Microsoft exam 70-290 preparation guide
Part 1: Installing and upgrading Windows 2003
Part 2: Managing and Maintaining Physical & logicel drives
Part 3: Managing users, computers and groups
Part 4: Managing and monitoring access to resources
Part 5: Managing and maintaining a server environment
Part 6: Managing and implementing disaster recovery
Part 7: Active directory primer
I have written this short preparation guide as a way for myself to ease studying for the Mcirosoft
70-290 exam titled: "Managing and maintaining Microsoft Windows 2003 server environment". I provide this guide as is, without any guarantees, explicit or implied, as
to its contents. You may use the information contained herein in your computer career, however
I take no responsibility for any damages you may incur as a result of following this guide.
You may use this document freely and share it with anybody as long as you provide the
whole document in one piece and do not charge any money for it. If you find any mistakes,
please feel free to inform me about them Tom Kitta. Legal stuff aside,
let us start.
Guide version 0.13 last updated on 28/05/2004
Part 1: Installing and upgrading Windows 2003
[1.1] Clean install
- During installation of Windows 2003 if you need to install special storage adapter that Windows does not have press F6
- You can install to a dynamic disk that was converted from boot or system volume (MBR presence)
- Product key
- Retail/OEM - one key per install, product activation
- Volume licensing - only one key for multiple instalations
- Product activation is a proof of ownership that uses 25 character key
- You have 14 days to activate your product, if you run out of time you can still start the server in safe mode (no network)
- Windows 2003 is a server software, some modules are disabled by defalut:
- No audio service (disabled by default)
- Limited video acceleration (DirectX off by default)
- Dynamic update that occurs during the installation is for critical updates only (not drivers) and need internet connection
- You must have the Unattend.txt or Winnt.sif (copy of unattend.txt when using CD for install) files if you
want to fully automate the remote installation of a Windows Server 2003 operating system.
[1.2] Windows editions
- Standard edition
- Maximum of 4 CPU
- Maximum of 4GB of RAM
- Network load balancing
- Enterprise edition
- Can be 32 or 64 bit (64bit edition needs Intel Itanium)
- Has hot add memory capability (on 32bit edition only), clustering
- Maximum of 32GB RAM, 64GB RAM on 64bit
- Maximum of 8 CPUs
- Up to 8 cluster nodes
- Datacentre edition
- Needs to be purchased through Microsoft
- Maximum of 64CPUs, 512GB RAM on 64bit edition
- Up to 8 cluster nodes
- Web edition
- Up to 2 CPUs and maximum of 2GB of RAM
- Used to host websites, web applications including DNS, no non-web based applications like SQL server
- OEM or volume licensing, cannot buy retail
- XP profesional
- Minimum P233, recommended PII 300
- Minimum 64Mb RAM, recommended 128Mb
- Minimum 1.5Gb of free space on HD, recommended 2Gb
[1.3] Hardware requierments
- CPU minimum 133Mhz (datacentre edition 400Mhz), recommended 550-733Mhz
- RAM minimum 128Mb (datacentre edition 512Mb), recommended 256Mb
- HD minimum 1.5Gb
- Pentium Pro and Pentium II multiprocessor systems have a bug in them, multiprocessor support is disabled
- To administer Windows 2003 OS licensing for sites or the enterprise, use Licensing in Administrative Tools.
- The Licensing option in Control Panel manages licensing requirements for a single computer running a Windows 2003 OS.
- You must have a Client Access License (CAL) for each device or user that connects to your server.
- Per Device or Per User licensing mode is the best option if your clients frequently use multiple servers on the
network. It is client side licensing used in enterprises. The number of simultaneous connections to any server is unlimited for every client.
- Per Server licensing mode is the best licensing option when a server product is installed on only one server
accessed at any time by no more than a subset of your users. For example if you have 5 CALs 5 clients can connect to your server on first come basis.
- Use license groups when there is 1 to many, many to 1 or many to many relationship between users and devices
- License Logging service is needed for license monitoring but not enforcment
- If a client PC is used by 10 or less users only 1 CAL is required
- For control panel licensing you got only 1 licensing type change, for enterprise licencing you will loose your licences
- You can find your licensing server in 'AD Sites and Services'
[1.5] General upgrade points
- You need at least Windows NT4 SP5 to upgrade to Windows 2003
- You must upgrade to the same or more powerful edition (i.e. for example from Windows 2000 Advanced Server to Windows 2003 Enterprise, cannot upgrade to Windows 2003 Standard)
- If the PC you are upgrading will be (or is) a domain controller you will need NTFS (among other things to store SYSVOL folder which stores GPO)
- Check partition size, you need minimum of 1.5GB for Windows 2003 installation
[1.6] Upgrading from Windows NT4 to Windows 2003
- You need to upgrade PDC 1st (Windows 2003 will emulate PDC for older clients). Note that Windows 2000 and XP PCs will
prefer to use Windows 2003 server over NT4. This can cause network congestion problems. Need to change registry on server to make it look like NT4 PDC.
- You need to upgrade RAS server before you upgrade last BDC (you want to get rid of the old NTLM authorization method)
- AD installation wizard will start after OS upgrade completes (if PC was a DC).
By default forest functionality level will be set to Windows 2003 interim.
- NT4 mirror and strip sets will not mount on Windows 2003, you need to
- Break mirror and\or kill stripe volume
- If you forget about above, use ftonline utility to mount NT mirror or stripe in read only mode on Windows 2003
[1.7] Upgrading from Windows 2000 to Windows 2003
- AD was introduced in Windows 2000 to manage authentication
- You will need to make sure all Windows DC have SP2 or above installed on them
- Before OS upgrade you need to run utility called adprep on the DC
- Adprep.exe is located on Windows 2003 CD. Its role is to go through Windows 2000 AD schema and include enchancments needed for Windows 2003 DC to be accepted
- You will need to run adprep.exe /forestprep first on the schema master. You will need to be a member of both Enterprise admins and Schema admins. It is recommended to take schema master PC offline during utility run.
- After you have run adprep.exe /forestprep you will need to run adprep.exe /domainprep on the infrastructure master in each domain.
You need to be a member of domain admins or enterprise admins. Make sure that before the run all changes from adprep.exe /forestprep replicated down to all DCs.
[1.8] Domain functional levels
- Forest functional level
- Effects all domains in the forest
- Windows 2000 (default) accepts NT4, 2000 and 2003 DC
- Windows 2003 Interim accepts NT4 and 2003 DC
- Windows 2003 accepts 2003 DC
- Domain functional level
- Effects only one domain
- Windows 2000 mixed (default) accepts NT4, 2000 and 2003 DC
- Windows 2000 native accepts 2000 and 2003 DC
- Windows 2003 interim (you will get this option if you upgraded a totaly NT4 domain) accepts NT4 and 2003 DC
- Windows 2003 accepts 2003 DC
Part 2: Managing and Maintaining Physical & logicel drives
[2.1] Plug & play
- For plug & play to operate we need the following:
- Plug & play BIOS
- OS that is plug & play capable
- Device that supports plug & play
- When Windows finds new hardware but is unable to install it we can go to Device Manager and run troubleshooter as well as look at the error codes
- Uninstalling the device using 'Device manager' only removes the driver and uninstalls it from
the OS (not from the PC!). If the device is not physically removed from the PC, it will be
detected the next time PC boots up. To prevent this from happening one must disable the device.
- When Windows 2003 fails to detect new hardware use 'Add new hardware wizard'
[2.2] Hardware supported
- Virtual Disk service API for storage systems, SANs (storage area networks)
- IEEE 1394, RAID, USB 2.0, Video, Sound
- Wireless supports
- Wireless and cable network bridging
- Roaming and autoconfiguration
- USB 2.0 supports up to 127 devices per root hub and up to 5 deep nested external hubs. You can see power & bandwith usage by checking out root properties.
- Windows 2003 has the ability to burn CD-R and CD-RW using IMAPI service, however it is disabled by default
- You will need a decoder for video DVDs (data DVDs are OK)
- DVD+RW and DVD-RW are not supported, need manufacturer's driver
[2.3] Access needed to install new hardware
- You will need to be a member of the Administrators group or have 'load and unload device drivers' user
privelage to install new hardware, unless
- Driver the the hardware uses is signed or has the Designed for Windows Logo
- No further action is required to install the device, no requirement for Windows to display a user interface. No need to use 'Add Hardware Wizard'
- Device driver is already on the system
- No network policy settings are preventing you from installing hardware.
- This way ordinary users can for example connect a USB pen drive to the PC without beeing member of the administrators group
[2.4] Device Manager can be accessed in 4 ways
- By going to start -> all programs -> administrative tools -> computer managment-> device manager tree selection
- Control panel -> system -> hardware tab -> device manager button
- R-click on 'My computer' and select properties ->hardware tab -> device manager button
- Custom made MMC snap-in
[2.5] Device Manager views
- Devices by type - when you use this view all network adapters present will be listed under 'network adapters', all disk drives under 'disk drives' etc. This is the default view.
- Devices by connection - you can for example see what devices are connected to the motherboard on the PCI slot by expanding Standard PC node and expanding PCI bus node.
- Resources by type - sorts devices by type, i.e. DMA devices, I/O devices, IRQ devices and memory devices. Good for IRQ conflict troubleshooting.
- Resources by connection - sorts devices by connection instead of type
- Show hidden devices - shows the non plug and play devices that have been removed from the
PC but have installed drivers.
