Master of Computer Applications1[1]

MASTER OF COMPUTER APPLICATIONS(MCA)

Name:

Enrolment no:

Semester:

Subject:

SCHOOL OF COMPUTER AND INFORMATION SCIENCESINDIRA GANDHI NATIONAL OPEN UNIVERSITY

MAIDAN GARHI, NEW DELHI – 110068

1

NAME OF THE STUDY CENTER BMS College of Engineering,Bangalore.

Laboratory Certificate

This is to certify that Ms…………………………..

has satisfactorily completed the course of

experiments in

………………………………………………practical

prescribed by the IGNOU university 2sem MCA

course in the laboratory of this college in the

year 2005.

Date: Signature of Lab incharge

2

Name of the candidate:

Enrollment no:

Examination center:

DATA STRUCTURES

3

SESSION-1: ARRAYS

1. PROGRAM TO FIND THE MULITIPLICATION OF TWO MATRICES

#include<stdio.h># define size 10void main(){int r1,c1,r2,c2,i,j,k,x[size][size],y[size][size];int m[size][size];clrscr();printf("Enter the order of 1st matrice\n");scanf("%d%d",&r1,&c1);printf("Enter the order of 2nd matrice\n");scanf("%d%d",&r2,&c2);if(c1==r2){printf("enter the %d elements of first matrix\n",r1*c1);for (i=0;i<r1;i++)

{for(j=0;j<c1;j++)scanf("%d",&x[i][j]);}

printf("enter the %d elements of second matrix\n",r2*c2 );for (i=0;i<r2;i++)

{for(j=0;j<c2;j++)scanf("%d",&y[i][j]);}

printf("The given first matrix is:\n");for (i=0;i<r1;i++)

{for(j=0;j<c1;j++)printf("%d\t",x[i][j]);printf ("\n");}

printf("The given second matrix is:\n");for (i=0;i<r2;i++)

{for(j=0;j<c2;j++)printf("%d\t",y[i][j]);printf ("\n");}

for (i=0;i<r1;i++){

4

for(j=0;j<c2;j++){m[i][j]=0;for(k=0;k<r2;k++)m[i][j]=m[i][j]+x[i][k]*y[k][j];}}

printf("The product is:\n");for (i=0;i<r1;i++){for (j=0;j<c2;j++)printf(" %d\t",m[i][j]);printf("\n");}}else printf ("multiplication is not possible");

getch();}

2. PROGRAM TO ACCEPT 10 STRINGS AS INPUT & PRINT IN LEXICOGRAPHICORDER

#include <stdio.h>#include <string.h>void main(){char a[4][25],temp[25];int i,j;clrscr();printf("Enter the names\n");for (i=0;i<4;i++)gets(a[i]);for (i=0;i<3;i++)for (j=i+1;j<4;j++){if (strcmp(a[i],a[j])>0){strcpy(temp,a[i]);strcpy(a[i],a[j]);strcpy(a[j],temp);}}printf("Sorted strings are \n");for (i=0;i<4;i++)puts (a[i]);getch();}

3. PROGRAM TO TWO STINGS S1,S2 & CHECK IF S2 IS SUBSTRING OF S1 & ALSO THE POSITION OF THE SUBSSTRING IN S1.

5

#include<stdio.h>#include <string.h>void main(){char st1[25],st2[25];int cnt,i,j,k,c,len,m,sign;clrscr();printf("Enter the first string\n");gets(st1);printf("Enter the second string\n");gets(st2);len=strlen(st1);for(i=0;i<len;i++){ c=0; if (st1[i]==st2[c]) { m=i; sign=0; cnt=0; while(st2[c]!='\0' && sign!=1) { if (st1[m]==st2[c]) { m++;c++; cnt++; } else sign=1; } if (sign==0) { printf("The given string is present\n"); printf("The starting position %d & ending position %d\n",i+1,(i+cnt)); k=1; } }}if (k != 1)if (sign!=0)printf("The given string is not present\n");getch();}

4. PROGRAM TO CONCATENATE TWO STRINGS S1 & S2

#include<stdio.h>#include<string.h>void main(){char str1[10],str2[10],str[20];int i=0,j=0,k=0;clrscr();

6

printf ("enter the two strings\n");gets (str1);gets (str2);while (str1[i]!='\0'){str[k++]=str1[i++]; }while (str2[j]!='\0'){str[k++]=str2[j++]; }str[k]='\0';printf("The concatenated string is:");puts (str);getch();}

SESSION-2: STRUCTURES

1. PROGRAM TO FIND THE STUDENT INFORMATION & PRINT THE STUDENT INFORMATION & RANK SECURED IN ASCENDING ORDER.

#include<stdio.h>#include<conio.h>#define SIZE 50void main(){int num,i,j;int temp=0,tempe=0;char tempn[50];struct student{int eno ;char name[50];int avg;} st[SIZE];clrscr();printf("Enter the number of students\n");scanf("%d",&num); for(i=0;i<num;i++) { printf("Enter the name of the student\n"); scanf("%s",&st[i].name); printf("Enter the enrollment number\n"); scanf("%d",&st[i].eno); printf("Enter aggregate marks of enter students \n"); scanf("%d",&st[i].avg); } for(i=0;i<num-1;i++) for (j=i+1;j<num;j++)

7

{ temp=0;tempe=0; if (st[i].avg<st[j].avg) { temp=st[i].avg; st[i].avg=st[j].avg; st[j].avg=temp; strcpy(tempn,st[i].name); strcpy(st[i].name,st[j].name); strcpy(st[j].name,tempn); tempe=st[i].eno; st[i].eno=st[j].eno; st[j].eno=tempe; } }for(i=0;i<num;i++){printf("Enrollment number:%d\n Name:%s\n",st[i].eno,st[i].name);printf("Aggregate marks:%d\n Rank:%drank\n",st[i].avg,(i+1));}getch();}

SESSION 3: LINKED LISTS

1. PROGRAM FOR THE CREATION & DELETION OF A LIST USING POINTERS.a) SINGLY LINKED LIST:

#include<stdio.h>#include<stdlib.h>#include<string.h>struct info{char name[30];int eno;struct info *next;};struct info *head=NULL,*temp,*disp;void addrecord();void deleterecord();void disrecord();

void main(){ int ch; clrscr(); while (1) { printf("\n 1. To add records\n"); printf("\n 2. To delete a records\n"); printf("\n 3. To view the records\n"); printf("\n 4. To exit\n"); printf("\n Enter your choice\n"); scanf("%d",&ch); fflush(stdin); switch(ch)

8

{case 1:addrecord(); break;case 2:deleterecord(); break;case 3: disrecord(); break;case 4:exit(0);

} }}

void addrecord(){ struct info *add; char ans='y';

while (ans=='y') { add=(struct info*)malloc(sizeof(struct info)); printf("\n Enter the names:\n"); gets(add->name); fflush(stdin); printf("\n Enter the enrollment number:\n"); scanf("%d",&add->eno); fflush(stdin); if (head==NULL) {

head=add;add->next=NULL;temp=add;

} else {

temp->next=add;add->next=NULL;temp=add;

} printf("\n Would you like to enter another name(y\\n): \n"); ans = getchar(); fflush(stdin); }

}void deleterecord(){ struct info *delete; int teno, present=0;

if (head==NULL) { printf("\n No records to delete\n"); return; } printf("\n Enter the enrollment number to be deleted \n"); scanf("%d",&teno);

9

fflush(stdin);

for (delete=head;delete!=NULL;delete=delete->next) { if (delete->eno==teno) { if (head->eno==teno)

{ delete=head; head=head->next; free(delete); return; } else { temp->next=delete->next; free(delete); return; } } temp=delete;

}

if (present==0) printf("\nNo such enrollment number present\n");}

void disrecord(){ if (head==NULL) { printf("\n No records to view\n"); return; } for (disp=head;disp!=NULL;disp=disp->next) { printf("\n\n Name : %s",disp->name); printf("\n\n Number : %d",disp->eno); }}

b) DOUBLY LINKED LIST:

#include<stdio.h>#include<stdlib.h>struct info{char name[30];int eno;struct info *next;struct info *prev;};struct info *head=NULL,*temp,*disp;

10

void main(){void addrecord();void deleterecord();void disrecord();int ch;clrscr();while (1) { printf("\n 1. To add records\n"); printf("\n 2. To delete a records\n"); printf("\n 3. To view the records\n"); printf("\n 4. To exit\n"); printf("\n Enter your choice\n"); scanf("%d",&ch); fflush(stdin); switch(ch) {

case 1:addrecord(); break;case 2:deleterecord(); break;case 3: disrecord(); break;case 4:exit(0);

} }}


while (ans=='y') { add=(struct info*)malloc(sizeof(struct info)); printf("\n Enter the names:\n"); gets(add->name); fflush(stdin); printf("\n Enter the enrollment number:\n"); scanf("%d",&add->eno); fflush(stdin); if (head==NULL) {

head=add;add->next=NULL;add->prev=NULL;temp=add;

} else {

temp->next=add;add->prev=temp;add->next=NULL;temp=add;

11

} printf("\n Would you like to enter another name(y\\n): \n"); ans = getchar(); fflush(stdin); }

}void deleterecord(){ struct info *del; int teno;

if (head==NULL) { printf("\n No records to delete\n"); return; }

printf("\n Enter the enrollment number to be deleted \n"); scanf("%d",&teno); fflush(stdin);

del=(struct info*)malloc(sizeof (struct info)); del=head->next; if (head->eno==teno)

{ printf("\n Head data cannot be deleted\n"); return; }

while(del){ if(del->eno==teno) { del->prev->next=del->next;

if (del->next!=NULL){del->prev->next=del->next;del->next->prev=del->prev;}else{head->next=temp->next=NULL;temp=head;}return;

} else { del=del->next; } }

printf("\nInvalid input\n");}

12

void disrecord(){ if (head==NULL) { printf("\n No records to view\n"); return; } printf("\n From forward direction\n"); for (disp=head;disp!=NULL;disp=disp->next) { printf("\n\n Name : %s",disp->name); printf("\n\n Number : %d",disp->eno); } printf("\n Press any key to continue\n"); getchar(); printf("\n From backward direction\n"); for (disp=temp;disp!=NULL;disp=disp->prev) { printf("\n\n Name : %s",disp->name); printf("\n\n Number : %d",disp->eno); }

}

c) CIRCULARLY LINKED LISTS:

#include<stdio.h>#include<alloc.h>#include<conio.h>struct node{int data;struct node *next;};struct node *head=NULL;struct node *tail=NULL;void main(){void addrecord();void deleterecord();void disrecord();int ch;clrscr();do { printf("\n 1. To add records\n"); printf("\n 2. To delete a records\n"); printf("\n 3. To view the records\n"); printf("\n 4. To exit\n"); printf("\n Enter your choice\n"); scanf("%d",&ch); fflush(stdin); switch(ch) {

case 1:addrecord(); break;

13

case 2:deleterecord(); break;case 3: disrecord(); break;case 4:exit(0);

} } while (ch!=4);}

void addrecord(){ int new_data; char ans='y'; struct node *ptr,*prev,*temp; clrscr();

while (ans=='y') { temp=(struct node*)malloc(sizeof(struct node)); printf("\n Enter the new element:\n"); scanf("%d",&new_data); fflush(stdin); temp->data=new_data; temp->next=NULL; if (head==NULL) {

head=tail=temp;temp->next=head;

} else {

tail->next=temp;tail=temp;

} printf("\n Would you like to enter another data(y\\n): \n"); ans = getchar(); fflush(stdin); }

}void deleterecord(){ struct node *ptr,*prev,*delnode; int elt;

printf("\n Enter the enrollment number to be deleted \n"); scanf("%d",&elt); fflush(stdin);

if (head==NULL) { printf("\n No elements in the list \n"); return; }else

14

{ if (head->data==elt) {

delnode=head; if (head==tail) head=tail=NULL; else { head=head->next; tail->next=head; }

} else if (tail->data==elt) { for(ptr=head;(ptr!=tail);prev=ptr,ptr=ptr->next); delnode=tail; tail=prev; tail->next=head; } else { for(prev=ptr=head;(ptr->data!=elt)&&(ptr!=tail); prev=ptr,ptr=ptr->next); if(ptr->data==elt) { delnode=ptr; prev->next=ptr->next; printf("yes..."); } else { printf("Given element not found in the list"); getch(); return; } } } free(delnode);}

void disrecord(){ struct node *ptr,*prev=NULL;

if (head==NULL) { printf("\n No records to view\n"); return; } printf("\n The elements in the circular list are\n"); for (ptr=head;prev!=tail;prev=ptr,ptr=ptr->next) printf("\n\n %d",ptr->data); printf(" NULL\n\n "); getch();}

15

2. PROGRAM TO ACCEPT 2 SINGLY LINKED LISTS & PRINT A SINGLY LINKED LIST THOSE ELEMENTS ARE COMMON IN BOTH THE LIST.

#include<stdio.h>#include<stdlib.h>struct info{int num;struct info *next;};

struct node{int num1;struct node *next1;};

struct com{int num2;struct com *next2;};

struct info *temp,*disp,*head;struct node *temp1,*disp1,*head1;struct com *temp2,*disp2,*head2=NULL;

void addrecord();void disrecord();

void main(){int ch;clrscr();while (1) { printf("\n 1. To add records\n"); printf("\n 2. To view the records\n"); printf("\n 3. To exit\n"); printf("\n Enter your choice\n"); scanf("%d",&ch); fflush(stdin); switch(ch) {

case 1:addrecord(); break;case 2:disrecord(); break;case 3: exit(0);

} }}

16

void addrecord(){ struct info *add; struct node *add1;

char ans='y'; char choice='y';

while (ans=='y') { add=(struct info*)malloc(sizeof(struct info)); printf("\n Enter the element of the first list:\n"); scanf("%d",&add->num); fflush(stdin); if (head==NULL|| head->num>=add->num) {

add->next=head;head=add;

} else {

temp=head;while (temp->next!=NULL && temp->next->num < add->num){temp=temp->next;}add->next=temp->next;temp->next=add;

} printf("\n Would you like to enter another name(y\\n): \n"); ans = getchar(); }

while (choice=='y') { add1=(struct node*)malloc(sizeof(struct node)); printf("\n Enter the element of the second list:\n"); scanf("%d",&add1->num1); fflush(stdin); if (head1==NULL|| head1->num1>=add1->num1) {

add1->next1=head1;head1=add1;

} else {

temp1=head1;while (temp1->next1!=NULL && temp1->next1->num1 < add1->num1){temp1=temp1->next1;}add1->next1=temp1->next1;temp1->next1=add1;

} printf("\n Would you like to enter another name(y\\n): \n");

17

choice = getchar(); fflush(stdin); } }

void disrecord(){ struct com *add2; if (head==NULL) { printf("\n No records to view\n"); return; } for (disp=head;disp!=NULL;disp=disp->next) { printf("\n\n Number : %d",disp->num); } for (disp1=head1;disp1!=NULL;disp1=disp1->next1) { printf("\n\n Number : %d",disp1->num1); } for (disp=head;disp!=NULL;disp=disp->next) { for (disp1=head1;disp1!=NULL;disp1=disp1->next1) { if (disp->num==disp1->num1) {

add2=(struct com*)malloc(sizeof(struct com)); add2->num2=disp->num; printf("%d",add2->num2); if(head2==NULL) { head2= add2; add2->next2=NULL; temp2=add2; } else { temp2->next2=add2; add2->next2=NULL; temp2=add2; } }

} } printf("\n Sorted list is \n\n"); for (disp2=head2;disp2!=NULL;disp2=disp2->next2)

{printf("\n\n Number : %d",disp2->num2);}

}

3. PROGRAM TO ACCEPT A SINGLY LINKED LIST OF INTEGERS & SORT THE LIST IN ASCENDING ORDER.

18

#include<stdio.h>#include<stdlib.h>struct info{char name[30];int eno;struct info *next;};struct info *temp,*disp,*head;

void addrecord();void disrecord();

void main(){int ch;clrscr();while (1) { printf("\n 1. To add records\n"); printf("\n 2. To view the records\n"); printf("\n 3. To exit\n"); printf("\n Enter your choice\n"); scanf("%d",&ch); fflush(stdin); switch(ch) {

case 1:addrecord(); break;case 2:disrecord(); break;case 3: exit(0);

} }}


while (ans=='y') { add=(struct info*)malloc(sizeof(struct info)); printf("\n Enter the name:\n"); gets(add->name); fflush(stdin); printf("\n Enter the enrollment number:\n"); scanf("%d",&add->eno); fflush(stdin); if (head==NULL|| head->eno>=add->eno) {

add->next=head;head=add;

}

19

else {

temp=head;while (temp->next!=NULL && temp->next->eno < add->eno){temp=temp->next;}add->next=temp->next;temp->next=add;

} printf("\n Would you like to enter another name(y\\n): \n"); ans = getchar(); fflush(stdin); } }

void disrecord(){ if (head==NULL) { printf("\n No records to view\n"); return; } for (disp=head;disp!=NULL;disp=disp->next) { printf("\n\n Name : %s",disp->name); printf("\n\n Number : %d",disp->eno); }}

SESSION 4: STACKS

1. PROGRAM TO CONVERT A PREFIX EXPRESSION TO A POSTFIX USING POINTERS

#include<stdio.h>#include<string.h>

void push(char item[],int *top,char s[][20]){*top=*top+1;strcpy(s[*top],item);}

void *pop(int *top,char s[][20]){char *item;item=s[*top];*top=*top-1;return item;}

void pre_post(char prefix[],char postfix[]){ char s[20][20]; int top,i; char symbol,temp[2];

20

char *op1,*op2;

top=-1; strrev(prefix); for(i=0;i<strlen(prefix);i++) {

symbol=prefix[i];temp[0]=symbol;temp[1]='\0';switch (symbol){ case '+': case '-': case '*': case '/': case '^':

op1=pop(&top,s);op2=pop(&top,s);

strcpy(postfix,op1);strcat(postfix,op2);strcat(postfix,temp);push(postfix,&top,s);break;

default: push(temp,&top,s);

} }

}

void main(){ char prefix[20]; char postfix[20]; printf("\n\n Enter the prefix expression \n\n"); scanf("%s",prefix); pre_post(prefix,postfix); printf("\n\n The postfix expression is %s \n\n",postfix);}

2. PROGRAM TO REVERSE AN INPUT STRING

#include<stdio.h>#include<string.h>#define STACK_SIZE 20void push(char item,int *top,char s[]){ if (*top==STACK_SIZE-1) { printf("\n stack overflow\n"); return; } s[++(*top)]=item;}

21

char pop(int *top,char s[]){ char item_deleted; if (*top==-1) { return 0; } item_deleted=s[(*top)--]; return item_deleted;}

int is_rev(char str[]){ int i; int top=-1; char s[30] ; char stk_item=0;

for(i=0;i<strlen(str);i++) { push (str[i],&top,s); } printf("\n The reversed string is:"); for(i=0;i<strlen(str);i++) { stk_item= pop (&top,s); printf("%c",stk_item); } getch();}

void main(){ char str[20]; clrscr(); printf("\n Enter the string to be reversed\n"); scanf("%s",str); is_rev(str); }

SESSION-6: TREES & BINARY TREES

1. PROGRAM FOR THE CREATION OF BINARY TREE, PROVIDE INSERTION& DELETION.

#include<stdio.h>#include<conio.h>#include<alloc.h>struct node{int data;struct node *left,*right;};struct node *root;void insert(int x){ struct node *p,*previous,*current;

22

p=(struct node *)malloc(sizeof(struct node)); if(p==NULL) { printf("\n Out of memory"); } p->data=x; p->left=NULL; p->right=NULL; if(root=NULL) { root=p; return; } previous=NULL; current=root; while(current!=NULL) { previous=current; if(p->data<current->data)

current=current->left; else

current=current->right; }

if(p->data<previous->data)previous->left=p;

elseprevious->right=p;

}void inorder(struct node *t){ if (t!=NULL) { inorder(t->left); printf("\n %5d",t->data); inorder (t->right); }}void del(int x){ int tright=0,tleft=0; struct node *ptr=root; struct node *parent=root; struct node *t1=root; struct node *temp=root; while(ptr!=NULL&& ptr->data!=x) { parent=ptr; if (x<ptr->data)

ptr=ptr->left; else

ptr=ptr->right; } if (ptr==NULL) { printf("\n Delete element not found"); return ;

23

} else if(t1->data==x && (t1->left ==NULL || t1->right==NULL))

if(t1->left==NULL) t1=t1->right;else t1=t1->left;

else if (ptr->left==NULL) if (x<parent->data) parent->left=ptr->right; else parent->right=ptr->right; else if (ptr->right==NULL) if (x<parent->data) parent->left=ptr->left; else parent->right=ptr->left; else { temp=ptr; parent=ptr; if((ptr->left)>=(ptr->right)) { ptr=ptr->left; while(ptr->right!=NULL) {

tright=1; parent=ptr; ptr=ptr->right;

} temp->data=ptr->data; if(tright)

parent->right=ptr->left; else

parent->left=ptr->left; } else { ptr=ptr->right; while (ptr->left!=NULL) {

tleft=1; parent=ptr; ptr=ptr->left;

} temp->data=ptr->data; if(tleft)

parent->left=ptr->right; else

parent->right=ptr->right; } free(ptr); }}

void main()

24

{int op,n,srchno;root=(struct node *)malloc(sizeof(struct node));root->data=30;root->right=root->left=NULL;clrscr();do{ printf("\n 1.Insertion"); printf("\n 2.Deletion"); printf("\n 3.Inorder"); printf("\n 4.Quit"); printf("\n Enter your choice\n"); scanf("%d",&op);

switch (op) { case 1: printf("\n Enter the element to insert\n");

scanf("%d",&n); insert(n); break;

case 2: printf("\n Enter the element to be deleted\n"); scanf("%d",&srchno); del(srchno); break;

case 3: printf("\n The inorder elements are\n"); inorder(root); getch(); break;

default: exit(0); } }while(op<4); getch();

}

2. PROGRAM FOR PRE-ORDER,POST-ORDER & IN-ORDER TRAVERSALS OF A BINARY TREE.

#include<stdio.h>#include<conio.h>#include<alloc.h>

struct node{int data;struct node *left,*right;};struct node *root;

void ins(struct node *n,int val,int opt){ struct node *t; t=(struct node *)malloc(sizeof(struct node)); t->data=val; t->right=t->left=NULL;

25

if (opt==1) n->left=t; else n->right=t; printf("\n %d is inserted",val); if (opt==1) { printf("\tat the left\n"); getch(); } else { printf("\tat the right\n"); getch(); }}

void inser(struct node *t,int x){if (t->data >x)if (t->left==NULL)ins(t,x,1);elseinser(t->left,x);else if (t->data < x)if (t->right==NULL)ins(t,x,2);elseinser(t->right,x);else printf("\n Element is already present in the list\n");}

void inorder(struct node *p){ if (p!=NULL) { inorder(p->left); printf("\n %5d",p->data); inorder (p->right); }}

void preorder(struct node *p){ if (p!=NULL) { printf("\n %5d",p->data); preorder(p->left); preorder (p->right); }}

void postorder(struct node *p){ if (p!=NULL)

26

{ preorder(p->left); preorder (p->right); printf("\n %5d",p->data); }}

void main(){int op,n;root=(struct node *)malloc(sizeof(struct node));root->data=30;root->right=root->left=NULL;clrscr();do{ printf("\n 1.Insertion"); printf("\n 2.Preorder"); printf("\n 3.Inorder"); printf("\n 4.Postorder"); printf("\n 5.Quit"); printf("\n Enter your choice\n"); scanf("%d",&op);

switch (op) { case 1: printf("\n Enter the element to insert\n");

scanf("%d",&n); inser(root,n); break;

case 2: printf("\n The preorder elements are\n"); preorder(root); getch(); break;

case 3: printf("\n The inorder elements are\n"); inorder(root); getch(); break;

case 4: printf("\n The postorder elements are\n"); postorder(root); getch(); break;

default: exit(0); } }while(op<5); getch();

}

SESSION-9: SEARCHING & SORTING

1. PROGRAM TO IMPLEMENT LINEAR SEARCH USING POINTERS.

#include<stdio.h>

27

void main(){int *a[100],i,no,*srchno;clrscr();printf("\n Enter the number of elements\n");scanf("%d",&no);printf("\n Enter %d numbers\n",no);for(i=0;i<no;++i)scanf("%d",&a[i]);printf("Enter the search number\n");scanf("%d",&srchno);for(i=0;i<no;++i)if(srchno==a[i]){ printf("\n search number is present"); exit(0);} printf("\n Search number is not present");}

2. PROGRAM TO IMPLEMENT BINARY SEARCH USING POINTERS.

#include<stdio.h>void main(){int *a[100],i,no,*srchno,top,bottom,mid,j,*temp;clrscr();printf("\n Enter the number of elements\n");scanf("%d",&no);printf("\n Enter %d numbers\n",no);for(i=0;i<no;++i)scanf("%d",&a[i]);printf("Enter the search number\n");scanf("%d",&srchno);for(i=0;i<no-1;++i)for(j=i+1;j<no;++j)if(a[i]>a[j]){temp=a[i];a[i]=a[j];a[j]=temp;}printf("\n Sorted array in ascending order\n");for(i=0;i<no;++i)printf("%5d",a[i]);bottom=0;top=no-1;while(top!=bottom+1){ mid=(bottom+top)/2; if (a[mid]<=srchno) bottom=mid; else top=mid;}

28

if(a[bottom]==srchno) printf("\n search number is present");else printf("\n Search number is not present");}

3. PROGRAM TO IMPLEMENT QUICK SORT USING POINTERS.

#include<stdio.h>int *x[100],no,i;void display();void sort();

void main(){clrscr();printf("\n Enter the number of elements\n");scanf("%d",&no);printf("\n Enter %d numbers\n",no);for(i=0;i<no;++i)scanf("%d",&x[i]);sort(0,no-1);display();}void display (){printf("\n Sorted elements are:\n");for(i=0;i<no;++i)printf("%5d",x[i]);getch();}

void sort(int first,int last){ int *temp,*pivot,i,j; if (first<last) { pivot=x[first]; i=first; j=last; while(i<j) { while(x[i]<=pivot && i<last) i++; while(x[j]>=pivot && j>first) j--; if(i<j) {

temp=x[i]; x[i]=x[j];

