The Best Damn Windows Server 2003 Book Period- P102 pptx

986 Index
copying, 177
pools, 167–168
media access control (MAC), 237, 300
Media Services, improvement in
Windows Server 2003, 10–11
memory
leaks, 244
minimum system requirements for
operating systems (table), 67–68
and performance bottlenecks, 244–245
required configuration, 16
requirements per site, 532
virtual, and system performance, 245
messages
DHCP warning, 240
error. See error messages
IGMP warning, 236
Microsoft Cluster Service (MSCS), 6–7
Microsoft Exchange and e-mail
distribution groups, 404
Microsoft Knowledgebase, 106
Microsoft Licensing Program Reseller
Web page, 14
Microsoft Metadirectory Services, 13
Microsoft Passport authentication, 442
Microsoft Point-to-Point Encryption
(MPPE), 858
Microsoft Resource Centre, 14
Microsoft SQL Server, 78
Microsoft Systems Management Server
(SMS), 19, 292
migration of Windows 2000 to
Windows Server 2003, 3
MIME (Multipurpose Internet Mail
Extension) and IIS, 923
mirrored volumes
creating, 144–146
described, 111
troubleshooting, 187–188
MMC (Microsoft Management Console)
Active Directory administration, 347
adding snap-ins, 89–91
Computer Management, 35–36
console modes (table), 29
custom snap-ins described, 29
disk management, using, 115–116
installing media services from, 10
Remote Storage, 174
System Monitor. See System Monitor
models
AGDLP, 445–446
AGGUDLP, 446–447
cluster, 192–193
extensive defense, 432
OSI reference (table), 884
remote access by user, by policy, 853
modes
and functional levels (Active
Directory), 370
MMC console (table), 29
Terminal Services Administration, 34
modifications, software packages, 606
modifying
See also changing
data in AD database, 629
existing listener connections, 957–965
objects in Active Directory, 359
password policies, 435–436
monitoring
AD database, 636–640
client Internet connections, 309–310
disk quotas, 159–160
DNS servers, 705–710
IPSec, 813–814
IPSec connections, 318–320
NAT activity, 308
Network Load Balancing (NLB),
233–234
network traffic and devices, 756
performance counters, 251
replication, 525–526
servers with Event Viewer, 260–267
servers with System Monitor, 247–257
and troubleshooting Internet
connectivity, 304–318
mounted drives, 208, 645
mountvol command, 178
MOVETREE command, moving
objects in forests, domains,
359–360, 427–429
moving
AD database, 633–635
log files, 633–635
objects in domains, 359–360, 427–429
MPIO (multipathing input/output), 9
MPPE (Microsoft Point-to-Point
Encryption), 858
mrinfo command, 791
.msc files, 29
.msi files, 602, 606
MSI install package, 101
MsiInstaller messages, 623
.msp files, 607
.mst files, 606
multi-masters, 55
Multi-Win component, Terminal
Services, 932
multicast
communications, 743
IP addresses, 760
multihomed computer route
descriptions (table), 744–745
multilink connections, 853
multimaster replication, 345
multipathing input/output (MPIO), 9
multiprocessing described, 245
Multipurpose Internet Mail Extension
(MIME) and IIS 6.0, 923
multithreading described, 245
mutual authentication, 439
My Documents folder, redirecting, 589
N
N-node failover pairs, server cluster
deployment option, 196–197
name collisions, 490
name resolution
host. See host name resolution
troubleshooting, 310–314, 732–739
names
logon. See logon names
NetBIOS, 710
namespaces
Active Directory, 381
discontinuous, 456
disjointed, 669
DNS. See DNS namespace
guidelines for internal domain, 672
multiple, support for, 668
NetBIOS, 710–711
naming
Active Directory scheme, 328–329
conventions, security principals and
SIDs, 381–384
distinguished names, 62
GPOs (Group Policy Objects), 578
host conventions, 666
logon names, 382
renaming. See renaming
schema objects, 555
schemes, and Active Directory,
330–331
NAT (Network Address Translation)
components of, 761
and Internet connectivity, 292
and IPSec, 796, 800–801
services described, 873–877
troubleshooting, 304–310
NAT traversal (NAT-T), 8
NBMA (non-broadcast multiple access)
network type, 769
nbtstat command, 737
NBTStat, 312
nesting security groups, 455
.NET Framework, support for, 6
.NET passport authentication, 922
Net share command, 471
301_BD_W2k3_Ind.qxd 5/14/04 12:09 PM Page 986
NetBIOS
disabling encapsulation, 757
name resolution, troubleshooting, 311,
710–713, 736–737
renaming, 3
and WINS service security, 730–731
NetBIOS over TCP/IP (NetBT), 77
netdiag.exe, 320, 814
netdom query fsmo command, 429
Netdom.exe, 486
NETMON.exe, protocol analyzer
described, 790
netsh command utility
administering routing servers, 770–772
controlling IPSec, 805
described, 319–320, 752
monitoring IPSec, 813
troubleshooting remote connections,
886
netstat utility, 309–310
Network Access Quarantine Control
(NAQC), 316–318, 867
network address translation. See NAT
network authentication, 438
network components and system
performance, 246–247
network interface cards. See NICs
network interface controllers and server
clustering, 206
Network Load Balancing (NLB)
best practices, 234–242
creating NLB clusters, 236–242
described, 6–7, 224
error detection, handling, 232–233
introduction, 113–114
managing clusters, 228–233
relationship to clustering, 227–228
terminology, concepts, 225–227
Network Monitor
Capture Window, 296–297
configuring, 298–304
determining IPSec protocol in use,
798
installing, 292–298
monitoring network traffic, 319–320