[2.6] Device properties tab
- General - for example manufacturer and device status
- Advanced settings - optional, not every device has them. For example, for a network card
we could have card link speed selector.
- Resources tab - shows things like IRQ assignments. You can only edit IRQ if there is a conflict.
Also the device has to be plug and play capable.
- Power managment - not applicable to servers
- Hardware profiles - good mostly for laptops, when say you have different hardware connected to your
PC at the office and at home office. Also can be used for troubleshooting, you can limit the hardware in each profile.
[2.7] Driver properties
- Details of installed driver
- Update driver
- Roll back driver (new in Windows 2003)
- Uninistall driver
- Driver signing:
- Harmful driver install prevention
- HCL - Hardware compatabilty list, to be replaced by Windows catalog
- Run d:\i386\winnt32 /checkupgradeonly from Windows 2003 CD to check hardware compatability
- Command line sigverif.exe is used to check drivers from command line
- By default system is set to warn user if he or she is installing unsigned driver (other options are: ignore and block)
- Unsigned driver means that the driver was not tested by Microsoft and is not supported by Microsoft. For most part these drivers are still OK
- When driver is signed by Microsoft it and the hardware are tested by Microsoft
- Some older devices (like CD-ROM etc.) plug into LPT port on the PC.
You will need to set LPT port to "Legacy plug and play support" on port settings tab for older devices to work.
- The easiest way to solve embedded device conflict with an add on device is to disable the onboard device.
For example, to use add on music card, you will need to disable onboard music card
- Many problems are caused by incorrect drivers, for example graphic card that displays only 800x600 resolution. Update driver to solve these problems.
[2.8] HAL - hardware abstraction layer
- Computer driver which is the interface to BIOS, kernel is build on top of this driver
- You can choose HAL during install by pressing F5
- Multiple processors - when installing a 2nd processor in a single processor system (UP - uni processor) you will need to update
HAL for the CPU from single CPU to multiple CPU (SMP - symmetric multi processor driver)
- Do not upgrade from standard HAL to ACPI (advanced configuration and power interface) HAL and vice versa
[2.9] Windows update & automatic update
- 1st appeared in Windows 98
- Windows 2003 adds scheduling of updates capability
- To access follow: control panel -> system -> system properties -> automatic update button
- Can set up Windows update properties via GP settings
- Specify Intranet Microsoft Update service location
- Configure automatic updates
- Reschedule Automatic updates scheduled installations
- No auto-restart for scheduled automatic updates
- Printer - this is how we call a piece of software on your PC
- Print device - this is the actual hardware printer
- Print server - PC to which a local printer is connected - any Windows PC. It is the computer that sends print jobs to the print device. For a network printer you send jobs to the server as well.
- Print spooler - also referred to as print queue this is a directory on print server where jobs are being stored prior to being printed
- Print processor - also known as rendering is the process that determines whatever a print job needs further processing once job has been sent to the spooler
- Printer pool - configuration that allows to use one printer for multiple print devices
- Print driver - piece of software that understands your print device codes
- Physical port - port through which a printer is directly connected to the computer, COM or LPT
- Logical port - port through which a printer with a network card is attached to network, much faster than a physical port
- Local printer - printer that uses a physical port and has not been shared
- Network printer - printer that is available to local and network users, can use either physical or logical port
- Windows server 2003 can be in a "print server" role. In this role the server is
set to manage network printers (this includes local printers connected to other PCs which are shared)
- You can use UNIX (LPR) protocol, for this you will need to add LPR port. LPR is included in "print services" for
UNIX, which is installed as a separate component of Windows Server 2003
- You can also have print services for Macintosh and for Netware
- Whenever you hear anything that deals with: LPR, LPD, LPQ think UNIX
- You can load into your Windows 2003 server in "print server" role additional drivers for
other Windows versions (Windows 95/98/NT4/2000/XP)
- You can set printer priority (1-99) as well as printer avability (which means when the printer will be
available timewise) to different user groups as well as access to the print device itself to different user groups and individual users.
- For network printers that are attached using ethernet cable to the network and use TCP/IP for communication any Windows 2003 server can be a print server provided that it is connected to the same network
- To implement above you need to create a new TCP/IP port
- To create a port you will also need IP of the network printer or its share name (so IP can be pulled from active directory)
- You can print from Windows XP clients to print server computers running a Windows 2003 by using a Uniform Resource Locator (URL). Internet printing uses Internet Printing Protocol (IPP).
- For example to use different print priority for two groups you need to setup two print devices, restrict their use and set priority on them
- If you want to know printer utilization track print queue object in system monitor
- %systemdir%\system32\spool\printers\ is the default location of the spool folder. You should change it if your server serves many printers.
- A port is defined as the interface that allows the PC to communicate with the print device. Local ports are for print devices attached to the PC directly.
- Separator pages are used in multi user environments, sample files are found in %systemroot/system32/ folder with .sep ending
- Print.exe - sends a text file to a printer
- Net Print - displays information about a specified printer queue, displays information about a specified print job, or controls a specified print job
[2.11] Printer Poling
- One printer, multiple print devices
- Think of it as load balancing for printers, used in larger enterprises
- Need to use the same driver for all print devices that are member of the pool. Many
newer printer devices will work with older driver, use driver that is the newest for the oldest printer.
[2.12] Management of printers using print server role of Windows 2003 server
- Surf to http://printserver/printers/ where 'printserver' is the name (or IP) of your print server PC
- Can restrict access to this web interface using group policy
- For above to work you will need to install IIS 6
[2.13] Redirecting print jobs
- You can redirect print jobs provided both printers use the same driver
- When user placed into a queue a request to print a document on a print device which failed to print BEFORE
comencment of printing you can redirect printing to another printer
- To redirect a print job select print device you want jobs redirected from
- If the new printer is on this print server, just select new port to which the new printer is attached, otherwise
- Click on 'ports' tab
- Click on 'add port', select local printer and click on 'new port'
- Type in UNC share name of the printer you want the job redirected to, in format \\other_print_server\share_name
- Check the check box next to the port you just created
[2.14] Disk drives
- SCSI 15000RPM, 20Mbps transfer
- IDE 7200RPM, 16.7Mbps transfer
- SATA (similar to IDE)
- Both SCSI and SATA support up to 15 drives on a single controller
- IDE drives have 'cable select' option on them which automatically determines master and slave.
It is best practice to manually set jumpers for master and slave.
[2.15] ARC path designation (Advanced RISC computing)
- ARC dates back to NT 3.5 days (in the form presented here, otherwise NT 3.1)
- The file boot.ini is used to find '\windows\' directory
- Bootcfg.exe configures, queries, or changes Boot.ini file settings
- Boot.ini switches:
- /debug - for debugging (/nodebug)
- /bootlog - enable boot logging
- /sos - display driver names while they are being loaded during the Windows boot
- Please note that Microsoft has changed the default install directory from WINNT to WINDOWS for Windows server 2003.
For upgrades we will still use WINNT directory.
- Identifies the controller physical disk is on
- Multi(x) syntax of the ARC path is only used on x86-based computers
- For IDE or pure SCSI disks when OS is on the 1st or 2nd SCSI drive
- The Multi(x) syntax indicates to Windows NT that it should rely on the computers BIOS to load system files.
This means that the operating system will be using interrupt (INT) 13 BIOS calls to find and load NTOSKRNL.EXE and any other files needed to boot Windows NT.
- Numbering starts at 0, for example Multi(0), due to technical reasons it should always be 0
- In a pure IDE system, the Multi(x) syntax will work for up to the 4 drives on the primary and secondary channels of a dual-channel controller
- In a pure SCSI system, the Multi(x) syntax will work for the first 2 drives on the first SCSI controller (that is, the controller whose BIOS loads first)
- In a mixed SCSI and IDE system, the Multi(x) syntax will work only for the IDE drives on the first controller
- Identifies the controller physical disk is on
- The SCSI(x) syntax is used on both RISC and x86-based computers
- Using SCSI() notation indicates that Windows NT will load a boot device driver and use that driver to access the boot partition
- On an x86-based computer, the device driver used is NTBOOTDD.SYS, on a RISC computer, the driver is built into the firmware
- Numbering starts at 0, for example SCSI(0)
- Windows NT Setup always uses Multi(x) syntax for these first two drives
- Identifies the physical disk attached to controller
- 0 if Multi(x) present, Disk is only for SCSI
- For SCSI value of Disk(x) is the SCSI ID and can be 0-15 Note: one channel is always reserved for the controller itself
- Numbering starts at 0, for example Disk(0)
- Identifies the physical disk attached to controller
- Almost always 0 if SCSI(x) is present, Rdisk is for Multi(x), ordinal for the disk, usually number 0-3
- Numbering starts at 0, for example Rdisk(0)
- Refers to the partition on the hard disk where Windows system folder is located on
- All partitions receive a number except for type 5 (MS-DOS Extended) and type 0 (unused) partitions,
with primary partitions being numbered first and then logical drives
- A partition is a logical definition of hard drive space
- Numbering starts at 1, for example Partition(1)
- Used when system BIOS or controller hosting the boot partition cannot use INT-13 Extensions
- The signature() syntax is equivalent to the scsi() syntax
- Using the signature() syntax instructs Ntldr to locate the drive whose disk signature matches the value in the parentheses, no matter which SCSI controller number the drive is connected to
- The signature() value is extracted from the physical disk's Master Boot Record (MBR)
[2.16] Easy way to memorize ARC
- There are 5 letters in the word 'Multi' and 5 letters in the word 'Rdisk'
- There are 4 letters in the word 'SCSI' and 4 letters in the word 'Disk'
- 'SCSI' works together with 'Disk' while 'Multi' works together with 'Rdisk'
- When system uses Multi(x) it uses BIOS INT-13 Extensions, so on board BIOS has to be enabled
[2.17] Disk Managment MMC snap-in
- To activate: start -> all programs -> administrative tools -> computer managment -> disk managment tree node
- Another ways is to r-click on My computer and select 'manage' from the list
- Finally you can just create a custom MMC snap in
- Using disk managment, among other things, you can:
- Initialize new disks
- Create new volumes and partitions
- If you r-click and select properties -> general tab you can see location heading with a number. That number is the ARC number of the HD.