29

x[j]=temp;}

} temp=x[first]; x[first]=x[j]; x[j]=temp; sort(first,j-1); sort(j+1,last); }}

4. PROGRAM TO IMPLEMENT HEAP SORT USING POINTERS.

#include<stdio.h>int *x[100],no,i;void buildheap();void sort();

void main(){ clrscr(); printf("\n Enter the number of elements\n"); scanf("%d",&no); printf("\n Enter %d numbers\n",no); for(i=1;i<=no;++i) scanf("%d",&x[i]); buildheap(); sort(); printf("\n Sorted elements are:\n"); for(i=1;i<=no;++i) printf("%5d",x[i]); getch();}

void buildheap(){ int j,k,*temp; for(k=2;k<no;++k) { i=k; temp=x[k]; j=i/2; while((i>1)&&(temp>x[j])) { x[i]=x[j]; i=j; j=i/2; if(j<1)j=1; } x[i]=temp; }}

void sort(){

30

int *temp,*value,j,k; for(k=no;k>=2;--k) {

temp=x[1]; x[1]=x[k]; x[k]=temp; i=1; value=x[1]; j=2; if ((j+1)<k) if(x[j+1]>x[j]) j++; while((j<=(k-1))&&(x[j]>value)) { x[i]=x[j]; i=j; j=2*i; if ((j+1)<k) if(x[j+1]>x[j]) j++; else if(j>no) j=no; x[i]=value; }

}

5. PROGRAM TO IMPLEMENT 2-WAY MERGE SORT USING POINTERS.

#include<stdio.h>int *a[100],*b[100],*c[100],i,j,k,item1,item2;void main(){ clrscr(); printf("\n Enter the number of elements in the first array\n"); scanf("%d",&item1); printf("\n Enter %d numbers\n",item1); for(i=0;i<item1;++i) scanf("%d",&a[i]); printf("\n Enter the number of elements in the second array\n"); scanf("%d",&item2); printf("\n Enter %d numbers\n",item2); for(i=0;i<item2;++i) scanf("%d",&b[i]); input1(); input2(); sort(); printf("Sorted merged array is:\n"); display();}

input1(){ bsort(a,item1); printf("\n Sorted first array\n"); for(i=0;i<item1;++i)

31

printf("%d\n",a[i]);}

input2(){ bsort(b,item2); printf("\n Sorted second array\n"); for(i=0;i<item2;++i) printf("%d\n",b[i]);}

bsort(int *m[],int n){ int swap=1,*temp; for(i=0;i<n && swap==1;++i) { swap=0; for(j=0;j<n-(i+1);++j) if (m[j]>m[j+1]) {

temp=m[j];m[j]=m[j+1];m[j+1]=temp;swap=1;

} }}

display(){ for (i=0;i<item1+item2;++i) printf("%d\n",c[i]);}

sort(){ int i,j,k; i=j=k=0; while ((i<item1)&& (j<item2)) { if (a[i]<b[j]) { c[k]=a[i]; i++; k++; } else { if (a[i]>b[j]) {

c[k]=b[j];j++;k++;

} else

32

{ c[k]=a[i]; i++; j++; k++;

} } } while(i<item1) { c[k]=a[i]; i++; k++; } while(j<item2) { c[k]=b[j]; j++; k++; }}}

6. PROGRAM TO IMPLEMENT BUBBLE SORT USING POINTERS.

#include<stdio.h>int *a[100],i,j,item;void main(){ void sort(),display(); int i; clrscr(); printf("\n Enter the number of elements in the first array\n"); scanf("%d",&item); printf("\n Enter %d numbers\n",item); for(i=0;i<item;++i) scanf("%d",&a[i]); sort(); display();}

void sort(){ int swap=1,*temp; for(i=0;i<item && swap==1;++i) { swap=0; for(j=0;j<item-(i+1);++j) if (a[j]>a[j+1]) {

temp=a[j];a[j]=a[j+1];a[j+1]=temp;swap=1;

} }

33

}

void display(){ printf("\n Sorted elements are:\n"); for(i=0;i<item;++i) printf("%d\n",a[i]); getch();}

OPERATING SYSTEM

34

Session 1: Network Configuration

Exercise 1:- Run the following commands and write the use of each command:a. Ipconfig

Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration

Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays

the IP address, subnet mask, and default gateway for all adapters.

Parameters

/all : Displays the full TCP/IP configuration for all adapters. Without this parameter, ipconfig displays

only the IP address, subnet mask, and default gateway values for each adapter. Adapters can represent

physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

/renew [Adapter] : Renews DHCP configuration for all adapters (if an adapter is not specified) or for a

specific adapter if the Adapter parameter is included. This parameter is available only on computers with

adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the

adapter name that appears when you use ipconfig without parameters.

/release [Adapter] : Sends a DHCPRELEASE message to the DHCP server to release the current DHCP

configuration and discard the IP address configuration for either all adapters (if an adapter is not specified)

or for a specific adapter if the Adapter parameter is included. This parameter disables TCP/IP for adapters

configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that

appears when you use ipconfig without parameters.

/flushdns : Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting,

you can use this procedure to discard negative cache entries from the cache, as well as any other entries

that have been added dynamically.

/displaydns : Displays the contents of the DNS client resolver cache, which includes both entries

preloaded from the local Hosts file and any recently obtained resource records for name queries resolved

by the computer. The DNS Client service uses this information to resolve frequently queried names

quickly, before querying its configured DNS servers.

35

/registerdns : Initiates manual dynamic registration for the DNS names and IP addresses that are

configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or

resolve a dynamic update problem between a client and the DNS server without rebooting the client

computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names are

registered in DNS.

/showclassid Adapter : Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for

all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is available only on

computers with adapters that are configured to obtain an IP address automatically.

/setclassid Adapter [ClassID] : Configures the DHCP class ID for a specified adapter. To set the DHCP

class ID for all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is

available only on computers with adapters that are configured to obtain an IP address automatically. If a

DHCP class ID is not specified, the current class ID is removed.

b. PingVerifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol

(ICMP) Echo Request messages. The receipt of corresponding Echo Reply messages are displayed, along

with round-trip times. Ping is the primary TCP/IP command used to troubleshoot connectivity,

reachability, and name resolution. Used without parameters, ping displays help.

C:\>ping example.microsoft.com

Pinging example.microsoft.com [192.168.239.132] with 32 bytes of data:

Reply from 192.168.239.132: bytes=32 time=101ms TTL=124




c. diskperf

Both Logical and Physical Disk Performance counters on this system are automatically enabled on demand.For legacy applications using IOCTL_DISK_PERFORMANCE to retrieve raw counters,you can use -Y or -N to forcibly enable or disable. No reboot is required.

d. NetstatDisplays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP

routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6,

ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active

TCP connections.

To display both the Ethernet statistics and the statistics for all protocols, type the following command:

netstat -e -s

To display the statistics for only the TCP and UDP protocols, type the following command:

netstat -s -p tcp udp

To display active TCP connections and the process IDs every 5 seconds, type the following command:

nbtstat -o 5

36

To display active TCP connections and the process IDs using numerical form, type the following

command:

nbtstat -n -o

e. PathpingProvides information about network latency and network loss at intermediate hops between a source and

destination. Pathping sends multiple Echo Request messages to each router between a source and

destination over a period of time and then computes results based on the packets returned from each router.

Because pathping displays the degree of packet loss at any given router or link, you can determine which

routers or subnets might be having network problems. Pathping performs the equivalent of the tracert

command by identifying which routers are on the path. It then sends pings periodically to all of the routers

over a specified time period and computes statistics based on the number returned from each. Used

without parameters, pathping displays help.

f. TftpTransfers files to and from a remote computer, typically a computer running UNIX, that is running the

Trivial File Transfer Protocol (TFTP) service or daemon. Used without parameters, tftp displays help.

g. FcCompares two files and displays the differences between them.

h. NbtstatDisplays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local

computer and remote computers, and the NetBIOS name cache. Nbtstat allows a refresh of the NetBIOS

name cache and the names registered with Windows Internet Name Service (WINS). Used without

parameters, nbtstat displays help.

i. RcpCopies files between a Windows XP computer and a system running rshd, the remote shell service

(daemon). Windows XP and Windows 2000 do not provide rshd service. Used without parameters, rcp

displays help.

j. LprSends a file to a computer running Line Printer Daemon (LPD) in preparation for printing. Used without

parameters, lpr displays command-line help for the lpr command.

Syntax

Lpr [-S ServerID] -P PrinterName [-C BannerContent] [-J JobName] [{-o | -o l}] [-d] [-x] FileName

TracertDetermines the path taken to a destination by sending Internet Control Message Protocol (ICMP) Echo

Request messages to the destination with incrementally increasing Time to Live (TTL) field values. The

path displayed is the list of near-side router interfaces of the routers in the path between a source host and

a destination. The near-side interface is the interface of the router that is closest to the sending host in the

path. Used without parameters, tracert displays help.

37

NslookupDisplays information that you can use to diagnose Domain Name System (DNS) infrastructure. Before

using this tool, you should be familiar with how DNS works. The Nslookup command-line tool is

available only if you have installed the TCP/IP protocol.

RouteDisplays and modifies the entries in the local IP routing table. Used without parameters, route displays

help.

Syntax

route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric]] [if Interface]]

LpqDisplays the status of a print queue on a computer running Line Printer Daemon (LPD). Used without

parameters, lpq displays command-line help for the lpq command.

Syntax

lpq -S ServerName -P PrinterName [-l]

RshRuns commands on remote computers running the RSH service or daemon. Windows XP and

Windows 2000 do not provide an RSH service. An RSH service called Rshsvc.exe is provided with the

Windows 2000 Server Resource Kit. Used without parameters, rsh displays help.

Syntax

rsh [Host] [-l UserName] [-n] [Command]

ChkdskCreates and displays a status report for a disk based on the file system. Chkdsk also lists and corrects

errors on the disk. Used without parameters, chkdsk displays the status of the disk in the current drive.

Syntax

chkdsk [volume:][[Path] FileName] [/f] [/v] [/r] [/x] [/i] [/c] [/l[:size]]

HostnameDisplays the host name portion of the full computer name of the computer.

net accountThe syntax of this command is:

NET [ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION | SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW]

Exercise 2:

38

ArpDisplays and modifies entries in the Address Resolution Protocol (ARP) cache, which contains one or

more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical

addresses. There is a separate table for each Ethernet or Token Ring network adapter installed on your

computer. Used without parameters, arp displays help.

C:\Documents and Settings\sandipo>arp -a

Interface: 10.115.4.157 --- 0x10003 Internet Address Physical Address Type 10.115.4.1 00-05-5e-37-07-02 dynamic

Exercise 3:Ipxroute

Displays and modifies information about the routing tables used by the IPX protocol. Used without

parameters, ipxroute displays the default settings for packets that are sent to unknown, broadcast, and

multicast addresses.

Syntax

ipxroute servers [/type=x]

ipxroute ripout network

ipxroute resolve {guid | name} {guid | AdapterName}

ipxroute board=n [def] [gbr] [mbr] [remove=xxxxxxxxxxxx]

ipxroute config

Parameters

servers [/type=x] : Displays the Service Access Point (SAP) table for the specified server type. x must be

an integer. For example, /type=4 displays all file servers. If you do not specify /type, ipxroute servers

displays all types of servers, listing them by server name.

ripout network : Discovers if network is reachable by consulting the IPX stack's route table and sending

out a rip request if necessary. Network is the IPX network segment number.

resolve {guid | name} {guid | AdapterName} : Resolves the name of the guid to its friendly name, or the

friendly name to its guid.

board=n : Specifies the network adapter for which to query or set parameters.

def : Sends packets to the ALL ROUTES broadcast. If a packet is transmitted to a unique Media Access

Card (MAC) address that is not in the source routing table, ipxroute sends the packet to the SINGLE

ROUTES broadcast by default.

gbr : Sends packets to the ALL ROUTES broadcast. If a packet is transmitted to the broadcast address

(FFFFFFFFFFFF), ipxroute sends the packet to the SINGLE ROUTES broadcast by default.

mbr : Sends packets to the ALL ROUTES broadcast. If a packet is transmitted to a multicast address

(C000xxxxxxxx), ipxroute sends the packet to the SINGLE ROUTES broadcast by default.

remove=xxxxxxxxxxxx : Removes the given node address from the source routing table.

config : Displays information about all of the bindings for which IPX is configured.

39

Exercise 4:

With Netsh.exe you can easily view your TCP/IP settings. Type the following command in a Command Prompt window (CMD.EXE):

netsh interface ip show config

With Netsh.exe, you can easily configure your computer's IP address and other TCP/IP related settings. For example:

The following command configures the interface named Local Area Connection with the static IP address 192.168.0.100, the subnet mask of 255.255.255.0, and a default gateway of 192.168.0.1:

netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1

Exercise 6:

Routing is configured on a W2K Server / Windows Server 2003 machine by use of the RRAS snap-

in. However, this console is NOT available on a W2K Pro or XP Pro machine.

If you have 2 small network segments populated with no more than a handful of computers per

segment, you CAN use a W2K Pro / XP Pro machine as a router between these segments.

First, you need to install at least 2 NICs on the machine.

Now you need to configure each NIC with the appropriate IP address for the segments that it's

connected to.

Next, you need to configure that IP as the Default Gateway for all the computers on that NIC.

For example, if you have 2 segments (we'll call them Segment A and Segment B respectively) with

the following Network IDs:

Segment A - 192.168.0.0/24 Segment B - 192.168.1.0/24

(/24 means 255.255.255.0 )

and on your computer you have 2 NICs (we'll call them NIC A and NIC B respectively) with the

following IP addresses:

NIC A - 192.168.0.1 NIC B - 192.168.1.1

Then the IP addresses of NIC A and NIC B will be the Default Gateways for segment A and B

respectively.

Next, you need to configure IP Routing between the segments. As I said, this feature is not

configurable via any GUI in W2K Pro and XP Pro, so you'll need to edit the registry:

1. In the Run command type Regedit.exe and press Enter.

40

2. In the registry navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3. Select the "IPEnableRouter" entry (by default the value is 0) and change it's value to 1.4. Close Regedit.5. Reboot.

NETSH (Win2k &standard command in XP)

Configure interfaces, routing protocols, filters, routes, RRAS, .

Syntax NETSH [-r router name] [-a AliasFile] [-c Context] [Command | -f ScriptFile]

Key context may be any of: DHCP, ip, ipx, netbeui, ras, routing, autodhcp, dnsproxy, igmp, mib, nat, ospf, relay, rip, wins.

Under Windows XP the available contexts are: AAAA, DHCP, DIAG, IP, RAS, ROUTING, WINS

To display a list of commands that can be used in a context, type the context name followed by a space and a ? at the netsh> command prompt. e.g. netsh> routing ?

command may be any of:

/exec script_file_name Load the script file and execute commands from it.

/offline Set the current mode to offline. changes made in this mode are saved, but require a "commit" or "online" command to be set in the router.

/online Set the current mode to online. Changes in this mode are immediately reflected in the router.

/commit Commit any changes made in the offline mode to the router.

/popd Pop a context from the stack.

/pushd Push current context onto the stack.

/set mode [mode =] online | offline Set the current mode to online or offline.

/abort Discard changes made in offline mode.

/add helper DLL-name Install the helper .dll file in netsh.exe.

41

/delete helper .dll file name Remove the helper .dll file from Netsh.exe.

/show alias list all defined aliases. /show helper list all top-level helpers. /show mode show the current mode.

/alias List all aliases.

/alias [alias_name] Display the string value of the alias.

/alias [alias_name] [string1] [string2 ...] Set alias_name to the specified strings.

/unalias alias_name Delete an alias.

/dump - file name Dump or append configuration to a text file.

/bye Exit NETSH /exit Exit NETSH /quit Exit NETSH /h Display help /help Display help /? Display help

42

Session 5:-

Exercise 2: Add different users and groups. Also configure their permission.

To add a new user to the computer

When you add a user to your computer, you are allowing that individual to have access to files and

programs on your computer.

The steps to perform this task differ depending on whether your computer is a member of a network

domain or is part of a workgroup (or is a stand-alone computer).

My computer is on a domain

You must be logged on as an administrator or a member of the Administrators group in order to complete

this procedure. If your computer is connected to a network, network policy settings might also prevent you

from completing this procedure.

1. Open User Accounts in Control Panel. 2. On the Users tab, click Add. 3. Follow the instructions on the screen to add a new user.

Add New User gives an existing domain user permission to use the computer. You can only add existing domain users by using User Accounts. To add a new local user, on the

Advanced tab, click the Advanced button. In Local Users and Groups, click Users, and then on the Action menu, click New User.

You should not add a new user to the Administrators group unless the user will perform only administrative tasks. For more information, click Related Topics.

My computer is not on a domain

You must have a computer administrator account on the computer to add a new user to the computer.

1. Open User Accounts in Control Panel. 2. Click Create a new account. 3. Type a name for the new user account, and then click Next. 4. Click Computer administrator or Limited, depending on the type of account you want to assign

to the new user, and then click Create Account.

The name you assign to the account is the name that will appear on the Welcome screen and the Start menu.

The first user you add to the computer must be assigned a computer administrator account.

To change a user's group or account type

When your computer is part of a network domain, users are assigned to user groups and are granted the

rights and permissions granted to the group. When your computer is part of a workgroup or is a stand-

alone computer, users are assigned types of user accounts and are granted the rights and permissions

associated with the user account.

43

The steps to perform this task differ depending on whether your computer is a member of a network

domain or is part of a workgroup (or is a stand-alone computer).

Exercise 3:- Connect and configure your computer with a Network Printer.

To add a printer attached to your computer

1. Connect the printer to the appropriate port on your computer according to the printer manufacturer's documentation, and verify that it is ready to print.

2. Although Windows automatically detects and installs most printers, you might need to provide additional information to complete the installation. Choose from the following, depending on the type of printer you have.

Install a parallel port (LPT) attached printer

Install a USB or IEEE 1394 printer

universal serial bus (USB)IEEE 1394

Install an infrared printer

infrared capable devicesstatus areataskbar

3. If you could not install your printer using Plug and Play , or if the printer is attached to your computer with a serial (COM) port, then open Printers

4. Double-click Add Printer to start the Add Printer wizard, and then click Next.

5. Click Local printer, and then click Next.

6. Follow the instructions on the screen to finish setting up the printer by selecting a printer port, selecting the manufacturer and model of your printer, and typing a name for your printer.

In Windows 2000 Server, the Add Printer wizard shares the printer and publishes it in Active Directory by default, unless you select Do not share this printer in the wizard's Printer Sharing screen. In Windows 2000 Professional, the Add Printer wizard doesn't share the printer automatically; you need to select Share as to share and publish the printer.

To open Printers, click Start, point to Settings, and then click Printers.

If you add and set up a Plug-and-Play printer (USB, IEEE 1394, LPT, Infrared, etc.), you do not need to have administrative privileges. However, to add and set up a non Plug-and-Play printer connected directly to your computer, you must be logged on as an administrator or a member of the Administrators group. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.

If you intend to share the printer with clients other than Windows 2000, you need to install the appropriate printer drivers for these clients on the print server. When clients on Windows NT 4.0, Windows 95, and Windows 98 connect to the printer, the system automatically downloads the correct driver to the client.

When you are adding a new printer that is connected to a computer and the Add Printer wizard prompts you to select the printer port, you normally select from the Existing list one

44

of the parallel (LPT) ports. For some plotters you might need to select one of the serial (COM) ports.

The following Group Policy settings can change the default behavior of the Windows 2000 Server Add Printer wizard:

Allow printers to be published is enabled by default; you can disable it to prevent printers from being published.

Automatically publish new printers in the Active Directory is enabled by default; you can disable it to prevent the Add Printer wizard from automatically publishing printers when adding a new printer.

Display the down level page in the Add Printer wizard is enabled by default; you can disable it to prevent the Add Printer wizard from browsing the network for shared printers.

Share your printer

To share your printer

1. Open Printers

2. Right-click the printer you want to share, and then click Sharing.

3. On the Sharing tab, click Shared as and then type a name for the shared printer

If you share the printer with users on different hardware or different operating systems, click Additional Drivers. Click the environment and operating system for the other computers, and then click OK to install the additional drivers

If you are logged on to a Windows 2000 domain , you can make the printer available to other users on the domain by clicking List in the Directory to publish the printer in the Directory.

4. Click OK, or if you have installed additional drivers, click Close.

Note


Printers are not shared by default when you install them on Windows 2000 Professional, but you can choose to share any printer you install on your computer. (On Windows 2000 Server, the printer is shared by default when you add the printer.)

When you publish a printer in Active Directory , other users logged onto the Windows 2000 domain will be able to search for the printer based on its location and features such as how many pages it prints per minute and whether color printing is supported.

To set or remove permissions for a printer

1. Open Printers

2. Right-click the printer for which you want to set permissions, click Properties, and then click the Security tab.

45

http://www.microsoft.com/windows2000/en/advanced/help/print_sharing.htm

3. Do one of the following:

To change or remove permissions from an existing user or group, click the name of the user or group.

To set up permissions for a new user or group, click Add. In Name, type the name of the user or group you want to set permissions for, click Add, and then click OK to close the dialog box.

4. In Permissions, click Allow or Deny for each permission you want to allow or deny, if necessary. Or, to remove the user or group from the permissions list, click Remove.

Note

To change device settings, you must have the Manage Printers permission. For information about printing security permissions, see Related Topics.


To view or change the underlying permissions that make up Print, Manage Printers, and Manage Documents, click the Advanced button.

A printer must be shared in order for the permission settings to affect the users and groups listed.

You can also view the permissions assigned to you by clicking the group you belong to on the Security tab. For information on finding out what group you belong to, see Related Topics.

Exercise 4:- Install and configure Windows 2000 Active Directory and Domain Controller.

You can install Active Directory by selecting "Start", "Run", and typing "Dcpromo.exe" in the text box or

follow the following selections:

1. Click "Administrative Tools". 2. Select "Configure Your Server". 3. Select "Active Directory Installation Wizard".

Directory Service Client

On non Windows 2000 systems, the Directory Service Client can be installed which will allow those

systems to:

Search the Active Directory. Change passwords on domain controllers. Use D6 shares that are fault tolerant.

Internet Explorer 4.01 or later must be installed on any system that the Directory Service Client is to be

installed on in order for the install wizard to run. To install Directory Service Client:

1. Place the Windows 2000 CD in the CDROM drive. 2. Indicate that you do not want to upgrade Windows and close the dialog box. 3. Open a DOS prompt and change drives to the drive letter of the CDROM drive, 4. Type "cd \clients\win9x" and type "dsclient".

46

5. Follow the wizard prompts to complete the installation.

DNS

DNS is required to use Active Directory since clients use DNS to locate Active Directory controllers.

Servers and client computers register their names and IP addresses with the DNS server. The DNS server

must support Service Resource Records (SRVs) according to RFC 2052 and dynamic update protocol

according to RFC 2136. DNS can be installed with the Active Directory server or on a separate DNS

server.

Active Directory Installation Effects

The server becomes a domain controller. A new Windows 2000 domain is created. A new domain tree and forest is created.

In each child domain, Active Directory must be installed on the first domain controller.

Verification of Active Directory

Select "Start", "Programs", "Administrative Tools", "Active Directory Users and Computers" and click the

+ next to the domain. Highlight the domain controllers folder, and the computer Active Directory was

installed on should appear in the right pane.

Domain Controllers hold copies of the user database and authenticate users in a Windows NT and Windows 2000 Domain structure. In Windows NT, a domain contained a single Primary Domain Controller (PDC) and several Backup Domain Controllers (BDC). In Windows 2000 there are no official Primary Domain Controllers, only Domain Controllers (some of which can have special attributes). We've put together a few resources to help you manage all of your domain controllers and keep them healthy.

Windows 2000: Configure Active Directory

You can continue the configuration at this time, but you can also select to close this windows

and to configure other items on the system or to install some other software, because this window

will be shown on each new logon until you have made the configuration and selected that this

windows will NOT be displayed anymore.

47

You can display thiswindow at any time byselecting in the menu"Configure Your Server",which is part of the"Administrative Tools"

There are multiple possibilities to configure a server for "Active Directory", depending on

whether you have a small network with just one server or a larger network with multiple server or

even a WAN with server in multiple countries.

In this installation example below, I assume that this is the only Windows 2000 server on the

network.

If you have no special needs for the configuration, then you can simply follow the instructions

of this wizard to configure your system:

- select "This is the only server in my network"

- continue with "Next":

48

This selection would "automatically configure" the server with all required components:

- the Active Directory

- a DHCP-server

- a DNS-server (which is required for the Active Directory)

49

Before allowing this wizard to reconfigure completely my system, I requested to

"Show more details":

50

The wizard would define for me the IP-address for the server and the subnet for my

complete network , which I did not like: I needed to use a different IP-address.

I decided therefore to cancel this step and to follow the advise to go back to "Home"

to select the other option : "One or more servers are already running in my network" :

51

No more fully automated installation by a wizard:

52

We need now to select manually the services to be installed from the menu on the left.

Lets select "Active Directory":

53

You have the possibility toread more about the detailsof domain controller andon how to define multipledomain-controllers in a network.( since this example assumes onlyONE Windows 2000 server on thenetwork, I will not discuss here theterms "Tree" and "Forest")

Important:the installation of the Active Directiryrequires that at least ONE partitionon the harddisk is formated with NTFS.If you do not yet have such a partition, you can cancel here theinstallation of the Active Directory,prepare a partition in NTFS andthen restart this configuration.

It is up to you to decide, whichpartition to use with NTFS.I personally prefer to keep theC-drive ("system drive") inFAT format, so I formatted in thisexample the F-drive in NTFS .

Continue the installation with

54

http://www.windowsnetworking.com/j_helmig/w2ksvrin.htm#restart

http://www.windowsnetworking.com/j_helmig/w2ksvrin.htm#restart

"Start the Active Direcory Wizard"

just "Next"

We are installing thefirst Domain Controller

55

Again, we are installing afirst domain controller andfor this domain, we need tocreate a new domain tree.

Example: I will call below mydomain "JHHOME.COM".If I would now create asecond domain called:"SUPPORT.JHHOME.COM",it would be part of the samedomain tree as JHHOME.COM

Like in nature, trees usually grow in a forest , and using thiscomparison, we need to define the forest for our domain tree.

In general, each new top-level domain name(like: JHHOME.COM)would be a new forest.

Since this is our first domain,we need to create a new "forest"for our "Domain Tree" (which is then the only tree in our forest).Here is a difference compared tonature: one tree is just one tree andnot a forest, but with computers, it isjust a matter of definition)

56

It is now required to definethe name of the new domain.