troubleshooting IPSec, 819
Network News Transfer Protocol. See
NNTP
network protocols, Windows Server
2003, 742
network security settings, 84–88
network topology
and network performance, 247
planning, 755–756
network traces, interpreting, 301–304
network traffic, monitoring, 756
networking, wireless. See wireless
networking
networks
bridges, 773–774
determining bandwidth requirements,
757
directory services, 322
gateways, 764
hubs, 772–773
lease time, determining, 318
minimizing attack points, 784–785
monitoring generally, 291–292
perimeter, 782
planning infrastructure, 17–21
subnets and, 508
updates. See software updates
using convergence, 766–767
New Delegation Wizard, 665
New Partition Wizard, 121
New RADIUS Client Wizard, 871
New Server Cluster Wizard, 218
New SMTP Virtual Server Wizard,
912–913
New Trust Wizard, 486, 496
New Volume Wizard, 136–139, 142, 146
next-hop IP address, 762
NICs (network interface cards)
IPSec and system performance, 247
and listener connections, 956
NLB support, 7
redundancy in, 288
NLB. See Network Load Balancing
(NLB)
NLB Manager
described, using, 7, 228–229
enabling logging, 233–234
logging entries, 241
NLB (Network Load Balancing), 6–7
NLB query, display commands, 234
NLB.exe, 229–232
NNTP (Network News Transfer
Protocol)
and IIS 6.0, 913
protocol described, 59
NNTP servers, setting up, 913–914
No Terminal Server user SID security
template, 83–84
nodes
multiple interconnections, 211
NetBIOS (table), 311–312
recovering from failed cluster, 205
in server clusters, 190
non-broadcast multiple access (NBMA)
network type, 769
nonrecursive servers, 677
Notssid.inf, 83
Novell, NDS structure, leaf objects, 341
NSLookup tool
described, 662
troubleshooting remote connections,
887
using to monitor DNS servers, 709
NT LAN Manager
network authentication option,
441–442
version 2 (NTLMv2), 84
Ntbackup, 641
NTBackup.exe, 275
NTDS performance object counters,
monitoring Active Directory, 638
NTDS.dit, 55, 326
ntds.dit, 628
NTDSUTIL tool
command options, 649–658
described, 362, 632–635, 647–648
managing SIDs with, 380–381
transferring FSMO roles, 476
NTFS file system
and clustered disks, 208
converting partitions to, 74
and data restoration, 645
formatting basic volume with,
130–131
managing, 119–120
NTFS permissions in server clusters, 216
NTLMv2 (NT LAN Manager version
2), 84
O
Oakley key-determination protocol, 801
object classes in Active Directory,
551–552
object counters, using to monitor Active
Directory, 637–639
Object Identifier (OID) and naming
schema objects, 555
object inheritance, 364–365
objects
in Active Directory, 326
adding to Active Directory, 358
attributes and properties, 344
expiration of, 630
identifiers, and SIDs, 376
locating by distinguished names,
383–384
modifying in Active Directory, 359
moving in Active Directory, 425–428
setting permissions on Active
Directory, 366–367
site-link, 346, 515
user, creating in Active Directory,
389–390
Office XP and Terminal Services, 66
offline defragmentation, 631–633
Open Shortest Path First (OSPF), 759,
768–770
operating systems
choosing, 66–67
running multiple, 22
operations masters, 55–57, 539
organizational units (OUs)
adding to Active Directory, 358
creating and managing, 500–503
delegating control of, 503
described, 327, 340, 495
and distinguished names, 330
planning structure and strategy,
503–505
organizations, administrative structure
and physical network structure,
510–511
OSI reference model (table), 884
OSPF (Open Shortest Path First), 759,
768–770
out-of-band DoS attacks, 701
out-of-band operations, 37
P
packet event logging, troubleshooting
IPSec, 817
packet filtering
configuring RRAS, 855–858
controlling IP filters, 883
and firewalls, 788–789
IPSec, 821
packet sniffers, 819
paging and system performance, 245
PAP (Password Authentication Protocol),
865
partitioning physical sites and logical
domains, 511
partitions
application, 452, 491–494
application directory, using, 483
defragmenting, 149–155
directory. See directory partitions
disk and directory, 325
types and logical drives, 110–111
Passport authentication, 442, 922
Passport Integration described, 9
Password Authentication Protocol (PAP),
865
password policies
components of, 431
creating for domain users, 431–437
defining, 433–437
passwords
See also permissions
changing Directory Services Restore
Mode, 657–658
creating, editing, 356
and logons, 389–390
policies. See password policies
and remote connections, 865
setting LM values, 85
strong, 74, 230, 433
patches, security, 95, 605, 607
path rules (Group Policy), 592
pathping command, 314–316, 790, 889
PDC Emulator, 56, 343, 475
PDC Masters, locating, transferring, and
seizing role, 479–481
PEAP (Protected EAP), 867–868
performance
administration tool. See System
Monitor
bottlenecks, 244–247
DC functions affecting (table),
531–532
DNS servers, issues, 674
establishing baseline, 251
and fault tolerance, 631
mirrored volumes and, 113
monitoring with System Monitor,
637–638
optimizing disk, 149–155
optimizing network, 757
WINS servers, 726–730
Performance Console
monitoring DNS servers, 708
using to monitor Active Directory,
637–638
performance counters
analyzing, 256
commonly referenced (table), 249–251
Performance Logs and Alerts function,
251–252
permissions
See also passwords
access control in Active Directory,
