Windows Server 2003 bible, R2 and SP1 edition
Windows Server™
2003 Bible
R2 and SP1 Edition
Jeffrey R. Shapiro and Jim Boyce
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS
OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND
SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A
PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS.
THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS
SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING,
OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT
PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR
DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK
AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR
OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR
RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN
THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS
READ.
Windows Server™ 2003 Bible, R2 and SP1 Edition
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2006 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN-13: 978-0-471-75480-0
ISBN-10: 0-471-75480-3
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1O/RT/QS/QW/IN
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of
the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through
payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978)
750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley
Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at
http://www.wiley.com/go/permissions.
For general information on our other products and services or to obtain technical support, please contact our Customer
Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in
electronic books.
Library of Congress Cataloging-in-Publication Data
Shapiro, Jeffrey, 1959-
Windows Server 2003 Bible, R2 and SP1 edition/Jeffrey Shapiro and Jim Boyce.
p. cm.
ISBN-13: 978-0-471-75480-0
ISBN-10: 0-471-75480-3
1. Microsoft Windows Server. 2. Operating systems (Computers) I. Boyce, Jim, 1958- II. Title.
QA76.76.O63S536 2006
005.4’476--dc22
Trademarks: Wiley and related trade dress are registered trademarks of Wiley Publishing, Inc., in the United States and
other countries, and may not be used without written permission. All other trademarks are the property of their respective
owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
About the Authors
Jeffrey R. Shapiro (Boca Raton, Florida) has worked in Information Technology for nearly
15 years. He has published more than 12 books on IT, network administration, and software
development, and has written for numerous publications over the years. He also regularly
speaks at events, and frequently participates in training courses on Microsoft systems.
In 2003, he was selected to lead Broward County’s NetWare to Windows Server 2003
migration project. His mission was to consolidate hundreds of NetWare Servers to 50 high-performance
Windows Server 2003 servers. Jeffrey continues to architect and design systems, specializing in
the data tier. He also writes the Windows Server 2003 column for
serverpipeline at www.serverpipeline.com.
Jim Boyce (Rothsay, Minnesota) is a freelance author and former contributing editor
and monthly columnist for WINDOWS magazine. Jim has authored and co-authored more
than 45 books about computer software and hardware, and is a frequent contributor to
techrepublic.com and other technical publications. He has been involved with computers
since the late 1970s as a programmer and systems manager in a variety of capacities. He
has a wide range of experience in the DOS, Windows, Windows NT, Windows Server 2003,
and Unix environments.
Credits
Executive Editor: Chris Webb
Acquisitions Editor: Katie Mohr
Development Editor: Kevin Shafer
Technical Editor: Todd Meister
Production Editor: William A. Barton
Copy Editor: Luann Rouff
Editorial Manager: Mary Beth Wakefield
Production Manager: Tim Tate
Vice President & Executive Group Publisher: Richard Swadley
Vice President and Publisher: Joseph B. Wikert
Project Coordinator: Michael Kruzil
Graphics and Production Specialists: Andrea Dahl, Lauren Goddard, Denny Hager, Barbara Moore, Rashell Smith, Alicia South
Quality Control Technician: Laura Albert
Proofreading and Indexing: TECHBOOKS Production Services
Acknowledgments
God knows how hard writing a book is . . . and then to get it published. We are thankful for the
team that has helped us bring this baby into the world.
We would first like to thank our agent, David Fugate, for his effort over the past seven years
in bringing us together with the team at Wiley Publishing. If an Olympic team for computer
writers existed, David would surely be the head coach. Special honors also go to the Wiley
Publishing editorial team. In particular, we would like to “flag” our development editor, Kevin
Shafer, who did an outstanding job of bringing together the pieces of the puzzle.
The technical editor “Oscar” goes to Todd Meister and Chris Thibodeaux, not only for reading our lines, but for reading in between them as well. In addition, we would no doubt have
gotten no farther than this acknowledgments page without the expert cyber-pencil of our
copy editor, Luann Rouff.
For every hour spent writing these words, at least ten were spent testing and toying with
Windows Server 2003. How do a bunch of authors get this far? Simple—you gather around
you a team of dedicated professionals who help you build a killer lab and then help you test
everything from the logon screen to the shutdown command.