As I was used with Windows9xand Windows NT4 networking,I selected the name of theworkgroup to become the newname of my domain.

However, note already theexact message:"Full DNS name for new domain".As you are used to see withInternet Domain names, anetwork Domain should havenow a second part separatedby a dot.

57

To avoid problems, I amredefining my domain nameto be now: "JHHOME.COM",which looks like an InternetDomain name.(I am not sure, but if you insist onusing no "dot-something", Windows 2000 will add itself ".DOM" )

It does NOT matter, whetherthis name is registered and inuse already on the Internet,because you will be using itonly on your own network,and as long as you are notregistering this domain nameas Internet Domain name, itwill NOT be known by theInternet users.

58

While a network with ONLYWindows2000 systems can work using only DNS, anynetwork with "legacy" versions of Windows (WfW, Windows95/98/ME,Windows NT4) requires theuse of "NetBIOS", eitherusing "NetBEUI" -protocol orusing "NetBIOS over TCP/IP",for which I need to define aNetBIOS compatible Domainname.Here I can use now the nameof the workgroup, which Ilike to change to a domain.

59

You need to define the locationfor the database and Log-filefor the Active Directory.

(on my system, I did not havethe 200 Mbyte free disk capacityon my C:- system drive, so I wasrequired = forced by the installion wizard to store this informationto a different drive )

Remember the window with the information on theActive Direcory stating theneed to a partition in NTFS ?

At this time, the "SYSVOL"folder must be defined onan NTFS Disk-partition.

The SYSVOL folder will belater visible as part of the"Network Neighborhood"or "My Network Places"and will contain user specificfile, and to be able to controlthe access to these files, that

60

http://www.windowsnetworking.com/j_helmig/w2ksvrin.htm#ntfs



partition must be NTFS(since it is not possible to use a FAT -partition to define Access rights)

Active Directory is based onusing a DNS-server.Since I did not yet install /configure a DNS-server,it is now required to install it.

Unless you are an expert onDNS-server setup, pleasefollow the recommondationof the wizard to let thewizard install now theDNS-server.

61

http://www.windowsnetworking.com/j_helmig/tcpip.htm#dns

Again the question:will you have a network withsome "legacy" systems(= all pre-Windows 20000,like Windows95/98/ME/NT4)

Let's hope, that we will never have to use this passwordfor a Restore operation......

62

The summary of all theinformation collected in theprevious steps.

Selecting now "Next"will start the installationof the Active Direcory andof the DNS-server.

You may have to be patient nowfor a LONG time :Please, just WAIT !

63

It will need to install DNS

You may have to insert your Windows2000 CD-ROM or pointthe wizard to the installation fileson the disk (if you copied them fromCD-ROM to an I386 folder, as it isoften done on NT-installations)

64

Finished !

You need to restart !

After making the Logon, you will be shown again the window for "Configure Your Server":

65

the information has changed, since you did already make the basic configuration.

You can now select to NOT "Show this screen at startup".

You are now able to define Active Directory Users.

If you need to change your configuration and make the system again a Stand-alone server,

you can un-install Active Directory.

Exercise 6:

To share folders with other users on your network

1. Open My Documents in Windows Explorer. Click Start, point to All Programs, point to Accessories,

and then click Windows Explorer.

2. Click the folder you want to share.

3. Click Share this folder in File and Folder Tasks.

4. In the Properties dialog box select the radio button Share this folder to share the folder with other

users on your network, as shown in Figure 1 below.

66

Figure 1. Sharing a folder on a network

5. To change the name of the folder on the network, type a new name for the folder in the Share name

text box. This will not change the name of the folder on your computer.

Note The Sharing option is not available for the Documents and Settings, Program Files, and Windows

system folders. In addition, you cannot share folders in other users’ profiles.

To set, view, change, or remove file and folder permissions

1. Open Windows Explorer, and then locate the file or folder for which you want to set permissions. To

open Windows Explore click Start, point to All Programs, point to Accessories, and then click

Windows Explorer.

2. Right-click the file or folder, click Properties, and then click the Security tab as shown in Figure 2

below.

67

Figure 2. Setting file and folder permissions

3. To set permissions for a group or user that does not appear in the Group or user names box, click Add.

Type the name of the group or user you want to set permissions for and then click OK, as shown in

Figure 3 below.

Figure 3. Adding new group or user permissions

4. To change or remove permissions from an existing group or user, click the name of the group or user

and do one of the following, as shown in Figure 2 above:

68

• To allow or deny a permission, in the Permissions for...box, select the Allow or Deny check

box.

• To remove the group or user from the Group or user names box, click Remove.

Notes

• In Windows XP Professional, the Everyone group no longer includes Anonymous Logon.

• You can set file and folder permissions only on drives formatted to use NTFS.

• To change permissions you must be the owner, or have been granted permission to do so by the owner.

• Groups or users granted Full Control for a folder can delete files and subfolders within that folder

regardless of the permissions protecting the files and subfolders.

• If the check boxes under Permissions for user or group are shaded or if the Remove button is

unavailable, then the file or folder has inherited permissions from the parent folder.

• When adding a new user or group, by default, this user or group will have Read & Execute, List Folder

Contents, and Read permissions.

Exercise:-7

Installing the TCP/IP Protocol

You may have installed the TCP/IP protocol when you installed Windows 2000. To check, go to the

"Network and Dial-up Connections" Control Panel (right-click "My Network Places" and choose

"Properties") and right-click on "Local Area Connection". Choose "Properties" from the menu.

If you've previously installed TCP/IP, it will appear in the list of installed protocols. If this is the case, you

should skip to the "Configuring TCP/IP" section of this document below. If it is not in the list, you will need

to install it.

To install the TCP/IP protocol,

69

http://www.ncsu.edu/resnet/windows/2000/win2k.php#Configuring%23Configuring

1. Click on the "Install" button. 2. Double-click "Protocol." 3. Double-click "TCP/IP." 4. Insert the Windows 2000 CD-ROM if prompted to do so.

Configuring TCP/IP

To configure the TCP/IP protocol, go to the Network and Dial-up Connections Control Panel (right-click

"My Network Places" and choose "Properties") and right-click on "Local Area Connection". Choose the

"Properties" from the menu. Highlight the TCP/IP entry and press the "Properties" button.

70

Check both the Obtain an IP address automatically and the Obtain DNS server address automatically

radio buttons. Click on the Advanced button.

STEPS 5 and 6 are extremely important.

Click on the DNS tab at the top of the screen.

71

Locate the check box next to Register this connection's addresses in DNS towards the bottom of the

screen. If the box is checked, uncheck it. If it is already unchecked, leave it alone.

72

Click OK to close this dialog box, and close the Network control panel. You will need to reboot your

computer for the changes to take effect.

Exercise 8:

The Domain Name System (DNS) is the Active Directory locator in Windows 2000. Active

Directory clients and client tools use DNS to locate domain controllers for administration and logon.

You must have a DNS server installed and configured for Active Directory and the associated client

software to function correctly. This article guides you through the required DNS configuration.

Install Microsoft DNS Server

1. Click Start, point to Settings, and then click Control Panel.2. Double-click Add/Remove Programs.3. Click Add and Remove Windows Components.4. The Windows Components Wizard starts. Click Next.5. Click Networking Services, and then click Details.6. Click to select the Domain Name System (DNS) check box, and then click OK.7. Click OK to start server Setup. The DNS server and tool files are copied to your computer.8. Continue to the next step to configure the DNS server.

73

Configure the DNS Server Using DNS Manager

These steps guide you through configuring DNS by using the DNS Manager snap-in in Microsoft

Management Console (MMC).

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS Manager. You see two zones under your computer name: Forward Lookup Zone and Reverse Lookup Zone.

2. The DNS Server Configuration Wizard starts. Click Next.3. If the Wizard does not auto-start, right-click your server name object in the DNS Manager

console and choose Configure your Server.

4. Choose to add a forward lookup zone. Click Next. The new forward lookup zone must be a primary zone so that it can accept dynamic updates. Click Primary, and then click Next.

5. The zone name must be exactly the same as your Active Directory Domain name, or, if on a stand-alone or workgroup environment - the same as the suffix for all of the network computers that are to register with this DNS server. Type the name of the zone, and then click Next.

6. Accept the default name for the new zone file. Click Next.

7. Choose to add a reverse lookup zone now. Click Next.

74

8. Click Primary, and then click Next.9. Type the name of the zone, and then click Next. The zone name should match the Network

ID of your local subnet. For example, if your subnet range is from 192.168.0.1 to 192.168.0.254, type 192.168.0 in the name value.


11. Click Finish to complete the Server Configuration Wizard.

After the Server Configuration Wizard is finished, DNS Manager starts. Proceed to the next step to

enable dynamic update on the zone you just added.

A caching-only DNS server reduces outgoing DNS traffic and speeds up name resolution. It receives queries from clients, performs the queries against other name servers, caches the results, and returns those results to the client. In this Windows 2000 Server tip, Jim Boyce tells you how to configure a caching-only DNS forwarder.

If you want to reduce network traffic for DNS and improve DNS lookup, one solution is to create a caching DNS forwarder on your network. A caching-only DNS server receives queries from clients, performs the queries against other name servers, caches the results, and returns those results to the client.

It then returns subsequent queries for the specified host from the cache instead of submitting them to an external server. This reduces outgoing DNS traffic and speeds up name resolution.

You can set up a caching-only server by configuring the DNS service with one or more forwarders, which are upstream DNS servers to which the local DNS server will forward queries (essentially acting as a DNS client).

75

You can configure the DNS service to work with forwarders either nonexclusively or exclusively. In nonexclusive mode, the DNS server checks its cache for the host. If the lookup fails, it forwards the query to the specified forwarder. If that query fails, the DNS server attempts to resolve the query on its own through the root servers.

In exclusive mode, the DNS service also checks its cache. If the lookup fails, it forwards the query to the forwarder.

If the upstream servers fail the query, the DNS server doesn't attempt resolution on its own; instead, it fails the query to the client. A DNS server acting in exclusive mode with a forwarder is a caching-only slave.

To configure forwarding, follow these steps:

1. Open the DNS console, right-click the server, and choose Properties. 2. On the Forwarders tab, choose Enable Forwarders, and add the IP addresses of the upstream DNS

servers to which you want to forward queries. 3. If you want the DNS service to work in exclusive mode, select the Do Not Use Recursion option. 4. Click OK to apply the change.

Keep in mind that restarting the server will clear the DNS cache, so a caching-only server works best when it's been running for an extended period of time.

Exercise 9

Starting with a Windows 2000-Based Standalone Server

This server becomes a DNS server for your network. In the first step, you assign this server a static Internet Protocol (IP) address. DNS servers should not use dynamically assigned IP addresses because a dynamic change of address could cause clients to lose contact with the DNS server.

Step 1: Configure TCP/IP

1. Click Start, point to Settings, and then click Control Panel.2. Double-click Network and Dial-up Connections.3. Right-click Local Area Connection, and then click Properties.4. Click Internet Protocol (TCP/IP), and then click Properties.5. Assign this server a static IP address, subnet mask, and gateway address.6. Click Advanced, and then click the DNS tab.7. Click Append primary and connection specific DNS suffixes.8. Click to select the Append parent suffixes of the primary DNS suffix check box.9. Click to select the Register this connection's addresses in DNS check box.

Note that Windows 2000-based DNS severs should point to themselves for DNS. If this server needs to resolve names from its Internet service provider (ISP), you should configure a forwarder. Forwarders are discussed later in this article.

10. Click OK to close Advanced TCP/IP Settings properties.11. Click OK to accept the changes to your TCP/IP configuration.12. Click OK to close Local Area Connections properties.

NOTE: If you receive a warning from the DNS Caching Resolver service, click OK to dismiss the warning. The caching resolver is trying to contact the DNS server, but you have not finished

76

configuring the server.

Step 2: Install Microsoft DNS Server

1. Click Start, point to Settings, and then click Control Panel.2. Double-click Add/Remove Programs.3. Click Add and Remove Windows Components.4. The Windows Components Wizard starts. Click Next.5. Click Networking Services, and then click Details.6. Click to select the Domain Name System (DNS) check box, and then click OK.7. Click OK to start server Setup. The DNS server and tool files are copied to your computer.

Step 3: Configure the DNS Server Using DNS Manager

These steps guide you through configuring DNS by using the DNS Manager snap-in in Microsoft Management Console (MMC). 1. Click Start, point to Programs, point to Administrative Tools, and then click DNS. 2. Right-click Forward lookup zones, and then click New Zone. 3. When the New Zone Wizard starts, click Next. You are then prompted for a zone type. The zone types

include: • Active Directory-integrated: An Active Directory-integrated zone stores the DNS zone information

in Active Directory instead of in a .dns file.• Standard primary: A standard primary zone stores the DNS zone information a .dns text file instead

of in Active Directory.• Standard secondary: A standard secondary zone copies all of the information from its master DNS

server. A master DNS server can be an Active Directory, primary, or secondary zone that is configured for zone transfers. Note that you cannot modify the zone data on a secondary DNS server. All of its data is copied from its master DNS server.

4. The new forward lookup zone must be a primary or an Active Directory-integrated zone so that it can accept dynamic updates. Click Primary, and then click Next.

5. The new zone contains the locator records for this Active Directory-based domain. The name of the zone must be the same as the name of the Active Directory-based domain, or be a logical DNS container for that name. For example, if the Active Directory-based domain is named "support.microsoft.com", valid zone names are "support.microsoft.com" only.


NOTE: Experienced DNS administrators may want to create a reverse lookup zone, and are encouraged to explore this branch of the wizard. A DNS server can resolve two basic requests: a forward lookup and a reverse lookup. A forward lookup is more common. A forward lookup resolves a host name to an IP address with an "A" or Host Resource record. A reverse lookup resolves an IP address to a host name with a PTR or Pointer Resource record. If you have your reverse DNS zones configured, you can automatically create associated reverse records when you create your original forward record. For additional information about reverse DNS configuration, click the following article number to view the article in the Microsoft Knowledge Base: 174419 How to configure a subnetted reverse lookup zone on Windows NT, Windows 2000, or Windows Server 2003

A Windows 2000-based DNS server follows specific steps in its name-resolution process. A DNS server first queries its cache, then it checks its zone records, then it sends requests to forwarders, and finally it tries resolution by using root servers.

By default, a Microsoft DNS server connects to the Internet to further process DNS requests with root hints. When you use the Dcpromo tool to promote a server to a domain controller, the domain controller requires DNS. If you install DNS during the promotion process, you get a root zone. This root zone indicates to your DNS server that it is a root Internet server. Therefore, your DNS server does not use forwarders or root hints in the name-resolution process.

77

To Remove the Root DNS Zone

1. In DNS Manager, expand the DNS Server object. Expand the Forward Lookup Zones folder. 2. Right-click the "." zone, and then click Delete.Windows 2000 can take advantage of DNS forwarders. This feature forwards DNS requests to external servers. If a DNS server cannot find a resource record in its zones, it can send the request to another DNS server for additional attempts at resolution. A common scenario might be to configure forwarders to your ISP's DNS servers.

To Configure Forwarders1. In DNS Manager, right-click the DNS Server object, and then click Properties.2. Click the Forwarders tab.3. Click to select the Enable Forwarders check box.4. In the IP address box, type the first DNS server to which you want to forward, and then click Add.5. Repeat step 4 until you have added all the DNS servers to which you want to forward.

To Configure Root Hints

Windows includes the ability to use root hints. The Root Hints resource records can be stored in either Active Directory or text files (%SystemRoot%\System32\DNS\Cache.dns files). Windows uses the standard InterNIC root server. Also, when a Windows 2000-based server queries a root server, it updates itself with the most recent list of root servers. 1. Click Start, point to Programs, point to Administrative Tools, and then click DNS. 2. In the DNS Management console, right-click the server name, and then click Properties.3. Click the Root Hints tab. Your DNS server's root servers are listed on this tab.

If the Root Hints tab is unavailable, your server is still configured as a root server. See the "To Remove the Root DNS Zone" section in this article. You may need to use custom root hints that are different from the default. However, a configuration that points to the same server for root hints is always incorrect. You should not modify your root hints. If your root hints are incorrect and need to be replaced, see the following Microsoft Knowledge Base article:

249868 Replacing root hints with the Cache.dns file

To Configure DNS Behind a Firewall

Proxy and Network Address Translation (NAT) devices can restrict access to ports. DNS uses UDP and TCP port 53. The DNS Service Management console also uses remote procedure call (RPC). RPC uses port 135. These are potential issues that could arise when you configure DNS and firewalls.

Session 6:-

Exercise 4: Install and Configure the DHCP Server Service

Installing the DHCP Service

You can install DHCP either during or after the initial installation of Windows 2000 Server or Advanced Server, although there must be a working DNS in the environment. To validate your DNS server, click Start, click Run, type cmd, press ENTER, type ping friendly name of an existing DNS server in your environment, and then press ENTER. An unsuccessful reply generates an "Unknown Host My DNS server name" message.

78

To install the DHCP Service on an existing Windows 2000 Server: 1. Click Start, click Settings, and then click Control Panel.2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.3. In the Windows Component Wizard, click Networking Services in the Components box, and then

click Details.4. Click to select the Dynamic Host Configuration Protocol (DHCP) check box if it is not already

selected, and then click OK.5. In the Windows Components Wizard, click Next to start Windows 2000 Setup. Insert the Windows

2000 Advanced Server CD-ROM into the CD-ROM drive if you are prompted to do so. Setup copies the DHCP server and tool files to your computer.

6. When Setup is complete, click Finish.

Configuring the DHCP Service

After you install and start the DHCP service, you must create a scope (a range of valid IP addresses that are available for lease to the DHCP clients). Each DHCP server in your environment should have at least one scope that does not overlap with any other DHCP server scope in your environment. In Windows 2000, DHCP servers within an Active Directory domain environment must be authorized to prevent rogue DHCP servers from coming online and authorizing a DHCP Server.

When you install and configure the DHCP service on a domain controller, the server is typically authorized the first time that you add the server to the DHCP console. However, when you install and configure the DHCP service on a member server, you need to authorize the DHCP server.

Note A stand-alone DHCP server cannot be authorized against an existing Windows Active Directory.

To authorize a DHCP server: 1. Click Start, click Programs, click Administrative Tools, and then click DHCP.

Note You must be logged on to the server with an account that is a member of the Enterprise Administrators group.

2. In the console tree of the DHCP snap-in, select the new DHCP server. If there is a red arrow in the bottom-right corner of the server object, the server has not yet been authorized.

3. Right-click the server, and then click Authorize.4. After a few moments, right-click the server again and then click Refresh. The server should display a

green arrow in the bottom-right corner to indicate that the server has been authorized.To create a new scope: 1. Click Start, click Programs, point to Administrative Tools, and then click DHCP.

Note In the console tree, select the DHCP server on which you want to create the new DHCP scope.2. Right-click the server, and then click New Scope. In the New Scope Wizard, click Next, and then type a

name and description for the scope. This can be any name that you choose, but it should be descriptive enough to identify the purpose of the scope on your network. For example, you might use Administration Building Client Addresses.

3. Type the range of addresses that can be leased as part of this scope, for example, a starting IP address of 192.168.100.1 to an ending address of 192.168.100.100. Because these addresses are given to clients, they should all be valid addresses for your network and not currently in use. If you want to use a different subnet mask, type the new subnet mask. Click Next.

4. Type any IP addresses that you want to exclude from the range you entered. This includes any addresses that may have already been statically assigned to various computers in your organization. Click Next.

5. Type the number of days, hours, and minutes before an IP address lease from this scope expires. This determines the length of time that a client can hold a leased address without renewing it. Click Next to

79

select Yes, I want to configure these options now, and then extend the wizard to include settings for the most common DHCP options. Click Next.

6. Type the IP address for the default gateway that should be used by clients that obtain an IP address from this scope. Click Add to place the default gateway address into the list, and then click Next.

Note When DNS servers already exist on your network, type your organization's domain name in Parent domain. Type the name of your DNS server, and then click Resolve to ensure that your DHCP server can contact the DNS server and determine its address. Then click Add to include that server in the list of DNS servers that are assigned to the DHCP clients. Click Next.

7. Click Yes, I want to activate this scope now, to activate the scope and allow clients to obtain leases from it, and then click Next. Click Finish.

Troubleshooting

• Clients are unable to obtain an IP addressIf a DHCP client does not have a configured IP address, it generally means that the client has not been able to contact a DHCP server. This is either because of a network problem or because the DHCP server is unavailable. If the DHCP server has started and other clients have been able to obtain a valid address, verify that the client has a valid network connection and that all related client hardware devices (including cables and network adapters) are working properly.

• The DHCP server is unavailableWhen a DHCP server does not provide leased addresses to clients, it is often because the DHCP service has failed to start. If this is the case, the server may not have been authorized to operate on the network. If you were previously able to start the DHCP service, but it has since stopped, use Event Viewer to check the system log for any entries that may explain the cause.

Note To restart the DHCP service, click Start, click Run, type cmd, and then press ENTER. Type net start dhcpserver, and then press ENTER.

Exercise 5

To install WINS, DNS, DHCP, and the other networking options that are included in Windows 2000, use the following steps: 1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Programs. 2. Click Add/Remove Windows Components.3. In the Windows Components Wizard, click Networking Services, and then click Details. You can add or

remove networking services components in this window.

Exercise 6:-

Windows 2000 VPN client

Configuration

1) Double click on My Computer.

2) Double click on Control Panel. Once the Control Panel window is opened, double click on the

Network and Dial-Up Connections icon.

3) Once the Dial-Up Connections window opens, double click Make New Connection. The Connection

Wizard is launched.

80

4) Advance to the next window of options by clicking Next. Select the third option: Connect to a private

network through the Internet.

5) Select Do not dial the initial connection then click Next.

81

6) Type in the VPN server address: "inside.mcgill.ca".

7) Optional: make this available under your log-in only or for everyone. Click Next.

82

8) Assign a name ("McGill VPN") to the connection and click Finish.

Connecting

1) If you are running Firewall software, please note that to connect to VPN you must open TCP port #1723

for PPTP.

2) Next, connect to your ISP as you normally would.

3) After you have established a connection to the Internet, to connect to the VPN server, double click on

the VPN icon located on your desktop.

83

4) Enter your username and password and click the Connect button.

User name: firstname.lastname

Password: DAS password

5) You will see a Connection Established window once you have successfully connected to VPN.

Exercise 7

Microsoft DFS (Distributed file system) Windows NT/Windows 2000 includes Microsoft's new hierarchical distributed file system. DFS is a true distributed file system that lets administrators create custom hierarchical trees that group file resources from anywhere in the organization.

Microsoft DFS is designed to make it easier to access files on networks. It provides a way to unite files on different computers under a single name space. To the user, files appear as if they are in one location, rather than on separate computers. A hierarchical tree provides a view of these files, and users can "drill down" through the tree to find just the information they are looking for.

The user does not need to know or care about the physical location of the file, only where it is located in the hierarchical view. That means that users no longer search for files by opening file servers and disk drives, and looking through a separate directory structure on each. Instead, users look through a logical directory that places shared information in a place that makes more sense to users and administrators alike. With DFS, an administrator does up-front work to logically organize information, so users don't have trouble finding it later on.

As an analogy, think of a city library system in which the book catalog at each library lists all the books available at libraries throughout the city. You can order any book and it will be delivered from its current location. The important point is that there is one library catalog system that provides a list of all the books available, no matter what their physical location. DFS provides a single "catalog" view of files on your network, no matter where those files are located.

Some of the benefits of DFS are outlined here:

In Windows 2000, DFS takes advantage of the Active Directory. The DFS tree topology is automatically published to the Active Directory, resulting in fault tolerance for the DFS root.

Users can access information with DFS's hierarchical view of network resources. Administrators can create custom views to make file access easier for users.

Volumes consist of individual shares, and those shares can be at many different locations. A share can be taken offline without affecting the rest of the volume. The volumes that you add to a DFS root are the leaves or branch nodes that represent shared network directories.

User access to DFS volumes is controlled with standard Windows NT/Windows 2000 security, such as group access rights.

To ensure that critical data is always available, administrators can set up alternate locations for accessing data by simply including the alternate locations under the same logical DFS name. Client software automatically chooses to use data on a server that is closest to the user. If one of the locations goes down, another location is automatically selected.

Response time can be improved by load balancing the system. Often-accessed files can be stored in multiple locations, and the system will automatically distribute requests across the drives to balance traffic during peak usage periods.

Users don't need to know about the physical location of files. Administrators can physically move files to other drives; but to the user, the files still appear under the same location in the hierarchical tree.

Client access to shares is cached to improve performance. The first time a user accesses a published directory, the information is cached and used for future references.

84

DFS simplifies enterprise backups. Since a DFS tree can be built to cover an entire enterprise, the backup software can back up this single "tree," no matter how many servers/shares are part of the tree. The tree can include Windows 95 and Windows NT/Windows 2000 desktops as well.

A graphical administration tool makes it easy to configure volumes, DFS links, and remote DFS roots.

DFS fits into an organization's Internet and intranet strategy. The Web page of individual departments or even users can be included within the directory tree. DFS can also hold HTML links; so, if linked pages are moved to a different physical location, all links pointing to the pages will not have to be reconfigured.

DFS Volumes

A DFS volume starts out by being hosted by a specific computer. There may be many individual DFS volumes available on a network, and each will have its own distinct name. Windows NT/Windows 2000 servers are currently the only systems that can host DFS volumes. An organization might have a master DFS volume that contains links to other DFS volumes at the department or division level. Another volume might tie together shares that are common in each department, such as public documents.

In the DFS volume name shown here, the hosting computer name is Server_Name:

\\Server_Name\DFS Share Name\path\name

Like a local file system, a DFS volume has a root that is its starting point. This is represented by DFS_Share_Name. The reference to path\name can be any valid pathname.

Exercise 8:-

The Microsoft Certificate Server (MCS) enables you to install the Certificate Server service as either its own Root Certificate Authority (Root CA) or as a service that will use an external (public) Certificate Authority (non-Root CA). These two configurations require very different configuration processes, and are mutually exclusive. Your Certificate Server can be either a Root CA or a non-Root CA, but not both.

Before you install the MCS on your server, you need to evaluate how you are going to use it. For example, if your use of the MCS is to provide your corporate intranet users with secure communications, then you would want to install the MCS as a Root CA, and issue your own self-signed certificates to your servers and users.

However, if you intend to use the MCS on your Internet server to provide your Internet users with secure communications so they can safely provide confidential purchasing information (such as credit card numbers), then you would want to install the MCS as a non-Root CA and obtain a validating certificate from an external CA such as VeriSign.