364–368
access for Web sites, 909
Active Directory, when adding
packages (table), 621
configuring group, 414–415
and FAT16, FAT32, 327
granting to non-administrators, 583
inheritance, allowing, 402
NTFS, 216
printer, setting, 76–77
for security groups, 404
setting for access to objects, 401–403
setting on listener connections,
964–965
setting on objects, 365–367
setting printer, 40
SIDs. See SIDs
standard, for listener connections
(table), 965
viewing, modifying, 355–356
personal information tabs, user accounts,
393–395
physical vs. logical disks, 108
PIN numbers and Kerberos
authentication, 439–440
ping command, 747, 753, 754
capturing ICMP, 303–304
enabling in IIS 6.0, 920
pathping, 790
troubleshooting IP addressing,
314–318
troubleshooting remote connections,
887
PKI (Public Key Infrastructure)
Active Directory, protocol use,
368–369
auto-enrollment, 841
certificate revocation, 837
described, 825
function of, components, 826–827
lost keys, solution, 835–836
to support L2TP over IPSec for
VPNs, 859
planning
backup and recovery strategy, 268–283
baseline security, 70
CA hierarchy, 835
certificates enrollment and
distribution, 838–843
and deploying domain controllers,
529–538
DNS forwarding, 683–685
DNS server deployment, 672–678
for fault tolerance, 287–290
Group Policy strategy, 568–575
group strategies for forests, 443–447
for host name resolution, 660–665
IP addressing strategy, 746
NetBIOS name resolution, 710–713
network infrastructure, 17–21
network topology, 755–756
OU structure and strategy, 503–505
remote access security, 864–867
replication topology, 520
routing strategy, 759–760
running RSoP query, 573
security group strategies, 443–447
security in depth, 432
server roles, security, 51
server security strategy, 66–69
sites and site links, 511–518
system recovery with ASR, 283–287
Windows Server 2003 certificate-
based PKI, 825–830
Windows Server 2003 test network,
22–24
WINS server deployment, 713
zone replication, 678–683
point-to-point network type, 769
Point-to-Point Protocol over Ethernet
(PPPoE), 8
Point-to-Point Protocol (PPP), Multilink
and BAP, 860–862
Point-to-Point Tunneling Protocol
(PPTP), 785, 798, 858
policies
configuring IPSec, 803
DNS Security levels, 702–704
Group. See Group Policy
IPSec, configuring, 805–808
network security configurations,
84–88
password. See password policies
remote access, administrative model,
854
remote access, creating, 878–884
remote access wireless, 863
security. See security
in security templates, 82
software restriction, 591–594
policy-based administration, 327
pooling print jobs, 41
POP3 (Post Office Protocol)
on mail servers, 60
and SPA, 79
port rules
adding, editing, 237
and NLB, 226
port switching, 775–776
ports and hubs, 772
POSIX-compliant applications, 403, 422
Post Office Protocol. See POP3
posts, limiting, 926
power-saving features of Windows
Server 2003, 209
power supply
redundant, 290
secure, 71
PPP (Point-to-Point Protocol)
dial-in, 884
Multilink and BAP, 860–862
PPPoE (Point-to-Point Protocol over
Ethernet), Windows Server 2003
support for, 8
PPTP (Point-to-Point Tunneling
Protocol), 785, 798, 858
pre-shared keys and IPSec, 821–822
primary domain controller (PDC)
emulator
DC role, 343
and server roles, 56
primary master DNS server, 675
primary restore method, 648
print servers
described, using, 57
securing, 76–77
printers, creating, 39, 40
printing
enhancement in Windows Server
2003, 4–6
managing, 38–46
priority of program threads, 246
private networks in server clusters,
214–215
processes, terminating, 48–49
processor affinity, 246
processor object counters, monitoring
Active Directory, 638
processors
minimum system requirements for
operating systems (table), 67–68
requirements per site, 532
and system performance, 245–246
profiles
remote access, 878
server roles, 52
setting for user accounts, 396–397
Terminal Services, 400
programs, scheduling, 47
properties
accessing user object, 393
and object attributes, 344
viewing Active Directory object,
358–359
Protected EAP (PEAP), 867–868
protocols
See also specific protocol
authentication, 368–369
IEEE 802.1X, 9
Internet printing, 46
Network Load Balancing (NLB),
234–235
routing, 764–770, 793
Web server, 58–59
Windows Server 2003 network, 742
wireless security, 867–873
proxy servers, 289
Public Key Infrastructure. See PKI
publishing
applications (Group Policy), 602–603
applications using .zap setup files,
610–611
services in Active Directory, 509
pull model, software deployment, 605,
718–719, 739
pull replication, 521
push model, software deployment, 605,
716–718, 739
Q
queries
Global Catalog, example, 543
and nonauthoritative responses, 674
RSoP, 573, 599–600
Quota administration, 452
quotas, disk. See disk quotas
R
RADIUS (Remote Authentication Dial-
In User Service)
authentication described, 862
configuring IAS, 891–893
configuring WAPs as clients, 864
IAS vs. Windows authentication,
865–866
improvement in Windows Server
2003, 8
RAID
controllers, 206
solutions, implementing, 164–166
troubleshooting, 187–188
RAID-5 volumes
creating, using, 146–149
described, 114–115
RAM (random access memory)
and performance bottlenecks, 244–245
required for installation, 16
RDP-Tcp connections, configuring, 956
RD (Remote Desktop) for
Administration, 34
RDC utility. See Remote Desktop
Connection
