WINDOWS 2000 SERVER SYSTEM ADMINISTRATION HANDBOOK

FREE Monthly Technology Updates
One-year Vendor Product Upgrade Protection Plan
FREE Membership to Access.Globalknowledge

Paul Shields, MCSE
Ralph Crump, MCSE, CCNA, Master CNE
Martin Weiss, MCSE, MCP+I, CNA
Technical Edit By: Sean Wallbridge, MCSE, MCSD, MCT, MCDBA, MCP+I

“An insightful and detailed overview of the tools and tasks that the
Windows 2000 administrator faces. Great as an introduction and as a
resource for any IT library.”
—Lloyd Fray, Information Technology Manager, Mutual Risk Management

With over 1,000,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we have come to know many of you personally. By
listening, we've learned what you like and dislike about typical computer
books. The most requested item has been for a web-based service that
keeps you current on the topic of the book and related technologies. In
response, we have created



, a service that
includes the following features:

A one-year warranty against content obsolescence that occurs as
the result of vendor product upgrades. We will provide regular web
updates for affected chapters.

Monthly mailings that respond to customer FAQs and provide
detailed explanations of the most difficult topics, written by content
experts exclusively for

.

Regularly updated links to sites that our editors have determined
offer valuable additional information on key topics.

Access to “Ask the Author”™ customer query forms that allow
readers to post questions to be addressed by our authors and
editors.
Once you've purchased this book, browse to www.syngress.com/solutions.
To register, you will need to have the book handy to verify your purchase.
Thank you for giving us the opportunity to serve you.

74_FM.qx 11/8/99 2:20 PM Page i
Syngress Media, Inc., the author(s), and any person or firm involved in the writing, editing, or production
(collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the
Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold
AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do not allow
the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not
apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through
Skill Enhancement™” is a trademark of Syngress Media, Inc. Brands and product names mentioned in this book
are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Media, Inc.
800 Hingham Street
Rockland, MA 02370
Windows 2000 Server System Administration Handbook

Copyright © 2000 by Syngress Media, Inc. All rights reserved. Printed in the United States of America. Except
as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in
any form or by any means, or stored in a database or retrieval system, without the prior written permission of
the publisher, with the exception that the program listings may be entered, stored, and executed in a computer
system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-09-1
Copy edit by: Adaya Henis
Proofreading by: Adrienne Rebello
Technical edit by: Sean Wallbridge
Page Layout and Art by: Emily Eagar and Vesna Williams
Index by: Bob Saigh
Project Editor: Eva Banaszek
Acknowledgments
We would like to acknowledge the following people for their kindness and
support in making this book possible.
Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin
Murray, Dale Leatherwood, Shelly Everett, and Robert Sanregret of Global
Knowledge, for their generous access to the IT industry’s best courses,
instructors and training facilities.
Ralph Troupe and the team at Rt. 1 Solutions for their invaluable insight
into the challenges of designing, deploying and supporting world-class
enterprise networks.
Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Michael
Ruggiero, Kevin Votel, Brittin Clark, Sarah Schaffer, Luke Kreinberg, Ellen
Lafferty and Sarah MacLachlan of Publishers Group West for sharing their
incredible marketing experience and expertise.
Peter Hoenigsberg, Mary Ging, Caroline Hird, Simon Beale, Julia Oldknow,
Kelly Burrows, Jonathan Bunkell, Catherine Anderson, Peet Kruger, Pia
Rasmussen, Denelise L'Ecluse, Rosanna Ramacciotti, Marek Lewinson,
Marc Appels, Paul Chrystal, Femi Otesanya, and Tracey Alcock of Harcourt
International for making certain that our vision remains worldwide in
scope.
Special thanks to the professionals at Osborne with whom we are proud to
publish the best-selling Global Knowledge Certification Press series.
And finally, to Thomas Edward O’Brien, for waiting.
From Global Knowledge
At Global Knowledge we strive to support the multiplicity of learning styles
required by our students to achieve success as technical professionals. As
the world's largest IT training company, Global Knowledge is uniquely
positioned to offer these books. The expertise gained each year from providing
instructor-led training to hundreds of thousands of students worldwide
has been captured in book form to enhance your learning experience.
We hope that the quality of these books demonstrates our commitment to
your lifelong learning success. Whether you choose to learn through the
written word, computer based training, Web delivery, or instructor-led
training, Global Knowledge is committed to providing you with the very
best in each of these categories. For those of you who know Global
Knowledge, or those of you who have just found us for the first time, our
goal is to be your lifelong competency partner.
Thank you for the opportunity to serve you. We look forward to serving
your needs again in the future.
Warmest regards,
Duncan Anderson
President and Chief Executive Officer, Global Knowledge
Contributors

