PROPRIETARY AND CONFIDENTIAL INFORMATION. These education materials and related computer software program (hereinafter referred to as the "Education Materials") are for the end user's informational purposes only and are subject to change or withdrawal by Computer Associates International, Inc. ("CA") at any time. These Education Materials may not be copied, transferred, reproduced, disclosed or distributed, in whole or in part, without the prior written consent of CA. These Education Materials are proprietary information and a trade secret of CA. Title to these Education Materials remains with CA, and these Education Materials are protected by the copyright, trademark and trade secret laws of the United States and international treaties. All authorized reproductions must be marked with this legend.
RESTRICTED RIGHTS LEGEND. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THESE EDUCATIONAL MATERIALS "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THESE EDUCATION MATERIALS, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE. THE USE OF ANY PRODUCT REFERENCED IN THESE EDUCATION MATERIALS AND THESE EDUCATION MATERIALS IS GOVERNED BY THE END USER'S APPLICABLE LICENSE AGREEMENT. The manufacturer of this documentation is Computer Associates International, Inc. Provided with "Restricted Rights" as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227.7013(c)(1)(ii) or applicable successor provisions.
© 2000 Computer Associates International, Inc. Mark Phillips, Contributing Editor. John Melendez, Managing Editor. One Computer Associates Plaza, Islandia, NY 11749. All rights reserved. All trademarks, trade names, service marks or logos referenced herein belong to their respective companies. Call Computer Associates technical services for any information not covered in this manual or the related publications. In North America, see your Computer Associates Product Support Directory for the appropriate telephone number to call for direct support, or you may call 1-800-645-3042 or 516-342-4683 and your call will be returned as soon as possible. Outside North America, contact your local Computer Associates technical support center for assistance.
Table of Contents

1 What's New in Windows 2000

- Introduction 1-2
- Microsoft Management Console 1-3
- Task Pads 1-6
- Windows 2000 Enhanced Management Features 1-7
- IntelliMirror Features 1-7
- Remote Boot Features 1-8
- Active Directory Manager 1-9
- Group Policy 1-9
- Offline Folders 1-10
- Synchronization Manager 1-10
- Windows Installer 1-10
- Application Deployment Editor 1-11
- Remote Installation Service 1-12
- Roaming Profiles 1-12
- Directory Services 1-13
- Active Directory 1-13
- Flexible Querying of Information 1-14
- Security of Information 1-14
- Replication of Information for Performance and Fault Tolerance 1-15
- Partitioning of Information 1-15
- Extensibility of the Directory 1-15
- Integration with DNS 1-16
- Interoperation with Other Directories 1-17
- Active Directory Clients 1-17
- Security 1-20
- Kerberos 1-20
- Smart Card Compliance 1-21
- Terminal Server 1-23
- Storage Features and Disk Manager 1-24
- Disk Defragmenter 1-24
- Clustering Technology 1-25
- Plug and Play and More 1-26
- Summary 1-28
1 What's New in Windows 2000
Introduction
From the outset, Microsoft designed Windows NT to provide a fully integrated, extensible networking architecture. They designed the NT operating system to be portable, robust, and reliable, while also ensuring the security and stability of the network and the server. Windows 2000 furthers the advances in distributed computing made by NT 4.0. Microsoft Windows 2000 Server is a multipurpose operating system built on a reliable, secure, and open architecture. New features in Windows 2000 provide improved performance and more cost-effective networking. The advanced capabilities of Active Directory, Dynamic DNS, Microsoft Management Console, Zero Administration for Windows, and other features combine to make a powerful tool kit for developing and deploying enterprise applications. Microsoft Windows 2000 provides a scalable, reliable, and secure infrastructure capable of serving the overwhelming majority of enterprise customer needs.
to your administrators. Microsoft provides standard tools with the operating system that help users perform everyday administrative tasks. These are part of the All Users profile of the computer and are located in the Administrative Tools group on the Startup menu.
A powerful feature of the Microsoft Management Console is that it enables system administrators to create special tools that delegate specific administrative tasks to users or groups. Building tools with the MMC's standard user interface is simple. System administrators start with an existing console and modify or add components to fulfill their needs, or they can create an entirely new console. They can scale a tool up or down, integrate it seamlessly into the operating system, repackage it, and customize it. When they save these custom tools as MMC saved console (MSC) files, administrators can send the files by email, share them in a network folder, or post them on the Web. In addition, administrators can use system Group Policy settings to assign tools to users, groups, or computers. With the MMC, system administrators can create unique consoles for workgroup managers. When managers open a document, they may access only those tools provided by the administrator. Microsoft considers the MSC files a new paradigm for file types. Console files are like document files. MMC snap-ins initialize and manipulate MSC files. The MMC is part of the Software Developer's Kit (SDK), thereby enabling developers to extend Microsoft tools. For example, in NT 4.0 the Event Viewer does not let developers extend its functionality to their own custom application. With the MMC, developers can write their own diagnostic snap-in and have the event log be an extension of their MMC snap-in. The default MSC files for the native administrative tools are in the \WINNT\system32 folder of the system root.
The console does not manage behavior; the MMC is essentially a web browser (albeit a highly powerful and flexible one). Administrators no longer need to isolate problems through Network Monitor and open an additional container to configure or troubleshoot these problems. Instead, they do all work through the MMC and its snap-ins. The MMC snap-ins are actually COM programs that either stand alone or serve as extensions to existing, independent snap-ins. For example, the Event Viewer and other native administration tools can serve as independent snap-ins or as extensions to a customized snap-in written by Microsoft or third-party developers. The MMC graphical interface has two views that are very similar to Microsoft Explorer. The leftmost view is the Scope Pane, which displays the master tree of the saved console file. The other view is the Results Pane, which shows details of a selected area of the Scope Pane. Here are the major features and enhancements that the MMC offers:

- Author mode (gives administrative control to the author of the file)
- Help file index integration with snap-ins
- Auto-code downloading from the server in Windows 2000
- Dynamic extensions

Note: A snap-in or extension can dynamically load another snap-in or extension as needed. The stand-alone snap-in will turn on or off other extensions without manual intervention.
The MMC offers two modes: author mode and user mode. In author mode, the author (administrator) of the console file has total control over its contents as well as the MMC toolbar, the snap-in toolbar, and similar administrative elements. Author mode also controls access in user mode; user mode has access only to those items so designated in author mode. The user must be in author mode to change the console file (e.g., load/unload a snap-in or web page). Through delegated access, administrators can create custom console files that grant full access to users in user mode while restricting those users from loading or unloading snap-ins or changing window views. The MMC also supports enterprise management by supporting roaming users, by controlling access to individual snap-ins, and by customizing the tools to support multitiered management. Administrators use the Group Policy component to specify the users or groups who may author console files, as well as the snap-ins they may use.
Task Pads
By using Dynamic HTML Task Pads, you can help administrators who work in a task-oriented environment rather than the typical object-oriented environment. For example, you may have Internet Information Server with multiple roots and may want only a particular administrator to manage the Sales virtual root. You delegate this granular level of task through a simplified DHTML-controlled display to accommodate less experienced administrators. This helps them perform particular tasks without having to load or unload the proper snap-in (similar to a customized Administrative Wizard). We recommend installing and storing consoles in a shared volume on the server where all the console files reside together. Administrators may open, load, or unload console files from any machine, or they may have snap-ins load automatically.
IntelliMirror Features
- Operating system and application deployment for computers and users (administered via a central code server)
- Scheduled inter-site replication
- Improved replication topology management
- Partial replica global catalog
- Application Deployment Editor tool for publishing and assigning applications

Remote Boot Features

- Simplify management of server images (the most costly challenge of remote boot today)
- Automatic O/S update and simple repair
- Maintain ability to function off line

IntelliMirror feature areas and the technologies that provide them:

- User Data Management: mirroring of user data to the network and caching of selected network data locally. Technologies: Active Directory, Group Policy, Offline Folders, Synchronization Manager, Disk Quota, and enhancements to the Windows shell.
- Software Installation: robust just-in-time software installation (applications, service packs, and operating system upgrades) to users and computers. Technologies: Active Directory, Group Policy, Windows Installer, Application Deployment Editor, Add/Remove Programs control panel, and enhancements to the Windows shell.
- User Settings Management: mirroring of user settings to the network and application of administrator-set defaults to the user's environment. Technologies: Active Directory, Group Policy, Offline Folders, Roaming User Profiles, and enhancements to the Windows shell.
- Remote OS Installation: operating system installation from network servers. Technologies: Active Directory, Group Policy, Remote Installation Service, Remote Install capable workstation (NetPC or PC98).
Active Directory Manager

From this tool, an administrator can manage each of the domains in the forest, manage trust relationships between domains, configure the mode of operation for each domain (Native or Mixed Mode), and configure the alternative User Principal Name (UPN) suffixes for the forest.
Group Policy
Group Policy is the central component of the change and configuration management features of Microsoft Windows 2000. Group Policies specify settings for groups of users and computers, including software policies, software installation, security settings, scripts (computer startup and shutdown; user logon and logoff), and user documents and settings. The administrator uses the Group Policy Editor (GPE) to manage policy. The GPE contains various built-in features for setting policy, and third parties can extend the GPE to host other policy settings. A Group Policy Object (GPO) stores all of the data generated by the GPE, and these GPOs replicate to all Domain Controllers within a single domain. Group Policy reduces Total Cost of Ownership (TCO) by allowing administrators to enhance and control users' desktops. Enabled by Windows 2000 Active Directory, Group Policy includes filtering based on security group membership. Microsoft Windows 2000 Group Policy includes:

- Software policies: registry settings that are written to the HKEY_LOCAL_MACHINE (HKLM) and HKEY_CURRENT_USER (HKCU) trees to configure the behavior of system services, desktop look and feel, and application settings.
- Software installation: the ability to assign or publish an application.
- Security settings: local computer, domain, and network security settings.
- File deployment: improved features for administrators to more easily determine the files, folders, and applications that a user will be able to access. Administrators have the capability to remotely deploy a file to a user's desktop or restrict a group of users from using an application.
- Folder redirection: a unique feature of Windows 2000 that allows users and administrators to redirect the path of a folder to a new location. The new location can be a folder on the local machine or a directory on a network share. Users have the ability to work with shared documents on a secure server as if the documents were based on the local drive.
- Scripts: run by the computer at startup and shutdown or when the user logs on or off the computer.
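The software policies described above end up as ordinary registry values under the Policies keys of HKLM (computer policy) and HKCU (user policy). An administrator verifying what a machine actually received therefore reads those keys back rather than trusting the GPO as authored. The following PowerShell is an added example, not code from the CA course materials: it enumerates every policy value under both keys and compares a small baseline against them. The baseline table is constructed for illustration (its one entry, the Windows Installer AlwaysInstallElevated value, is a real setting that a hardening standard normally wants absent or 0); the function names are assumptions. It assumes a Windows host with PowerShell 5.1 or later.

```powershell
# Added example (not from the CA course materials): list the registry-based
# Group Policy settings that are in force on this machine and check a baseline.
# HKLM\SOFTWARE\Policies holds computer policy, HKCU\SOFTWARE\Policies user
# policy; these are the standard locations Group Policy writes such values to.

function Get-AppliedPolicyValue {
    [CmdletBinding()]
    param(
        [string[]]$Root = @('HKLM:\SOFTWARE\Policies', 'HKCU:\SOFTWARE\Policies')
    )
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        # The root key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name      # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
                    Name  = $name
                    Type  = $key.GetValueKind($name)
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

function Test-PolicyBaseline {
    # $Expected maps "<full key name>|<value name>" to the value the baseline
    # requires. The default entry is constructed for illustration; a real
    # baseline comes from the site's own security standard.
    param(
        [hashtable]$Expected = @{
            # Per-machine installs must not run elevated for every user.
            'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer|AlwaysInstallElevated' = 0
        }
    )
    $applied = @{}
    foreach ($v in Get-AppliedPolicyValue) { $applied["$($v.Key)|$($v.Name)"] = $v.Value }

    foreach ($entry in $Expected.GetEnumerator()) {
        $actual = $applied[$entry.Key]
        # A value that is not set means the operating-system default applies,
        # which for the entry above is the compliant state.
        $display = if ($null -eq $actual) { '<not set>' } else { $actual }
        [pscustomobject]@{
            Setting   = $entry.Key
            Expected  = $entry.Value
            Actual    = $display
            Compliant = ($null -eq $actual) -or ($actual -eq $entry.Value)
        }
    }
}

# Usage: full inventory, then the baseline comparison.
Get-AppliedPolicyValue | Sort-Object Key, Name | Format-Table -AutoSize
Test-PolicyBaseline | Format-Table -AutoSize
```

Reading the Policies keys shows the merged result of every GPO that applied to the computer and the logged-on user, which is what matters for a security review; a setting authored in a GPO but filtered out by security group membership (mentioned above) will simply be absent here.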
Offline Folders
Offline folders make it possible for users to work with shared documents. When users enable files or folders to be available offline, they are able to read the copy of the shared files stored on the local machine even if a network failure occurs. When users regain network access, they copy the edited documents back to the network share.
Synchronization Manager
Synchronization Manager compares items on the network to those opened or updated while working offline, and makes the most current version available to both your computer and the network. By using Synchronization Manager, you ensure that you have the latest information from your network or the Internet when you are disconnected and working offline. Every time you log on and off your computer, you can have Synchronization Manager automatically synchronize the information that is available to you offline. By synchronizing when you log on, any changes you made offline are saved to the network. In general, you can synchronize any offline items created by programs that support Synchronization Manager, such as Offline Folders or Internet Explorer. You can synchronize individual files, entire folders, and offline Web pages, as well as other items.
Windows Installer
Software installation leverages the new Windows Installer that is a part of the Windows family of operating systems. To manage applications you need applications that can be loaded by Windows Installer. These packages should contain both the Windows Installer instructions for installation and the actual application files and components. Applications that you manage, including the application packages and the application files, have to be available on a network share on your evaluation network. Users need the ability to read from the network share. You accomplish this by creating a network share, copying the Windows Installer packages to the network share, and setting the appropriate permissions for the share (Everyone = Read; Administrators = Full Control, Change, Read). Group Policy ties software installation to the Active Directory. The Application Deployment Editor (ADE) is an extension to the Group Policy Editor (GPE) snap-in to the Microsoft Management Console (MMC). The Active Directory Manager (MMC snap-in) in the Administrative Tools program group already has a GPE snap-in and an ADE extension. You may either follow these steps to configure your own snap-in and extension, or use the Active Directory Manager.

Advertising an application makes it appear to be installed on a user's desktop. However, an advertised application may not actually be installed. When an application is advertised, the shortcuts for the application are added to the appropriate locations, including the Start menu or the Desktop, and the appropriate collection of Registry entries for the application are added to the local Registry. The Windows Installer then installs the application the first time that the user either selects the application's shortcut from the Start menu or opens a document associated with the application. For example, an administrator at Microsoft might assign the Microsoft Word application to everyone working there. Microsoft Word will be advertised, and therefore it will now be available on everyone's desktop. The next time a person logs on to Windows NT, Microsoft Word will appear on the person's Start menu and the Registry will be updated with the information about the application, including the location of the package and the location of the source files for the installation. With this advertisement information on the user's PC, the application will then install the first time that the user activates it. An administrator can assign an application to any person or any computer in a Group Policy Object (GPO). A GPO is typically associated with an Active Directory container, such as a Site, Domain, or Organizational Unit (SDOU). Additionally, an administrator can use a GPO to provide additional granularity for Software Installation.
A package contains all the information necessary to describe how to install an application in every conceivable situation: on different platforms, with different sets of previously installed products, with previous versions of a product, and with different default installation locations. An administrator may choose to publish an application that is not necessarily required for people to perform their jobs but might occasionally be helpful to them. For example, Microsoft Image Composer is a powerful application that allows people to create illustrations and drawings. Not everyone in an organization may need Image Composer, but some would benefit from having this application available. Therefore, an administrator could decide to publish Image Composer. Published applications do not appear to be installed on the local machine. Published applications are advertised, but the advertisement is made to the Active Directory, rather than to the local PC Registry.
users will be available via the Add/Remove Programs control panel so those users can install the application. People will use the Add/Remove Programs control panel to modify, repair, or remove applications that they have on their computers. The Add/Remove Programs control panel uses the Windows Installer service to install and subsequently modify, repair, or remove applications from their systems.

- User freedom from setup
- Setup and installation transparent to the user
- Applications run without installation
- Applications update automatically
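The share permissions given above (Everyone = Read; Administrators = Full Control) are the security boundary of this whole mechanism: the package on that share is what every assigned desktop installs, with the Windows Installer service's privileges, the first time a user activates the application, so anyone who can write to the share can change what gets installed everywhere. The following PowerShell is an added example, not code from the CA course materials: it creates the package share with the recommended permissions and audits an existing share at both the share and NTFS layers for write access held by anyone other than administrators. It assumes Windows Server 2012 / Windows 8 or later (the SmbShare module); the share name, path, and function names are placeholders and assumptions.

```powershell
# Added example (not from the CA course materials): create the Windows Installer
# package share with Everyone = Read, Administrators = Full Control, and audit
# an existing share so that only administrators can modify the packages.

$PackageRoot = 'D:\Packages'   # placeholder path
$ShareName   = 'Packages'      # placeholder share name

function New-PackageShare {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # Share-level ACL exactly as the course recommends.
    New-SmbShare -Name $Name -Path $Path `
                 -ReadAccess 'Everyone' -FullAccess 'BUILTIN\Administrators' | Out-Null
}

function Test-PackageShareAccess {
    param([Parameter(Mandatory)][string]$Name)
    # Principals that legitimately write packages. CREATOR OWNER only ever
    # applies to files a principal itself created, so it is not a way in.
    $trustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    $share    = Get-SmbShare -Name $Name
    $findings = @()

    # Layer 1: share permissions. Change or Full for anyone else means the
    # package source can be replaced over the network.
    foreach ($ace in Get-SmbShareAccess -Name $Name) {
        if (($ace.AccessControlType -eq 'Allow') -and
            ($ace.AccessRight -in @('Change', 'Full')) -and
            ($ace.AccountName -notin $trustedWriters)) {
            $findings += [pscustomobject]@{
                Layer = 'Share'; Account = $ace.AccountName; Right = $ace.AccessRight
            }
        }
    }

    # Layer 2: NTFS permissions on the folder. Share and NTFS rights combine and
    # the more restrictive wins, so both layers have to be checked; a tight
    # share ACL does not protect the folder from a local or RDP logon.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
        if (($ace.AccessControlType -eq 'Allow') -and
            ([int]($ace.FileSystemRights -band $writeMask) -ne 0) -and
            ($ace.IdentityReference.Value -notin $trustedWriters)) {
            $findings += [pscustomobject]@{
                Layer = 'NTFS'; Account = $ace.IdentityReference.Value; Right = $ace.FileSystemRights
            }
        }
    }
    return $findings
}

# Usage: create the share once, then audit it (an empty result is the goal).
# New-PackageShare -Name $ShareName -Path $PackageRoot
Test-PackageShareAccess -Name $ShareName | Format-Table -AutoSize
```

Running the audit on a schedule, and after any change to the share, catches the common drift where a helpdesk group is given Change on the share "temporarily" and keeps it; the NTFS check also catches the case where the folder was created under a parent whose inherited ACL grants Users modify rights.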
Roaming Profiles
Roaming profiles allow users to roam among computers within the corporate network. Users who have a roaming user profile may log on to a machine, run applications, edit documents, and log off. At logoff, their user profile is copied to a server. When they log on to another computer, all of their profile information, including their Start menu customizations and the contents of their My Documents folder, is copied to the second machine.
Directory Services

- Active Directory (AD)
- Flexible Querying of Information
- Security of Information
- Replication of Information for Performance and Fault Tolerance
- Partitioning of Information
- Extensibility of the Directory
Active Directory (AD), the directory service contained in Windows 2000, stores information about objects on the computer network and makes that information easy for administrators and users to find and use. AD extends the features of previous Windows-based directory services and adds entirely new features to provide improved query capabilities, simplified domain administration, and administration that supports delegation of authority. With AD, network users can access resources anywhere on the network with a single network logon. Similarly, administrators have a single point of administration for all objects on the network, and can organize these objects into a hierarchical structure.
Active Directory
Active Directory consists of the directory itself, a store of all objects known on the network, and the services that AD provides to make the information about those objects accessible and useful. Objects stored in the directory include users, groups, computers, domains, organizational units, and security policies. You do not have to keep the information for all objects on the network in one store. Instead, each domain keeps its own directory store that holds the information for all objects for that domain. Each domain directory also contains metadata, such as the list of all domains and domain trees in the enterprise, the location of all global catalog servers, and the schema.
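The forest-wide metadata just described (the list of domains, the global catalog servers, and the schema), together with the items the Active Directory Manager section above says an administrator configures (trusts, each domain's Native or Mixed mode, and the forest's alternative UPN suffixes), can all be read back from a domain-joined host. The following PowerShell is an added example, not code from the CA course materials; it uses the .NET System.DirectoryServices.ActiveDirectory classes and an ADSI read of the Partitions container, changes nothing, and needs only an ordinary domain user. The function name is an assumption.

```powershell
# Added example (not from the CA course materials): inventory the forest
# metadata that every domain's directory store carries, plus the trust,
# domain-mode and UPN-suffix settings an administrator manages for the forest.
# Read-only; run from a domain-joined machine as a domain user.

function Get-ForestInventory {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Alternative UPN suffixes live on the Partitions container of the
    # configuration naming context (the uPNSuffixes attribute).
    $configNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $partitions = [ADSI]"LDAP://CN=Partitions,$configNC"

    [pscustomobject]@{
        Forest         = $forest.Name
        ForestMode     = $forest.ForestMode
        Schema         = $forest.Schema.Name                       # DN of the schema partition
        GlobalCatalogs = @($forest.GlobalCatalogs | ForEach-Object Name)
        UpnSuffixes    = @($partitions.uPNSuffixes)
        Domains        = @($forest.Domains | ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                Mode              = $_.DomainMode                  # e.g. Windows2000MixedDomain / Windows2000NativeDomain
                DomainControllers = @($_.DomainControllers | ForEach-Object Name)
            }
        })
        Trusts         = @($forest.GetAllTrustRelationships() | ForEach-Object {
            [pscustomobject]@{
                Source    = $_.SourceName
                Target    = $_.TargetName
                Type      = $_.TrustType
                Direction = $_.TrustDirection
            }
        })
    }
}

# Usage: forest summary, then the per-domain and trust tables.
$inventory = Get-ForestInventory
$inventory | Format-List Forest, ForestMode, Schema, GlobalCatalogs, UpnSuffixes
$inventory.Domains | Format-Table -AutoSize
$inventory.Trusts  | Format-Table -AutoSize
```

Keeping a dated copy of this inventory gives a baseline to diff against: a new trust, an extra global catalog, or a domain still in mixed mode long after migration are the kinds of changes a review of the directory's security should notice.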
Computer Associates International Discovering and Deploying Windows 2000 MS120 1-13