CHAPTER 1
INTRODUCTION TO MICROSOFT WINDOWS 2000
Overview of Windows 2000
Windows 2000 is a multipurpose operating system with integrated support for client/server and
peer-to-peer networks. It incorporates technologies that reduce the total cost of ownership and
provides for scalability from a small network to a large enterprise network. Total cost of
ownership (TCO) is the total amount of money and time associated with purchasing computer
hardware and software and deploying, configuring and maintaining that hardware and software.
Windows 2000 Professional. High-performance, secure network client computer and corporate
desktop operating system that includes the best features of Windows 98.
Windows 2000 Server. This product is a file, print, terminal and application server, as well as a
Web-server platform that contains all of the features of Windows 2000 Professional plus many
new server-specific functions.
Windows 2000 Advanced Server. Powerful departmental and application server that provides
rich network operating system (NOS) and Internet services.
Windows 2000 Datacenter Server. This product is the most powerful and functional server
operating system in the Windows 2000 family.
New Features Included in Windows 2000
=====================================================================
Feature                              Description
=====================================================================
Active Directory                     Active Directory is an enterprise-class directory service
                                     that is scalable, built from the ground up using Internet-
                                     standard technologies, and fully integrated at the
                                     operating-system level.
Active Directory Service             ADSI is a directory service model and a set of
Interfaces (ADSI)                    Component Object Model (COM) interfaces.
winads1.html PAGE 2 2002/02/06
Asynchronous Transfer Mode           ATM is a high-speed, connection-oriented protocol
(ATM)                                designed to transport multiple types of traffic (voice,
                                     data, image and video) across a network. It is applicable
                                     to both LANs and WANs.
Certificate Services                 You can deploy your own public key infrastructure (PKI).
Component Services                   Component Services provides improved threading and
                                     security, transaction management, object pooling, queued
                                     components, and application administration and
                                     packaging.
Disk Quota Support                   You can use disk quotas on volumes formatted with
                                     the NTFS file system to monitor and limit the amount
                                     of disk space available to each user.
Dynamic Host Configuration           DHCP works with DNS and Active Directory on Internet
Protocol (DHCP) with DNS             Protocol (IP) networks, freeing you from assigning
and Active Directory                 and tracking static IP addresses. DHCP dynamically
                                     assigns IP addresses to computers and other resources
                                     connected to an IP network.
Encrypting File System (EFS)         Encrypts files on NTFS volumes. Encryption and decryption
                                     run transparently to the user.
Graphical Disk Management            Disk Management is a graphical tool for managing
                                     disk storage that includes many new features, such as
                                     support for new dynamic volumes, online disk
                                     management, and local and remote drive management.
Group Policy (part of Active         Policies can define the allowed actions and the
Directory)                           settings for users and computers.
Indexing Services                    Makes it fast and easy for users to search for information
                                     locally or on the network.
IntelliMirror                        Provides high levels of control over client systems
                                     running Windows 2000 Professional.
Internet Authentication              IAS provides you with a central point for managing
Service (IAS)                        authentication, authorization, accounting, and auditing
                                     of dial-up or virtual private network (VPN) users.
Internet Connection Sharing          With the Internet Connection Sharing feature of
                                     Network and Dial-up Connections, you can use
                                     Windows 2000 to connect your home network or
                                     small office network to the Internet.
Internet Information                 Makes it easy to share documents and information across
Services (IIS) 5.0                   a company intranet or the Internet. You can
                                     create Web pages.
Internet Protocol Security           Use IPSec to secure communication within an
(IPSec) support                      intranet and to create secure virtual private
                                     network solutions across the Internet.
Kerberos V5 Protocol                 Kerberos V5 is a mature, industry-standard network
Support                              authentication protocol. With Kerberos V5 support,
                                     a fast, single logon process gives users the access they
                                     need to Windows 2000 Server-based enterprise
                                     resources, as well as to other environments that support
                                     this protocol.
Layer 2 Tunneling Protocol           L2TP is an industry-standard tunneling protocol that,
(L2TP) Support                       combined with IPSec, is a more secure alternative to
                                     Point-to-Point Tunneling Protocol (PPTP). It provides
                                     tunneling, address assignment and authentication.
===================================================================
Windows 2000 Network Environments
Windows 2000 can be set up in either a workgroup model or a domain model. Both Windows 2000
Professional and Windows 2000 Server can participate in either of these two models.
Windows 2000 Workgroup Model
A workgroup is a logical grouping of networked computers that share resources, such as files
and printers. A workgroup is also referred to as a peer-to-peer network.
A local security database is a list of user accounts and resource security information for the
computer on which it resides. In a workgroup, each computer maintains its own local security
database; there is no central directory.
Disadvantages of using workgroup mode:
- Any change to a user account, such as a password change or a new account, must be made on
  each computer in the workgroup.
- Device and file sharing is handled by the individual computers, and only for users who have
  accounts on each individual computer.
Advantages of using workgroup mode:
- A workgroup does not require a computer running Windows 2000 Server to hold centralized
  security information, and it is simple to design and implement.
- A workgroup is convenient for a small number of computers in close proximity; it becomes
  impractical in environments with more than 10 users.
NOTE: In a workgroup, a computer running Windows 2000 Server that is not a member of a
Windows 2000 domain is called a stand-alone server.
Windows 2000 Domain Model
A Windows 2000 domain is a logical grouping of network computers that share a central directory
database. A directory database contains user accounts and security information for the domain.
In a domain, the directory resides on computers that are configured as domain controllers. A domain
controller is a server that manages all security-related aspects of user-domain interactions. Security
and administration are centralized. Only computers running Windows 2000 Server may be designated
as domain controllers.
A domain does not refer to a single location or specific type of network configuration. The computers
in the domain can share physical proximity on a small LAN or can be located in different corners of
the world, communicating over any number of physical connections, including dial-up lines, Integrated
Services Digital Network (ISDN) lines, fiber lines, Ethernet lines, token ring connections, frame relay
connections, satellite connections, and leased lines.
The benefits of a Windows 2000 domain are as follows:
A domain allows centralized administration because all user information is stored centrally. All changes
are replicated within the domain.
A domain provides a single logon process for users to gain access to network resources, such as file,
print and application resources for which they have permissions.
A domain provides scalability so that an administrator can create very large networks.
A typical Windows 2000 domain will have the following types of computer:
Domain controllers running Windows 2000 Server. Each domain controller stores and
maintains a copy of the directory.
Member servers running Windows 2000 Server. A member server is a server that is
not configured as a domain controller. A member server does not store directory information and
cannot authenticate domain users. Member servers provide shared resources such as shared
folders or printers.
Client computers running Windows 2000 Professional. Client computers run a user's desktop
environment and allow the user to gain access to resources in the domain.
Lesson Summary:
- A workgroup is a logical grouping of networked computers that share resources
  such as files and printers. Each computer keeps its own local security database.
- A domain is a logical grouping of networked computers that share a central directory
  database containing security and user account information.
- The Windows 2000 family consists of Windows 2000 Professional, Windows
  2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server.
- Windows 2000 Professional is a client and corporate desktop operating system
  with integrated support for client/server and peer-to-peer networks. It supports one inbound
  dial-up connection at a time.
- Windows 2000 Server supports 4-way symmetric multiprocessing (SMP) and 256 simultaneous
  inbound connections at a time.
- Windows 2000 Advanced Server includes all the features of Windows 2000 Server and adds 8-way
  SMP and two-node clustering.
- Windows 2000 Datacenter Server includes all the features of Windows 2000 Advanced
  Server, but supports four-node clustering, 16-way to 32-way SMP and load balancing.
  It is intended for systems with more processors and more than 10,000 simultaneous users.
Lesson 2:
Windows 2000 Architecture Overview
The Windows 2000 architecture contains two major
layers: user mode and kernel mode.
User Mode
Windows 2000 has two different types of user mode components: environment subsystems and
integral subsystems.
Environment subsystems. One of the features of Windows 2000 is the ability to run applications
written for different operating systems. Windows 2000 accomplishes this through the use of
environment subsystems. An environment subsystem accepts the API calls made by the application,
converts the API calls into a format understood by Windows 2000, and then passes the converted calls
to the Executive Services for processing.
======================================================================
Environment subsystem                Function
======================================================================
Win32 subsystem                      Provides the 32-bit Windows (Win32) API and controls all
                                     screen-oriented input/output between subsystems.
OS/2 subsystem                       Provides a set of APIs for 16-bit character-mode
                                     OS/2 applications.
POSIX subsystem                      Provides APIs for applications written to the Portable
                                     Operating System Interface (POSIX) standard.
======================================================================
The environment subsystems and the applications that run within them are subject to the following
limitations and restrictions:
- They have no direct access to hardware; hardware access is requested through Executive services.
- They have no direct access to memory; they use the virtual memory system, and their pages can be
  swapped out to disk when the system needs memory.
- They run at a lower priority and therefore have less access to central processing unit (CPU)
  cycles than processes that run in kernel mode.
Integral subsystems. Many different integral subsystems perform essential operating system functions.
See the diagram.
=======================================================================
Integral subsystem                   Function
=======================================================================
Security subsystem                   Tracks rights and permissions associated with user
                                     accounts.
Workstation service                  Networking integral subsystem that provides an API to
                                     access the network redirector.
Server service                       Networking integral subsystem that provides an API to
                                     access the network server. Allows a computer running
                                     Windows 2000 to provide network resources.
=======================================================================
Kernel Mode
The Kernel mode consists of four components: Windows 2000 Executive, Device Drivers, the
Microkernel, and Hardware Abstraction Layer (HAL).
Windows 2000 Executive
This component performs most of the I/O and object management, including security. It does not perform
screen and keyboard I/O; the Microsoft Win32 subsystem performs these functions. The Windows 2000
Executive contains the Windows 2000 kernel-mode components. Each of these components provides the
following two distinct sets of services and routines:
- System services are available both to the user-mode subsystems and to other Executive components.
- Internal routines are available only to other components within the Executive.
See the chart on page 15.
Device Drivers
This component translates driver calls into hardware manipulation.
Microkernel
This component manages the microprocessor only. The kernel coordinates all I/O functions and
synchronizes the activities of the Executive Services.
Hardware Abstraction Layer (HAL)
This component virtualizes, or hides, the hardware interface details, making Windows 2000 more
portable across different hardware architectures. The HAL contains the hardware-specific code that
handles I/O interfaces, interrupt controllers and multiprocessor communication mechanisms. This layer
was originally designed to allow Windows 2000 to run on both Intel-based and Alpha-based systems
without having to maintain two separate versions of the Windows 2000 Executive.
Lesson Summary:
- The Windows 2000 architecture has two layers: user mode and kernel mode.
- User mode has two types of components: environment subsystems, which allow
  Windows 2000 to run applications written for different operating systems, and integral
  subsystems, which perform essential operating system functions.
- Kernel mode consists of the Windows 2000 Executive, device drivers, the microkernel and the
  Hardware Abstraction Layer (HAL).
Lesson 3:
Windows 2000 Directory Services Overview
A directory is a stored collection of information about objects that are related to one another in
some way.
In a distributed computing system or a public computer network such as the Internet, there are
many objects, such as file servers, printers, fax servers, applications, databases and users.
The terms directory and directory service refer to the directories found in public and private networks. A
directory provides a means of storing information related to the network resources to facilitate
locating and managing these resources. A directory service is a network service that identifies
all resources on a network and makes them accessible to users and applications.
Advantages of directory services:
- Users can locate resources by name or by attribute, without needing to know where the resource
  is stored or what computer they are working on.
Why have a directory service?
Users and administrators may not know the exact name of the objects they need, but they may know
one or more attributes of those objects and can query the directory for them.
Other functions of directory services are:
- Enforcing security defined by administrators, so that objects are hidden from
  users who do not have permission to access those objects.
- Distributing the directory across many computers and partitioning it into multiple stores on
  the network. This makes more space available to the directory as a whole and allows the storage
  of a large number of objects.
Windows 2000 Directory Services:
The resources stored in the directory, such as user data, printers, servers, databases, groups, services,
computers, and security policies are known as objects.
Simplified Administration
Active Directory organizes resources hierarchically in domains. A domain is a logical grouping of servers
and other network resources under a single domain name. The domain is the basic unit of replication and
security in a Windows 2000 network.
Each domain includes one or more domain controllers. A domain controller is a computer running
Windows 2000 server that manages user access to a network, which includes logging on, authentication,
and access to the directory and shared resources.
Scalability
In Active Directory, the directory stores information by organizing it into sections (partitions)
that permit storage of a very large number of objects.
This distributes the workload between domain controllers. Active Directory also replicates the
directory between the domain controllers of a domain, thereby creating a type of fault tolerance.
There are no more PDCs and BDCs: every Windows 2000 domain controller holds a writable copy of the
directory, so changes can be made on any of them and are replicated to the others.
NOTE: You can distribute directory information across several computers in a network.
Open Standards Support
Active Directory integrates the Internet concept of name space with the Windows 2000 directory
services. This allows you to unify and manage the multiple name spaces that now exist in the
heterogeneous software and hardware environments of corporate networks.
DNS
If you are having problems with Active Directory, check DNS first and make sure it is working
correctly. DNS is a core component of Active Directory; if DNS is not working, chances are that
it is the root of the problem.
Because Active Directory uses DNS as its domain naming and location service, Windows 2000
domain names are also DNS names. Windows 2000 Server uses Dynamic DNS (DDNS), which
enables clients with dynamically assigned addresses to register directly with a server running the
DNS service and update the DNS table dynamically. DDNS eliminates the need for other Internet
naming services, such as Windows Internet Name Service (WINS), in a homogeneous environment.
IMPORTANT: For Active Directory and associated client software to function correctly, you must have
installed and configured the DNS service.
Support of LDAP and HTTP
Active Directory further embraces Internet standards by directly supporting LDAP and HTTP. LDAP
is a simplified version of the X.500 Directory Access Protocol (DAP), developed as a lighter-weight
alternative to DAP that runs directly over TCP/IP.
NOTE: Active Directory uses LDAP to exchange information between directories and applications.
Support for Standard Name Formats
Active Directory supports several common name formats.
=======================================================================
Format                               Description
=======================================================================
RFC 822                              Takes the form someone@domain and is familiar
                                     to most users as an Internet e-mail address.
HTTP Uniform Resource                Takes the form http://domain/path-to-page
Locator (URL)
Universal Naming                     Takes the form \\microsoft.com\xl\BUDGET.XLS
Convention (UNC)
LDAP URL                             Takes the form LDAP://server/CN=name,OU=unit,...,DC=domain
                                     component. These names identify an object precisely but
                                     are difficult for users to remember.
========================================================================
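The following Python module is an added example, not code from the course notes or from Microsoft, that works with the name formats in the table above and with DNS as the locator service described under "DNS". It converts a DNS domain name to and from its DC= distinguished-name components, parses an LDAP URL into host, port, base DN, attributes, scope and filter, parses a UNC name, classifies a name by format, and lists the SRV record names a Windows 2000 client queries to find a domain controller. All host, domain and user names in it (devel.example.com, dc1, jsmith) are constructed samples.

```python
"""
Added example (not part of the course notes): Active Directory name formats
and the DNS SRV names used to locate a domain controller.
Every host, domain and user name below is a constructed sample.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse, unquote


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP distinguished name into (attribute, value) pairs.
    A backslash escapes the next character, so a comma inside a value survives."""
    pairs, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pairs.append("".join(buf))
    out = []
    for rdn in pairs:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip(), value.strip()))
    return out


def dns_to_dn(domain: str) -> str:
    """devel.example.com -> DC=devel,DC=example,DC=com (the domain as LDAP sees it)."""
    labels = [l for l in domain.strip().rstrip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={l}" for l in labels)


def dn_to_dns(dn: str) -> str:
    """Recover the DNS domain name from the DC= components of a DN."""
    dcs = [v for a, v in split_dn(dn) if a.upper() == "DC"]
    if not dcs:
        raise ValueError("DN has no DC= components")
    return ".".join(dcs)


def parse_ldap_url(url: str) -> dict:
    """Parse ldap://host[:port]/dn[?attrs[?scope[?filter]]] (the RFC 2255 layout)."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    attrs, scope, filt = (u.query.split("?") + ["", "", ""])[:3]
    return {
        "host": u.hostname or "",
        "port": u.port or (636 if scheme == "ldaps" else 389),
        "dn": unquote(u.path.lstrip("/")),
        "attributes": [a for a in unquote(attrs).split(",") if a],
        "scope": unquote(scope) or "base",
        "filter": unquote(filt) or "(objectClass=*)",
    }


def parse_unc(unc: str) -> Tuple[str, str, str]:
    r"""\\server\share\path -> (server, share, path)."""
    if not unc.startswith("\\\\"):
        raise ValueError("not a UNC name")
    parts = unc[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("UNC name needs a server and a share")
    return parts[0], parts[1], "\\".join(parts[2:])


def classify_name(name: str) -> str:
    """Identify which of the standard formats from the table a name uses."""
    if name.startswith("\\\\"):
        return "UNC"
    if re.match(r"(?i)^ldaps?://", name):
        return "LDAP URL"
    if re.match(r"(?i)^https?://", name):
        return "HTTP URL"
    if re.match(r"^[^@\s]+@[^@\s]+$", name):
        return "RFC 822"
    return "unknown"


def dc_locator_srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """DNS SRV record names a Windows 2000 client asks for when locating a domain
    controller; domain controllers register them through dynamic DNS update.
    The site-specific name is tried first when the client knows its site."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names += [
        f"_ldap._tcp.dc._msdcs.{domain}",  # any domain controller for this domain
        f"_ldap._tcp.{domain}",            # LDAP servers
        f"_kerberos._tcp.{domain}",        # Kerberos KDCs
        f"_kpasswd._tcp.{domain}",         # Kerberos password-change service
        f"_gc._tcp.{domain}",              # global catalog (registered in the forest root)
    ]
    return names
```

If the SRV names returned by dc_locator_srv_names do not resolve on a client, clients cannot find a domain controller at all, which is why the notes say to check DNS first when Active Directory misbehaves.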
Active Directory in the Windows 2000 Architecture
Two processor access modes, kernel and user, divide the low-level, platform-specific processes from the
upper-level processes, respectively, to shield applications from platform differences and to prevent direct
access to system code and data by applications.
Each application, including service applications, runs in a separate process in user mode, from which it
requests system services through an API that gains limited access to system data.
The security reference monitor, which runs in kernel mode, is the primary authority for enforcing the
security rules of the security subsystem.
Access to all directory objects first requires proof of identity (authentication), which is performed by
components of the security subsystem, and then validation of access permissions (authorization), which
is performed by the security subsystem in conjunction with the security reference monitor.
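The two-step sequence above (authenticate, then authorize) is easier to reason about with a small working model. The Python below is an added example, not code from the course notes or from Windows itself: authenticate() stands in for the security subsystem and returns an access token (user SID plus group SIDs); access_check() stands in for the security reference monitor and walks an object's DACL in order, the way the Windows AccessCheck rule works (a deny ACE matching a still-needed right fails immediately, allow ACEs accumulate, a NULL DACL protects nothing and an empty DACL grants nothing). The SIDs, the account store with its SHA-256 digests, and the right values are constructed for the demo and are not how a domain controller stores or verifies credentials.

```python
"""
Added example (not part of the course notes): a model of authentication producing
an access token, followed by the reference monitor's ordered DACL evaluation.
SIDs, accounts and access-right values below are constructed for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access rights as a bit mask, in the spirit of a Windows ACCESS_MASK (values assumed).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE

# Constructed SIDs; the prefix imitates a domain SID but is not a real domain.
DOMAIN = "S-1-5-21-1000-2000-3000"
SID_JSMITH = DOMAIN + "-1001"
SID_ADMIN = DOMAIN + "-500"
SID_ADMINS = DOMAIN + "-512"        # Domain Admins
SID_DOMAIN_USERS = DOMAIN + "-513"  # Domain Users
SID_CONTRACTORS = DOMAIN + "-2001"


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account store: name -> (user SID, password digest, group SIDs).
# A real domain controller verifies Kerberos or NTLM credentials instead.
ACCOUNTS = {
    "jsmith": (SID_JSMITH, _digest("correct horse"),
               frozenset({SID_DOMAIN_USERS, SID_CONTRACTORS})),
    "admin": (SID_ADMIN, _digest("hunter2"),
              frozenset({SID_DOMAIN_USERS, SID_ADMINS})),
}


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset

    def sids(self) -> set:
        return {self.user_sid} | self.group_sids


def authenticate(name: str, password: str) -> Optional[AccessToken]:
    """Step 1, proof of identity. On success the caller gets an access token;
    every later access decision uses the token, never the password."""
    rec = ACCOUNTS.get(name)
    if rec is None or not hmac.compare_digest(rec[1], _digest(password)):
        return None
    return AccessToken(rec[0], rec[2])


@dataclass(frozen=True)
class ACE:
    kind: str  # "allow" or "deny"
    sid: str
    mask: int


def canonical(dacl: List[ACE]) -> List[ACE]:
    """Canonical order: explicit deny ACEs before explicit allow ACEs
    (inherited ACEs are not modelled). Order matters, see access_check."""
    return sorted(dacl, key=lambda a: 0 if a.kind == "deny" else 1)


def access_check(token: AccessToken, dacl: Optional[List[ACE]], desired: int) -> Tuple[bool, str]:
    """Step 2, the reference monitor's decision. None DACL = unprotected object;
    empty DACL = nobody gets in. ACEs are evaluated strictly in list order."""
    if desired == 0:
        raise ValueError("desired access must request at least one right")
    if dacl is None:
        return True, "no DACL: object is unprotected"
    remaining = desired
    for ace in dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by deny ACE for {ace.sid}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "all requested rights granted"
    return False, f"rights 0x{remaining:x} never granted"


def maximum_allowed(token: AccessToken, dacl: List[ACE]) -> int:
    """The MAXIMUM_ALLOWED query: every right some allow ACE grants that no
    earlier deny ACE has already taken away."""
    denied = granted = 0
    for ace in dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny":
            denied |= ace.mask
        else:
            granted |= ace.mask & ~denied
    return granted


# Constructed DACL for a sample share: users read, contractors may not modify, admins full.
SAMPLE_DACL = canonical([
    ACE("allow", SID_DOMAIN_USERS, READ | EXECUTE),
    ACE("deny", SID_CONTRACTORS, WRITE | DELETE),
    ACE("allow", SID_ADMINS, FULL_CONTROL),
])
```

The non-canonical case is the one to remember: if an allow ACE for a broad group sits before a deny ACE for a narrower one, the allow satisfies the request before the deny is ever reached, and the deny is silently ineffective. That is why the ACL editor rewrites ACLs into canonical order.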
Active Directory Architecture
Active Directory consists of three service layers and several interfaces and protocols that work
together to provide directory services.
The key service components include the following:
- Directory System Agent (DSA). Builds a hierarchy from the parent-child relationships
  stored in the directory. Provides APIs for directory access calls.
- Database layer. Provides an abstraction layer between applications and the database; calls are
  never made directly to the database.
- Extensible Storage Engine (ESE). The database engine. Communicates directly with individual
  records in the directory data store on the basis of the object's relative distinguished name attribute.
- Data store. The directory database file, Ntds.dit, stored in the \Winnt\NTDS folder on the domain
  controller. You can administer the file by using the NTDSUTIL tool, located in the \Winnt\system32
  folder on the domain controller.
Clients obtain access to Active Directory by using one of the following mechanisms that is supported
by the DSA:
- LDAP/ADSI. Clients that support LDAP, and programs written to ADSI, connect to the DSA over LDAP.
- MAPI. Legacy MAPI clients, such as Microsoft Exchange, connect to the
  DSA by using the MAPI RPC address book provider interface.
- SAM. Windows NT 4.0 clients use the SAM interface to connect to the DSA. Replication from a BDC
  in a mixed-mode domain goes through the SAM interface as well.
- REPL. Windows 2000 domain controllers performing directory replication
  connect to each other by using a proprietary RPC (remote procedure call) interface.
Lesson Summary:
- The resources stored in the directory, such
  as user data, printers, servers, databases, groups, computers, and security policies, are known as objects.
- The security reference monitor, which runs in kernel mode, is the primary authority for
  enforcing the security rules of the security subsystem.
Lesson 4:
Logging on to Windows 2000
Local Logon:
When you log on locally, your credentials are checked against the local security database and you are
granted an access token. The token is attached to your initial process, and the first thing loaded is
explorer.exe, which runs your desktop.
Domain Logon:
Your credentials are checked against Active Directory on a domain controller, and the local security
subsystem builds your access token from the result. If Kerberos authentication is in use, the domain
controller (acting as the Kerberos Key Distribution Center) issues tickets.
Lesson Summary:
IMPORTANT. A user cannot log on to either the domain or the local computer from any computer
running Windows 2000 Server unless that user is assigned the Log on Locally user right by an
administrator or has administrative privileges for the server. This feature helps to secure the server.
NOTE: Domain controllers do not maintain a local security database. Therefore, local user accounts
are not available on domain controllers, and a user cannot log on locally to a domain controller.
- Your access token follows you wherever you go on the network; it is checked to assure that you have
  permission to access the requested files or location.
- Pressing Ctrl+Alt+Del after logging on opens the Windows Security dialog box, whose buttons are
  Lock Computer, Log Off, Shut Down, Change Password, Task Manager, and Cancel.