Sean Wallbridge (MCSE+i, MCSD, MCT, MCDBA, MSS, MCP+i, MCP+sb,
Compaq ASE, Novell CNA and Vinca VCE) is a Senior Consultant/Trainer
for NexGen Technologies based in Hamilton, Bermuda. As a consultant,
Sean provides turnkey networking solutions and takes great pride in creating
satisfied customers. Sean has co-authored seven other books and technical
publications. When not on the beach or in front of a computer, Sean
spends his time with his wife Wendy, Murphy-the-Bassett-Hound, and
their two cats.

Martin Weiss (MCSE, MCP+I, CNA, CIBS, A+, Network+) is a Senior
Information Management Specialist with ACS Government Solutions
Group, a provider of broad-based information technology solutions for
client organizations. Marty lives in New England with his wife Gin and son
Kobe. You can contact Martin via e-mail at

Ralph Crump (MCSE, CCNA, and a CNE 3.x, 4.x, and 5.x, with a Master
CNE in Integrating Windows NT) manages a team responsible for a large
scale Windows NT and Novell NetWare infrastructure for a major
telecommunications company in Atlanta, Georgia. He specializes in Windows NT
and BackOffice applications as well as Novell Netware solutions. He is
currently working in cooperation with Microsoft on Windows 2000 Rapid
Deployment projects.

Cameron Brandon (MCSE, CNE, CNA, MCSE+Internet, A+, Network+) is a
Network Engineer/Administrator in Portland, Oregon. He specializes in
Windows NT with BackOffice Integration and helped work on Intel
Corporation's large-scale migration at its Oregon facility to Windows NT.
He completed his MCSE, CNE, CNA, MCPS:Internet Systems, and A+
certifications in five months’ time, proving once again that you can achieve
those things to which you set your mind.

Adam Quiggle (Master CNE, MCSE, CCNA) is a senior level network
engineer for Metamor Worldwide. In his most recent role, he served as remote
access project leader for one of North Carolina's largest state government
agencies, utilizing Windows NT Terminal Server, Metaframe and Cisco
Access Servers. He is president of the Research Triangle Park chapter of
the Cisco Professional Association Worldwide.

Holly Simard (MCSE, MCP+I) is a networking specialist in Victoria, BC.
Along with providing turnkey solutions for her clients, Holly also delivers
online instruction in her spare time. Holly lives with her husband Hervey,
who works as a multimedia developer, their springer spaniel Hubert, and
their cat Daisy.

Paul Shields (Certified MCSE) currently works as a network engineer for a
major telecommunications company. He has been working with, supporting,
and writing about Windows NT for the last five years. His current projects
revolve around the design and implementation of enterprise-class
servers in a mixed platform environment. He is also working on the rollout
of Windows 2000 to the corporate desktop. Paul can be contacted at

Erik Sojka is a system administrator and trainer currently working for a
major software company. He is an MCSE and has a BS in Information
Science and Technology from Drexel University.

Eriq Oliver Neale is a technology strategist with Nortel Networks, researching
new technology solutions for inclusion in the designer workplace. He
has worked in the computer support industry for eleven years and in that
time has contributed to several computing technology publications. When
not writing, he and his wife try to keep up with seven cats, two dogs, and a
plethora of tropical fish.

