
Configuring Windows 2000 without Active Directory P1


1 YEAR UPGRADE BUYER PROTECTION PLAN

Configuring Windows 2000 WITHOUT Active Directory

Make the Most of Windows 2000 WITHOUT Active Directory
• Step-by-Step Instructions for Configuring Local Group Policy, Remote Access Policies, Primary and Secondary DNS Zones, and more!
• Complete Coverage of the Pros and Cons of an Active Directory Migration
• Master Windows 2000 Networking Service Improvements Without Running Active Directory

Carol Bailey
Tom Shinder, Technical Editor

[email protected]

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

[email protected] is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:
• One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
• “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
• Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
• Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Configuring Windows 2000 WITHOUT Active Directory
Carol Bailey
Dr. Thomas W. Shinder, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 MKE783FV2P
002 BH8UZ237VB
003 DNVN5T5QL9
004 JDKJR4PP9D
005 ZLA99G2FLW
006 234UFVKLMA
007 94JGV3MDK2
008 FKA3234KP3
009 J3AWV4MLSD
010 NK3VL8SE4N

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Configuring Windows 2000 Without Active Directory
Copyright © 2001 by Syngress Publishing, Inc.

All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-54-7

Technical Editor: Dr. Thomas W. Shinder
Cover Designer: Michael Kavish
Co-Publisher: Richard Kristof
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Copyedit by Syngress Editorial Team
Developmental Editor: Jonathan Babcock
Indexer: Julie Kawabata
Freelance Editorial Manager: Maribeth Corona-Evans

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors, and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, and Frida Yara of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten and Annabel Dent of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Author

Carol Bailey (MCSE+Internet) is a Senior Technical Consultant working for Metascybe Systems Ltd in London. Metascybe is a Microsoft Certified Partner that develops its own PC communications software as well as offers project work and consultancy. In addition to supporting these products and services for an internationally diverse customer base, Carol co-administers the company’s in-house IT resources.

With over 10 years in the industry, Carol has accumulated a wealth of knowledge and experience with Microsoft operating systems. She first qualified as an MCP with NT 3.51 in 1995 and will remain qualified as MCSE as a result of passing the Windows 2000 exams last year. Her other qualifications include a BA (Hons) in English and an MSc in Information Systems.

Well known for her Windows 2000 expertise, Carol has a number of publications on this subject, which include co-authoring the following books in the best-selling certification series from Syngress\Osborne McGraw-Hill: MCSE Windows 2000 Network Administration Study Guide (Exam 70-216), ISBN: 0-07-212383-4; MCSE Designing a Windows 2000 Network Infrastructure Study Guide (Exam 70-221), ISBN: 0-07-212494-6; and MCSE Windows 2000 Accelerated Boxed Set (Exam 70-240), ISBN: 0-07-212383-4.

Technical Editor

Thomas Shinder, M.D. (MCSE, MCP+I, MCT) is a technology trainer and consultant in the Dallas-Ft. Worth metroplex. He has consulted with major firms, including Xerox, Lucent Technologies, and FINA Oil, assisting in the development and implementation of IP-based communications strategies. Tom is a Windows 2000 editor for Brainbuzz.com and a Windows 2000 columnist for Swynk.com.
Tom attended medical school at the University of Illinois in Chicago and trained in neurology at the Oregon Health Sciences Center in Portland, Oregon. His fascination with interneuronal communication ultimately melded with his interest in internetworking and led him to focus on systems engineering. Tom and his wife, Debra Littlejohn Shinder, design elegant and cost-efficient solutions for small- and medium-sized businesses based on Windows NT/2000 platforms. Tom has authored several Syngress books, including Configuring ISA Server 2000: Building Firewalls for Windows 2000 (ISBN: 1-928994-29-6), Configuring Windows 2000 Server Security (ISBN: 1-928994-02-4), Managing Windows 2000 Network Services (ISBN: 1-928994-06-7), and Troubleshooting Windows 2000 TCP/IP (ISBN: 1-928994-11-3).