Because of the differences between installing the MCS for external (non-Root CA) and internal (Root-CA) use, we have described each of these uses separately later in this chapter, following the section on installation.

To install the Microsoft Certificate Server, you must install the Windows NT 4.0 Option Pack using the Custom option, and select the Certificate Server for installation. You have two distinct options for installing Certificate Server:

Installing MCS as a stand-alone Certificate Authority by specifying it as the Root CA (commonly used for intranet implementations)

Installing MCS to use a public Certificate Authority hierarchy by specifying it as a non-Root CA (commonly used for Internet servers)

85

http://www.windowsitlibrary.com/Content/405/17/2.html#%23

This selection is significant in determining where the certificates supplied by MCS derive their validation (from your enterprise or from a public agency verifying your identity). This important option is selected in step 2 in the following list.

Note: Certificate Server cannot be installed on a Windows NT Server that is a Backup Domain Controller (BDC). The Certificate Server must either be installed on a Primary Domain Controller (PDC) or a stand-alone Server.

During the installation of the Windows NT 4.0 Option Pack, you are prompted with several dialog boxes to configure the Certificate Server settings.

The following list walks you through the dialog boxes used in installing Certificate Server:

1. Following the installation dialog boxes for SMTP, NNTP, and MSMQ (if selected), the Windows NT 4.0 Option Pack installation process switches to installing the Certificate Server, and you are prompted with several dialog boxes to configure Certificate Server settings.

You must set the following options in the Microsoft Certificate Server Setup dialog box:

The Configuration Data Storage Location must be set to a local directory that is shared on the network, so users can access and install certificates. The local pathname for this shared directory must be specified in full, including the drive letter (for example, D:\CertFile).

The Database Location folder defaults to the %systemroot%\system32\ CertLog directory, but it can be modified by clicking Browse and selecting a different directory.

The Log Location folder also defaults to the %systemroot%\system32\ CertLog directory, and may be changed by clicking Browse and selecting a different directory.

The Show Advanced Configuration checkbox, by default, is not selected, and the defaults for MCS specify that it will install as a Root CA. This default is acceptable only if you are going to use the MCS as a Root CA on your intranet. If you want to employ this installation of MCS on an Internet server, you will likely want to setup MCS as a non-Root CA and obtain a server certificate from a public CA source (such as VeriSign).

Note: This option is very important in the installation of MCS, because you cannot change from a Root CA to a non-Root CA without reinstalling.

The Show Advanced Configuration checkbox enables you to set up MCS as a non-Root CA or to modify any other Advanced option. If you want to configure MCS as a non-Root CA, in its subsequent dialog box select the Non-Root CA option.

Once you have selected the desired directories and enabled the Show Advanced Configuration option (if needed), click Next to continue.

2. If the Show Advanced Configuration checkbox is checked, the next dialog box, shown in Figure 17-2, will request you to set MCS as a Root or non-Root CA, as well as select a Cryptographic Services Provider (CSP) and a hash algorithm. In this version of Certificate Server, the Microsoft Base Cryptographic Provider is the only CSP option available, and the MD5 hashing algorithm is selected by default.

Note: As indicated by the README.TXT for Service Pack 4, do not use the HMAC hashing algorithm, or the MCS installation will fail.

86

http://www.windowsitlibrary.com/Content/405/17/files/fig17_2.html

http://www.windowsitlibrary.com/Content/405/17/files/fig17_2.html

This dialog box offers the following options:

A checkbox enabling you to use existing keys (not selected by default). This option is useful when restoring Certificate Server or when you want to use keys generated by other applications. When the Use Existing Keys option is enabled, the remaining options in the bottom half of the dialog boxes are disabled.

A checkbox option to remove existing certificate information, which is not selected by default. To remove existing certificate data, click the checkbox next to Erase all previous configuration information.

This Certificate Server installation will be automatically set as the default Certificate Server. To allow a different Certificate Server to be the default, clear the checkbox next to Make this Certificate Server the default.

The Certificate Authority Hierarchy is specified in this dialog box, and by default assigns the selected CSP Root Certificate Authority that creates a root certificate for the Certificate Authority. When the Root CA option is selected, the Certificate Server Configuration Wizard creates a public/private pair of keys and a self-signed root (signature) and key exchange certificates for your newly created Root CA.

If Non-Root CA is selected, a Root CA certificate is not generated, and only a CA certificate request file is created. The non-Root CA must be selected if you want to use a public CA certificate on this server for Internet applications.

Note: This non-Root CA certificate request file must be submitted to a CA (such as VeriSign or MCS) in order to generate a certificate. This externally validated non-Root CA certificate would be used in a CA hierarchy, though only limited support for CA hierarchies (for use with Exchange) is included in this version of MCS. Full support for CA hierarchies is planned for the Windows 2000 version of MCS. This certificate request file is not a server certificate request file, and does not contain a Common Name (that is, DNS name) value required for valid server certificates. You should use Key Manager to create a server certificate request file after you have completed the installation.

Once you have selected the desired options, click Next to continue.

3. In the next Certificate Server dialog box, asked to provide the Certificate Authority name, organization, organizational unit, locality, state, country, and description for this Certificate Authority. Fill in the information for your enterprise and click Next to continue.

4. Upon completion of the identifying information, the Configuration Wizard does one of two things, depending upon the type of CA that was selected.If a Root CA was selected, the Configuration Wizard creates the root (signature) and key exchange certificates for your newly created Root CA. The keys, certificates, and configuration data are handled in the following manner:

The keys are stored in the local machine’s key repository, and configuration information is written to the registry.

The certificates will be stored in the Configuration Data Storage Location specified in the first Certificate Server installation dialog box. You will be able to use these certificates for server and client authentication in support of SSL sessions for your Web sites.

The newly created CA certificate will be added to the Certificate Authority Certificate List Web page, which enables clients to install a CA certificate via their Web browser. This process is discussed in the “Installing a CA Certificate on the Client” section later in this chapter.

The Certificate Server configuration file is written to the Configuration Data Storage Location in a text file called CertSrv.txt.

This CA requires that both IPSec peers transact with a Registration Authority (RA), which then forwards the requests through to the CA. Both the remote IPSec peer and the local IPSec peer must be configured

87

http://www.windowsitlibrary.com/Content/405/17/2.html#%23

with the both the CA and RA public keys. The CA and RA public keys are signature and encryption key pairs, which must be generated and enrolled for authentication to occur.

Session 7:-

Exercise 3:- Install the routing and remote access services for IP Routing.

You can install Routing and Remote Access Service by downloading the installation files from the

Microsoft web site to your computer.

You can download the Routing and Remote Access Service files to a client or workstation computer, but

Routing and Remote Access Service can only be installed on a computer that runs Windows NT Server

version 4.0. To install Routing and Remote Access Service on another computer, see the procedure

"Installing Routing and Remote Access Service by Using a Network Connection to the Setup Files" in this

chapter.

Note Routing and Remote Access Service running on Windows NT Server version 4.0 is also referred to

as the Windows NT router.

Preparing Your System

Before you can install Routing and Remote Access Service, you must have a computer running Windows

NT Server version 4.0 with Service Pack 3 or later installed.

You must remove any previous versions of the Remote Access Service (RAS) and MultiProtocol Routing

(MPR) version 1 (the RIP for IP, RIP for IPX, and DHCP Relay Agent services) on that computer. You

must pause the SNMP Service on your Windows NT Server computer before installing Routing and

Remote Access Service.

Caution By removing RAS and MPR version 1, you erase your current Remote Access Service and MPR

version 1 configurations.

To remove a service 1. Double-click Network in Control Panel.

2. Click the Services tab.

3. Click the service you want to remove, and then click Remove.

The Routing and Remote Access Service installation program prompts you to remove RAS and pause the

SNMP Service if it detects that you are running them.

If you do not already have the services and protocols shown in Table 2.1 and you plan to use them, you

should install them prior to installing Routing and Remote Access Service.

Table 2.1 Services and Protocols to Install Before Routing and Remote Access Service

If you want Install this service or protocol

IP routing TCP/IP protocol

IPX routing NWLink IPX/SPX–compatible transport

SNMP management SNMP Service

88

Installing Media

Before you install Routing and Remote Access Service, install all the hardware on your computer that you

will need for a router. This includes modems, ISDN devices, or other remote access devices for remote

access connectivity, as well as network adapters for network connectivity. Use the manufacturer's

instructions to install these devices on your computer.

Note Installing LAN and WAN hardware prior to installing Routing and Remote Access Service is

recommended. You do not need to reinstall Routing and Remote Access Service if you change or add

hardware.

You should also install the Windows NT drivers for the network adapters before installing Routing and

Remote Access Service.

To install network adapter drivers 1. In Network in Control Panel, click the Adapters tab.

2. Click Add.

3. In the Select Network Adapter dialog box, select the driver for your network adapter from the list. If

your network adapter is not on the list, click Have Disk and supply a disk with a Windows NT driver

from the manufacturer.

After you install Routing and Remote Access Service, you must add the remote access devices to the

Routing and Remote Access Service.

To add remote access devices 1. In Network in Control Panel, select Routing and Remote Access Service from the Services

tab.

2. Click Properties.

3. In the Remote Access Setup dialog box, click Add.

System Requirements

Table 2.2 describes the system requirements for Routing and Remote Access Service.

Table 2.2 System Requirements for Routing and Remote Access Service

Category Requirement

Hardware A 32-bit x86-based microprocessor (such as Intel 80486/50 or higher), Intel Pentium, or

supported RISC-based microprocessor, such as the Digital Alpha Systems

One or more network adapter cards,WAN cards, or modems

VGA or higher-resolution monitor

One or more hard disks, with 40 MB minimum free disk space on the partition that will

contain the Routing and Remote Access Service system files

Operating Windows NT Server version 4.0 plus Service Pack 3 or later

89

Category Requirement

System

Memory 16 MB RAM minimum

Optional

components

Recommended: A mouse or other pointing device

Installing Routing and Remote Access Service

During Routing and Remote Access Service Setup, you can install the Routing and Remote Access Service

files on the same computer on which you downloaded the files, or you can download the files and then

install Routing and Remote Access Service on another computer.

To set up Routing and Remote Access Service by downloading from the Web, see "Downloading and

Installing Routing and Remote Access Service from the Web."

To set up Routing and Remote Access Service on another computer, see "Installing Routing and Remote

Access Service by Using a Network Connection to the Setup Files."

Downloading and Installing Routing and Remote Access Service from the WebTo download and install Routing and Remote Access Service from the Web, you need to follow the

steps outlined in the following sections:

• Download the Routing and Remote Access Service files

• Install Routing and Remote Access Service options

• Finish installation if you install a RAS Server

Download the Routing and Remote Access Service Files1. In your Web browser, go to Routing and Remote Access Service Update for Windows NT Server 4.0 .

2. Follow the instructions on the screen to download the Routing and Remote Access Service installation

files to your computer.

Specify the path and directory where you want to put the Routing and Remote Access Service

installation files. These files are kept on your computer for future configuration or installations.

After copying the files to a directory on your computer, you can then continue Setup and install Routing

and Remote Access Service, or you can exit Setup to install Routing and Remote Access Service at a later

time or on another computer.

Note If Setup detects that you have a previous version of RAS or are running the SNMP Service, it

prompts you to delete RAS and pause the SNMP Service. If you choose to delete RAS, Setup prompts you

to restart your computer. The Setup program automatically continues when the computer restarts.

Install Routing and Remote Access Service Options

During Routing and Remote Access Service Setup the dialog box shown in Figure 2.1 appears

automatically.

90

Figure 2.1 Setting Routing and Remote Access Service options

You can use this dialog box to install any or all of the options described in Table 2.3. If do not install an

option, such as Remote access service, and you later want this functionality, you must run mprsetup

again to install it. For information on how to use this command, see the procedure "Run Setup" in the

section "Installing Routing and Remote Access Service by Using a Network Connection to the Setup

Files" later in this chapter.

Table 2.3 Routing and Remote Access Service Installation Options

Option Effect if selected

Remote access

service

Installs support for client dial-up networking.

LAN routing Installs support for LAN-to-LAN routing (including WAN cards that support LAN

emulation).

Demand-dial

routing

Installs support for routing over WANs and dial-up media, such as ISDN and PPTP.

Finish Installation If you Install a RAS ServerIf you install Remote Access Service (RAS), you must configure additional Setup dialog boxes.

Additionally, you can choose to use Remote Authentication Dial-In User Service (RADIUS)

authentication instead of Windows NT authentication to authenticate remote clients.

1. In the Add RAS Device dialog box, select the remote access devices, such as modems or PPTP VPNs,

that you want to use for demand-dial routing and RAS, and click OK.

2. In the Routing and Remote Access Setup dialog box, click Network.

3. In the Network Configuration dialog box, select the network protocols (IP or IPX) you want to use

for your router.

4. If you want to use RADIUS authentication, in the Authentication provider box, click the RADIUS

option and click Configure.

You can then select and configure RADIUS servers to use as your provider.

5. In the Routing and Remote Access Setup dialog box, click Continue.

91

After you have finished installing Routing and Remote Access Service, the Routing and RAS Admin tool

is installed in your Start/Programs/Administrative Tools (Common) folder. Any network adapters that

you have installed automatically appear as interfaces in Routing and RAS Admin. If you plan to use

routing protocols, you must add the protocols and then add interfaces to them before you can begin to use

the Windows NT router. For more information on how to add these see Chapter 3, "Administering Routing

and Remote Access Service."

Installing Routing and Remote Access Service by Using a Network Connection to the Setup Files

You can download the files as described in "Downloading and Installing Routing and Remote Access

Service from the Web," and then install Routing and Remote Access Service on another computer.

Although you can download the Routing and Remote Access Service files to any client or workstation

computer, Routing and Remote Access Service can be installed only on a computer running Windows NT

Server.

To install Routing and Remote Access Service on another computer, you need to follow the steps

outlined in the following sections:

• Copy Setup files

• Run Setup

Copy Setup Files

Copy the file mprsetup.exe from the directory where you stored the installation files to Systemroot\

System32 on your computer running Windows NT Server.

Run Setup1. On the computer running Windows NT Server, open a Command Prompt window.

2. Run mprsetup and type the path to the installation files.

For example, type:

mprsetup \\Computername\Share

92

Exercise 4:-

The "Routing and Remote Access" administrative tool is used to enable routing on a Windows 2000

server that is multihomed (has more than one network card). Windows 2000 professional cannot be a

router. The "Routing and Remote Access" administrative tool or the "route" command line utility can be

used to configure a static router and add a routing table. A routing table is required for static routing.

Dynamic routing does not require a routing table since the table is built by software. Dynamic routing does

require additional protocols to be installed on the computer. When using the "Routing and Remote Access"

tool, the following information is entered:

Interface - Specify the network card that the route applies to which is where the packets will come from.

Destination - Specify the network address that the packets are going to such as 192.168.1.0. Network Mask - The subnet mask of the destination network. Gateway - The IP address of the network card on the network that is configured to forward the

packets such as 192.168.1.1. Metric - The number of routers that packets must pass through to reach the intended network. If

there are more than 1, the Gateway address will not match the network address of the destination network.

Dynamic Routing

Windows 2000 Server supports Network Address Translation (NAT) and DHCP relay agent. Three

Windows 2000 supported Dynamic routing protocols are:

Routing Information Protocol (RIP) version 2 for IP Open Shortest Path First (OSPF) Internet Group Management Protocol (IGMP) version 2 with router or proxy support.

The "Routing and Remote Access" tool is used to install, configure, and monitor these protocols and

routing functions. After any of these dynamic routing protocals are installed, they must be configured to

use one or more routing interfaces.

OSPF Terms

Area border router - A router that interfaces to subnets in more than one OSPF area. Autonomous system - Routing areas that are administered by a single organization. Autonomous system boundary router - A router that connects an autonomous system to another

autonomous system or the internet. Backbone area - The main OSPF or root routing area that is connected to all other areas with an

ID of 0.0.0.0 (ID number does not reflect any IP address). Internal router - Router that does internal routing. Internal routing - Routing done in one routing area. Routing area - A group of IP subnets connected by links with an ID similar to an IP address that

is used to identify the area. In Active Directory, a routing area would likely be configured for each site. Passwords are used for each routing area.

Routing Configuration Issues

RIP - Tabs:

93

o On the security tab of the RIP properties dialog box there as a selection of one of: Accept announcements from all routers Accept announcements from listed routers only - A list must be created. Ignore announcements from all listed routers - A list must be created.

o General - Maximum delay setting controlling how long the router waits to update other routers. Includes logging controls.

OSPF - Property box tabs: o Areas - In the OSPF properties dialog box (Areas tab?) select one of the following

network types: Broadcast - For normal local area networks. Point-to-point - For demand dial interfaces. Non-broadcast multiple access (NBMA) - For frame relay or X.25 networks.

o General - Includes logging controls along with "Router Identification field" and "Enable Autonomous System Boundary Router" checkbox.

o Virtual Interfaces - If an OSPF area is not connected directly to the backbone area, a virtual interface must be created to allow for it to go through one or more intermediate networks. The virtual interface tells OSPF which router has an interface that connects to the backbone area. The entered password must be the one required by the router with the interface connecting to the backbone area that packets are being sent to.

o External Routing - Allow or reject external route table sources. Internet Group Management Protocol (IGMP) version 2 Router and Proxy is used to manage

routing of multicast network traffic. o Routers must be configured with IGMP to use multicasting on a network. The interface

may be configured as an IGMP router or an IGMP proxy. An IGMP router will update its table with group information and forward multicast traffic.

The "Routing and Remote Access" tool server properties dialog box contains these tabs:

General - Can enable the computer as a router for LAN routing only or for LAN and demand dialing. Also the computer may be enables as a Remote Access Server (RAS).

Security - Can select Windows Authentication or RADIUS authentication for remote access and dial on demand connections. A provider to log all sessions with the router can be selected. Chioces are none, Windows accounting, or RADIUS accounting.

IP - Can "Enable IP routing", and "Allow IP-based remote access and demand-dial connections". The computer may also be configured to use a DHCP server to assign IP addresses to client computers or to use a static IP address pool.

PPP - Options: o Multilink connections o Dynamic bandwidth control using BAP or BACP o Link control protocol (LCP) extensions o Software compression

Event Logging - Can enable or disable PPP logging. Other options: o Log errors only o Log errors and warnings o Log the maximum amount of information o Disable event logging

Exercise 6:-

94

Terminal Services provides remote computers access to Windows-based programs that are running on the server. Microsoft Windows 2000 Server and Microsoft Windows 2000 Advanced Server includes Terminal Services Client Software to support 16 and 32-bit Windows-based clients. In remote administration mode, Terminal Services provides access to physically or logically distant servers. In Application Server mode, Terminal Services provides a multisession environment for server-side computing. This step by step article describes how to install Terminal Services using the Application Server mode.

Installing Terminal ServicesThere are three components necessary to understand when you are installing and enabling the Windows 2000 Terminal Services. The following list briefly describes these components: • Server - The computer in which nearly all of the computing resources reside that will be used in the

Terminal Services networking environment. The server will receive and process the keystrokes and mouse movements that take place at the client computer. The server displays the desktop and running applications within a window on the client computer.

• Messaging - This communication occurs between the server and clients by way of the Remote Desktop Protocol (RDP). RDP is an application-layer protocol that relies on TCP/IP.

• Clients - The computer on the network from which it is possible to open a window containing a terminal session. In this window is the remote desktop running on the server. Applications and windows that are opened on this desktop are actually running on the server.

Enabling Terminal Services in Application Server Mode

To enable Terminal Services in Application Server mode on the domain controller, the information technology (IT) administrator logs on to server as the administrator and performs the following procedures.

To enable Terminal Services: 1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove Programs. 2. Click Add/Remove Windows Components to start the Windows Components Wizard. In the

Components list, to add or remove a component, click to select a check box. A shaded box indicates that only part of the component will be installed. Select the Terminal Services check box, and then click Next.

3. In the Windows Components Wizard with Terminal Services selected, click Details to see what is included in the component. You will see the two following sub-components:

• Client Creator Files - Enables the creation of installation floppy disks for Terminal Services Client computers.

• Enable Terminal Services - Enables the Terminal Services software on your computer.

4. Click Next to continue.5. On the next screen, you are prompted to install Terminal Services to run in one of two modes:

• Remote Administration - This mode permits two Terminal Services client connections to the server. This mode does not require licensing, but allows only members of the Administrators group to access the server. This is an excellent choice for non-Terminal Services servers, to enable remote control-type access to remote servers.

• Application Server - This mode permits more than two simultaneous connections by non-administrators, but requires the Terminal Services Licensing service to be installed on a domain controller (for which you can use any server in a workgroup environment). A Terminal Services Client Access License is also required for non-Windows 2000 Professional clients.

NOTE: Terminal Services Licensing is a required component that licenses clients on a Terminal server in Application Server mode. For computers that are in a Windows 2000 domain, Microsoft recommends that you do not enable Terminal Services Licensing on the same computer with Terminal Services.

95

6. In Terminal Services Setup, verify that Application Server mode is selected, and then click Next.

NOTE: In Terminal Services Setup, you may see programs listed that will not work properly when Terminal Services is enabled. You need to reinstall these programs for multisession access by using the Add/Remove Programs tool after you enable Terminal Services.

7. In the next screen, click the appropriate option to specify whether you want permissions to be compatible with Windows 2000 Users or with Terminal Server 4.0 Users. Use the Permissions compatible with Windows 2000 Users option for the most secure environment in which to run applications.

8. In Terminal Services Licensing Setup, specify whether you want the license server to serve your entire enterprise or your domain/workgroup, and then provide the directory location for the database. Wait for the installation to finish, and then click Finish. In the Add/Remove Programs window, click Close.

NOTE: The required files are copied to your hard disk, and you can use server software after you restart the computer.

Exercise -9:- Install and configure a Web Server

Below is the step-by-step guide for setting up a World Wide Web server for anonymous access in a Windows 2000 environment.

Installing Internet Information ServicesMicrosoft Internet Information Services (IIS) is the Web service that is integrated with Windows 2000. To install IIS: 1. Click Start, point to Settings, and then click Control Panel.2. In Control Panel, double-click Add/Remove Programs.3. Click Add/Remove Windows Components.4. In the Windows Components Wizard, select the Internet Information Services (IIS) check box, and

then click Details.5. Clear all the check boxes, and then select the following check boxes:

Common FilesDocumentationFrontPage 2000 Server ExtensionsInternet Information Services Snap-InInternet Services ManagerWorld Wide Web Server

6. Click OK, and then on the Windows Components page, click Next. If you are prompted to do so, insert the Windows 2000 CD-ROM, and then click OK.

7. On the "Completing the Windows Components Wizard" page, click Finish.8. In the Add/Remove Programs dialog box, click Close.

Configuring Anonymous Authentication1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Services

Manager. (In Windows 2000 Professional, you can start Administrative Tools from Control Panel.)2. Right-click * server name (where server name is the name of the server), and then click Properties.3. In the Master Properties box, click WWW Service (if it is not already selected), and then click the Edit

button that is next to the Master Properties box.4. Click the Directory Security tab.5. Under Anonymous access and authentication control, click Edit.6. Under Authenticated access, select the Integrated Windows authentication check box.7. Select the Anonymous access check box, and then click Edit. Note the user account in the Username

box. This account is used by Windows to authenticate anonymous users when they browse the Web site. 8. Click OK, click OK, click OK, and then click OK.

96

Basic Web Site Configuration

1. Start Internet Services Manager.2. In the Tree list, expand * server name (where server name is the name of the server).3. Right-click Default Web Site, and then click Properties.4. If you have multiple IP addresses assigned to your computer, click the IP address that you want to

assign to this Web site in the IP Address box.5. If you do not want unlimited connections to the Web site, click Limited To, and then type the number

of concurrent connections that you want.

NOTE: Windows 2000 Professional is limited to 10 concurrent connections.

Each client that browses the Web site generally uses about 3 connections.6. Click the Performance tab.7. Move the Performance tuning slider to the position that you want.8. If you want to limit the amount of network bandwidth that is available for connections to this Web site,

select the Enable bandwidth throttling check box, and then type the amount that you want in the Maximum network use box.

9. If you want to limit the amount of computer processing time spent servicing requests for content on this Web site, select the Enable process throttling check box, and then type the amount that you want in the Maximum CPU use box.

This prevents the Web site from consuming too much processor time to the detriment of other computer processes.

NOTE: Bandwidth throttling is not available in Windows 2000 Professional.For additional information, click the article number below to view the article in the Microsoft Knowledge Base: 263857 Items in the ISM Are Missing or Appear Dimmed on Windows 2000 Professional

10. Click the Home Directory tab. • If you want to use Web content that is stored on the local computer, click A directory located on

this computer, and then type the path that you want in the Local Path box. For example, the default path is C:\Inetpub\wwwroot.

NOTE: For added security, do not create Web content folders in the root folder.• If you want to use Web content that is stored on a different computer, click A share located on

another computer, and then type the location that you want in the Network Directory box that appears.

• If you want to use Web content that is stored on another Web address, click A redirection to a URL, and then type the location that you want in the Redirect to box. Under The client will be sent to, select the appropriate check box.

11. Click the Documents tab. Note the list of documents that IIS can use as the default start documents. If you want to use Index.html as your start document, you must add it. To do this: a. Click Add.b. In the Add Default Document dialog box, type Index.html, and then click OK.c. Click the up-arrow button until Index.html is displayed at the top of the list.

12. Click the Operators tab. Note the user accounts that have operator privileges on this Web site. Click Add to add additional user accounts to operate this Web site.

NOTE: The Operators tab is not available in Windows 2000 Professional.For additional information, click the article number below to view the article in the Microsoft Knowledge Base: 263857 Items in the ISM Are Missing or Appear Dimmed on Windows 2000 Professional

97

13. Click OK to return to the Internet Information Services window.14. Right-click Default Web Site, and then click Stop.15. Right-click Default Web Site, and then click Start.The server is now configured to accept incoming Web requests to the default Web site. You can replace the content of the default Web site with the Web content that you want, or you can create a new Web site.

Session 8:- Windows 2000: Security

Exercise 1:-

You can use IP Security (IPSec) in tunnel mode to encapsulate Internet Protocol (IP) packets and optionally encrypt them. The primary reason for using IPSec tunnel mode (sometimes referred to as "pure IPSec tunnel") in Microsoft Windows 2000 is for interoperability with third-party routers or gateways that do not support Layer 2 Tunneling Protocol (L2TP)/IPSec or PPTP Virtual Private Networking (VPN) tunneling technology.