Jay Tomlin works as a server-based computing software specialist for Citrix
Systems, Inc. in Fort Lauderdale. His primary duty is training the Citrix
Technical Support organization worldwide. Prior to joining Citrix, Jay studied
Mathematics and Music Theory in college and graduate school. He can
be reached at
Contents
CHAPTER 1 The Windows 2000 System Administration Migration Path 1
Brief Overview of Windows 2000 Server 2
Windows 2000 System Administration Overview 5
Increased Reliability, Availability, and Scalability 6
Core Operating System Services 6
Fault Tolerance 7
Disaster and System Recovery 8
Reliable Storage 9
Avoiding Crashes and Reboots 10
High-Availability Solutions 11
Improved Scalability 12
Easier Management and Lower Costs 13
Integrated Directory Services 13
Comprehensive Management Solutions 14
Comprehensive File, Print, and Web Services 15
Comprehensive Internet and Application Server 17
Application Services 17
Communications and Networking Services 19
Why the Change? 20
Migrating to Windows 2000 Server 23
Getting Ready 24
Streamlining 25
Planning 26
Architecture 27
Costs 28
Plan of Action 29
Timeline 30
Testing 31
Deployment 31
Setting Up Windows 2000 Server 32
Installing Windows 2000 Server 32
Upgrading to Windows 2000 Server 35
Summary 37
FAQs 40
CHAPTER 2 Overview of Windows 2000 Administration 43
Introduction to Network Administration 44
Designing and Setting Up the Network 45
Managing the Network 46
Protecting the Network 46
Documenting the Network 48
Microsoft Management Console 51
Introduction to Active Directory 56
Key Concepts 56
Directory Service 57
Domains 57
Namespace 60
Global Catalog 61
Organizational Units 62
Groups 62
Name 64
Features and Benefits of Active Directory 65
Simplified Management 66

Added Security 67
Scalability 70
Replication of Information 70
Extended Interoperability 71
Integration with DNS 72
Beyond Active Directory 72
Volume Management 72
Disk Quotas 73
Defragmentation 74
Backup and Recovery 75
Hierarchical Storage Management 76
File Service Management 76
Distributed File System 77
Using Windows 2000 Help 79
Summary 81
FAQs 83
CHAPTER 3 Setting Up User Accounts 87
Defining an Acceptable Use Policy 88
Template: Acceptable Use/Security Policy 90
Purpose 90
Interpretation 90
Definitions 90
Responsibility 91
Introduction to User Accounts 95
Requirements for New User Accounts 96
Default User Account Settings 97
Creating a Domain User Account 99
Active Directory Users and Computers 99

Creating User Accounts 100
Setting Password Requirements 103
Security Templates 103
Loading Security Snap-ins into the MMC 104
Loading the Security Templates 105
Changing Account (Password) Policies 106
Setting Properties for User Accounts 110
Modifying User Accounts 110
General 111
Address 112
Account 113
Profile 115
Telephones/Notes 116
Organization 118
Dial-in 119
Managing User Accounts 121
Deleting User Accounts 122
Changing User Passwords 122
Enabling an Account 123
Disabling an Account 123
Other Active Directory Users and Computers Functions 123
Moving User Accounts 125
Mapping a Certificate to a User 125
Best Practices 128
Using Active Directory Users and Computers 129
Advanced Features 129
Filters 129

Administrative Logon 130
Account (Password) Policies 132
Summary 132
FAQs 133
CHAPTER 4 Using Groups to Organize User Accounts 135
Introduction to Groups 136
Group Type 139
Security Groups 139
Distribution Lists 139
Group Scope 140
Domain Local 140
Global 140
Universal 140
Implementing Group Strategies 142
Why Use Groups? 142
Structuring Groups 143
Implementing Groups 144
Preparing to Create Groups 144
Information Needed to Create a Group 144
Creating a Group 145
Assigning Users to a Group 147
Adding Users through the Group Setting 147
Adding User through the User Settings 149
Configuring Group Settings 151
General 152
Members 153
Member Of 153
Managed By 154
Object 154
Security 156
Managing Groups 157
Changing a Group’s Scope 157
Finding a Group 158
Deleting a Group 159
Implementing Local Groups 160
Preparing to Create Local Groups 160
Creating a Local Group 161
Implementing Built-in Groups 162
Built-in Domain Local Groups 162
Built-in Global Groups 163
Built-in Local Groups 163
Built-in System Groups 164
Built-in Group Behavior 164
Best Practices 168
Managing Groups 169
Using Universal Groups 169
Switching Modes 170
Summary 172
FAQs 172
CHAPTER 5 Administering File Resources 175
Introduction 176
Using Microsoft Windows NT File System (NTFS) Permissions 176
NTFS Folder Permissions 176
NTFS File Permissions 177
How Windows 2000 Applies NTFS Permissions 178
Access Control Lists 178
Combining NTFS Permissions 179