- If you need a disk formatted in FAT or FAT32 you cannot do it from disk manager, you need to use: format x: /fs:FAT32 Note Windows can format FAT 32 disks up to maximum of 32Gb but can read higher capacity drives
- DiskPart.exe - you can create scripts to automate tasks, such as creating volumes or converting disks to dynamic.
- Fsutil.exe - perform many NTFS file system related tasks, such as managing disk quotas, dismounting a volume, or querying volume information.
- Mountvol.exe to mount a volume at an NTFS folder or unmount the volume from the NTFS folder.
[2.18] Remote managment
- Computer managment is not just for the local machine, you can also manage other PCs,
to activate r-click on computer managment (local) and select 'connect to another pc'
- By default Domain Admins are part of local administrators group and you need these right to connect and administer remote PCs
- If you cannot access Device Manager from the Computer Management extension snap-ins on a remote computer, ensure that the
Remote Registry service is started on the remote computer.
- Computer Management does not support remote access to computers that are running Windows 95.
- In remote managment 'Device Manager' is in read only mode
[2.19] Basic Disks
- Primary partition is the only one that is bootable and there is a maximum of 4 primary partitions
- Extended partitions are not bootable
- Logical drives are created in extended partitions. There are no limits as to the number of logical drives each extended partition may have.
- Primary partitions and logical drives are assigned drive letters
- Basic Disk FAT is located on the first sector of the hard disk; space is shared with the MBR
[2.20] Dynamic disks
- Fault tolerance better than basic disks, due to multiple storage places for information. 1Mb database is placed at the end of each
physical hard disk containing information about all dynamic disk located in this particular system, this creates multiple storage spaces of the same data.
- Can be one of the following:
- Simple volume:
- Single disk
- No fault tolerance
- Can be NTFS or FAT
- Spanned volume:
- maximum of 32 disks
- Cannot extend spanned volumes, need to delete and recreate if not NTFS or contain system files
- For more information see MS knowledge base paper
- No fault tolerance
- Extendeding simple volume:
- Similar to spanned volume but uses the same physical HD with simple volume
- You can extend a simple volume only if it does not have a file system or if it is formatted using the NTFS file system.
You also need free space on HD and the volume could not have been originally a basic disk partition
(when the conversion from basic to dynamic has been made on Windows 2000).
- You cannot extend volumes formatted using FAT or FAT32
- You cannot extend a system volume, boot volume, striped volume, mirrored volume, or RAID-5 volume
- Mirror volume:
- Also known as RAID 1
- The only volume besides simple volume in Windows 2003 which can boot and system partitions can both reside on
- Can be NTFS or FAT
- Fault tolerance, data is the same on both disks
- To replace the failed mirror in a mirrored volume, right-click the failed mirror and then click Remove Mirror, and then right-click the other volume and click Add Mirror to create a new mirror on another disk
- Variation of mirroring called duplexing uses HD connected to different controllers for even more fault tolerance
- Striped volume:
- Also known as RAID 0
- Maximum of 32 disks
- Breaks data into 64Kb chunks for writing to different disks that make up the stripe
- It is recommended to use same type of hard drives for member drive
- Windows 2003 cannot be installed on software RAID 0
- You cannot extend striped volume, need to recreate it
- No fault tolerance
- RAID 5:
- Made up of three disks with each storing parity information
- Fault tolerance when one disk fails
- Maximum of 32 disks, minimum of 3
- Not available in Windows XP professional
- To replace the failed disk region in a RAID-5 volume, right-click the RAID-5 volume and then click Repair Volume
- Only in Windows XP Professional, windows 2000 Professional and Windows 2003 Server (all editions) you can use dynamic disks
- Note: if disk fails for which ARC path is in boot.ini system will not boot. You should have a disk with modified boot.ini
- Mounted volumes - can mount HD as a NTFS folder
- Uninstall disks prior to moving them, Re-scan disk when you attach it
- Dynamic disks can be re-configured without re-boot
- When your boot disk is also a dynamic disk, then you will not be able to dual boot into OS that is not dynamic disk capable
- Dynamic disks are not supported on laptops due to luck of advantage over basic disks in this scenario
- Dynamic disk partition table types:
- dynamic GUID partition table (GPT) disks, for 64bit editions of Windows
- dynamic MBR disks, for 32 and 64bit editions of Windows
- The Foreign status occurs when you move a dynamic disk to the local computer from another computer
- You can have a maximum of 2000 volumes on a dynamic disk, recommended maximum is 32
- Volumes created after the 26th drive letter has been used must be accessed using volume mount points
- Hard drives that are connected to the Pc using USB or IEEE 1394 can not be converted to dynamic volumes
- Volume status descriptions
- Failed - basic or dynamic volume cannot be started automatically or the disk is damaged
- Failed Redundancy - data on a mirrored or RAID-5 volume is no longer fault tolerant because one of the underlying disks is not online, has substatuses
- Formatting - occurs only while a volume is being formatted with a file system
- Healthy - normal volume status on both basic and dynamic volumes, no known problems, has substatuses
- Regenerating - occurs when a missing disk in a RAID-5 volume is reactivated
- Resynching - occurs when creating a mirror or restarting a computer with a mirrored volume
- Unknown - occurs when the boot sector for the volume is corrupted
- Data Incomplete - displayed in the Foreign Disk Volumes dialog box, and occurs when data spans multiple disks, but not all of the disks were moved.
- Data Not Redundant - displayed in the Foreign Disk Volumes dialog box when you import all but one of the disks in a mirrored or RAID-5 volume
- Stale Data - displayed in the Foreign Disk Volumes dialog box, and occurs when a mirrored or RAID-5 volume has stale mirror information, stale parity information, or I/O errors
[2.21] Converting to dynamic disk and back to basic disk
- If you convert a boot disk, or if a volume or partition is in use on the disk you attempt to convert, you must restart the computer for the conversion to succeed.
- The conversion may fail if you change the disk layout of a disk to be converted or if the disk has I/O errors during the conversion.
- After you convert a basic disk into a dynamic disk, any existing partitions on the basic disk become (dynamic) simple volumes.
- If you are using shadow copies and they are stored on a different disk then original you must first dismount and take
offline the volume containing the original files before you convert the disk containing shadow copies to a dynamic disk.
- If you are converting disks form dynamic to basic the disk being converted must not have any volumes on it nor contain any data before you can change it back to a basic disk. If you want to keep your data, back it up before you convert the disk to a basic disk.
[2.22] File systems
- FAT 16 bit (File Allocation Table)
- FAT 32 bit
- NTFS (New Technology File System)
- To convert from FAT to NTFS use: convert x: /fs:NTFS
[2.23] Folder compression (zipped)
- Create new compressed folder (zipped)
- All new items added to that folder will be compressed (zipped)
- For command line operations use compress.exe, which acts like winzip
[2.24] Compression (NTFS)
- When you compress a whole folder:
- All files are compressed automatically when added but not current folder occupants
- Compression can also be applied to current files and subfolders
- Decompression is a reverse process of compression
- Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
- When you copy a file, no matter whatever on the same volume or not, the destination file will inherit the destination folder's permissions
- When you move a file on the same volume, it keeps its original permissions (explicit permissions only). When you move a file to another volume, the
move is treated as a copy operation and the file permissions are inherited from the destination folder.
- All file attributes behave in the same way with the exception of encryption
- File compression is supported only on NTFS volumes with cluster sizes 4 KB and smaller
- For command line use compact.exe, it can display and modify compression attributes but it works only on NTFS
- Only users who created the files, users whom owner gave access to view the file
(new in Windows 2003, additional users need to already be issued certificates) and recovery agents can decrypt the file
- When moving encrypted file from one volume to another volume, it stays encrypted. When copying file it also stays encrypted. This behaviour is unique for encryption!
- Note that user which has NTFS permissions to an encrypted file can delete that file, even if he/she cannot view that file
- Cannot encrypt and compress at the same time (due to encryption process using pseudo random salt which cannot be further compressed due to its nature)
- You can zip 1st then encrypt to get encrypted and compressed file
- Executable file cipher.exe is a command line encryption utility
- By default, the recovery agent is the Administrator account on the 1st DC, there is no default for stand alone server
- For encryption property, moving/copying a file to a FAT system decrypts file without warning
- It is recommended to store recovery agent certificate on a floppy disk in secured location. It is also recommended to copy their file to
be recovered to the recovery agent PC where it will be recovered.