Windows 2000 supports IPSec tunneling for situations where both tunnel endpoints have static IP addresses. This is primarily useful in gateway-to-gateway implementations, but may also work for specialized network security scenarios between a gateway/router and a server (like a Windows 2000 router routing traffic from its external interface to an internal Windows 2000-based computer securing the internal path by establishing an IPSec tunnel to the internal server providing services to the external clients).

Windows 2000 IPSec tunneling is not supported for client remote access VPN use because the IETF IPSec RFCs do not currently provide a remote access solution in the Internet Key Exchange (IKE) protocol for client-to-gateway connections. The IETF RFC 2661 for Layer 2 Tunneling Protocol (L2TP) was specifically developed by Cisco, Microsoft, and others for the purpose of providing client remote access VPN connections. In Windows 2000, client remote access VPN connections are protected using an automatically generated IPSec policy that uses IPSec transport mode (not tunnel mode) when the L2TP tunnel type is selected.

Windows 2000 IPSec tunneling also does not support protocol and port-specific tunnels. While the Microsoft Management Console (MMC) IPSec Policy snap-in is very general and allows you to associate any type of filter with a tunnel, make sure you use only address information in the specification of a filter for a tunnel rule.

Details on how the IPSec and IKE protocols work can be found in the Microsoft Windows 2000 Resource Kit and in the Windows 2000 IPSec end-to-end walkthrough. Information about where you can find these documents is included at the end of this article.

This article explains how to configure an IPSec tunnel on a Windows 2000 gateway. Because the IPSec tunnel secures only traffic specified in the IPSec filters you configure, this article also describes how to configure filters in Routing and Remote Access Service (RRAS) to prevent traffic outside the tunnel from being received or forwarded. This article outlines the following scenario to make it easy to follow the configuration steps:

NetA - Windows 2000 gateway --- Internet --- third-party gateway - NetB W2KintIP W2KextIP 3rdExtIP 3rdIntIP

NetA is the network ID of the Windows 2000 gateway internal network.

W2KintIP is the IP address assigned to the Windows 2000 gateway internal network adapter.

98

W2KextIP is the IP address assigned to the Windows 2000 gateway external network adapter.

3rdExtIP is the IP address assigned to the third-party gateway external network adapter.

3rdIntIP is the IP address assigned to the third-party gateway internal network adapter.

NetB is the network ID of the third-party gateway internal network. The goal is for the Windows 2000 gateway and the third-party gateway to establish an IPSec tunnel when traffic from NetA needs to be routed to NetB or when traffic from NetB needs to be routed to NetA so traffic is routed over a secure session.

You need to configure an IPSec policy. You must build two filters; one to match packets going from NetA to NetB (tunnel 1), and one to match packets going from NetB to NetA (tunnel 2). You need to configure a filter action to specify how the tunnel should be secured (a tunnel is represented by a rule, so two rules are created).

Typically, a Windows 2000 gateway is not a member of a domain, so a local IPSec policy is created. If the Windows 2000 gateway is a member of a domain that has IPSec policy applied to all members of the domain by default, this prevents the Windows 2000 gateway from having a local IPSec policy. In this case, you can create an Organizational Unit (OU) in Active Directory, make the Windows 2000 gateway a member of this OU, and assign the IPSec policy to the Group Policy Object (GPO) of the OU.

1. Use the MMC to work on the IP Security Policy Management snap-in (a quick way to load this is to click Start, click Run, and then type secpol.msc).

2. Right-click IP Security Policies on Local Machine, and then click Create IP Security Policy.3. Click Next, and then type a name for your policy (for example, IPSec Tunnel with third-party Gateway).

NOTE: You can also type more information in the Description box.4. Click to clear the Activate the default response rule check box, and then click Next.5. Click Finish (keep the Edit check box selected).NOTE: The IPSec policy is created with default settings for the IKE main mode (phase 1) on the General tab, in Key Exchange. The IPSec tunnel consists of two rules, each of which specifies a tunnel endpoint. Because there are two tunnel endpoints, there are two rules. The filters in each rule must represent the source and destination IP addresses in IP packets that are sent to that rule's tunnel endpoint.

In the IP Security Policies on Local Machine MMC snap-in, right-click your new policy, and then click Assign. A green arrow appears in the folder icon next to your policy.

After your policy is assigned, you have two additional active filters (RRAS automatically creates IPSec filters for L2TP traffic). To see the active filters, type the following command at a command prompt: netdiag /test:ipsec /debugYou can optionally redirect the output of this command to a text file so you can view it with a text editor (such as Notepad) by typing the following command: netdiag /test:ipsec /debug > filename.txtThe netdiag command is available after you install the Microsoft Windows 2000 Resource Kit, which you can install from your Windows 2000 CD-ROM. To install the kit, locate the Support\Tools folder, and then double-click the Setup.exe file. After installation, you may need to run the netdiag command from the %SystemRoot%\Program Files\Support Tools folder (where %SystemRoot% is the drive where Windows 2000 is installed).

The tunnel filters look similar to the following example: Local IPSec Policy Active: 'IPSec tunnel with {tunnel endpoint}' IP Security Policy Path:SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{-longnumber-}

There are two filters

99

From NetA to NetBFilter ID: {-long number-}Policy ID: {-long number-}IPSEC_POLICY PolicyId = {-long number-}Flags: 0x0Tunnel Addr: 0.0.0.0PHASE 2 OFFERS Count = 1Offer #0:ESP[ DES MD5 HMAC] Rekey: 0 seconds / 0 bytes. AUTHENTICATION INFO Count = 1Method = Preshared key: -actual key-Src Addr: NetA Src Mask: -subnet mask-Dest Addr: NetB Dest Mask: -subnet mask-Tunnel Addr: 3rdExtIP Src Port: 0 Dest Port: 0Protocol: 0 TunnelFilter: YesFlags : OutboundFrom NetB to NetAFilter ID: {-long number-}Policy ID: {-long number-}IPSEC_POLICY PolicyId = {-long number-}Flags: 0x0Tunnel Addr: 0.0.0.0PHASE 2 OFFERS Count = 1Offer #0:ESP[ DES MD5 HMAC] Rekey: 0 seconds / 0 bytes. AUTHENTICATION INFO Count = 1Method = Preshared key: -actual key-Src Addr: NetB Src Mask: -subnet mask-Dest Addr: NetA Dest Mask: -subnet mask-Tunnel Addr: W2KextIP Src Port: 0 Dest Port: 0Protocol: 0 TunnelFilter: YesFlags: Inbound

Exercise- 2

Traditionally, a firewall has been a dedicated piece of hardware meant to allow two networks to communicated in a limited way. A typical setup is to allow users behind the firewall to access web pages and email without allowing users on the outside to access any computers on the internal network. In recent years, software firewalls have come into use, and they pose a cost effective solution for many users, such as those with home or small office broadband networks. Note that Windows XP (prior to SP2) comes with a software firewall built in called Internet Connection Firewall, which is often the source of connection problems. Windows XP systems running Service Pack 2 have a much more functional "Windows Firewall" which replaces the problematic "Internet Connection Firewall".

Exercise 3

This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers.

Windows 2000-based computers support several methods of controlling inbound access. One of the most simple and most powerful methods of controlling inbound access is by using the TCP/IP Filtering feature. TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed.

10

TCP/IP Filtering is useful from a security standpoint because it works in Kernel mode. In contrast, other methods of controlling inbound access to Windows 2000-based computers, such as by using the IPSec Policy filter and the Routing and Remote Access server, depend on User-mode processes or the Workstation and Server service.

You can layer your TCP/IP inbound access control scheme by using TCP/IP Filtering with IPSec filters and Routing and Remote Access packet filtering. This approach is especially useful if you want to control inbound and outbound TCP/IP access. TCP/IP Security controls only inbound access.

To configure TCP/IP security:

1. Click Start , point to Settings , click Control Panel , and then double-click Network and Dial-up Connections .

2. Right-click the interface on which you want to configure inbound access control, and then click Properties .

3. In the Components checked are used by this connection box, click Internet Protocol (TCP/IP) , and then click Properties .

4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced . 5. Click the Options tab. 6. Click TCP/IP filtering , and then click Properties . 7. Select the Enable TCP/IP Filtering (All adapters) check box. When you select this check box, you

enable filtering for all adapters, but you configure the filters on a per-adapter basis. The same filters do not apply to all adapters.

8. There are three columns with the following labels: TCP PortsUDP PortsIP ProtocolsIn each column, you must select either of the following options: Permit All . If you want to permit all packets for TCP or UDP traffic, leave Permit All activated.

Permit Only . If you want to allow only selected TCP or UDP traffic, click Permit Only , click Add , and then type the appropriate port in the Add Filter dialog box. If you want to block all UDP or TCP traffic, click Permit Only , but do not add any port numbers in the UDP Ports or TCP Port column. You cannot block UDP or TCP traffic by selecting Permit Only for IP Protocols and excluding IP protocols 6 and 17.

Note that you cannot block ICMP messages, even if you select Permit Only in the IP Protocols column and you do not include IP protocol 1.

TCP/IP Filtering can filter only inbound traffic. This feature does not affect outbound traffic or response ports that are created to accept responses from outbound requests. Use IPSec Policies or packet filtering if you require more control over outbound access.

Exercise 8:-

Installing Network Monitor

As you may have already figured out, the Windows Setup program doesn’t install Network Monitor by

default. To install the Windows version of Network Monitor, open the Control Panel and select the Add /

Remove Programs option. Next, click the Add / Remove Windows Components button to launch the

Windows Components wizard. Scroll through the list of components until you locate the Management and

Monitoring Tools option. Select the Management and Monitoring Tools option and click the Details

button. Select the Network Monitor Tools option and click Next. Windows will now begin the installation

10

process. You may be prompted to insert your Windows installation CD. Click Finish to complete the

installation process.

Running Network Monitor

After the installation process completes, you can launch Network Monitor by selecting the Network

Monitor command found on Window’s Administrative Tools menu. When Network Monitor initially

loads, you will see a dialog box asking you to select a network that you can capture data from. Click OK

and you will see the Select a Network dialog box. Simply expand the My Computer container and then

select the network adapter that you want to monitor. Click OK to continue.

At this point, you will see the main Network Monitor screen, shown in Figure A. Right now, Network

Monitor isn’t capturing any data. It’s up to you to initiate the data capture process. Before you do though,

you might want to set up a capture filter.

Figure A: This is the main Network Monitor screen

The reason why filtering is so important is because there is a tremendous amount of traffic that flows into

and out of most servers. You can easily capture so much traffic that analyzing it becomes next to

impossible. To help cut down on the amount of traffic that you must analyze, Network Monitor allows you

to use filters. There are two different types of filters that you can use; capture filters and display filters.

Capture filters allow you to specify which types of packets will be captured for analysis. For example, you

may decide that you only want to capture HTTP packets. The main advantage to implementing a capture

filter is that by filtering packets during the capture, you will use a lot less hard disk space than you would

if you captured every packet.

10

Display filtering works similarly to capture filtering except that all network traffic is captured. You filter

the data that you want to analyze at the time of analysis rather than at the time of capture. Display filtering

uses a lot more hard disk space than capture filtering, but you will have the full dataset on hand just in case

you decide to analyze something other than what you originally intended.

Capturing Data

If you have decided that you want to filter the data being captured, select the Filter option from the

Capture menu, and configure your filter. Otherwise, you can start the capture process by selecting the Start

command found on the Capture menu. You can see what the capture process looks like in Figure B. When

you have captured the data that you want, then select the Stop command from the Capture menu.

Figure B: This is what the capture process looks like

Analyzing the Data

To analyze the captured data, select the Display Captured Data command from the Capture menu. When

you do, you will see the screen shown in Figure C.

10

Figure C: This is a summary of the captured data

The screen shown in Figure C shows a summary of all of the captured packets in the sequence that those

packets were captured. The data that you are looking at is unfiltered. You could set up a display filter at

this point by selecting the Filter option from the Display menu.

Once you have located a packet that you are interested in, double click on the packet to see it in greater

detail. When you do, you will see the screen that’s shown in Figure D.

10

Figure D: This is the screen that you will use to analyze a packet

As you can see in the figure, the packet screen is divided into three sections. The top section is simply a

condensed view of the summary screen. You can use this section to select a different packet to analyze

without having to go back to the mail summary screen.

The second section contains the packet’s contents in a decoded, tree format. For example, in the screen

capture, you can see that the top portion of the tree says FRAME: Base Frame Properties. If you expand

this portion of the tree, you can see the date and time that the frame was captured, the frame number, and

the frame length.

The third section contains the raw data that makes up the frame. In this section, the column to the far left

shows the base address of the bytes on that line in hexadecimal format. The middle section shows the

actual hexadecimal data that makes up the frame. The hexadecimal code is positions wide. To determine

the address of any of the hex characters, start with the base address for that line, and then count the

position of the character that you are interested in. For example, if the base address is 00000010, and the

character that you are interested in is in the twelfth position, then the character’s address would be

0000001B.

The column to the far right contains a reprint of the data in decimal notation. This is probably the most

useful part of the screen because anything that has been transmitted in clear text is clearly readable in this

column. For example, if an E-mail were transmitted in an unencrypted format and the transmission were

captured, you could read the contents of the message in this location (assuming that you could locate the

correct packet). If you look closely at Figure D, you will notice that this is an LDAP packet that I have

10

captured. The decimal portion of the packet clearly shows a call to the Active Directory

(CN=Configuration, DC=production, DC=com).

Exercise:-9

PPTP is a popular VPN protocol because it is very secure and easy to set up. You can deploy PPTP easily in both Microsoft-only and mixed environments. You can configure your Windows 2000-based Routing and Remote Access service VPN server to drop non-PPTP packets by using packet filters.

How to Configure PPTP Input Filters to Allow Inbound Traffic from PPTP VPN Clients

1. Start the Routing and Remote Access console from the Administrative Tools menu.2. In the left pane of the Routing and Remote Access console, expand your server, and then expand the IP

Routing node.3. Click the General node. Right-click the external interface, and then click Properties.4. On the General tab, click Input Filters.5. Click Add.6. Select the Destination network check box. In the IP address box, type the IP address of the external

interface. In the Subnet mask box, type 255.255.255.255. 7. In the Protocol box, click TCP. In the Destination port box, type 1723. Click OK.8. Click Drop all packets except those that meet the criteria below.9. Click Add.10. Select the Destination network check box. In the IP address box, type the IP address of the external

interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click Other. In the Destination port box, type 47. Click OK.

11. Click OK.

How to Configure PPTP Output Filters to Allow Outbound Traffic to PPTP VPN Clients

1. On the General tab in the External_interface Properties dialog box, click Output Filters.2. Click Add.3. Select the Source network check box. In the IP address box, type the IP address of the external

interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click TCP. In the Source port box, type 1723. Click OK.

4. Click Drop all packets except those that meet the criteria below option.5. Click Add.6. Select the Source network check box. In the IP address box, type the IP address of the external

interface. In the Subnet mask box, type 255.255.255.255. In the Protocol box, click Other. In the Destination port box, type 47. Click OK.

7. Click OK.8. Click OK.NOTE: After you make these changes, only PPTP traffic is allowed into and out of the external interface of the Routing and Remote Access service VPN server. These filters support communications with a PPTP VPN client that initiates an inbound call to the Routing and Remote Access service VPN server.

10

Session 9 Windows 2000: Network Management

Exercise 1:-

To create or delete a Group Policy object1. Open Group Policy Management.

2. Depending upon whether you want to create or delete, use one of the following

procedures:

• Create

• Create and

link

• Delete

Create1. In the console tree, right-click Group Policy Objects in the forest and domain in which you want to

create a Group Policy object (GPO).

Where?

Forest name/Domains/Domain name/Group Policy Objects

2. Click New.

3. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

Create and link1. In the console tree, right-click the domain name in the forest in which you want to create and link a

Group Policy object (GPO).

Where?

Forest name/Domains/Domain name

2. Click Create and Link a GPO Here.

3. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

Delete1. In the console tree, double-click Group Policy Objects in the forest and domain containing the Group

Policy object (GPO) that you want to delete.

Where?

Forest name/Domains/Domain name/Group Policy Objects

2. Right-click the GPO, and then click Delete.

3. When prompted to confirm the deletion, click OK.

Notes

• To create a GPO, you must have GPO creation privileges. By default only domain administrators,

enterprise administrators, and members of the Group Policy creator owners group can create Group

Policy objects. To delegate GPO creation permissions to additional groups and users, go to Group

10

Policy Objects in the desired domain and click the Delegation tab.

• To delete a GPO, you must have Edit Settings, Delete, Modify Security permissions for the GPO.

• When you use this procedure to create a GPO, no links are created to the GPO, but you can add links

within the same forest by right-clicking any domain, site, or organizational unit, and then clicking Link

Existing GPO. Alternatively, you can both create and link a GPO by right-clicking any domain or

organizational unit and then clicking Create and Link a GPO Here.

• When you delete a GPO, Group Policy Management attempts to delete all links to that GPO in the

domain of the GPO. However, to delete a link to a GPO, you must have permission to link Group Policy

objects for the organizational unit or domain. If you do not have rights to delete a link, the GPO will be

deleted, but the link will remain. Links from other domains and sites are not deleted. The link to a

deleted GPO appears in Group Policy Management as Not Found. To delete Not Found links, you must

either have permission on the site, domain or organizational unit containing the link, or ask someone

with sufficient rights to delete it.

• Group Policy objects are distinguished in the Active Directory by GUID, and it is theoretically possible

for more than one GPO to have the same friendly name. The Group Policy Management snap-in prevents

the creation of Group Policy objects with duplicate friendly names, but the Group Policy infrastructure

does not enforce uniqueness of friendly names. Therefore, it is possible for duplication of friendly names

to occur if you use legacy tools to create Group Policy objects, if replication is slow, or if you use a script

to perform operations on Group Policy objects.

• You cannot delete the Default Domain Controllers policy or the Default Domain policy.

• Before deleting a GPO, you can check for cross-domain links by navigating to the Scope tab of the GPO

you want to delete and, in the Display links in this location box, selecting Entire Forest. You can then

select all links, right click the selection, and click Delete link. This procedure ensures that cross-domain

links are deleted before you delete the GPO.

You can start Group Policy Object Editor in several ways, depending on the action that you want to perform. The following sections describe how to start Group Policy Object Editor in a variety of scenarios.

To Edit a Group Policy Setting on the Local Computer

To start Group Policy Object Editor to edit the local GPO, click Start, click Run, type gpedit.msc, and then click OK.

To Edit a Group Policy Setting on Another Computer

Open the local GPO that is stored on the Windows 2000-based network computer, and then locate the network computer. You must be an administrator of the network computer to complete this procedure.

To Edit a Group Policy Setting on a Site

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the console tree, right-click the site for which you want to configure a Group Policy setting, click Properties, and then click the Group Policy tab.

3. Click an existing GPO in the Group Policy object links list, click Edit, and then link a GPO to the

10

intended site.

To Edit a Group Policy Setting on a Domain

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree, right-click the domain or organizational unit for which you want to configure a Group Policy setting, click Properties, and then click the Group Policy tab.

3. Click Edit to open the GPO that you want to edit, and then link a GPO to the intended domain.

To Edit a Group Policy Setting on an Organizational Unit

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree, right-click the domain or organizational unit for which you want to configure a Group Policy setting, click Properties, and then click the Group Policy tab.

3. Click Edit to open the GPO that you want to edit, and then link a GPO to the intended organizational unit.

You can also link a GPO to an organizational unit that is higher in the Active Directory hierarchy so that the organizational unit can inherit Group Policy settings.

How to Filter the Scope of Group Policy According to Security Group Membership

1. Open the GPO whose scope you want to filter.2. Right-click the root node of the console to display the Group Policy icon that has the following label:

GPO_name [domain_controller_name.domain_name] Policy 3. Click Properties, click the Security tab, and then click the security group for which you want to filter

this GPO.

To change the list of security groups for which you want to filter this GPO, click either Add or Remove to add or remove security groups.

4. Set the permissions as they are described in the following table, and then click OK.

Your intention Set these permissions The result

You want to apply this GPO to members of this security group.

Set Apply Group Policy to Allow. Set Read to Allow.

This GPO applies to members of this security group unless they are members of at least one other security group that has Apply Group Policy set to Deny, Read set to Deny, or both.

Members of this security group are exempt from this GPO.

Set Apply Group Policy to Deny. Set Read to Deny.

This GPO never applies to members of this security group regardless of the permissions those members have in other security groups.

Membership in this security group does not determine if the GPO is applied.

Do not set Apply Group Policy to either Allow or Deny. Do not set Read to either Allow or Deny.

This GPO applies to members of this security group if they have both Apply Group Policy and Read set to Allow as members of at least one other security group. They also must not have Apply Group, Policy, or Read set to Deny as members of any other security group.

NOTE: GPOs are applied only to sites, domains, and organizational units. Group Policy settings affect only the users and the computers that they contain. Specifically, GPOs are not applied to security groups.

10

The location of a security group in Active Directory does not affect filtering through that security group as it is described in this procedure.

If a user or a computer is not contained in a site, a domain, or an organizational unit that is subject to a GPO either directly through a link, or indirectly through inheritance, you cannot set any combination of permissions on any security group to make those Group Policy settings affect that user or computer.

Filtering at the GPO level, as it is described in this procedure, causes the GPO to be processed or not processed as a whole. The Software Installation extension and the Folder Redirection extension use security groups to refine control beyond the GPO level. Except for Folder Redirection and Software Installation, security groups are not used to filter individual settings or subsets of a GPO. For control over individual settings, edit or create a GPO instead.

How to Find the Sites, Domains, and Organizational Units to Which a GPO Is Linked

1. Start Group Policy Object Editor with the GPO that you want to find at the root node of the console.2. Right-click the root node of the console, and then click Properties.3. Click the Links tab, and then click Find Now.

The sites, domains, and organizational units to which the GPO is linked are listed in the Sites, Domains or Organizational Units found box. NOTE: If the GPO is linked to more than one domain, you can limit your search for organizational units to one domain at a time by using the list in the Domain box.

How to Turn Off the User Configuration Settings in a GPO

1. Open the GPO that you want to edit.2. Right-click the console root, which appears as the following line:

GPO_name [domain_name] Policy 3. Click Properties, make sure that Disable User Configuration settings is selected, and then click

OK.NOTE: The User Configuration settings in this GPO no longer affect any site, domain, or organizational unit to which this GPO is linked.

How to Turn Off the Computer Configuration Settings in a GPO

1. Open the GPO that you want to edit.2. Right-click the console root, which appears as the following line:

GPO_name [domain_name] Policy 3. Click Properties. 4. Make sure Disable Computer Configuration settings are selected, and then click OK.NOTE: After you

turn off the Computer Configuration settings in a GPO, they no longer affect any site, domain, or organizational unit to which this GPO is linked.

Exercise 4:-

In general, groups are used to grant permissions to similar types of users, to make contact of multiple users

easier, and to simplify administration. For example, instead of having to enter 10 email addresses in the

message header, a message can be sent to one group email, which is then fanned out to all 10 email

addresses in the group.

Group Types and Scopes

Microsoft Windows 2003 defines different group types, with each group having a unique scope. The three

group types that can be created within Active Directory are

11

Security Groups—Groups used to secure access to network resources via permissions; they can also be used to distribute email messages.

Distribution Groups—Groups that can be used only to distribute email; they have a fixed membership that can’t be used to access network resources.

Query-Based Distribution Groups (QBDGs)—These groups are new to Exchange 2003. Their membership is based on a LDAP (Lightweight Distribution Access Protocol) query that can be used only to distribute email. Using LDAP, a member list is created whenever messages are sent to a group.

So what is the main difference between a security and a distribution group? Although both groups can

have an email address associated with them, a distribution group cannot be used to set security settings.

For example, you cannot create a distribution group called Project Team and then assign security rights to

that group.

When you are working with distribution and security groups, there are many things that can or cannot be

done, depending on the group’s scope and the mode that Windows Server is running. The are three types

of scopes—global, domain local, and universal—and two type of modes, mixed or native. See Table 3.1

for a summary of what can and cannot be done according to the network operating mode.

Table 3.1 Understanding Group Scope, Group Membership, and Windows Operating Mode

Scope Group MembershipWindows Mixed

ModeWindows Native Mode

Domain

Local

Permission assigned only in the

same domain; can be put into

other domain local groups.

Global groups and

accounts from any

domain.

Global groups, accounts, and universal

groups from any domain. Domain local

groups can be only from the same

domain.

Global

Permissions assigned in any

domain; can be put into other

groups.

Can contain

accounts only from

the same domain.

Global groups and accounts only from

the same domain.

Universal

Can be assigned permissions in

any domain and can be put into

other groups.

Not available in

mixed mode

domains.

Regardless of scope, can contain

accounts or groups from any domain.

Creating Security or Distribution Groups

Using the following steps, administrators can create security or distribution groups:

1. Open Active Directory User and Computers. Right-click in the container where you want to create a new group, select New, and then select Group.

2. As shown in Figure 3.3, the New Object-Group dialog box will appear. In the Group Name field, type up to a 64 character name for the new group. The first 20 characters will be automatically inserted for the Pre-Windows 2000 group name and must be unique for the domain. If needed, you can type a unique name into this field.

11

Figure 3.3 Creating security and distribution groups through Active Directory Users and

Computers.

3. Select a group type of either Domain local, global, or universal (available only in native mode). The recommended scope type is universal; if you are unsure about which scope to use, choose universal.

4. Select Security or Distribution for your group type and click Next.5. If the Exchange is set up properly, the Create an Exchange Email Address option will be

available. Make sure that the box is checked and that the correct Alias name for the email address is displayed. (By default, the alias name is set to the group name.) If an Exchange email address isn’t needed, uncheck this option.

6. Click Next and then click Finish, creating the group. If creation of an email address was selected, SMTP and X.400 email addresses will be automatically created.

After the group is created, administrators can change additional group properties, such as adding members

to the group, setting message size-restriction limits, adding or removing email addresses, or limiting which

users can send messages to the group.

Creating Query-Based Distribution Groups

Query-based distribution groups do not have a scope that is domain local, global, or universal. Their

membership can contain users and groups from other domains or forests or members of the local domain.

Their scope is determined by the container associated with the group when it is created. For example, if the

container associated with the group is pandoranetworks.com, the query filter is applied to all recipients in

the domain. If a filter is applied to a specific organization unit (OU) in a domain, the filter applies to all

recipients in the container and those in any containers below.