RDN (Relative Distinguished Name),
383
RDP (Remote Desktop Protocol), 10,
931–932
realm trusts, 353, 497
recovering
from cluster node failure, 205
transactions, 651–653
Recovery Console described, using, 75
redirection attacks, 700, 730
redundancy and fault tolerance, 287
regedit.exe, 105
Registration Agent (RA), 835–836
registry
category in security templates, 82
configuring for SUS clients, 103–104
and system state backup, 273
regulatory considerations, network
design, 19
relative distinguished names (RDNs),
330–331, 383
relative ID master (RID), 56
Relative ID Masters. See RID Masters
relnotes.htm, 16
remote access
configuring dial-in accounts, 401
configuring policies for wireless
connections, 863–864
creating policies, 878–884
restriction methods, 880–882
troubleshooting client connections,
884–887
troubleshooting server connections,
888–890
types and strategies for, 850–852
using smart cards for VPNs, 847
Remote Access Quarantine Agent
service, 881
remote administration
of cluster nodes, 215
deciding which tool to use, 37
managing remote computers with
Computer Management, 35–36
NLB, 229, 236
shutting down, restarting computers,
48
using Terminal Services components
for, 933–938
using Web interface for, 33–34
Remote Assistance (RA), 32–33, 387,
931, 934–938
Remote Authentication Dial-In User
Service. See RADIUS
Remote Control tab, user accounts, 399
Remote Desktop Connection (RDC)
utility, 940–942
Remote Desktop Protocol (RDP), 10,
931–932
Remote Desktop (RD) for
Administration, 34, 930–931, 934
Remote Desktops (RD) MMC snap-in
(Terminal Services), 946–949
Remote Desktop Web Connection
utility, 949–953
Remote Installation Services (RIS)
managed computers, 418
Remote Storage
best practices, 177–178
described, 166, 316–317
managing remotely, 120
troubleshooting, 186–187
using, 174–177
Remote Storage Setup Wizard, 171
Removable Storage, using, 167
Remove Administrative mode, 10
removing
managed applications, 618–621
users from groups, 403
renaming
DC renaming tool, 372
domains, 372–373
domains in forests, 486–489
NetBIOS, DNS names, 3
objects within domains, 359–360
sites, 513
replicating
AD information to other domain
controllers, 75
directory data, 373
replication
Active Directory improvements, 373
bandwidth and network traffic
considerations, 548
configuring between sites, 522–524
described, 508
and directory partitions, 324
Global Catalog, 546
inter-site, 520, 680
linked value, 452
managing with Active Directory Sites
and Services console, 354
managing with multiple domains, 337
models of, 719–722
multi-masters, 55
planning for zone, 678–683
site. See site replication
topology, and Active Directory,
345–346
troubleshooting failure, 524–525
WINS partnership configuration,
715–719
WINS, troubleshooting, 738
Replication Monitor, using, 525–526
Replmon.exe, 528
report view, System Monitor, 248–249
reporting
defragmentation, 151–153
with GPMC, 4
reports, RSoP, 575, 596
Res1.log, Res2.log, 628
resources
licensing issues, 14–15
NAT (Network Address Translation)
information, 304
and server clustering, 191
TechNet site, 106
WMI (Windows Management
Instrumentation), 35
restarting computers remotely, 48
restoration options, backup utility,
276–277
Restore Wizard, 473
restores, performing ASR, 286–287
restoring
Active Directory, 640–649
default domain policies, 358
Directory Services Restore Mode, 632
domain controllers (DCs), 538–539
IPSec policies, 812
restrictions
remote access, 880–882
software policies (Group Policy),
592–594
restructuring forests, and renaming trusts,
486–489
Resultant Set of Policy (RSoP)
Group Policy tool, 19
and IPSec security, 822–823
logging and planning mode, 582
planning and troubleshooting policies,
595–597
tool, using to evaluate group policy
design, 568
Resultant Set of Policy Wizard, 568
reverse lookup zones
configuring, 663–665
described, 662
updating, 686
and WINS reverse lookup records, 697
RID Masters
DC role, 343
described, 475
locating, transferring, and seizing role,
479–481
relative identifier generation, 376
troubleshooting, 429
ring topology, replication and, 519, 719
RIP (Routing Information Protocol)
configuring Version 2, 780–781
protocol described, 759, 765–768
RIS (Remote Installation Services) and
managed computers, 418
risk assessment, 69
rogue servers, 77, 895
role-based access control, 367
role-based administration, PKI (Public
Key Infrastructure), 843
roles, server
See also server roles
assigning (IIS), 897–899
Terminal Server, 930–931, 938–940
root authorities (root CAs), 61, 829
root domains in forests, 450
root hints file, 661
root zones on DNS servers, 670–671
Rootsec.inf, 83
route command, 890
router-to-router VPNs, 785–788
routers
analyzing components, 783–784
bridge, 773
ICMP discovery, 877–878
RIP, 765–766
Windows Server 2003 as, 777–781
routes, tracing, 889
routing
See also IP routing
adjacencies, 768
administering with netsh commands,
770–772
common problems, 792
demand dial, 304
described, 762–763
evaluating options, 772–777
IP, basics of, 760–764
logging level, 789–790
packet filtering and firewalls, 788–789
planning strategy for implementing
and maintaining, 759–760
security considerations, 782–790
segment, and port switching, 775–776
static vs. dynamic, 763–764
Routing and Remote Access console,
using for troubleshooting, 790
Routing and Remote Access Services.