Contents

Foreword xxv

Chapter 1 Why Not Active Directory? 1
Introduction 2
Why Use Windows 2000 without Active Directory? 2
Why Use Windows 2000? 2
The Acceptance of Windows into the Corporate Workplace 3
The Acceptance of Microsoft in the Corporate Workplace 3
The Emergence of Windows 2000 4
Windows 2000 Track Record 5
Windows 2000 Today 5
Why Not Use Active Directory? 6
Designing and Deploying Active Directory: More Than a Technical Challenge 7
The Purpose of This Book 9
Who Should Read This Book 11
IT Managers 11
IT Implementers 11
What This Book Will Cover 13
Chapter 2: Workstations 13
Chapter 3: Laptops 14
Chapter 4: File and Print Services 15
Chapter 5: Terminal Services 15
Chapter 6: Networking Services—DNS, DHCP, WINS, NLB 16
Chapter 7: Internet Services—IIS5 and Certificate Services 17
Chapter 8: Secure Communication—IPSec 18
Chapter 9: Remote Access—RAS, VPN, IAS, and CMAK 18
Chapter 10: Internet Connectivity—ICS, NAT, and ISA Server 19
Appendix A: The Windows 2000 Microsoft Management Console 20
What This Book Won’t Cover 21
Exchange 2000 and Other Active Directory Dependent Applications 22
Intellimirror Features 25
Enterprise Related Group Policy Objects 28
Quick Resource Searches across the Enterprise Network, with the Ability to Extend the Schema 29
Universal Groups, Group Nesting, and Changes in Group Membership 32
Task Delegation 33
Kerberos Rather Than NTLM Authentication 34
Automatic Transitive Trusts 35
Multimaster Domain Controllers 36
Enterprise Encrypting File System (EFS) Recovery Agents 38
Enterprise Certificate Authorities 39
Quality of Service 40
Active Directory Integration 43
Migrating Networks 45
Fractional Networks 46
Dangers of Fractional Networks Running Active Directory 47
External Networks 47
Walkthrough: Managing User Accounts and Securing the Local Administrator Account 49
Summary 56
Solutions Fast Track 57
Frequently Asked Questions 59

Why Use Windows 2000 without Active Directory?
There is more to Windows 2000 than just Active Directory features—as this book shows. But there’s no doubt that Windows 2000 was written with Active Directory in mind, which is reflected in the standard documentation that accompanies the software. Chapter 1 will begin to answer these questions.

Chapter 2 Workstations 65
Introduction 66
Using Local Group Policy 67
Group Policy Objects 69
Locating Local Group Policy 70
Local Security Policy 71
Complete Local Group Policy Settings 71
Configuring Local Group Policy 73
Useful Group Policy Objects 75
Computer Startup/Shutdown and User Logon/Logoff Scripts 76
Password Options 77
Internet Explorer Settings 81
Disabling Installation from Removable Media 81
Controlling Access to Control Panel and Components 81
Screen Saver Options 83
Disabling the Command Prompt, Disabling the Registry Editor, Running Only Specified Windows Applications 83
Deploying Local Group Policy Objects 84
Security Configuration Using Templates 84
Security Templates 85
Default Security Template 87
Secure Security Template 87
Highly Secure Template 87
Compatible Template 88
Out of the Box Templates 88
Viewing and Modifying Templates 88
Viewing Template Settings 88
Modifying Template Settings 91
Applying Templates 91
Security Configuration and Analysis 92
Configure Computer Now 92
Analyze Computer Now 94
Deploying Security Templates Automatically with Secedit 95
Secedit /Configure Options 95
Improvements in System Reliability 96
Device Driver Signing 97
Driver Signing Options 98
Driver Signing Verification 98
Windows File Protection and System File Checker 99
How Windows File Protection and System File Checker Work 100
WFP Configuration Options 102
WFP Limitations 104
Service Pack Application 105
Slip-Streaming Service Packs 105
Limitations of Service Packs 106
Improvements in Usability 107
Desktop Changes 108
Personalized Menus 109
Start Menu Settings 109
Display Options 111
Folder Options 112
Hardware Support 113
Wizards and Help 114
Wizards 114
Help 116
Walkthrough: Configuring Local Group Policy 119
Summary 122
Solutions Fast Track 123
Frequently Asked Questions 125

TIP
You can always check the current version of Windows (build and Service Pack if applied) by running WinVer.exe, which displays the About Windows dialog box.

