active directory and other concepts

Upload: mohd-kareem-afroz

Post on 06-Apr-2018


  • 8/3/2019 Active Directory and Other Concepts

    1/58

Active Directory

An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996. It was first used with Windows 2000.

An active directory (sometimes referred to as an AD) performs a variety of functions, including providing information on objects, organizing these objects for easy retrieval and access, allowing access by end users and administrators, and allowing the administrator to set up security for the directory.

An active directory can be defined as a hierarchical structure, and this structure is usually broken up into three main categories: the resources, which might include hardware such as printers; services for end users, such as web and email servers; and objects, which are the main functions of the domain and network.

Understanding Active Directories

It is interesting to note the framework for the objects. Remember that an object can be a piece of hardware such as a printer, an end user, or security settings set by the administrator. These objects can hold other objects within their file structure. All objects have an ID, usually an object name (folder name). In addition to these objects being able to hold other objects, every object has its own attributes, which allow it to be characterized by the information it contains. Most IT professionals call these settings or characterizations schemas.

The type of schema created for a folder will ultimately determine how these objects are used. For instance, some objects with certain schemas cannot be deleted; they can only be deactivated. Other types of schemas with certain attributes can be deleted entirely. For instance, a user object can be deleted, but the administrator object cannot be deleted.

When understanding active directories, it is important to know the framework at which objects can be viewed. In fact, an active directory can be viewed at one of three levels; these levels are called forests, trees and domains. The highest structure is called the forest, because from it you can see all objects included within the active directory.

Within the forest structure are trees; these structures usually hold one or more domains. Going further down the structure of an active directory are single domains. To put the forest, trees and domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest might be the entire network of end users and specific computers at a set location. Within this forest directory are trees that hold information on specific objects such as domain controllers, program data and system, among others. Within these objects are even more objects, which can then be controlled and categorized.

How are Active Directories used?

If you are a computer administrator for a large corporation or organization, you can easily update all end users' computers with new software, patches and files simply by updating one object in a forest or tree. Because each object fits into a set schema and has specific attributes, a network administrator can easily clear a person on a set tree, or instantly give or deny access to select users for certain applications. The Microsoft servers use trust to determine whether or not access should be allowed. Two types of trusts that Microsoft active directories incorporate are transitive trusts and one-way non-transitive trusts. A transitive trust is a trust that goes further than two domains in a set tree, meaning two entities are able to access each other's domains and trees.

A one-way non-transitive trust is when a user is allowed access to another tree or domain; however, the other domain does not allow access to the further domains. This can be summed up as a network administrator


and end user. The network administrator can access most trees in the forest, including a specific end user's domain. However, the end user, while able to access his or her own domain, cannot access other trees.

It is important to note that active directories are a great way to organize a large organization or corporation's computers, data and network. Without an active directory, most end users would have computers that would need to be updated individually, and would not have access to a larger network where data can be processed and reports can be created. While active directories can be technical to a good extent and require considerable expertise to navigate, they are essential to storing information and data on networks.
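The transitive and one-way non-transitive trusts described above, modelled as an added example (not code from these notes) that walks the trust graph to report which domains an account can authenticate to; the domain names corp.example, sales.corp.example, eng.corp.example and partner.example are constructed:

```python
"""Trust reach in an Active Directory forest, as described in the notes above.

Added example, not code from the notes.  A trust is a directed edge from the
trusting domain (which accepts the other side's accounts) to the trusted
domain.  Parent/child trusts inside a forest are two-way and transitive; an
external trust to another forest is modelled as one-way and non-transitive.
reach() answers "where can accounts from domain X authenticate?", which is
how an auditor spots a trust that exposes more of the forest than intended.
Domain names are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain that accepts the other side's accounts
    trusted: str       # domain whose accounts are accepted
    transitive: bool   # may the trust be used as a hop in a longer path?


@dataclass
class Forest:
    trusts: set[Trust] = field(default_factory=set)

    def add_parent_child(self, parent: str, child: str) -> None:
        # Parent/child trusts inside a forest: two-way and transitive.
        self.trusts.add(Trust(parent, child, True))
        self.trusts.add(Trust(child, parent, True))

    def add_external(self, trusting: str, trusted: str) -> None:
        # External trust: one-way and non-transitive.
        self.trusts.add(Trust(trusting, trusted, False))

    def reach(self, source: str) -> set[str]:
        """Domains that accounts from `source` can authenticate to."""
        reachable: set[str] = set()
        stack = [source]
        while stack:
            here = stack.pop()
            for t in self.trusts:
                if t.trusted != here or t.trusting in reachable or t.trusting == source:
                    continue
                # Beyond the first hop only transitive trusts carry `source` accounts.
                if here != source and not t.transitive:
                    continue
                reachable.add(t.trusting)
                if t.transitive:          # a non-transitive trust is a dead end
                    stack.append(t.trusting)
        return reachable


def over_reach(forest: Forest, source: str, allowed: set[str]) -> set[str]:
    """Domains `source` can reach that policy says it should not."""
    return forest.reach(source) - allowed


def build_demo_forest() -> Forest:
    """Constructed forest: a root with two child domains, plus one external trust."""
    f = Forest()
    f.add_parent_child("corp.example", "sales.corp.example")
    f.add_parent_child("corp.example", "eng.corp.example")
    # The forest root accepts accounts from a partner forest, one way only.
    f.add_external("corp.example", "partner.example")
    return f


if __name__ == "__main__":
    forest = build_demo_forest()
    for domain in ("sales.corp.example", "partner.example", "corp.example"):
        print(f"{domain:22s} -> {sorted(forest.reach(domain))}")
    print("partner over-reach:", over_reach(forest, "partner.example", {"corp.example"}))
```

Accounts from the partner forest stop at the forest root because that trust is non-transitive, while a child domain's accounts reach its sibling through the transitive parent/child trusts.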

DHCP Relay Agent Overview

The Dynamic Host Configuration Protocol (DHCP) is a service that runs at the application layer of the TCP/IP protocol stack to dynamically assign IP addresses to DHCP clients, and to allocate TCP/IP configuration information to DHCP clients. This includes subnet mask information, default gateway IP addresses, DNS IP addresses, and WINS IP addresses. The DHCP protocol is derived from the Bootstrap Protocol (BOOTP). The DHCP server is configured with a predetermined pool of IP addresses (scopes), from which it allocates IP addresses to DHCP clients. During the boot process, DHCP clients request IP addresses, and obtain leases for IP addresses from the DHCP server.

When the DHCP client boots up on the network, the DHCP lease process occurs between the DHCP server and DHCP client. During the DHCP lease process, the DHCP scopes configured for a DHCP server are used to provide DHCP clients with IP addresses.

The DHCP lease process consists of four messages sent between the DHCP server and the DHCP client:

- DHCPDISCOVER message: This message is sent by a client when it boots up on the network to request an IP address lease from a DHCP server. The message is sent as a broadcast packet over the network, requesting a DHCP server to respond to it.
- DHCPOFFER message: This message is a response to a DHCPDISCOVER message, and is sent by one or more DHCP servers.
- DHCPREQUEST message: The client sends the initial DHCP server which responded to its request a DHCP Request message. The message indicates that the client is requesting the particular IP address for lease.
- DHCPACK message: The DHCP Acknowledge message is sent by the DHCP server to the DHCP client, and is the step in which the DHCP server assigns the IP address lease to the DHCP client.

Because the DHCPDISCOVER message is a broadcast message, and broadcasts only cross other segments when they are explicitly routed, you might have to configure a DHCP Relay Agent on the router interface so that all DHCPDISCOVER messages can be forwarded to your DHCP server. Alternatively, you can configure the router to forward DHCP messages and BOOTP messages. In a routed network, you would need DHCP Relay Agents if you plan to implement only one DHCP server.

For DHCP to operate, all client computers should be able to contact the DHCP server. DHCP relies on the network topology, and is in turn relied on by all TCP/IP based hosts within your networking environment. Therefore, if your network has multiple segments, you have to perform one of the following:

- Place a DHCP server on each segment
- Place a DHCP Relay Agent on each segment
- Configure your routers to forward broadcast messages.

The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP Relay Agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet, that is, one which is not located on the local subnet. If you have not configured a DHCP Relay Agent, your clients would only be able to obtain IP addresses from a DHCP server which is on the same subnet. To enable clients


to obtain IP addresses from a DHCP server on a remote subnet, you have to configure the DHCP Relay Agent on the subnet that contains the remote clients, so that it can relay DHCP broadcast messages to your DHCP server.

The systems that can use the DHCP Relay Agent are:

- Windows NT Server
- Windows 2000 Server
- Windows Server 2003

In routed networks, you need to either enable your routers to forward DHCP broadcast messages or configure a DHCP Relay Agent, for the following reasons:

- The router will drop DHCP broadcast messages if it is not configured to forward them and no DHCP Relay Agent exists.
- The DHCP lease process would not be able to take place, because the initial message sent by the DHCP client is a broadcast message.

Configuring the DHCP Relay Agent

The process for configuring the DHCP Relay Agent is outlined below:

- Enable Routing and Remote Access Server (RRAS)
- Install the DHCP Relay Agent routing protocol
- Configure DHCP Relay Agent properties
- Configure/enable the DHCP Relay Agent on the router interface to forward DHCP broadcast messages
- View statistical information on the operation of the DHCP Relay Agent

How to enable Routing and Remote Access Server (RRAS)

1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Right-click the node of your server, and then choose Configure And Enable Routing and Remote Access from the shortcut menu.
3. The Routing and Remote Access Server Setup Wizard launches.
4. Click Next on the initial page of the wizard.
5. On the Configuration page, select the Custom Configuration option. Click Next.
6. On the Custom Configuration page, enable the LAN Routing checkbox. Click Next.
7. Verify your configuration settings on the Summary page.
8. Click Finish.
9. Click Yes when prompted to start the RRAS service.

How to install the DHCP Relay Agent routing protocol

1. Open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree.
3. Right-click the General node, and then select New Routing Protocol from the shortcut menu.
4. The New Routing Protocol dialog box opens.
5. Select DHCP Relay Agent.
6. Click OK.

How to configure DHCP Relay Agent properties

1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree.
3. Right-click the DHCP Relay Agent node, and then select Properties from the shortcut menu.
4. On the General tab, enter the IP address of the DHCP server in the Server Address text box, and click Add.
5. Repeat the above step for each DHCP server that you have to add.
6. Click OK.

How to enable the DHCP Relay Agent on a router interface


1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Expand the IP Routing node in the console tree.
3. Right-click the DHCP Relay Agent node and then select New Interface from the shortcut menu.
4. Select the interface that is on the same subnet as the DHCP clients.
5. Click OK.
6. In the DHCP Relay Properties dialog box, ensure that the Relay DHCP Packets checkbox is selected on the General tab.
7. You can change the Hop-Count Threshold and Boot Threshold values.
8. Click OK.

How to view statistical information on the operation of the DHCP Relay Agent

1. Click Start, All Programs, Administrative Tools and then click Routing and Remote Access to open the Routing And Remote Access console.
2. Select the DHCP Relay Agent node, and view the statistical information that is displayed in the details pane of the Routing And Remote Access console:
   - Received requests
   - Received replies
   - Discarded requests
   - Discarded replies
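The four-message lease, the relay agent's giaddr stamping, the Hop-Count and Boot Threshold settings and the four counters from the sections above, as an added simulation that is not code from these notes or from RRAS; the threshold semantics follow RFC 1542, and all addresses, scopes and MAC addresses are constructed:

```python
"""DHCP lease exchange through a DHCP Relay Agent, with the RRAS counters.

Added example, not code from the notes above.  It builds wire-format DHCP
messages (RFC 2131 fixed BOOTP header plus option 53 for the message type),
runs the four-message lease through a relay on the client's subnet, and
applies Hop-Count Threshold and Boot Threshold as RFC 1542 describes them: a
request is dropped once its hops field reaches the hop threshold, and is only
forwarded once the client's secs field reaches the boot threshold.  The four
counters mirror the RRAS details pane.  Addresses, scopes and MACs are constructed.
"""
import struct
from ipaddress import IPv4Address, IPv4Network

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5          # option 53 message types
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"                   # 236-byte BOOTP header
ZERO = "0.0.0.0"


def build(op, msg_type, xid, chaddr, hops=0, secs=0, yiaddr=ZERO, giaddr=ZERO):
    """Serialize one DHCP message (flags has the broadcast bit set)."""
    fixed = struct.pack(HDR, op, 1, 6, hops, xid, secs, 0x8000, b"\0" * 4,
                        IPv4Address(yiaddr).packed, b"\0" * 4, IPv4Address(giaddr).packed,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


def parse(pkt):
    """Decode the fixed header and the message type option."""
    f = struct.unpack(HDR, pkt[:236])
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "secs": f[5], "type": None,
           "yiaddr": str(IPv4Address(f[8])), "giaddr": str(IPv4Address(f[10])),
           "chaddr": f[11][:6]}
    opts, i = pkt[240:], 0                                # skip header and magic cookie
    while i < len(opts) and opts[i] != 255:               # walk TLV options to END
        if opts[i] == 53:
            msg["type"] = opts[i + 2]
        i += 2 + opts[i + 1]
    return msg


class RelayAgent:
    """Relay on the client subnet; forwards requests unicast to the server."""

    def __init__(self, interface_ip, hop_threshold=4, boot_threshold=0):
        self.interface_ip = interface_ip
        self.hop_threshold, self.boot_threshold = hop_threshold, boot_threshold
        self.stats = {"received_requests": 0, "received_replies": 0,
                      "discarded_requests": 0, "discarded_replies": 0}

    def relay_request(self, pkt):
        """Client broadcast -> packet for the server, or None if discarded."""
        m = parse(pkt)
        self.stats["received_requests"] += 1
        if m["hops"] >= self.hop_threshold or m["secs"] < self.boot_threshold:
            self.stats["discarded_requests"] += 1
            return None
        # giaddr gets our interface address (unless an upstream relay set it) so the
        # server can pick the matching scope and knows where to send the reply.
        giaddr = self.interface_ip if m["giaddr"] == ZERO else m["giaddr"]
        return build(m["op"], m["type"], m["xid"], m["chaddr"], hops=m["hops"] + 1,
                     secs=m["secs"], yiaddr=m["yiaddr"], giaddr=giaddr)

    def relay_reply(self, pkt):
        """Server reply -> packet for the client, or None if not addressed to us."""
        m = parse(pkt)
        self.stats["received_replies"] += 1
        if m["op"] != BOOTREPLY or m["giaddr"] != self.interface_ip:
            self.stats["discarded_replies"] += 1
            return None
        return pkt


class DHCPServer:
    """One scope per subnet; the scope is chosen from the relay's giaddr."""

    def __init__(self, scopes):
        self.free = {IPv4Network(s): list(IPv4Network(s).hosts())[10:] for s in scopes}
        self.offers = {}                                  # xid -> offered address

    def handle(self, pkt):
        m = parse(pkt)
        net = next((n for n in self.free if IPv4Address(m["giaddr"]) in n), None)
        if m["op"] != BOOTREQUEST or net is None:
            return None                                   # no scope for that subnet
        if m["type"] == DISCOVER:
            self.offers[m["xid"]] = self.free[net].pop(0)
        elif m["type"] != REQUEST or m["xid"] not in self.offers:
            return None
        return build(BOOTREPLY, OFFER if m["type"] == DISCOVER else ACK, m["xid"],
                     m["chaddr"], yiaddr=str(self.offers[m["xid"]]), giaddr=m["giaddr"])


def lease_through_relay(relay, server, mac, xid, secs=0, hops=0):
    """Run DISCOVER/OFFER then REQUEST/ACK; return the leased address or None."""
    leased = None
    for msg_type in (DISCOVER, REQUEST):
        fwd = relay.relay_request(build(BOOTREQUEST, msg_type, xid, mac, hops=hops, secs=secs))
        srv = server.handle(fwd) if fwd else None
        reply = relay.relay_reply(srv) if srv else None
        if reply is None:
            return None
        leased = parse(reply)["yiaddr"]
    return leased
```

With the relay's interface at 10.1.2.1 the server hands out addresses from its 10.1.2.0/24 scope; a request that has already crossed four relays, or a client that has not yet been trying for the boot threshold's number of seconds, shows up under Discarded requests.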

Domain Name Service (DNS) Overview

Domain Name Service (DNS) enables applications and users to connect to hosts in TCP/IP based networks by specifying a name. DNS is a hierarchically distributed database that creates hierarchical names that can be resolved to IP addresses. The IP addresses are then resolved to MAC addresses. DNS therefore provides the means for naming IP hosts, and for locating IP hosts when they are queried for by name.

The protocols and standards of DNS provide the following key components:

- The method for updating address information in a DNS database.
- The method for querying address information in a DNS database.
- The schema of the DNS database.
- The ability to replicate address information between DNS servers in the DNS topology.

HOSTS files were used to resolve host names to IP addresses before DNS existed. The HOSTS files were manually maintained by administrators. The HOSTS file was located on a centrally administered server on the Internet. Each site or location that needed to resolve host names to IP addresses had to download a new copy of the HOSTS file at regular intervals. The size of the HOSTS file grew as the Internet grew. The traffic that was generated from downloading a new copy of the HOSTS file also grew. This led to the design and implementation of Domain Name Service (DNS) in 1984, the hierarchically distributed database that can resolve host names to IP addresses.

The main design requirements of DNS provide the following key features over the HOSTS file:

- A hierarchical name space


- Host names in the DNS database can be distributed between multiple servers
- The database has an unlimited size.
- Extensible data types: together with supporting host name to IP address mappings, different data types are supported as well.
- No degradation in performance as more servers are added; the database is scalable.
- Distribution of administration; naming can be managed individually for each partition.

From the days of Windows NT Server 4.0, DNS has been included with the operating system. DNS is the primary name registration and resolution service in Windows 2000 and Windows Server 2003, and provides the following features and services:

- A hierarchically distributed and scalable database.
- Name registration, name resolution and service location for Windows 2000 and Windows Server 2003 clients.
- Locating domain controllers for logon.

The Differences between the NetBIOS Naming System and DNS

Before discussing the differences between the NetBIOS naming system and DNS, let's first look at the different name types used in Windows operating systems:

- Computer name: This is the name which an administrator assigns to a computer. To verify the computer name of a computer:
  1. Right-click My Computer, and select Properties from the shortcut menu.
  2. Click the Computer Name tab to verify the computer's name.
- NetBIOS name: A unique name used to identify a NetBIOS resource on the network. The NetBIOS name is resolved to an IP address for communication to occur.
- Host name: A host name is assigned to a computer to identify a host in a TCP/IP network. The host name can be described as the alias that is assigned to a node to identify it. When the host name is used and not the IP address, the host name has to be resolved to an IP address for IP communication to occur. The HOSTS file is a text file that contains host name to IP address mappings. The HOSTS file is stored locally.
- Fully qualified domain name (FQDN): This is the DNS name that is used to identify a computer on the network. FQDNs have to be unique. The FQDN usually consists of the following:


  1. Host name
  2. Primary DNS suffix
  3. Period
- DNS name: A DNS name is a name that can include a number of labels that are separated by a dot. When a DNS name displays the entire path, it is known as the Fully Qualified Domain Name (FQDN).
- Alias: This is a name used instead of another name. The Canonical Name (CNAME) is an alias name in DNS.
- Nickname: This is another name used for a host. It is usually an abbreviated version of the FQDN. A nickname has to be unique for each node if you want to map it to the FQDN.
- Primary DNS suffix: Computers running in a Windows Server 2003 network are assigned primary DNS suffixes for name registration and name resolution purposes. The primary DNS suffix is also referred to as the primary domain name, or domain name.
- Connection-specific DNS suffix: This is a DNS suffix which is assigned to an adapter. The connection-specific DNS suffix is also called the adapter DNS suffix.

The name differences between the NetBIOS naming system and the DNS namespace are noted below:

- A NetBIOS name cannot be greater than 16 characters.
- With DNS, up to 255 characters can be used for names.
- The NetBIOS naming system is a flat naming system.
- The namespace used by DNS is a hierarchical space, or hierarchical system. The DNS naming system is called the domain namespace. If you decide to use a private domain namespace, and there is no interaction with the Internet, it does not have to be unique.

Understanding the DNS namespace

The naming system used by DNS is a hierarchical namespace, called the DNS namespace. The DNS namespace has a unique root. The root can contain numerous subdomains. Each subdomain can also contain multiple subdomains. The DNS namespace uses a logical tree structure wherein an entity is subordinate to the entity which resides over it. Each node in the DNS domain tree has a name, which is called a label. The label can be up to 63 characters. Nodes that are located on the same branch within the DNS domain tree must have different names. Nodes that reside on separate branches in the DNS hierarchy can have the same name.


Each node in the DNS domain tree or DNS hierarchy is identified by a FQDN. This is a DNS domain name that specifies the node's location in relation to the DNS domain tree/hierarchy. A domain name can be defined as the list of labels along the path from the root of the DNS domain tree/hierarchy to a particular node. The FQDN is the entire list of labels for a specific node.

Each domain registered in DNS is connected to a DNS name server. The DNS server of a domain provides authoritative replies to queries for that particular domain.

The Internet Corporation for Assigned Names and Numbers (ICANN) manages the DNS root of the Internet domain namespace. ICANN manages the assignment of globally unique identifiers which are key to the operation of the Internet. This includes the following components:

- Internet domain names
- IP addresses
- Port numbers
- Protocol parameters

Below the root DNS domain are the top-level domains. These top-level domains are also managed by ICANN. The top-level domains managed by ICANN are:

- Organizational domains: Organizational domains have the following characteristics:
  - Organizational domains can be used globally.
  - They are named via a three-character code.
  - The code defines the main function of the organizations of the DNS domain.
- Geographical domains: Geographical domains have the following characteristics:
  - Geographical domains are usually used by organizations not residing in the United States.
  - They are named via two-character country and region codes.
  - The codes were established by the International Organization for Standardization (ISO) 3166.
  - The codes identify a country, such as .uk for the United Kingdom.
- Reverse domains: These domains are used for IP address to name mappings. This is called reverse lookups.

The additional top-level domains defined by ICANN in late 2000 are:

- .aero; for the air transportation industry


- .biz; for businesses
- .coop; for cooperatives
- .info; for information
- .museum; for museums
- .name; for individual names
- .pro; for credentialed professions such as attorneys

The common top-level domain names used are:

- .com; commercial organizations
- .edu; for educational institutes
- .gov; for government
- .int; for international organizations
- .mil; for military organizations
- .net; for Internet providers, and networking organizations
- .org; non-commercial organizations
- .uk; United Kingdom
- .us; United States
- .ca; Canada
- .jp; Japan

Understanding DNS Components and Terminology

The components which DNS is dependent on, and the terminology used when discussing and managing DNS, are listed below:

- DNS server: This is a computer running the DNS Server service, or BIND, that provides domain name services. The DNS server manages the DNS database that is located on it. The DNS server program, whether it is the DNS Server service or BIND, manages and maintains the DNS database located on the DNS server. The information in the DNS database of a DNS server pertains to a portion of the DNS domain tree structure or namespace. This information is used to provide responses to client requests for name resolution.

  When a DNS server is queried it can do one of the following:

  - Respond to the request directly by providing the requested information.


  - Provide a pointer (referral) to another DNS server that can assist in resolving the query.
  - Respond that the information is unavailable.
  - Respond that the information does not exist.

  A DNS server is authoritative for the contiguous portion of the DNS namespace over which it resides. The following types of DNS servers exist:

  - Primary DNS server: This DNS server owns the zones defined in its DNS database, and can make changes to these zones.
  - Secondary DNS server: This DNS server obtains a read-only copy of zones via DNS zone transfers. A secondary DNS server cannot make any changes to the information contained in its read-only copy. A secondary DNS server can however resolve queries for name resolution. Secondary DNS servers are usually implemented for the following reasons:
    - Provide redundancy: It is recommended to install one primary DNS server and one secondary DNS server for each DNS zone (minimum requirement). Install the DNS servers on different subnets so that if one DNS server fails, the other DNS server can continue to resolve queries.
    - Distribution of DNS processing load: Implementing secondary DNS servers assists in reducing the load of the primary DNS server.
    - Provide fast access for clients in remote locations: Secondary DNS servers can also assist in preventing clients from traversing slow links for name resolution requests.
- DNS zones: A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority, or is authoritative. A zone is a portion of a namespace; it is not a domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple DNS zones.
- Zone files: Zone files store resource records for the zones over which a DNS server has authority.
- DNS client: This is a machine that queries the DNS server for name resolution. To issue DNS requests to the DNS server, DNS resolvers are used.
- Queries: The types of DNS queries which can be sent to a DNS server are:
  - Recursive queries
  - Iterative queries


- DNS resolvers: These are programs that use DNS queries to request information from the DNS servers. In Windows Server 2003, the DNS Client service performs the function of the DNS resolver. A DNS resolver can communicate and issue name queries to remote DNS servers, or to the DNS server running locally. When a DNS resolver receives a response from a DNS server, the resolver caches the information locally. The local cache is then used if the same information is requested.
- Resource records: The DNS database contains resource records (entries) that are used to resolve name resolution queries sent to the DNS server. Each DNS server contains the resource records it needs to respond to name resolution queries for the portion of the DNS namespace for which it is authoritative.
- Root servers: A root server performs the following functions when a query cannot be resolved from the local zone files:
  - Returns an authoritative answer for a particular domain.
  - Returns a referral to another DNS server that can provide an authoritative answer.

How DNS Resolves Queries

A DNS client queries a DNS server to resolve a name. The query contains the following important information:

- The DNS domain name in the FQDN format.
- The query type
- The class for the DNS domain name

A DNS client uses one of three query types to query a DNS server:

- Iterative queries: The DNS server provides the best answer it can. This can be:
  - The resolved name
  - A referral to a different DNS server
- Recursive queries: The DNS server has to reply with the requested information, or with an error. The DNS server cannot provide a referral to a different DNS server.
- Inverse queries: The query sent to the DNS server is to resolve the host name associated with a known IP address. All the domains have to be queried to provide a correct answer to the query.

If a DNS server cannot find a match for a queried name in its zone information or in its cache, the DNS server performs recursion to resolve the name. This is the default configuration for DNS servers. Recursion is the process whereby the DNS server queries other DNS servers on behalf of the client. By the initial DNS server


querying the other DNS servers, recursion actually ends up making the initial DNS server a DNS client!

In order to perform recursion, root hints assist the DNS server in determining where in the DNS namespace it should commence searching for the queried name. Root hints are a collection of resource records which the DNS Server service utilizes to locate DNS servers that are authoritative for the root of the DNS domain namespace structure. If you are using Windows Server 2003 DNS, a preconfigured root hints file named Cache.dns already exists. The file can be found in the WINDOWS\System32\Dns directory. Cache.dns contains the addresses of root servers in the Internet DNS namespace, and is preloaded into memory when the DNS Server service starts.

If however recursion is disabled for the DNS server, and the DNS server cannot find a match for the queried name in its zone information or in its cache, the client begins to perform iterative queries. The root hint referrals from the DNS server are used for iterative queries. When a client performs iterative queries, the client sends repeated requests to different DNS servers to resolve the queried name.

The events that occur to resolve a name requested in a query are explained below:

1. The resolver sends a recursive DNS query to its local DNS server, to request the IP address of a particular name.
2. Because the local DNS server cannot refer the resolver to a different DNS server, the local DNS server attempts to resolve the requested domain name.
3. The local DNS server checks its zones.
4. If it finds no zones for the requested domain name, the local DNS server sends an iterative query for the requested name to the root DNS server.
5. The root DNS server is authoritative for the root domain. It responds with an IP address of a name server for the specific top-level domain.
6. The local DNS server next sends an iterative query for the requested name to this name server, which in turn replies with the IP address of the particular name server servicing the requested domain name.
7. The local DNS server then sends an iterative query for the requested name to the particular name server servicing the particular domain.
8. The name server responds with the requested IP address.
9. The IP address is returned to the resolver.


The different query response types which can be returned from the DNS server are:

- Authoritative answer: This is a positive response which is returned to a client. The authority bit set in the DNS message indicates that the reply was received from a DNS server that has direct authority for the name queried in the message.
- Positive answer: This response type returns the queried resource record that corresponds to the name and record type queried in the original query.
- Referral answer: A referral response is returned if the DNS server does not support recursion. A referral contains additional resource records for resolving the request.
- Negative answer: A negative answer is returned to the client when the following events occur:
  - The name queried does not exist in the DNS namespace. This information is obtained from an authoritative server.
  - The authoritative server indicated that the name queried does exist in the DNS namespace. However, there are no resource records of this type present for the requested name.

How caching works in DNS

In DNS, caching is used to reduce the traffic on the network that is generated from queries sent to DNS servers. The DNS Server service and the DNS Client service both utilize caching to improve DNS performance and reduce DNS-specific traffic.

- DNS Server Cache: When the DNS server performs recursive queries for clients, the DNS server stores the resource records in its DNS server cache. If the same information is requested again, the cached information is used. The contents of the DNS server cache are removed when the DNS Server service is stopped. You can also manually remove the contents of the DNS server cache by using the DNS console, the management console for administering DNS.
- DNS Client Cache: This cache is also referred to as the DNS resolver cache. Information is added to the DNS client cache when the following events occur:
  - The DNS Client service starts: The records in the HOSTS file are loaded into the DNS client cache.
  - The DNS server responds to a client's request: When the DNS server returns a response to a query, the information is added to the DNS client cache.

The contents of the DNS client cache are removed when the DNS Client service is stopped.
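The nine resolution steps, the response types and the two caches from the sections above, as an added simulation that is not code from these notes or from the Windows DNS services; the server names root-a, ns.tld.test and ns.corp.test, the zone data and the TEST-NET-1 addresses are constructed:

```python
"""The nine resolution steps and the two caches described in the notes above.

Added example, not code from the notes.  A stub resolver (the DNS Client
service) sends a recursive query to its local DNS server, which checks its
zones and server cache, then walks root -> TLD -> authoritative server with
iterative queries until it gets an authoritative answer; both caches keep it
for the record's TTL, and the HOSTS preload of the client cache is modelled.
Server names, addresses (TEST-NET-1) and zone data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    kind: str                     # "answer", "referral", "nxdomain" or "nodata"
    records: list = field(default_factory=list)   # (name, type, ttl, value) tuples
    authoritative: bool = False


def in_zone(name, zone):
    return zone == "" or name == zone or name.endswith("." + zone)


class NameServer:
    """Authoritative server for one zone; answers iterative queries only."""

    def __init__(self, name, zone, records=(), delegations=()):
        self.name, self.zone = name, zone
        self.records = list(records)
        self.delegations = dict(delegations)   # child zone -> (NS name, NS address)

    def query(self, qname, qtype):
        here = [r for r in self.records if r[0] == qname]
        if here:
            wanted = [r for r in here if r[1] == qtype]
            return Response("answer", wanted, True) if wanted else Response("nodata", [], True)
        for child, (ns, addr) in self.delegations.items():
            if in_zone(qname, child):          # best we can do: refer down the tree
                return Response("referral", [(child, "NS", 3600, ns), (ns, "A", 3600, addr)])
        if in_zone(qname, self.zone):
            return Response("nxdomain", [], True)
        return Response("nodata")              # outside our authority, nothing to refer to


class LocalDNSServer:
    """The client's DNS server: own zones, server cache, root hints, recursion."""

    def __init__(self, root_hints, transport, zones=(), recursion=True):
        self.root_hints = list(root_hints)     # like Cache.dns: [(name, address)]
        self.transport = transport             # address -> NameServer (constructed network)
        self.zones, self.recursion = list(zones), recursion
        self.cache = {}                        # (name, type) -> (expires_at, records)

    def resolve(self, qname, qtype, now):
        """Answer a recursive query; returns (Response, upstream servers consulted)."""
        trace = []
        for z in self.zones:                   # step 3: our own zones first
            if in_zone(qname, z.zone):
                return z.query(qname, qtype), trace
        key = (qname, qtype)
        if key in self.cache and self.cache[key][0] > now:
            return Response("answer", self.cache[key][1]), trace   # server cache hit
        if not self.recursion:                 # hand the client the root hints instead
            return Response("referral", [(n, "A", 3600, a) for n, a in self.root_hints]), trace
        addr = self.root_hints[0][1]           # step 4: start at a root server
        for _ in range(8):                     # bound the referral chain
            server = self.transport[addr]
            resp = server.query(qname, qtype)  # iterative queries, steps 4 to 8
            trace.append((server.name, resp.kind))
            if resp.kind != "referral":
                if resp.kind == "answer":
                    self.cache[key] = (now + min(r[2] for r in resp.records), resp.records)
                return resp, trace
            addr = next(r[3] for r in resp.records if r[1] == "A")
        return Response("nodata"), trace


class StubResolver:
    """DNS Client service: resolver cache preloaded from HOSTS, fed by answers."""

    def __init__(self, server, hosts=()):
        self.server = server
        self.cache = {(n, "A"): (float("inf"), [(n, "A", 0, a)]) for n, a in hosts}

    def lookup(self, name, now):
        """Return (address or None, upstream servers the local server had to ask)."""
        key = (name, "A")
        if key in self.cache and self.cache[key][0] > now:
            return self.cache[key][1][0][3], []
        resp, trace = self.server.resolve(name, "A", now)   # step 1: recursive query
        if resp.kind != "answer":
            return None, trace
        self.cache[key] = (now + min(r[2] for r in resp.records), resp.records)
        return resp.records[0][3], trace       # step 9: address back to the caller


def build_lab():
    """Constructed hierarchy: one root server, the 'test' TLD and 'corp.test'."""
    root = NameServer("root-a", "", delegations={"test": ("ns.tld.test", "192.0.2.2")})
    tld = NameServer("ns.tld.test", "test", delegations={"corp.test": ("ns.corp.test", "192.0.2.10")})
    auth = NameServer("ns.corp.test", "corp.test", records=[("www.corp.test", "A", 300, "192.0.2.80")])
    net = {"192.0.2.1": root, "192.0.2.2": tld, "192.0.2.10": auth}
    local = LocalDNSServer([("root-a", "192.0.2.1")], net)
    return local, StubResolver(local, hosts=[("intranet.corp.test", "192.0.2.5")])
```

The trace returned by lookup() lists the root, TLD and authoritative servers the local server had to ask; a second lookup inside the 300-second TTL returns an empty trace from the client cache, a different client on the same server is served from the server cache, and a name absent from the zone ends in an authoritative nxdomain.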

    Understanding the FAT File Systems


The FAT file system was initially introduced with the MS-DOS operating system (OS), when hard disks were generally much smaller and folder structures were not as intricate as they are in networks today. The FAT file system has continued to be supported by every Microsoft OS since its advent. The initial FAT file system could only support a maximum partition size of 2GB. This meant that where a computer's hard disk drive was larger than 2GB, you had to partition the drive into a number of smaller partitions, with each partition size not exceeding 2GB.

The FAT file system protects files by storing two copies of the file allocation table on the FAT volume. In cases where one copy of the file allocation table is corrupt, the other copy is used. The file allocation table's location is specified in the BIOS Parameter Block (BPB) of the FAT boot sector. It is also stored on the volume at a specified byte offset. This ensures that any files necessary to start the system can be found.

The numbers in the names of the different FAT file systems refer to the number of bits used for a file allocation table entry. For instance, FAT12 uses a 12-bit file allocation table entry, FAT16 a 16-bit entry, and FAT32 a 32-bit entry. FAT16 works effectively on small disks and uncomplicated folder structures, while FAT32 works effectively on large disks that have intricate folder structures. FAT16 in MS-DOS, Windows 3.x, Windows 95, Windows 98 and Windows 2000 operates identically in each OS. FAT32 was introduced with Windows 98's second release (OSR2). FAT32 operates the same in Windows 98 OSR2 and Windows 2000.

The FAT16 File System

The FAT16 file system is compatible with the majority of operating systems. This is evident from MS-DOS, Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000 and Windows XP all being able to use the FAT16 file system. FAT16 generally manages disk space well when the size of the volume is less than 256MB. You should refrain from using FAT16 on volumes that are larger than 512MB. FAT16 cannot be used on volumes that exceed 4 GB.

FAT16 maps clusters on the FAT partition. A cluster is the smallest unit that the operating system uses when it assigns space on the partition. A cluster is also at times referred to as an allocation unit. The file allocation table identifies each cluster in the FAT partition as one of the following:

- Unused
- Cluster in use by a file
- Bad cluster
- Last cluster in a file

The FAT16 volume is structured as follows:

- Boot sector on the system partition
- The primary file allocation table
- The copy or duplicate file allocation table
- A root folder
- Other folders and all files


The root folder holds an entry for each file and folder stored on the FAT16 volume and has its maximum number of table entries set at 512 for each disk drive. A file's or folder's entry contains the information listed below:

- Name: This is in 8.3 format
- Attribute: 8 bits
- Create time: 24 bits
- Create date: 16 bits
- Last access date: 16 bits
- Last modified time: 16 bits
- Last modified date: 16 bits
- Starting cluster number in the file allocation table: 16 bits
- File size: 32 bits

The Attribute byte in a folder entry indicates what kind of entry it is and is generally controlled by the OS. Four bits of the attribute byte can be enabled or disabled by the user. These are:

- Archive, System, Hidden, Read-only

Files are allocated the first available location on the FAT16 volume. The address of the first cluster used by the file is the starting cluster number in the file allocation table. Each cluster's file allocation table entry also holds a pointer to the next cluster in the file. The entry for the cluster at the end of the file, however, contains a hex indicator which marks that particular cluster as the end of the file.
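The directory entry fields and the cluster chain described above, as an added Python example that is not from the original notes: it unpacks one 32-byte FAT16 root-folder entry and then walks the file's cluster chain through a file allocation table, stopping at the end-of-file marker and refusing to follow a bad, free or looping pointer. The entry bytes and the FAT contents are constructed for the demonstration; the 32-byte layout, the packed date/time encodings and the marker values (0xFFF7 bad cluster, 0xFFF8 to 0xFFFF end of chain) are the on-disk FAT16 format.

```python
"""Parse a FAT16 root-folder entry and follow its cluster chain.

Added example, not code from the original notes. The 32-byte entry layout
and the 16-bit FAT entry values are the on-disk FAT16 format; the sample
entry and FAT table below are constructed for this demonstration.
"""
import struct
from datetime import date, time

# Attribute byte bits (0x08 volume label and 0x10 directory are set by the OS)
ATTR_BITS = {0x01: "Read-only", 0x02: "Hidden", 0x04: "System",
             0x08: "Volume label", 0x10: "Directory", 0x20: "Archive"}

# FAT16 table entry values: 0x0000 unused, 0xFFF7 bad cluster, >= 0xFFF8 end of chain
FAT16_FREE, FAT16_BAD, FAT16_EOC_MIN = 0x0000, 0xFFF7, 0xFFF8

# 11s name, B attr, B reserved, B create-time tenths, H create time, H create date,
# H last access date, H reserved on FAT16, H modified time, H modified date,
# H starting cluster, I file size  -> 32 bytes in total
ENTRY_FMT = "<11s3B7HI"


def fat_date(v):
    """Packed FAT date: bits 0-4 day, 5-8 month, 9-15 years since 1980."""
    return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)


def fat_time(v, tenths=0):
    """Packed FAT time: bits 0-4 seconds/2, 5-10 minutes, 11-15 hours.
    `tenths` is the extra 10 ms units byte that makes the create time 24 bits."""
    return time(v >> 11, (v >> 5) & 0x3F, (v & 0x1F) * 2 + tenths // 100)


def parse_entry(raw):
    """Decode one 32-byte directory entry into its named fields."""
    (name, attr, _res, ctenths, ctime, cdate, adate, _hi,
     mtime, mdate, start, size) = struct.unpack(ENTRY_FMT, raw)
    base = name[:8].decode("ascii").rstrip()
    ext = name[8:].decode("ascii").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,          # 8.3 name
        "attributes": [n for bit, n in ATTR_BITS.items() if attr & bit],
        "created": (fat_date(cdate), fat_time(ctime, ctenths)),
        "last_access": fat_date(adate),
        "modified": (fat_date(mdate), fat_time(mtime)),
        "start_cluster": start,
        "size": size,
    }


def cluster_chain(fat, start):
    """Follow next-cluster pointers from `start` until the end-of-chain marker.
    Raises ValueError on a bad cluster, a free cluster or a loop instead of
    walking into unrelated data."""
    chain, seen = [], set()
    cur = start
    while True:
        if cur in seen:
            raise ValueError(f"cluster chain loops at {cur:#06x}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC_MIN:
            return chain                                   # last cluster in file
        if nxt in (FAT16_BAD, FAT16_FREE):
            raise ValueError(f"chain broken at cluster {cur:#06x}: next={nxt:#06x}")
        cur = nxt


def build_sample_entry():
    """Constructed entry: README.TXT, Archive + Read-only, 5000 bytes, first cluster 3."""
    cdate = ((2003 - 1980) << 9) | (4 << 5) | 24      # 2003-04-24
    ctime = (9 << 11) | (30 << 5) | (15 // 2)          # 09:30:14
    return struct.pack(ENTRY_FMT, b"README  TXT", 0x21, 0, 0, ctime, cdate,
                       cdate, 0, ctime, cdate, 3, 5000)


# Constructed FAT: 3 -> 4 -> 7 -> end of chain; 5 is marked bad; 6 is free; 8 -> 5
SAMPLE_FAT = {3: 4, 4: 7, 7: 0xFFFF, 5: FAT16_BAD, 6: FAT16_FREE, 8: 5}
```

`parse_entry(build_sample_entry())` yields the 8.3 name, the two user-settable attribute bits and the starting cluster; `cluster_chain(SAMPLE_FAT, 3)` returns `[3, 4, 7]`, while a chain that runs into the bad cluster raises rather than being silently truncated, which is the behaviour a forensic parser should have.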

A few disadvantages associated with the FAT16 file system are summarized below:

- The FAT16 file system has no local security for the file system or compression features.
- The boot sector is not backed up.
- The root folder can only have a maximum of 512 entries, which means that files with long names can greatly decrease the number of entries available.
- FAT16 does not work well with large volume sizes.

The FAT32 File System

The FAT32 file system can handle larger partitions than the FAT16 file system can. FAT32 can support partitions up to 2047 GB in size, compared to FAT16's 4 GB. With FAT32, there is no restriction on the number of entries that the root folder can contain; with FAT16, the root folder could only contain a maximum of 512 entries. The boot sector is also backed up on FAT32 volumes. A FAT32 volume must, however, have a minimum of 65,527 clusters.

The FAT32 architecture is very much like the architecture of the FAT16 file system. FAT32 was designed with few architectural changes in order to ensure compatibility with existing programs and device drivers. This means that device drivers and FAT tools used for FAT16 partitions continue to work for FAT32 partitions.


FAT32 does, however, need 4 bytes in the file allocation table to store cluster values. This has led to the revision or expansion of internal data structures, on-disk data structures and published APIs.

A few disadvantages associated with the FAT32 file system are summarized below:

- Like the FAT16 file system, the FAT32 file system includes no local security for the file system or compression features.
- The MS-DOS, Windows 95, and Windows NT 4.0 OSs are unable to access or read FAT32 partitions.
- Both FAT16 and FAT32 partitions do not scale well: the file allocation table increases in size as the volume grows.

An Overview of NTFS

In order to store data on a local partition on a Windows server, you have to format it with a file system. The file system that you use influences the manner in which data is stored on the disk. It also specifies the security that can be defined for folders and files stored on the partitions. Although Windows servers offer support for the File Allocation Table (FAT) file system, NT file system (NTFS), and CDFS (Compact Disc File System), the file systems generally used by local partitions are the FAT file system and the NTFS file system.

The FAT partitions used by operating systems such as Microsoft DOS, Windows 95, Windows 98, and Windows Me do not allow you to specify security for the file system after a user has logged on. This means that any data stored in a FAT partition is available to every user that shares the same computer. The FAT file system also includes no support for file compression or encryption. You cannot store Macintosh files on FAT partitions. Because Windows 2000, Windows XP and Windows Server 2003 support FAT32, you may choose to configure FAT32 partitions if you need dual-boot capability with Windows 95, Windows 98 and Windows Me.

NTFS partitions, on the other hand, enable you to specify security for the file system after a user has logged on. NTFS permissions control the access users and groups have to files and folders on NTFS partitions. You can set an access level for each particular user to the folders and files hosted on NTFS partitions. You can allow access to the NTFS files and folders, or you can deny access to them. In this manner, NTFS supports local security. The NTFS file system also includes other features such as encryption, disk quotas, file compression, mounted drives, the NTFS change journal, and multiple data streams. You can also store Macintosh files on NTFS partitions.

Comparing NTFS 4.0 and NTFS 5.0

The two available versions of NTFS are:

- NTFS 4.0: This is the version of NTFS used with Windows NT 4.0. Even though it supports access control on files and folders, it does not support the majority of Windows 2000 and Windows Server 2003 file system features. It does, however, include support for file compression.


- NTFS 5.0: This version of NTFS supports all the previously mentioned features of the NTFS file system. NTFS version 5.0 is used with Windows 2000 and Windows Server 2003. Windows NT 4.0 systems that are running Service Pack 4 or later are able to access NTFS 5.0 files and folders.

The key differences between NTFS 4.0 and NTFS 5.0 are summarized below:

- Maximum volume size:
  - NTFS 4.0: 32 GB
  - NTFS 5.0: 2 terabytes on Master Boot Record (MBR) disks, and 18 exabytes on GUID Partition Table (GPT) disks.
- Maximum file size:
  - NTFS 4.0: 32 GB
  - NTFS 5.0: With NTFS 5.0, file size is limited by the size of the volume.
- Support for advanced file access permissions:
  - NTFS 4.0: Yes
  - NTFS 5.0: Yes
- Support for file compression:
  - NTFS 4.0: Yes
  - NTFS 5.0: Yes
- Support for encryption, disk quotas, sparse files, remote storage and Active Directory structures:
  - NTFS 4.0: No
  - NTFS 5.0: Yes

NTFS File and Folder Permissions

The main feature of the NTFS file system is that you can define local security for files and folders stored on NTFS partitions. You can specify access permissions on files and folders which control which users can access the NTFS files and folders. You can also specify what level of access is allowed for each user or group. NTFS enables you to specify more precise permissions than share permissions allow. You can only specify share permissions on folders; NTFS permissions can be set for both folders and files. On NTFS partitions, permissions are applied both to users who access the computer locally and to users who access an NTFS folder which has been shared over the network.

By default, permissions on NTFS volumes are inheritable. This means that files and subfolders inherit permissions from their parent folder. You can, however, configure files and subfolders not to inherit permissions from their parent folder.

You can specify NTFS permissions at the file level and the folder level. The NTFS permissions that can be set at the folder level are listed below:

- Full Control: Enables a user to view or change a folder's attributes and permissions and to take ownership. A user is also able to create, modify and delete folders. Users can also traverse folders and execute program files stored in a folder. The Full Control permission allows users to compress files as well.
- Read and Execute: The rights enabled by this permission include traversing folders and executing files in the folders, listing a folder's contents, and viewing the attributes of folders.
- Write: Users are able to create new folders, new subfolders and new files in the folders. A user is also able to change a folder's attributes.
- List Folder Contents: Users are able to traverse folders, list the contents of the folder, and view a folder's attributes.
- Modify: A user can change the properties of a folder, create new folders, and also delete folders.
- Read: This permission enables a user to view the folder, and any subfolders and files stored within the folder.

The NTFS permissions that can be set at the file level are listed below:

- Full Control: Enables a user to view or change a file's attributes, create and delete files, compress files, view the attributes of files, and add data to files. A user can also execute files.
- Read and Execute: The rights enabled by this permission include executing files in the folders, and viewing the attributes of files.
- Write: Users are able to create new files, change a file's attributes, write data to files, view file ownership and permissions, and overwrite files.
- Modify: A user can change the properties of a file, create new files, delete files, write data to files, and view the attributes of files.
- Read: This permission enables a user to view files and the files' attributes.

With Windows Server 2003, basic NTFS permission settings are assigned for five default users and groups when a new NTFS partition is created. The users/groups and the default permissions created for them are summarized below:


- Administrators: Full Control (Allow)
- System: Full Control (Allow)
- Users: Read (Allow), Read and Execute (Allow), List Folder Contents (Allow)
- Creator Owner: No default permissions set
- Everyone: No default permissions set

Before you can apply NTFS permissions, you have to format the disk partition as an NTFS partition. NTFS permissions are applied through Windows Explorer. You simply have to right-click the particular file or folder that you want to control access to and select Properties from the shortcut menu. The Properties dialog box of NTFS files and folders contains a Security tab. This is the tab used to apply NTFS permissions.

How to configure NTFS permissions for files and folders on NTFS partitions

1. Open Windows Explorer.
2. Right-click the particular file or folder that you want to control access to, and click Properties on the shortcut menu.
3. When the Properties dialog box of the folder/file opens, click the Security tab.
4. If you want to specify new permissions, click the Add button.
5. The Select Users, Computers, Or Groups dialog box opens next.
6. In the Enter The Object Names To Select section of the dialog box, insert the name of the user/group that you want to specify permissions for. Click OK.
7. When the Security tab appears, highlight the user or group in the topmost box, and then set the permissions that should be applied for that particular user or group.
8. Click OK.

How to configure permission inheritance

Click the Advanced button on the Security tab to access the Advanced Security Settings dialog box. This is where you configure permission inheritance. You can set the following permission inheritance options:

- Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.
- Replace permission entries on all child objects with entries shown here that apply to child objects.


When you clear the "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here" checkbox, a security dialog box is displayed. The security dialog box allows you to either completely remove the existing inherited permissions, or change the existing inherited permissions to explicit permissions.

How to configure NTFS special permissions

NTFS special permissions enable administrators to set precise user access permissions for NTFS files and folders. Special permissions are the result of the basic file and folder permissions being split even further into more precise or specific permissions. NTFS special permissions are also referred to as NTFS advanced permissions. You can specify NTFS special permissions by clicking the Advanced button on the Security tab of the file or folder's Properties dialog box. The Advanced Security Settings dialog box opens. You can view existing special permission entries by selecting the particular user/group, and then clicking the Edit button. Clicking the Edit button opens the Permission Entry dialog box. This is where you can perform the following:

- The Change button can be used to modify the user or group shown in the Name box.
- You can use the Allow checkbox and Deny checkbox to change the permission entries.
- The Apply Onto drop-down list box can be used to apply the special permissions to specific objects.

The NTFS special permissions are listed below:

- Full Control: The user can perform all the NTFS special permissions listed below.
- Traverse Folder/Execute File: Traverse Folder enables users to navigate through folders and files beneath the location at which the permission is applied. Execute File enables application programs to be run.
- List Folder/Read Data: List Folder either allows or denies the names of files and subfolders of a folder to be viewed. Read Data enables the data within the files to be read.
- Read Attributes: Either allows or denies the attributes of folders and files to be read.
- Read Extended Attributes: Either allows or denies the extended attributes of folders and files to be read.
- Create Files/Write Data: Create Files allows or denies new files to be created within folders. Write Data either allows or denies changes to be made to files, and to overwrite files.
- Create Folders/Append Data: Either allows or denies new subfolders to be created within a folder, and allows or denies changes to be made to the end of a file.
- Write Attributes: Allows the attributes on a subfolder and file to be changed.
- Write Extended Attributes: Allows the extended attributes on a subfolder and file to be changed.
- Delete Subfolders and Files: Allows files and subfolders to be deleted even though the Delete permission is not granted on the subfolder or file.
- Delete: Enables files or folders to be deleted.
- Read Permissions: Allows the permissions that have been applied to folders and files to be viewed.
- Change Permissions: Allows the permissions that have been applied to folders and files to be changed.
- Take Ownership: Allows the user to modify the owner of the file or folder.

How to determine NTFS effective permissions

You typically need to determine a user's effective permissions before you assign any other permissions to that particular user for a folder or file. A user's effective permissions are determined by:

- Individual user permissions
- Permissions inherited from parent folders
- Permissions inherited from group membership

You can view the effective permissions of a user on the Effective Permissions tab of the Advanced Security Settings dialog box:

1. Open Windows Explorer.
2. Right-click the particular file or folder and choose Properties from the shortcut menu.
3. When the Properties dialog box of the file/folder opens, click the Security tab.
4. To open the Advanced Security Settings dialog box, click the Advanced button.
5. When the Advanced Security Settings dialog box opens, click the Effective Permissions tab.
6. To specify the user or group that you want to determine effective permissions for, click Select, and enter the name of the particular user or group. Click OK.
7. The effective permissions for the user or group that you have chosen are displayed next.
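How the three sources above (the user's own entries, entries inherited from parent folders, and entries held through group membership) combine, as an added Python example that is not from the original notes and is not Windows code: it models an ACL as Allow/Deny entries that are either explicit or inherited, maps the basic permissions onto the special permissions listed earlier (the mapping follows Microsoft's documentation of the basic permissions; Synchronize and the owner's implicit rights are left out for brevity), and computes a user's effective rights following the documented evaluation order: explicit Deny, explicit Allow, inherited Deny, inherited Allow, with each right settled by the first matching entry. The users, groups and the ACL are constructed.

```python
"""Compute NTFS effective permissions from an ACL.

Added example, not code from the original notes or from Windows: a model of
the documented evaluation rules. The basic-to-special permission mapping is
taken from Microsoft's documentation (Synchronize and owner rights omitted);
users, groups and the ACL below are constructed.
"""
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):                       # the NTFS special permissions
    TRAVERSE_EXECUTE = auto()
    LIST_READ_DATA = auto()
    READ_ATTRIBUTES = auto()
    READ_EXT_ATTRIBUTES = auto()
    CREATE_FILES_WRITE_DATA = auto()
    CREATE_FOLDERS_APPEND_DATA = auto()
    WRITE_ATTRIBUTES = auto()
    WRITE_EXT_ATTRIBUTES = auto()
    DELETE_SUBFOLDERS_AND_FILES = auto()
    DELETE = auto()
    READ_PERMISSIONS = auto()
    CHANGE_PERMISSIONS = auto()
    TAKE_OWNERSHIP = auto()


# Basic permissions expressed as sets of special permissions
READ = (Right.LIST_READ_DATA | Right.READ_ATTRIBUTES
        | Right.READ_EXT_ATTRIBUTES | Right.READ_PERMISSIONS)
READ_EXECUTE = READ | Right.TRAVERSE_EXECUTE
WRITE = (Right.CREATE_FILES_WRITE_DATA | Right.CREATE_FOLDERS_APPEND_DATA
         | Right.WRITE_ATTRIBUTES | Right.WRITE_EXT_ATTRIBUTES | Right.READ_PERMISSIONS)
MODIFY = READ_EXECUTE | WRITE | Right.DELETE
FULL_CONTROL = (MODIFY | Right.DELETE_SUBFOLDERS_AND_FILES
                | Right.CHANGE_PERMISSIONS | Right.TAKE_OWNERSHIP)


@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group name
    allow: bool           # True = Allow entry, False = Deny entry
    rights: Right
    inherited: bool = False


def canonical(acl):
    """Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def effective_rights(acl, user, groups):
    """Rights `user` (a member of `groups`) ends up with. Each right is decided by
    the first entry in canonical order that names the user or one of the groups
    and mentions that right, so Deny wins over Allow at the same level and an
    explicit entry wins over an inherited one."""
    identities = {user, *groups}
    decided = Right(0)        # rights already settled by an earlier entry
    granted = Right(0)
    for ace in canonical(acl):
        if ace.trustee not in identities:
            continue
        fresh = ace.rights & ~decided
        if ace.allow:
            granted |= fresh
        decided |= fresh      # a Deny settles its rights as "not granted"
    return granted


def names(rights):
    """Sorted special-permission names, as the Effective Permissions tab lists them."""
    return sorted(r.name for r in Right if r in rights)


# Constructed scenario: a "Reports" folder that inherits Modify for the Finance
# group from its parent, carries an explicit Deny of the delete rights for the
# Interns group, and an explicit Full Control Allow for the user bob.
REPORTS_ACL = [
    Ace("Finance", True, MODIFY, inherited=True),
    Ace("Interns", False, Right.DELETE | Right.DELETE_SUBFOLDERS_AND_FILES),
    Ace("bob", True, FULL_CONTROL),
    Ace("Administrators", True, FULL_CONTROL, inherited=True),
]
```

With this ACL, a Finance member gets Modify, a user who is in both Finance and Interns gets Modify minus Delete (the explicit Deny outranks the inherited Allow), and bob, if he is also an intern, loses the delete rights despite his explicit Full Control, because an explicit Deny is evaluated before an explicit Allow.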

How to determine NTFS permissions for copied or moved files

When you copy or move NTFS files to different locations, the NTFS permissions that were originally specified for the files can change in the new file location. Whether the permissions change or not is determined by the following:


- Was the file moved to an NTFS volume, or to a partition that is not NTFS formatted, such as a FAT partition?
- Was the file copied to a different location on the same NTFS volume, or was it copied to a different NTFS volume?
- Was the file moved or copied?

You can use the rules detailed next to determine whether an NTFS file that is moved or copied retains its prior permissions:

- Files that are copied or moved to FAT partitions do not retain any of their prior NTFS permissions in the new location.
- Files that are moved from one folder to a different location on the same NTFS volume keep all their prior NTFS permissions.
- Files that are copied from one folder to a different location on the same NTFS volume inherit the NTFS permissions of the destination location or folder.
- Files that are moved from one location or folder to a folder on a different NTFS volume inherit the NTFS permissions of the destination location or folder.
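The rules above applied to a small ACL model, as an added Python example that is not from the original notes: it returns what a file's permissions become after a copy or a move. It also covers a copy to a different NTFS volume, which the rules above do not list separately; a copy always creates a new file, so it inherits the destination folder's permissions just as a same-volume copy does. The locations, folder ACLs and file ACL are constructed; note how the explicit Deny on the file survives only a same-volume move.

```python
"""What happens to a file's NTFS permissions when it is copied or moved.

Added example, not code from the original notes: it applies the documented
copy/move rules to a small ACL model. Locations and ACLs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool
    rights: str            # basic permission name, e.g. "Modify"
    inherited: bool = False


@dataclass
class Location:
    filesystem: str        # "NTFS" or "FAT"
    volume: str            # volume identifier, e.g. "C:"
    folder_acl: tuple      # entries the destination folder passes down to children


def resulting_acl(op, file_acl, src, dst):
    """Return (outcome, acl) for a file with `file_acl` that is copied or moved
    from `src` to `dst`. Outcome is 'lost', 'retained' or 'inherits'."""
    if op not in ("copy", "move"):
        raise ValueError(f"unknown operation {op!r}")
    if dst.filesystem != "NTFS":
        return "lost", ()                         # FAT has no ACLs at all
    if op == "move" and src.filesystem == "NTFS" and src.volume == dst.volume:
        return "retained", tuple(file_acl)        # same-volume move keeps everything
    # A copy anywhere, or a move across volumes, creates a new file: it takes the
    # destination folder's inheritable entries and the old explicit ones are gone.
    inherited = tuple(Ace(a.trustee, a.allow, a.rights, inherited=True)
                      for a in dst.folder_acl)
    return "inherits", inherited


def explicit_denies_lost(op, file_acl, src, dst):
    """Explicit Deny entries that disappear because of the operation; the check
    an administrator wants before moving sensitive data around."""
    before = {a for a in file_acl if not a.allow and not a.inherited}
    _, after = resulting_acl(op, file_acl, src, dst)
    return sorted(a.trustee for a in before - set(after))


# Constructed locations and a file ACL that carries one explicit Deny
C_SHARE = Location("NTFS", "C:", (Ace("Users", True, "Read"),))
C_PRIVATE = Location("NTFS", "C:", (Ace("Finance", True, "Modify"),))
D_ARCHIVE = Location("NTFS", "D:", (Ace("Archive Ops", True, "Read and Execute"),))
USB_FAT = Location("FAT", "E:", ())
SALARY_XLS = (Ace("Finance", True, "Modify"), Ace("Interns", False, "Full Control"))
```

`resulting_acl("move", SALARY_XLS, C_PRIVATE, C_SHARE)` keeps the Interns Deny; the same file copied to `C_SHARE` ends up readable by Users with the Deny gone, and on the FAT volume it ends up with no permissions at all.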

How to configure folder and file auditing on NTFS partitions

Before you can configure folder and file auditing on NTFS partitions, auditing for object access (Audit Object Access) has to be enabled for the computer. You have to be a member of the local Administrators group to enable an audit policy on the local machine. If you want to set auditing policy via Active Directory, you must be a member of one of the following groups: Domain Admins, Enterprise Admins. After auditing for object access has been enabled, you can define the files or folders that should be audited, and specify the users and groups that should be tracked. You can audit events for success or for failure.

Use the steps below to configure NTFS folder and file auditing:

1. Right-click the folder or file you want to set auditing for and choose Properties from the shortcut menu.
2. Click the Security tab when the Properties dialog box of the file or folder opens.
3. Click the Advanced button.
4. When the Advanced Security Settings dialog box opens, click the Auditing tab.
5. Click the Add button to open the Select User, Computer, Or Group dialog box.
6. Insert the names of the users or groups whose actions you want to track. Click OK.
7. When the Auditing Entry For Data dialog box is displayed, select the events that should be audited.


Volume Shadow Copies Overview

Volume shadow copies, a new Windows Server 2003 feature, are used to create copies of files at a specific point in time or at a set time interval. Shadow copies can only be created on NTFS volumes, and they create automatic backups of files or data per volume. When enabled, the Shadow Copies feature protects you from accidentally losing important files in a network share. Remember that when users delete files over the network, those files are permanently deleted. Because shadow copies enable users to view previous versions of files, the feature allows them to restore a backup of deleted files.

A few advantages of enabling volume shadow copies on shared folders are:

- If volume shadow copies are enabled for shared folders, you can restore or recover files which have been accidentally deleted or which have become corrupt. The prior versions of files can be copied to the same location, or to another location.
- Through volume shadow copies, you can recover files which have been overwritten when you need to use a previous version of the file.
- Volume shadow copies also enable you to compare changes between the current version of a file and a previous version of the file.
- The integrity of the previous file versions is maintained because they are read-only copies, which prevents any user from changing a file which was shadow copied. If users need to change a previous version of a file, they have to copy the version to a different location and then make the necessary changes.

As mentioned previously, you can only configure volume shadow copies on NTFS volumes. The Shadow Copies feature is in fact a new NTFS feature introduced with Windows Server 2003. Shadow copies are used to create shadowed copies of files at a specified point in time and on a per-volume basis, which means that you configure shadow copies at the volume level. You cannot, therefore, select only certain files and folders for volume shadow copies.

The main requirements for enabling the Shadow Copies feature are:

- Shadow copies must be configured on NTFS volumes, and on a per-volume basis.
- The NTFS volume that you want to configure for volume shadow copies must have 100MB of free volume space (minimum requirement). The maximum is 10% of the volume's free disk space, by default.

A few important points to consider when working with shadow copies are:

- Each volume enabled for shadow copies can only store 64 shadow copies. When this limit is reached on a volume, the oldest shadow copy is permanently deleted and cannot be restored. You can therefore only view a maximum of 64 previous versions of files.
- Shadow copies should not be used to replace regular backups, but should be used to enhance the backup strategy of your organization.
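The retention behaviour described above (at most 64 copies per volume, oldest discarded first, a storage area of at least 100MB that can also force old copies out), as an added Python example that is not from the original notes and is not the Volume Shadow Copy service itself: a simplified model in which each copy costs the amount of data changed since the previous copy, driven through the default Monday to Friday, 07:00 and 12:00 schedule. The change sizes and limits are constructed; the point it makes is how quickly a busy volume or a tight storage limit shortens the window of previous versions a backup strategy can rely on.

```python
"""Retention behaviour of shadow copies on one volume, as described above.

Added example, not code from the original notes or from the Volume Shadow
Copy service: a simplified model (each copy's size is the data changed
since the previous copy; constructed numbers) of the 64-copy limit and the
storage-area limit, both of which discard the oldest copy first.
"""
from collections import deque

MAX_COPIES = 64          # per volume
MIN_STORAGE_MB = 100     # smallest storage area the feature accepts


class ShadowCopyStore:
    def __init__(self, limit_mb=None):
        if limit_mb is not None and limit_mb < MIN_STORAGE_MB:
            raise ValueError(f"storage area must be at least {MIN_STORAGE_MB} MB")
        self.limit_mb = limit_mb          # None models the "No limit" option
        self.copies = deque()             # oldest first: (timestamp, size_mb)
        self.discarded = []               # timestamps lost to retention

    def used_mb(self):
        return sum(size for _, size in self.copies)

    def create(self, timestamp, changed_mb):
        """Take a new copy, then drop the oldest copies until both limits hold."""
        self.copies.append((timestamp, changed_mb))
        while len(self.copies) > MAX_COPIES or (
                self.limit_mb is not None and self.used_mb() > self.limit_mb):
            ts, _ = self.copies.popleft()        # oldest copy is gone for good
            self.discarded.append(ts)
            if not self.copies:                  # even a single copy cannot fit
                break

    def previous_versions(self):
        """Timestamps a user would see on the Previous Versions tab, newest first."""
        return [ts for ts, _ in reversed(self.copies)]


def simulate_default_schedule(weeks, changed_mb_per_copy, limit_mb=None):
    """Default schedule: Monday to Friday at 07:00 and 12:00, i.e. 10 copies a week.
    Returns the store and the number of copies that were taken."""
    store = ShadowCopyStore(limit_mb)
    taken = 0
    for week in range(weeks):
        for day in ("Mon", "Tue", "Wed", "Thu", "Fri"):
            for hour in ("07:00", "12:00"):
                taken += 1
                store.create(f"week{week + 1}-{day}-{hour}", changed_mb_per_copy)
    return store, taken


def oldest_version_after(weeks, changed_mb_per_copy, limit_mb=None):
    """Convenience: the oldest previous version still visible after `weeks`."""
    store, _ = simulate_default_schedule(weeks, changed_mb_per_copy, limit_mb)
    versions = store.previous_versions()
    return versions[-1] if versions else None
```

Eight weeks of the default schedule produce 80 copies, so with no storage limit the first 16 are already gone and the oldest visible version is from week 2; with 50MB of change per copy and a 300MB storage area only the last six copies (three days) survive.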

Configuring Shadow Copies

To enable shadow copies on a volume:

- You must be a member of the Administrators group on the local machine.
- Shadow copies must be enabled on the server.


- For clients to access shadow copies, they need to have the Previous Versions Client software installed. The software can be found in the %windir%\system32\clients\twclient folder.
- The software can be distributed or deployed via Group Policy or Systems Management Server (SMS), or you can create a share so that clients can download the necessary software.

You can enable shadow copies through the Computer Management console, which can be accessed through the Administrative Tools folder. Shadow copies are enabled from the Shared Folders folder in the left pane of the Computer Management console. To navigate to the Shared Folders folder, expand System Tools. To open the Shadow Copies dialog box, right-click Shared Folders, select All Tasks, and then click the Configure Shadow Copies option on the shortcut menu. This is where you manage and configure the volume shadow copies feature.

The Shadow Copies dialog box is made up of the following panes:

- The uppermost pane of the Shadow Copies dialog box is where you enable shadow copies for the particular volume.
  - To enable shadow copies, click the Enable button.
  - If you do not want a volume to use shadow copies, click the Disable button.
  - To change the configuration settings of existing enabled shadow copies, click the Settings button to open the Settings dialog box. The Settings dialog box is divided into two sections: Storage Area, where you change the storage location of shadow copies and the amount of space used to store them; and Schedule, where you configure how often, or when, shadow copies are to be created.
- The bottom pane of the Shadow Copies dialog box displays a list of all the existing shadow copies which have been created.

The settings which you can configure for enabled shadow copies on the Settings dialog box are:

- Location on this volume drop-down list box: This drop-down list box is used to specify the volume on the server on which the shadow copies are to be stored. Where only one volume exists, that volume is automatically selected and you are unable to select other volumes.
- Details button: Click this button to view information on the disk space available and the total disk space.
- Maximum Size - No limit option: To specify that unlimited disk space can be used to store shadow copies, click the No limit option under Maximum Size.
- Maximum Size - Use Limit option: To specify the disk space which can be used to store shadow copies, click the Use Limit option under Maximum Size, and then set how much disk space, in megabytes (MB), can be used to store shadow copies.
- Schedule button: To specify the interval at which shadow copies are created, click the Schedule button. The intervals which can be set are:
  - Daily
  - Weekly
  - Monthly
  - Once
  - At System Startup
  - At Logon
  - When idle

How to enable shadow copies

1. Click Start, Programs, Administrative Tools, and then click Computer Management.
2. Expand the System Tools node in the left pane of the console to navigate to the Shared Folders folder.
3. Right-click Shared Folders, select All Tasks, and then select Configure Shadow Copies from the shortcut menu.
4. The Shadow Copies dialog box opens next.
5. Choose the specific volume for which you want to enable shadow copies, and then click the Enable button.
6. The Enable Shadow Copies message box displays, prompting you to verify that shadow copies should be enabled for the particular volume. The message also informs you that the default settings will be used for the particular shadow volume. Click Yes to continue with enabling shadow copies.
7. After you have enabled shadow copies, click the Settings button on the Shadow Copies tab to configure settings for the shadow copies.
8. Select either the Maximum Size option's No Limit option or the Use Limit option to configure the disk space which can be used to store shadow copies.
9. Click the Schedule button to create a schedule which defines when shadow copies are created.
10. Click New in the dialog box that opens to define a new schedule for the shadow copies.
11. From the Schedule Task drop-down list box, choose one of the following intervals:
    - Daily
    - Weekly
    - Monthly
    - Once
    - At System Startup
    - At Logon
    - When idle
12. The default schedule used to create the shadow copies specifies that they are created Monday to Friday, two times a day (7:00 A.M. and 12:00 P.M.).
13. After you have configured the schedule for the shadow copies, click OK.
14. To close the Shadow Copies dialog box, click OK.

    How to manually create the first shadow copyo Click Start, Programs, Administrative Tools, and then click Computer Management.

    o To connect to the computer which you want to work with, right-click Computer Management in the leftpane, and select Connect To Another Computer on the shortcut menu.

    o When the Select Computer dialog box opens, select the computer.

    o In the left pane, expand the Storage Node, and select Disk Management.

    o All the volumes on the computer are listed in the details pane.

    o Right-click the appropriate volume, and click Properties on the shortcut menu.

    o On the Shadow Copies tab, using the Select A Volume listing choose the volume, and then click the

    Settings button.

    o Configure all necessary configuration settings for the shadow copies on the Settings dialog box, and clickOK.

    o On the Shadow Copies tab, click the Create Now button to force the creation of the first shadow copy.

    o Click OK.

    How to install the client software for shadow copiesy For clients to access shadow copies, they need to have the Previous Versions Client software installed.

    The software can be found in the %windir%\system32\clients\twclient folder. You can use one of the

    methods listed below to install the Previous Versions Client software through a Windows Installer

    Package on client computers:

    o Double-clicking the Windows Installer Package launches a wizard which al lows the user to install thePrevious Versions Client software.

    o You can use the software deployment feature of Group Policy to install the software for client computers.

    o You can create a share, copy the Windows Installer Package to the shared folder, and inform clients to download the necessary software.

    o You can use Systems Management Server (SMS).

    How to access previous versions of a file

    y To access previous versions of a file, access the Properties of the particular folder or file through a shared folder, and then select the Previous Versions tab. The Previous Versions tab lists the previous versions of the file. This Previous Versions tab is only displayed if you have enabled the shadow copies feature on the particular server, and if you access the Properties of the particular folder or file through a shared folder. You cannot view the Previous Versions tab if the file is located on the local hard drive.

    y The tasks which can be performed from the Previous Versions tab are:

    o To view a read-only previous version of a specific file, click the View button on the Previous Versions tab.

    o To copy a previous version of a particular file to a different location, click the Copy button on the Previous Versions tab. When the Copy Items dialog box opens, specify the location to which you want to copy the previous version of the file.

    o To replace the current version of a particular file with a previous version of the file, click the Restore button on the Previous Versions tab. Click Yes in response to the message which warns you that the current version of the file will be replaced with this particular previous version of the file.

    To access shadow copies from a client that has the Previous Versions Client software installed:

    o Open Windows Explorer.

    o Right-click the particular network share, and then click Properties from the shortcut menu.

    o Click the Previous Versions tab.

    o Click the previous version which you want to work with, and then select one of the following buttons:

    Click View to view a previous file version.

    Click Copy to copy the shadow copy to a different location.

    Click Restore to replace the existing version with a previous version.

    How to install the Previous Versions Client software and view files from shadow copies

    o Open Windows Explorer.

    o Navigate to the system32\clients\twclient folder on the server to access the Windows Installer package. Double-click the Windows Installer package.

    o The Previous Versions Client Wizard launches next.

    o On the initial page of the Wizard, click Next to install the Previous Versions Client software.

    o Once the Previous Versions Client software is installed, access the Properties of the particular folder or file through a shared folder.

    o Click the Previous Versions tab.

    o Choose the previous version of the file that you want to work with, and click the View button.

    How to delete a shadow copy

    o Click Start, Programs, Administrative Tools, and then click Computer Management.

    o To connect to the computer which you want to work with, right-click Computer Management in the left pane, and select Connect To Another Computer on the shortcut menu.

    o When the Select Computer dialog box opens, select the computer.

    o In the left pane, expand the Storage Node, and select Disk Management.

    o All the volumes on the computer are listed in the details pane.

    o Right-click the appropriate volume, and click Properties on the shortcut menu.

    o On the Shadow Copies tab, using the Select A Volume listing choose the volume.

    o The Shadow Copies Of Selected Volume area displays all the shadow copies of the volume which you have selected.

    o Select the shadow copy that must be deleted, and click the Delete Now button.

    How to disable shadow copies

    o Click Start, Programs, Administrative Tools, and then click Computer Management.

    o To connect to the computer which you want to work with, right-click Computer Management in the left pane, and select Connect To Another Computer on the shortcut menu.

    o When the Select Computer dialog box opens, select the computer.

    o In the left pane, expand the Storage Node, and select Disk Management.

    o Right-click the appropriate volume, and click Properties on the shortcut menu.

    o On the Shadow Copies tab, using the Select A Volume listing select the volume, and then click the Disable button.

    o Click Yes to verify that you want to disable shadow copies.

    How to manage shadow copies from the command-line

    Shadow copies can also be managed from the command-line. The Vssadmin command which is used and its associated parameters are:

    vssadmin [Add ShadowStorage] [Create Shadow] [Delete Shadows] [Delete ShadowStorage] [List Providers] [List Shadows] [List ShadowStorage] [List Volumes] [List Writers] [Resize ShadowStorage]

    o Add ShadowStorage; sets the location where the shadow copies should be stored for a particular volume.

    o Create Shadow; to force the creation of a shadow copy.

    o Delete Shadows; to delete a particular shadow copy.

    o Delete ShadowStorage; to delete the link between a volume and the location that stores the shadow copies.

    o List Providers; to list the shadow copy providers.

    o List Shadows; to list all shadow copies.

    o List ShadowStorage; to list the volume locations that store shadow copies.

    o List Volumes; to list the volumes that have the shadow copies feature enabled.

    o List Writers; to list all applications using shadow copies.

    o Resize ShadowStorage; to change the space available for storing shadow copies.
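The `List Shadows` output is the quickest way to confirm that the schedule configured on the Shadow Copies tab is really producing copies. The following script is an added example, not code from the original article: it parses the text that `vssadmin list shadows` prints, counts the copies per original volume and reports the age of the newest one, so a volume whose copies have silently stopped stands out. The sample output is constructed here in the layout vssadmin uses; the set IDs, shadow copy IDs, host name and the `SAMPLE_NOW` reference time are placeholders, and the parser assumes that same layout.

```python
"""Summarise `vssadmin list shadows` output per volume (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: two copies of D: from the 7:00 A.M. / 12:00 P.M. schedule
# and one older copy of E:. IDs and machine names are placeholders.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 3/4/2019 7:00:02 AM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (D:)\\?\Volume{dddddddd-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: fileserver.example.local
         Service Machine: fileserver.example.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 3/4/2019 12:00:01 PM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (D:)\\?\Volume{dddddddd-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Type: ClientAccessible

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 3/1/2019 7:00:05 AM
      Shadow Copy ID: {cccccccc-cccc-cccc-cccc-cccccccccccc}
         Original Volume: (E:)\\?\Volume{eeeeeeee-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Type: ClientAccessible
"""
# Constructed "current time" so the example is reproducible offline.
SAMPLE_NOW = datetime(2019, 3, 4, 13, 0, 0)

_CREATED = re.compile(r"creation time:\s*(.+?)\s*$")
_COPY_ID = re.compile(r"Shadow Copy ID:\s*(\{[0-9A-Fa-f-]+\})")
_VOLUME = re.compile(r"Original Volume:\s*\(([A-Za-z]:)\)")
_TYPE = re.compile(r"^\s*Type:\s*(\S+)")


def parse_shadows(text):
    """Return one dict per shadow copy: id, created (datetime), volume, type."""
    copies, current, created = [], None, None
    for line in text.splitlines():
        m = _CREATED.search(line)
        if m:  # the set header carries the creation time of the copies below it
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = _COPY_ID.search(line)
        if m:
            current = {"id": m.group(1), "created": created, "volume": None, "type": None}
            copies.append(current)
            continue
        if current is None:
            continue
        m = _VOLUME.search(line)
        if m:
            current["volume"] = m.group(1)
            continue
        m = _TYPE.match(line)
        if m:
            current["type"] = m.group(1)
    return copies


def summarize(copies, now):
    """Per volume: number of copies, newest creation time and its age in hours."""
    by_volume = defaultdict(list)
    for c in copies:
        by_volume[c["volume"]].append(c["created"])
    summary = {}
    for volume, times in by_volume.items():
        newest = max(times)
        summary[volume] = {
            "count": len(times),
            "newest": newest,
            "age_hours": (now - newest).total_seconds() / 3600.0,
        }
    return summary


def stale_volumes(summary, max_age_hours):
    """Volumes whose newest copy is older than the schedule should allow."""
    return sorted(v for v, s in summary.items() if s["age_hours"] > max_age_hours)


if __name__ == "__main__":
    report = summarize(parse_shadows(SAMPLE_OUTPUT), SAMPLE_NOW)
    for volume, s in sorted(report.items()):
        print(f"{volume} copies={s['count']} newest={s['newest']} age={s['age_hours']:.1f}h")
    print("stale:", stale_volumes(report, 24))
```

With the default Monday to Friday schedule a newest-copy age above 24 hours on a weekday means the task is not running; over a weekend pass a larger `max_age_hours` rather than lowering the threshold.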

    Shadow Copies Best Practices

    The factors to remember when working with shadow copies, and a few shadow copies best practices are summarized below:

    o Shadow copies should not be utilized as a replacement for regular backups. You should therefore continue to perform regular backups of the system.

    o Shadow copies should not be utilized on dual boot computers because a previous version could become corrupted if the computer is booted to an operating system (OS) which is not Windows Server 2003. Enable shadow copies only on computers running Windows Server 2003.

    o Be careful when determining the amount of hard disk space needed for shadow copies. If you configure the limit too small, you could have an insufficient quantity of shadow copies created.

    o When shadow copies are enabled, remember that mounted drives are excluded when shadow copies are created.

    o When you define the schedule for shadow copies, base it on when users make changes to files. For instance, it would be unnecessary to schedule shadow copies to be created over the weekend if files are not modified during this time frame.

    o It is recommended to not schedule shadow copies to take place at an interval greater than once per hour. The interval or frequency for which you configure shadow copies to be created affects how space is utilized.

    o You have to restore a shadow copy to change the contents of a shadow copy.

    o A file that is restored keeps its file permissions.

    o If you recover a deleted file, the file's permissions are the default permissions of the directory.

    o Before you disable shadow copies on a volume, delete the shadow copies schedule.

    IPSec Overview

    IPSec is a suite of protocols which was designed by the Internet Engineering Task Force (IETF) to protect data by signing and encrypting it before it is transmitted over public networks. The IETF Requests for Comments (RFCs) 2401-2409 define the IPSec protocols with regard to security protocols, security associations and key management, and authentication and encryption algorithms. IPSec is a framework of open standards for encrypting TCP/IP traffic within networking environments. IPSec works by encrypting the information contained in IP datagrams through encapsulation. This in turn provides network level data integrity, data confidentiality, data origin authentication, and replay protection.

    The primary features of IPSec are:

    y Authentication; protects the private network and the private data it contains. IPSec secures private data from man-in-the-middle attacks, from attackers attempting to access the network, and from an attacker changing the contents of data packets.

    y Encryption; conceals the actual content of data packets so that it cannot be interpreted by unauthorized parties.

    IPSec can be used to provide packet filtering capabilities. It can also authenticate traffic between two hosts and encrypt traffic passed between the hosts. IPSec can be used to create a virtual private network (VPN). IPSec can also be used to enable communication between remote offices and remote access clients over the Internet.

    IPSec operates at the network layer to provide end-to-end encryption. This basically means that data is encrypted at the source computer sending the data. All intermediate systems handle the encrypted portion of the packets as payload. Intermediate systems such as routers merely forward the packet to its end destination. Intermediate systems do not decrypt the encrypted data. The encrypted data is only decrypted when it reaches the destination.

    IPSec interfaces with the TCP/UDP transport layer and the Internet layer, and is applied transparently to applications. IPSec is transparent to users as well. This basically means that IPSec can provide security for most of the protocols within the TCP/IP protocol suite. When it comes to applications, all applications that use TCP/IP can enjoy the security features of IPSec. You do not have to configure security for each specific TCP/IP based application. By using rules and filters, IPSec can receive network traffic and select the required security protocols, determine which algorithms to use, and can apply cryptographic keys required by any of the services.

    The security features and capabilities of IPSec can be used to secure the private network and private, confidential data from the following:

    y Denial-of-service (DoS) attacks

    y Data pilfering

    y Data corruption

    y Theft of user credentials

    In Windows Server 2003, IPSec uses the Authentication Header (AH) protocol and Encapsulating Security Payload (ESP) protocol to provide data security on:

    y Client computers

    y Domain servers

    y Corporate workgroups

    y Local area networks (LANs)

    y Wide area networks (WANs)

    y Remote offices

    The security functions and features provided by IPSec are summarized below:

    y Authentication; a digital signature is used to verify the identity of the sender of the information. IPSec can use Kerberos, a preshared key, or digital certificates for authentication.

    y Data integrity; a hash algorithm is used to ensure that data is not tampered with. A checksum called a hash message authentication code (HMAC) is calculated for the data of the packet. When a packet is modified while in transit, the calculated HMAC changes. This change will be detected by the receiving computer.

    y Data privacy; encryption algorithms are utilized to ensure that data being transmitted is undecipherable.

    y Anti-replay; prevents an attacker from resending packets in an attempt to gain access to the private network.

    y Nonrepudiation; public key digital signatures are used to prove message origin.

    y Dynamic rekeying; keys can be created during data sending to protect segments of the communication with different keys.

    y Key generation; the Diffie-Hellman key agreement algorithm is used to enable two computers to exchange a shared encryption key.

    y IP Packet filtering; the packet filtering capability of IPSec can be used to filter and block specific types of traffic, based on either of the following elements or on a combination of them:

    o IP addresses

    o Protocols

    o Ports

    What's New in Windows Server 2003 IPSec

    A few new IPSec features have been included in Windows Server 2003, together with enhancements to some IPSec features which existed in previous Windows operating systems:

    y Windows Server 2003 includes the new IP Security Monitor tool which is implemented as an MMC snap-in. The IP Security Monitor tool provides enhanced IPSec security monitoring. With the IP Security Monitor tool, you can perform the following administrative activities:

    o Customize the IP Security Monitor display

    o Monitor IPSec information on the local computer.

    o Monitor IPSec information on remote computers.

    o View IPSec statistics.

    o View information on IPSec policies

    o View security associations information.

    o View generic filters

    o View specific filters

    o Search for specific filters based on IP address

    y You can configure IPSec using the Netsh command-line utility. The netsh command-line utility replaces the previously used Ipsecpol.exe command-line utility.

    y IPSec supports the new Resultant Set of Policy (RSoP) feature of Windows Server 2003. The Resultant Set of Policy (RSoP) calculator can be used to determine the policies which have been applied to a particular user or computer. Resultant Set of Policy (RSoP) sums all group policies which are applied to a user and computer in a domain. This includes all filters and exceptions. You can use the feature through the Resultant Set Of Policy (RSoP) Wizard or from the command-line to view the IPSec policy that is applied.

    y IPSec integration with Active Directory enables you to centrally manage security policies.

    y Kerberos 5 authentication is the default authentication method used by IPSec policies to verify the identity of computers.

    y IPSec is backward compatible with the Windows 2000 Security Framework.

    y If a local policy or Active Directory based policy cannot be applied to a computer, you now have the option of creating a persistent policy for the specific computer. The characteristics of persistent policies are:

    o Persistent policies can only be configured through the Netsh command-line utility.

    o Persistent policies are always positive.

    o Persistent policies cannot be overridden.

    y In Windows Server 2003 IPSec deployments, only Internet Key Exchange (IKE) traffic is exempt from IPSec. Previously, Resource Reservation Protocol (RSVP) traffic, Kerberos traffic, and IKE traffic were exempt from IPSec.

    y IPSec in Windows Server 2003 includes support for the Group 3 2048-bit Diffie-Hellman key exchange. The Group 3 key is much stronger and more complex than the previous Group 2 1024-bit Diffie-Hellman key exchange. If however you need backward compatibility with Windows 2000 and Windows XP, then you have to use the Group 2 1024-bit Diffie-Hellman key exchange.

    y IPSec ESP packets can pass over Network Address Translation (NAT) through User Datagram Protocol-Encapsulating Security Payload (UDP-ESP) encapsulation in Windows Server 2003 IPSec deployments.

    Understanding IPSec Terminology

    This section of the article lists the commonly used IPSec terminology and concepts:

    y Authentication Header (AH): This is one of the main security protocols used by IPSec. AH provides data authentication and integrity, and can therefore be used on its own when data integrity and authentication are relevant factors and confidentiality is not. This is because AH does not provide for encryption, and therefore cannot provide data confidentiality. Authentication Header (AH) and Encapsulating Security Payload (ESP) are the main security protocols used in IPSec. These security protocols can be used separately, or together.

    y Encapsulating Security Payload (ESP): This is one of the main security protocols used by IPSec. ESP ensures data confidentiality through encryption, data integrity, data authentication, and other features that support optional anti-replay services. To ensure data confidentiality, a number of symmetric encryption algorithms are used.

    y Certificate Authorities (CAs): A CA is an entity that generates and validates digital certificates. The CA adds its own signature to the public key of the client. CAs issue and revoke digital certificates.

    y Diffie-Hellman groups: Diffie-Hellman Key Agreement enables two computers to create a shared private key that authenticates data and encrypts an IP datagram. The different Diffie-Hellman groups are listed here:

    o Group 1; provides 768-bit key strength

    o Group 2; provides 1024-bit key strength

    o Group 3; provides 2048-bit key strength
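The group numbers above name the prime field the exchange runs in. The following script is an added example, not code from the original article: it carries a Group 2 exchange through, using the 1024-bit prime and generator 2 that RFC 2409 section 6.2 publishes for that group, checks the peer's public value before using it, and derives keying material the way RFC 2409 forms SKEYID for signature authentication (prf over the two nonces and g^xy, with HMAC-SHA1 as the prf). The Miller-Rabin check, the nonces and the HMAC step are this example's additions, and it is a teaching model of the key agreement, not an IKE implementation.

```python
"""Diffie-Hellman over IKE/Oakley Group 2, 1024-bit MODP (added example)."""
import hashlib
import hmac
import secrets

# RFC 2409, section 6.2 ("Second Oakley Group"): 1024-bit prime, generator 2.
GROUP2_PRIME = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_GENERATOR = 2
# MODP groups use safe primes, so q = (p - 1) / 2 is prime and g = 2 has order q.
GROUP2_ORDER_Q = (GROUP2_PRIME - 1) // 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; used here to sanity-check the transcribed group parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(p=GROUP2_PRIME, g=GROUP2_GENERATOR):
    """Private exponent x from a CSPRNG and the public value g^x mod p."""
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(g, x, p)


def validate_public_value(y, p=GROUP2_PRIME, q=GROUP2_ORDER_Q):
    """Reject degenerate values: a peer's y must lie in the prime-order subgroup."""
    if not 1 < y < p - 1:
        raise ValueError("public value out of range")
    if pow(y, q, p) != 1:
        raise ValueError("public value not in the order-q subgroup")
    return True


def accepts_public_value(y):
    try:
        return validate_public_value(y)
    except ValueError:
        return False


def shared_secret(their_public, my_private, p=GROUP2_PRIME):
    validate_public_value(their_public, p)
    return pow(their_public, my_private, p)


def derive_skeyid(secret, nonce_i, nonce_r):
    """SKEYID = prf(Ni | Nr, g^xy), HMAC-SHA1 as prf (RFC 2409, signature authentication)."""
    gxy = secret.to_bytes((GROUP2_PRIME.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha1).digest()


def run_exchange():
    """Both peers reach the same SKEYID; only public values and nonces cross the wire."""
    xi, yi = generate_keypair()   # initiator
    xr, yr = generate_keypair()   # responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # constructed nonces
    k_initiator = derive_skeyid(shared_secret(yr, xi), ni, nr)
    k_responder = derive_skeyid(shared_secret(yi, xr), ni, nr)
    return k_initiator, k_responder


if __name__ == "__main__":
    a, b = run_exchange()
    print("prime ok:", is_probable_prime(GROUP2_PRIME), "agreed:", a == b, a.hex())
```

The subgroup check is what stops a peer from forcing the shared secret into a tiny set by sending 1, p-1 or another low-order element; the safe-prime structure of the Oakley groups is what makes that check a single modular exponentiation.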

    y Internet Key Exchange (IKE): The IKE protocol is used by computers to create a security association (SA) and to exchange information to generate Diffie-Hellman keys. IKE manages and exchanges cryptographic keys so that computers can have a common set of security settings. Negotiation occurs on which authentication method, encryption algorithm and hashing algorithm the computers will use.

    y IPSec Driver: The IPSec driver performs a number of operations to enable secure network communication, including the following:

    o Creates IPSec packets

    o Generates checksums.

    o Initiates the IKE communication

    o Adds the AH and ESP headers

    o Encrypts data before it is transmitted.

    o Calculates hashes and checksums for incoming packets.

    y IPSec Policies: IPSec policies define when and how data should be secured, and define which security methods to use for securing data. IPSec policies contain a number of elements:

    o Actions.

    o Rules

    o Filter lists

    o Filter actions.

    y IPSec Policy Agent: This is a service running on a computer running Windows Server 2003 that accesses IPSec policy information. The IPSec Policy Agent accesses the IPSec policy information in either the Windows registry or in Active Directory.

    y Oakley key determination protocol: The Diffie-Hellman algorithm is used for two authenticated entities to negotiate and be in agreement on a secret key.

    y Security Association (SA): An SA is a relationship between devices that defines how they use security services and settings.

    y Triple Data Encryption (3DES): This is a strong encryption algorithm used on client machines running Windows, and on Windows Server 2003 computers. 3DES uses 56-bit keys for encryption.

    Understanding How IPSec Works

    A security association (SA) has to first be established between two computers before data can be securely passed between the computers. A Security Association (SA) is a relationship between devices that defines how they use security services and settings. The SA provides the information necessary for two computers to communicate securely. Internet Security Association and Key Management Protocol (ISAKMP) and the IKE protocol are the mechanism that enables two computers to establish security associations. When an SA is established between two computers, the computers negotiate on which security settings to utilize to secure data. A security key is exchanged and used to enable the computers to communicate securely.

    The security association (SA) contains the following:

    y The policy agreement which dictates which algorithms and key lengths the two computers will use to secure data.

    y The security keys used to secure data communication.

    y The security parameters index (SPI).

    With IPSec, two separate SAs are established for each direction of data communication:

    y One SA secures inbound traffic.

    y One SA secures outbound traffic.

    In addition to the above, there is a unique SA for each IPSec security protocol. There are therefore basically two types of SAs:

    y ISAKMP SA: When traffic flow is two directional and IPSec needs to establish a connection between computers, an ISAKMP SA is established. The ISAKMP SA defines and handles security parameters between the two computers. The two computers agree on a number of elements to establish the ISAKMP SA:

    o Determine which connections should be authenticated.

    o Determine the encryption algorithm to use.

    o Determine the algorithm to verify message integrity.

    After the above elements have been negotiated between the two computers, the computers use the Oakley protocol to agree on the ISAKMP master key. This is the shared master key which will be used with the above elements to enable secure data communication.

    After a secured communication channel is established between the two computers, the computers start to negotiate the following elements:

    o Determine whether the Authentication Header (AH) IPSec protocol should be used for the connection.

    o Determine the authentication protocol which should be used with the AH protocol for the connection.

    o Determine whether the Encapsulating Security Payload (ESP) IPSec protocol should be used for the connection.

    o Determine the encryption algorithm which should be used with the ESP protocol for the connection.

    y IPSec SA: IPSec SAs pertain to the IPSec tunnel and IP packet, and define security parameters to use during a connection. The IPSec SA is derived from the above four elements just negotiated between the two computers.
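The two-stage negotiation just described (ISAKMP SA first, then the AH/ESP choices that become the IPSec SAs, with one SA per direction and per protocol) is easier to reason about as data. The following script is an added example, not code from the original article: it models a responder choosing the first proposal it shares with the initiator, refuses an AH-only proposal that asks for encryption (AH cannot encrypt), and builds the directional SAs with their SPIs. Algorithm and authentication names are the ones this page uses; the rule that SPI values 0 to 255 are reserved comes from RFC 2401. The proposal sets are constructed, and this is a model of the selection logic, not an ISAKMP/IKE implementation.

```python
"""Model of ISAKMP SA and IPSec SA negotiation (added example)."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class IsakmpProposal:
    auth_method: str   # "certificate", "kerberos" or "preshared-key"
    encryption: str    # "3DES" or "DES"
    integrity: str     # "SHA1" or "MD5"
    dh_group: int      # 1, 2 or 3


@dataclass(frozen=True)
class IpsecProposal:
    protocols: tuple   # ("AH",), ("ESP",) or ("AH", "ESP")
    integrity: str     # hash used for the HMAC
    encryption: str    # cipher for ESP, "" when ESP is not used


@dataclass
class SecurityAssociation:
    direction: str     # "inbound" or "outbound"
    protocol: str      # "AH" or "ESP"
    spi: int
    integrity: str
    encryption: str    # always "" for AH


def pick_proposal(offered, acceptable):
    """Responder takes the first proposal, in the initiator's order, that it also accepts."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None   # no common proposal: the SA cannot be established


def proposal_is_valid(p):
    """Reject proposals that ask AH for a service it does not provide."""
    if not p.protocols or any(x not in ("AH", "ESP") for x in p.protocols):
        return False
    if "ESP" not in p.protocols and p.encryption:
        return False   # AH authenticates only; encryption needs ESP
    if "ESP" in p.protocols and not p.encryption:
        return False
    return True


def new_spi():
    """Random SPI; values 0-255 are reserved (RFC 2401), so draw from 256 upward."""
    return 256 + secrets.randbelow(2**32 - 256)


def build_ipsec_sas(p, spi_source=new_spi):
    """One SA per direction and per protocol. In practice each side chooses the SPI
    of the SA it will receive on; here spi_source stands in for both sides."""
    if not proposal_is_valid(p):
        raise ValueError("invalid IPSec proposal")
    sas = []
    for proto in p.protocols:
        enc = p.encryption if proto == "ESP" else ""
        sas.append(SecurityAssociation("inbound", proto, spi_source(), p.integrity, enc))
        sas.append(SecurityAssociation("outbound", proto, spi_source(), p.integrity, enc))
    return sas


def negotiate(initiator_isakmp, responder_isakmp, initiator_ipsec, responder_ipsec):
    isakmp = pick_proposal(initiator_isakmp, responder_isakmp)   # phase 1
    if isakmp is None:
        raise ValueError("ISAKMP SA negotiation failed")
    ipsec = pick_proposal(initiator_ipsec, responder_ipsec)      # phase 2, over the ISAKMP SA
    if ipsec is None:
        raise ValueError("IPSec SA negotiation failed")
    return isakmp, ipsec, build_ipsec_sas(ipsec)


# Constructed sample: the initiator prefers Group 3, the responder (a peer that
# must stay compatible with Windows 2000) only offers Groups 1 and 2.
INITIATOR_ISAKMP = (
    IsakmpProposal("certificate", "3DES", "SHA1", 3),
    IsakmpProposal("kerberos", "3DES", "SHA1", 2),
    IsakmpProposal("kerberos", "DES", "MD5", 1),
)
RESPONDER_ISAKMP = {
    IsakmpProposal("kerberos", "3DES", "SHA1", 2),
    IsakmpProposal("kerberos", "DES", "MD5", 1),
}
INITIATOR_IPSEC = (IpsecProposal(("ESP",), "SHA1", "3DES"), IpsecProposal(("AH",), "SHA1", ""))
RESPONDER_IPSEC = {IpsecProposal(("AH", "ESP"), "SHA1", "3DES"), IpsecProposal(("AH",), "SHA1", "")}

if __name__ == "__main__":
    isakmp, ipsec, sas = negotiate(INITIATOR_ISAKMP, RESPONDER_ISAKMP, INITIATOR_IPSEC, RESPONDER_IPSEC)
    print("ISAKMP SA:", isakmp)
    for sa in sas:
        print(sa)
```

Proposal order matters: the responder walks the initiator's list, so a weak option placed first in that list is what gets selected even when both peers could do better.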

    To secure and protect data, IPSec uses cryptography to provide the following capabilities:

    y Authentication: Authentication deals with verifying the identity of the computer sending the data, or the identity of the computer receiving the data. The methods which IPSec can use to authenticate the sender or receiver of data are:

    o Digital certificates: Provides the most secure means of authenticating identities. Certificate authorities (CAs) such as Netscape, Entrust, VeriSign, and Microsoft provide certificates which can be used for authentication purposes.

    o Kerberos authentication: A downside of using the Kerberos v5 authentication protocol is that the identity of the computer remains unencrypted up to the point that the whole payload is encrypted at authentication.

    o Pre-shared keys; should be used when none of the former authentication methods can be used.

    Anti-replay ensures that the authentication data cannot be interpreted as it is sent over the network. In addition to authentication, IPSec can provide nonrepudiation. With nonrepudiation, the sender of the data cannot at a later stage deny actually sending the data.

    y Data integrity: Data integrity deals with ensuring that the data received at the recipient has not been tampered with. A hashing algorithm is used to ensure that the data is not modified as it is passed over the network. The hashing algorithms which can be used by IPSec are:

    o Message Digest (MD5); a one-way hash that results in a 128-bit hash which is used for integrity checking.

    o Secure Hash Algorithm 1 (SHA1); a 160-bit secret key to generate a 160-bit message digest which provides more security than MD5.

    y Data confidentiality: IPSec ensures data confidentiality by applying encryption algorithms to data before it is sent over the network. If the data is intercepted, encryption ensures that the intruder cannot interpret the data. To ensure data confidentiality, IPSec can use either of the following encryption algorithms:

    o Data Encryption Standard (DES); the default encryption algorithm used in Windows Server 2003 which uses 56-bit encryption.

    o Triple DES (3DES); data is encrypted with one key, decrypted with another key, and encrypted again with a different key.

    o 40-bit DES; the least secure encryption algorithm.
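The data-integrity and anti-replay features listed earlier and the MD5/SHA1 choice just above come together in the receiver's per-packet check. The following script is an added example, not code from the original article: it computes the integrity check value the way RFC 2404 (HMAC-SHA1-96) and RFC 2403 (HMAC-MD5-96) specify, the full HMAC truncated to 96 bits, and keeps the RFC 2401 sliding anti-replay window, updating it only after the HMAC verifies so that a forged packet cannot move the window. The packet layout (4-byte sequence number, payload, 12-byte ICV) is a simplification of the real AH/ESP headers, and the key and payloads are constructed.

```python
"""HMAC-96 integrity check and anti-replay window, AH/ESP style (added example)."""
import hmac
import struct

ICV_LEN = 12   # 96-bit truncated HMAC, as in HMAC-SHA1-96 and HMAC-MD5-96


def compute_icv(key, seq, payload, algo="sha1"):
    """HMAC over the sequence number and payload, truncated to 96 bits."""
    return hmac.new(key, struct.pack(">I", seq) + payload, algo).digest()[:ICV_LEN]


def protect(key, seq, payload, algo="sha1"):
    """Sender side: sequence number, payload, then the ICV."""
    return struct.pack(">I", seq) + payload + compute_icv(key, seq, payload, algo)


class ReplayWindow:
    """Sliding window over the last `size` sequence numbers (RFC 2401 scheme)."""

    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit k set means last_seq - k has already been received

    def check(self, seq):
        """Preliminary check only; state is not touched here."""
        if seq == 0:
            return False, "sequence number 0 is invalid"
        if seq > self.last_seq:
            return True, "new"
        diff = self.last_seq - seq
        if diff >= self.size:
            return False, "too old, outside the window"
        if self.bitmap & (1 << diff):
            return False, "replayed"
        return True, "in window"

    def update(self, seq):
        """Called only after the ICV verified, so forged packets cannot move the window."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def receive(key, window, packet, algo="sha1"):
    """Receiver side: returns (accepted, reason, payload)."""
    if len(packet) < 4 + ICV_LEN:
        return False, "truncated", b""
    seq = struct.unpack(">I", packet[:4])[0]
    payload, icv = packet[4:-ICV_LEN], packet[-ICV_LEN:]
    ok, reason = window.check(seq)
    if not ok:
        return False, reason, b""
    if not hmac.compare_digest(icv, compute_icv(key, seq, payload, algo)):
        return False, "integrity check failed", b""
    window.update(seq)
    return True, reason, payload


def demo(algo="sha1"):
    """Constructed traffic: in-order packets, a replay, a forgery, a jump and a late arrival."""
    key = b"constructed-demo-key-not-for-real-use"
    window = ReplayWindow(64)
    reasons = []
    pkts = {s: protect(key, s, b"hello %d" % s, algo) for s in (1, 2, 3, 4, 70, 20)}
    for s in (1, 2, 3):
        reasons.append(receive(key, window, pkts[s], algo)[1])
    reasons.append(receive(key, window, pkts[2], algo)[1])            # replay of seq 2
    forged = bytearray(pkts[4])
    forged[5] ^= 0x01                                                 # flip one payload bit
    reasons.append(receive(key, window, bytes(forged), algo)[1])      # fails the ICV
    reasons.append(receive(key, window, pkts[4], algo)[1])            # genuine 4 still accepted
    reasons.append(receive(key, window, pkts[70], algo)[1])           # window slides to 70
    reasons.append(receive(key, window, protect(key, 3, b"late", algo), algo)[1])  # 70-3 >= 64
    reasons.append(receive(key, window, pkts[20], algo)[1])           # inside the window
    reasons.append(receive(key, window, pkts[20], algo)[1])           # second copy rejected
    return reasons


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The order of the two checks is deliberate: the cheap window check runs first so replayed traffic never costs an HMAC, but the window only advances after the HMAC passes, otherwise a spoofed packet with a high sequence number would push every legitimate in-flight packet outside the window.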

    Understanding the IPSec Modes

    IPSec can operate in one of the following modes:

    y Tunnel mode: IPSec tunnel mode can be used to provide