[2.26] How EFS (encrypted file system) works
- When the user chooses to encrypt a file, a file encryption key is generated
- This encryption key, together with encryption algorithm is used to encrypt the contents of the file
- The file encryption key is encrypted itself using user's public key and stored together with the encrypted file. The file
encryption key is also protected by the public key of each additional EFS user that has been authorized to decrypt the file and each recovery agent.
- File can only be decrypted by using user's private key, by using private key of users given permission to view the file and private key of recovery agent
- Private/public pair is created using user's certificate
- On stand alone machines user's certificate is created the 1st time he or she tries to encrypt a file
- For domain user certificate is issued by the certification authority - user needs permission to get a certificate
- Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory structure.
- Before users can encrypt or decrypt files and folders that reside on a remote server, an administrator must designate the remote server as trusted for delegation.
- If you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted.
- Users can use EFS remotely only when both computers are members of the same Windows Server 2003 family forest
- Encrypted files are not accessible from Macintosh clients
- Encrypting File System (EFS) no longer requires a recovery agent
Part 3: Managing users, computers and groups
[3.1] User accounts
- User account consist of:
- Name and password
- SID (security identifier) - consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. SIDs are unique in the network.
- Can have other attributes, like group membership
- User accounts and computer accounts (as well as groups) are also referred to as security principals
- Security principals are directory objects that are automatically assigned security IDs (SIDs)
- Can be either local or domain
- All local user accounts are stored in local database that every PC has except the domain controller.
- Local accounts cannot be used to grant access to network resources
- At logon time user select whatever he wants to logon into a domain or local PC. depending on his or her selection system uses local or AD user database
- Username must be unique, for pre-2000 maximum of 20 characters, spaces and period are OK, but no special characters. Usernames are not case sensitive while passwords are.
- InetOrgPerson is used in several non-MS LDAP and X.500 directory services to represent people within an organization, in AD for compatibility
- In order to interactively log in to DC user needs to be member of Domain admins, Enterprise admins, Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators or explicitly granted permission to logon
[3.2] Build in local user accounts
- Administrator - even when the Administrator account has been disabled, it can still be used to gain access to a computer using Safe Mode
- Guest (by default in disabled state)
- Support account (Support_388945a0)
[3.3] Build in local groups
- Administrators - full control, by default it's member is the Administrator account. This account cannot be removed.
When joined to a domain, Domains Admin global group is also added to local administrators group.
- Backup Operators - can backup and restore files on the server ignoring security settings
that protect these files. Can access server from the network,logon locally and shout down the system.
- DHCP Administrators (installed with the DHCP Server service) - have administrative access to the Dynamic Host Configuration Protocol (DHCP) Server service.
- DHCP Users (installed with the DHCP Server service) - have read-only access to the DHCP Server service.
- Guests - temporary profile created at the logon time, deleted at log off. Member of the Guest group, no default user rights.
- Help service group - used to set up right common to all support applications,
only member is Support_388945a0, do not add users
- Network configuration operators - can make changes to TCP/IP
- Performance log users - can manage performance counters, logs and alerts locally or remotely
- Performance monitor users - can monitor performance counters only, locally or remotely
- Power users - they can add users/shares/groups. The power users cannot: change Administrators group membership,
take ownership of files, load or unload device drivers and manage security logs.
- Print operators - can manage printers and print queue
- Remote Desktop Users - can remotely logon to the server
- Replicator - the only member should be domain user account used to logon the replicator service on a DC. Do not add users to this group
- Terminal Server Users - users who are currently logged on to the system using Terminal Server
- Users - can do common task such as running programs and printing stuff. Can access locally or through network, all user accounts are members of the Users group by default.
- WINS Users (installed with WINS service) - permitted read-only access to Windows Internet Name Service (WINS)
[3.4] Complex passwords
- Complex password needs to be at least 6 characters long
- Cannot use any part (or all of) of user account name
- A complex password need to consist of 3 out of these 4:
- English uppercase characters
- English lowercase characters
- Base 10 digits
- A special character, such as [,),^
- By default, complex passwords are enabled on DC, disabled on stand alone servers
- Windows 2003 passwords can be up to 127 characters long. Windows 95/98 passwords can be up to 14 characters long.
- Password reset disks are used on stand alone servers to recover user password, otherwise users will loose encrypted data
- On DC on Windows 2000 local users & groups display red X, on Windows 2003 there is no local users & groups
- When installing AD local user accounts and groups are moved to the AD and local DB is deleted
- Data that is allowed to be stored in the active directory is defined in the active directory "schema".
- OU (organizational units) are acting as a container for groups, users and other OU
- You can limit users to logon only on certain computers (but not exclude them from certain PCs). You can also limit users login hours.
[3.6] Using profile for local PC
- Local profile is located in 'documents and settings' directory on local PC
- You can use network share for profile location (can be used for backup)
- Mandatory profile - users cannot save changes (they can delete, but it comes back!)
- Home folders - where you automatically go after you hit 'save as'
- Folder redirection - allows Administrators to redirect personal folders for all users to a single location
- All user settings and preferences are stored in a file ntuser.dat
[3.7] Roaming profile
- User sees the same thing on every PC (network profile)
- Enebled on user properties screen in Active Directory Users and Computers; Cannot be modified using GPO.
- ntuser.dat is stored on network share
- Local profile on local PC is used if network connection cannot be established
- Network problems can occur (network congestion) if large files are saved to the desktop or 'My Computer'. To resolve this
issue use GPO - set file processing only if user wants to use given file
- Only files that have been changed since the profile was last loaded are saved
[3.8] Other profile information
- To create a mandatory profile rename ntuser.dat to ntuser.man
- Terminal service profile - different look and feel when connecting through terminal server. This may be needed if regular profile
could have adverse effect on the network (contains options that for example use a lot of bandwidth)
[3.9] Account and password options
- Available options are:
- User must change password at the next logon
- User cannot change password
- Password never expires
- Store password using reversible encryption
- Account is disabled
- Smart card required for interactive logon
- Account is trusted for delegation
- Account is sensitive and cannot be delegated
- Use DES encryption for this account
- Do not require kerberos for preauthentication
[3.10] Terminal services
- Thin clients are like good old dumb terminals
- Terminal services are part of user settings
- Remote control: user in terminal services application mode, similar to remote assistance
- Use Terminal services Configuration to set session timeouts
[3.11] Remote access (VPN/Dial-in)
- Remote access is denied by default
- Remote access policy which can use either RRAS or IAS (RADIUS)
- Remote access policy is much more flexible than user Dial-in properties (which in turn override remote access policy)
- For traveling executive, set 'callback' option to 'set by caller'
- Dial-in properties allow you to assign a specific IP to user
- This is the only way in Windows 2003 that you can assign a specific IP to a user
- Routing and remote access protocols
- MS-chap (Microsoft Challenge Handshake Authentication Protocol) still supports NTLM (but not by default) Same
encryption key is used for all connections, both authentication and connection data are encrypted
- MS-chap v2 no NTLM and stronger encryption (like salting passed encrypted password strings) both MS-chap protocols are
the only ones that can change passwords during the authentication process. New key is used for each connection and direction.
- Chap - need to enable storage of a reversibly encrypted user passwords, encryption of authentication data
through MD5 hashing. No encryption of connection data.
- PAP (Password Authentication Protocol) passwords are unencrypted as well as connection data
- SPAP (Shiva Password Authentication Protocol) - less secure than CHAP or MS-CHAP, no encryption of connection data
- EAP-TLS (Extensible Authentication Protocol - transport level security) - certification based authentication
(EAP) used with smart cards, both authentication and connection data are encrypted, not supported on stand
alone servers - only for domains.
- EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication protocol) -
this is a version of Chap that was ported to EAP framework. Encrypts only authentication data, not connection data, same like Chap.
- Unauthenticated access - connections without credentials, good for testing
[3.12] DC/OU/CN example
Here is how DC/OU/CN work. User is CN - canonical name, DN - distinguished name. For example,
DC - energyshop
DC - com
OU - IT
CN - John Doe
[3.13] UPN - user principal name
- User principal name in e-mail format which can be used when logging in and not using dropdown, example firstname.lastname@example.org. UPN must be unique in the forest.
[3.14] Dealing with user passwords
- Do not delete user accounts, disable them instead
- Rename users as a quick way to set up new accounts
- To move users to a different domain in the same forest use movetree.exe (initiated on the RID master of the domain
where object lives). For different forest need ADMT (AD migration tool).
[3.15] Password policy
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Complexity requirement
- Store passwords using reversible encryption
[3.16] Account lockout policy
- Account lockout duration
- Account lockout threshold
- Reset account lockout counter after X minutes
[3.17] Computer accounts
- Managed PCs are computers whose OS was installed using RIS service (remotely)
- For RIS to work you need a network card that is PXE (pre-execution environment) enabled
- If you network card is non-PXE but is PCI based you can use Rbfg.exe to create remote boot disk
- No computer account for Windows 98 systems, Windows 98 can still log in to the domain, provided that AD client is installed and SMB signing is disabled
- To create computer accounts you need to have 'create computer accounts' permission
- You can set up common attributes on several user accounts at once using the multiselect option, you can set: Profile, Organization, Account Tab, Address, General Tab
[3.18] RIS - remote installation service
- Each PC has a GUID (globally unique identifier) sometimes called UUID
- You can get PC's GUID from
- From DHCP discovery pockets PC sends when it wants to get IP address from DHCP server
- PC documentation
- PC startup screen (BIOS)
- RIS options
- Respond to client PCs requesting service
- Do not respond to unknown PCs (unknown PCs are not found in the AD)
- For RIS following must be available on the network
- Active Directory
- These are not user accounts
- They are used to add people that are outside of your domain
- Bulk import data into active directory using csvde.exe (comma separated value directory exchange), using CSV format. It is easier to modify spreadsheet to confirm to csvde than ldifde.