See RRAS
Routing and Remote Access utility,
viewing routing tables with,
762–763
Routing Information Protocol. See RIP
routing protocols
See also specific protocol
ICMP (Internet Control Message
Protocol), 761
NAT (Network Address Translation),
761
routing tables
configuration problems, 794
ICMP and, 761
RQC.exe, RQS.exe, 316–317
RQS.EXE, RQC.EXE, 881
RRAS (Routing and Remote Access
Service)
configuration, and routing problems,
792
configuring packet filtering, 855–858
described, 304
and dial-in access, 852–854
NAT services, 873–877
packet filtering and firewalls, 788–789
protocol described, 759
when to use, 772
RRAS servers
configuring dial-up, 855–858
configuring as routers, 792
rss.exe, 115
rules
port. See port rules
precedence of policies, 593
for Remote Storage file management,
175
Run as command, 32
Runaway call limit, Remote Storage,
176
S
SACLs (security access control lists), 364
Safe Mode startup, 284
SAM database and Active Directory
authentication, 368
SAs (security associations) and IPSec,
797
saving log files, 266
sc.exe program described, 47
scheduling
backups, 277
file-copy for Remote Storage, 176
printers, 42–43
programs, tasks, 47
Windows Update, 98–101
Schema Masters
DC role, 343
described, 344, 475
Schema MMC snap-in, 545, 556
Schema Operations Masters, locating
and transferring, 476–477
schema partitions, 325–326
schemas
and Active Directory, 344
defunct and reused, 450
modifying, extending, 556–557
object classes and attributes, 550
redefining, 4
troubleshooting, 559
working with Active Directory,
550–559
schtasks.exe program described, 47
scope
described, 405
group, in Active Directory, 405–406
of problems, determining, 429
screened subnets, 783
scripting
command-line, 6
printer, printing management, 43–45
scripts, application assignment, 605, 607
SCSI controllers, 207
searching directory information, 543
secedit.exe, 93–94
Secure Password Authentication (SPA),
79
Secure security template, 83–84
Secure Sockets Layer (SSL)
Active Directory, protocol use,
368–369
encryption process described, 440–441
Secure Sockets Layer/Transport Layer
Security (SSL/TLS), 440–441
securedc.inf, 89
Secure*.inf, 83
securing
application and terminal servers, 80
backups, 268
certificate authorities (CAs), 79–80
database servers, 78
DNS deployment, 494
domain controllers, 75
file and print servers, 76–77
mail servers, 79
servers according to server roles, 71
trusts using SID filtering, 499
Web servers, 78
zone replication, 682
security
analyzing baseline, 88–93
and authentication strategies, 431
callback, 866
DNS issues, levels, 699–705
and DNS namespaces, 666
Group Policy settings for users and
computers, 588–591
IIS 6.0 new features, 900–902
implementing Active Directory,
363–369
improvement in Windows Server
2003, 8–9
IPSec considerations, 803, 820–823
Local Security Policy utility, 269
managing IIS, 920–923
minimum requirements for your
organization, 68–70
network settings, 84–88
and NLB, 235–236
patches, 95
planning baseline, 70
planning CA, 836–837
planning remote access, 864–867
planning server strategy, 66–69
Remote Assistance issues, 937
Remote Desktop (RD) for
Administration, 934
routing considerations, 782–790
and RSoP, 822–823
in server clusters, 214–216
setting user object, 400–403
specific policies for, 69
security access control lists (SACLs), 364
Security Accounts Manager (SAM),
328–329, 384
security associations (SAs) and IPSec,
797
Security Configuration and Analysis,
applying security templates with,
93–95
Security Configuration Manager (SCM),
81
security groups
best practices, 443–447
described, 404
nesting, 455
universal, 446
Security Identifiers. See SIDs
security parameters index (SPI), 797
security principals, naming conventions,
limitations, 381–384
security templates
applying, 93–95
configuration areas, 82
generally, 81
types of, 83–84
segment switching, 775–776
Select Cryptographic Service Provider
(CSP), 901
selective authentication, 454
semantic database analysis, 653–655
server authentication (SSL), 440
server clustering
administration, 201–216
backup and recovery, 274–275
binding order, 213
cluster groups, models, 191–195
cluster network configuration,
209–216
clusters, creating, 216–224
deployment options, 196–201
failover ring option, 199–200
and high-availability planning, 190
introduction, 189–190
Network Load Balancing (NLB). See
Network Load Balancing (NLB)
nodes, heartbeats, 190–191
random deployment option, 200–201
relationship to NLB, 227–228
Server-Gated Cryptography (SGC), 901
server roles
configuring, 53–54
described, 50
described, setting up, 52
planning, 51
securing servers according to, 71
server security, planning, 51
servers
See also specific servers
application, and terminal, 64–66
and client, authentication settings