Permissions Are Cumulative 179
File Permissions Override Folder Permissions 179
Deny Overrides All Other Permissions 180
Permission Inheritance 180
Assigning NTFS Permissions 181
Planning NTFS Permissions 181
Managing NTFS Permissions 182
Special Access Permissions 185
Take Ownership 185
Change Permissions 187
Other Special Permissions 187
Using Special Access Permissions 188
Setting the Special Access Permissions 188
Taking Ownership of Files and Folders 190
Changing NTFS Permissions 191
Copying and Moving Files and Folders 192
Copying Files 192
Moving Files 193
Sharing Resources 196
Securing Network Resources 196
Shared Folder Permissions 197
Creating Shared Folders 198
Developing a Shared Folder Strategy 198
Shared Applications 199
Shared Data 200
Sharing Folders 200
Administrative Shares 201
Creating a Shared Folder 202

Assigning Permissions to a Shared Folder 204
Managing Shared Folders 206
Connecting to a Shared Folder 208
NTFS Permissions and Shared Folders 211
Troubleshooting Access Problems 213
Solving Permission Problems 213
Typical Permission-Related Access Problems 213
Solving Permission-Related Access Problems 214
Best Practices 214
Avoiding Permission-Related Access Problems 215
Guidelines for Managing Shared Folder Permissions 216
Summary 217
FAQs 218
CHAPTER 6 Administering User Accounts 221
Managing User Profiles 222
User Profiles Overview 222
Types of User Profiles 223
Contents of a User Profile 223
All Users 224
Settings Saved in a User Profile 225
Local User Profiles 226
Roaming User Profiles 227
Creating Individualized Roaming User Profiles 228
Mandatory Profiles 229
Setting Up a Roaming User Profile 230
Assigning Customized Roaming Profiles 231
Creating Home Folders 235
Home Directories and My Documents 235

Creating Home Directories 236
Introduction to Group Policies 239
Applying Group Policy 240
Order of Application 240
Filtering Policy Based on Security Group Membership 241
Blocking Policy Inheritance 241
Enforcing Policy from Above 241
Best Practices 242
Allowing for Different Hardware Configurations 242
Combining the Power of Profiles and Policies 242
Tightening Security on Home Directories 243
Summary 244
FAQs 244
CHAPTER 7 Administering Printer Resources 247
Introduction to Administering Printers 248
Terminology 248
Planning the Print Environment 248
Dedicated vs. Non-dedicated Print Servers 249
Local, Remote, and Network Printers 250
Creating the Print Environment 250
Installing a Local Printer 250
Installing a Network Printer 254
Installing a Printer from Another Server 256
Other Types of Network Printers 257
Loading Printer Drivers 259
Printer Properties 261
General 261

Sharing 262
Ports 262
Advanced 263
Security 263
Device Settings 265
Managing Printer Permissions 265
Security/Sharing Permissions 266
Printer Ownership 268
Managing Printers 269
Assigning Forms to Paper Trays 269
Assigning Separator Pages 270
Creating a Printer Pool 272
Specifying Printer Priorities 273
Redirecting a Printer 274
Removing Printer Drivers 275
Managing Documents in a Print Queue 276
Setting Priority, Notification, Printing Time 277
Administering Printers by Using a Web Browser 278
Best Practices 281
Organize Printers by Business Function or Geographic Location 281
Put Print Devices on a Separate Network 282
Allow Clients Access to Web Printing Interfaces 282
Restart Print Spool Service Periodically 283
FAQs 283
CHAPTER 8 Managing Storage Data 285
Managing Data Compression 286
Compressing Files and Folders 286
Determining Compression Status 289