- Executable file ldifde.exe stands for: LDAP data interexchange format directory exchange
- Executable file ldifde is used to import AND modify active directory, csvde can only import
- Import creates accounts with blank passwords, best to create accounts in disabled state by specifying user control value of 514
[3.21] Build in domain user accounts
- Administrator - when the Administrator account is disabled, it can still be used to gain access to a domain controller using Safe Mode
- Guest (in disabled state by default)
[3.22] Domain Groups
- Security - can have object permissions (but also works just for e-mail distribution)
- Distribution - only for e-mail
- Group scopes:
- Domain local
[3.23] Built in domain local groups
- Domain local groups can contain users and groups from any trusted domain.
- Account operators - can create and administer domain user accounts and groups
- Administrators - full control over domain
- Backup operators - ignores security in order to backup or restore files
- Guests - has same access as domain users group
- Incoming forest trust builders - can create incoming, one way trusts to this forest
- Network configuration operators - can modify network settings like TCP/IP
- Performance log users - can remotely configure and view performance logs
- Performance monitor users - can remotely view performance logs
- Pre-Windows 2000 computer access (for win NT) - has read permission to all users and groups in the domain and the right to access DC from network
- Print operators - administrator for printers
- Remote desktop users - can logon into any PC in the domain remotely (only logon ability, nothing else)
- Replicators - supports file replication in the domain
- Server operators - can manage DC, shout down, create shares, manage disks and more
- Terminal server license servers - local group for Terminal Server license servers
- Users - cannot install new applications, can run applications that already exist, cannot logon to DC
[3.24] Global groups
- Used to organize users but only from its own domain
- Create by job function or job description
- DNS update proxy - can preform updates to the DNS on behalf of other clients.
When secure dynamic updates are enabled on DNS, the DHCP servers must be made members of this group to be able to update clients.
- Domain admins - complete administrative rights in the domain. Member of Administrators domain local group (as well as local Administrators group on all PCs)
- Domain computers - all PCs that are joined to the domain
- Domain controllers - all DC are members of this group
- Domain guests - used to grant access to users that don't have valid user account in the domain. Member of domain local guest group by default
- Domain users - all users are members of this group. Normal access to workstations. When new share gets created, they get 'read' access
- Group policy creator owner - members can create and mange GP. Administrator account is a member of this group by default.
[3.25] Universal groups
- Used for many to many relationships, like many users that need to access resources in many domains
- Can contain users, global groups, local groups from any domain in the forest
- Cannot contain users from domains that are outside the forest
- Universal groups are used to organize users across domains
- It is recommended to place only global groups inside universal groups
- You need to have domain functional level set to at least Windows 2000 native
- Build in (admin in root domain is the only member) :
- Enterprise admins - have access to all domains in the forest
- Schema admins
[3.26] Access between domains
- We trust in the authentication of another DC
- Automatic trusts between parent and child domains are set in Windows 2000 native or above
- 2 way trusts (NT4 domains) - need to be set up at both sides (i.e. from domain A to B 1 setup and 1 from B to A == no automation)
- 2 way transitive trusts (Windows 2000)
- Forest trust (Windows 2003)
[3.27] Remember the acronym AGLP
- Accounts - create users accounts
- Global groups - place users in global groups
- Local groups - place global group into local group
- Permissions - assign permissions to the local group
[3.28] Windows 2000/Windows 2003 domain vis mixed mode
- Universal group is added in Windows 2000 native mode
- Group nesting - same type of group in same type
- Changing of group types (distribution vis security) is enabled in Windows 2000 native mode
- For Windows 2000/ Windows 2003 domain we are going to use AGULP
- U stands for universal group
- We place global groups into universal group and universal groups into local groups
- Access control
- Author mode - full customization of the MMC console
- User mode-full access - as author mode, except that users cannot add or remove snap-ins, change console options, create Favorites, or create taskpads
- User mode-limited access, multiple windows - access only to those parts of the console tree that were visible when the console file was saved. Users can create new windows but cannot close any existing windows.
- User mode-limited access, single window - as 'user mode limited access, multiple windows' but users cannot create new windows
[3.30] Special groups (special identities)
- Anonymous Logon - users and services that access a computer and its resources through the network without using an account name, password, or domain name
- Everyone - all current network users
- Network - users currently accessing a given resource over the network
- Interactive - all users currently logged on to a particular computer and accessing a given resource located on that computer
- Special groups can be assigned rights and permissions to resources but their memberships cannot be modified or viewed and scopes do not apply. Users are added automatically.
[3.31] Other points
- Home folder can be on local PC or a network share
- Rename Guest and Administrator accounts, for local accounts use GPO
- PC and DC use a secure channel to communicate password changes every 30 days. If they
are out of synchronization you will need to reset the PC (message is: 'Domain member failed to authenticate'). This is by going to the computer
account and clicking on 'reset account'.
Part 4: Managing and monitoring access to resources
[4.1] ACL - access control list
- Every object in AD has ACL
- ACE - access control entries
- ACL is a list of ACEs. Each ACE has deny or accept action and an associated SID (security identifier).
- The process of checking user access is preformed in this way:
- User SID is checked against ACE on ACL list of the resource user wants to access
- Also groups that the user belongs to (group SID) is checked against ACE in ACL
- If there is no entry, then access is denied
- Accept if ACE = SIDs in ACL and associated ACE action is accept
- Windows resolves SID and presents name as ACE
- Deny right takes precedence over allow right in group and user security context. This is true even for Administrator and object owner.
[4.2] General NTFS permissions for files
- Read - also allows for viewing of file attributes
- Read and execute
- Modify = read + write + delete + execute
- Full control
[4.3] General NTFS permissions for folders
- Read - also allows to view folder attributes
- Read and execute
- Modify = read, execute, write, delete
- List folder contents, includes subfolders
- Full control = all of above permissions plus permission change permission plus ownership change permission
[4.4] Share permissions
- Only applicable for folders, no share permissions for files
- Read = read file data, file names and subfolder names + execute (default assigned to everyone group)
- Change = read permission + delete files and subfolders + write
- Full control = all of above permissions + change of share permissions right only
- Share permissions do not apply to users that are logged into the OS interactively (i.e. locally)
- NTFS general permissions always apply, even for a share i.e. user needs two read permissions in order to access a file over the network
- Use NTFS permissions to tighten security
- To add share form command prompt: net share 'folder name'='path'
- To delete share form command prompt: net delete 'folder name'
- When a share name ends in $ it is hidden and cannot be browsed to, full name needs to be typed in
- Share permissions are not included in a backup or restore of a data volume
- Share permissions do not replicate through the File Replication service
[4.5] Special permissions
- In Windows 2003 object ownership can be given to another user, not just taken by the current user as in Windows 2000
- When user is in multiple groups the least restrictive permissions are chosen
- Special permissions:
- Traverse folder/ execute file
- List folder/ read data
- Read attributes
- Read extended attributes (created by program)
- Create file/write data
- Create folders/append data
- Write attribute
- Write extended attribute
- Delete subfolders and files
- Read permissions
- Change permissions
- Take ownership
- Synchronize (not users and groups)
- Everyone group is no longer granted full control (it is granted read and execute only).
The built-in Everyone group includes Authenticated Users and Guests, but no longer includes members of the Anonymous logon group.
- A quick way to see the permission structure is to click on 'view effective permissions'
- The Effective Permissions tool only produces an approximation of the permissions that a user has.
The actual permissions the user has may be different, since permissions can be granted or denied based on how a user logs on.
This logon-specific information cannot be determined by the Effective Permissions tool, since the user is not logged on;
therefore, the effective permissions it displays reflect only those permissions specified by the user or group and not the permissions specified by the logon.
[4.6] Explicit permissions and inherited permissions for files and folders
- There are two types of permissions: explicit permissions and inherited permissions.
- Explicit permissions are those that are set by default when the object is created, by user action.
- Inherited permissions are those that are propagated to an object from a parent object.
Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all
objects within a given container.
- Explicit permissions take precedence over inherited permissions, even inherited Deny permissions. This has nothing to do with user and group security context.
[4.7] Inherited permissions (file and folders)
- All files and folders inherit their permissions from the parent folder by default
- There are three ways to make changes to inherited permissions:
- Make the changes to the parent folder, and then the file or folder will inherit these permissions. Remember this is not related to user and group security!
- Select the opposite permission (Allow or Deny) to override the inherited permission.
- Clear the 'Allow inheritable permissions from the parent to propagate to this object and all child objects. Include
these with entries explicitly defined here' check box.
You can then make changes to the permissions or remove the user or group from the permissions list.
However, the file or folder will no longer inherit permissions from the parent folder. You be presented with a confirmation dialog that has these options
- You can 'copy' permission entries making all entries explicit (convert inherited entries into explicit)
- Or you can remove all inherited permissions and keep only the current explicit permissions
- You cannot change parent permissions inside a child object - they show as grayed out if inheritance is on.