(table), 85
clustering. See server clustering
configuring, managing with wizards,
50
customizing security for, 70–79
database, 60
DHCP, 57–58, 686–688
DNS, 57–58
file, 57
FTP, setting up, 909–911
hot-swappable components, 289
mail, 60–61
managing remotely, 32–37
monitoring with Event Viewer,
260–267
monitoring with System Monitor,
247–257
NNTP, setting up, 913–914
planning security strategy for, 66–69
print, 57
promoting, 457
rogue, 77
SMTP, setting up, 912–913
SUS, 96
synchronizing Windows Update,
98–101
terminal, configuring, 938–940
WINS, 57–58
Service Level Agreements (SLAs), 20
Service Pack 3 (SP3), 101
Service Pack 4 (SP4), 81
service packs and system updates, 71–72
services, removing unnecessary, 73
session keys and digest authentication,
442
sessions
configuring with Terminal Services,
959–960, 967–968
resetting, 972
Setup security.inf, 83
setx.exe program described, 48
server fault-tolerance solutions, 289–290
SGC (Server-Gated Cryptography), 901
shadow copies, improvement in
Windows Server 2003, 5
sharing printers, 5–6, 39
shortcut trusts, 497
shortest path first (SPF) protocols, 765
shutdown.exe program described, 48
shutting down remote computers, 48
SID filtering for securing trusts, 499
SIDs (Security Identifiers)
described, using, 376–378
managing, 362
resolving to logon names, 160
and RIDs, 343
and security groups, 404
well-known (table), 379–380
Simple Access Protocol (SOAP), 3
Simple Authentication Security Layer
(SASL), 442
Simple Mail Transfer Protocol (SMTP)
protocol described, 59
and site links, 354
simple volumes, 111–112, 136–139
Single Instance Store (SIS), 453
single node server cluster, 193
single quorum device service cluster, 194
single sign-on feature, 508
site link bridges, 511, 523
site-link objects, 346
site links
configuring availability, 522–523
creating and storing, 354
planning, creating, configuring,
511–518
site replication
configuring site link bridges, 523
creating topology, 521
described, types, 518
planning, creating and managing
topology, 520–524
sites
in Active Directory described, 508
configuring replication between,
522–524
creating, 512
creating topology for replication, 507
described, 335
minimum memory, processor
requirements (table), 532
placing DCs within, 537–538
placing GC servers within, 547
relationship with domains, subnets,
510–511
and site links, planning, 511–518
slave servers, 675
sliding window method of transmitting
data, 757
smart cards
authentication, 443, 843–848
using for remote access, 867
SMS (Microsoft Systems Management
Server), 19, 292, 605
SMTP servers, setting up, 912–913
snap-ins
Active Directory Domains and Trusts
console, 351–354
Active Directory Sites and Services
console, 354
Active Directory Users and
Computers tool (ADUC), 385
adding to MMC, 89–91
ADUC (Active Directory Users and
Computers tool), 349–351
Authorization Manager, 368
in Computer Management (table), 36
Disk Management, 35–36
multiple, and MMC interface, 347
SOAP (Simple Access Protocol) support,
3
soft associations, 822
soft lockouts, 436
software
deployment. See Group Policy
software installation
push and pull models of deployment,
605
restriction policies, 591–594
software packages
See also application packages
adding, removing modifications for,
622–623
declared upgrade relationship, 616–617
described, 602
software policies (Group Policy), 563
Software Update Service (SUS)
described, 81
managing software updates with, 95
software updates
Group Policy deployment, 617
managing, 95–106
testing, 106
SPA (Secure Password Authentication),
79
space, disk
enabling disk quotas, 155–163
extending with Remote Storage, 166
‘insufficient disk space’ message, 186
planning for applications, 208
setting desired free, Remote Storage,
175
spanned volumes, 112, 138
special permissions, 365
speed
clock, of processors, 245
performance. See performance
speed-buffering bridges, 774–775
SPF (shortest path first) protocols, 765
SPI (security parameters index), 797
split DNS configurations, 694–695
spooler service, printer management, 45
SSL/TLS protocol described, 440–441
stand-alone CAs, 831
Standard Edition, Windows Server 2003,
12–13
standards
802.11 wireless, 851, 862
authentication, 368–369
starting
Active Directory Users and
Computers tool (ADUC), 388
Backup Utility, 275
MMCs, 347
NLB Manager, 229
Safe Mode startup, 284
static address pools, 852
static packet filters, 304
static vs. dynamic routing, 763
static WINS entries, 722, 737
statistics, capturing network data with
Network Monitor, 296–297
stealth servers, 676
stopping processes remotely, 48–49
Storage Area Networking (SAN) and
clustering technology, 6–7
storage devices and server clustering, 206
strategies
planning and implementing routing,
759–760
