members tab.
• Click OK to close the Property sheet for the Sales group.
Creating and Managing Domain Local
Groups
• Open Active Directory Users and Computers.
• Right-click the Users container and select New |
Group.
• In the Group Name text box, type File Resources.
• On the Group Scope section, click Domain local.
• On the Group Type section, click Security.
• Click OK.
• Repeat Steps 2–6 and create a group called
Addtest.
• Locate the File Resources group in the list of users
and groups.
• Right-click the group and select Properties.
• Open the Members tab and click Add. Locate the
Sales group and click Add again.
• Try to add the Addtest Domain Local group. Notice
you can also nest Domain Local groups in other
Domain Local groups.
• Click OK to close the Property sheet.
• Close Active Directory Users and Computers.
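The Global and Domain Local group exercises above, scripted so that the scope rules from the previous slide can be checked rather than read. This is an added example, not the notes’ own procedure; it uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later), creates the four groups in the Users container, and assumes the testuser account from the earlier exercises exists.

```powershell
Import-Module ActiveDirectory
$usersDn = (Get-ADDomain).UsersContainer

# The four Security groups from the exercises, two of each scope
$groups = @(
    @{ Name = 'Sales Managers'; Scope = 'Global' },
    @{ Name = 'Sales';          Scope = 'Global' },
    @{ Name = 'File Resources'; Scope = 'DomainLocal' },
    @{ Name = 'Addtest';        Scope = 'DomainLocal' }
)
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $usersDn
    }
}

function Add-MemberChecked {
    # Attempt a membership change and report whether the scope rules accepted it
    param([string]$Group, [string]$Member)
    try {
        Add-ADGroupMember -Identity $Group -Members $Member -ErrorAction Stop
        "ok      $Member -> $Group"
    } catch {
        "refused $Member -> $Group : $($_.Exception.Message)"
    }
}

Add-MemberChecked -Group 'Sales'          -Member 'Sales Managers'   # Global in Global: allowed
Add-MemberChecked -Group 'Sales'          -Member 'testuser'         # user in Global: allowed
Add-MemberChecked -Group 'File Resources' -Member 'Sales'            # Global in Domain Local: allowed
Add-MemberChecked -Group 'File Resources' -Member 'Addtest'          # Domain Local in Domain Local: allowed
Add-MemberChecked -Group 'Sales Managers' -Member 'File Resources'   # Domain Local in Global: refused

# Direct members (what the Members tab shows) versus the flattened membership that
# permissions granted to File Resources actually apply to: -Recursive expands nested
# groups and returns the users and computers at the bottom of the chain.
Get-ADGroupMember -Identity 'File Resources' | Select-Object Name, objectClass
Get-ADGroupMember -Identity 'File Resources' -Recursive | Select-Object Name, objectClass
```

The last call is the one worth keeping for reviews: when a resource is permissioned to a Domain Local group, the recursive listing is the real set of principals that inherit those permissions.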
Built-In User and Group Accounts
• When you install Windows 2000, it preloads
some special Built-in groups. These groups
appear in all installations of Windows 2000 and
are used to assign specific user rights. These
user rights enable users to perform
administrative tasks. User rights are special
Windows-specific privileges
Introduction to Active
Directory
Kampala University
By Definition
• Active Directory allows for a uniform
management model that can centralize
some administrative functions, while
allowing other elements of the
administrative workload to be delegated to
administrators closer to the daily operations
of a specific part of the network.
Directory Service Basics
• A directory service is a database of all the objects in
the directory.
• Many directory services exist in the computer
world with Active Directory being the latest
incarnation.
• Some others include NetWare Directory
Services (NDS), introduced with Novell
NetWare 4.0; Banyan VINES and its StreetTalk
directory structure; NIS+ in the Unix world;
and others.
Active Directory Services
• A directory service is organized in a hierarchical
fashion.
• A directory service provides a list of all objects
available within a logical structure.
• Each object within the directory can be uniquely
identified using a specific naming structure.
• Windows Active Directory uses the X.500
specification to organize objects in a hierarchical
fashion.
• LDAP can be used to query Active Directory.
Active Directory and Domains
• A domain is a list of all users, groups, computers, and other
objects within a defined NetBIOS namespace.
Active Directory Structure
• The structure is both logical (the way objects are organized
in the directory for them to be found) and physical (the
placement of computers and other physical elements within
the directory).
• Of the two characteristics, the logical structure is most
important because it changes far less frequently than the
physical one. For example, your company might move
offices or add locations several times, but it might not
change its name that frequently. Whatever name is chosen
will work, no matter where the company has offices and the
placement of offices rarely has an impact on the name of a
company.
DNS and Active Directory
• Active Directory relies on the Domain Name
System (DNS) to provide a hierarchical naming
context for all domains in Active Directory, and to
resolve queries for the computers that are Domain
Controllers or that hold other special roles in
Active Directory.
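The DNS dependency described above can be checked directly: Domain Controllers register SRV records under the domain’s DNS zone, and clients locate a DC, the PDC emulator, a Global Catalog or a Kerberos KDC by querying those records. This added example (not from the original notes) resolves the locator records and compares them with the list of Domain Controllers Active Directory itself knows about; it assumes the DnsClient and ActiveDirectory PowerShell modules (Windows Server 2012 and later) and is run from a domain member.

```powershell
Import-Module ActiveDirectory

function Get-DcLocatorRecords {
    # SRV records clients use to find DCs, the PDC emulator, Global Catalogs and KDCs.
    # If these are missing from DNS, domain logon and Group Policy processing fail even
    # though the Domain Controller itself is running.
    param([string]$DomainName = (Get-ADDomain).DNSRoot)
    $records = @(
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_ldap._tcp.pdc._msdcs.$DomainName",
        "_gc._tcp.$DomainName",
        "_kerberos._tcp.$DomainName"
    )
    foreach ($name in $records) {
        try {
            Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Record = $name; Target = $_.NameTarget
                        Port = $_.Port; Priority = $_.Priority; Weight = $_.Weight
                    }
                }
        } catch {
            [pscustomobject]@{ Record = $name; Target = '<not found>'; Port = $null; Priority = $null; Weight = $null }
        }
    }
}

function Compare-DcRegistration {
    # Every DC known to Active Directory should be advertised in _ldap._tcp.dc._msdcs
    param([string]$DomainName = (Get-ADDomain).DNSRoot)
    $advertised = Get-DcLocatorRecords -DomainName $DomainName |
        Where-Object { $_.Record -like '_ldap._tcp.dc._msdcs.*' } |
        ForEach-Object { $_.Target.TrimEnd('.') }
    foreach ($dc in Get-ADDomainController -Filter *) {
        [pscustomobject]@{
            DomainController = $dc.HostName
            AdvertisedInDns  = [bool]($advertised -contains $dc.HostName.TrimEnd('.'))
        }
    }
}

Get-DcLocatorRecords | Format-Table -AutoSize
Compare-DcRegistration
```

A DC that is listed by Get-ADDomainController but not advertised in DNS is the usual cause of clients authenticating against a distant or decommissioned controller, so this comparison belongs in any post-promotion check.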
Installing the DNS Server Service
• Log on to your Windows 2000 server computer as
Administrator with the appropriate password.
• From the Start menu, choose Settings, and then select
Control Panel.
• In the Control Panel, double-click Add/Remove
Programs.
• In the Add/Remove Programs dialog box, click on
Add/Remove Windows Components.
• When the Windows Components Wizard is displayed
(this can also take some time, so don’t get anxious if it
does not immediately pop up), scroll down until you
see Networking Services. Click Networking Services and
then click Details.
• In the Networking Services dialog box, select the DNS
server service, and then click OK.
• Click Next to install the components you
selected. The Configuring Components dialog
box will indicate the progress of installation. If
prompted to insert the Windows 2000 CD so
additional files can be copied, do so.
• When the wizard has completed, click Finish.
• Click Close to close the Add/Remove Windows
Components dialog box.
DCPROMO
• DCPROMO is a utility added in Windows 2000 that allows a
Windows 2000 Server, Advanced Server, or Datacenter Server
computer to be promoted to become a Domain Controller or
demoted to become a member server in an Active Directory domain.
Running DCPromo to Install and Configure
Active Directory
• Log on to your Windows 2000 Server computer as
Administrator with the appropriate password.
• From the Start menu, choose Run.
• In the Run dialog box, type dcpromo, and then
click OK.
• The Active Directory Installation Wizard will start
and present an introductory dialog box. Click Next
to start the process of creating your first domain.
• On the Domain Controller Type dialog box, select
Domain Controller for a New Domain to create
the first Domain Controller in your domain.
• On the Create Tree or Child Domain dialog box,
select Create a New Domain Tree to create a
new top-level domain for a new set of domains
with the same DNS-style namespace. If you
were to create a subdomain (or child domain)
of an existing domain, you would choose
Create a New Child Domain in an Existing
Domain Tree. Because this is the first domain
being created, that option won’t work.
• On the New Domain Name dialog box, enter
the DNS-style name to be used for your
domain, and then click Next.
• The Active Directory Installation Wizard will attempt to
determine if the domain name already exists on the list
of DNS servers it knows about and, if not, it will present
you with a dialog box to enter the NetBIOS name for
the domain. Make any changes to the name presented,
and then click Next.
• In the Database and Log Locations screen, enter the
paths to store the Active Directory database and log
files, which will store the data about all the objects in
the domain. These must be on NTFS partitions, and the
database and log files should be separated on different
physical disks to minimize the impact of disk failure. For
now, leave the default choices presented and click
Next.
• Provide the path to store the Shared System
Volume (C:\WINNT\SYSVOL) for the Domain
Controller. This path must also be on an NTFS
partition of the computer and should be large
enough to hold any Group Policy templates and
script files you plan to create. This path is used by
computers and users during startup and logon to
download scripts and Group Policy. Although you
should place this path on a different physical drive
from where you installed Windows for this
exercise, leave the default selection intact and click
Next.
• If none of the DNS servers listed in your TCP/IP properties
hosts the haunting.com zone, you’ll be presented with a dialog
box indicating the DNS server for the zone can’t be contacted.
Click OK to continue.
• The Active Directory Installation Wizard asks you if you want
to install and configure DNS on the local computer. The
easiest way to configure DNS is to select Yes, and then click
OK.
• You now need to determine the default level of permissions
to be allowed for users to search Active Directory. If you have
only Windows 2000 computers, you can select Permissions
compatible only with Windows 2000 servers. Choose the
Default option and click Next.
• Enter the password used to log on to this computer in
Directory Services Restore Mode, in case you need to
restore and recover Active Directory. This is not the same
as the password for the user Administrator, and it can be
different for each Domain Controller, though this isn’t
recommended. Enter a password of password in both
the Password and Confirm Password fields, and then
click Next.
• The Summary screen provides details on the tasks to be
performed by DCPromo. Click Next to start the process
of installing and configuring Active Directory.
• The Configuring Active Directory dialog box will be
launched, enabling you to monitor the progress of the
installation of Active Directory. If you want to abort the
install, click Cancel, otherwise allow the configuration to
complete.
• After the process of installing Active Directory
is complete, a dialog box indicating all tasks
have completed will be presented. Click Finish
to end the wizard.
• When prompted to reboot, select Restart
Now.
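The DNS service installation and the DCPromo wizard above, as a single script. This is an added example, not the notes’ own procedure: DCPromo itself was removed in later Windows Server versions, so the script uses the ADDSDeployment cmdlets of Windows Server 2012 and later, with each wizard page mapped to a parameter. It assumes the haunting.com name from the exercise, that D: and E: are separate physical disks (the database, logs and SYSVOL placement the wizard recommends), and prompts for the Directory Services Restore Mode password instead of hard-coding one.

```powershell
#Requires -RunAsAdministrator
# Added example; assumes Windows Server 2012 or later with D: and E: on separate physical disks
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
Import-Module ADDSDeployment

# Directory Services Restore Mode password: separate from the Administrator password and
# needed only to boot the DC into restore mode for an Active Directory restore
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$forest = @{
    DomainName                    = 'haunting.com'      # DNS-style name from the exercise
    DomainNetbiosName             = 'HAUNTING'          # NetBIOS name the wizard proposes
    DatabasePath                  = 'D:\NTDS'           # Active Directory database (ntds.dit), NTFS
    LogPath                       = 'E:\NTDS\Logs'      # transaction logs, different physical disk
    SysvolPath                    = 'D:\SYSVOL'         # scripts and Group Policy templates, NTFS
    InstallDns                    = $true               # "install and configure DNS on this computer": Yes
    CreateDnsDelegation           = $false              # first domain: no parent zone to delegate from
    SafeModeAdministratorPassword = $dsrmPassword
    NoRebootOnCompletion          = $false              # reboot when finished, as the wizard does
    Force                         = $true               # suppress the confirmation prompts
}

# Run the wizard's prerequisite checks first; this call changes nothing
$check = Test-ADDSForestInstallation @forest
$check

if ($check.Status -eq 'Success') {
    Install-ADDSForest @forest
} else {
    Write-Warning 'Prerequisite check did not succeed; the forest was not created.'
}
```

Splitting the check from the install is the scripted form of reading the Summary screen: the prerequisite result lists the warnings (unreachable parent DNS zone, non-NTFS paths) that the wizard would otherwise only show mid-way through.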
Modifying Active Directory DNS
Configuration
• Once you configure a DNS zone to be used to host
service and other records for computers in your
Active Directory domain, you might want to secure
those zone files from tampering by users who
don’t have appropriate privileges. Furthermore, if
you have more than one Domain Controller in your
domain (highly recommended), you can have
transfers of zone updates take place using Active
Directory replication, instead of normal DNS-zone
transfers. Both these tasks can be accomplished by
modifying the properties of the zone for the Active
Directory domain.
Securing the Active Directory DNS Zone
• Log on to your Windows 2000 server computer as
Administrator with the appropriate password.
• From the Start menu, choose Programs, then
Administrative Tools, and then DNS to bring up the
DNS Microsoft Management Console (MMC).
• Expand your server name, then Forward Lookup
Zone, and then click your Active Directory domain
name (haunting.com, in this example) to get a list
of records in your DNS zone.
• Right-click your domain name (haunting.com) and select
Properties to bring up the Properties dialog box.
• On the General tab, ensure the zone type is
Active Directory-integrated. DCPromo preselects
this option if you specify you want it to install
and configure DNS on the computer. If you
created your DNS zone prior to running
DCPromo, you’ll need to switch the option: click
the Change button and make the selection now.
• After you make your changes, click Apply, and
then click OK to save your changes.
• Exit the DNS MMC Console.
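The zone change above, scripted, together with the second half of the goal stated earlier on this slide: keeping users without appropriate privileges from tampering with the zone. This is an added example, not the notes’ own procedure; it uses the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 and later), is run on the DNS server that holds the primary copy of the zone, and defaults the zone name to the domain the server belongs to.

```powershell
Import-Module DnsServer
Import-Module ActiveDirectory

function Get-AdZoneStatus {
    # Zone type, whether it lives in Active Directory, and who may update it dynamically
    param([string]$ZoneName = (Get-ADDomain).DNSRoot)
    Get-DnsServerZone -Name $ZoneName |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate
}

function Set-AdIntegratedZone {
    # Make a zone created before DCPromo Active Directory-integrated (the Change button on
    # the General tab) and restrict dynamic updates to authenticated domain members, so an
    # unauthenticated host cannot overwrite SRV or A records in the zone.
    param([string]$ZoneName = (Get-ADDomain).DNSRoot)
    $zone = Get-DnsServerZone -Name $ZoneName
    if ($zone.ZoneType -ne 'Primary') {
        throw "$ZoneName is a $($zone.ZoneType) zone on this server; convert it on the primary."
    }
    if (-not $zone.IsDsIntegrated) {
        # Moves the zone data from the .dns file into Active Directory; other DCs in the
        # domain then receive it through AD replication instead of zone transfers
        ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -Force
    }
    # Secure-only dynamic update is what keeps unprivileged users from tampering with records
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    Get-AdZoneStatus -ZoneName $ZoneName
}

Get-AdZoneStatus           # before: ZoneType Primary, IsDsIntegrated False for a file-backed zone
Set-AdIntegratedZone       # after:  IsDsIntegrated True, ReplicationScope Domain, DynamicUpdate Secure
```

Secure dynamic update is only available on Active Directory-integrated zones, which is why the conversion has to happen first; a file-backed zone can only choose between no dynamic updates and accepting updates from anyone.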
The Logical Structure of Active
Directory
• Domains, Trees, and Forests
• The administrative unit of Active Directory is a
domain.
• A domain tree is one or more domains that
share a contiguous namespace.
• A forest is two or more domains with a
discontiguous namespace that will be
administered as a unit.
Organizational Units and Containers
• OU is a logical container that can be created in a
domain to group users, groups, computers, and other
resources, so they can be administered together.
Creating Organization Units
• Log on to your Windows 2000 Server computer as
Administrator with the appropriate password.
• From the Start menu, choose Programs | Administrative
Tools | Active Directory Users and Computers to bring
up the proper administrative console.
• Click the plus (+) sign beside your domain name to
expand the list of containers in the domain.
• To create an OU, right-click your domain, and
then select New, and then Organizational Unit.
• On the New Object—Organizational Unit dialog box, type
the name of your OU, such as Sales OU, and then click OK.
The name of the OU must be unique within the level of the
Active Directory where it’s being created. This means you
can’t have two OUs called Sales OU at the root of the
domain, but you can have another Sales OU located within
an OU, which you might have created. For example, Africa
OU could contain an OU called Sales OU even if another OU
called Sales OU already exists at the root of the domain.
• After you create the OU, you can view it in the Active
Directory Users and Computers MMC snap-in.
• Right-click the Sales OU and select New, and then
Organizational Unit to create two additional OUs called
European Sales and North American Sales. Click the + sign
by Sales OU to display your new structure in Active
Directory. Close the Active Directory Users and Computers
MMC snap-in.
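The OU exercise above, scripted, including a check of the naming rule the slide describes (unique within a container, not within the domain). This is an added example, not the notes’ own procedure; it uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later), is run as a domain administrator, and takes the Sales OU, European Sales, North American Sales and Africa OU names from the slide.

```powershell
Import-Module ActiveDirectory
$rootDn = (Get-ADDomain).DistinguishedName     # e.g. DC=haunting,DC=com

function New-OuIfMissing {
    # Create an OU under $ParentDn unless one with that name already exists there
    param([string]$Name, [string]$ParentDn)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDn -SearchScope OneLevel
    if ($existing) { return $existing }
    return New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true -PassThru
}

$sales = New-OuIfMissing -Name 'Sales OU' -ParentDn $rootDn
$null  = New-OuIfMissing -Name 'European Sales'       -ParentDn $sales.DistinguishedName
$null  = New-OuIfMissing -Name 'North American Sales' -ParentDn $sales.DistinguishedName

# Names are unique per container, not per domain: a second "Sales OU" is fine under
# Africa OU, but a duplicate at the domain root is rejected by the directory.
$africa = New-OuIfMissing -Name 'Africa OU' -ParentDn $rootDn
$null   = New-OuIfMissing -Name 'Sales OU'  -ParentDn $africa.DistinguishedName
try {
    New-ADOrganizationalUnit -Name 'Sales OU' -Path $rootDn -ErrorAction Stop
} catch {
    "rejected duplicate at root: $($_.Exception.Message)"
}

# The resulting tree, as expanding the + sign beside Sales OU would show it in the snap-in
Get-ADOrganizationalUnit -Filter * -SearchBase $rootDn |
    Where-Object { $_.DistinguishedName -like '*Sales OU*' } |
    Sort-Object DistinguishedName |
    Select-Object Name, DistinguishedName
```

The distinguished names printed at the end make the naming rule visible: both OUs are called Sales OU, but their DNs differ in the parent component, which is the identity the directory actually enforces uniqueness on.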
Objects used
• Active Directory holds objects such as users, computers,
and others. The base objects, other than an OU, that can be
created in Active Directory include the following:
• User: An account that can be granted permissions
and allowed to log on to the domain.
• Contact: An account that can be sent e-mail, but
can’t be granted permissions or allowed to log on
to the domain. Primarily used with Microsoft
Exchange 2000 and other e-mail systems.
• Computer: A machine account that’s a member of
the domain, can be administered through Group
Policy and other means, and can be assigned
permissions on the domain.
Objects used
• Group: A logical name that can be sent e-mail
(distribution group) or assigned permissions to
network or domain resources (security group).
Any permissions granted or denied to a group are
inherited by its members. Depending on the
group type, members might include users,
contacts, computers, and other groups from the
same or different domains.
• Printer: A device defined on a computer that’s a
member of the domain and is shared, so others
can locate it and use it for output.
• Shared Folder: A network location that can be
accessed by users who know about it and that can
be assigned permissions to control this access.
Delegating Administrative Control of
an OU
• Log on to your Windows 2000 Server computer as
Administrator with the appropriate password.
• From the Start menu, choose Programs |
Administrative Tools | Active Directory Users and
Computers.
• Click the + sign beside your domain name to
expand the list of containers in the domain. Right-
click the Sales OU and select Delegate Control.
• The Delegation of Control Wizard introductory
screen is displayed, describing what tasks it can be
used to perform. Click Next to continue.
• On the Users or Groups screen, click the Add button to see a
list of users and groups to which you can delegate (that is,
grant administrative capabilities to) control.
• In the Select Users, Computers, and Groups dialog box, select
Account Operators, and then click Add to select this group for
delegation of administrative authority. Click OK to save your
selections.
• Click Next on the Users and Groups screen to save your
selection of Account Operators, and then move on to the next
phase of delegation of control.
• On the Tasks to Delegate screen, review the list of standard
tasks (these are self-explanatory), and then select Manage
Group Policy Links. Click Next to continue.
• On the following screen, you see a summary of the delegation
tasks to be performed. Click Finish to save your changes.
• Close the Active Directory Users and Computers MMC snap-in.
Enabling Advanced Features in the Active Directory Users
and Computers MMC Snap-In
• Log on to your Windows 2000 Server computer as
Administrator with the appropriate password.
• From the Start menu, choose Programs |
Administrative Tools | Active Directory Users and
Computers.
• In the snap-in window, click the View menu, and then
select Advanced Features.
• Notice the additional containers are now displayed in
the Active Directory Users and Computers MMC snap-in.
These include LostAndFound and System.
• Right-click the Sales OU and select Properties to display
the Sales OU Properties dialog box.
• On the Security tab (shown only while Advanced Features
is enabled), click the Authenticated Users group in the
user and group list, and then click the Advanced button to
see a list of permission entries on the OU. From the
Access Control Settings dialog box, you can display all
privileges assigned, configure auditing, and change
ownership of the OU.
• Click OK to close the Access Control Settings for
Sales OU dialog box.
• Click OK to close the Sales OU properties dialog
box.
• Exit the Active Directory Users and Computers
MMC snap-in.
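The two preceding exercises, delegating control of the Sales OU and then reading its permission entries through Advanced Features, done from PowerShell. This is an added example, not the notes’ own procedure. The Delegation of Control Wizard’s “Manage Group Policy Links” task grants read and write access to the gPLink and gPOptions attributes of the OU and its children; the script builds those two access control entries for the built-in Account Operators group (well-known SID S-1-5-32-548), looks each attribute’s GUID up in the schema rather than hard-coding it, and then lists the resulting entries the way the Access Control Settings dialog box would. It assumes the ActiveDirectory module (which provides the AD: drive used by Get-Acl and Set-Acl), PowerShell 5 or later, and that Sales OU exists at the domain root.

```powershell
Import-Module ActiveDirectory      # also provides the AD: drive that Get-Acl/Set-Acl use below
$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=Sales OU,$domainDn"
$schemaNc = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaAttributeGuid {
    # Resolve an attribute's schemaIDGUID from the schema; the ACE's ObjectType must be this GUID
    param([string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties schemaIDGUID
    return [guid]::new([byte[]]$attr.schemaIDGUID)
}

function Grant-GpLinkManagement {
    # Equivalent of the wizard's "Manage Group Policy Links" task: read/write gPLink and
    # gPOptions on the OU and everything beneath it, granted to Account Operators
    param([string]$TargetDn, [string]$TrusteeSid = 'S-1-5-32-548')
    $sid     = [System.Security.Principal.SecurityIdentifier]$TrusteeSid
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $acl = Get-Acl -Path "AD:\$TargetDn"
    foreach ($attribute in 'gPLink', 'gPOptions') {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList @($sid, $rights, $allow, (Get-SchemaAttributeGuid $attribute), $inherit)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

function Get-OuAccessEntries {
    # What the Advanced button on the Security tab shows: the owner and per-trustee entries
    param([string]$TargetDn, [string]$TrusteeLike = '*')
    $acl = Get-Acl -Path "AD:\$TargetDn"
    [pscustomobject]@{ Owner = $acl.Owner }
    $acl.Access | Where-Object { $_.IdentityReference -like $TrusteeLike } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
            ObjectType, InheritanceType, IsInherited
}

Grant-GpLinkManagement -TargetDn $ouDn
Get-OuAccessEntries -TargetDn $ouDn -TrusteeLike '*Account Operators*' | Format-Table -AutoSize
Get-OuAccessEntries -TargetDn $ouDn -TrusteeLike '*Authenticated Users*' | Format-Table -AutoSize
```

Reading the ACL back after delegating is the part the wizard skips: the two property-specific entries should be the only additions for Account Operators, and any entry with GenericAll or WriteDacl on the OU for that trustee would indicate far broader rights than the task name suggests.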
The Physical Structure of Active
Directory
• Authenticate Users and Computers: Whenever a computer
starts up or a user logs on to the domain, the Domain
Controller is responsible for ensuring the proper account
name and password are provided to access the domain.
Furthermore, whenever a user or computer communicates
with another computer for access to resources on it, it also
needs to be authenticated. The Domain Controller ensures
the accounts are valid and active.
• Exchange Information with Other Domain Controllers:
Because no one Domain Controller has a master copy of the
Active Directory database, each Domain Controller needs to
communicate periodically with others to ensure it has the
most current information about the objects available and
their attributes. This is done by replicating information with
other Domain Controllers configured as replication partners.
Configuring a Custom MMC Console
for Active Directory Schema
• Log on to your Windows 2000 Server computer as
Administrator with the appropriate password.
• From the Start menu, select Run and enter MMC,
and then click OK. A blank MMC console is
displayed.
• On the Console menu, click Add/Remove Snap-in, and
then click Add to display the Add Standalone Snap-in
dialog box with the list of available snap-ins. (The Active
Directory Schema snap-in appears in this list only after
you register schmmgmt.dll with regsvr32.)
• Select Active Directory Schema and click Add, and
then click Close. The Add/Remove Snap-in dialog
box will change to display the addition.
• Click OK to return to the MMC console.
• In the MMC console, expand Active Directory
Schema.
• To change the Schema Master, right-click
Active Directory Schema and select Operations
Master.
• In the Change Schema Master dialog box click
Change to modify the Schema Master. Click OK
to save your changes.
• Close the MMC console. When prompted to
change console settings, click No.
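The Schema Master transfer above, together with a check of the replication partners described under The Physical Structure of Active Directory, from PowerShell. This is an added example, not the notes’ own procedure; it uses the ActiveDirectory module cmdlets of Windows Server 2012 and later, must be run by a member of Schema Admins for the transfer, and uses DC02 as a placeholder name for the target Domain Controller.

```powershell
Import-Module ActiveDirectory

function Get-OperationsMasters {
    # The five operations master roles: Schema Master and Domain Naming Master are
    # forest-wide, the other three are held once per domain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-SchemaMaster {
    # Transfers (not seizes) the Schema Master to $TargetDc: the current holder must be
    # online, as with the Change button in the snap-in. Supports -WhatIf for a preview.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$TargetDc)
    if ($PSCmdlet.ShouldProcess($TargetDc, 'Transfer Schema Master role')) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
            -OperationMasterRole SchemaMaster -Confirm:$false
    }
    Get-OperationsMasters
}

function Get-ReplicationHealth {
    # Which partners this DC replicates from, per naming context, and whether any has gone stale
    param([string]$Target = $env:COMPUTERNAME, [int]$StaleAfterHours = 24)
    $partners = Get-ADReplicationPartnerMetadata -Target $Target -Partition * |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
            LastReplicationResult, ConsecutiveReplicationFailures
    [pscustomobject]@{
        Partners = $partners
        Stale    = @($partners | Where-Object {
                       $_.LastReplicationSuccess -lt (Get-Date).AddHours(-$StaleAfterHours) })
        Failures = @(Get-ADReplicationFailure -Target $Target)
    }
}

Get-OperationsMasters
(Get-ReplicationHealth).Partners | Format-Table -AutoSize
# Move-SchemaMaster -TargetDc 'DC02' -WhatIf     # DC02 is a placeholder for the new holder
```

Checking replication before moving a role is deliberate: a role transfer is itself written to the directory and has to replicate to every other Domain Controller, so a stale partner at this point means part of the forest would keep pointing at the old Schema Master.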