- If the object is inheriting conflicting settings from different parents
then the setting inherited from the parent closest to the object in the subtree will have precedence.
- Only inheritable permissions are inherited by child objects. When setting permissions on the parent object, you can decide whether folders or subfolders can inherit them with Apply onto.
- Ownership general points:
- To decrypt a file owner still needs correct private/public key pair
- File owner always has 'change permissions' permission
- An administrator who needs to repair or change permissions on a file must begin by taking ownership of the file.
- Every object has an owner, whether in an NTFS volume or Active Directory. By default, in the Windows Server 2003 family, the owner is the Administrators group.
- Transferring ownership (new in Windows 2003) is preferred to giving users 'take ownership right'.
- Ownership can be taken by:
- An administrator. By default, the Administrators group is given the Take ownership of files or other objects user right.
- Anyone or any group who has the Take ownership permission on the object in question.
- A user who has the Restore files and directories privilege.
- Ownership can be transferred in the following ways:
- The current owner can grant the Take ownership permission to another user, allowing that user to take ownership at
any time. The user must actually take ownership to complete the transfer. Or transfer ownership by using 'Other users or groups' button.
- An administrator can take ownership.
- A user who has the Restore files and directories privilege can use 'Other users or groups' button and choose any
user or group to assign ownership to.
[4.9] Ways to create shares in Windows 2003
- Using MMC
- Server roles (file server role)
- Using explorer
[4.10] Share options
- Offline caching occurs when users have local copies of network files
- Offline caching is also controled by the use of group policy
- Offline caching is turned on by default when a share is created on the server
- The following settings are available on the client
- Use of the offline feature
- Synchronize when logging on
- Encrypt offline files cache
- Prohibit making available file and folders offline
- Configure slow link speed
- Windows XP computer can allow a maximum of 10 simultaneous connections to a shared folder
- Share permissions are managed like NTFS permissions but you cannot block inheritance and there are no special permissions
[4.11] Special shares
- drive letter$ - shared resource that enables administrators to connect to the root directory of a drive
- ADMIN$ - resource that is used during remote administration of a computer. The path of this resource is always the path to the system root (ex. c:\windows)
- IPC$ - resource that shares the named pipes that are essential for communication between programs. You use IPC$
during remote administration of a computer and when you view a computer's shared resources. You cannot delete this resource.
- NETLOGON - required resource that is used on domain controllers
- SYSVOL - required resource that is used on domain controllers
- PRINT$ - resource that is used during remote administration of printers
- FAX$ - shared folder on a server that is used by fax clients in the process of sending a fax
- You cannot browse to $ shares (cannot see them in Explorer)
[4.12] Web sharing
- You can share your folders online, web sharing of folders - viewed using IE
- You need to install IIS on the server
- You will need to allow directory browsing permission for files other then .htm and .asp to be accessible
[4.13] Shadow copies (new in Windows 2003)
- Accidental deletions
- Accidental overwrites
- File corruption
- Need to run VSS - volume shadow copy service
- Snapshot are taken at default or user defined intervals
- There can be at any time maximum of 64 different snapshots stored on the system
- Windows XP and 2000 need installation of client software, twcli32.msi
- Information is stored in the hidden system folder 'system volume information'
- Form command prompt: vssadmin create shadow /for=volume
- If you need to restore a file using shadow copies that has been deleted you will need to restore the whole folder
- Shadow copies can be accessed from:
- Windows explorer
- Shared folders snap-in
- Command prompt
- If you want to move shadow copy storage location you need to destroy and recreate the shadow
[4.14] Distributed file system (DFS)
- DFS exposes shared folders without explicitly starting where it is located
- DFS is like an index for shares on the network
- Domain based root (preferred) or standalone root
- Replication fault tolerance (for domain only)
- Stored in active directory (DFS root - domain based)
- To access distributed file system go to start -> all programs -> Administrative tools -> Distributed file system
- DFS on the Windows 2003 can only be used with the NTFS file system
- Set replication policy for DFS
- Do not create FRS replica sets on a volume that is managed by Remote Storage (performance hit)
- Automatic file replication through the File Replication service (FRS) is only available with domain DFS
- Dfsutil.exe and dfscmd.exe are command line tools used to administer DFS
[4.15] Enabling auditing for files, folders and printers
- You will need to enable auditing for object access policy
- And you also need to enable auditing for individual files and folders through NTFS security or through printer security
- Account logon events - success or failure of domain logon
- Account logon management - events such as resetting passwords and modifying user properties
- Directory services - any time user access AD an event is generated
- Logon events - success or failure of local logon or logon to a share
- Object access - file, folder or printer access
- Policy change - success or failure of change of security options, user rights, account policies and audit policies. Both domain and local PC changes are tracked.
- Process tracking - useful for applications
- System - system events such as shutting down PC or clearing the logs
[4.17] Terminal services
- Any Windows PC with client installed can connect to the terminal server
- There is no need to install terminal services if one intends only to use it for administrative purposes
- Terminal server can be transparent to users (for example thin clients)
- In order for the user to connect to the terminal server he or she needs local logon right
- All clients need a CAL (Windows 2000 and XP have one build in)
- You need to have terminal services licensing installed on DC in a single domain environment,
it will need to connect to Microsoft. If it cannot connect to Microsoft clearing house it will still issue temporary licenses.
It can also connect to the clearing house by fax or phone.
- Licensing server can issue temporary CAL (non-renewable) for 120 days
- Terminal server client connection uses RDP protocol
- There is an option of remote control of user if server is in application server role
- Terminal services are not installed by default
- Before users can use terminal services you will need to grant users access to RDP in Terminal Services configuration
- Tscc.msc - terminal services clients and connections MMC, you can override AD user account settings
- To install Terminal Services programs use 'Add & remove programs' when all user sessions are disconnected
- There are compatability scripts available for many popular programs
- Use Terminal Services GP to configure one or more terminal servers, or to manage Terminal Server user settings
[4.18] Remote desktop
- Remote desktop connection = terminal services client
- Remote desktop is installed and activated by default. For multiple remote desktop connections try Remote Desktops MMC.
- Remote desktop depends on terminal services service
[4.19] Remote assistance
- For Windows 2003 and XP
- Concurrent session with logged in user
- Logged in user has to authorize access
- You can send invitation from 'Help and Support' menu. You can send invitations through e-mail or Microsoft messanger. You also need to supply a connection password.
- You can also offer remote assistance to others (disabled in GP by default)
[4.20] User rights
- Administrators can assign specific rights to group accounts or to individual user accounts.
If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than
one set of rights. The only time that rights assigned to one group might conflict with those assigned to another
is in the case of certain logon rights.
- There are two types of user rights:
- Privileges, such as the right to back up files and directories
- Logon rights, such as the right to logon to a system locally
[4.21] Security best practices
- Use Deny permission to exclude users
- Use security templates rather than individual permissions
- Avoid changing default permission on system objects (including AD objects)
- Never deny Everyone group access to an object. Instead just remove Everyone group.
- Assign permissions as high as possible up the inheritance tree
- Privileges can sometimes override permissions
- Assign permissions to groups rather than single users
- Avoid giving 'Full control' permission, give users what they need to do their work
- Minimize the number of ACEs that apply to children (are inheritable)
- Assign the same permissions to multiple objects, this way the AD will only have to store one copy of ACL
- When possible, assign access rights on a broad level rather then specific
Part 5: Managing and maintaining a server environment
[5.1] Performance and system events
- Task manager
- Event viewer
- System monitor (to activate you can run prefmon.exe from command line)
- Performance logs and alerts
- Network monitor
- To set process priority at run time, go use start "process name" /"priority value"
- Another way is to: cmd /c start /"priority setting""application name" -- you cannot use this from the run menu
- Priority types:
- Real time (you will need Administrator access to set this priority level)
- Above normal
- Below normal
- Relog - extracts performance counters from performance counter logs into other formats, such as text-TSV, text-CSV, binary-BIN, or SQL
- Logman - manages and schedules performance counter and event trace log collections on local and remote systems
[5.3] Performance indicators
- Memory: pages faults/sec - data not found in CPU cache creates a fault, most processors can handle large amounts of soft page faults, compare with memory: pages/sec
- Available memory in bytes - need more if less than 10% available (could be an application memory leak)
- Memory: pages/sec - hard drive access to page file, a rate of 20 or more indicates a need for more RAM
- Page file percent close to 100, need more space on file or more RAM
- Physical disk: percentage disk time above 70% - is too high, if paging file usage is excessive as well it indicates more RAM is needed otherwise a disk is the bottleneck
- Physical disk average queue length above 2 - check paging file and physical memory
- Physical disk current queue length - a value above 2 indicates a problem
- CPU close to 100% - need more CPU power if situation continues for excessive amounts of time
- Number of open files indicates how busy the server is, compare to baseline
- Server: bytes total/sec - indicates network throughput
- Baselining is the process of determining average/normal system performance. Should be done over a period of 3 to 4 weeks using counter logs.
- Performance logs and alerts are used to perform long term analysis:
- Using the default Windows 2003 data provider or another application provider, trace logs record detailed system application
events when certain activities, such as a disk I/O operation occurs. When the event occurs, your OS logs the system data to a file.
A parsing tool is required to interpret the trace log output, like Tracerpt
- When counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event.