planning DNS, 659–660
planning remote access, 850–852
streaming, fast, 11
striped volumes, 112–113, 141–144
strong encryption algorithm (3DES) and
IPSec security, 820
strong passwords, 74, 230, 433
stub zones, 670
subnets
associating with sites, 514
creating, 513–515
creating scheme for IP addressing, 746
described, 335
and networks, 508
relationship with sites, 511
screened, 783
storing information about, 354
subordinate CAs, 61
suffixes, UPNs (user principal names),
382, 424–425
Support Tools for managing sites,
subnets, and networks, 527–528
Support_388945a0 account, 386–388
SUPTOOLS.MSI, 428
switches
described, 775–776
in Ethernet networks, 247
synchronizing
media copies, 177
servers with Microsoft Windows
Update servers, 98–101
SYS command, 283
syskey command, 433
System Compatibility wizard, 16
System Equivalency licenses, 15
system key utility (syskey), 432–433
system media pools, 167–168
System Monitor
comparisons with multiple systems,
256
creating console, 257–260
described, using, 247–257
managing print performance with, 6
monitoring network traffic with,
756–757
monitoring Active Directory with,
639–640
system object counters, monitoring
Active Directory, 639
system performance, 244–247
System root security template, 83–84
system state data
backing up, 538, 631, 641
and new system state backup method,
472–476
Systems Management Server (SMS), 35
T
tape backups, 277
taskkill.exe program described, 48–49
tasks
managing, 48–49
301_BD_W2k3_Ind.qxd 5/14/04 12:09 PM Page 993
994 Index
scheduling, 47
tasklist.exe program described, 48
TCO (Total Cost of Ownership), 20–21
TCP/IP
automatic interface metric
determination, 744
configuration problems, 794
default protocol, 246
infrastructure planning, implementing,
maintaining, 741
interconnect settings, 213
IPv6, 743
troubleshooting IP addressing,
314–318
Windows Server 2003 enhancements,
742–745
TechNet site, 106
technologies, determining costs of, 20–21
Telnet, stopping service, 47
templates
certificate, 838–841
security. See security templates
Terminal Server Client Access License
(TS CAL), 14–15
terminal servers
logging on with smart cards, 848
securing, 80
security template setting, 84
and server roles, 64–66
Terminal Services
command-line tools (table), 971–972
configuration server settings, 965–966
improvement in Windows Server
2003, 9–10
introduction to, 929–930
listener connection, managing,
957–965
Remote Assistance (RA), 931
setting properties, 398–400
and terminal servers, 66
troubleshooting, 972–974
using administrative tools, 953–972
using client tools, 940–953
using Configuration tool, 956
using for remote administration,
933–938
using group policy settings to control users, 970–971
Terminal Services Administration mode,
34
Terminal Services Manager. See TS
Manager
testing
developing Windows Server 2003 test
environment, 21–25
DNS server configuration, 706
software updates, 106
‘this initial program cannot be started’
error message, 973
threads in programs, 245
three-hop rule of intra-site replication,
518–520
ticket-granting service (TGS) and
Kerberos authentication, 440
time-outs, troubleshooting, 926
Time To Live (TTL), dynamic data, 362
TLS (Transport Layer Security), 369
Token Ring networks, 247
tombstone interval and WINS servers,
712
tombstone process, interval, 630
tools
See also specific tool
Active Directory Object Manager, 427
Active Directory Support, 527–528
Backup Utility, 269–275
cluster administrator, 201–202
command-line utilities. See command-
line utilities
defrag.exe, 154
Disk Defragmenter, 149–154
disk management command-line,
117–120
NLB Manager, 228–229
NSLookup diagnostic, 662
NTDSUTIL, 380–381
Resultant Set of Policy (RSoP), 568
software installation diagnostics tool,
625
Terminal Services administrative,
953–972
for viewing, managing security
identifiers, 380–381
topology
Active Directory, 326
convergence, 766
and network availability, 289
and network performance, 247
and physical directory structure, 341
planning network, 755–756
replication, 345–346, 520–524
simplifying network to minimize
attack points, 784–785
Web site, for optimizing replication,
507
Total Cost of Ownership (TCO), 20–21
tracert command, 314–318, 748, 889–890
traces, interpreting network, 301–304
traffic
distributing within NLB cluster,
225–226
management planning, 756
monitoring IPSec, 318–320
transaction logging, 629
transactional database, 628
transactions
recovering, 651–653
and tombstone interval, 630
transforms
applying to software packages, 622
described, 602
and software packages, 605–607
transitive relationships
described, 338, 496
and trusts, 484–486
transitive site links, 523
translating bridges, 774
Transport Layer Security (TLS), 369, 440
trees and forests, 450
troubleshooting
