Tech Questions
Windows 2000 Mixed

When you configure a new Windows Server 2003 domain, the default domain functional level is Windows 2000 mixed. Under this domain functional level, Windows NT, 2000, and 2003 domain controllers are supported. However, certain features such as group nesting, universal groups, and so on are not available.

Windows 2000 Native

Upgrading the functional level of a domain to Windows 2000 Native should only be done if there are no Windows NT domain controllers remaining on the network. By upgrading to the Windows 2000 Native functional level, additional features become available, including group nesting, universal groups, SID History, and the ability to convert between security groups and distribution groups.

Windows Server 2003 Interim

The third functional level is Windows Server 2003 Interim, and it is often used when upgrading from Windows NT to Windows Server 2003. Upgrading to this domain functional level provides support for Windows NT and Windows Server 2003 domain controllers. However, like Windows 2000 Mixed, it does not provide new features.

Windows Server 2003

The last functional level is Windows Server 2003. This domain functional level only supports Windows Server 2003 domain controllers. If you want to take advantage of all the features included with Windows Server 2003, you must implement this functional level. One of the most important features introduced at this functional level is the ability to rename domain controllers.

Knowing how to control and use functional levels in Windows Server 2003 can be a great asset when needed. Many times you are asked or told that you need to add functionality to your domain, and if you are using mixed versions of Windows (NT/2000/2003) you have to consider the functional level set on the domain or the forest to get those desired or requested features.
In this article we will look at the functional levels available, how to determine what is set on your production systems, how to change it if need be, and some features you get from deploying Windows Server 2003 as the functional level, such as domain rename.
A new feature that you may want to use is domain rename. This is only available if all your systems are running Windows Server 2003. This feature is a big help. Domain Rename allows you to replicate portions of a group change instead of the whole group again, which cuts down on traffic sent across the network and helps speed up Active Directory database convergence. Just to single out one new service, such as domain rename, you can see why you would want to verify and then possibly plan for a domain/forest functional level upgrade. Active Directory domain rename tools provide a way to rename one or more domains in an Active Directory forest. The DNS name and the NetBIOS name of a domain can be completely changed using domain rename. A future article will cover how to use domain rename.

Identify your Functional Level

Now that you know why you have a functional level (and what it is), you should understand how to identify it as well as change it. Before you do, there is one mandatory item you should complete, and that's to document (or update the documentation on) the current servers in your domain/forest. It's imperative that you list all of the different Windows operating systems that you are currently running and that you plan to keep in your environment after you deploy Windows Server 2003. Having a mixed environment will ultimately keep you from using many features domain- or forest-wide. The following graphic shows a sample worksheet you can create to gather and list the levels on your production servers for quick analysis. The columns are easy to understand: you want the host name and IP address of each system, the service pack level, the operating system version or level, and the current and future functional levels, documented so you can plan your desired functional level.
Once you have collected this information, you can use the next section to help you plan what you need to do if you want to alter the functional level.

Checking and Changing the Functional Level

Now that you have your sheet, we need to fill it out. In this section we will look at how to get the current functional level and how to change it.

Note: To get your current service pack level (and OS level), go to your system's Control Panel and open the System applet. This shows you the information you need. To get the hostname and current IP address, use Start => Run => cmd and then run the ipconfig /all command-line utility.
To find and then change the functional level, do the following:

1. Open the Active Directory Domains and Trusts MMC, found in your Administrative Tools folder (also reachable from the Control Panel or the Start Menu).
2. To check the domain functional level, right-click the current domain and select Properties; this shows you the current level. On mine, I specifically have it set lower and will show you how to upgrade it.
3. To raise the domain functional level, right-click the current domain and select the Raise Domain Functional Level option.
4. Once you select it, you are shown the Raise Domain Functional Level dialog box, where you can change the domain level (seen here at Windows 2000 native) to Windows Server 2003. In the 'Select an available domain functional level' list, change the functional level to Windows Server 2003 and click Raise. Note the warning exclamation point on the dialog box: it means that once the level is raised it cannot be changed back, so do not make this change if you may need to revert it later. Once set in motion, you will be hard pressed to revert. Make sure you read the rest of this article before making any changes, and always make changes on a test/lab system first.
That's it; you can see how easy it is to do. It's the planning and design that take the most time and work on this project. As you can see from the last graphic, the domain level is now set to Windows Server 2003, but the forest level is still set to Windows 2000. Again, if you have instances where you need to keep the older systems in place, this would be ideal, but if all your systems are Windows Server 2003, then by all means go ahead and raise the forest functional level to Windows Server 2003. This is done by going back into the Active Directory Domains and Trusts MMC, selecting the root of the console and right-clicking it to choose Raise Forest Functional Level. Following the same steps as above will lead you through the forest upgrade, and you will be given similar warnings about making sure you want to make the change.
Note: You can also verify the functional level within the Active Directory Users and Computers MMC; although you can't change it there, you can still verify it. Right-click the domain node (seen here as rsnetworks.net) and you will see the domain and forest functional levels on the General tab.
Before you make these changes, you should definitely make sure you plan properly. Planning is the first step you should take in every deployment, especially one of this nature where you are changing Active Directory in a way in which it can't be reversed.
How to Plan
What may be confusing about planning is what to do with mixed networks, where you have NT, 2000 and 2003 to contend with (for now). With your handy information sheet, you can now plan out your strategy. If you are running Windows NT 4.0 and you are moving directly to 2003, not Windows 2000, then after you deploy the first Windows Server 2003-based domain controller, raise the forest functional level to Windows Server 2003 interim to take advantage of the advanced features available at that forest functional level. If you have both NT 4.0 and 2000 servers in your environment, once you put in the new Windows Server 2003 domain controller you will want to keep the domain level at Windows 2000. Note: If you raise the domain (and/or forest) functional level to Windows Server 2003, you won't be able to add any new domain controllers running a version of Windows earlier than Windows Server 2003 into that domain. Make sure you decide that you want to do this and what you plan to get out of it, and then make sure you do it carefully.
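As an added example (not part of the original article), the planning step above can be mechanised in Python: a worksheet like the one the article describes is checked against the level-to-domain-controller table, and the planner reports which DCs block a requested raise and whether earlier-OS DCs could still be added afterwards. The worksheet rows, host names and function names are constructed for this example.

```python
"""Functional-level planning from a domain controller worksheet.

Added example, not code from the original article. The level-to-DC table is
the one the article gives; the worksheet rows are constructed sample data.
"""

# Domain controller operating systems that each domain functional level
# supports (from the article's table). "NT4" means Windows NT 4.0.
SUPPORTED_DCS = {
    "Windows 2000 mixed": {"NT4", "2000", "2003"},
    "Windows 2000 native": {"2000", "2003"},
    "Windows Server 2003 interim": {"NT4", "2003"},
    "Windows Server 2003": {"2003"},
}

# Constructed worksheet: one row per domain controller, with the columns the
# article suggests. "keep" is False for a DC that will be retired before the
# raise, so it does not count against the target level.
WORKSHEET = [
    {"host": "dc1", "ip": "10.0.0.1", "sp": "SP6a", "os": "NT4", "keep": False},
    {"host": "dc2", "ip": "10.0.0.2", "sp": "SP4", "os": "2000", "keep": True},
    {"host": "dc3", "ip": "10.0.0.3", "sp": "SP1", "os": "2003", "keep": True},
]


def remaining_os(worksheet):
    """Operating systems still present after planned retirements."""
    return {row["os"] for row in worksheet if row["keep"]}


def blocking_dcs(worksheet, target):
    """Hosts whose OS the target level does not support. Each must be upgraded
    or demoted before the raise; an empty list means the raise is possible."""
    allowed = SUPPORTED_DCS[target]
    return [row["host"] for row in worksheet
            if row["keep"] and row["os"] not in allowed]


def candidate_levels(worksheet):
    """Every level the current inventory would permit, in table order."""
    present = remaining_os(worksheet)
    return [level for level, ok in SUPPORTED_DCS.items() if present <= ok]


def plan_raise(worksheet, target):
    """Summarise a proposed raise: whether it is possible, what blocks it, and
    the consequences the article stresses (the change is one-way, and once
    the level is Windows Server 2003 no earlier-OS DC can be added)."""
    blockers = blocking_dcs(worksheet, target)
    allowed = SUPPORTED_DCS[target]
    return {
        "target": target,
        "possible": not blockers,
        "blocking": blockers,
        "irreversible": True,
        "earlier_dcs_allowed_after": bool(allowed & {"NT4", "2000"}),
    }


if __name__ == "__main__":
    print(candidate_levels(WORKSHEET))
    print(plan_raise(WORKSHEET, "Windows Server 2003"))
```

Run against the constructed worksheet, the planner allows a raise to Windows 2000 native (the NT4 box is being retired) and names dc2 as the host blocking Windows Server 2003.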
Summary
In this article we covered functional level settings at the domain and forest level. We covered how to verify what they are, how to change them and what that brings you. In future articles we will cover how to do more with functional levels, especially if you have a pure Windows Server 2003 environment to work with.
1. What are the different functional levels available in Windows 2003, and explain their usage?
2. Describe the different backup methods in Windows 2003 and explain the advantages of shadow copying.
3. What does a System State backup consist of?
4. How do you restore a System State backup of a DC from media?
5. Can an infrastructure master be on a server that is a GC? If not, explain why not; if yes, in what scenario is it allowed (only if all the DCs are GCs can we have it)?
6. How does a workstation know which GC serves authentication for it?
7. I need to have SUS implemented on my network, with clients pushed to the workstation to get automatic Windows updates. How would I do that?
8. What is the command used to transfer or seize roles?
9. Command to do an authoritative and non-authoritative restore; explain with a scenario.
10. What is in-addr.arpa and where is it used?
11. I have installed DNS on my DC when doing a DCPROMO. Unfortunately, when I do nslookup I couldn't get the server resolved, and when I check the DNS zone info I find there are not enough entries for the DC. Tell me one command through which I can resolve this issue.
12. What is the security issue with Windows 2000 on DNS zone transfer that is not there in Windows 2003 by default?
13. What do you mean by "deny logon interactively" while allowing "log on locally" to the servers?
14. What is the DLL that must be registered in order to open the Schema management console?
15. What are the differences between universal, domain global, domain local, and security groups?
16. List the differences between symmetric and asymmetric algorithms in data encryption.
17. What is PGP and how is it used?
18. How is data sent from the server to the client or from the client to the server? How does the handshake happen and how does it end?

1) What are the different functional levels available in Windows 2003, and explain their usage?
Domain functionality

Domain functionality enables features that will affect the entire domain and that domain only. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. By default, domains operate at the Windows 2000 mixed functional level. The following table lists the domain functional levels and their corresponding supported domain controllers.

Domain functional level          Domain controllers supported
Windows 2000 mixed (default)     Windows NT 4.0, Windows 2000, Windows Server 2003 family
Windows 2000 native              Windows 2000, Windows Server 2003 family
Windows Server 2003 interim      Windows NT 4.0, Windows Server 2003 family
Windows Server 2003              Windows Server 2003 family
Forest functionality

Forest functional level          Domain controllers supported
Windows 2000 (default)           Windows NT 4.0, Windows 2000, Windows Server 2003 family
Windows Server 2003 interim      Windows NT 4.0, Windows Server 2003 family
Windows Server 2003              Windows Server 2003 family
These functional levels provide configuration support for the Active Directory features in Windows Server 2003 and ensure compatibility with domain controllers running Windows 2000 Server and Windows NT 4.0.
2) Describe the different backup methods in Windows 2003 and explain shadow copying advantages
Types of Backup

Copy backup: Copies all the files that you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups, because copying does not affect these other backup operations.

Daily backup: Copies all the files that you select that have been modified on the day that the daily backup is performed. The backed-up files are not marked as having been backed up (in other words, the archive attribute is not cleared).

Differential backup: Copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, you must have the last normal as well as the last differential backup to restore files and folders.

Incremental backup: Backs up only those files that have been created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a combination of normal and incremental backups, you will need to have the last normal backup set as well as all incremental backup sets to restore your data.

Normal backup: Copies all the files that you select and marks each file as having been backed up (in other words, the archive attribute is cleared). With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. You usually perform a normal backup the first time you create a backup set.
Backup uses the Volume Shadow Copy service to ensure that:
- Applications can continue to write data to the volume during a backup.
- Backups can be performed at any time, without locking out users.

If you choose to disable the volume shadow copy using advanced options, or if the service fails, Backup will revert to creating a backup without the Volume Shadow Copy service technology. If this occurs, Backup skips files that are open or in use by other applications at the time of the backup.
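To make the archive-attribute rules concrete, here is an added Python model (not code from the page or from Windows Backup) that runs a constructed week of backups over three files, records what each backup type copies and whether it clears the attribute, and works out which backup sets a restore would need. The File class, the file names and the schedule are assumptions of this example.

```python
"""Model of the five Windows Server 2003 Backup types and the archive bit.

Added example, not part of the original page. The files and the backup
schedule are constructed; the selection and archive-attribute rules are
the ones stated in the backup-type table above.
"""
from datetime import date


class File:
    """A file with the only two properties Backup cares about here."""

    def __init__(self, name, modified, archive=True):
        self.name = name
        self.modified = modified    # date of the last change
        self.archive = archive      # archive attribute: set when the file changes

    def touch(self, day):
        """Simulate a user editing the file on the given day."""
        self.modified = day
        self.archive = True


def run_backup(files, kind, today=None):
    """Return the names of the files a backup of the given kind copies, and
    clear the archive attribute only where that kind of backup does so."""
    if kind == "normal":              # everything; clears the bit
        chosen, clears = list(files), True
    elif kind == "copy":              # everything; leaves the bit alone
        chosen, clears = list(files), False
    elif kind == "daily":             # changed today; leaves the bit alone
        chosen, clears = [f for f in files if f.modified == today], False
    elif kind == "differential":      # changed since last normal/incremental; leaves the bit
        chosen, clears = [f for f in files if f.archive], False
    elif kind == "incremental":       # changed since last normal/incremental; clears the bit
        chosen, clears = [f for f in files if f.archive], True
    else:
        raise ValueError("unknown backup type: " + kind)
    if clears:
        for f in chosen:
            f.archive = False
    return [f.name for f in chosen]


def restore_sets(schedule):
    """Indices of the backup sets needed for a complete restore after the
    last entry of `schedule` (a list of backup kinds in the order run):
    the last normal, every incremental after it, and the last differential
    taken after the last incremental. Copy and daily sets never count,
    because they neither clear the bit nor depend on it."""
    if "normal" not in schedule:
        raise ValueError("nothing to restore without a normal backup")
    base = len(schedule) - 1 - schedule[::-1].index("normal")
    incrementals = [i for i in range(base + 1, len(schedule)) if schedule[i] == "incremental"]
    last_anchor = incrementals[-1] if incrementals else base
    later_diffs = [i for i in range(last_anchor + 1, len(schedule)) if schedule[i] == "differential"]
    return [base] + incrementals + later_diffs[-1:]


def demo_week():
    """Run a constructed week of backups and return what each one copied."""
    mon, tue, wed, thu = (date(2004, 3, d) for d in (1, 2, 3, 4))
    files = [File("a.doc", mon), File("b.xls", mon), File("c.mdb", mon)]
    copied = {}
    copied["mon_normal"] = run_backup(files, "normal")
    files[0].touch(tue)
    copied["tue_incremental"] = run_backup(files, "incremental")
    files[1].touch(wed)
    copied["wed_copy"] = run_backup(files, "copy")           # does not disturb the chain
    copied["wed_differential"] = run_backup(files, "differential")
    files[2].touch(thu)
    copied["thu_daily"] = run_backup(files, "daily", today=thu)
    copied["thu_differential"] = run_backup(files, "differential")
    return copied
```

The Thursday differential copies both b.xls and c.mdb because nothing since Tuesday's incremental cleared their archive bits, which is exactly why a restore of this week needs only the Monday normal, the Tuesday incremental and the last differential.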
4) How do you restore a System State backup of a DC from media?

9.
NOTE: When you choose to restore a file to an alternative location or to a single file, not all system state data is restored. These options are used mostly for boot files or registry keys.
10. Click Start Restore.
11. After the restore process is finished, restart the computer.
5) Can an infrastructure master be on a server that is a GC? If not, explain why not; if yes, in what scenario is it allowed (only if all the DCs are GCs can we have it)?

Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function: it will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.

6) How does a workstation know which GC serves authentication for it?

A workstation that is logging on to a Windows 2000 domain queries DNS for SRV records to find the GC.
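As an added example that is not part of the original page, the following Python shows what the workstation does with that SRV answer: it builds the _gc._tcp name to query (site-specific first, forest-wide as fallback) and then orders the returned records by priority and weight as RFC 2782 describes. The records, the forest name example.test and the site name HQ are constructed; the random draw is injectable so the ordering can be reproduced.

```python
"""Locating a global catalog through DNS SRV records.

Added example, not from the original page. The records are constructed
samples in the shape a domain controller registers under _gc._tcp.<forest>
(port 3268 is the global catalog LDAP port); ordering follows the
priority/weight rule of RFC 2782, with the random draw injectable so the
choice can be reproduced.
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")


def gc_srv_name(forest_dns_name, site=None):
    """Owner name a client queries for GC SRV records: the site-specific name
    when the client knows its site, otherwise the forest-wide name."""
    if site:
        return "_gc._tcp.%s._sites.%s" % (site, forest_dns_name)
    return "_gc._tcp." + forest_dns_name


# Constructed answer to _gc._tcp.example.test (assumed forest name).
GC_RECORDS = [
    SRV(priority=0, weight=100, port=3268, target="dc1.example.test."),
    SRV(priority=0, weight=100, port=3268, target="dc2.example.test."),
    SRV(priority=10, weight=0, port=3268, target="dc3.example.test."),  # fallback only
]


def order_srv(records, rng=random.random):
    """Return the records in the order a client should try them: lowest
    priority first; within a priority, a weighted random draw, so two
    equally weighted DCs share the logon load and a weight-0 record is
    tried last. `rng` must return a float in [0, 1)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = pool[0]
            else:
                point = rng() * total
                running = 0
                for r in pool:
                    running += r.weight
                    if point < running:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def gc_targets(records, rng=random.random):
    """Just the host names, in try order, for the client's logon attempt."""
    return [r.target for r in order_srv(records, rng)]


if __name__ == "__main__":
    print(gc_srv_name("example.test", "HQ"))
    print(gc_targets(GC_RECORDS))
```

With a real resolver the client would query gc_srv_name() and feed the answer section into order_srv(); the priority-10 record is only reached when both priority-0 catalogs fail, which is how a remote site is kept out of normal logon traffic.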
8) What is the command used to transfer or seize roles?

Use the Ntdsutil utility. To transfer a FSMO role:

1. ...the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
   Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
9) Command to do an authoritative and non-authoritative restore; explain with a scenario.

The Authoritative Restore feature allows an administrator to select specific objects or subtrees of objects from an archived Active Directory database and restore them to a domain controller.

Performing an authoritative restore

After the data has been restored, use Ntdsutil.exe to perform the authoritative restore. To do this, follow these steps:

1. At a command prompt, type ntdsutil, and then press ENTER.
2. Type authoritative restore, and then press ENTER.
3. Type restore database, press ENTER, click OK, and then click Yes.
Restoring a subtree
Frequently, you may not want to restore the whole database because of the replication impact this would have on your domain or forest. To authoritatively restore a subtree within a forest, follow these steps:

1. Restart the domain controller.
2. When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then press ENTER.
3. Restore the data from backup media for an authoritative restore. To do this, follow these steps:
   a. In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.
   b. Click Restore Wizard, and then click Next.
   c. Select the appropriate backup location, and then make sure that at least the System disk and System State containers are selected.
   d. Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced menu, the restore process will not be successful.
   e. In the Restore Files to list, click Original Location.
   f. Click OK, and then complete the restore process. A visual progress indicator is displayed.
   g. When you are prompted to restart the computer, do not restart.
4. At a command prompt, type ntdsutil, and then press ENTER.
5. Type authoritative restore, and then press ENTER.
6. Type the following command, and then press ENTER:
   restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
   Note: In this command, OU_Name is the name of the organizational unit that you want to restore, Domain_Name is the domain name that the OU resides in, and xxx is the top-level domain name of the domain controller, such as "com," "org," or "net."
7. Type quit, press ENTER, type quit, and then press ENTER.
8. Type exit, and then press ENTER.
9. Restart the domain controller.
Non-Authoritative Restore Using the Windows 2000 Backup Tool

There are a number of different scenarios in which a restore of Active Directory may be necessary. In some cases, the domain controller might have failed due to an operating system failure or hardware failure. In other cases, Active Directory on that domain controller may fail, stop responding, or become corrupt. The Active Directory restore procedures are slightly different for these scenarios and are detailed below.

In this scenario, the entire computer needs to be rebuilt, complete with operating system and Active Directory. To restore Active Directory to a failed domain controller:

1. At a healthy domain controller in the same domain, click Start, Programs, Administrative Tools, and then click Active Directory Sites and Services.
2. In Active Directory Sites and Services, navigate to the site in which the failed domain controller was a member.
3. Delete any references to the failed domain controller.
4. Install the appropriate version of the Windows 2000 operating system, complete with any necessary Service Packs, on the computer that will replace the failed server.
5. During the installation of Windows 2000 Server, specify the name of the failed domain controller as the computer name when prompted.
6. After installation, make sure the backup media containing Active Directory is available. Alternatively, copy the backup file (.bkf) over the network to the local computer.
7. On the Start menu, click Run, and then type Ntbackup.
8. On the Welcome page, click Restore Wizard.
9. Click Next, and then select the backup set from which you want to restore. Select System State, and then click Next.
10. Click Finish.
10) What is in-addr.arpa and where is it used?

in-addr.arpa is used for reverse DNS lookup of IP addresses. For example, the IP address 212.30.222.56 is mapped to a host name by issuing a DNS query for the PTR record of the special host name 56.222.30.212.in-addr.arpa.
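The name construction is mechanical and easy to get backwards, so here is an added Python example (not from the page) that builds the PTR owner name for any IPv4 address the way the page does for 212.30.222.56, the reverse zone name for a prefix, and the zone-file line an administrator would add. It goes beyond the page by handling the IPv6 ip6.arpa tree as well; the host name in ptr_record is a placeholder.

```python
"""Building reverse-lookup names for the in-addr.arpa and ip6.arpa trees.

Added example, not from the original page. It generalises the page's
212.30.222.56 example to any IPv4 address and, going beyond the page,
to IPv6, using only the standard library.
"""
import ipaddress


def reverse_pointer_name(address):
    """Owner name whose PTR record maps `address` back to a host name:
    IPv4 octets reversed under in-addr.arpa, IPv6 nibbles reversed under
    ip6.arpa. Raises ValueError for anything that is not an IP address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")
        suffix = "in-addr.arpa"
    else:
        labels = list(ip.exploded.replace(":", ""))   # 32 hex nibbles
        suffix = "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix


def reverse_zone_name(network):
    """Name of the reverse zone that would hold the PTR records for a prefix.
    IPv4 zones are delegated on octet boundaries (/8, /16, /24) and IPv6
    zones on nibble boundaries (multiples of 4 bits); other prefix lengths
    need classless delegation and are rejected here."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated per octet")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa"
    else:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse zones are delegated per nibble")
        labels = list(net.network_address.exploded.replace(":", ""))[: net.prefixlen // 4]
        suffix = "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix


def ptr_record(address, hostname):
    """The zone-file line for one reverse mapping (hostname is a placeholder)."""
    return "%s. IN PTR %s" % (reverse_pointer_name(address), hostname)


if __name__ == "__main__":
    print(reverse_pointer_name("212.30.222.56"))
    print(reverse_zone_name("212.30.222.0/24"))
    print(ptr_record("212.30.222.56", "host.example.test."))
```

The standard library's ipaddress objects also expose a reverse_pointer property; the explicit version above is kept so the octet and nibble reversal is visible.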
11) I have installed DNS on my DC when doing a DCPROMO. Unfortunately, when I do nslookup I couldn't get the server resolved, and when I check the DNS zone info I find there are not enough entries for the DC. Tell me one command through which I can resolve this issue.

At a command prompt, type ipconfig /flushdns to purge the DNS resolver cache, and then type ipconfig /registerdns to register the DNS resource records.
14) What is the DLL that must be registered in order to open the Schema management console?

To register the Schema snap-in, open a command console, navigate to C:\Windows\System32, and run regsvr32 schmmgmt.dll.
15) What are the differences between universal, domain global, domain local, and security groups?

Domain local groups
Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group.
The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.
Global groups
Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain. Note: Groups created in the Active Directory at Indiana University should be global groups. Since there is a single ADS Domain at IU, this is the most appropriate group to use.
Universal groups
Universal security groups are most often used to assign permissions to related resources in multiple domains. Members from any domain may be added. Also, you can use a universal group to assign permissions for access to resources in any domain. Universal security groups are not available in mixed mode. The full feature set of Windows 2000 and later Microsoft NT-based operating systems is available in only native mode. The universal scope can contain user accounts, universal groups, and global groups from any domain. The scope can be a member of domain local or universal groups in any domain. Note: Though it is possible to create universal groups in the Active Directory at IU, it is unnecessary because the ADS at IU is a single domain. Global groups are preferable because they use fewer resources.
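As an added example (not from the page or the IU knowledge base), the scope rules above can be written as a checker: given a group, a candidate member and whether the domain is in native mode, it says whether the nesting is legal and why, and whether the group can be used to grant access in a given domain. The principals and domain names are constructed.

```python
"""Nesting and permission-assignment rules for the three group scopes.

Added example, not from the original page. It encodes the rules the text
states so a proposed nesting or ACL use can be checked before it is tried;
the principals and domain names are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str   # "user", "domain_local", "global" or "universal"


def can_contain(group, member, native_mode=True):
    """Return (allowed, reason) for adding `member` to `group`, following
    the scope rules above. `native_mode` is False for a Windows 2000 mixed
    domain, where universal security groups do not exist."""
    same_domain = group.domain == member.domain
    if group.kind == "universal" and not native_mode:
        return False, "universal security groups are not available in mixed mode"
    if group.kind == "domain_local":
        if member.kind in ("user", "global", "universal"):
            return True, "domain local groups accept users, global and universal groups from any domain"
        if member.kind == "domain_local":
            return same_domain, "domain local groups nest only domain local groups from the same domain"
    if group.kind == "global":
        if member.kind in ("user", "global"):
            return same_domain, "global groups accept only users and global groups from their own domain"
        return False, "global groups cannot contain domain local or universal groups"
    if group.kind == "universal":
        if member.kind in ("user", "global", "universal"):
            return True, "universal groups accept users, global and universal groups from any domain"
        return False, "universal groups cannot contain domain local groups"
    return False, "a %s cannot contain members" % group.kind


def can_assign_permission(group, resource_domain):
    """Whether `group` can appear in an ACL on a resource in `resource_domain`:
    domain local groups only in their own domain, global and universal anywhere."""
    if group.kind == "domain_local":
        return group.domain == resource_domain
    return group.kind in ("global", "universal")


def check_nesting_plan(plan, native_mode=True):
    """Validate a list of (group, member) pairs; returns the failures as
    (group name, member name, reason) so they can be fixed before rollout."""
    failures = []
    for group, member in plan:
        ok, why = can_contain(group, member, native_mode)
        if not ok:
            failures.append((group.name, member.name, why))
    return failures
```

The usual pattern the text implies (users in global groups, global groups in domain local groups, domain local groups on the ACL) passes the checker in every domain; putting a user from a child domain straight into a parent-domain global group is the common mistake it flags.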
17) What is PGP and how is it used?

PGP (Pretty Good Privacy). If you use the email plugins under Windows, encrypting and "signing" a message may be done simply by clicking an icon and choosing a public or private key respectively. A typical scenario follows. You give your public key to correspondents; you can email it to them, for example, or post your public key on a remote keyserver, after which anyone who visits that keyserver can be your secure correspondent; that is the purpose of a keyserver. Two remote keyservers are made available during the installation of PGP. The Windows PGP install process automatically offers to put your public key on a keyserver. This install process will also let you easily install PGP email plugin(s) for Eudora, Netscape, and/or Exchange/Outlook Express. A correspondent writes a message with their email client and then uses your public key to encrypt that message before sending it to you, or you use their public key to encrypt a message to them. You then use your private (secret) key, maintained on your local computer system, to decrypt a message sent to you. Email plugins do this automatically, prompting you for your private key pass-phrase. Since the message was encrypted with your public key, only your private key, and no one else's keys, can decrypt this message. So only you can decrypt such messages. A sender's private key may also be used to "sign" messages. You then use the sender's public key to decrypt the signature. No one else's public or private key can decrypt this signature. Thus the signature is unique, and if it decrypts using the sender's public key, this is proof that the electronic signature is the sender's and no one else's. Also, as stated in the PGP manual, "a signed message verifies that the information within it has not been tampered with in any way." Such secure electronic signing assumes, of course, that private keys are in fact known only to their owners; that is, it is assumed that keylogger spyware has not invaded the system using PGP.
16) List the differences between symmetric and asymmetric algorithms in data encryption

Symmetric algorithms encrypt and decrypt with the same key. The main advantages of symmetric algorithms are their security and high speed. Asymmetric algorithms encrypt and decrypt with different keys: data is encrypted with a public key and decrypted with a private key. Asymmetric algorithms (also known as public-key algorithms) need at least a 3,000-bit key to achieve the same level of security as a 128-bit symmetric algorithm. Asymmetric algorithms are incredibly slow, and it is impractical to use them to encrypt large amounts of data. Symmetric algorithms are about 1,000 times faster than asymmetric ones.
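The PGP scenario above and this comparison fit together in one added Python example (not PGP's code and not from the page): the slow public-key algorithm is used only to wrap a 16-byte session key for the recipient and to sign a 32-byte digest as the sender, while a fast symmetric stream cipher protects the whole body. Textbook RSA over fixed Mersenne primes and a SHA-256 keystream are stand-ins assumed here so the code runs offline and reproducibly; they illustrate the structure only and are not suitable primitives for real use.

```python
"""PGP-style hybrid protection of a message: symmetric for the body,
asymmetric to wrap the session key and to sign.

Added example; it is not the page's or PGP's code. Textbook RSA over fixed
Mersenne primes stands in for the real public-key algorithm and a SHA-256
keystream stands in for the real symmetric cipher; both are assumptions
chosen only so the example runs offline. The structure is what the text
describes: the slow asymmetric operation touches only a 16-byte key and a
32-byte digest, the fast symmetric one handles the whole body.
"""
import hashlib
import secrets

E = 65537  # public exponent (standard choice)


def make_keypair(p, q, e=E):
    """Textbook RSA key pair from two primes: returns (public, private) as
    (n, e) and (n, d). The primes are fixed by the caller for reproducibility."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


# Constructed key pairs; using Mersenne primes is an assumption of this demo.
SENDER_PUB, SENDER_PRIV = make_keypair(2**607 - 1, 2**89 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**521 - 1, 2**127 - 1)


def keystream_xor(key, data):
    """Symmetric stand-in: XOR data with SHA-256(key || block counter).
    The same call encrypts and decrypts, as with any stream cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(plaintext, sender_priv, recipient_pub):
    """Encrypt for the recipient and sign as the sender."""
    session_key = secrets.token_bytes(16)                          # fresh per message
    body = keystream_xor(session_key, plaintext)                    # fast, bulk
    n, e = recipient_pub
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)    # only the recipient's d unwraps
    n_s, d_s = sender_priv
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    signature = pow(digest, d_s, n_s)                               # only the sender's d can make this
    return {"body": body, "wrapped_key": wrapped_key, "signature": signature}


def open_message(msg, recipient_priv, sender_pub):
    """Unwrap the key, decrypt, and verify the signature; raises ValueError
    if the key does not unwrap or the signature does not match (wrong key
    or tampered content)."""
    n, d = recipient_priv
    key_int = pow(msg["wrapped_key"], d, n)
    if key_int >= 1 << 128:
        raise ValueError("unwrapped value is not a session key: wrong recipient key")
    plaintext = keystream_xor(key_int.to_bytes(16, "big"), msg["body"])
    n_s, e_s = sender_pub
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    if pow(msg["signature"], e_s, n_s) != digest:
        raise ValueError("signature does not verify: wrong sender key or tampered message")
    return plaintext


def verifies(msg, recipient_priv, sender_pub):
    """True if the message opens and its signature verifies, else False."""
    try:
        open_message(msg, recipient_priv, sender_pub)
        return True
    except ValueError:
        return False
```

Flipping one bit of the body, verifying against the wrong sender key, or opening with the wrong recipient key all make open_message() raise, which is the "has not been tampered with" and "only your private key can decrypt" behaviour the PGP description promises; the body itself could be megabytes without touching the asymmetric step again.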
7) I need to have SUS implemented on my network, with clients pushed to the workstation to get automatic Windows updates. How would I do that?

Software Update Services (SUS) is Microsoft's new server for distributing hotfixes and patches across the enterprise.
After the updates are downloaded to the SUS server, they are approved. During the installation process, you can select either automated approval or manual approval. If you selected automated approval, no action is necessary. If you selected manual approval, you must look through the list of downloaded updates periodically and manually approve them. Once the updates are downloaded and approved, it's time to have the Automatic Updates client installed on each of your PCs contact the SUS server. This is most often done through a group policy, but it can also be done manually, either through registry entries or by using the Automatic Updates template for the local policy editor. The Automatic Updates client will do as instructed, typically downloading the updates and installing them at a predetermined time in the early morning. In fact, when you tell Automatic Updates to automatically install updates, it defaults to 3 A.M. Using group policies, you can force the workstation to install updates and reboot if necessary, even if the user is logged in and has not saved his or her files. This can be dangerous but provides reasonable assurance that the updates will definitely be applied. The Automatic Updates client will contact the SUS server at a pseudorandom interval that is approximately 17 hours after the last contact, or approximately five minutes after the client settings are changed. Using a pseudorandom interval helps prevent every client from attempting to contact the SUS server at the same moment, which could quickly overwhelm the server. Once the Automatic Updates client has determined which of the approved updates available from the SUS server apply to it, they are downloaded. The Automatic Updates client displays an icon on the toolbar if the user who is logged in is an administrative user. The icon allows the administrator to apply the updates immediately. If an administrative user is not logged in, or if the administrative user does not install the updates immediately, the updates will be applied at the scheduled time. If a user is logged in at that time and a reboot is required, a message will appear warning that he or she must log off or be forcibly logged off to support the reboot.
Installing SUS
The first step in the process of installing SUS is to download the Microsoft Installer file from the Microsoft SUS site. Then, double-click the Installer to launch the Microsoft Software Service Setup Wizard. It works like almost every other wizard you've ever used when installing Microsoft software. Advance through the Welcome and License Agreement screens by clicking Next. When you encounter the Choose Setup Type screen, you can choose Typical or Custom. Custom gives you a little more control over the installation, so click it. Next, you'll see the Choose File Locations screen shown in Figure A. Here, you can select the directories where you want to store the SUS service and the associated content.

Figure A
The next screen, Language Setting, enables you to choose the language of the updates you want to store. Specify whether you want to download updates for English, Specific Languages, or All Available Languages, and click Next to continue. You'll then see the Update Approval Settings screen, shown in Figure B. Specify whether you want to accept updates automatically or manually approve updates.

Figure B
SUS can automatically approve updates for you, or you can choose to approve them manually.
Clicking Next will bring up the Ready To Install screen. Click the Install button to begin the installation process. After the files finish copying, you'll see the final page of the wizard, which lists the URL your users will use to access SUS files on your network, as shown in Figure C. Click the Finish button to begin using SUS.

Figure C
Unlike most wizards, the final screen is actually useful, showing you the URL your users will use to access SUS.
Configuring SUS
Once SUS is installed, it is time to do a bit of configuration. SUS must be synchronized with the Microsoft Windows Update servers to download content and should ideally be set up to download updates on a regular schedule. To do the configuration you will need to go to http://localhost/SUSAdmin. Obviously, you'll swap out localhost with the name of the server you installed SUS on. A Web browser opens automatically after the installation process, as shown in Figure D.
To configure your SUS Server, click the Synchronize Server link in the left pane. When the Synchronize Server page appears (Figure E), click the Synchronize Now button to start the initial synchronization. This will ensure that the SUS server can contact the Microsoft Windows Update servers. Figure E
Synchronization progress will be displayed on the Web page, and you will receive a message when the initial synchronization is complete. Click OK to return to the Synchronize Server page. This process can take quite a while, depending upon the speed of your network connection and the number of updates currently available. After you complete the initial synchronization, click the Synchronization Schedule button to bring up the Synchronization Schedule dialog box. Here, you can set a synchronization schedule that causes the SUS server to contact the Microsoft servers for updated packages. You can choose to have SUS synchronize daily or weekly. The Daily option is appropriate for most organizations. When you finish, click the OK button. Next, click the Set Options button to go to the Options page. Scroll down to the Select How You Want To Handle New Versions Of Previously Applied Updates section. Select the appropriate option to specify whether you want to automatically allow updates to approved packages. (This option is relevant only when you have chosen to manually approve updates.) Then click the Apply button. The final step in the installation and configuration of your SUS server also applies only if you have chosen to manually approve updates. In that case, you must approve at least one update. Select the Approve Updates link from the left pane. When the page is displayed, select the check boxes to the left of the updates that you want to approve. Now, click the Approve button.
Update testing
The final step is to test that the updates are being delivered. The easiest way to do this is to configure a workstation to automatically download and install updates. From there, run Windows Update and take inventory of the critical updates that are available. Wait until the next day to see whether that number has gone down.
Note that even with SUS working, you may not get the critical updates down to zero. Remember that SUS won't deliver service packs, although Microsoft lists Internet Explorer updates under the category of critical updates. As a result, you may still see a critical update outstanding even though SUS is working.
SUS Server Components
SUS is a new, free download from Microsoft that has one function: to help automate your hotfix and security patch rollouts. Microsoft has dedicated a new Web site to this endeavor, and it can be found at http://microsoft.com/windows2000/windowsupdate/sus/default.asp. The idea is simple. Set up a server that contacts Microsoft and automatically downloads the latest patches. Then paw through the myriad available patches, flagging and approving the ones you need for your environment. After you've approved them, your Windows client machines simply connect to your server (not Microsoft's) to receive the patches you approve.
Setting up the SUS server components is relatively easy, but a bit tedious. First, you'll need to earmark a server to do the job of housing and doling out the security fixes and hotfixes you approve. This machine must be a member server running Service Pack 2 (and can't be a domain controller or Small Business Server). It also needs to be loaded with IIS 5.0 and Internet Explorer 5.5 (a long download and consequent install). Once you're set up, you'll be ready to download the SUS server components, which can be found as an MSI package off the home page listed previously. The file is named SUSSetup.msi and weighs in at a whopping 48MB.
The installation is fairly routine, provided all the above requirements are met. However, the installation does run Microsoft's new IIS Lockdown Wizard. This is important to note because, if you choose to run other applications on the same IIS server, you'll need to be aware of what that wizard does to your other applications.
After installation is complete, you're ready to configure your server to talk with Microsoft. To get to the heart of SUS, you can either click the newly installed Microsoft Software Update Services icon now located on the Administrative Tools menu of the Start menu or simply fire up IE 5.5 and type in http://{servername}/SUSAdmin. Start by clicking the Synchronize Server line item on the left-hand side, then configuring a schedule for automatically updating your server (see Figure 1).
Figure 1. Configure your automatic update schedule through Schedule Synchronization.
Once you synch to the mothership at Microsoft, you can approve the updates that are right for your company. Note that the first synchronization can take quite a while (and the longer you wait to get started, the more updates will be waiting for you). Simply click on the Approve Updates line item at the left and choose which updates you want to send on. You can sort the updates by Status, Date, Title or Platform. Simply select the updates you want, then click the Approve button (see Figure 2).
Figure 2. There are many updates to choose from, so plan on your first patch/hotfix download from Microsoft taking a while.
Now that you've got the server side standing by, you're ready to prepare your clients. Note that SUS only works with Win2K, Windows XP and Windows Server 2003 as targets. Windows NT and the like are left out in the cold. This doesn't appear to be because of any hard-and-fast technical requirement; my hunch is that SUS client-side administration is to be performed entirely with Group Policy, and only newer clients can process Group Policy.
To set up your clients, you'll need to perform several steps. You'll first need to download and deploy the SUS client installation file WUAU22.MSI. The file comes as an MSI package, which is handy as you'll have to leverage Group Policy once again to deploy this to your Win2K and XP population. (Note that downloading and deploying is unnecessary for Win2K SP3 or Windows XP SP1 clients, as the package is integrated into the service pack.)
Next, you'll need to configure your SUS clients. You'll do this with a file you'll swipe off the newly loaded SUS server you prepared in the last section. It's called WUAU.ADM and is found in c:\winnt\inf. Copy that file to the Win2K DC which houses the PDC Emulator role, placing it in the directory c:\winnt\inf there.
Now, you're ready to use Active Directory Users and Computers to put these two pieces together. You'll need to decide how you want to deploy updates: either to some computers, by placing them into a specific organizational unit (OU), or to all computers, by deploying to all computers in the domain. When ready, create a new Group Policy Object (GPO) at the level you choose; name it whatever you wish, SUS Updates for example; then edit the GPO. If needed, assign WUAU22.MSI to the client computers you wish and ensure that they reboot to take the change and install the new software.
You have two steps left: tell the client computers which SUS server to use and how to implement the updates they receive. To do this, import the WUAU.ADM template file copied from the SUS server onto the DC.
Right-click the Administrative Templates entry, click Add/Remove Templates, click Add, find the WUAU.ADM file and add it in as one of the templates (see Figure 3).
Figure 3. The wuau.adm file tells the computers receiving updates from the SUS server how to implement them.
When you do, you'll be able to traverse to Administrative Templates | Windows Components | Windows Update and find two new policies: Configure Automatic Updates and Specify intranet Microsoft update service location (Figure 4).
Figure 4. Applying the template from Figure 3 creates two new policies, seen in the right pane.
In the Configure Automatic Updates policy, you specify how clients should react to changes: specifically, how and when patches should be automatically downloaded or installed. In the Specify intranet Microsoft update service location policy, you'll need to enter which server these clients will point to in order to grab updates. Use the syntax: Http://{yourSUSservername}
It's that easy! You've just set a schedule for clients with the SUS client software to accept the updates you approve on your SUS server.
Figure 5. Schedule updates from the SUS server through this screen.
SUS is a quantum leap in hotfix and patch management. However, there is certainly room for improvement. For instance, SUS stops being useful when you need a specific patch for only a specific group of machines. Recall from above that all client computers now point to a single SUS server with a single set of approved updates.
However, if you have a case that requires special action, chances are you'll still have to trot out to the desktop and load that special fix. If you don't want to, there's a kludgy workaround: set up another SUS server, approve all the specific updates for those clients, and point those clients at this special, additional SUS server. To counteract this thorny problem, Microsoft will soon be releasing a Software Update Services Feature Pack for SMS, which should allow for specific targeting of hotfixes to machines (though it will require a full deployment of Microsoft's SMS in order to do so).
Note that SUS doesn't deploy service packs; it's only for hotfixes and security fixes. This isn't really a shortcoming, as Win2K and Windows XP service packs have been a breeze to install all along via Group Policy. SUS doesn't update Office, Exchange, SQL or anything else; it's strictly for updating the Windows OS. Other areas in which I'd like to see SUS improve are load balancing; specific targeting (without the need for SMS); and a better flow for updating, testing, approving and targeting to the client computers.
This doesn't mean SUS should be passed over. Indeed, SUS definitely works as advertised; if you don't care about targeting specific fixes to specific client computers, this may be the (free) ticket you seek. It's a terrific technology, and one I'm delighted to see Microsoft add to its arsenal to protect the systems we use.
Jeremy Moskowitz, MVP, MCSE, founder of Moskowitz, Inc. (Moskowitz-inc.com), is an independent consultant and trainer for Windows technologies. He runs the GPanswers.com and WinLinAnswers.com community forums to answer tough Group Policy and Windows/Linux integration questions. His popular book on Group Policy is entitled Group Policy, Profiles and IntelliMirror. His latest book is Practical Windows and Linux Integration: Hands-on Solutions for a Mixed Environment.
Jeremy frequently contributes to Redmond magazine and is the Linux track manager at TechMentor. You can contact Jeremy about "Patching the Holes" at jeremym@moskowitz-inc.com.
What is the difference between the Global Catalog and the Infrastructure Master?
The Global Catalog server maintains a partial, read-only copy of every domain in a forest, and is used for universal group storage and logon processing, among other things.
The Infrastructure Master is a Flexible Single-Master Operations (FSMO) role-holder in each Active Directory domain that maintains internal references to objects that reside in other domains.
I was wondering how many users can be implemented in a Windows Server 2003 Active Directory? I called Microsoft and they did not even know.
The number of users that AD can support depends on the amount of space that each object takes up, which increases if you're using many directory-enabled applications such as Microsoft Exchange that add to the storage required for each user object. The physical NTDS.DIT file that stores AD information on each domain controller can be many terabytes in size, and thus AD can scale to millions of objects. For an interesting discussion of what happens when you have a really large DIT file, check out this blog entry from one of Microsoft's developers.
How many partitions are there in a Windows 2000 Active Directory?
There are a minimum of three. The Configuration NC contains forest-wide configuration data and is replicated to every domain controller in a forest. The Schema NC contains schema information and is also replicated forest-wide. Finally, each AD domain within a forest has a Domain Naming Context that is fully replicated to the domain controllers within the individual domain, while Global Catalog servers (GCs) maintain a partial, read-only replica of every domain NC in the forest.
I am administering a Windows 2000 Server domain controller. I have installed Active Directory and login drives as Z: drive for the daily work on that domain controller. However, users who want to access the Internet have to set the proxy again and again if they sit at another system. Is there a way that I can apply proxy settings automatically on all the workstations?
Very simply, in fact. The easiest way to do this is to configure a workstation to have the correct settings for the proxy server and other details such as any sites which should bypass the proxy. Then use this machine to edit the policy settings under User Configuration\Windows Settings\Internet Explorer Maintenance. You can directly import the "Connection Settings" from the machine you are on if you need to, then check and edit them before clicking OK to set them in the policy. Alternatively you can just configure the "Proxy Settings" to set the proxy server address and exceptions list (to exclude sites such as your intranet from having to go through the proxy unnecessarily). You would also want to look at the various security settings under User Configuration\Administrative Templates\Windows Components\Internet Explorer to lock down the IE interface to prevent users from changing the settings themselves.
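As an added example that is not part of either article above and not Microsoft's code, the following Python script audits a client's exported registry policy against what the two pieces of Group Policy just described are supposed to set: the WUServer/WUStatusServer values and the AU values that the WUAU.ADM policies (Configure Automatic Updates and Specify intranet Microsoft update service location) write on a SUS client, and the per-user proxy values set by IE Maintenance together with the "Disable changing proxy settings" lockdown under the Internet Explorer administrative templates. The registry paths and value names are the real ones those policies write; the .reg text, the server name sus01 and the proxy address proxy.corp.example:8080 are constructed for the example.

```python
import re
from typing import Dict, List, Union
from urllib.parse import urlsplit

RegTree = Dict[str, Dict[str, Union[str, int]]]

# Keys written by the WUAU.ADM policies and by IE Maintenance / the IE lockdown policy.
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"
IE_SETTINGS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
IE_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"

AU_OPTIONS = {2: "notify before download",            # values of "Configure Automatic Updates"
              3: "auto download, notify before install",
              4: "auto download, scheduled install"}

# Constructed sample, not a real export: what `reg export` of those keys looks like on a
# client after the GPO has applied. The server name and proxy address are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01"
"WUStatusServer"="http://sus01"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxy.corp.example:8080"
"ProxyOverride"="*.corp.example;<local>"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Proxy"=dword:00000001
"""

_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')


def parse_reg(text: str) -> RegTree:
    """Parse the .reg subset policy exports use: [key] headers, string and dword values."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, s, d = m.groups()
            # .reg escapes backslashes and double quotes inside string values
            tree[current][name] = int(d, 16) if s is None else s.replace('\\"', '"').replace("\\\\", "\\")
    return tree


def audit_sus_client(tree: RegTree, expected_server: str) -> List[str]:
    """Findings for the SUS client policy; an empty list means the client is compliant."""
    findings: List[str] = []
    wu, au = tree.get(WU_KEY, {}), tree.get(AU_KEY, {})
    server = wu.get("WUServer")
    if server is None:
        findings.append("WUServer not set: client will fetch from Microsoft directly")
    else:
        parts = urlsplit(str(server))
        if parts.scheme.lower() != "http" or parts.path not in ("", "/"):
            findings.append(f"WUServer {server!r} is not of the form http://server")
        if str(server).rstrip("/").lower() != expected_server.rstrip("/").lower():
            findings.append(f"WUServer is {server!r}, expected {expected_server!r}")
        if wu.get("WUStatusServer") != server:
            findings.append("WUStatusServer does not match WUServer")
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1, so WUServer is ignored")
    if au.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1: Automatic Updates is disabled by policy")
    if au.get("AUOptions") not in AU_OPTIONS:
        findings.append(f"AUOptions={au.get('AUOptions')!r} is not a recognised mode")
    return findings


def audit_ie_proxy(tree: RegTree, expected_proxy: str) -> List[str]:
    """Findings for the IE proxy settings and the proxy lockdown policy."""
    findings: List[str] = []
    ie, pol = tree.get(IE_SETTINGS_KEY, {}), tree.get(IE_POLICY_KEY, {})
    if ie.get("ProxyEnable") != 1:
        findings.append("ProxyEnable is not 1: browser connects directly")
    if ie.get("ProxyServer") != expected_proxy:
        findings.append(f"ProxyServer is {ie.get('ProxyServer')!r}, expected {expected_proxy!r}")
    if "<local>" not in str(ie.get("ProxyOverride", "")):
        findings.append("ProxyOverride lacks <local>: intranet traffic also goes through the proxy")
    if pol.get("Proxy") != 1:
        findings.append("'Disable changing proxy settings' not applied: users can change the proxy")
    return findings
```

Export the two policy keys from a client with reg export, pass the text to parse_reg, and treat a non-empty list from audit_sus_client or audit_ie_proxy as a machine that is not taking updates from the intended SUS server or still lets its users alter the proxy; running the same check across a whole OU is a quick way to confirm the GPO actually applied before relying on the "wait until the next day" test described earlier.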