Chapter 3 Laptops 129
Introduction 130
Integrating Mobile Computing with the Corporate Network 131
Switching between Working Environments 133
Power Management and Preservation 133
Offline Files and Synchronizing Data 140
Dialup Access 151
Securing Data Outside the Company Environment 153
Encrypting Folders and Files 155
Limitations and Considerations when Using EFS 156
Disabling EFS 156
Remote Access Security 158
Mobile Maintenance and Troubleshooting 158
Safe Mode and the Recovery Console 159
Using the Recovery Console 163
Task Scheduler 165
Configuring Scheduled Tasks 166
Task Manager 168
Walkthrough: Using Offline Files 172
Summary 176
Solutions Fast Track 178
Frequently Asked Questions 180

Switching between Working Environments
There are a number of features that help users switch seamlessly between their different working environments. These include:
• Power management and preservation
• Offline folders and synchronizing data
• Dialup access

Chapter 4 File and Print Services 185
Introduction 186
Sharing Data: Storing and Retrieving 187
Distributed File System (DFS) 191
Configuring Dfs 194
Volume Mount Points 197
Configuring Mounted Drives 199
Indexing Service 200
Configuring Index Catalogs 204
Sharing Printers: Installing and Managing 207
Standard TCP/IP Port Monitor 210
IP Printing 210
Printing Permissions Over the Internet 214
Better Monitoring 214
User Options 216
Managing Servers 216
Disk Management 217
Using the Disk Management Utility 220
Data Management 222
Remote Storage 222
Windows 2000 Backup Utility 224
Disk Quotas 225
Configuring Disk Quotas 226
Monitoring 229
Counter Logs 232
Alerts 232
Trace Logs 233
Using Performance Data 233
Auditing Events and the Security Log 234
Auditing the Registry 236
Auditing Administrative Actions 237
Configuring Counter and Alert Logs 238
Configuring and Using the Event Logs 240
Walkthrough: Setting an Audit Policy 244
Summary 252
Solutions Fast Track 253
Frequently Asked Questions 256

NOTE
The general advice when planning disk space for indexing is to allow at least 30 percent and preferably 40 percent of the total amount of disk space you index (known as the corpus). It would also be prudent to host the index catalogs on a different disk from the operating system.

Chapter 5 Terminal Services 261
Introduction 262
Why Use Windows 2000 Terminal Services? 263
Fast Connections Over Low Bandwidths 264
Remote Administration 265
Remote Administration Using Terminal Services 266
Terminal Services Remote Management Limitations 267
Recovering from Disconnected Sessions 269
Tighter Security 270
Using the Application Security Tool 274
Shadowing Users 276
Seamless Integration Between PC and Server 278
Clipboard Copy and Paste 279
Drive Mappings 280
Local Printer Support 280
Profiles 281
Home Directories 282
Multilanguage Support 283
Preinstallation Considerations 283
Licensing 284
Installing Terminal Services Licensing 286
How Terminal Service Licensing Works 288
Activating a Terminal Services License Server 290
Upgrading from TSE 293
Unattended Installations 295
Application Suitability 295
Capacity and Scaling 298
Limitations 301
Configuring and Managing Windows 2000 Terminal Services 302
Configuring Clients to Use Terminal Services 308
Terminal Services Client 308
Terminal Services Advanced Client 314
Automating Terminal Services Client Setup 317
Using TSAC as a Diagnostic Utility 319
Walkthrough: Remotely Administering a Windows 2000 Server With Terminal Services 321
Summary 327
Solutions Fast Track 329
Frequently Asked Questions 332

Understand the specific technical features and options available with Windows 2000 Terminal Services, including:
• Fast connections over low bandwidths
• Remote administration
• Tighter security
• Shadowing (remote control)
• Seamless integration between PC and server