NOTE

Query-based distribution groups are available only when Exchange is running in native mode and all

servers in the enterprise are at least running Exchange 2000 SP3 or later. An administrator can check

which mode Exchange is in by opening ESM, clicking the Exchange Organization, and then selecting

Properties. Review the Operation Mode section to see what mode your Exchange server is currently

running in.

The beauty of query-based distribution groups is that less time is spent managing group membership. In

most organizations, people move around the company to different roles, departments, or eventually leave

the company. Instead of specifying static user memberships, query-based distribution groups minimize the

amount of time spent adding or removing users from groups by allowing LDAP queries to dynamically

build membership in the distribution group. The group membership is created on-the-fly. An LDAP query

11

is run every time an email is sent to this dynamic distribution list. Thus, using query-based distribution

groups can dramatically reduce the administrative costs.

CAUTION

Query-based distribution groups work best when the member list results are 25 to 30 members or fewer.

Potential member lists in the hundreds or thousands will put severe processing demands on a global

catalog server because of the inefficient nature of the LDAP queries. If query-based distribution groups

have potential to grow to larger numbers, switching the processing tasks from the global catalog server to a

dedicated LDAP expansion server will help in resolving large distribution lists more quickly.

Because groups are used to manage email distribution and permissions, remember to create groups that

will contain similar types of users. Typically, administrators create groups for users who work in the same

departments and need access to similar network resources, users who have similar roles in an organization

(executives, directors, engineers, and so on), or for users on specific company projects. Using the

following steps, administrators can create query-based distribution groups:

1. Open Active Directory User and Computers. Right-click in the container where you want to create a new group, select New, and then select Query-Based Distribution Group.

2. As shown in Figure 3.4, the New Object-Query-based Distribution Group dialog box will appear. Type in a group name and, if required, a different alias for the group. Otherwise, the group name will be automatically inserted for the Exchange alias and will be used to set the group email address.

Figure 3.4 Creating query-based distribution groups through Active Directory Users and

Computers.

3. The container in which the group is created defines the scope of the LDAP query. This means the query filter will apply to all recipients of the container selected and below the specified container. Choose one of the preconfigured filters; otherwise, select the Customize Filter option and click Customize. The Find Exchange Recipients dialog box, as shown in Figure 3.5, appears.

Figure 3.5 Customizing the LDAP query filter parameters in the Find Exchange Recipients dialog

box.

4. Use the following tabs to configure additional parameters:

11

o General—Used to select the recipient types in the group.o Storage—Used to limit the mailbox to a specific server or mailbox store.o Advanced—Used to create combinations of fields, operators, and search criteria.

5. When you’re finished selecting criteria, click OK to return to the wizard. Click Next and then click Finish to create the group. As with other groups, if creation of an email address was selected, SMTP and X.400 email addresses will be automatically created.

Again, after the group is created, administrators can manage additional group properties, such as adding

members to the group, setting message size-restriction limits, changing, adding, or removing email

addresses, limiting which users can send messages to the group, adding an expansion server, or

configuring out-of-office options and nondelivery settings. Many settings can be configured; explore the

ones that best fit your organization.

Renaming and Deleting Groups

Renaming and deleting groups each has a different effect on the security identifier (SID); object values are

used to identify, handle, and track permissions independently of group names. When a group is renamed,

the group is given a new label. Changing the name does not affect the SID, Exchange alias, or email

addresses associates with the group. The group can be renamed in ADUC in two easy steps:

1. Right-click the group name and then select Rename. Type in the new group name and press Enter.

2. When the Rename Group dialog box appears, press Tab and type in a new pre-Windows 2000 group name; then click OK to complete the group rename.

Deleting a group removes it permanently from Active Directory. In theory, after a group is deleted, a

group with the same name cannot be created with the same permissions of the original group. Group

names can be reused, but because the SID of the new group name will not match the SID of the original

group name, the permission settings must be manually re-created. Deleting a group is accomplished by

highlighting the appropriate group, right-clicking, and selecting Delete or pressing the Delete key.

NOTE

Windows has built-in security features that will not allow deletion of built-in groups. There is no right-

click Delete option and pressing Delete yields no results.

Exercise -5 Backup and restore all files in a domain

During a typical file restore operation, Microsoft Windows Backup operates in nonauthoritative restore mode. In this mode, Windows Backup restores all files, including Active Directory objects, with their original Update Sequence Number (USN) or numbers. The Active Directory replication system uses the USN to detect and replicate changes to Active Directory to all the domain controllers on the network. All data that is restored nonauthoritatively appears to the Active Directory replication system as old data. Old data is never replicated to any other domain controllers. The Active Directory replication system updates the restored data with newer data from other domain controllers. Performing an authoritative restore resolves this issue.

Note Use an authoritative restore with extreme caution because of the effect it may have on Active

11

Directory. An authoritative restore must be performed immediately after the computer has been restored from a previous backup, before restarting the domain controller in normal mode. An authoritative restore replicates all objects that are marked authoritative to every domain controller hosting the naming contexts that the objects are in. To perform an authoritative restore on the computer, you must use the Ntdsutil.exe tool to make the necessary USN changes to the Active Directory database.

There are certain parts of Active Directory that cannot or should not be restored in an authoritative manner: • You cannot authoritatively restore the schema.• The configuration naming context is also very sensitive, because changes will affect the whole forest.

For example, it does not make sense to restore connection objects. Connection objects should be recreated by the Knowledge Consistency Checker (KCC) or manually. Restoring server and NTDS settings objects makes sense when no destructive troubleshooting was done before.

• In the domain context, do not restore any objects that deal with relative identifier (RID) pools. This includes the subobject "Rid Set" of domain controller computer accounts and the RidManager$ object in the SYSTEM container.

• Another issue is that many distinguished name-type links may break when you restore. This may affect objects that are used by the File Replication Service (FRS). These exist underneath CN=File Replication Service,CN=System,DC=yourdomain and CN=NTFRS Subscriptions,CN=DC computer account.

• Attempts to authoritatively restore a complete naming context will always include objects that can disrupt the proper functionality of crucial parts of Active Directory. You should always try to authoritatively restore a minimal set of objects.

• Finally, similar issues might exist for objects created by other applications. These go beyond the scope of this article.

A system state restore replaces all new, deleted, or modified objects on the domain controller that is being restored.

A system state restore of a naming context that contains two or more replicas is an authoritative merge. In an authoritative merge, all objects that are deleted or modified are rolled back to when the backup was made. Objects that were created after the backup are replicated from naming context replicas. An authoritative merge represents a merge of the state that existed when the backup was made with new objects that were created after the backup.

When you nonauthoritatively restore a naming context that contains a single replica, you actually perform an authoritative restore.

Performing an authoritative restore

After the data has been restored, use Ntdsutil.exe to perform the authoritative restore. To do this, follow these steps: 1. At a command prompt, type ntdsutil, and then press ENTER.2. Type authoritative restore, and then press ENTER.3. Type restore database, press ENTER, click OK, and then click Yes.

Restoring a subtree

Frequently, you may not want to restore the whole database because of the replication impact this would have on your domain or forest. To authoritatively restore a subtree within a forest, follow these steps:1. Restart the domain controller.2. When the Windows 2000 Startup menu is displayed, select Directory Services Restore Mode, and then

press ENTER.3. Restore the data from backup media for an authoritative restore. To do this, follow these steps:

11

a. In Directory Services Restore mode, click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup to start the Windows 2000 Server Backup utility.

b. Click Restore Wizard, and then click Next. c. Select the appropriate backup location, and then make sure that at least the System disk and System

State containers are selected. d. Click Advanced, and then make sure that you restore junction points. If you do not use the Advanced

menu, the restore process will not be successful. e. In the Restore Files to list, click Original Location. f. Click OK, and then complete the restore process. A visual progress indicator is displayed. g. When you are prompted to restart the computer, do not restart.

4. At a command prompt, type ntdsutil, and then press ENTER.5. Type authoritative restore, and then press ENTER.6. Type the following command, and then press ENTER:

restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx

Note In this command, OU_Name is the name of the organizational unit that you want to restore, Domain_Name is the domain name that the OU resides in, and xxx is the top-level domain name of the domain controller, such as "com," "org," or "net."

7. Type quit, press ENTER, type quit, and then press ENTER.8. Type exit, and then press ENTER.9. Restart the domain controller.

Exercise 7

Intrusion detection is a process that proactively detects inappropriate, incorrect, or anomalous activity

from an external network (Internet) against the IT infrastructure of an organization. Some of the popular

intrusion methods include port scanning, WinNuke, DoS attacks, or ping of death, which a regular firewall

cannot detect. The intrusion could be accidental or intended with the purpose of disrupting work or

damaging the reputation of the organization. Unless these attacks are detected well in advance and

appropriate actions taken, they can lead to financial losses and customer dissatisfaction.

Many organizations sell intrusion detection tools for additional cost. ISA Server 2004 has an integrated

basic intrusion detection tool licensed from Internet Security Systems (ISS). This provides a cost-effective

intrusion detection solution for any medium business, and is recommended by the Medium Business

Solution for Core Infrastructure.

Based on the recommendations provided in this chapter, Lucerne Publishing decided to make use of the

built-in intrusion detection feature of ISA Server 2004 instead of investing in a separate intrusion detection

software.

Application Filtering

Application layer protocol traffic, such as SMTP, HTTP, DNS, RPC (Remote Procedure Call), PPTP, and

FTP, can contain malicious codes and scripts, inappropriate commands, and binary files containing

viruses. These codes, scripts, commands, and viruses can cause serious damage if they reach the internal

network of the organization. Application filtering scans the traffic passing through the firewall and filters

out packets that have malicious code, scripts, or viruses. Both inbound and outbound traffic should be

11

scanned. Outgoing traffic is scanned to ensure that the organization is not a source for spreading viruses

and worms on the Internet.

The firewall server should be able to provide application filtering for various application layer

protocols. Some examples of how application filtering can be used in the medium IT environment

are as follows:

• SMTP filtering protects internal mail servers from security threats that include buffer overflow attacks

caused by malicious SMTP request designed and sent by the attackers.

• HTTP (and secure HTTP (HTTPS)) filtering enables a device to scan the HTTP and tunneled FTP traffic

for hidden security threats. Possible threats include:

• Malicious code, viruses, and worms in content that is downloaded from the Internet. This includes

Code Red and Nimda viruses.

• Web requests containing malicious code inside the HTTP header or data, which can cause internal

Web servers to malfunction and send malicious code to other systems on the network. Examples

include directory traversal attacks, buffer overflow attacks, cross-site scripting attacks, and high-bit

encoding attacks.

• Malicious code hidden inside an SSL connection, sent by a client computer connecting to the internal

secure Web sites.

In the Medium Business Solution for Core Infrastructure, the following two choices were considered for

providing application filtering:

• Application filtering feature built into ISA Server.

• Non-Microsoft application filtering software.

The following table presents the advantages and disadvantages of these choices.

Choice Advantages Disadvantages

Application filtering

built into ISA Server

Cost-effectiveness: The ISA Server has

built-in application layer filtering capability

for most of the popular applications,

including SMTP, HTTP, FTP, DNS, RPC,

H.323, MMS, and PPTP.

SSL bridging: ISA Server provides SSL-

to-SSL bridging capability for decrypting

SSL traffic and checking the content for

malicious code before forwarding traffic to

the internal server through secure SSL

connection.

Limited filtering capabilities: The built-

in application-filtering feature of the ISA

Server provides filtering capabilities for a

limited number of application layer

protocols compared to non-Microsoft

application filtering software. In addition,

the built-in feature lacks the richness of

the feature sets supported by non-

Microsoft application filtering software.

Non-Microsoft

application filtering

software

Enhanced features: Some of non-

Microsoft software provides enhanced

filtering features for a variety of

applications.

Monitoring and reporting: Provides real-

Additional hardware: Requires

additional hardware resources for

installing the software on a system.

Additional cost for software: The

software needs to be purchased separately.

11


time monitoring and reporting and

graphical data output for various analysis

purposes.

This leads to additional cost incurred for

hardware resources and maintenance of

the software.

Requirement for training: The IT

generalists might require training.

Table 3. Application Filtering Choices

The Medium Business Solution for Core Infrastructure recommends using the built-in application-filtering

feature of ISA Server 2004. Lucerne Publishing decided to follow this recommendation and implement

cost-effective and easy-to-manage application filtering.

Web Proxy

The Web proxy feature enables the firewall to provide proxy services to Web requests coming from the

internal network behind the firewall or proxy server. The firewall or proxy server creates connections to

the Web servers on the Internet on behalf of clients on the internal network. The firewall receives

responses from the Web server, inspects the content for any vulnerability, and forwards the responses to

the client on the internal network that requested the connection. The choice to be made is whether to use

Web proxy in the medium IT environment.

The following table presents the advantages and disadvantages of using Web proxy.

Advantages Disadvantages

High security: Web proxy acts as a gatekeeper by

preventing direct communication between Web

clients on the internal network and computers on

the Internet, thereby protecting the internal Web

clients from direct attacks.

Monitoring: Web proxy monitors the Web traffic

based on user name and client IP address as well as

the URL visited and the application used to access

the Internet.

Low performance: Web proxy has a slight negative

impact on the performance of Internet access. This is

because the firewall needs to do additional processing

to handle client requests.

Configuration overhead: Clients computers in the

internal network need to be configured.

Table 4. Advantages and Disadvantages of Using Web Proxy

The Medium Business Solution for Core Infrastructure recommends using Web proxy. Following this

recommendation, Lucerne Publishing decided to use the built-in Web proxy feature of the ISA Server.

They decided to remove the existing proxy server thereby reducing the additional overhead involved in

maintaining a dedicated proxy server.

Web Caching

Web caching provides improved performance for users who download content from HTTP or FTP sites.

Caching improves the response time for internal clients who access Internet Web servers as well as for

external Internet users accessing an internal Web server.

11

When internal users request content from Web servers on the Internet for the first time, the content

is cached by the Web cache. When the same content is requested again by an internal user, the

content is served from the Web cache. This provides the following benefits:

• Improved response time: Serving the content from the cache is much faster than downloading the

content from the Web server on the Internet.

• Reduced Internet bandwidth consumption: Because the data is downloaded only once, the Internet

bandwidth, which is expensive, is conserved.

• Data availability: If the Internet or the Web server is not available for some reason, data can still be

served to users from the cache.

A similar process of Web caching takes place when external users request content from the Web

server on the internal network. The difference, however, is that the cashing happens for outgoing

traffic and the benefits provided include:

• Reduced load on the Web server: Because the Web server does not need to serve the same content

multiple times.

• Data availability: If the internal Web server is not available for some reason, data can still be served to

external users from the cache.

In the Medium Business Solution for Core Infrastructure, the following two choices were considered for

providing Web caching:

• Web caching built into ISA Server.

• Non-Microsoft Web caching

software.

The following table presents the advantages and disadvantages of using these two choices.


Web caching built

into ISA Server

Cost-effectiveness: Provides a very cost-

effective solution.

Scheduled caching: Enables caching of

Web content at predefined schedules.

Scheduling during off-peak hours enables

the organization to efficiently use the

Internet bandwidth.

Limited management: Provides a limited

set of management features when

compared to non-Microsoft Web caching

software.

Performance: Performance is lower in

Web caching built into ISA Server. This is

because Web caching is enabled along

with other services on firewall server.

Non-Microsoft Web

caching software

Wide variety of features: Provides a wide

variety of features that are not available

with the ISA Server, such as virus scan and

policy triggers based on user attributes and

MIME type.

Better management: Specialized Web

caching software provide better

management features.

High cost: Expensive and requires extra

hardware resources.

Table 5. Web Caching Software Choices

11

The Medium Business Solution for Core Infrastructure recommends using the ISA Server 2004 built-in

Web caching. Network performance is one of their current pain areas for Lucerne Publishing and they

decided to follow the Medium Business Solution for Core Infrastructure recommendation to use the built-

in Web caching feature of ISA Server 2004 and improve the network performance.

Exercise 9

Registry Editor and Registry Administration

Windows NT 4.0 includes two tools for viewing and editing the Registry, both called Registry Editor. The

traditional tool, Regedt32.exe, is featured in this chapter. The new tool, Regedit.exe, written for Windows

95, has many of the same functions as Regedt32 and uses the Windows NT Explorer interface. Both tools

are installed automatically when you install Windows NT on any computer.

You can use either Registry editor to add, delete, or modify Registry entries. This chapter describes the

Registry editors and how to use them, with an emphasis on protecting the Registry contents and using

Registry editors to monitor and maintain the system configuration on remote computers.

The following topics are included in this chapter:

• Using Registry editors and Windows NT Diagnostics (Winmsd.exe)

• Viewing the Registry of a remote computer

• Editing Registry value entries

• Maintaining the Registry

It is recommended that, wherever possible, you make changes to the system configuration by using

Control Panel or the applications in the Administrative Tools (Common) group.

Caution You can impair or disable Windows NT with incorrect changes or accidental deletions if you (or

other users) use Registry Editor to change the system configuration. Wherever possible, you should use the

Control Panel, Windows NT Diagnostics, and Administrative Tools in Windows NT to change the

Registry. Registry Editor should be used only as a last resort.

Using Registry Editors and Windows NT Diagnostics

The Registry editors, Regedt32 and Regedit, do not appear in any menus or as icons in any window.

However, they are installed automatically when you install Windows NT.

To run a Registry editor 1. Start Regedt32.exe or Regedit.exe from Windows NT Explorer.

– Or –

Click Start, point to Run, then type Regedt32 or Regedit in the Run dialog box.

– Or –

Type Regedt32 or Regedit at the command prompt, and press ENTER.

2. Regedt32 has a read-only mode that protects the Registry contents from unintentional changes while

you explore its structure and become familiar with the entries. From the Options menu in Regedt32,

click Read Only Mode.

12

3. Click any folder icon to display the contents of that key.

Working in the Registry Editor WindowsYou can use the mouse or commands to manipulate the windows and panes in a Registry editor. For

example:

• Double-click a folder or key name to expand or collapse that entry. Or, use commands on the View and

Tree menus to control the display of a selected key and its data.

• Use the mouse or the arrow keys to move the vertical split bar in each window to control the size of the

left and right panes.

• From the Window menu, click Tile or Cascade to arrange the Registry Editor windows.

• From the Options menu in Regedt32 click Auto Refresh to update the display continuously, or update it

manually by clicking Refresh All or Refresh Active on the View menu. Regedit does not have an

automatic refresh feature. To update the display when you are using Regedit, from the View menu, click

Refresh or press F5.

Tip Turning off Auto Refresh in Regedt32 improves its performance.

• To search for keys and subkeys, value entries, and values in Regedit, use the Find command on the Edit

menu. You search for a key or subkey by using the Find Key command on the View menu in Regedt32,

but you cannot search for value entries or values.

Table 24.1 shows some methods of using the keyboard to display data in each of the Registry Editor

windows.

Procedure Keyboard action

Expand one level of a selected Registry key. Press ENTER.

Expand all of the levels of the predefined handle in the

active Registry window.

Press CTRL + *.

Expand a branch of a selected Registry key. Press the asterisk (*) key on the numeric

keypad.

Collapse a branch of a selected Registry key. Press ENTER or the minus (–) sign on the

numeric keypad.

For more information about Regedt32 and Regedit, click Help Topics on the Help menu of either

application.

Using Windows NT Diagnostics to View System Configuration Data

You can also use the Windows NT Diagnostics tool to view configuration data in the Registry. Windows

NT Diagnostics (Winmsdp.exe) is installed in the Administrative Tools (Common) group on the Start

menu and in Windows NT Explorer in the Systemroot\System32 directory when you set up Windows NT.

When you want to browse for system information, Windows NT Diagnostics is the best tool to choose.

Figure 24.1 shows the Windows NT Diagnostics dialog box.

12

Figure 24.1 The Windows NT Diagnostics dialog box

In the Windows NT Diagnostics dialog box, click a tab to display data from the Registry in an easily

readable format.

Tip You cannot edit value entries by using Windows NT Diagnostics, so the Registry contents are

protected while you browse for information. However, you can select and copy any value if you want to

paste information by using Registry Editor or a text editor.

Adding a Key

You can add a key to store data in the Registry. For example, you can add a subkey under

CurrentControlSet\Services to start a service process you have written or to install a device driver that

doesn't have an installation program.

To do this, you must have Create Subkey access permission for the key under which you are adding a

subkey, as described in "Assigning Access Rights to Registry Keys," later in this chapter.

To add a key to the Registry by using Regedt32 1. Select the key or subkey under which you want the new key to appear.

2. From the Edit menu, click Add Key or press the INS key.

3. In the Key Name box of the Add Key dialog box, type the name that you want to assign to your key.

12

The key name cannot contain a backslash (\), and it must be unique in relation to other subkeys at the

same level in the hierarchy. That is, Key1 and Key2 can each have a subkey named Key3, but Key1

cannot have two subkeys named Key3.

4. Leave the Class box blank. This box is reserved for a future use.

5. Click OK to display the new key in the Registry Editor window.

To add a key to the Registry with Regedit 1. Select the key or subkey under which you want the new key to appear.

2. From the Edit menu, click New, then click Key. A new folder appears under the selected key, with the

name of the folder selected so that you can edit it.

3. Type a name for the key and press ENTER.

Adding a Value Entry to a Registry Key

You can use the Registry editors to assign a new value entry to a key or edit the value entry of an existing

key. When you do this, the value that you add appears in the data pane of the selected Registry window.

To determine value entries you might add, see the tuning and troubleshooting information in Regentry.hlp,

which is included in the Windows NT Workstation Resource Kit CD.

To add a value entry to a Registry key by using Regedt32 1. Select the subkey to which you want to add a value entry.

2. From the Edit menu, click Add Value.

Tip To quickly open the Add Value dialog box, switch to the right pane by using the TAB key or the

mouse, then press the INS key.

3. In the Add Value dialog box, type the name you want to assign to the new value entry.

4. In the Data Type box, select the type that you want to assign to the value entry.

The data types are described in "Value Entries in the Registry Keys" in Chapter 23, "Overview of the

Windows NT Registry."

5. Click OK, then type the value in the String Editor dialog box. Click OK again to display the new

entry in the Registry Editor window.

To add a value entry to a Registry key by using Regedit 1. Select the subkey to which you want to add a value entry.

2. From the Edit menu, click New, then click String Value, Binary Value, or DWORD Value

depending upon the data type of the value you are adding.

3. The new value entry appears in the right panel with the name of the value entry selected so you can edit

it.

4. Type a name for the value entry.

5. To edit the value, double-click the value entry, then edit the value in the Value data box of the

Datatype Editor dialog box, then click OK.

12

Deleting a Key or a Value Entry

To remove selected keys or value entries from the Registry, you can use the Delete command from the

Edit menu or you can press the DELETE key. However, you cannot delete any of the predefined subtrees

or change the name of a key.

Caution There is no Undo command for deletions. Registry Editor prompts you to confirm the deletions if

Confirm On Delete is selected from the Options menu. When you delete a key, the message does not

include the name of the key you are deleting. Check your selection carefully before proceeding. To recover

a subkey of HKEY_LOCAL_MACHINE \System \CurrentControlSet, restart the computer. Press the

spacebar immediately when you see the message Press spacebar now to invoke Hardware Profile/Last

Known Good Menu.

In Regedt32, you can protect the Registry from accidental deletions by using the following methods:

• Protect data through read-only mode.

From the Options menu, select Read Only Mode. When this option is selected, Regedt32 does not save

any changes. This protects the data from accidental changes.

• Protect data through confirmation.

From the Options menu, select Confirm On Delete. When this option is selected, Regedt32 prompts

you to confirm deletion of any key or value.

Exercise 10

Many networks were installed to provide basic file and printer sharing. As business requirements have

expanded, however, so have the demands on computing infrastructures. These same networks must now

support a growing number of new capabilities and services, such as electronic commerce, remote

communications, Web publishing, e-mail, and database applications in a client/server processing model.

To provide these services to small and large businesses, many information technology professionals

are using Microsoft® Windows® 2000 Server-based computing environments. Windows 2000

Server serves as a unifying foundation that does the following:

• Combines and enhances the capabilities of diverse server operating systems.

• Enables organizations to extend a consistent set of system services, applications, and user interfaces

across a network. System services are typically core operating system functions running at either the

executive- or user-mode in the Windows 2000 Server operating system architecture. Applications run in

user mode and, more often than not, require a user logon to run.

The core server technology of Small Business Server 2000 is Windows 2000 Server, which is designed to

work with the many client network operating systems. This protects the network investments of the small

business and provides the necessary flexibility for a small business to keep up with evolving business

computing demands.

This chapter describes the requirements for interoperability between Small Business Server 2000 and other

operating system environments.

12

Interoperability Layers When assessing interoperability issues, think of your organization's computing infrastructure in

terms of four layers: network, data, applications, and management. Depending on the platforms

combined, one or more of these areas must be addressed:

• Network layer. Consists of low-level communication protocols, such as Internet Packet Exchange (IPX)

and TCP/IP, which are used to transport data. Also includes such functionality as terminal emulation or

print services.

• Data layer. Provides access to both structured (primarily database) and unstructured (primarily file

systems) data sources. In addition, includes access to other critical information, such as e-mail.

• Application layer. Addresses the way an organization's application infrastructure can allow applications

running on different operating systems to work together. For example, this layer defines how two

applications can participate in transactions, or how an application can be delivered to multiple client

platforms.

• Management layer. Focuses on cross-platform user, system, and network management.

Operating System Environments Supported by Windows 2000 Server Windows 2000 Server supports all the standards required to interoperate with the following

operating systems:

• NetWare 2.x/3.x/4.x/5.x

• UNIX

• Macintosh System 6.0.7 or higher

• Windows 2000 Professional

• Windows NT® Workstation

• Windows Me

• Windows 95 and Windows 98

• Windows 3.x

• MS-DOS®

• OS/2

Windows 2000 Server also supports the following network protocols:

• TCP/IP

• Internet Packet Exchange/Sequenced Packet Exchange

(IPX/SPX)

• Network Basic Enhanced User Interface (NetBEUI)

• AppleTalk

• Data Link Control (DLC)

• Hypertext Transfer Protocol (HTTP)

• Systems Network Architecture (SNA)

• Point-to-Point Protocol (PPP)

• Point-to-Point Tunneling Protocol (PPTP)

12

NetWare Interoperability Small Business Server 2000 integrates easily with the infrastructures of NetWare 2.x, 3.x, 4.x, and

5.x (in bindery emulation mode). This helps to lower operating costs, increase resource use, and

enables a platform for innovative client/server solutions. To ease the integration, Microsoft

developed a set of utilities that enables Windows 2000 Server to fully integrate with most NetWare

networks. These technologies address NetWare interoperability at the network, data, and

management layers. The following utilities are part of the Windows 2000 Server application in Small

Business Server 2000:

• Gateway Service for NetWare (GSNW)

• Client Services for NetWare (CSNW)

• NWLink (an IPX/SPX-compatible protocol)

Also, File and Print Services for NetWare (FPNW) can be purchased to further enhance Windows 2000

Server and NetWare interoperability.

