CHAPTER 1
INTRODUCTION TO MICROSOFT WINDOWS 2000
Lesson 1: Overview of Windows 2000
There are four operating systems in the family: Windows 2000 Professional, Windows 2000 Server,
Windows 2000 Advanced Server, and Windows 2000 Datacenter Server.
Windows 2000 is a multipurpose operating system with integrated support for client/server and
peer-to-peer networks. The Windows 2000 family of products has been designed to increase
reliability, deliver higher levels of system availability, and provide scalability from a small
network to a large enterprise network.
Windows 2000 incorporates technologies that reduce the total cost of ownership by allowing
organizations to increase the value of their existing investments while lowering overall computing costs.
Windows 2000 Professional
Windows 2000 Professional is the main desktop operating system for businesses of all sizes. It is a
high-performance, secure client operating system that incorporates the best business features of
Windows 98 and builds on the traditional strengths of Windows NT Workstation. It adds file
encryption and application management tools.
Windows 2000 Server
Windows 2000 Server is a file, print, and application server, as well as a Web server platform, and
contains all features of Windows 2000 Professional plus many new server-specific functions.
At the core of Windows 2000 Server is the Active Directory directory service.
Windows 2000 Server supports uniprocessor systems through four-way symmetric multiprocessing (SMP)
systems with up to 4 gigabytes (GB) of physical memory.
Windows 2000 Advanced Server
Windows 2000 Advanced Server is a more powerful departmental and application server operating
system that includes the full feature set of Windows 2000 Server and adds the advanced high
availability and improved scalability required for enterprise and larger departmental solutions.
======================================================================
winser1.html PAGE 2 2001/01/12
Windows 2000 Advanced Server supports 8-way SMP and integrates high-availability two-way clustering,
and it is ideal for database-intensive work.
Hardware that is designed around Intel Physical Address Extension (PAE) allows Windows 2000
Advanced Server to take advantage of more physical memory.
Windows 2000 Datacenter Server
This is a specialized high-end version of Windows 2000 Server designed for large-scale enterprise
solutions. It is ideal for OLTP, ISPs, and Web site hosting. Windows 2000 Datacenter Server
provides load-balancing services and enhanced clustering services that support four-way
clustering.
Windows 2000 Datacenter Server supports up to 16-way SMP, and up to 32-way SMP through original
equipment manufacturer (OEM) operating system enhancements.
=======================================================================
Feature                     Benefit
=======================================================================
Lower total cost of         Reduces the cost of running a network by providing
ownership                   automatic installation and upgrading of applications,
                            and by simplifying the setup and configuration of
                            client computers.
Security                    Authenticates users before they gain access to
                            resources on the network.
Directory services          Stores information about network resources, such as
                            user accounts, applications, print resources, and
                            security information.
Performance and             Supports SMP on computers that are configured with
scalability                 multiple microprocessors. Windows 2000 Server supports
                            up to 4 microprocessors; Windows 2000 Professional
                            supports up to 2 microprocessors.
Network and                 Built-in support for network protocols, including
communication services      TCP/IP and IPX/SPX. Windows 2000 Server supports 256
                            simultaneous inbound dial-up sessions; Windows 2000
                            Professional supports 1 inbound dial-up session.
Internet integration        Windows 2000 Server includes Internet Information
                            Server (IIS).
Integrated                  Create customized tools to manage local and remote
administration tools        computers with a single standard interface.
Hardware support            Supports USB and Plug and Play hardware.
=======================================================================
Lesson Summary:
client/server and peer-to-peer networks.
more features.
simultaneous
users.
Lesson 2: Operating System Architecture
Windows 2000 is an object-based system. In other words, it is a modular operating system made up
of small, self-contained software components that work together to perform operating system tasks.
Windows 2000 Architectural Overview
Windows 2000 is a portable operating system designed to run on Complex Instruction Set Computing
(CISC)-based computers. Because of this, devices and their drivers are both hardware-configurable
and software-configurable.
Windows 2000 is always preemptible and always interruptible, and it is designed to run uniformly on
uniprocessor and SMP platforms, ensuring that code executing on one processor does not
simultaneously access and modify data being accessed and modified by another processor.
Windows 2000 supports packet-driven input/output (I/O) with reusable I/O request packets (IRPs)
and asynchronous I/O, so that the originator of an I/O request can continue executing rather
than waiting for its I/O request to complete.
Windows 2000 is designed to be a modular system made up of a set of objects that can be broken
into two major layers: user mode and kernel mode.
User Mode
The user mode layer of Windows is made up of a set of components referred to as subsystems. A
subsystem passes I/O requests to the appropriate kernel mode driver through the I/O system
services. The subsystem insulates its end users and applications from having to know anything
about kernel mode components. The user mode layer is made up of two kinds of subsystems:
environment subsystems and integral subsystems.
Environment Subsystems: IMPORTANT
They allow Windows 2000 to run applications written for different operating systems. These
subsystems emulate different operating systems by presenting the application programming
interfaces (APIs) that the applications expect to be available. The environment subsystems
accept the API calls made by the application, convert the API calls into a format understood
by Windows 2000, and then pass the converted calls to Executive components running in kernel
mode.
=====================================================================
Environment subsystem   Function
=====================================================================
Win32                   Controls Win32-based applications and provides an
                        environment for Win16 and Microsoft MS-DOS-based
                        applications.
POSIX                   Provides APIs for POSIX-based applications. POSIX
                        refers to the portable operating system interface
                        standard developed by the IEEE.
=====================================================================
The environment subsystems and the applications that run within them have no direct access
to hardware or device drivers. They are limited to an assigned address space. Environment
subsystems are forced to use hard disk space as virtual memory whenever the system needs
memory.
NOTE: Microsoft Enterprise Memory Architecture (EMA), part of Windows 2000 Advanced
Server and Windows 2000 Datacenter Server, can make larger amounts of physical RAM
available to applications, thereby improving their performance.
User mode is subject to paging (64 MB of RAM minimum); kernel mode is not paged.
Hardware requirements for Windows 2000 Server installation:
· Pentium 133
· 128 MB of RAM
· 2 GB free space for the boot partition
· 500 MB of unallocated space on the computer
· 12X CD-ROM drive
· VGA monitor (800 X 600 resolution or better recommended)
· Microsoft mouse or compatible pointing device
Integral Subsystems:
Integral subsystems perform essential operating system functions.
=====================================================================
Integral subsystem      Function
=====================================================================
Security                Creates security tokens and tracks rights and permissions
                        associated with user accounts.
Workstation service     Provides an API to access the network redirector.
Server service          Provides an API to access the network server.
=====================================================================
Kernel Mode
The kernel mode layer of the Windows 2000 architecture has access to system data and hardware.
Kernel mode provides direct access to memory and is executed in a protected memory area. It
determines when a particular sequence of code runs by following prioritizing criteria: every
thread has an associated priority attribute. Kernel mode consists of several components: the
Executive, the Hardware Abstraction Layer (HAL), and the set of kernel mode drivers.
Windows 2000 Executive
The Executive performs most of the I/O and object management, including security. Various
components within the Executive, such as the Virtual Memory Manager (VMM) and the I/O
Manager, define one or more object types. No component is allowed to access any instance
of another component’s object types directly.
The component must call the exported support routines in order to use another component’s object.
Each component exports kernel-only support routines that manipulate instances of its object types
when these routines are called. If the underlying implementation of a support routine changes
over time, its caller remains portable because the interface of the defining component does not
change.
=====================================================================
Component                   Function
=====================================================================
I/O Manager                 Manages input from and delivery of output to
                            different devices. The I/O Manager consists of the
                            file system (translates requests), device drivers
                            (manipulate hardware), and the Cache Manager (stores
                            data in the cache, thereby improving I/O processing
                            and saving time).
Security Reference          Enforces security policies on the local computer.
Monitor
IPC (Interprocess           Manages communication between clients and servers.
Communication) Manager      It consists of LPC (local) and RPC (remote).
Virtual Memory              Allows the operating system to use peripheral hard
Manager (VMM)               disk storage as if it were part of physical memory.
                            The VMM also controls paging.
Process Manager             Creates and terminates processes and threads.
Plug and Play (PnP)         Supports boot-time Plug and Play activity and
Manager                     interfaces with the HAL.
Power Manager               Controls power management.
Window Manager and          The Window Manager manages the display system; the
Graphical Device            GDI manages graphics.
Interface (GDI)
Object Manager              Creates, manages, and deletes objects that represent
                            operating system resources, such as processes,
                            threads, and data structures.
=====================================================================
Hardware Abstraction Layer (HAL)
The HAL virtualizes, or hides, the hardware interface details, making Windows more portable across
different hardware architectures. The HAL contains the hardware-specific code that handles I/O
interfaces, interrupt controllers, and multiprocessor communication mechanisms.
The HAL is implemented as a dynamic-link library and is responsible for all hardware-level, platform
support needed by every component in the system. The HAL exports support routines that hide
platform-specific hardware details about caches, I/O buses, and interrupt controllers, and provides
an interface between the platform's hardware and the system's software components.
Kernel Mode Drivers
Kernel mode drivers are implemented as discrete, modular components with a well-defined set of
required functionality. Kernel mode drivers include Windows Driver Model (WDM) drivers.
Kernel Mode drivers share many of the design goals of Windows 2000, including all of the following:
There are three basic types of kernel mode drivers: highest-level drivers, intermediate drivers,
and lowest-level drivers.
***** See the associated diagrams *****
======================================================================
Driver type             Description
======================================================================
Highest-level drivers   File system drivers, such as FAT or NTFS.
Intermediate drivers    Drivers such as virtual disk, mirror, or device-type-specific
                        class drivers.
Lowest-level drivers    PnP hardware bus drivers that control the I/O bus to which
                        some number of peripheral devices are connected.
======================================================================
Windows Driver Model (WDM)
Some Windows 2000 kernel mode drivers are also WDM drivers. WDM drivers are a subset of the
intermediate level of kernel mode drivers. Devices that conform to the WDM device driver
architecture benefit from a common set of WDM I/O services and planned binary compatibility
between the Windows 2000 and Windows 98 operating systems.
To decrease the effort hardware vendors need to support all Windows platforms, WDM enables
devices designed for either Windows 2000 or Windows 98 to be installed and used on computers
running either operating system.
Suppose you have five separate devices connected to a USB bus; you would need five different,
unique drivers. With WDM, driver developers write the generally smaller pieces of code (miniports)
that talk to their hardware directly and call the appropriate class driver to do the bulk of the
common tasks. Another significant advantage of writing miniports is that it decreases the
likelihood of introducing bugs into device driver code.
WDM Layered Architecture
WDM is a multiple-layer driver architecture that uses special class drivers to provide cross-platform
support. Driver classes are layers of abstraction that allow WDM drivers to be used in both
Windows 2000 and Windows 98. There are four different classes of drivers.
· Miniport drivers
· Class Drivers
· OS services
· Virtualization Drivers
For each bus class and hardware device class supported by WDM, Windows 2000 provides a
class driver. Because Microsoft provides all platform-specific integration support for WDM, only
miniports are required to be written for all hardware devices whose classes are supported by
Microsoft.
Miniport Drivers
Miniport drivers were already implemented in Windows NT for the SCSI and network adapter
classes. With Windows 2000, the concept of miniport drivers has been widened to include USB
support. Miniport drivers have the following attributes:
· Indirect control of hardware through a specific bus class driver
· Source and binary compatibility across Windows platforms
· Dynamic loading and unloading
· Hardware-specific functionality only
· Capacity to expose multiple class interfaces
Class Drivers
Class drivers provide interfaces between different layers of the WDM architecture. Class
drivers also have the following capabilities:
· Class-specific functions, not hardware-specific or bus-specific, except for bus-type
class drivers
· Dynamic loading and unloading
· Class-specific functions only (such as enumeration)
· Capacity to expose a single class-specific interface to multiple client layers.
OS Services
The OS Service layer is always specific to the operating system. This layer abstracts all the operating
system specific functionality from the miniport layers beneath it. This functionality includes:
· Thread management
· Heap management
· Event services
Virtualization Drivers
These are the familiar .vxd files in Windows 95 and the .386 files in earlier versions of Windows.
Virtualization drivers under WDM have some very specific functions: they virtualize the interfaces
of legacy hardware and send class-specific commands to the appropriate device.
These drivers do not access hardware directly but act as go-betweens so that legacy software or
hardware can work correctly under the new architecture.
The WDM driver support for Windows 2000 includes MPEG decoders, audio, DVD-ROM, and broadcast
architecture.
Lesson Summary:
software components that work together to perform operating system tasks.
layers: user mode and
kernel mode.
and the kernel mode drivers.
Interrupt controllers and multiprocessor communication mechanisms.
well-defined set of required functionality.
drivers, and lowest-level drivers.
Lesson 3: Windows 2000 Directory Services
A directory is a stored collection of information about objects that are all related to one another in
some way. You can compare a network directory to a telephone directory, which stores the names,
addresses, and phone numbers of individuals and businesses. In much the same way, a directory
service uniquely identifies users and resources on a network and provides a way to organize and
access those users and resources.
Introduction to Directory Services
In a distributed computing system or a public computer network such as the Internet, many objects
are necessary to support that system, such as users, file servers, printers, fax servers, applications,
and databases.
When all of the information needed to use and manage these objects is stored in a centralized
location, the process of locating and managing these resources can be vastly simplified. This is
where a directory service becomes useful.
The terms directory and directory service refer to the directories found in public and private networks.
A directory is a database of network objects that can be referenced in many different ways. A
directory service differs from a directory in that it is both the source of the directory information and
the services making the information available to the users.
A directory service provides the means to organize and simplify access to resources of a networked
computer system. It makes it possible to find an object based on one or more of its attributes. For
example, administrators may not know the exact name of an object, but chances are they know one
or more of the attributes of that object.
You can use the directory service to perform a number of functions:
** IMPORTANT **
Enforce security to protect the objects in its database from outside intruders or from internal users who
do not have permission to access those objects.
Replicate a directory to other computers in the network to make it available to more users and make
it resistant to failure.
Partition a directory into multiple stores that are located on different computers across the network.
This makes more space available to the directory as a whole and allows the storage of a large number
of objects.
A directory service is both an administrative tool and an end-user tool. The larger a network becomes,
the more resources there are to manage. As the number of resource objects in a network grows, the
more necessary the directory service becomes.
Workgroups and Domains
Workgroups:
A workgroup is a logical grouping of networked computers that share resources such as files and
printers. A workgroup is sometimes referred to as a peer-to-peer network because all computers
in the workgroup can share resources as equals, without a dedicated server. Each Windows 2000
Server computer and Windows 2000 Professional computer in the workgroup maintains a local
security database, which contains a list of user accounts and resource security information for that
computer.
Because each computer in the workgroup maintains a local security database, the administration of
user accounts and resource security is decentralized. A user must have a user account on each
computer that the user needs to access. Any changes to user accounts, such as changing a password
or adding a new account, must be made on each computer.
Windows 2000 workgroups provide the following advantages:
centralized security information. A workgroup is simple to design and implement;
it does not require the extensive planning and administration that a domain requires.
A workgroup is convenient for a limited number of computers in close proximity, although a
workgroup becomes impractical in environments with more than 10 computers.
require central administration.
NOTE: In a workgroup, a computer running Windows 2000 Server is called a stand-alone server.
Domains
A domain is a logical grouping of network computers that share a central directory database that
contains user accounts and security information for the domain.
A directory database contains user accounts and security information for the domain. In Windows
2000, the directory database is known as the directory and is the database portion of Active
Directory services, which is the Windows 2000 directory service.
The domain controller holds the directory, therefore centralizing administration and managing security.
NOTE: There are no BDCs or PDCs. In Windows 2000 domains, there is only one type of
domain controller: all domain controllers are peers.
Windows 2000 domains provide the following advantages:
A domain provides centralized administration because all user information is stored centrally.
A domain provides a single logon process for users to gain access to network resources, such as
file, print, and application resources for which they have permission. A user can log on to one
computer and access resources on another computer in the network as long as that user has
appropriate permissions to the resource.
A domain provides scalability so that you can create very large networks.
Windows 2000 Active Directory Services
Active Directory services is the directory service included in Windows 2000. AD provides a
single point of network management, allowing you to add, remove, and relocate users and
resources easily.
The resources stored in the directory, such as user data, printers, servers, databases, groups,
computers, and security policies, are known as objects.
Active Directory Features
Active directory services organizes resources hierarchically in domains. A domain is a logical
grouping of servers and other network resources under a single domain name. The domain is
the basic unit of replication and security in a Windows 2000 network.
A domain controller is a Windows 2000 Server computer that stores a complete replica of the
domain directory. To simplify administration, all domain controllers in Active Directory services
are peers, so you can make changes to any domain controller and the updates are replicated to
all other domain controllers in the domain.
Scalability
In Active Directory services, the directory stores information by using partitions, which are logical
dividers that organize the directory into sections and permit storage of a large number of objects.
Therefore, the directory can expand as an organization grows, allowing you to scale from a small
installation with a few hundred objects to a large installation with millions of objects.
Open Standard Support
Active Directory services uses the Domain Name System (DNS) for its name system and can
exchange information with any application or directory that uses Lightweight Directory Access
Protocol (LDAP).
The Domain Name System (DNS)
Because Active Directory services uses DNS as its domain naming and location services,
Windows 2000 domain names are also DNS names. Windows 2000 Server uses dynamic
DNS, which enables client computers with dynamically assigned addresses to register directly
with the DNS server and update the DNS table dynamically. DNS can eliminate the need for
WINS.
NOTE: For Active Directory services and associated client software to function correctly,
you must have installed and configured the DNS service.
Lightweight Directory Access Protocol (LDAP)
LDAP is an Internet standard (RFC 1777) for accessing directory services. It was developed
as a simpler alternative to the X.500 Directory Access Protocol (DAP). X.500 is a set of
standards defining a distributed directory service, developed by the International Standards
Organization (ISO).
Support for Standard Name Formats
=======================================================================
Format                      Description
=======================================================================
RFC 822                     RFC 822 names are in the form username@domainname.
LDAP URLs and X.500         LDAP names use X.500's attributed naming. An LDAP URL
                            specifies the server holding Active Directory services
                            and the attributed name of the object. For example:
                            LDAP://servername.myco.com/CN=jimsmith,OU=sys,
                            OU=product,OU=division,O=myco,C=US
Universal Naming            Active Directory services supports the UNC used in
Convention (UNC)            Windows 2000-based networks to refer to shared
                            volumes, printers, and files, for example:
                            \\servername.myco.com\sl\budget.xls
=======================================================================
The Active Directory Structure
Windows 2000 Active Directory services provides a method for designing a directory structure
tailored to the needs of your organization. Therefore, you should examine your organization’s
business structure and operations before installing Active Directory services.
Active Directory separates the network into two structures: logical and physical.
Logical Structure:
Grouping resources logically enables you to find a resource by its name rather than its physical
location.
Objects:
An object is a distinct, named set of attributes that represents a network resource. Object attributes
are characteristics of an object in the directory. An attribute for a user may be the user's first or
last name, department, or e-mail address.
In Active Directory services, you can organize objects in classes, which are logical groupings of
objects. For example, a class of objects might be users, groups, computers, domains or
organizational units.
NOTE: Container objects are objects that can contain other objects. For example, a domain is
a container object.
Organizational Units:
An organizational unit (OU) is a container object that you use to organize objects within a domain
into logical administrative groups. An OU can contain objects such as user accounts, groups,
computers, printers, applications, file shares, and other OUs.
Domains:
The core unit of the logical structure in Active Directory services is the domain. A domain is a
security boundary. Access to domain objects is controlled by Access Control Lists (ACLs).
NOTE: A domain is called a partition of Active Directory services. All domains within a forest
make up Active Directory services.
A typical domain will have the following types of computers:
and maintains a copy of the directory.
not configured as a domain controller. A member server does not store directory
information and cannot authenticate users. Member servers provide shared resources
such as shared folders or printers.
Client computers running Windows 2000 Professional. Client computers run a user's
desktop environment and allow the user to gain access to resources in the domain.
Trees:
A tree is a hierarchical arrangement of one or more Windows 2000 domains that allows global
resource sharing. A tree can consist of a single Windows 2000 domain. A tree is a contiguous
namespace.
directory that contains the user account information for the users in that domain.
which makes the information of each domain globally accessible.
object types you can store in an Active Directory deployment. All domains within
a single tree share a common global catalog.
In Active Directory services, a tree is defined by:
· A hierarchy of domains
· A contiguous namespace
· Kerberos transitive trust relationships between the domains
· A common schema
· A global catalog capable of listing any object in the tree.
Forests:
A forest is a grouping of one or more trees. Forests allow organizations to group divisions that
do not use the same naming scheme, operate independently, yet need to communicate with the
entire organization.
The trees in the forest share the same schema and rules on how objects work together. All
domains in a forest have the same global catalog and configuration container.
A forest is defined by:
· One or more sets of trees
· Disjointed namespaces between these trees
· Kerberos transitive trust relationships between the trees
· A common schema
· A global catalog capable of listing any object in the forest
The objects of the domain trees that make up a forest are available to all users in the forest.
Trust Relationships:
The domains in a tree are joined together transparently through two-way Kerberos transitive trust
relationships. A Kerberos transitive trust simply means that if Domain A trusts Domain B, and
Domain B trusts Domain C, then Domain A trusts Domain C. Therefore, a domain joining a
tree immediately has trust relationships established with every domain in the tree.
A trust relationship is a link between at least two domains in which the trusting domain honors
the logon authentication of the trusted domain.
Transitive Trust Relationships:
You can implement a one-way trust for accounts if a two-way trust is not appropriate.
Windows 2000 Trust Relationships:
When a domain is joined to a Windows 2000 domain tree, a trust relationship is automatically
established between the new domain and the root or parent domain of the tree.
NOTE: You can define explicit one-way trust relationships as necessary through the domain
properties in the Site Manager snap-in.
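The transitive-trust rule described above, worked through as an added example (this code is not part of the original course material): a constructed trust table for hypothetical domains a, b, and c, joined by two-way Kerberos transitive trusts, plus an explicit one-way, non-transitive trust to an outside domain named partner. trusts() answers whether one domain honors another domain's logon authentication, either directly or through a chain in which every hop is transitive.

```python
from collections import deque

# Constructed trust table (hypothetical domain names). Each entry is
# (trusting domain, trusted domain, two-way?, transitive?).
TRUSTS = [
    ("a", "b", True, True),          # tree parent/child: two-way Kerberos transitive
    ("b", "c", True, True),          # tree parent/child: two-way Kerberos transitive
    ("a", "partner", False, False),  # explicit one-way trust: non-transitive
]


def directed_edges(trust_table):
    """Expand the table into (trusting, trusted, transitive) edges.

    A two-way trust is recorded as two one-way edges.
    """
    edges = []
    for trusting, trusted, two_way, transitive in trust_table:
        edges.append((trusting, trusted, transitive))
        if two_way:
            edges.append((trusted, trusting, transitive))
    return edges


def trusts(trusting, trusted, trust_table=TRUSTS):
    """True if `trusting` honors logon authentication from `trusted`.

    A direct trust always counts. A multi-hop chain counts only when every
    hop is transitive, because a non-transitive trust never extends beyond
    the two domains that hold it.
    """
    edges = directed_edges(trust_table)
    if any(src == trusting and dst == trusted for src, dst, _ in edges):
        return True
    # Adjacency restricted to transitive hops.
    adjacency = {}
    for src, dst, transitive in edges:
        if transitive:
            adjacency.setdefault(src, set()).add(dst)
    # Breadth-first walk from the trusting domain.
    seen, queue = {trusting}, deque([trusting])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt == trusted:
                return True
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def trusted_by(domain, trust_table=TRUSTS):
    """All domains whose logon authentication `domain` honors, sorted by name."""
    names = {name for entry in trust_table for name in entry[:2]}
    return sorted(n for n in names if n != domain and trusts(domain, n, trust_table))
```

Walking the chain c -> b -> a -> partner shows why the explicit trust stays bounded: c and a trust each other through the tree, but partner is reachable from a only over a non-transitive hop, so c does not trust partner.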
Physical Structure:
The physical structure of Active Directory services affects the efficiency of replication among
the domain controllers.
Domain Controllers:
A domain controller is a Windows 2000 Server computer that stores a replica of the
directory partition (local domain database). When there is a change in the Directory,
Windows 2000 automatically replicates the changes to all domain controllers.
Only computers running Windows 2000 Server, Advanced Server, or Datacenter Server
can be designated as domain controllers.
Sites
The concept of a site has become familiar in the implementation of the Microsoft BackOffice
family of products. Active Directory sites are defined as a range of IP subnets. In BackOffice
products such as Microsoft Exchange Server, a site is a logical grouping of servers that can be
specified without regard to the physical location of the servers themselves.
In Windows 2000 Active Directory services, the site concept uses existing Internet Protocol
(IP) subnets to determine site boundaries for replication traffic considerations.
Basically, an Active Directory site is a collection of IP subnet ranges. For example, a site can
be defined as the subnet ranges 192.168.10.0/24 to 192.168.20.0/24. Another site on the
other side of a WAN link can be 172.20.10.0/24 to 172.20.20.0/24. However, both sites can
be part of the same Windows 2000 domain.
NOTE: The /24 nomenclature used in the previous example represents 24 bits enabled from
left to right, or 255.255.255.0. A /22 nomenclature would represent 255.255.252.0 or 22
bits enabled from left to right.
One of the benefits of Active Directory services is that domains can span geography with
different topologies connected by WAN links and still remain transparent to the user.
Comparing the site of the user and the site of the workstation (i.e., comparing the subnets)
will help locate an appropriate domain controller.
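An added example (not part of the original course material) of the site logic above: it expands the /N notation from the NOTE into a dotted-decimal mask, maps a client address to the site whose subnet contains it, flags subnets that overlap between two sites (an ambiguity an administrator wants to catch), and compares the sites of two addresses as the last paragraph suggests. The site names and the subnet table are constructed from the page's example ranges.

```python
import ipaddress

# Constructed site table: each site is a collection of IP subnet ranges.
# Site names are hypothetical; the ranges are the ones used on the page.
SITES = {
    "HeadOffice": ["192.168.10.0/24", "192.168.20.0/24"],
    "BranchOverWAN": ["172.20.10.0/24", "172.20.20.0/24"],
}


def prefix_to_mask(prefix_len):
    """Expand /N notation into a dotted-decimal mask: N bits set from the left."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def site_for_address(ip, sites=SITES):
    """Return the site whose subnet contains ip (longest prefix wins), or None."""
    addr = ipaddress.IPv4Address(ip)
    best_name, best_len = None, -1
    for name, subnets in sites.items():
        for cidr in subnets:
            net = ipaddress.IPv4Network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def overlapping_subnets(sites=SITES):
    """Pairs of subnets assigned to different sites that overlap.

    A client in the overlap would match two sites, so a clean site design
    returns an empty list here.
    """
    entries = [(name, ipaddress.IPv4Network(cidr))
               for name, subnets in sites.items() for cidr in subnets]
    found = []
    for i, (name_a, net_a) in enumerate(entries):
        for name_b, net_b in entries[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                found.append((str(net_a), str(net_b)))
    return found


def same_site(ip_a, ip_b, sites=SITES):
    """Compare the sites of two addresses, as done when locating a nearby domain controller."""
    site_a, site_b = site_for_address(ip_a, sites), site_for_address(ip_b, sites)
    return site_a is not None and site_a == site_b
```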
Lesson Summary:
of a networked computer system.
single point of network management.
relationship is automatically established between the new domain and the root or parent
domain of the tree. The physical structure of the domain hierarchy is made up of domain
controllers and sites.