Disk Space Requirements 291
Compression State 292
Compression Rules 292
Copying and Moving Compressed Files and Folders 292
Managing Disk Quotas 297
Encrypting Data 305
File Encryption 308
Decryption of Files 308
Storing Encrypted Files on Remote Servers 308
Accessing Encrypted Data 309
Moving and Renaming Encrypted Data 309
Decrypting Data 309
The Recovery Agent 310
Using Disk Defragmenter 311
Analyzing a Drive 314
Viewing Reports 315
Defragmenting NTFS File System Partitions 316
Troubleshooting Data Storage 317
Best Practices 318
FAQs 319
CHAPTER 9 Monitoring Event Logs 321
Introduction to Monitoring Event Logs 322
Viewing Event Logs 325
Monitoring Security Events 336
Auditing Files and Folders 342
Auditing Registry Entries 347
Analyzing Security Events 353

Managing Event Logs 354
Best Practices 359
Summary 360
FAQs 361
CHAPTER 10 Backing Up and Restoring Data 363
Introduction to Backing Up and Recovering Data 364
Types of Backups 367
Normal Backup 367
Daily Backup 367
Copy Backup 368
Incremental Backup 368
Differential Backup 369
Necessary Permissions and User Rights 370
System State Data 371
Emergency Repair Disk 372
Back Up and Restore Options 373
Advanced Options 378
Backing Up Data 380
Back Up Files to File or a Tape 382
Scheduling 384
Using Batch Files 387
Restoring Data 389
Restore Files from a File or Tape 389
Restore System State Data 390
Authoritative Restore 391
Maintaining Media 393
Best Practices 394
Summary 396

FAQs 397
CHAPTER 11 Advanced Administration of Windows 2000 399
Administering Windows 2000 400
Microsoft Management Console 400
Windows 2000 System Administration 402
Computer Management Console 402
Event Viewer 406
License Manager 406
Performance 407
Windows 2000 Network Administration 410
Adapters and Protocols 410
Configuring Adapters and Protocols 412
DHCP Manager 415
DNS Management 419
Windows Internet Naming Service (WINS) 424
Terminal Services 425
Quality of Service 429
Routing and Remote Access 430
Remote Access Service Dial Out 437
Virtual Private Networks 440
Demand Dial Routing 443
Network Address Translation (NAT) 445
Internet Authentication Service 447
Connection Manager Administration Kit 450
Customizing Windows 2000 Tools for Your Environment 452
Creating Custom MMC Consoles 453
Using the Task Scheduler 458

Understanding the Logon Process 460
Logon Authentication 460
Secondary Logon Services 461
Windows 2000 Resource Kit 462
Direct X Diagnostic Utility 462
Command Line Kill 463
Sysprep 463
Setup Manager 464
Sysdiff 465
Dependency Walker 466
Shutdown 467
Netdiag 467
Summary 467
FAQs 467
CHAPTER 12 Administering Active Directory 469
Introduction to Administering Active Directory 470
Active Directory Concepts 471
Directory 471
Namespace 472
Naming Conventions 474
Schema 476
Global Catalog 477
Replication 479
Client Software 481
Active Directory Components 482
Objects 482
Site 484
Domain 485
Trees and Forests 485

Using Active Directory Management Utilities 486
DCPromo 486
Active Directory Users and Computers 493
Active Directory Domains and Trusts 496
Active Directory Sites and Services 498
Publishing Objects in Active Directory 503
Sharing Resources 503
Locating Objects in Active Directory 506
Controlling Access to Objects 508
User Authentication 509
Object-based Access Control 509
Active Directory Permissions 512
Delegating Administrative Control of Objects 512
Delegation of Control Wizard 513
Overview of Active Directory Service Interface (ADSI) 515
Best Practices 516
Summary 517
FAQs 521
CHAPTER 13 Implementing Group Policy 523
Introduction to Windows 2000 Group Policy 524
Group Policy Structure 525
Types of Configurations 526
Computer Configuration 526
User Configuration 526
Configuration Subfolders 526
Type of Group Policies 530