Gateway Service for NetWare

GSNW is a Microsoft utility that enables a Windows 2000 Server-based computer to act as a gateway to

resources on a NetWare LAN, as illustrated in Figure 20.1.

Figure 20.1 Gateway Service for NetWare configuration

GSNW offers the following features:

• Protocol availability.

Enables the small business to use any protocol on client desktops without losing NetWare LAN connectivity. For

example, Windows 2000 Professional-based clients can access NetWare resources by using TCP/IP without

requiring a NetWare client redirector on an IPX/SPX protocol stack. The efficiency of GSNW reduces the

administrative load for each client, improving network performance.

GSNW also enables the technology consultant to deploy TCP/IP as the strategic protocol without incurring the

additional costs of replacing older technologies.

• Remote access to NetWare file and print servers.

Small Business Server can be deployed as a communications server to enable remote user access to the NetWare

LAN. This feature of GSNW enables NetWare, MS-DOS, or Windows operating system-based clients to use the

Windows 2000 Server Routing and Remote Access Service (RRAS) to maintain a reliable and secure connection

when connecting to the LAN.

• Novell Directory Services (NDS) support.

12

This feature enables users to do the following:

• Navigate NDS trees.

• Authenticate with an NDS-aware server.

• Print from NDS.

• Get NetWare 4.x and 5.x logon script support.

Client Services for NetWare

CSNW enables Windows 2000 Professional-based clients to gain access to files and print resources on a

NetWare 4.x or 5.x server with a single logon and password. CSNW supports Novell's NDS authentication

to multiple NDS trees and provides full support for NDS property pages, passwords, and processing of

NetWare login scripts.

NWLink

NWLink is an IPX/SPX-compatible protocol that provides NetWare clients with access to Windows 2000

Server-based applications. With this protocol, NetWare clients can gain access to applications such as

Microsoft SQL Server™ 2000 or Microsoft Exchange 2000 Server without changing any client-side

software. NWLink also establishes a means of communication for the tools that interoperate with

NetWare.

Microsoft's implementation of IPX/SPX and Novell NetBIOS-compatible protocols can coexist with other

protocols on the same network adapter card. This means you can have several networks running

independently on the same network hardware connection. NWLink also supports Windows Sockets,

Novell NetBIOS, and Named Pipes protocols.

File and Print Services for NetWare

The FPNW component, an add-on purchased separately, enables Small Business Server to act like a

NetWare Server to all NetWare clients currently on the network. It supports NetWare 2.x, 3.x, 4.x, and 5.x

(in bindery emulation mode) clients without any changes to their configurations and enables Small

Business Server to appear in each client's Windows Explorer list of NetWare-compatible servers. FPNW

enables the Windows 2000 Server application of Small Business Server to emulate a NetWare file and

print server while providing file and print resources that use the same dialog boxes as a NetWare Server.

With FPNW installed on Small Business Server 2000, a NetWare client can do the following:

• Map to a shared volume and directory on Small Business Server.

• Connect to a Small Business Server printer.

• Log on to Small Business Server and execute login scripts.

• Use Small Business Server applications and services.

More Information

For additional information about NetWare integration with Small Business Server 2000, refer to Appendix

B, "Migrating from a NetWare Environment."

12

UNIX Interoperability

Small Business Server 2000 integrates easily with an existing UNIX infrastructure. This helps lower

operating costs, increases resource utilization, and assures a smooth migration from legacy UNIX

environments. To facilitate the integration of UNIX environments with the Windows 2000 Server

application, Microsoft offers Services for UNIX. The components of this package include technologies for

resource sharing, remote administration, password synchronization, and common scripting across

platforms. Support for these technologies is described in the following sections with respect to the

network, data, application, and management layers.

Network Layer Interoperability

For basic integration with UNIX systems, Small Business Server 2000 includes support for industry-

standard protocols used by UNIX, such as TCP/IP, and Domain Name Service (DNS). These and other

common protocols found on UNIX systems are all included in the underlying Windows 2000 Server

operating system. The sections that follow describe the interoperability characteristics of Windows 2000

Server and UNIX at the network layer.

TCP/IP

Windows 2000 Server includes TCP/IP, the primary transport protocol for the Internet, intranets, and

homogeneous or heterogeneous networks. With TCP/IP built into its operating system, Windows 2000

Server can exchange data with both UNIX hosts and the Internet.

File Transfer and Hypertext Transfer Protocols

With File Transfer Protocol (FTP) and HTTP services, users can copy files across heterogeneous networks

and then manipulate them locally as text files or Microsoft Word documents.

Domain Name Service

The DNS is a set of protocols and services on a TCP/IP network that enables network users to employ

hierarchical user-friendly names to find other computers rather than using Internet Protocol (IP) addresses.

Windows 2000 Server has a built-in, standards-based DNS service. This enables the technology consultant

to easily migrate an existing DNS to the Windows 2000 Server DNS, or coexist with a non-Microsoft

DNS.

Dynamic Host Configuration and Boot Protocols

Dynamic Host Configuration Protocol (DHCP) configures a host during boot up on a TCP/IP network and

can change IP settings while the host is attached. This allows storage of IP addresses in a central database,

along with associated configuration information, including the subnet mask, gateway IP address, and the

DNS server IP address. Because DHCP for Windows 2000 Server is based on industry standards, requests

from any type of client platform using these standards are supported. The Microsoft DHCP server also

offers Boot Protocol (BOOTP) support, used for booting diskless workstations.

12

Network File System

The Network File System (NFS) is included in the Services for UNIX, an add-on that is purchased

separately, as a standard for sharing files and printers in the UNIX environment. The NFS client and server

software allows Windows 2000 Server users to access files on UNIX, and UNIX users to access files on

Windows 2000 Server.

Note Services for UNIX does not provide print services. Windows 2000 Server, however, includes native

line printer remote (LPR) and line printer daemon (LPD) UNIX print services. This printing support can

be installed through Print Services for UNIX (from the Control Panel, double-click the Add/Remove

Programs icon, click Add/Remove Windows Components, and then select Other Network File and

Printer Services).

Data Layer Interoperability

At the data layer, Windows 2000 Server includes support for data source interoperability with UNIX

systems, as described in the sections that follow.

Oracle Database Access

Microsoft Visual Studio® Enterprise Edition offers comprehensive support for Oracle 7.3 and later

databases running on UNIX platforms. Using Visual Studio, developers can visually build or edit data-

driven Web pages quickly from multiple data sources. In addition, developers can use Visual Studio to

build and edit stored procedures, database diagrams, triggers, and scripts.

Database Connectivity Tools

Open Database Connectivity (ODBC) is a software interface that separates data access from the data

sources, to make it easier to gain access to a database on a network. The ODBC database access interface

enables programmers to gain access to data from a diverse set of sources, using a standard series of

functions and commands. This means that application developers using ODBC can create applications that

connect to databases running on UNIX or Windows 2000 Server, and their application code will run

exactly the same way on either platform. With ODBC, developers avoid having to code to each specific

data source's requirements—efficiency that significantly increases productivity.

Object Linking and Embedding Database (OLE DB) takes ODBC a step further. While ODBC is designed

around accessing relational data sources using Structured Query Language (SQL), OLE DB is focused on

providing access to any data, anywhere.

Application Layer Interoperability

At the application layer, Windows 2000 Server supports interoperability with UNIX systems, as described

in the sections that follow.

Telnet

Users can access character-based UNIX applications through Windows 2000 Server support for remote

logon. By running terminal emulation software (Telnet) built into Windows 2000 Professional, Windows

Me, Windows 95, Windows 98, and Windows NT client operating systems, users can log on to a UNIX

12

timesharing server. After entering an authorized user name and password, users can access applications

residing on the remote UNIX system as if they were logged on locally.

Microsoft Internet Explorer for UNIX

Microsoft Internet Explorer for UNIX enables Web applications and Internet or intranet access to be

delivered to UNIX desktops, using the familiar Internet Explorer interface. Also, client/server applications

can be designed to operate within the browser, across multiple platforms.

Transaction Internet Protocol

Transaction Internet Protocol (TIP) is a standard two-phase commit protocol that enables a UNIX

transaction manager to coordinate distributed transactions. It can be used with any application protocol,

but is especially important for the Internet HTTP protocol.

Microsoft Transaction Server 2.0 and Oracle 7.3 Support

Microsoft Transaction Server (MTS) 2.0 is a component-based transaction processing system included

with Small Business Server. It combines the features of a transaction processing monitor and an object

request broker. MTS defines a programming model, provides a run-time environment, and is also a

graphical administration tool.

Microsoft has enhanced the Microsoft Oracle ODBC driver to work with MTS 2.0. In addition, Oracle 8i

supports the XA interface. As a result, Small Business Server users can access an Oracle database in a

coexisting UNIX operating environment and the database can participate in MTS-based transactions.

For example, users can update a Microsoft SQL Server database in Small Business Server and an Oracle

database on a UNIX system under a single atomic transaction. If the transaction commits, both databases

are updated. If the transaction quits, all work performed on each database is rolled back to a pre-

transaction state.

MTS interoperates with any Oracle platform accessible from Windows 2000, Windows NT, Windows Me,

or Windows 95 and Windows 98. Microsoft Distributed Transaction Coordinator (DTC) does not need to

be running on UNIX and other non-Windows 2000 platforms in order for an MTS component to update an

Oracle database.

MTS also works with Oracle version 8 databases. However, users must access the Oracle 8 database server

by using the Oracle 7.3 client. Also, the Microsoft Oracle ODBC driver supplied with MTS 2.0 must be

used with the Oracle database, because it is the only Oracle OBDC driver that works with MTS.

Distributed Component Object Model and UNIX

The Component Object Model (COM) is a Microsoft specification for developing distributed transaction-

based applications and defining the manner by which objects interact through an exposed interface.

Distributed Component Object Model (DCOM) extends the COM model and provides applications with a

way to interact remotely over a network.

Microsoft is working with partners to port DCOM onto UNIX and other platforms. This enables the

DCOM application programming interface (API) of Windows 2000 Server to appear on UNIX servers.

DCOM on a UNIX server enables consistent application behavior in a heterogeneous environment of

Windows 2000 and UNIX clients. By employing DCOM on UNIX, users can do the following:

13

• Port DCOM server applications from Windows 2000 Server-based operating environments to UNIX

operating environments.

• Create wrappers for existing UNIX applications, providing DCOM access to the applications by clients

running Windows.

• Develop new distributed UNIX applications that take advantage of the DCOM distribution mechanism.

These applications can make the most of the DCOM reuse, version independence, and language

independence capabilities.

Management Layer Interoperability

At the management layer, Windows 2000 Server supports interoperability with UNIX systems, as

described in the sections that follow.

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) service is included in Windows 2000 Server and

Windows 2000 Professional. This means that SNMP management software, such as Hewlett-Packard

OpenView and IBM NetView, can be used to manage Windows systems. Using these products, the

technology consultant can manage UNIX clients from the Windows 2000 Server operating system in

Small Business Server 2000.

Administrative ToolsServices for UNIX offers the following three features to simplify the administration of combined

Windows 2000 Server and UNIX networks:

• Password synchronization between Windows 2000 Server and UNIX servers. This reduces user

confusion and the technology consultant's workload.

• Telnet administration of both UNIX and the Windows 2000 Server operating system, including access to

network administration from a single client workstation.

• Korn Shell (a UNIX command line interface) and common UNIX commands, thus enabling UNIX shell

scripts to run on Windows 2000 Server. This means that UNIX administrators can use familiar UNIX

commands on Windows 2000 Server.

Macintosh Interoperability

Services for Macintosh is an integrated component of Windows 2000 Server that enables Windows and

Macintosh clients to collaborate and share information across the small business network. Macintosh users

can connect to a Windows 2000 Server in the same way that they connect to an AppleShare Server. The

service supports an unlimited number of simultaneous Apple Filing Protocol (AFP) connections to a

Windows 2000 Server, and the Macintosh sessions are integrated with Windows 2000 sessions. Windows

2000 Server is transparent to the Macintosh user—its presence is revealed only by the quick

responsiveness of the network.

Graphics Performance

In the past, Macintosh clients used UNIX servers to facilitate the heavy performance requirements of

moving large graphics files across a network. With optimization for high bandwidth networks, such as Fast

13

Ethernet and its full-featured functionality, Windows 2000 Server can handle the most demanding needs of

Macintosh users. Windows 2000 Server is also ideal for the publishing marketplace, because most of the

major server applications are already using it.

File Sharing

Services for Macintosh enables Macintosh users to access and share files on a Windows 2000 Server-

based network. The service includes a full AFP 2.0 file server. All Macintosh file system attributes, such

as resource data forks, are supported. As a file server, all filenames, icons, and access permissions are

intelligently managed. For example, a Word for Windows file appears on the Macintosh computer with the

correct Word for Windows icons. These applications can also be run from the file server as Macintosh

applications. When files are deleted, no orphaned resource forks remain to be cleaned up.

Macintosh-accessible volumes can be created in My Computer. Services for Macintosh automatically

create a Public Files volume at installation time. At the same time, Windows 2000 file and directory

permissions are translated into corresponding Macintosh permissions.

Printer Sharing

Services for Macintosh enables Macintosh users to gain access to and share printers on a Windows 2000

Server-based network. With Services for Macintosh, Macintosh users can gain access to the print server

through the Chooser dialog box, and can print PostScript jobs to either PostScript or non-PostScript

printers, using the Windows 2000 Server print services.

Administration

Services for Macintosh can be administered from Control Panel. It can also be started transparently,

provided that the technology consultant has configured the server to use the service.

Connecting Macintosh Computers to the Internet

Windows 2000 Server application, included with Small Business Server, has all the features necessary to

connect Macintosh clients to the Internet or corporate intranet. With built-in DHCP, Small Business Server

has full compatibility with Macintosh clients running Open Transport 1.1, allowing them to use

dynamically assigned IP addresses. For example, a Macintosh PowerBook can be moved anywhere in the

network with no disruption to network services.

Security

With Internet Security and Acceleration (ISA) Server 2000, which is included with Small Business Server,

Macintosh clients have fast and secure access to the Internet. Also, Services for Macintosh fully supports

and complies with Windows 2000 security. It presents the AFP security model to Macintosh users and

enables them to gain access to files on volumes that reside on compact discs or other read-only media. The

AFP server also supports both clear text and encrypted passwords at logon time.

Note The technology consultant has the option of configuring the server to not accept clear text passwords.

13

Interoperability Benefits of Services for Macintosh

The following table summarizes the interoperability benefits that Services for Macintosh, included in

Small Business Server, has for Macintosh users.

Table 20.1 Services for Macintosh Interoperability Benefits

Feature Benefit

Seamless connectivity for

Macintosh users

Macintosh users can access the Windows 2000 Server as easily as an

AppleShare Server, using the familiar Chooser dialog box.

High performance file and

print services

Macintosh users can make the most of Windows 2000 Server performance, with

its ability to move large graphics files faster than any other network operating

system.

Full-featured AppleTalk

routing

With its built-in Multi-Protocol Router, a Windows 2000 Server can replace a

dedicated AppleTalk router.

Universal printing Macintosh users can print PostScript jobs to either PostScript or non-PostScript

printers, using the Windows 2000 print server. Server-side spooling means a

faster return to the client application and increased user productivity.

The Windows 2000 print subsystem handles AppleTalk de-spooling errors and

uses the Windows 2000 Server built-in printer support. A PostScript-compatible

engine enables Macintosh users to print to any Windows 2000 printer as if they

are printing to a LaserWriter.

AppleTalk/PostScript

printing for Windows users

Windows users can send print jobs to PostScript printers on an AppleTalk

network, which provides them with access to more network resources.

A user interface in Services for Macintosh allows for publishing a print queue

on AppleTalk and for choosing an AppleTalk printer as a destination device.

User identification and

directory permissions

Users can log on to Small Business Server from either a Windows PC or a

Macintosh computer, using the same user identification. Windows 2000 Server

directory permissions for Macintosh users can be set in exactly the same way as

an AppleShare Server, eliminating the need for Macintosh users to learn a new

security model.

High volume capacity Macintosh users use a Windows 2000 Server NTFS volume.

Flexible server hardware

options

Windows 2000 Server supports more hardware options than any other network

operating system. Thus, Macintosh users can choose the server hardware

platform that best suits their needs, including PowerPC platforms.

-: Session 10:-

13

Exercise 1:-

Run the Recovery Console on a Computer that Does Not Start

NOTE: You must be logged on as an administrator or a member of the Administrators group to complete the following procedure. Also, if your computer is connected to a network, network policy settings may prevent you from completing this procedure.

To run the Recovery Console on a computer that does not start: 1. Insert the Windows 2000 Server Setup Disk 1 floppy disk into your disk drive, or, if you have a bootable

CD-ROM drive, you can instead insert the Windows 2000 Server CD-ROM into your CD-ROM drive. 2. Restart your computer.3. Follow the directions that are displayed on the screen. If you are using the Setup disks, you are prompted

to insert the other Setup disks into the disk drive. It may take several minutes to load files. Select the appropriate options to repair your Windows 2000 installation and to start the Recovery Console.

4. Once in the Recover Console, type HELP, and then press ENTER to see a list of commands.

NOTE: As an alternative, you can install the Recovery Console on your computer so it is always available. See the "Precautionary Measures" section of this article for information about how to install the Recovery Console on a working computer.

How to encrypt files and folders on a remote Windows 2000 Server

. Connect to the server that contains the files or folders that you want to encrypt. 2. Right-click the file or folder that you want to encrypt, and then click Properties.3. On the General tab, click Advanced. 4. Click to select the Encrypt contents to secure data check box, click OK, and then click OK.

Note that if you encrypt a folder, you are prompted to confirm how you want to apply the attributes. Click either of the following options, and then click OK: • Apply to this folder only• Apply changes to this folder, subfolders and files

5. Repeat steps 2 through 4 for each file or folder that you want to encrypt.NOTE: The data is encrypted when it is stored on disk, not when it is sent across the network. When you open an encrypted file over the network, the data that is transferred over the network is not encrypted. You must use a network protocol such as Secure Sockets Layer/Private Communications Technology (SSL/PCT) or Internet Protocol Security (IPSec) to encrypt data that is transmitted across a network.

Exercise 4:-

How to back up the recovery agent Encrypting File System (EFS) private key in Windows 2000, and in Windows XP.

INTRODUCTION

This article describes how to back up the recovery agent Encrypting File System (EFS) private key in Windows Server 2003, in Windows 2000, and in Windows XP. You can use the recovery agent's private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost.

You can use EFS to encrypt data files to prevent unauthorized access. EFS uses an encryption key that is dynamically generated to encrypt the file. The File Encryption Key (FEK) is encrypted with the EFS public key and is added to the file as an EFS attribute that is named Data Decryption Field (DDF). To decrypt the FEK, you must have the corresponding EFS private key from the public-private key pair. After

13

you decrypt the FEK, you can use the FEK to decrypt the file.

If your EFS private key is lost, you can use a recovery agent to recover encrypted files. Every time that a file is encrypted, the FEK is also encrypted with the Recovery Agent's public key. The encrypted FEK is attached to the file with the copy that is encrypted with your EFS public key in the Data Recovery Field (DRF). If you use the recovery agent's private key, you can decrypt the FEK, and then decrypt the file.

By default, if a computer that is running Microsoft Windows 2000 Professional is a member of a workgroup or is a member of a Microsoft Windows NT 4.0 domain, the local administrator who first logs on to the computer is designated as the default recovery agent. By default, if a computer that is running Windows XP or Windows 2000 is a member of a Windows Server 2003 domain or a Windows 2000 domain, the built-in Administrator account on the first domain controller in the domain is designated as the default recovery agent.

Note that a computer that is running Windows XP and that is a member of a workgroup does not have a default recovery agent. You have to manually create a local recovery agent. The local administrator is not always the default Encrypting File System recovery agent

Important After you export the private key to a floppy disk or other removable media , store the floppy disk or media in a secure location. If someone gains access to your EFS private key, that person can gain access to your encrypted data.

Export the recovery agent’s private key from a computer that is a member of a workgroup

To export the recovery agent’s private key from a computer that is a member of a workgroup, follow these steps: 1. Log on to the computer by using the recovery agent’s local user account. 2. Click Start, click Run, type mmc, and then click OK.3. On the File menu, click Add/Remove Snap-in, and then click Add. 4. Under Available Standalone Snap-ins, click Certificates, and then click Add.5. Click My user account, and then click Finish.6. Click Close, and then click OK. 7. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates. 8. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the

Intended Purposes column. 9. Right-click the certificate that you located in step 8, point to All Tasks, and then click Export. The

Certificate Export Wizard starts. 10. Click Next.11. Click Yes, export the private key, and then click Next. 12. Click Personal Information Exchange – PKCS #12 (.PFX).

Note We strongly recommend that you also click to select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above check box to protect your private key from unauthorized access.

If you click to select the Delete the private key if the export is successful check box, the private key is removed from the computer and you will not be able to decrypt any encrypted files.

13. Click Next. 14. Specify a password, and then click Next. 15. Specify a file name and location where you want to export the certificate and the private key, and then

click Next.

Note We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.

13

16. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.

Export the domain recovery agent's private key

The first domain controller in a domain contains the built-in Administrator profile that contains the public certificate and the private key for the default recovery agent of the domain. The public certificate is imported to the Default Domain Policy and is applied to domain clients by using Group Policy. If the Administrator profile or if the first domain controller is no longer available, the private key that is used to decrypt the encrypted files is lost, and files cannot be recovered through that recovery agent.

To locate the Encrypted Data Recovery policy, open the Default Domain Policy in the Group Policy Object Editor snap-in, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

To export the domain recovery agent's private key, follow these steps: 1. Locate the first domain controler that was promoted in the domain.2. Log on to the domain controller by using the built-in Administrator account.3. Click Start, click Run, type mmc, and then click OK.4. On the File menu, click Add/Remove Snap-in, and then click Add. 5. Under Available Standalone Snap-ins, click Certificates, and then click Add.6. Click My user account, and then click Finish.7. Click Close, and then click OK. 8. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates. 9. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the

Intended Purposes column. 10. Right-click the certificate that you located in step 9, point to All Tasks, and then click Export. The

Certificate Export Wizard starts. 11. Click Next.12. Click Yes, export the private key, and then click Next. 13. Click Personal Information Exchange – PKCS #12 (.PFX).

Note We strongly recommend that you click to select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or abovecheck box to protect your private key from unauthorized access.

If you click to select the Delete the private key if the export is successful check box, the private key is removed from the domain controller. As a best practice, we recommend that you use this option. Install the recovery agent's private key only in situations when you need it to recover files. At all other times, export, and then store the recovery agent's private key offline to help maintain its security.

14. Click Next. 15. Specify a password, and then click Next. 16. Specify a file name and location where you want to export the certificate and the private key, and then

click Next.

Note We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.

17. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.

Exercise 6:-

Cannot Print to a Network Printer After Adding Internet Connection Sharing

13

After you add Internet Connection Sharing to the network, you cannot print. This problem occurs because Connection Sharing uses a Class C subnet with an address range of 198.168.0.x. To fix this issue, reset the IP address of the printer to match the subnet of the computers that are using Connection Sharing.

Cannot Send a Print Job to a Windows 98 Client

You cannot send a print job to a Windows 98-based client that is using a password for the printer share from Window 2000. To resolve this issue, use the following command: net use LPT1 \\computer\printerpassword /persistent:yes Replace computer with the computer name of the Windows 98-based computer that is sharing the printer, replace printer with the name of the printer share, and replace password with the password for the share.

Error Messages Typically Caused by Local Port Monitor Problems

When you restart the computer or restart the Print Spooler service, you receive the following error message: Spoolsv.exe failed to startWhen you open the printer's properties, you receive the following error message Out of Resources ErrorWhen you try to print a document, you receive an "Access violation" (Dr. Watson) error message. The Dr. Watson log points to Spoolsv.exe with error code C0000005.

You receive the following error message, and the print spooler stops: The instruction at 'address' referenced memory at 'address'. The memory could not be read. Attempting to restart the Print Spooler service or open the Printers folder causes the same message.

These problems may occur if the default local port monitor is changed by a third-party program. Fixing these problems requires editing the registry.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. 1. Start Registry Editor.2. Locate the Local Port value under the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port 3. Double-click the Driver subkey, and then edit the value. Change the string value to Localspl.dll, and

then click OK.4. Check the following registry key for third-party monitors. Remove any non-default monitors:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors The default port monitors are: AppleTalk Printing Devices (When Services for Macintosh is installed)BJ Language MonitorLocal PortPJL Language MonitorStandard TCP/IP PortUSB MonitorWindows NT Fax Monitor

** LPR Port NOTE: Do not remove LPR Port Monitor unless advised by a Microsoft Support Professional.

5. Check the following registry key for third-party print providers. Remove any non-default print providers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers The default print providers are: Internet Print ProviderLanMan Print Services

13

6. Check the following registry key for third-party print processors. Remove any non-default print processors: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors The default print processor is: WinPrint To find out what printer is using the print processor, use the Microsoft Product Support Reporting Tool (MPS_REPORTS) tool to open MachineName_PRINTDRIVERS.TXT, and then search for the third-party print processor and for the queues that are using the print processor.

7. Change the third-party print processor to WinPrint.8. Click Start, point to Settings, and then click Control Panel.9. Double-click Printers, right-click the printer, and then click Properties.10. On the Advanced tab, click Print Processor.11. In the Print Processor box, click WinPrint.12. Click OK two times.13. Quit Registry Editor.After you edit the registry, restart the print spooler. To do so, start Microsoft Management Console (MMC) and add the Computer Management or the Services snap-in. Right-click Print Spooler Service, and then click Start.