[5.4] Log file settings
- Maximum log size
- Overwrite log events as needed
- Overwrite log events older than X days
- Do not overwrite events (clear log manually)
- Microsoft recommends keeping 7 day logs
[5.5] Log files
- DefaultDefalut log files:
- Active directory adds:
- Directory service log
- File replication service log
- DNS adds: DNS service log
- Log file extension is .evt (files with this extension can be viewed by event viewer)
- Tracerpt - processes event trace logs or real-time data from instrumented event trace providers
[5.6] Log filtering
- Event type
- Event source
- Event ID
- Date range
[5.7] Event information
- Eventvwr - used to lunch event viewer
- Eventtriggers.exe - displays and configures event triggers on local or remote machines.
- Eventcreate.exe - enables an administrator to create a custom event in a specified event log
- Eventquery.vbs - lists the events and event properties from one or more event logs
[5.8] Page file
- Page file size should be at least 1-1.5 times the size of physical RAM
- Don't let system manage the size of the page file (fragmentation of page file due to constant resizes)
- Set minimum=maximum size of the page file in order to prevent any page file resizes
- If you move page file from the system drive you will no longer get any memory dumps
- You will need to restart your PC once you make changes to the page file
[5.9] Disk quotas
- Disk quota applies to everyone using the volume except administrators
- Remember that every user needs few Mb (min 2) for storage of the profile which is needed for logging in
- Quota entry can be created per user but not per group, only volumes and users have quota entries
- Quota limit is calculated using the uncompressed file size, thus compressing files will not create more space
- The default quota entry is for all users of given volume. You can add additional quota entries on per user basis only.
- Once again, quota entries are per user per volume, no groups are allowed.
- Remember that once a user uses a volume with quota set on it an entry is automatically added.
Thus, if you had a general entry for all users and later on some users run out of space and need more you modify quota entries not add new ones.
- Disk quota is only applied to the files that are being added after the quota entry got created, it doesn't apply to files that were already there
- Each file can contain up to 64kb of metadata that is not applied towards users quota limit
- Fsutil is used to manage quota from command line
- To free some space run disk cleanup, from command prompt: cleanmgr.exe (note it doesn't clear internet temporary files)
- You will need at least 15% of free HD space in order to defragment
- You may need to repeat the process several times in order to achieve planned results
- Defragmenting should be done on every volume every 1 to 2 months
- You cannot schedule defragmenting task (unless you use custom scripts)
- Windows defragmenter works with FAT16, FAT32 and NTFS
- On modern computer systems that use NTFS and don't use the file system extensively (desktops) the benefits of defragmenting
a hard drive are measurable but not noticable for the end user. Thus defragmenting is only significant performance tool for
[5.11] Internet Information server 6 (IIS.6)
- Can server files from local/network/redirected URL
- IIS runs as w3wp.exe process
- You can run multiple sites using one of these methods:
- Different IP per site
- Use headers, not preferred method, no SSL/HTTPS, need HTTP 1.1 compliant browser
- Different port per site
- Front page extensions are to be used with front page only
- To create Virtual directory you can use regular wizard or web share a folder
- IIS 6 is not installed by default in Windows 2003 (it was in Windows 2000)
- For anonymous access IIS6 uses IUSR_computerName account
- IWAM_computerName account is for IIS to start out of process applications
- All users of the website have to authorize to the domain, even anonymous users (by default users are anonymous)
- You can backup just IIS using the IIS manager or isbackup.vbs.
Backup copies store only the metabase configuration and schema. (not site content)
- Custom error templates (.htm) are located in %systemroot%\help\iishelp\common\
- Can change home directory
- Can change default document name
- You can limit bandwidth and total connections numbers
- Different logging options
- Certificates are used with SSL, can have personal certificates
- SMTP and e-mail services are not the best, use in emergency, try to avoid
- ISAPI filters - internet server application programming interface filters
- Content expiry - this setting tells client browser whatever it should use cached copy or load new data from the website
- Web service access permission and NTFS permissions work together, more restrictive choosen, recommended to use NTFS
[5.12] Application pools in IIS.6
- IIS modes of operation
- Worker process isolation mode, which runs all processes in an isolated environment (needed for application pools)
- IIS 5.0 isolation mode, in which you can run Web applications that are not compatible with worker process isolation mode
- Application pools are like separate memory spaces in which sites live. More formally, an application pool is a
configuration that links one or more applications to a set of one or more worker processes.
- Two ways to recycle the assigned worker process
- By default, the worker process that is to be terminated is kept running until after a new worker process is started up
- Alternatively, the WWW service can terminate a worker process and then start a new worker process
- An application pool that uses more than one worker process is called a Web garden
- When more than one server is used to host a website we have a web farm
[5.13] Authentication methods
- Integrated Windows authorization, uses kerberos or NTLM depending on client capability, popular on intranets.
Uses domain user or local user account information passed hashed over the network. If AD (not required) is installed can use Kerberos if not NTLM.
- Digest authorization, uses MD5 algorithm transmission, no password are transmitted.
Values are compared to AD (user needs account in AD, AD needs to be installed).
This is used when integrated Windows authorization is not available. Requires the accounts to store passwords using
reversible encryption. Internet Explorer 5.0, HTTP 1.1 at minimum.
- Basic authorization, uses clear text passwords (base64 encoded), supported by almost any environment, AD or local account
- .Net authorization - native Windows XP and 2003 support
- Can restrict access based on IP or/and domain name
- Kerberos authentication is used by computers that have account in AD and are above Windows NT4.
[5.14] Website Logging
- Web site logging can be out of synchronization with local time - enable log rollover for local time.
- Web site logging formats:
- W3C Extended Log File Format (default)
- Microsoft IIS Log File Format
- NCSA Common Log File Format
- ODBC Logging
[5.15] SUS - software update service
- SUS - software update service, can distribute updates (need to be approved by the admin before distribution occurs) to clients.
- Minimum requirements for the clients to connect to SUS are Windows XP SP1, or Win2k SP3 or later.
- SUS server is really just a webpage with ActiveX functionality that piggybacks on top of IIS.
- In order for SUS to work you need to point client computers to SUS server using GPO
- You need to install SUS10SP1.exe on the server
- Server computer must be running at least version 5 of IIS
- SUS virtual administrative directory http://yourservername/SUSadmin
- SUS needs NTFS with at least 100Mb to install package and 6Gb for storing updates, SUS runs from the 'default website'
and stores all data there
- SUS notification is shown for Administrators only
- If you have P III 700, 512Mb RAM SUS server can handle up to 15000 clients
- SUS server is not set to synchronize with Windows update site by defalut, administrator must do that or manually synchronize
- HTTP - hypertext transfer protocol TCP port 80
- SSL - Secure socket layers TCP port 443
- SMTP - TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
- SNMP - simple network management protocol used to provide information about TCP/IP hosts, UDP port 161.
- FTP - only basic authentication allowed, TCP port 20 (data) TCP port 21 (control). Files stored in LocalDrive:\Inetpub\Ftproot
- POP - TCP port 110
- DNS - UDP port 53 (query) TCP port 53 (zone transfer)
- NNTP - TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
- PPTP - Point to point tuneling protocol TCP port 1723
- L2TP/IPSec - UDP ports 500, 1701 and 4500
[5.17] Other points
- By default Windows 2003 Server uses 25% of RAM for system cache (Windows 2003 server assumes it will be a file server)
- Dos and 16bit programs run as NTVDM processes. Windows 64bit editions cannot run 16bit programs.
- You should assign more RAM for the system cache if server is a file server
Part 6: Managing and implementing disaster recovery
- Document everything in your plan, test your plan
- Posses a 'recovery toolkit' with stuff like backup utilities/system utilities etc.
- Make sure you backup:
- User data
- Critical system files
- Critical applications
- Recovery point - how much data can we loose? Most medium size companies are OK with loosing up to 24h - thus daily backup is OK.
- Time frame for recovery - how long does it take to recover affected systems
- Hot sites are ultimate backup solution (a hot site can take on all functions of the current site, is kept synchronized and is in a different physical location)
- Backup files have .bkf extension
- When files are backed up they retain all of their original attributes including encryption
- File attributes are lost when you restore backup to a FAT volume
[6.2] Backup types
- Normal (full) - Clears archive bit, backs up all data on volume that is beeing baced up.
- Incremental - backs up only these files that have their archive bit set to 1 (since last full or incremental backup).
Clears archive bit. Restore process will have to chain multiple incremental backups. This backup is fastest when combined with normal backup.
- Differential - backs up only these files whose archive bit is set to 1. Does not clear archive bit, no chaining of backups during restore process
- Copy - only backup type that can back up registry and other critical system files. Like full backup, but does not
clear or set any archive bits. This type of backup is used for archiving or when backing up between incremental and normal backup routine.
- Daily - backs up only these files that were modified today. Does not clear archive bit.
- You can exclude files from being backed up
- System state - boot and system files, AD (if DC), SYSVOL directory (if DC), COM+ Class Registration database, registry,
Cluster service information (if server is part of a cluster), IIS Metadirectory (if installed) - only for local system!
- All backed up files keep their file attributes, unless you are restoring to FAT
- For command prompt use: ntbackup.exe
- Backup cannot be preformed to CD-R and DVD-R
- When NTBackup creates a backup set it also creates a listing of files and folders included on the set, called a catalog.
It is stored on both the disk of the server and the backup set itself.
