Chapter 1: Windows 2000 Server Overview
After years of talk about "Cairo" (the Microsoft code name for their "ultimate" server software) and even more years of work, Microsoft has finally shipped Windows 2000. After training us to expect roughly annual releases of new versions of NT (NT 3.1 shipped in 1993, 3.5 in 1994, 3.51 in 1995, and 4 in 1996), NT 5 finally arrived, but it was considerably later than a year after the release of NT 4. Furthermore, NT 5 arrived with a new name: Windows 2000. But the name's not all that's new.
So what took so long? Was it worth the wait? For many, the answer will be "yes." Much of NT's foundation (the internal kernel structure, how drivers are designed, how Windows 2000 multitasks) hasn't changed all that terribly much from NT 4, but network professionals really don't see that part of NT. Instead, we network types will notice that the above-ground structures, the tools built atop the foundation, are so different as to render Windows 2000 Server almost unrecognizable as a descendant of NT 3.x and 4.x. For comparison's sake, and to extend the structural metaphor, think of using Windows NT 3.1 Advanced Server as renting a room in someone's basement, using NT 4 as renting a 2-bedroom apartment, and using Windows 2000 Server as living in Bill Gates's new mansion on Lake Washington: more rooms than anyone can count, all filled with new and wonderful electronic gadgets.
In the mansion, many of the things that you know from the basement room are unchanged: the electricity comes out of sockets in the wall, the pipes are copper or PVC, bathrooms have sinks and commodes in them. But there's so much more of it all, as well as so many new things, both useful ("Hey, cool, a garden, and automatic sprinklers for it!") and of debatable value ("What does this bidet thing do, anyway?"). That's not to say that NT's underpinnings will never change, not at all; the next (and still-unnamed) version of NT will go a step further, digging up NT's 32-bit foundation and replacing it with a 64-bit one.
The main point, however, is this: If you're an NT network administrator, be prepared for culture shock. The difference between NT 4 and Windows 2000 is at least 10 times as great as the difference between NT 3.1 and NT 4. And if you've never worked with NT in any flavor, be prepared to find Windows 2000 both delightful and frustrating, as is the case with most Microsoft software.
It would be somewhat shortsighted of me to simply say, "Here are the new features you'll find in Windows 2000," and then to just dump the features; it sort of misses the forest for the trees. So let me start off by briefly discussing the big picture and what Microsoft's trying to accomplish; then I'll move along to those new features and, finally, take a look at a few of Windows 2000's shortcomings.
Microsoft's Overall Goals for Windows 2000
The changes in Windows 2000 from NT 4 are quite significant, but they were long in coming. What was the wait all about?
Make NT an Enterprise OS
Microsoft wants your company to shut off its mainframes and do your firm's work on big servers running NT. That's why there is a version of Windows 2000 Server called Datacenter Server. Microsoft is also hoping that "enterprise" customers will exploit new Windows 2000 Server facilities such as Active Directory and Microsoft Application Server (née MTS) and COM+ to write gobs of new and hardware-hungry distributed applications. Before they can accomplish that, however, they need to clear three hurdles: reliability, availability, and scalability.
NT Must Be More Reliable
Since their appearance in the late '70s, microcomputer-based network operating systems have been seen as fundamentally different from "big-system" OSes like IBM's MVS and OS/400, Compaq's OpenVMS, and the myriad flavors of Unix. PC-based network operating systems weren't exactly seen as toys, but neither were they seen as something that one would base one's business on, if one's business was truly critical. For example, it's hard to imagine the New York Stock Exchange announcing that they'd decided to get rid of their current trading system and to replace it with a NetWare 4.1 or NT 4-based client-server system. PC-based stuff just wasn't (and largely still isn't) seen as sufficiently reliable yet to take on the big guys.
Nor is that an unfair assessment. Most of us would be a bit uncomfortable about discovering in midflight that the state-of-the-art airliner taking us across the Pacific was run by NT, or that the Social Security Administration had decided to dump their old mainframe-based software in favor of a Lotus Notes-based system running atop NT. Years ago, many firms discovered that NT servers crashed far less often if rebooted weekly; it's hard to imagine running a heart-and-lung machine on something like that. But Microsoft wants to shed that image. They want very much to build an OS that is sufficiently industrial-strength in reliability so that one day it wouldn't be silly to suggest that AT&T's long distance network could run atop some future version of NT, Windows 2000-something. With Windows 2000, Microsoft believes that they've taken some steps in that direction.
NT Must Be More Available
A server being rebooted to change some parameters is just as down as one that is being rebooted after a Blue Screen Of Death, the symptom of a system crash that is all too familiar to NT 4 veterans. Many Windows 2000 parameters can be changed without a reboot where a change to the corresponding parameter in Windows NT 4 would require one. Unfortunately, as we will see, some of the most common parameter changes still require a reboot.
NT Must Be Able to "Scale" to Use Big Computers
Reliability's not the only big-network issue that Microsoft faces. The other one is the limit on the raw power that NT can use; to use a word that the PC industry created a few years ago, NT must be more scalable.
Being an "enterprise" operating system requires two different kinds of scalability which are somewhat at odds with each other: performance scalability and administrative scalability. The first asks, "If I need to do more work with NT, can I just run it on a bigger computer?" The second asks, "If I need to support more users/computers/gigabytes of hard disk/etc., can I do it without hiring more administrators?"
Performance Scalability
CPUs are simply not getting all that much faster in terms of the things they can do. To create faster or higher-capacity computers, then, computer manufacturers have been putting more and more CPUs into a box. And while NT has in theory been designed to use up to 32 processors since its first incarnation, in reality, very few people have been able to get any use out of more than 4 processors. With Windows 2000, Microsoft claims to have improved the scalability of NT, although I've not yet heard anyone say with a straight face that Windows 2000 will "run like a top" on a 32-processor system.
Besides the ability to use a larger number of CPUs, there were internal restrictions within Windows NT, such as the number of users that a SAM database would allow, that simply had to go. With Active Directory, many restrictions, including this one, have been removed.
The three versions of Server support different numbers of CPUs. Windows 2000 Server supports four processors. Windows 2000 Advanced Server supports 8 processors, and Windows 2000 Datacenter Server supports 32 processors.
NOTE Oh, and if you're looking in your Webster's for a definition of scalability, don't bother; it's not a real word. Microsoft made it up a few years ago. Basically, scalable roughly means, "As the job's demands grow, you can meet them by throwing in more hardware (processors and memory) and the system will meet the needs." It's become an issue because, while NT has theoretically supported 32 processors since its inception, much of the basic NT operating system itself can't use many processors; for example, adding a ninth processor to an eight-processor domain controller won't produce any faster logins. That's also true of NT programs; depending on whom you ask, SQL Server maxes out at four or eight processors. Beyond that, adding more processors does nothing more than run up the electric bill.
Administrative Scalability/Manageability
Large enterprises do not like to add headcount in their core business areas, much less just to administer Windows NT. Windows 2000 Server contains a number of facilities such as Intellimirror, designed to allow customers to support more users running with more complex desktop environments with fewer support personnel. Microsoft typically refers to this area as "Manageability," though I think "Administrative Scalability" better captures the flavor of the topic.
In this area, one of the most important additions to Windows 2000 is its support for both issuing and honoring digital certificates in place of userids and passwords for identification and authentication. The overall system needed to manage the life cycles of digital certificates and verify their authenticity and current validity is called Public Key Infrastructure (PKI). PKI-based security is both more secure and vastly more administratively scalable than userid+password-based security, but it is also much, much more technically complex.
Three years can be an awfully long time in the computer business. The years since 1996 have seen the emergence of Universal Serial Bus, IEEE 1394, Fibre Channel, and 3-D video cards, just to name a few areas of technological growth, as well as the introduction of hundreds of new network cards, video boards, sound cards, SCSI host adapters, and so on. A new crop of network-aware PCs has appeared, PCs that understand networking right in their BIOSes and that are designed to be taken straight out of the box without anything on their hard drives, plugged into the network, and started up from the network rather than from any on-disk software. And on a more mundane note, nearly every PC sold in the past five years supports a hardware system called Plug and Play (PnP).
NT supports none of these things right out of the box. Some of these devices can be made to work, but some can't. Hardware support has always been something of an afterthought in NT, and it's amazing that Microsoft shipped NT 4 without any Plug-and-Play support, save an undocumented driver that could sometimes make a PnP ISA board work but that more commonly simply rendered a system unusable. NT 4's offhand support of PC Card laptops and its near-complete lack of support for CardBus slots forced many an NT-centric shop to put NT Server on their servers, NT Workstation on their corporate desktops, and Windows 95 on their laptops. One of Windows 2000's goals, then, and an essential one, is to support the new types of hardware and greatly improve the way that it works on laptops.
Make NT Easier to Support
The past 10 years have seen the rise of the graphical user interface (GUI), which brought a basically uniform "look and feel" to PC applications and made learning a PC application and PCs in general so much easier for users. We've seen programming tools go from some very simple development environments that crashed more often than they worked to today's very stable 32-bit suite of programming tools, making it possible for developers to create large and powerful 32-bit applications. Users and developers are better off; sounds good, doesn't it?
Well, it is, for them. But many of us fall into a third category: support staff. And while some things have gotten better (the graphical nature of many of NT's administrative tools helped get many new admins started on a networking career), the actual job of support hasn't gotten any easier. Consider this: Would you rather rebuild a CONFIG.SYS file from memory to stitch back together a damaged DOS machine, or would you prefer to pick through a broken Registry trying to figure out what's ailing it?
Microsoft's competition knew that support was the Achilles' heel of both Windows and NT, and so in the mid-'90s, Sun and others began extolling the importance of considering the Total Cost of Ownership (TCO) of any desktop system. It wasn't hard to make the argument that the biggest cost of putting Windows on a desktop isn't the hardware or the software; it's the staff hours required to get it up and keep it running. With Windows 2000, Microsoft starts to reduce desktop TCO. A group of Windows 2000 improvements called Change and Configuration Management tools makes life easier for support folks and network administrators in general.
Specific New Capabilities and Features
So much for the good intentions. What about the new goodies?
Microsoft lists pages and pages of enhancements to Windows 2000; the PR people have, after all, had over three years to cook up those lists. I'm sure they're all of value to someone, but here are the things that I find most valuable in Windows 2000, arranged according to my three earlier categories: making NT more enterprise ready, modernizing NT, and improving its administrative tools/lowering TCO.
Making Windows 2000/NT More "Enterprising"
Several functions help push NT's latest incarnation to a place in the big leagues. In particular, the most significant "big network" changes to NT include:
- Active Directory
- Improved TCP/IP-based networking infrastructure
- More scalable security infrastructure options
- More powerful file sharing with the Distributed File System and the File Replication Service
- Freedom from drive letters with junction points and mountable drives
- More flexible online storage via the Removable Storage Manager
The crown jewel of Windows 2000, Active Directory is also the single most pervasive piece of the OS. Many of the things you'll read about in this book, many of the compelling features of Windows 2000, simply cannot function without Active Directory. Group policies, domain trees and forests, centralized deployment of applications, and the best features of the Distributed File System (to name a few) will not operate until you've got a system acting as an Active Directory server.
NOTE The whys and wherefores of Active Directory are complex enough that they'll get a chapter all their own. In Chapter 2, you'll read about what Active Directory is trying to accomplish, how it does so, and how you can best design the Active Directory for your enterprise.
Network Infrastructure Improvements
Anyone building an NT-based network around the TCP/IP protocol needed three important infrastructure tools:
- The Windows Internet Name Service (WINS), which helped Windows 2000- and NT-based servers and workstations locate domain controllers (which handled logins and authentication in general) as well as file and print servers.
- The Dynamic Host Configuration Protocol (DHCP), which simplified and centralized the once-onerous task of configuring TCP/IP on workstations.
- The Domain Name System (DNS), which did the same kind of job as WINS (it keeps track of names and addresses), but instead of helping workstations locate domain controllers and file/print servers, DNS helps programs like Web browsers and e-mail clients to find Web and mail servers.
Some firms have avoided moving their networks to TCP/IP, staying instead with IPX (a protocol that owes its popularity to Novell's networking products) or NetBEUI (the main protocol for Microsoft networking prior to 1995). But with Windows 2000, pretty much everyone should be using TCP/IP, making DHCP, WINS, and DNS essential parts of any Windows 2000-based network.
Why did NT have two services, WINS and DNS, that kept track of names? This was the case because of a questionable choice that Microsoft made back in 1994. Of the two, WINS was the most troublesome and, for some networks, unfortunately the most vital. Thus, it was to many people quite excellent news when Microsoft announced that Windows 2000 would be the end of WINS.
Reports of its death, however, turned out to be greatly exaggerated. The actual story is that, if you have a network that is 100-percent Windows 2000, both on the workstation and server, then yes, you can stop using WINS. But most of us won't have that for years, so Windows 2000 still has a WINS service. Thankfully, it's greatly improved; one expert commented to me that it's ironic that Microsoft finally "fixed" WINS, just as they were about to kill it. Chapter 18 shows you how to set it up and make it work.
DNS was something of a sidelight under NT 4, as NT didn't really need DNS; DNS's main value was to assist Internet-oriented programs like Web, FTP, and POP3/SMTP mail clients in finding their corresponding servers. Under Windows 2000, however, DNS takes center stage. Without it, Active Directory won't work.
NT 4's DNS server was a pleasure to work with, although that's just my opinion: I've spoken with people who tell me that it couldn't handle high volume loads. I didn't have any bad experiences with it, so I can't comment. NT 4's DNS wrapped a well-designed GUI around a standard DNS implementation, making basic DNS tasks simpler than they would be for a Unix DNS implementation at the time. Windows 2000 takes that a step further with improved wizards. First-time DNS administrators will find that Windows 2000's DNS server almost does all the hand-holding you could need.
Additionally, Windows 2000's DNS supports dynamic updates, a process wherein adding information about new machines to a DNS database can be automated. Based on the Internet standard document RFC 2136 (the Internet's standards are described in documents called Request for Comments, or RFCs), it combines the best of NT 4's WINS and DNS servers. The DNS server also supports another Internet standard, RFC 2052, which greatly expands the kind of information that DNS servers can hold onto. For example, a pre-2052 DNS server could tell you what machines acted as mail servers for a given Internet domain, but not which machines were Web or FTP servers. 2052-compliant DNS servers can do that, and more: Active Directory now uses RFC 2052 to allow DNS to help workstations find domain controllers and other Active Directory-specific server types.
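The lookup the paragraph above describes, added here as an illustration (this is not code from the book or from Windows 2000): a small constructed zone fragment holding the kind of SRV records Active Directory registers, parsed and ordered the way RFC 2052 tells a client to try the targets (lowest priority first, then a weighted random draw within a priority). The `rocks.example` domain, host names and ports are assumptions.

```python
import random
import re
from collections import defaultdict

# Constructed zone fragment (an assumption, not a real zone): SRV records of
# the kind Active Directory registers so that clients can find domain
# controllers. Names, hosts and ports are made up for illustration.
ZONE = """\
_ldap._tcp.dc._msdcs.rocks.example. 600 IN SRV 0 100 389 s1.rocks.example.
_ldap._tcp.dc._msdcs.rocks.example. 600 IN SRV 0 300 389 s2.rocks.example.
_ldap._tcp.dc._msdcs.rocks.example. 600 IN SRV 10 0 389 backup.rocks.example.
_kerberos._tcp.rocks.example. 600 IN SRV 0 100 88 s1.rocks.example.
"""

# owner  ttl  IN  SRV  priority  weight  port  target
SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(zone_text):
    """Return {owner name: [(priority, weight, port, target), ...]}."""
    rrsets = defaultdict(list)
    for line in zone_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line}")
        owner, _ttl, prio, weight, port, target = m.groups()
        rrsets[owner].append((int(prio), int(weight), int(port), target))
    return dict(rrsets)


def order_targets(rrset, rng):
    """Order one SRV RRset the way RFC 2052 tells a client to try it:
    lowest priority first; within a priority, draw targets at random in
    proportion to their weight (a weight-0 record is drawn only when the
    draw lands on exactly 0 or nothing else is left)."""
    by_prio = defaultdict(list)
    for rec in rrset:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        remaining = list(by_prio[prio])
        while remaining:
            # RFC 2052: not-yet-ordered records with weight 0 go first
            remaining.sort(key=lambda rec: rec[1] != 0)
            total = sum(rec[1] for rec in remaining)
            draw = rng.randint(0, total)
            running = 0
            for rec in remaining:
                running += rec[1]
                if running >= draw:
                    ordered.append(rec)
                    remaining.remove(rec)
                    break
    return ordered


def find_domain_controllers(zone_text, domain, seed=None):
    """Return 'host:port' strings for the domain's LDAP DCs in try order."""
    owner = f"_ldap._tcp.dc._msdcs.{domain}."
    rrset = parse_srv(zone_text).get(owner, [])
    rng = random.Random(seed)
    return [f"{target}:{port}" for _, _, port, target in order_targets(rrset, rng)]


if __name__ == "__main__":
    print(find_domain_controllers(ZONE, "rocks.example", seed=1))
```

The same owner name is what a pre-2052 server could not express at all: it could list mail exchangers (MX) for `rocks.example`, but had no record type that says "these hosts speak LDAP on port 389."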
NOTE Chapter 18 covers how Active Directory uses RFC 2052 in more detail.
DHCP
DHCP frees network administrators from having to walk around and visit every single desktop in order to configure the TCP/IP protocol. The basic idea is that a workstation broadcasts over the network, seeking an IP address (every computer on an intranet must have a unique IP address); a DHCP server hears the plea and assigns that computer its own unique IP address.
The End of Rogue DHCP Servers
This is in general great, but now and then some dodo would decide to "practice" with DHCP by setting up a DHCP server on some PC. The budding new administrator's new DHCP server would then start handing out completely bogus addresses to unsuspecting workstations. Those workstations would then have IP addresses, but they'd be worthless ones, and as a result those workstations would be unable to function on the company's network.
With Windows 2000, however, not just anyone can create a DHCP server. Now, DHCP servers must be authorized in the Active Directory before they're allowed to start handing out addresses. This is a great advance, the end of what we used to call "rogue" DHCP servers.
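Windows 2000's own check happens on the server side, against Active Directory. A complementary view from the wire, added here as an illustration and not the book's or Windows 2000's own code: parse a DHCPOFFER (RFC 2131 layout) and compare its server identifier option against the servers you know to be authorized. The addresses, the authorized list and the sample packet are all constructed for the example.

```python
import ipaddress
import struct

# Assumption: the servers the directory lists as authorized DHCP servers.
AUTHORIZED_DHCP_SERVERS = {"10.1.0.5"}

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 magic cookie
DHCP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"     # the fixed 236-byte header


def build_offer(server_ip, offered_ip, xid=0x3903F326):
    """Build a minimal DHCPOFFER as constructed test input (not a capture)."""
    srv = ipaddress.IPv4Address(server_ip).packed
    hdr = struct.pack(DHCP_HDR,
                      2, 1, 6, 0, xid, 0, 0,          # BOOTREPLY, Ethernet
                      b"\0" * 4,                       # ciaddr
                      ipaddress.IPv4Address(offered_ip).packed,  # yiaddr
                      srv, b"\0" * 4,                  # siaddr, giaddr
                      bytes.fromhex("0050560000aa") + b"\0" * 10,  # chaddr
                      b"\0" * 64, b"\0" * 128)         # sname, file
    opts = b"\x35\x01\x02"                  # option 53: message type OFFER
    opts += b"\x36\x04" + srv               # option 54: server identifier
    opts += b"\x33\x04" + struct.pack("!I", 86400)  # option 51: lease time
    opts += b"\xff"                         # end
    return hdr + DHCP_MAGIC + opts


def parse_dhcp(packet):
    """Return the fields a monitor cares about plus a {code: value} option map."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(DHCP_HDR, packet[:236])
    msg = {"op": fields[0], "xid": fields[4],
           "yiaddr": str(ipaddress.IPv4Address(fields[8]))}
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                       # pad
            i += 1
            continue
        if code == 255:                     # end
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    msg["options"] = opts
    return msg


def check_offer(packet, authorized):
    """Classify an OFFER as ('authorized'|'rogue'|'unknown', server_ip)."""
    msg = parse_dhcp(packet)
    if msg["op"] != 2 or msg["options"].get(53) != b"\x02":
        return None                         # not an OFFER; nothing to judge
    sid = msg["options"].get(54)
    if sid is None or len(sid) != 4:
        return ("unknown", None)            # RFC 2131 requires option 54 here
    server = str(ipaddress.IPv4Address(sid))
    return ("authorized" if server in authorized else "rogue", server)


if __name__ == "__main__":
    for pkt in (build_offer("10.1.0.5", "10.1.0.50"),
                build_offer("10.1.0.77", "192.168.99.50")):
        print(check_offer(pkt, AUTHORIZED_DHCP_SERVERS))
```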
DHCP Works with DNS to Register Clients
You read before that the new DNS supports dynamic updates, a process standardized in RFC 2136 whereby the DNS server will automatically collect address information about machines on the network. This is an improvement over NT 4's DNS server because that DNS server couldn't automatically collect DNS information about machines; you, the administrator, had to type the names and IP addresses of new machines into the DNS Manager administration tool.
Windows 2000's DNS server collects its information about machines on the network with the help of those machines. When a machine starts up, one of the things it's doing while booting up (one of the reasons that booting modern PCs takes so long) is contacting the DNS server to tell the DNS server that the machine exists. In effect, each workstation and server on the network must know to register itself with the DNS server.
Unfortunately, as RFC 2136 is a fairly recent development in the DNS world, most existing operating systems (DOS, Windows for Workgroups, Windows 9x, NT 3.x, and 4.x) do not know to register themselves with a DNS server. That's where Windows 2000's DHCP server helps out. You can optionally tell the DHCP server to handle the DNS registrations for non-2136-aware workstations. This is a very useful new feature because, without it, dynamic updates wouldn't be worth much except for the rare firm that runs solely Windows 2000 on its desktops, laptops, and servers.
NOTE You can read more about DHCP in Chapter 18.
Quality of Service
The Internet's underlying protocols, TCP/IP, have something of an egalitarian nature; when the Net's busy, it's first come, first served. But the protocols have always had a built-in capability that would theoretically allow an Internet operator to give greater priority to one user over another, to dial in a better response time for some than for others. That's called Quality of Service, or QoS. It was always there but not really implemented as it sort of ran against the way the Net was run.
The growth of corporate intranets, however, changes that story. Network operators in corporate networks aren't serving a mass public; rather, they're serving a diverse and hierarchical organization whose leaders may well want to be able to say, "We direct that this individual get more bandwidth and faster access to network resources than this other individual." That's possible if you're using expensive Cisco routers, but now you can do it if you use Windows 2000 machines as your IP routers as well.
New Security Infrastructure
As one security expert once said to me, "We knew that NT had 'made it' when hackers started targeting it." Hardly a month goes by without word of a new security hole in NT 4 and the hot fixes that are intended to plug that hole. Patch a plaster wall with Spackle enough and eventually you have to wonder if you've got a plaster wall or a Spackle wall, so Microsoft must have decided early on that one of the things that Windows 2000 couldn't live without was a new security system.
So they built two.
Originally, Windows 2000 was supposed to replace NT 4's authentication system, known as NTLM (for NT LAN Manager), with a system popular in the Unix world called Kerberos. Kerberos is well understood and works well in large-scale systems, assisting Microsoft in their "scalability" (there's that nonword again) goal. Partway through the Windows 2000 development process, Microsoft decided to supplement Kerberos with a third security system, a public key system based on the X.509 standard. They did that mainly because a public key system is considered far more scalable than either an NTLM or Kerberos system. Several companies offer hardware readers that allow users to log in by inserting credit card-sized devices called smart cards into the readers.
Kerberos and public key provide as a side effect a feature that NT administrators have asked after for a long time: transitive trust relationships.
Distributed File System
NT's first and probably still most prevalent job is as a file server. And as time has gone on and versions have appeared, it's gotten better at it. Some benchmarks have rated it as fast or faster than NetWare, the guys to beat. And where NT 4's file server software was largely unable to deliver throughput faster than 90Mbps, Windows 2000 can transfer data almost 10 times faster.
Disconnecting Physical Locations from Names
But NT's file server system is hampered by the way it addresses shares on servers. A share named DATA on a server named WALLY would be accessed as \\WALLY\DATA.
Although that makes sense, it's limiting. Suppose the WALLY server goes up in a puff of smoke? We install a new server, perhaps named SALLY rather than WALLY, restore the data from WALLY, and re-create the DATA share. But now it's \\SALLY\DATA rather than \\WALLY\DATA, and configurations that are hardwired to look for and expect \\WALLY\DATA will fail. In other words, if a share's physical location changes, so must its "logical" location, its name. It'd be nice to be able to give a share a name that it could keep no matter what server it happened to be on.
Windows 2000 takes NT beyond that with the Distributed File System. In combination with Active Directory, Dfs (note the lowercase in the acronym; apparently someone already owned DFS when Microsoft started working on the Distributed File System) allows you to give all of your shares names like \\domainname\sharename rather than \\servername\sharename. You needn't know the name of the file server that the share is on.
You probably know that Windows 2000 offers you many ways to add reliability to your network through RAID storage and two-system computer clusters. RAID boxes aren't cheap, and clusters require a lot of hardware (two identical machines, external SCSI storage, extra network cards, and either the Advanced or Datacenter edition of Windows 2000 Server). But there are some very inexpensive fault tolerance options for Windows 2000 networks as well; Dfs provides one.
If you have a file share that you want to be available despite network misfortune and failure, then one way to accomplish that is with a fault tolerant Dfs share. To create one, just create two or more file shares that contain the same information, then tell Dfs to treat them like one share. So, for example, in a domain named ROCKS, you might have a share named STUFF on a server named S1 and a share named STUFF on a server named S2. To the outside world, however, only one share would be visible, as \\ROCKS\STUFF. Then, when someone tries to access \\ROCKS\STUFF, Dfs will basically flip a coin and either send her to \\S1\STUFF or \\S2\STUFF. It's not full-blown fault tolerance (if S1 goes down, nothing automatically transfers people from \\S1\STUFF to \\S2\STUFF), but it's a low-cost way to increase the chance that a given share will be available, even under network "fire...."