Software Deployment 530
Software Policies 530
Desktop File\Folder Management 531
Scripts 531
Security 531
Group Policy Objects 531
Group Policy Containers 532
Group Policy Templates 532
GPT Contents 533
GPT.INI 534
How Group Policy Is Applied in Active Directory 536
Order of Inheritance 536
Creating a Group Policy Object 538
Group Policy and Slow Networks 540
Filtering the Scope of GPO 541
Modifying Group Policy Inheritance 542
Modifying Group Policy 543
Group Policy Tab 544
Group Policy Editor 546
Adding Administrative Templates 548
Using the Group Policy Management Snap-in 549
Group Policy Configuration Example 549
Delegating Administrative Control of a Group Policy Object 550
Creating a Group Policy Object 552
Modifying a Group Policy Object 554
Managing a Group Policy Object Link to a Site, Domain, or Organizational Unit 555
Guidelines for Implementing Group Policy 557

Best Practices 560
Summary 562
FAQs 565
CHAPTER 14 Managing User Environments Using Group Policy 567
Introduction to Managing User Environments 568
Types of Group Policy for Managing User Environments 569
Group Policy Snap-In for the Microsoft Management Console 570
Using Administrative Templates 573
Assigning Registry-Based Policies 576
Creating Custom Administrative Templates 579
Adding Administrative Templates 585
Using Scripts 586
Assigning Script Policies to Users and Computers 588
Folder Redirection 590
FAQs 593
CHAPTER 15 Managing Software by Using Group Policy 595
Introduction 596
Introduction to Managing Software Deployment 596
Deploying Software 597
Creating Software Packages 599
Creating a Non-Windows Installer Package File 601
Managing Software 605
Maintaining Software 615
Upgrading Software 621
Removing Software 623

Summary 624
FAQs 625
CHAPTER 16 Administering User Accounts and Groups 629
Introduction to Administration of User Accounts and Groups 630
Creating Multiple User Accounts 631
Migrating Users from an NT 4.0 Domain 632
Creating New Active Directory Users in Bulk 634
How Does the Script Work? 634
Importing Users from Novell Directory Services (NDS) 636
Administering Logon Names 636
Lockout Settings 636
Password Requirements 639
Configuring Account Policies Using Group Policy 641
Troubleshooting User Logon Problems 646
Unable to Find a Domain Controller 646
Unable to Load the User Profile 648
Missing Computer Account 650
Redirecting User Data to a Network Share 651
Setting Up Accounts for Mobile Users 655
Multilink and Bandwidth Allocation Protocol (BAP) 658
Using Universal Groups 660
Windows NT 3.x and 4.x Groups Types 660
Windows 2000 Group Types 661
Best Practices 663
Summary 665

FAQs 666
CHAPTER 17 Implementing Security in a Windows 2000 Network 669
Introduction to Securing a Windows 2000 Network 670
Applying Security Policies 671
The Security Settings Extension to Group Policy 672
Order of Precedence 674
Creating, Modifying, and Analyzing Security Configurations 675
Security Configuration and Analysis Snap-in 675
SECEDIT.EXE 677
Configuring an Audit Policy 679
Audit Event Types 682
Analyzing Security Configurations 683
Security Configuration Templates 685
Implementing Public Key Security 687
Components of Public Key Services 688
Certificates 688
Certificate Authority 689
Group Policies 691
Hardware Add-ons 692
Using Public Key Services 693
Enabling and Administering File Encryption 702
Encrypted File System Architecture 703
Encryption and Decryption 703
Data Recovery 704
Using the Encrypted File System 705
Guidelines for Using EFS 709
Best Practices 710
Summary 712

FAQs 715
CHAPTER 18 Sharing File Resources by Using DFS 717
Introduction to DFS 718
Setting Up a Fault-Tolerant DFS Root 722
Setting Up a Stand-Alone DFS Root 730
Setting Up Child Nodes 736
Configuring Child Nodes as Replica Sets 738
Administering DFS 741
Connecting to an Existing DFS Root 742
Command-Line Administration 743
Removing DFS Roots and Nodes 745
Removing a Child Node 745
Removing a DFS Root 746
Forced Removal of DFS Information 747
Client Interactions with DFS 748
Security Concerns 748
Best Practices 749
Summary 750
FAQs 750
CHAPTER 19 Implementing Disaster Protection 753
Introduction 754
Protecting a Windows 2000 Network from Disasters 754
Backing Up Data 758
The Recovery Console 765
Advanced Startup Options 766
Recovering from a System Failure 768
Repairing and Restoring Active Directory 771

Authoritative Restore 779
Summary 779
FAQs 780
Index 783