[6.3] Backup log
- By default 10 backup logs are kept on the server
- There are three logging options:
- No log
- Summary log (default)
- Detailed log
[6.4] Restore options
- Do not replace files (default)
- Replace only if the file on disk is older
- Always replace files
- Options do you have to restore the files to
- Restore to alternate location
- Restore to single folder
- Restore to original location
[6.5] Authorative vis normal (non-authorative restore) vis primary restore
- DC use Universal sequence numbers (USN) to keep track of state
- Authorative restore makes sure that the current DC is the one with master copy
- Authorative restore is used in situations when you accidentally deleted something in AD and now want it undeleted
- To run restore, use: ntdsutil.exe
- Use ntdsutil.exe utility is used to mark specific objects as authorative
- A primary restore is used to rebuild a domain from backup when the only DC in domain or all domain controllers have failed.
- Select primary restore only when restoring the first replica set to the network.
[6.6] Running normal (non-authorative restore) steps
- Boot the DC into Directory Services restore mode and enter restore password
- Run ntbackup.exe and restore system state backup. After restore completes you need to restart the PC
[6.7] Running authorative restore steps
- Preform steps like in 5.6 except the reboot in step 2
- Start ntdsutil.exe utility and type 'authorative restore'
- At the ntdsutil prompt type 'restore database'
- When restore completes reboot your DC
[6.8] Running primary restore steps
- Proceed as in normal (non-authorative) restore, but when restoring replicated data sets, mark the 'restored data as the primary data for
all replicas' box
[6.9] Boot problems
- Hit F8 for boot menu during startup
- Last known good configuration is the control set in the registry (current settings, like used drivers)
- Last known good configuration is still good choice only if user has not logged on since problem arouse
- Safe mode does not backup the 'Last known good configuration'
- To access recovery console: 'winnt32.exe /cmdcons' - this places recovery console option into boot.ini
- Recovery console is good for missing boot files
- Can run recovery console from Windows 2003 CD, to run console from CD boot from CD and press R (repair installation)
- When boot files are missing you will have to copy new ones from installation CD
- Directory services restore mode:
- This is like a safe mode for a domain controller
- Active directory is not started
[6.10] Advanced boot options
- Safe mode - in boot.ini /safeboot:minimal /sos /bootlog /noguiboot
- Safe mode with networking - in boot.ini /safeboot:network /sos /bootlog /noguiboot
- Safe mode with command prompt - in boot.ini /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
- Enable boot logging - in boot.ini /bootlog
- Enable VGA mode - in boot.ini /basevideo
- Last known good configuration - in boot.ini
- Directory services restore mode (Windows domain controllers only) - in boot.ini /safeboot:dsrepair /sos
- Debugging mode - in boot.ini /debug
[6.11] ASR - Automated system recovery
- Replaces ERD (emergency repair disk)
- Stores system state data
- Need Windows 2003 CD and ASR floppy to do a clean install and apply system settings
- ASR is needed to recover from boot failures
- To create ASR disk either run ntbackup.exe from command prompt or go to: start -> all programs -> accessories -> system tools ->backup
- Using ASR recovers the system up to the point ASR was created
- If you create ASR for system without floppy files are saved to the %systemroot%\repair folder on the server. ASR restore will not work without a floppy drive and the floppy disk.
- To preform ASR recovery you need:
- ASR floppy disk
- ASR Backup set
- Windows 2003 setup CDROM
[6.12] Best practices for backup
- Develop backup and restore strategies and test them; train people.
- Always create an Automated System Recovery (ASR) backup set when the operating system changes
- Always choose to create a backup log for each backup
- Keep at least three copies of the backup media. Secure both the storage device and the backup media.
- Perform a trial restoration periodically to verify that your files were properly backed up
- Use volume shadow copies when performing a backup (default setting)
[6.13] Other points
- System state data can only be restored and backed up locally (there are 3rd party software utilities that can restore and backup over the network)
- Using 'last known good configuration' can be used to recover from most stop errors if the user has not logged in BUT
server must be able to boot, i.e. if ntldr error need to use ASR or recovery console
- For major hardware failures such as motherboard replacement you will need to reinstall Windows Server 2003.
However, you will still need to restore system state prior to full Windows boot in order to preserve original SID.
- Recovery password can be different than administrator password
- For problems with boot files use recovery console and copy needed files over from the CD
Part 7: Active directory primer
[7.1] The operations master roles (FSMO (Flexible Single Master Operations) roles)
- Every forest must have the following roles: Schema master and Domain naming master
- Every domain in the forest must have the following roles: PDC emulator master, RID master and Infrastructure master
- At any time, there can be only one DC acting out his role in his respective scope
- Domain naming master - addition or removal of domains in the forest
- Infrastructure master
- Responsible for updating references from objects in its domain to objects in other domains
- Compares its data with that of a global catalog
- Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog.
- Primary domain controller (PDC) emulator master
- Needed for computers operating without Windows 2000 or Windows XP Pro client software or if domain contains Windows NT BDCs
- PDC is responsible for synchronizing the time on all DCs throughout the domain
- External time source net time \\ServerName /setsntp:TimeSource
- If a logon authentication fails at another DC due to a bad password, that DC will forward the authentication request
to the PDC emulator before rejecting the logon attempt since PDC emulator gets preferential treatment
- Supports both NTLM and Kerberos authentication
- Relative ID (RID) master - allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain
- Schema master - all updates and modifications to the schema, need additional DLL to be registered if transferred
[7.2] AD troubleshooting and seizing a FSMO role
- Use ntdsutil.exe to transfer FSMO roles
- Use ntdsutil.exe utility for AD related tasks
- Do not seize the FSMO role if you can transfer it instead. Seizing the FSMO role is a drastic step that should be
considered only if the current operations master will never be available again.
- Before seizing the chosen FSMO role, use the repadmin utility to verify whether the new operations master
has received any updates performed by the previous role holder, and then remove the current operations master from the network.
[7.3] Other AD information
- Dcpromo.exe is used to promote member service to DC and to demote DC back to member service
- A global catalog is a DC that stores a copy of all AD objects in a forest. It stores a full copy of all objects in
the directory for its host domain and a partial copy of all objects for all other domains in the forest. It is managed from 'Active Directory Sites and Services'.
- Netdom - This command-line tool enables administrators to manage Windows 2003 and Windows 2000 domains and
trust relationships from the command line (need support tools suptools.msi)
- The DS*.exe family of tools
- Dsadd - adds a computer, contact, group, organization unit, or user to a directory
- Dsmove - moves any object from its current location in the directory to a new location, as long as the move can
be accommodated within a single domain controller, and renames an object without moving it in the directory tree
- Dsquery - queries and finds a list of computers, groups, organizational units, servers, or users in the directory by using specified search criterion
- Dsrm - deletes an object of a specific type or any general object from the directory
- Dsget - displays selected attributes of a computer, contact, group, organizational unit, server or user in a directory
- Dsmod - modifies an existing object of a specific type in the directory
[7.4] Other GP information
- GPUpdate - refreshes local GP settings and GP settings that are stored in AD, including security settings
- Order in which Group Policies get applied: Local computer, Site, Domain, OU. This means that Site GP are more relevant than Local, Domain more relevant than Site and OU the most relevant.
- OU is the smallest scope to which you can delegate authority or apply GP against
- RSoP.msc - Resultant set of Policies is a GP tool that can be loaded as a Management Console snap-in.
Resultant set of policies is the final set of policies that is applied to the user and computer.
- Gpedit.msc - GP editor MMC
- Dhcploc.exe - displays the DHCP servers active on the subnet including unauthorized servers
- DHCP server must be authorized in the AD before it can give out addresses
- IP autoconfiguration - when PC does not get IP address from DHCP it by default autoconfigures itself to address in range 169.254.x.x
[7.6] Other points
- Whoami - returns domain name, computer name, user name, group names, logon identifier, and privileges for the user who is currently logged on
- Removable Storage makes it easy for you to track your removable storage media (tapes and optical disks). Use rss or rsm utilities
- Media pool description:
- Blank or Foreign tape - unrecognized
- Newly formatted tape - free
- Tapes previously used by NTBackup - backup
- Tapes not cataloged - import
- Windows File Protection (WFP) - prevents the replacement of protected system files such as .sys, .dll, .ocx, .ttf,
.fon, and .exe files. Turned on by default. Original files are stored in %SYSTEMROOT%\system32\dllcache
- Systeminfo.exe or msinfo32 (has to be executed from Run window NOT command line) - can be used to display system information
- MBSA Microsoft Baseline Security Analyzer
- mbsacli.exe for command line, mbsa.exe for GUI
- Windows NT 4.0 Service Pack 4 (SP4) and later (remote scan only), Windows 2000, XP, 2003
- IIS 4.0, 5.0, 5.1 or 6.0 are supported by scan
- Internet Explorer 5.01 or later are supported by scan
- SQL 7.0, 2000 are supported by scan
- Office 2000, Office XP, or Office 2003 are supported by scan
- Security update checks, password checks, Windows system check
- Regedit.exe - used to edit registry (only one editor in 2003)
- Runas is also known as secondary logon, you need to have Secondary Logon service running to use it.
This command line utility is used to run programs within different user's security context. For example, network administrator
is logged on as a regular user and needs to run system utility that requires administrative privelages. Instead of loging out
and back in as an administrator, the user could use runas command which uses the following syntax: runas /user:ComputerName\UserName "program name"
- qchain.exe is used for multiple hot fixes (so as not to have to restart server multiple times)