account problems, 429
Active Directory availability, 649–658
Active Directory schema issues, 559
basic disks, 178–181
disk quotas, 184–186
disk space problems, 149
dynamic volumes, 181–183
fragmentation problems, 184
Global Catalog issues, 549–550
Group Policy, 595–600
Group Policy software deployment,
623–625
IIS 6.0, 923–927
installation, 16–17
IP addresses, 314–318
IP routing, 790–794
IPSec, 814–820
and monitoring Internet connectivity,
304–318
name resolution, 310–314, 732–739
NAT (Network Address Translation),
304–310
NetBIOS name resolution, 736–737
performance issues, 251
RAID, 187–188
remote access client and server
connections, 884–890
Remote Storage, 186–187
replication failure, 524–525
software updates, 106
Terminal Services, 972–974
trust relationships
described, 495
and domain trees, 338
establishing, 484–486
types of, 496
trusts
direction and transitivity, 484
forest-level, 3
realm, 353
renaming after forest restructuring,
486–489
securing using SID filtering, 499
shortcut, forest, 352
types of, 486
working with, 496–503
TS Manager, connecting servers,
managing users and processes,
954–956
tunneling, 6to4, 753
U
UCS Transformation Format (UTF) and
IIS 6.0, 904
UDDI (Universal Description,
Discovery, and Integration
Services), 13
underscore character in NetBIOS
names, 667
unicast addresses, 760
Unicode Transformation Format, 667,
904
Uniform Resource Locators. See URLs
uninstalling applications, 618–621
Uninterruptible Power Supplies (UPSs), 71, 290
Universal Description, Discovery, and
Integration Services (UDDI), 13
Universal Group caching, 452, 548–549
Universal Group membership, 345, 544,
546
Universal Groups and group
conversions, 454–456
Universal Naming Convention (UNC)
and Active Directory, 328
universal security groups, 405, 446
Unix and IIS errors, 926–927
‘unreadable’ disk message, 180
updates
automatic, 72–73
deploying with Group Policy, 617
dynamic, and DNS servers, 466
dynamic DNS (DDNS), 667–668
managing software, 95–106
replication and, 324
and software packages, 607
for Windows operating systems, 71–72
updating forward and reverse lookup
zones, 686
upgrades, Windows Server 2003, issues,
16–17
upgrading
applications, 616–617
DCs to Windows Server 2003,
536–537
domain or forest functional level,
23–24
UPN (User Principal Name), 328, 382,
424–425, 798
UPN authentication and Global
Catalog, 542
UPSs (Uninterruptible Power Supplies),
71
URLs (Uniform Resource Locators)
accessing resources via, 329
and Active Directory, 328
user accounts
Account tab, 396–398
Active Directory server objects, 376
built-in domain, 386–388
configuring with Terminal Services,
966
creating in test environment, 23
creating, managing, 385
disabling, 73
lockout policies, creating and applying,
436–437
managing, 393–403
passwords. See passwords
for Remote Assistance, 935
restricting hours of access, 396
troubleshooting, 429
working with, 384–386
user and computer policies (Group
Policy), 563–565
User CALs, 15
user certificates use in PKI system, 828
User Datagram Protocol (UDP), 798
user logons, processing policy settings
(Group Policy), 566
User Principal Name (UPN)
and Active Directory, 328
creating alternative suffixes, 424–425
in forests, 381
user rights, viewed from Local Security
Policy, 269
userenv, 623
usernames, creating and editing, 356
users
accounts. See user accounts
adding to Active Directory, 358
deploying software to (Group Policy),
607–608
displaying information about logged-
on, 362–363
educating about security, 442
managing with TS Manager, 954
remote access, administration of, 854
removing from groups, 403
security settings, 589
single sign-on authentication, 438
software restriction policies, 591–594
Users container, default groups in,
407–408
UTF (UCS Transformation Format) and IIS 6.0, 904
V
VDS (Virtual Disk Service), 9
verbose logging, 624–625
verifying
forest-root, 468–469
Group Policy, 582
viewing
group membership, 411
information about groups, 414
IP policy assignment information,
815–816
IPSec statistics, 814
policy maps, 594
printer queue, 46
RSoP results, 570–571
security identifiers, 380–381
Virtual Directory Creation Wizard, 916
Virtual Disk Service (VDS), 9
virtual LANs (VLANs), 864
virtual memory (VM) and system
performance, 245
virtual private networks. See VPNs
VMware, 22
volume shadow copy (backup), 272, 641
volumes
defragmenting, 149–155
extending basic, 132–133
managed, 166, 174
mirrored, 111, 113–114, 144–146
mounting, 178
RAID-5, 114–115, 146–149
spanned, 112, 138–139
striped, 112–113, 141–144
VPNs (virtual private networks)
design considerations, 858–860
PPP Multilink and BAP, 860–862
router-to-router, 785–788
troubleshooting connections, 884–886
using smart cards for remote, 847–848
vs. other remote access types, 851