Much of this book was written throughout 2002 on the foundation laid down by the Windows
2000 Server Bible, published in 2000; it was revised in 2003 and then revised again in 2005,
during the release of SP1 and the much anticipated R2. It would not have been survivable
for us without two special souls that we worked with. Omar Martinez takes the gold for
always being available for advice on just about any subject that involves a PC or a server . . .
hardware or software. He is the best Microsoft engineer we have worked with and redefines
the meaning of “operating system.”
The “home” team always gets the last mention, but without their support, input, and love, the
soul in this work would not have taken flight. Special thanks to Kim and Kevin Shapiro and
the ever-expanding Boyce clan.
Contents at a Glance
Acknowledgments
Introduction
Part I: Windows Server 2003 Architecture
Chapter 1: Introducing Windows Server 2003
Chapter 2: Windows Server 2003 and Active Directory
Chapter 3: Windows Server 2003 Security
Chapter 4: .NET Framework Services
Part II: Planning, Installation, and Configuration
Chapter 5: Planning for Windows Server 2003
Chapter 6: Installing Windows Server 2003
Chapter 7: Configuring Windows Server 2003
Part III: Active Directory Services
Chapter 8: Planning for Active Directory
Chapter 9: Organizing a Logical Domain Structure
Chapter 10: Active Directory Physical Architecture
Chapter 11: Active Directory Installation and Deployment
Chapter 12: Active Directory Management
Chapter 13: Managing Users and Groups
Chapter 14: Change Control, Group Policy, and Workspace Management
Part IV: Networking and Communication Services
Chapter 15: Windows Server 2003 Networking
Chapter 16: DHCP
Chapter 17: DNS and WINS
Chapter 18: Routing and Remote Access
Part V: Availability Management
Chapter 19: Storage Management
Chapter 20: Backup and Restore
Chapter 21: Disaster Recovery
Chapter 22: The Registry
Chapter 23: Auditing Windows Server 2003
Chapter 24: Service Level
Chapter 25: Windows Server 2003 High Availability Services
Part VI: File, Print, Web, and Application Services
Chapter 26: Windows Server 2003 File Systems
Chapter 27: Sharing and Securing Files and Folders
Chapter 28: Print Services
Chapter 29: Web, FTP, and Intranet Services
Chapter 30: Terminal Services
Index
Contents
Acknowledgments
Introduction
Part I: Windows Server 2003 Architecture
Chapter 1: Introducing Windows Server 2003
Welcome to Windows Server 2003
Understanding the Windows Server 2003 Architecture
Operating system modes
User mode
Kernel mode
Windows 2003 processing architecture
Windows 2003 memory management
Paging in depth
The Zero Administration Windows Initiative
Active Directory
Microsoft Management Console
Server and client in unison: IntelliMirror
Group Policy
Availability services
Distributed security
Interoperation and integration services
Hardware support and plug and play
Storage and File System Services
Internet Services
Communications Services
Terminal Services
Summary
Chapter 2: Windows Server 2003 and Active Directory
The Omniscient Active Directory: Dawn of a New Era
Why do we need directories?
What is Active Directory?
The grandfather of the modern directory: The X.500 specification
The father of the modern directory: LDAP
After X.500
The open Active Directory
How the registry fits in
The Elements of Active Directory
Namespaces and naming schemes
Active Directory and the Internet
Active Directory everywhere
Inside Active Directory
If it walks like a duck . . .
The Active Directory database structure
Active Directory objects
Active Directory schema
Object attributes
Walking the Active Directory
Naming conventions
Domain objects
Organizational units
Trees
Forests
Trusts
The global catalog
My active directory
Bridging the Divide: Legacy NT and Windows Server 2003
Single point of access and administration
Domains and more domains
Intra-domain trust relationships
Access control lists and access tokens
Reality Check
Summary
Chapter 3: Windows Server 2003 Security
An Overview of Windows 2003 Security
The Need for Security
Data input
Data transport
Why the threat exists
Rising to the Security Challenge
Understanding Encryption Basics
Getting to Know Cryptography
Keys
Private keys
Public keys
Session keys
Key certificates
Digital signatures
Understanding Kerberos
Kerberos and the Single Sign-On initiative
Psst . . . this is how Kerberos works
Time authentication
Key distribution
Session tickets
Kerberos and trusts
Locating KDCs
Getting to Know IPSec
SSL/TLS