Professional Server Network Directory Services: Exam Objectives
EXAM OBJECTIVES
The content of this chapter doesn't map directly to any one specific exam objective, but that doesn't mean it's not important. The basics presented in this chapter are crucial to your understanding of Windows 2000. So, no matter which of the four core Windows 2000 exams you're preparing for, read on. You owe it to yourself to get a firm grasp of the Windows 2000 fundamentals early on, so you can dive into the rest of the chapters with confidence.
CHAPTER 1

This chapter explores the basics of the four new Windows 2000 operating systems. Ever wondered which operating system to choose for a given situation? Or whether to choose a workgroup or a domain model? These issues are explained and answered in this chapter. You'll want to read this chapter no matter which of the four core Microsoft Windows 2000 exams you're preparing for, because it spells out fundamental concepts you'll need to know, including:

- Basic descriptions and features of the four new Windows 2000 operating systems: Professional, Server, Advanced Server, and Datacenter Server
- How the Windows 2000 user interface looks and feels
- Application environments supported by Windows 2000
- Fundamentals of Windows 2000 architecture
- Explanations of basic Windows 2000 concepts: workgroups, domains, and an introduction to Active Directory
Part I
Chapter Pre-Test
1. List the four new Windows 2000 operating systems.
2. Does Windows 2000 support Plug and Play?
3. What are the five application types supported by Windows 2000?
4. Which hardware platforms are supported by Windows 2000?
5. What are the two primary modes in the Windows 2000 architecture?
6. What is Active Directory?
Chapter 1
- Windows 2000 Professional
- Windows 2000 Server
- Windows 2000 Advanced Server
- Windows 2000 Datacenter Server
These four operating systems share a common user interface, share many common features and utilities, and are all 32-bit operating systems. In fact, all of these operating systems use the same kernel, which is based on Windows NT technology.
TIP
When you hear the name Windows 2000, you might think this operating system is a revised version of Windows 98. However, Windows 2000 is really the latest and greatest version of Windows NT, and was originally called Windows NT 5.0 before Microsoft changed its name to Windows 2000.
Although based on the same kernel, each of the four operating systems that make up the Windows 2000 operating system family is optimized for use in a specific environment. The following section explores some of the new common features shared by the four Windows 2000 operating systems.
- New security protocol: Windows 2000 includes the Kerberos version 5 protocol. This is an Internet standard authentication protocol that provides a higher level of security and faster, more efficient authentication than the Windows NT/LAN Manager protocol.
- Plug and Play: The Windows 2000 operating systems, unlike their Windows NT 4.0 predecessors, fully support Plug and Play architecture. Plug and Play automatically detects new hardware in a computer, and then automatically loads the appropriate device drivers and configures the device. Plug and Play also enables you to physically change a PC card in a laptop computer without turning the computer off.
- New file system support: Windows 2000 supports two new file systems: the FAT32 file system and the Encrypting File System (EFS). The FAT32 file system, which is supported by Windows 95 OSR2 and Windows 98, but was not supported by earlier versions of Windows NT, allocates disk space in a more efficient manner than previous versions of the FAT (file allocation table) file system, and supports drives as large as two terabytes. EFS enables you to store files on an NTFS partition in an encrypted format, so that even if an unauthorized user removes a hard disk from your computer, that user will be unable to access the sensitive data contained in the encrypted file.
- Power Options in Control Panel: This application enables you to configure energy saving settings for your computer. Primarily designed for use on laptop computers, Power Options help you get the most life out of your laptop's battery.
- Internet Explorer 5: Microsoft's newest Web browser, Internet Explorer 5, is an integral part of the Windows 2000 operating systems. Internet Explorer 5 sports several new features designed to save time and make browsing tasks easier to perform, including a Search Assistant, automatic configuration, and AutoComplete. Internet Explorer 5 also includes Microsoft Outlook Express 5, an e-mail and newsgroup client that enables multiple users to maintain individual e-mail accounts on the same computer.
These are just a few of the many new features of Windows 2000, but in my opinion, the most important. As you might guess, each of these components will be covered in depth in later chapters in this book. But first, allow me to introduce you to each of the new Windows 2000 operating systems.
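The EFS behaviour described above can be checked from the command line with cipher.exe, the EFS tool that ships with Windows 2000. The following cmd.exe session is an added example and is not from the book; the folder C:\Secret is an assumed placeholder, and the volume it lives on must be NTFS, since EFS is an NTFS feature.

```bat
@echo off
REM Added example (not from the book): encrypt a folder with EFS and verify the result.
REM Assumes an NTFS volume holding an existing folder C:\Secret (placeholder path).

REM /E marks the folder as encrypted, so files created in it later are encrypted automatically.
REM /S:dir applies the change to the folder and everything below it.
REM /A also encrypts the files already present; without it only the folders are marked.
cipher /E /A /S:C:\Secret

REM With no switches, cipher lists the encryption state of the current folder:
REM each file or subfolder is prefixed with E (encrypted) or U (unencrypted).
cd /d C:\Secret
cipher
```

The listing is the check worth doing after enabling EFS: a file still prefixed U has not been encrypted, which typically means it was copied to a FAT or FAT32 volume, where EFS cannot apply, or was placed in the folder before the folder was marked and the /A switch was not used.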
Hardware Requirements

As with all new versions of operating systems, Windows 2000 Professional requires significantly more hardware resources than did either of its predecessors, Windows NT Workstation and Windows 98. The minimum hardware required to successfully install and run Windows 2000 Professional on an Intel-based computer includes:

- A Pentium/133MHz processor
- 32MB of RAM (64MB are recommended)
- 650MB of free hard disk space
In order to ensure operational success, all hardware should be on the Windows 2000 Hardware Compatibility List (HCL) that is shipped with the product and is also posted on Microsoft's Web site.
CROSS-REFERENCE
For more information on the Hardware Compatibility List, including Web site information, see Chapter 3. For detailed information on the hardware requirements for installing Windows 2000 Professional, also see Chapter 3.
Application Support

Windows 2000 Professional supports most MS-DOS-based applications, most 16-bit and 32-bit Windows-based applications, POSIX 1.x applications, and most OS/2 1.x applications. Specifically, Windows 2000 Professional supports many Windows 95/Windows 98 applications that were not supported by Windows NT Workstation 4.0. Windows 2000 Professional does not support applications that require direct hardware access (bypassing the Hardware Abstraction Layer [HAL]) because this could compromise Windows 2000 Professional's security. It also does not support software applications that require an MS-DOS terminate-and-stay-resident (TSR) program or a virtual device driver. I'll discuss the various application environments supported by Windows 2000 in more detail a bit later in this chapter.
Multiprocessing, Multithreading, and Multitasking

Windows 2000 Professional supports symmetric multiprocessing with up to two processors. Multiprocessing refers to the capability of an operating system to use more than one processor in a single computer simultaneously. Symmetric multiprocessing is a type of multiprocessing in which system processes and applications can be run on any available processor. This is the most efficient form of multiprocessing currently available, because it does not tie a particular process or application to a specific, assigned processor.

Windows 2000 Professional also supports multithreading and preemptive multitasking. A thread is the smallest unit of processing that can be scheduled by the Windows 2000 kernel. All applications require at least one thread. When an application has more than one thread, each thread can be executed independently of the others. This is referred to as multithreading. Individual threads within a single application can even be run on different processors in the same computer.

In preemptive multitasking, the operating system allocates processor time between applications. Because Windows 2000, not the application, allocates processor time between multiple applications, one application can be preempted by the operating system, and another application allowed to run. When multiple applications are alternately paused and then allocated processor time, they appear to run simultaneously to the user.

Security

Windows 2000 Professional supports a high level of security. User logon and authentication are required in order to use the operating system and in order to access local or network resources. Windows 2000 Professional supports a local user account database, and can also support either a Windows NT Server 4.0 domain user account database or user accounts from the Windows 2000 Active Directory.
Two other security features of Windows 2000 Professional are smart card support and Internet Protocol Security. A smart card is a security device that contains a unique, encrypted set of authentication credentials. When used in conjunction with a smart card reader that has been installed on a computer, smart cards eliminate the need for users to transmit user names and passwords across the network when logging on. Internet Protocol Security (IPSec) encrypts TCP/IP traffic between two computers, thus preventing unauthorized users who capture network traffic from viewing or modifying sensitive data.
Hardware Requirements

The minimum hardware required to successfully install and run Windows 2000 Server on an Intel-based computer includes:

- A Pentium/133MHz processor
- 64MB of RAM (128MB are recommended)
- 950MB of free hard disk space (more disk space is required if the computer contains more than 64MB of RAM)
For more detailed information on hardware requirements for installing Windows 2000 Server, see Chapter 3.
File Management

Windows 2000 Server supports two new file management tools, the Distributed file system (Dfs) and disk quotas. The Distributed file system (Dfs) is a file system that enables an administrator to make shares that are stored on various servers on the network appear to users as though they are stored within a single share on a single server. The use of Dfs makes finding network resources easier for users, because users don't have to know which server physically contains the shared resource they are trying to access.
Disk quotas are a volume management tool that is enabled on a volume-by-volume basis. Once enabled, disk quotas automatically track disk space usage on a user-by-user basis, and prevent individual users from exceeding the disk space limitations that they have been assigned by administrators. Disk quotas can also be used on Windows 2000 Professional computers, but it seems unlikely to me that they will be widely used on desktop client computers.
Application Support

Windows 2000 Server supports the same software applications as Windows 2000 Professional. In addition, Windows 2000 Server is optimized to support the Microsoft BackOffice suite of products, including SQL Server, Systems Management Server, Internet Information Server, Exchange Server, and SNA Server, as well as many third-party server-based applications. Windows 2000 Server also supports Terminal Services. This application service, when run on a network server, enables users of client computers to remotely perform processor-intensive or network-intensive tasks from their client computers. The application runs on the server running Terminal Services, so the user can take advantage of the processing power and network connectivity of the server, while fully controlling the application from the client computer's keyboard and monitor.
Multiprocessing, Multithreading, and Multitasking

Like Windows 2000 Professional, Windows 2000 Server supports symmetric multiprocessing, but Windows 2000 Server accommodates up to four processors instead of only two. Also like Windows 2000 Professional, Windows 2000 Server supports multithreading and preemptive multitasking.

Security

Windows 2000 Server includes all of the security features of Windows 2000 Professional, and has additional security features of its own. Windows 2000 Server supports a local user account database, and can also support either a Windows NT Server 4.0 domain user account database, or user accounts from the Windows 2000 Active Directory. In addition, Windows 2000 Server can be configured as a domain controller, which contains a read/write copy of the Active Directory data store. Active Directory is a directory service that stores information about various types of network objects, including printers, shared folders, user accounts, and computers. These objects are placed in a hierarchical structure that can be organized to simplify administration. With Active Directory, users can gain access to any network resource (that the user has permissions to) with a single logon.
CROSS-REFERENCE
Active Directory is an important feature of Windows 2000. It is discussed briefly later in this chapter, and is the primary focus of Chapter 2.
Windows 2000 Server also includes support for Remote Authentication Dial-In User Service (RADIUS). RADIUS is an industry standard authentication service that provides centralized management of user authentication and authorization for remote access servers.
Networking

Windows 2000 Server supports routing of the IP, IPX, and AppleTalk protocols over both LAN and WAN interfaces. Both the Routing Information Protocol (RIP) version 2 and the Open Shortest Path First (OSPF) routing protocols are supported for IP routing. Another new networking feature of Windows 2000 Server is the support this operating system provides for asynchronous transfer mode (ATM) network adapter cards. ATM technology makes possible the simultaneous transport of voice, data, video, and images over the network.
The minimum hardware requirements of Windows 2000 Advanced Server are virtually the same as those for Windows 2000 Server. As noted previously, however, Windows 2000 Advanced Server can support more processors and more RAM than Windows 2000 Server. Windows 2000 Advanced Server includes all of the features of Windows 2000 Server. In addition, Windows 2000 Advanced Server includes Windows Clustering. A cluster is a group of computers that, from a client and application point of view, appear as a single computer. Windows Clustering is a technology that, when implemented on 2 to 32 Windows 2000 Advanced Server computers, provides two important features:

- High availability: This feature is important for mission-critical applications. In Windows Clustering, if a computer in the cluster that is running a critical application fails, another computer in the cluster will automatically start the application, and users will be seamlessly directed to the computer that takes over running the application.
- Load balancing: This feature refers to spreading utilization across multiple computers. For example, if a Web server experiences more utilization than a single computer can handle, it can be run on all of the computers in the cluster. Users will be seamlessly directed to the computer with the lowest utilization.
Windows Clustering is implemented on Windows 2000 Advanced Server by installing the Cluster Service.
Server, on the other hand, only supports up to eight processors and up to 8GB of RAM. The minimum hardware requirements of Windows 2000 Datacenter Server are the same as those for Windows 2000 Server. As noted previously, however, Windows 2000 Datacenter Server can support more processors and more RAM than either Windows 2000 Server or Windows 2000 Advanced Server. The features of Windows 2000 Datacenter Server are identical to the features of Windows 2000 Advanced Server. The only advantage of Windows 2000 Datacenter Server is its capability to utilize more processors and more RAM.
Because of the similarities of the Windows 2000 operating systems, throughout this book, except where differences are noted, when you read "Windows 2000" you can assume I'm referring to all three of the most commonly used Windows 2000 operating systems: Windows 2000 Professional, Windows 2000 Server, and Windows 2000 Advanced Server. Windows 2000 Datacenter Server is beyond the scope of this book, and its differences will not be discussed in this book.
If this is your first exposure to the newer Windows operating systems, Figure 1-1 shows the appearance of the Windows 2000 Server desktop interface. The following is a brief explanation of the Windows 2000 user interface, including the desktop and Windows Explorer. Because the user interfaces of the Windows 2000 operating systems are identical, I haven't described each desktop individually.
There are several icons on the desktop, as well as a taskbar. Each of these items is discussed in the following sections.
My Documents

The My Documents icon represents the My Documents folder of the logged-on user. This folder is the default storage location for user-created documents. Double-clicking the My Documents icon displays the contents of the My Documents folder.

My Computer

Double-clicking the My Computer icon displays the My Computer dialog box. This dialog box graphically represents every drive on the computer (including network drives, if any), as well as the Control Panel folder. If you double-click any icon in the My Computer dialog box, a dialog box is displayed showing the contents of the drive or folder you clicked.
TIP
Windows 2000 offers you a choice of whether to single-click or double-click to open an item, such as My Computer. The default setting is double-click. If you want to change this setting, open My Computer, then select Tools → Folder Options. In the Folder Options dialog box, select the "Single-click to open an item" option. This setting applies not only to My Computer, but to the other items on the desktop, and also to all items displayed in Windows Explorer.
My Network Places

If you double-click the My Network Places icon, a dialog box is displayed that contains an icon for Add Network Place, an icon for Computers Near Me, and an icon for the Entire Network. Use the Add Network Place icon when you want to connect to a shared folder on the network, or connect to an FTP or Web site. This icon is a simplified wizard for mapping a network drive or connecting to a Web site, and creating a shortcut to this drive or Web site in the My Network Places folder. If you double-click the Computers Near Me icon, all of the computers in your workgroup or domain are displayed. You can double-click any of these computers to display the shared folders and shared printers on that computer. The Printers and Scheduled Tasks folders on the selected computer are also displayed.
The Entire Network icon, when double-clicked, opens a dialog box that gives you three options. You can select a link that will search for a particular computer on the network. You can also select a link that will search for specific files or folders located anywhere on the network. Finally, you can select a link that will let you view and browse all of the workgroups, domains, and computers on your network.
Recycle Bin

The Recycle Bin icon is a politically correct version of the Macintosh trash can icon. When you delete files, the files are moved from their original location into the Recycle Bin folder. If you later want those files back, you can move them from the Recycle Bin to another location. When you delete items in the Recycle Bin, the items are removed permanently from your computer. It's normally a good idea to periodically empty your Recycle Bin so that a large amount of valuable disk space is not taken up by deleted files.

Internet Explorer

When you double-click the Internet Explorer icon, Microsoft Internet Explorer 5 starts. You can use this application to browse Web pages located on the Internet or on your company's intranet.

Connect to the Internet

When you double-click the Connect to the Internet icon, the Internet Connection Wizard starts. You can use this wizard to sign up for a new account with an Internet service provider (ISP), to transfer your existing Internet account settings to the computer you're working on, or you can elect to bypass this wizard and manually configure your Internet connection. A tutorial that explains in more detail how to use the Internet Connection Wizard is included. You can access this tutorial by clicking Tutorial on the first screen in the wizard.

Taskbar

The taskbar at the bottom of the desktop contains the Start button, a Quick Launch toolbar, a button for each program that is currently running, and a clock. I'll get to the Start button and Quick Launch toolbar in a minute, but first let me explain how you can use the other elements in the taskbar.
You can use the taskbar to quickly switch between two or more applications that are running by clicking the button that represents the application you want to use. You can configure the properties of the taskbar by right-clicking anywhere on the taskbar, and then selecting Properties. Finally, you can easily set the time and date by double-clicking the clock in the taskbar.
Start Button

The Start button is located on the left side of the taskbar at the bottom of the desktop. Clicking the Start button opens a menu that enables you to quickly access programs, recently used documents, favorites, settings (such as the Control Panel and Printers folders), and Help. The menu also includes a Windows Update option, which is a link to Microsoft's Web site where you can download new Windows features and operating system updates. In addition, this menu enables you to run applications from a command line, find a document, log off, and shut down your computer. You can customize your Start menu by dragging and dropping program icons from one Start menu folder to another location in the Start menu. For example, when I select Start → Programs → Accessories → Windows Explorer, I can click Windows Explorer, and drag and drop it directly in the Programs folder in my Start menu. From then on, when I want to run Windows Explorer, I will select Start → Programs → Windows Explorer. I could also have dropped Windows Explorer directly on the top section of my Start menu, above Programs. If I had dropped Windows Explorer here, I would select Start → Windows Explorer to run this program.

Quick Launch Toolbar

The Quick Launch toolbar is located directly to the right of the Start button in the taskbar. By default, the Quick Launch toolbar consists of the Show Desktop icon, the Internet Explorer icon, and the Outlook Express icon. The purpose of the Quick Launch toolbar is to enable you to easily start any of the applications whose icons appear in the toolbar by clicking the icon for the desired application. You can customize the Quick Launch toolbar by dragging and dropping shortcuts from your desktop, the Start menu, or Windows Explorer on the toolbar. You can place the Quick Launch toolbar anywhere on your desktop by clicking the left end of the toolbar, and then dragging and dropping it to the desired location on your desktop.
FIGURE 1-2 The close, minimize, and maximize buttons in the My Computer dialog box
At the upper right-hand corner of every window is a button, marked with an X. This button is called the close button and is used to close the window and exit the application. Many windows have two additional buttons located adjacent to the close button: the minimize and maximize buttons. The minimize button looks like an underscore on a button. Clicking this button will minimize the application to its icon on the taskbar. The maximize button looks like either a single box with a dark line across the top, or like two overlapping boxes, each with a dark line across the top. Clicking the maximize button switches between a small view of the window and a full screen view of the window.
Windows Explorer
A discussion of the Windows 2000 user interface wouldn't be complete without mentioning Windows Explorer. You can access any file, folder, printer, or application on your computer or on the network in Windows Explorer. Windows Explorer replaces Windows NT Explorer from earlier versions of Windows NT. Windows Explorer is a useful tool for copying, moving, and deleting files. You can also share folders and configure file and folder security by using this program.
To access Windows Explorer, select Start → Programs → Accessories → Windows Explorer. That pretty much wraps up the Windows 2000 user interface. The next sections discuss, in detail, the various application environments supported by Windows 2000.
A basic understanding of the application environments will serve you well when you're optimizing and troubleshooting applications, and also when you sit down to take the Windows 2000 Professional exam, which has a stated objective on this very topic. For now I'll begin by laying the groundwork, and later I'll present more detailed information on optimizing and troubleshooting applications in Chapter 22.
Windows 2000 is designed to run applications created for several different types of operating system environments. Windows 2000 supports these different application types by using multiple environment subsystems. These subsystems each include the application programming interface (API) of the operating system or environment that the subsystem is designed to support. The subsystems enable applications to run in the Windows 2000 environment as if they were running in the operating system environment they were designed for. The application types and operating system environments supported by Windows 2000 include:

- MS-DOS applications (MS-DOS environment)
- 16-bit Windows applications, such as those written for Windows 3.x and Windows for Workgroups (Win16 environment)
- 32-bit Windows applications, such as those written for Windows 95, Windows 98, Windows NT, and Windows 2000 (Win32 environment)
- POSIX applications, such as those written for POSIX-compliant UNIX operating systems (POSIX environment)
- OS/2 applications, such as those written for OS/2 1.x (OS/2 environment)
MS-DOS Environment
Applications designed for the MS-DOS environment are typically legacy applications that use a character-based, command-line interface. A character-based, command-line interface is one that relies on keyboard input rather than mouse input. Additionally, the screen display does not necessarily match the printed output; it's not What You See Is What You Get (WYSIWYG). Many utilities designed for MS-DOS are still useful even though they haven't been rewritten for use in the Windows graphical environment.

Windows 2000 includes support for MS-DOS applications via a subsystem called a Virtual DOS Machine (VDM). A VDM is a Win32 application that emulates an Intel 486 computer running the MS-DOS operating system. Most MS-DOS applications are supported by Windows 2000 in a VDM. However, MS-DOS applications that make direct calls to hardware are not supported by Windows 2000. These applications could compromise the NTFS file and folder security provided by the Windows 2000 operating system if they were permitted to directly access the computer's hard disk. The other reason direct calls to hardware are not permitted is to protect against the possibility of an application accessing and modifying memory that is in use by Windows 2000, and thereby causing the system to crash.

Windows 2000 enables multiple VDMs to be run, and each MS-DOS application runs in its own separate VDM. Because each application runs in its own separate VDM, if an MS-DOS application crashes, other applications are not affected. Additionally, Windows 2000 can preemptively multitask multiple MS-DOS applications.
VDMs have three threads. Two of these threads are used to maintain the VDM environment. The third thread is used by the application. An application that runs in a VDM is referred to as a single-threaded application, because only one thread is used by the application.

Some MS-DOS applications require environmental settings that would normally be configured in the MS-DOS computer's Autoexec.bat or Config.sys files. For example, a path to the application may need to be specified, or a terminate-and-stay-resident (TSR) program may need to be loaded prior to starting the application. To provide the same environmental settings in a Windows 2000 environment, you can edit the Autoexec.nt and Config.nt files to include any necessary instructions. Settings contained in the Autoexec.nt and Config.nt files are executed each time a VDM is started. These files are edited in the same manner as you would edit an Autoexec.bat or Config.sys file. The Autoexec.nt and Config.nt files are stored in the SystemRoot\System32 folder. The default Autoexec.nt and Config.nt files contain instructions for editing and configuring these files.
TIP
Throughout this book, I use the term SystemRoot to refer to the folder that Windows 2000 is installed in. The default installation folder for Windows 2000 is C:\Winnt.
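The following pair of files is an added example of the kind of Config.nt and Autoexec.nt entries the text describes; it is not the book's text and not the default files Windows 2000 installs. The himem.sys device line, the dos= and files= directives, and the mscdexnt.exe redirector are entries found in the default files; the application folder C:\Apps\Legacy and the TSR name keymap.com are assumed placeholders. Both files accept REM comments, so the two are shown one after the other in a single listing.

```bat
REM ---- %SystemRoot%\System32\Config.nt (added example, not the default file) ----
REM Processed each time a VDM starts, using the same directives as an MS-DOS Config.sys.
REM Load MS-DOS into high memory and make upper memory blocks available to TSRs.
dos=high, umb
device=%SystemRoot%\system32\himem.sys
REM A legacy application that keeps many files open at once may need more file handles.
files=40

REM ---- %SystemRoot%\System32\Autoexec.nt (added example, not the default file) ----
REM Processed each time a VDM starts, using the same commands as an MS-DOS Autoexec.bat.
@echo off
REM Load the MS-DOS CD-ROM redirector supplied with Windows 2000 into upper memory.
lh %SystemRoot%\system32\mscdexnt.exe
REM Put the legacy application's folder on the search path (C:\Apps\Legacy is a placeholder).
set PATH=%PATH%;C:\Apps\Legacy
REM Load a TSR the application depends on before the application itself starts
REM (keymap.com is a placeholder name for such a program).
lh C:\Apps\Legacy\keymap.com
```

Because these files run inside the VDM only, a TSR loaded here is visible to the MS-DOS application in that VDM and to nothing else on the system, which is why the TSR requirement the text mentions is met without loading anything into Windows 2000 itself.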
Win16 Environment
Win16 environment applications consist of 16-bit Windows applications designed for Windows 3.x and Windows for Workgroups. These applications are graphical applications that accept input from both a mouse and keyboard. Often the screen display matches the printed output (WYSIWYG). Windows 2000 provides support for 16-bit Windows applications via a special subsystem called WOW, for Win16-on-Win32. The WOW subsystem is a special purpose VDM, called a Win16 VDM, that emulates an Intel 486 computer running MS-DOS and Windows 3.1. Most 16-bit Windows applications are supported by Windows 2000. However, 16-bit Windows applications that make undocumented calls to the operating system or that require specific device drivers that make direct calls to hardware may not run correctly on Windows 2000.
By default, when multiple Win16 applications are run at the same time, they all run in a single Win16 VDM. This means that, by default, all Win16 applications share the same memory space. Because the Win16 applications share the same memory space, if one application crashes, other Win16 applications may also crash. Because multiple Win16 applications share a single Win16 VDM, Windows 2000 can't preemptively multitask multiple Win16 applications. To prevent a rogue Win16 application from crashing all of your other Win16 applications, and to allow Win16 applications to be preemptively multitasked, Windows 2000 permits Win16 applications to be run in separate Win16 VDMs. This is referred to as running Win16 applications in separate memory spaces.
CROSS-REFERENCE
For details on how to configure a Win16 application to run in a separate memory space, see the section on optimizing applications in Chapter 22.
Win32 Environment
The Win32 environment is Windows 2000's native application environment. It is the preferred and fastest environment for running applications on Windows 2000, because no emulation or workarounds are required. Win32 environment applications consist of 32-bit Windows applications written specifically for Windows 95, Windows 98, Windows NT, and Windows 2000. Windows 2000 provides support for Win32 applications via the Win32 subsystem. Each Win32 application runs in its own separate memory space. Because of this, if a Win32 application crashes, other applications are not affected. Windows 2000 can preemptively multitask multiple Win32 applications.
POSIX Environment
Portable Operating System Interface for Computing Environments (POSIX) was developed as a set of accepted standards for writing applications for use on various UNIX computers. POSIX environment applications consist of applications developed to meet the POSIX standards. These applications are sometimes referred to as POSIX-compliant applications.
Windows 2000 provides support for POSIX-compliant applications via the POSIX subsystem. To fully support POSIX-compliant applications, at least one NTFS partition is required on the Windows 2000 computer. Each POSIX application runs in its own separate memory space. Because of this, if a POSIX application crashes, other applications are not affected. Windows 2000 can preemptively multitask POSIX applications.
OS/2 Environment
OS/2 environment applications consist of 16-bit, character-based applications designed for OS/2 version 1.x. Applications designed for other versions of OS/2, including OS/2 2.x, 3.x, and Presentation Manager applications, are not supported by Windows 2000. Windows 2000 provides support for OS/2 applications via the OS/2 subsystem. Some OS/2 applications, called real-mode applications, can be run in an MS-DOS environment. Because Windows 2000 supports MS-DOS VDMs, real-mode OS/2 applications can be run in a VDM by using the Forcedos.exe command to start the application. Each OS/2 application runs in its own separate memory space. This means that if an OS/2 application crashes, other applications are not affected. Windows 2000 can preemptively multitask OS/2 applications.
An understanding of the Windows 2000 architecture will also help you to become a good troubleshooter, and all four of the core Windows 2000 exams contain numerous troubleshooting objectives.
Windows 2000 uses a modular architecture. This means each component (or module) within the architecture has sole responsibility for the function it is designed to provide. In addition, no other module repeats the functions performed by another. Figure 1-3 illustrates the modular architecture of Microsoft Windows 2000. Notice that the operating system has two parts, or modes: user mode and kernel mode.
Figure 1-3: The Windows 2000 modular architecture. User mode: OS/2, Win32, and POSIX applications; the logon process; the OS/2, Win32, POSIX, and Security subsystems. Kernel mode: Executive Services (I/O Manager with Cache Manager, File System Drivers, and Device Drivers; Window Manager with Graphics Device Drivers; Security Reference Monitor; Virtual Memory Manager; Object Manager; Process Manager; Plug and Play Manager; Power Manager; IPC Manager with the Local Procedure Call (LPC) Facility and Remote Procedure Call (RPC) Facility), the Microkernel, and the Hardware Abstraction Layer (HAL), all above the Hardware.
User Mode
Applications and their subsystems run in user mode. This mode is referred to as a less-privileged processor mode because it does not have direct access to hardware. User mode applications are limited to assigned memory address spaces and can't directly access other memory address spaces. User mode uses specific application programming interfaces (APIs) to request services from a kernel mode component. The purpose of separating the applications in user mode from the hardware, of restricting the memory address spaces that applications can access, and of forcing the applications to run all requests for services through the kernel mode, is to protect against the possibility of an application crashing the system, and also to protect against unauthorized user access.
Examine Figure 1-3 again, and notice that there are four main subsystems in user mode: the OS/2 subsystem, the Win32 subsystem, the POSIX subsystem, and the Security subsystem. The OS/2 subsystem is required to run OS/2 1.x-compatible applications. The OS/2 subsystem obtains its user interface and its screen functions from the Win32 subsystem, and requests Executive Services in kernel mode to perform all other functions for it. (Executive Services is covered in the next section of this chapter.) The Win32 subsystem is the primary application subsystem. All 32-bit Windows applications run in this subsystem. The Win32 subsystem provides its own screen and keyboard functions, and requests Executive Services in kernel mode to perform all other functions for it. The Win32 subsystem also provides screen and keyboard functions for all of the other subsystems. The POSIX subsystem is designed to run POSIX 1.x-compatible applications. It functions very much like the OS/2 subsystem. The POSIX subsystem uses the Win32 subsystem to provide all of its screen and graphical displays, and it requests Executive Services in kernel mode to perform all other functions for it. Finally, the Security subsystem, which is also referred to as the Integral subsystem, supports the logon process. This subsystem also supports and provides the security for Active Directory. The Security subsystem obtains its user interface and its screen functions from the Win32 subsystem, and requests Executive Services in kernel mode to perform all other functions for it. In addition to the four formal subsystems, a Virtual DOS Machine (VDM) is a feature of user mode. Its function is to run MS-DOS-based and Windows 3.x-based (all 16-bit) applications. Because the VDM is a Win32 application, all of its services, including screen and keyboard functions, are provided by the Win32 subsystem.
Kernel Mode
Kernel mode refers to a highly privileged mode of operation. It is called highly privileged because all code that runs in kernel mode can access the hardware directly, and can also directly access memory. A process running in kernel mode is not restricted to its own specific memory address space as is an application running in user mode. The entire set of services that comprise kernel mode is called Executive Services (or sometimes the Windows NT Executive, or the Executive, for short). Executive Services provide kernel mode services as requested by applications in user mode.
TIP
Notice that I mentioned that Executive Services is sometimes called the Windows NT Executive. Because Windows 2000 is the next version of Windows NT, the name Windows NT will periodically crop up in descriptions of Windows 2000 operating system components and processes.
Notice how Figure 1-3 graphically presents the pieces of kernel mode. Kernel mode is made up of numerous components integral to the major Windows 2000 operating system functions. The Executive Services component functions as an interface between user mode and kernel mode. Its purpose is to pass information between user mode subsystems and kernel mode components. In addition, Executive Services is responsible for the transfer of information and instructions between the various kernel mode components. Executive Services can be thought of as the glue that holds Windows 2000 together. As mentioned earlier, Executive Services is also called the Windows NT Executive, or the Executive, for short.
The I/O Manager is responsible for all input and output to disk storage subsystems. As it manages input and output, the I/O Manager also serves as a manager and supporter of communication between the various drivers. The I/O Manager can communicate directly with system hardware if it has the appropriate hardware device drivers. Subcomponents of the I/O Manager include a Cache Manager, File System Drivers, and Device Drivers.
Window Manager is responsible for providing the graphical user interface. Window Manager communicates directly with the graphics device drivers, which in turn communicate directly with the hardware. In the early days of Windows NT (versions 3.51 and earlier), Window Manager was an integral part of the Win32 subsystem in user mode. When Windows NT 4.0 came along, the developers moved Window Manager from user mode to kernel mode. This change enabled faster access to the graphics device drivers and eliminated the need for user mode applications to switch back and forth between kernel mode and user mode to make calls for graphics services. For these reasons, Window Manager continues to be a kernel mode component in Windows 2000.
There are six other kernel mode subsystems: the Security Reference Monitor, the Virtual Memory Manager, the Object Manager, the Plug and Play Manager, the Power Manager, and the IPC Manager. Each one of these subsystems communicates directly with the Microkernel. The Microkernel is the very heart of the Windows 2000 operating system. It handles interrupts, schedules threads, and synchronizes processing activity. The Microkernel, in turn, communicates with the Hardware Abstraction Layer (HAL). The HAL is designed to hide the varying characteristics of hardware so that all hardware platforms appear the same to the Microkernel. As a result, only the HAL, and not the entire Microkernel, needs to address each and every hardware platform. The HAL can communicate directly with the computer's hardware.
Now that you've been introduced to user mode and kernel mode, you're ready to move on to the last major architecture topic: the Windows 2000 memory model.
virtual memory. If it is in a paging file on the hard disk, the Virtual Memory Manager will move some pages of memory that have not recently been used from RAM to a paging file on the hard disk. It will then recover the pages that were requested by the application from the paging file on the hard disk and move them back into RAM, where the application can access them.
Workgroups
A workgroup is a logical grouping of networked computers in which one or more of the computers has one or more shared resources, such as a shared folder or a shared printer. In a Windows 2000 (or Windows NT) workgroup environment, user account security is maintained individually at each separate computer through the use of a local user account database. Resources and administration are distributed throughout the computers that make up the workgroup. In a workgroup configuration there is no centrally maintained user accounts database, nor any centralized security. This means that a user must have a user account on each computer in the workgroup that contains a shared resource that the user needs to access. Figure 1-4 illustrates how user account security is distributed throughout a workgroup environment. Notice that user account security is maintained individually at each separate computer in the workgroup.
Figure 1-4: User account security in a workgroup. Each PC maintains its own local user account security; one PC shares a hard disk and another shares a printer.
Typically, all of the computers in a workgroup run desktop operating systems, such as Windows 2000 Professional or Windows NT Workstation. Computers in a workgroup may also run Windows 95 or Windows 98, but these operating systems do not support a local user account database. Workgroups are most often implemented in small networks where no centralized security or administration is desired. When a workgroup is used, the user of each computer controls access to the specific resources that are shared by that user's computer, and also maintains the computer's local user account database. It stands to reason, then, that the larger the workgroup, the more time and effort users must spend administering their local computers. Because a workgroup requires each user to be somewhat proficient in managing local user account security and the shared resources the user is responsible for, a workgroup is ideal for a small group of developers or other technically savvy users. A workgroup is probably not a good choice if the users are not comfortable with, or do not have the skills necessary for, administering their own computers.
As a network becomes larger and more complex, administration and security become harder to manage. In these situations a domain (which is the subject of the next section) will most likely be used instead of a workgroup.
Domains
A domain is a logical grouping of networked computers in which one or more of the computers has one or more shared resources, such as a shared folder or a shared printer, and in which all of the computers share a common central domain directory database that contains user account security information. One distinct advantage of using a domain, particularly on a large network, is that administration of user account security for the entire network can be managed from a centralized location. In a domain, a user has only one user account, which is stored in the domain directory database. This user account enables the user to access shared resources (that the user has permissions to access) located on any computer in the domain. Figure 1-5 illustrates how user account security is centralized in a domain environment. Note that all user account security is maintained by the domain controller.
Figure 1-5: User account security in a domain (the Sales.com domain). All user account security is maintained at the domain controller (a Windows 2000 Server domain controller or a Windows NT 4.0 Primary Domain Controller (PDC)); PCs in the domain share printers.
Domains are implemented differently in Windows 2000 than they are in Windows NT 4.0. The following sections explore the similarities and differences between Windows NT 4.0 domains and Windows 2000 domains.
Windows NT 4.0 Domains
In a Windows NT 4.0 domain, at least one of the networked computers is a server that runs Windows NT Server 4.0. This server is configured as a primary domain controller (PDC), which maintains the domain directory database. Typically, there is at least one additional server that also runs Windows NT Server. This additional server (or servers) is usually configured as a backup domain controller (BDC). The other computers on the network normally run a client operating system, such as Windows 95, Windows 98, or Windows NT Workstation. Resources, such as hard disks and printers, can be shared from any computer on the network.
Windows 2000 Domains
In a Windows 2000 domain, at least one of the networked computers is a server that runs Windows 2000 Server. This server is configured as a domain controller, which maintains the Active Directory data store. Typically, there is at least one additional server computer that also runs Windows 2000 Server. This additional computer is also usually configured as a domain controller, which contains a read/write copy of the Active Directory data store. The purpose of the additional server (or servers) is to provide fault tolerance and load balancing for the Active Directory data store. The other computers on the network normally run a client operating system, such as Windows 2000 Professional, Windows NT Workstation, Windows 95, or Windows 98 (although they may utilize Windows 2000 Server or other operating systems). As in Windows NT 4.0 domains, resources, such as hard disks and printers, can be shared from any computer on the network.
At first glance, it appears that there's not much difference between Windows NT 4.0 domains and Windows 2000 domains. However, the two types of domains are significantly different. The main reason for these differences is Active Directory, which is briefly introduced in the next section, and is the entire focus of Chapter 2.
Active Directory
Active Directory is the directory service used by Windows 2000. A directory service is a centralized, hierarchical database that contains information about users and resources on a network. In Windows 2000, this database is called the Active Directory data store. The Active Directory data store contains information about various types of network objects, including printers, shared folders, user accounts, groups, and computers. In a Windows 2000 domain, a read/write copy of the Active Directory data store is physically located on each domain controller in the domain. Three primary purposes of Active Directory are:
To provide user logon and authentication services
To enable administrators to organize and manage user accounts, groups, and network resources
To enable authorized users to easily locate network resources, regardless of where they are located on the network
Active Directory is a complex subject. Volumes can be written about Active Directory; in fact, it's so important that the entire next chapter is devoted to this topic. Active Directory topics are also woven throughout several other chapters in this book. I think you'll find this new feature of Windows 2000 to be both exciting and challenging.
Windows 2000 Professional: Optimized for use on desktop computers
Windows 2000 Server: Optimized for use on network file, print, application, and Web servers
Windows 2000 Advanced Server: Optimized for servers in an enterprise network environment
Windows 2000 Datacenter Server: Optimized for enterprise applications, such as extremely large databases and real-time online transaction processing
Some of the new features common to all of the Windows 2000 operating systems are:
New security protocol: the Kerberos version 5 protocol
Fully supports Plug and Play
Supports two new file systems: FAT32 and the Encrypting File System (EFS)
The application environments supported by Windows 2000 include the MS-DOS environment, the Win16 environment, the Win32 environment, the POSIX environment, and the OS/2 environment.
Windows 2000 supports only the Intel Pentium/166MHz (and higher) hardware platform.
Fundamental terms relating to the Windows 2000 architecture include user mode, kernel mode, and the Windows 2000 virtual memory model. User mode does not have direct access to hardware. In contrast, all code that runs in kernel mode can access the hardware directly, and can also directly access memory. The Windows 2000 virtual memory model utilizes demand paging.
Three other important Windows 2000 concepts are workgroups, domains, and Active Directory.
A workgroup is a logical grouping of networked computers in which one or more of the computers has shared resources, such as a shared folder or a shared printer.
A domain is a logical grouping of networked computers in which one or more of the computers has one or more shared resources and in which all of the computers share a common central domain directory database that contains user account security information.
STUDY GUIDE
This section contains several exam readiness questions designed to test your knowledge and help you prepare for the exams. You can find the answers to these questions at the end of this chapter.
EXAM TIP
I urge you to take the time to answer the questions in the Assessment Questions section at the end of each chapter. These questions are specifically designed to help you to apply the facts and concepts you've just learned. Your investment of time now will pay off later when you take the exams!
Assessment Questions
1. You are choosing a Windows 2000 operating system to use on a new computer at your company. This new computer will be used exclusively as an employee's desktop computer. Which operating system should you choose?
A. Windows 2000 Professional
B. Windows 2000 Server
C. Windows 2000 Advanced Server
D. Windows 2000 Datacenter Server
2. You are choosing a Windows 2000 operating system to use on a new computer at your company. This new computer will be used exclusively as a network file server. Which operating system should you choose?
A. Windows 2000 Professional
B. Windows 2000 Server
C. Windows 2000 Advanced Server
D. Windows 2000 Datacenter Server
3. You are choosing a Windows 2000 operating system to use on a new computer at your company. This new computer will be a heavily used SQL server in your enterprise network environment. Which operating system should you choose?
A. Windows 2000 Professional
B. Windows 2000 Server
C. Windows 2000 Advanced Server
D. Windows 2000 Datacenter Server
4. Which hardware platform (or platforms) are supported by Windows 2000? (Choose all that apply.)
A. The Intel Pentium/166MHz (and higher) platform
B. The Compaq Alpha platform
C. The PowerPC platform
D. The MIPS R4000 platform
E. All hardware platforms
5. Which component in the Windows 2000 architecture supports the logon process and Active Directory?
A. User mode
B. Microkernel
C. Win32 subsystem
D. Security subsystem
6. In which part of the Windows 2000 architecture do applications run?
A. User mode
B. Kernel mode
C. Window Manager
D. Executive Services
7. Several factors must be weighed when deciding whether to use a workgroup or a domain. Which factors, when present, indicate that a workgroup may be the best choice? (Choose two.)
A. When the network consists of a small number of computers, and all of the computers run Windows-based desktop operating systems
B. When the network consists of a large number of computers, and all of the computers run Windows 2000 Server
administration, and users are technically savvy
D. When centralized network administration and security is desired, and users have minimal computer skills and are not comfortable administering their own computers
8. Figure 1-6 is a partially filled-in chart illustrating the Windows 2000 modular architecture. Fill in the missing titles to solidify your understanding of the Windows 2000 architecture.
Figure 1-6: A partially filled-in chart of the Windows 2000 modular architecture (user mode applications and subsystems, kernel mode components, and the Hardware), with several titles left blank for you to fill in.
Professional, Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server.
2. Yes, Windows 2000 fully supports Plug and Play.
3. The five application types supported by Windows 2000 are MS-DOS applications, 16-bit Windows applications, 32-bit Windows applications, POSIX applications, and OS/2 applications.
4. Windows 2000 is supported on only the Intel Pentium (and higher) platform.
5. The two primary modes in the Windows 2000 architecture are user mode and kernel mode.
6. Active Directory is the directory service used by Windows 2000.
Assessment Questions
1. A. Windows 2000 Professional is optimized for use on desktop computers.
2. B. Windows 2000 Server is optimized for use on network file, print, application, and Web servers.
3. C. Windows 2000 Advanced Server is optimized for use on servers (such as SQL servers) in an enterprise network environment.
4. A. The Intel Pentium/166MHz (and higher) platform is the only hardware platform supported by Windows 2000.
5. D. The Security subsystem, which is also referred to as the Integral subsystem and is a user mode component, supports the logon process. It also supports and provides the security for Active Directory.
6. A. Applications and their subsystems run in user mode.
be a better choice than a domain for a particular situation. These factors include when the network consists of just a few computers, when all of the computers run desktop operating systems, when neither centralized security nor administration is desired, and when users are technically savvy.
8. Figure 1-7 displays the answers to this question.
Figure 1-7: The completed Windows 2000 modular architecture chart (answers to question 8): OS/2, Win32, and POSIX applications and the logon process in user mode, served by the OS/2, Win32, POSIX, and Security subsystems; the Local Procedure Call (LPC) Facility and Remote Procedure Call (RPC) Facility in kernel mode; and the Hardware at the bottom.