Chapter 6 Networking Services 337
Introduction 338
Name Resolution with DNS 340
Do You Need to Run DNS? 340
Advantages of Microsoft’s Windows 2000 DNS 344
Dynamic Updates 345
WINS Integration 347
Service Records 349
Unicode and the Underscore 352
Incremental Transfers 355
Easy to Use GUI Administration 356
Integrating Microsoft DNS and UNIX DNS 357
Server Roles and Zones 357
Transferring Zones 360
Importing Zone Files 361
DHCP for Central Configuration and Control of Addresses 363
TCP/IP Configuration Options 366
Vendor and User Class Options 367
BOOTP and Multicast Scopes 368
Automatic Private IP Addressing (APIPA) 370
Superscopes 371
Multinets 372
Server Consolidation 373
Migrating Users from One Scope to Another (Address Reallocation) 374
Name Resolution with WINS 375
Improved WINS Manager 380
Data Integrity 381
Backup Policy 383
Controlling Replication Partners 383
Replication Policy 383
Removing Old Mappings 384
Database Verification 385
High Performance 386
Burst Mode Handling 386
Persistent Connections 386
High Availability with Network Load Balancing (NLB) 388
Network Load Balancing Components 392
Addresses and Priorities 393
Port Rules 395
The WLBS Command Line Utility 398
Configuring Network Load Balancing 399
Configuring Cluster Parameters 400
Configuring Host Parameters 402
Configuring Port Rules 402
Monitoring and Administering Network Load Balancing 405
Walkthrough: Configuring DNS Primary and Secondary Zones 407
Summary 413
Solutions Fast Track 414
Frequently Asked Questions 418

Justifications for running DNS include:
• Having UNIX computers
• Running Internet services
• Running Active Directory
• Preparing for Active Directory
• Looking to integrate UNIX and Microsoft communication

Chapter 7 Internet Services 423
Introduction 424
Installing IIS5 425
Improvements in Reliability 427
Application Protection 427
Setting Application Protection 428
IISreset 429
Restarting IIS from the Internet Information Services Snap-In 429
Restarting IIS Using the Command Line 429
Additional Control When Stopping IIS Services 430
Backup/Restore Configuration 431
Limitations of Backup/Restore Configuration 433
FTP Restart 433
Limitations of FTP Restart 433
Improvements in Administration and Management 434
Wizards and Tools 435
Security Settings Permission Wizard 435
Windows 2000 Internet Server Security Configuration Tool 437
Certificate Wizard and Certificate Trust Lists Wizard 438
IIS Migration Wizard 440
Improved Logging for Process Accounting 440
Improved Remote Administration 441
Web Site Operators 443
Improvements in Security 444
Windows Integrated 446
Digest 446
Fortezza 447
Improvements in Performance 447
HTTP Compression 448
Configuring HTTP Compression 449
ASP Improvements 451
Bandwidth Throttling 452
Configuring Bandwidth Throttling 452
Process Throttling 453
Socket Pooling 454
Document Collaboration with WebDAV 455
Using WebDAV 456
Certificate Services 458
Certificate Authorities and Roles 459
Installing and Configuring a Standalone CA 461
Server Certificates 462
Installing the Web Server’s Certificate Offline with a Standalone CA 463
How Users Request and Manage Certificates 465
Using Secure Communication (SSL) on the Web Server 468
Client Certificate Mapping 469
Configuring One-to-One Account Mappings 470
Configuring Many-to-One Account Mappings 472
Walkthrough: Configuring Multiple Web Sites on a Single Web Server 474
Summary 483
Solutions Fast Track 484
Frequently Asked Questions 488

NOTE
Internet Explorer 3.0, Netscape Navigator 2.0, and later versions of both browsers support the use of host header names. Older browsers do not. Additionally, you cannot use host headers with SSL because the host header will be encrypted—this is an important point for Web servers using SSL for additional security.

Chapter 8 Secure Communication 491
Introduction 492
IPSec Planning—Working Out What You Want to Secure and How 493
Password Based 496
Certificate Based 497
IP Security Utilities—For Configuring and Monitoring Secure Communication 498
Using IP Security Policies on Local Machines 499
Using IP Security Monitor 500
Using the IPSec Policy Agent Service 502
Using TCP/IP | Advanced | Options 503
Using Certificates Snap-In 504
Using the Security Log 505
Using the NetDiag Support Tool 507
IPSec Built-in Policies—For Minimal Administrator Configuration 508
Client (Respond Only) 509
Server (Request Security) 510
Secure Server (Require Security) 510
IPSec Policy Components 511
IP Filter Rules and Lists 511

Secure communication can be broken down into the following five components:
• Nonrepudiation
• Antireplay
• Integrity
• Confidentiality
• Authentication