Exercise 9:-

SYMPTOMS

When you use a dial-up remote access service (RAS) connection to browse the Internet or to connect to a corporate network, your computer may stop responding (hang) and return a Stop error (an error on a blue screen) similar to the following:STOP: 0x0000000A (0xC104027E, 0x00000002, 0x00000000, 0x804A5DE6)IRQL_NOT_LESS_OR_EQUAL

CAUSE

This problem may be caused by the Winacpci.sys driver that is supplied by your modem manufacturer. For additional information about the Winacpci.sys driver, please contact your modem manufacturer.

RESOLUTION

To resolve this issue, disable the Winacpci.sys driver by using the Recovery Console. To do so, follow these steps: 1. Start your computer with the Windows 2000 boot disks, or with the Windows 2000 CD-ROM if your

computer can start from the CD-ROM drive.2. In the Welcome to Setup screen, press R to repair the Windows 2000 installation.3. In the Windows 2000 Repair Options screen, press C to use the Recovery Console.4. Select the Windows installation that you want to log on to by typing the number of the installation and

then pressing ENTER.5. Type the Administrator password for your computer, and then press ENTER.6. At the prompt, type cd system32, and then press ENTER.7. Type listsvc, and then press ENTER.8. Locate the Winacpci.sys driver in the list that is provided.

WARNING: Make sure that you locate the Winacpci.sys driver in the list that is provided. Using the wrong file in the following steps may result in more problems.

13

9. Type disable Winacpci.sys, and then press ENTER.

NOTE: The Disable command prints the old start_type values of the service before it resets the service to SERVICE_DISABLED. Record the old start_type information, in case you have to restore the service later.

10. Type exit.

The computer restarts automatically. Allow the computer to start normally.

WORKAROUND

The Winacpci.sys driver that this article mentions comes from the modem manufacturer. To possibly work around this problem, use the Windows 2000 version driver. Windows 2000 includes the Winacpci.sys driver in the I386\driver.cab file with a date of Friday, September 24, 1999, 11:55:30 PM.

To use the Windows 2000 Winacpci.sys driver, follow these steps: 1. Right-click My Computer, and then click Manage.2. Click Device Manager, locate the modem, and then right-click it.3. Click Update Driver.

Follow the on-screen instructions. Windows finds and installs the driver from the Windows 2000 CD.

Exercise 7

How to enable / disable call waiting on computer.

Cause:

You may want to enable call waiting for users with one phone line. This will disconnect the computer from the phone line when a call comes through.

It may be required that call waiting be disabled to ensure it is not causing the computer modem to not function.

Solution:

To enable call waiting:

Before attempting to enable call waiting you must ensure that the phone company has enabled this extra feature on your phone line. If this feature is enabled and the phone line does not have this feature it is likely that the modem will not work. Below are steps for Windows 95 and 98 users to ensure that call waiting is not enabled on the computer.

1. Click Start / Settings / Control Panel 2. Double click Modems within Control Panel 3. Click the dialing properties button 4. Verify that the box for 'disable call waiting' is not checked.

To disable call waiting:

The following are steps on how to disable call waiting. It is important to remember if you have one phone line and disable call waiting no one will be able to reach you.

13

MS-DOS and Windows 3.x users can enable call waiting by following the below steps:

1. When dialing a BBS or Internet number place one of the following prefix codes in front of the phone number. Generally this is *70 however may vary in your area. The available numbers are:*70#701170

To separate this number and the phone number generally a comma is required. The following is an example of what this may look like:*70,18011231234

Windows 95 / 98 users can disable call waiting by following the below steps:

1. Click Start / Settings / Control Panel 2. Double click Modems within Control Panel 3. Click the dialing properties button 4. Check the box to disable call waiting 5. Select the appropriate code to disable call waiting, generally this code is *70

Exercise 2:- Troubleshoot the “NTLDR is missing “ Error Message in machine.

This problem may occur if the basic input/output system (BIOS) on your computer is outdated, or if one or more of the following Windows boot files are missing or damaged: NtldrNtdetect.comBoot.ini To resolve this issue, verify that the BIOS on your computer is current, and then use one or more of the following methods, as appropriate to your situation, to repair the Windows 2000 startup environment.

IMPORTANT: Microsoft recommends that you fully back up your data on a regular basis. This is the best defense against data loss, and it must be a part of any disaster recovery plan.

Verify That the BIOS on the Computer Is Current

Make sure that the latest revision for BIOS is installed on the computer. Contact the computer manufacturer to inquire about how to obtain, and then install the latest BIOS update that is available for the computer.

For information about how to configure and how to verify the correct BIOS settings for the computer, see the computer documentation or contact the manufacturer of the computer.

To repair the Windows startup environment, use one or more of the following methods, as appropriate to your situation.

Method 1: Use a Boot Disk to Start the Computer1.2. Create a Windows 2000 boot disk that contains the following files:

NtldrNtdetect.comBoot.iniNtbootdd.sys

14

3. Modify the Boot.ini file to point to the correct hard disk controller and to the correct volume for your

Windows installation. 4. Insert the boot disk into the computer's floppy disk drive, and then restart the computer.5. Copy the Ntldr file, the Ntdetect.com file, and the Boot.ini file from the boot disk to the system partition

of the local hard disk.

Method 2: Use the Recovery Console

1. Use the Windows 2000 Setup disks to restart the computer, or use the Windows 2000 CD-ROM to restart the computer.

2. At the Welcome to Setup screen, press R to repair the Windows 2000 installation.3. Press C to repair the Windows 2000 installation by using the Recovery Console.4. Type the number that corresponds to the Windows installation that you want to repair, and then press

ENTER. For example, type 1, and then press ENTER. 5. Type the Administrator password, and then press ENTER.6. Type map, and then press ENTER. Note the drive letter that is assigned to the CD-ROM drive that

contains the Windows 2000 CD-ROM.7. Type the following commands, pressing ENTER after you type each one, where drive is the drive letter

that you typed in step 4 of "Method 2: Use the Recovery Console," of this article: copy drive:\i386\ntldr c:\

copy drive:\i386\ntdetect.com c:\If you are prompted to overwrite the file, type y, and then press ENTER.

NOTE: In these commands, there is a space between the ntldr and c:\, and between ntdetect.com and c:\.

8. Type the following command, and then press ENTER: type c:\Boot.iniA list similar to the following list appears:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINNT [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect

If you receive the following message, the Boot.ini file may be missing or damaged: The system cannot find the file or directory specified.

9. If the Boot.ini file is missing or damaged, create a new one. To do so, follow these steps: a. Use a text editor, such as Notepad or Edit.com, to create a boot loader file similar to the following

boot loader file:


b. Save the file to a floppy disk as Boot.ini.

NOTE: If you used Notepad to create the file, make sure that the .txt extension is not appended to the Boot.ini file name.

c. Type the following command at the Recovery Console command prompt to copy the Boot.ini file from the floppy disk to the computer: copy a:\Boot.ini c:\

10. Type exit, and then press ENTER. The computer restarts.

14

Method 3: Use the Windows 2000 CD-ROM

1. Insert the Windows 2000 CD-ROM into the computer's CD-ROM drive or DVD-ROM drive, and start Windows 2000 Setup.

2. On the Welcome to Setup page, press R.3. On the Windows 2000 Repair Options page, press R.4. When you are prompted to select one of the repair options, press M.5. Press the UP ARROW, press the UP ARROW again, to select Verify Windows 2000 system files, and

then press ENTER to clear the selection.6. Press the DOWN ARROW to select Continue (perform selected tasks), and then press ENTER. The

following message appears: You need an Emergency Repair disk for the Windows 2000installation you want to repair.

7. Do one of the following, as appropriate to your situation: • If you have an Emergency Repair Disk, follow these steps:

-or- • If you do not have an Emergency Repair Disk, follow these steps:

If Setup Cannot Locate Windows 2000If you do not have a Windows 2000 Emergency Repair Disk, and if Setup cannot locate the Windows 2000 installation, follow these steps:

1. Start Windows 2000 Setup.2. On the Setup will install Windows 2000 on partition page, select Leave the current file system

intact (no changes), and then press ENTER.3. Press ESC to install Windows 2000 to a new folder.4. In the Select the folder in which the files should be copied box, type \tempwin, and then press

ENTER.

Setup installs a new copy of Windows 2000.5. Log on to the new copy of Windows 2000.6. Click Start, and then click Run.7. In the Open box, type cmd, and then click OK.8. At the command prompt, type drive:, where drive is the boot drive of the computer, and then press

ENTER. For example, type c:, and then press ENTER.9. Type attrib -h -r -s Boot.ini, and then press ENTER.10. Type edit Boot.ini, and then press ENTER.

Edit.com opens a Boot.ini file that is similar to the following file:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN [operating systems] multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN="Microsoft Windows 2000 Professional" /fastdetect

11. Replace all instances of TEMPWIN with WINNT. The Boot.ini file that appears is similar to the following file:


14

12. Press ALT+F, and then press S.13. Press ALT+F, and then press X.14. Type attrib +h +r +s Boot.ini, and then press ENTER.15. Type exit to quit the command prompt.16. Restart the computer.17. At the Please select the operating system to start screen, use the ARROW keys to select Microsoft

Windows 2000, and then press ENTER.18. Start Windows Explorer, locate the following folders, and then delete them:

TempwinAll Users.Tempwin

14

DATABASE MANAGEMENT

SYSTEM

(DBMS)

14

Session 1

Step1: CREATE table Employee;

Step2: CREATE table Department;

Step3: CREATE table Department_Location;

Step4: CREATE table Project;

14

Step5: CREATE table Works_on;

Step6: CREATE table Dependent;

Queries: 1. List the Department wise details of all the employees SELECT Department.Dept_no, Department.Dept_name, Department_Location.Dept_location,

Employee.Employee_id, Employee.First_name, Employee.Last_name FROM (Department INNER JOIN Department_Location ON Department.Dept_no = Department_Location.Dept_no) INNER JOIN Employee ON Department.Dept_no = Employee.Dept_no ORDER BY Department.Dept_no;

14

2. Find out all those departments that are located in more than one location. SELECT [Department].[Dept_name], [Department].[Dept_no], [Department_Location].[Dept_location] FROM

Department INNER JOIN Department_Location ON [Department].[Dept_no] = [Department_Location].[Dept_no] WHERE ((([Department].[Dept_name])="CPMU"));

3. Find the list of projects. SELECT [Project].[Proj_name], [Project].[Proj_no] FROM Project ORDER BY [Project].[Proj_no];

4. Find out the list of employees working on a project. SELECT Employee.Employee_id, Employee.First_name, Employee.Last_name, Project.Proj_no,

Project.Proj_name FROM (Employee INNER JOIN [Works-on] ON Employee.Employee_id = [Works-on].Employee_id) INNER JOIN Project ON [Works-on].Proj_no = Project.Proj_no WHERE (((Project.Proj_no)=310)) ORDER BY Employee.Employee_id;

14

5. List the dependents of the employee whose employee id is ‘111’. SELECT Employee.Employee_id, Employee.First_name, Employee.Last_name,

Dependent.Dependent_name, Dependent.Relationship FROM Employee INNER JOIN Dependent ON Employee.Employee_id = Dependent.Employee_id WHERE (((Employee.Employee_id)=111));

Session 2

Step1: CREATE table BookRecords;

Step2: CREATE table Books;

14

Step3: CREATE table Members;

Step4: CREATE table BookIssue;

Queries: Display the structure of the tables.

14

Query 5 a): Get the list of all books (No need to find the no. of copies) SELECT * FROM Books;

Query 5 b): Get the list of all members SELECT [Member_Name] FROM Members;

Query 5 c): Get the Accession no of the books, which are available in the library SELECT BookIssue.AccNumber FROM BookIssue WHERE (((BookIssue.IssueDate) Is Null));

Query 5 e): List the books issued on 01-Jan-2005SELECT [BookIssue].[AccNumber], [BookIssue].[IssueDate] FROM BookIssue WHERE ((([BookIssue].[IssueDate])=#1/1/2005#));

15

Query 5 f): Get the list of all books having price greater than Rs. 500/- SELECT Books.ISBN_No, Books.Author, Books.Publisher, Books.Price FROM Books WHERE

(((Books.Price)>500));

Query 5 g): Get the list of members who did not have any books issued at any time SELECT Members.Member_Name FROM BookIssue INNER JOIN Members ON BookIssue.Member_id =

Members.Member_id WHERE (((BookIssue.IssueDate) Is Null));

Query 5 h): Get the list of members who have not returned the book SELECT BookIssue.Member_id, Members.Member_Name FROM BookIssue INNER JOIN Members ON

BookIssue.Member_id = Members.Member_id WHERE (((BookIssue.ReturnDate) Is Null) AND ((BookIssue.IssueDate) Is Not Null));

Query 5 i): Display member ID and the list of books that have been issued to him/her from time to time SELECT BookIssue.Member_id, BookIssue.IssueDate, BookIssue.AccNumber FROM BookIssue WHERE

(((BookIssue.IssueDate) Is Not Null)) ORDER BY BookIssue.Member_id, BookIssue.IssueDate;

15

Query 5 j): Find the number of copies of each book (A book accession no would be different but ISBN no would be the same)

SELECT Count(BookRecords.AccNumber) AS CountOfAccNumber, BookRecords.ISBN_No FROM BookRecords GROUP BY BookRecords.ISBN_No ORDER BY BookRecords.ISBN_No;

Query 5 k): Find the number of copies available of a book of given ISBN no. (Here we assume the ISBN No = 265498)

SELECT QSes2_5j.CountOfAccNumber, QSes2_5j.ISBN_No FROM BookRecords, QSes2_5j GROUP BY QSes2_5j.CountOfAccNumber, QSes2_5j.ISBN_No HAVING (((QSes2_5j.ISBN_No)="265498"));

Session 4:

CREATE table Customer;

Queries: b) Print the entire customer table.

15

SELECT * from Customer;

d) Find the customer belonging to area ‘abc’. SELECT [Customer].[Name], [Customer].[Area] FROM Customer WHERE ((([Customer].[Area])="abc"));

e) Delete record where area is NULL. DELETE Customer.Area from Customer WHERE ((Customer.Area)Is Null));

f) Display all records in increasing order of name.

SELECT Customer.Name, Customer.Customer_id, Customer.Area, Customer.Phone FROM Customer ORDER BY Customer.Name;

15

g) Create table temp from customer having customer-id, name and area field only. SELECT Customer.Customer_id, Customer.Name, Customer.Area INTO temp FROM Customer;

h) Display area and number of records within each area (Use Group by clause). SELECT Count(Customer.Area) AS CountOfArea, Customer.Area FROM Customer GROUP BY

Customer.Area;

15

JAVA PROGRAMMING

15

1. class Acc{ String name,acct_type,address; float initial_amt,curr_bal; int acct_no; Acc(String n,int an,float in) { name=n; acct_no=an; initial_amt=in; } Acc(String n,int an,String a,String at,float c) { name=n; acct_no=an; address=a; acct_type=at;

15

curr_bal=c; } void deposit() { float deposit=500; } void withdraw() { float withdraw=200; } void get_balance() {// float bal=(deposit-withdraw); // return bal; }}

class Account{ public static void main(String args[]) { Acc r=new Acc("yamini",7097,500); Acc r1=new Acc("prasanna",7098 ,"rvcolony","savings",1000); r.deposit(); r.withdraw(); //bal1=r.get_balance(); r1.deposit(); r1.withdraw(); r1.get_balance(); System.out.println("\tName="+r.name+"\tAccount number="+r.acct_no+"\tInitial amount "+r.initial_amt); System.out.println("\tName="+r1.name+"\tAccount number="+r1.acct_no+"\tAddress="+r1.address); System.out.println("\tAccount type="+r1.acct_type+"\tCurrent balance="+r1.curr_bal); //System.out.println("Balance is="+bal1); }}

2.class Area { public static void main(String args[]) { double h=12.0,w=5.0; double area=(h*w); System.out.println("The area of a rectangle is" +area); } }

15

3.

class Avg{public static void main (String args[]){

double m1=82;double m2=65;double m3=90;double m4=73;double avg=(m1+m2+m3+m4)/4;System.out.println("The average of four subjects:"+avg);}

}

4. class Break { public static void main(String args[]){ int i=0; System.out.println("This is to illustrate break statement"); while(i<100){

if(i==10) break; System.out.println("i:"+i);

i++;}

System.out.println("Loop complete");

System.out.println("This is to illustrate continue statement");

outer: for(i=0;i<10;i++){for(int j=0;j<10;j++){if (j>i){ System.out.println();

continue outer;}System.out.println(" "+(i*j));

}} System.out.println();

}}

5. public class Byzero{ public static void main(String args[]) { int b=100,res=0; int a[]={0,1,2,5,0,25,0,50,0}; for (int i=0;i<9;i++)

{

15

try{res=res+(b/a[i]);

System.out.println(" "+res);}

catch (ArithmeticException e) { a[i]=1; } } }}

6.

public class Enonnumeric{

public static void main(String args[]){

int sum=0;int invalid=0;for(int i=0;i<args.length;i++){

try {

sum+=Integer.parseInt(args[i]); } catch(NumberFormatException e) { invalid++; } }

System.out.println("Total number of arguments:"+args.length);System.out.println("Invalid numbers:"+invalid);

System.out.println("Sum:"+sum); }}

7. class Exam{public static void main(String args[])

throws java.io.IOException{int m1[]=new int[2];System.out.println("Enter 2 elements");for(int i=0;i<2;i++){m1[i]=(int) System.in.read ();

16

System.out.println( );}

for(int. i=0;i<2;i++)System.out.print(m1[i]+" ");

}

}

8.

import java.util.*;public class Except{ public static void main(String args[]) { int a[]={1,2,3,4,5,6,7,8,9,1,7,8,9,0};

int num=0; for (int i=0;i<20;i++)

{ try

{ System.out.println(" "+a[i]); } catch(ArrayIndexOutOfBoundsException e) {

num++; } }

System.out.println("Index has been out of bounds by:"+num); }}

9.

class Expression { public static void main(String args[]) { byte a=10,b=5;

int c,d,e,f; c=(a<<2)+(b>>2); d=(a)|(b>0);

e=(a+b*100)/10;f=(a&b);System.out.println("(a<<2)+(b>>2)="+c);System.out.println("(a)|(b>0)="+d);System.out.println("(a+b*100)/10=" +e);

16

System.out.println("a&b=" +" "+f); }}

10.

//create a super classclass A{ int i; private int j; void setij(int x,int y) { i=x; j=y; }} class B extends A{ int total; void sum() { total=i+j; }}

class Inh1{ public static void main(String args[]) { B obj=new B(); obj.setij(10,12); obj.sum(); System.out.println("Total is="+obj.total); }}

11.

import java.io.*;public class Matrix { public static int readInt() throws IOException { BufferedReader b =new BufferedReader(new InputStreamReader(System.in));

int i=Integer.parseInt(b.readLine());return i;

}

16

public static void main(String args[]) throws IOException {

int m1[][]=new int[2][3];int m2[][]=new int[3][2];int m3[][]=new int[2][2];

System.out.println("Enter the 6 numbers");for(int i=0;i<2;i++)for(int j=0;j<3;j++)m1[i][j]=readInt();for(int i=0;i<2;i++){ for(int j=0;j<3;j++) { System.out.print("\t "+m1[i][j]); } System.out.println();}

System.out.println("Enter the 6 numbers");for(int i=0;i<3;i++)for(int j=0;j<2;j++)m2[i][j]=readInt();

for(int i=0;i<3;i++){for(int j=0;j<2;j++){System.out.print("\t "+m2[i][j]);}System.out.println();}

for(int i=0;i<2;i++){ for(int j=0;j<2;j++) { m3[i][j]=0;

for(int k=0;k<3;k++) m3[i][j]=m3[i][j]+m1[i][k]*m2[k][j]; } }

System.out.println("The product of two matrices is:");for(int i=0;i<2;i++){for(int j=0;j<2;j++){

System.out.print("\t "+m3[i][j]);}System.out.println();}

16

}}

12.

class Player{ String name; Player(String nm) { name=nm; } }class Cricket_player extends Player{ Cricket_player(String nm) { super(nm); } void play() { System.out.println("play cricket:"+name); }}class Football_player extends Player{ Football_player(String nm) { super(nm); } void play() { System.out.println("play Football:"+name); }}

class Hockey_player extends Player{ Hockey_player(String nm) { super(nm); } void play() {

16

System.out.println("play hockey:"+name); }}

class Player1{ public static void main(String args[]) {

Cricket_player c=new Cricket_player("sachin tendulkar"); Football_player f=new Football_player("peley"); Hockey_player h=new Hockey_player("Helen mary");

c.play();

f.play();

h.play(); }}

13.

class Rect{ double width,length,area; String colour; void set_length(double x) { length=x; } void set_width(double y) { width=y; } String set_colour(String z) { colour=z; return colour; } double find_area() { area=length*width; System.out.println("Area of rectangle="+area); return area; } }

16

class Rectangle{

public static void main(String args[]){

double area1, area2;String st1,st2;Rect r1=new Rect();Rect r2=new Rect();r1.set_length(5.0);r1.set_width(6.0);st1=r1.set_colour("blue");area1=r1.find_area();r2.set_length(5.0);r2.set_width(6.0);st2=r2.set_colour("green");area2=r2.find_area();if ((area1==area2) && st1.equals(st2)){ System.out.println("Matching rectangles");}else{System.out.println("Non matching rectangles");}

}}

14.

abstract class Worker { public String name; public double sal_rate,pay; int hours; Worker(String nm,double sr) { name=nm; sal_rate=sr; } abstract void compay(); }

class Daily_worker extends Worker{ int days_worked; Daily_worker(String nm,double sr,int dw) {

16

super(nm,sr); days_worked=dw; } void compay() { pay=days_worked*sal_rate; System.out.println("\t Name:"+name+ "\tsalary per day"+sal_rate+"\tpay per week"+pay); }}class Salaried_worker extends Worker{ Salaried_worker(String nm,double sr) { super(nm,sr); } void compay() {

pay=(40*sal_rate); System.out.println("\t Name:"+name+ "\tsalary per hour:"+sal_rate+"\tpay per week:"+pay); }}

public class Salary{ public static void main(String args[]) { Daily_worker d=new Daily_worker("ramesh" ,50.0 ,6); Salaried_worker s=new Salaried_worker("das",20.0); d.compay(); s.compay(); }}

15.

class Strin1{public class void main(String args[]){ int cnt=0; String s="yaminiprasanna"; System.out.println("The length of the string is:"+s.length()); int len=s.length();

16

for (int i=0;i<len;i++) { if (Character.a(s.charAt(i)) { System.out.println("a is at the position :"i); cnt++; } else System.out.println("a is not present in the string"); } System.out.println("a has occured "+cnt+"times"); }}

16.

class Strin1{public static void main(String args[]){ int cnt=0; Character s1=new Character('a'); String s="yaminiprasanna"; System.out.println("The length of the string is:"+s.length()); int len=s.length(); for (int i=0;i<len;i++) { Character s2=new Character(s.charAt(i)); if ( s1.equals(s2)) { System.out.println("a is at the position :"+i); cnt++; } } System.out.println("a has occured "+cnt+"\ttimes"); }}

17.

public class Strin3{ public static void main(String args[]) {

String s="I am studying in ignou at bangalore";

16

System.out.println("First occurence of character 'a' is at position:"+s.indexOf('a')); System.out.println("Last occurence of character 'a' is at position:"+s.lastIndexOf('a')); }}

18.import java.io.*;public class Strin4{ public static void main(String args[]) throws IOException { String var,var1;

BufferedReader str=new BufferedReader(new InputStreamReader(System.in));System.out.println("Enter any statement");var=str.readLine();var1=var.toUpperCase();

System.out.println("The statement in uppercase is\n"+var1);

}}

19.

import java.io.*;

class Sumdigits{public static void main(String args[])

throws IOException{BufferedReader br=new BufferedReader(new InputStreamReader(System.in));String str;int num,rem;int sum=0;

System.out.println("Enter a 5 digit number");str=br.readLine();num=Integer.parseInt(str);while(num>0){rem=num%10;sum=sum+rem;num=num/10;}System.out.println("The sum of the digits"+sum);

}}

20.

16

class Fivetable extends Thread{ public void run() { for (int i=1;i<=5;i++) System.out.println("5 *"+i+"="+(5*i)); }}class Sixtable extends Thread{ public void run() { for (int i=1;i<=5;i++) System.out.println("6 *"+i+"="+(6*i)); }}class Seventable extends Thread{ public void run() { for (int i=1;i<=5;i++) System.out.println("7 *"+i+"="+(7*i)); }}class Eighttable extends Thread{ public void run() { for (int i=1;i<=5;i++) System.out.println("8 *"+i+"="+(8*i)); }}class Ninetable extends Thread{ public void run() { for (int i=1;i<=5;i++) System.out.println("9 *"+i+"="+(9*i)); }}

public class Thr1{ public static void main(String args[]) throws InterruptedException { Fivetable f=new Fivetable(); Sixtable s=new Sixtable(); Seventable se=new Seventable();

17

Eighttable e=new Eighttable(); Ninetable n=new Ninetable(); f.setPriority(7); s.setPriority(2); se.setPriority(10); e.setPriority(5); n.setPriority(8); f.sleep(1500); if (f.isAlive()) System.out.println("Thread 5 is alive"); else System.out.println("Thread 5 is not alive"); s.start(); if (s.isAlive()) System.out.println("Thread 6 is alive"); else System.out.println("Thread 6 is not alive"); se.sleep(1000); if (se.isAlive()) System.out.println("Thread 7 is alive"); else System.out.println("Thread 7 is not alive"); e.start(); if (e.isAlive()) System.out.println("Thread 8 is alive"); else System.out.println("Thread 8 is not alive"); n.start(); if (n.isAlive()) System.out.println("Thread 9 is alive"); else System.out.println("Thread 9 is not alive"); }}

21.abstract class worker { String name; double sal_rate; worker(String nm,double sr);

17

{ name=nm; sal_rate=sr; } abstract void compay() }class Daily_worker extends worker{ int days_worked; Daily_worker(String nm,double sr,int dw) { super(nm,sr); days_worked=dw; } void compay() { double pay=(days_worked*sal_rate) System.out.println("\t Name:"+name+ "\tsalary per day"+sal_rate+"\tpay per week"+pay); }}class Salaried_worker extends worker{ Daily_worker(String nm,double sr) { super(nm,sr); } void compay() { double pay=(40*sal_rate) System.out.println("\t Name:"+name+ "\tsalary per hour"+sal_rate+"\tpay per week"+pay); }}

17

Master of Computer Applications1[1]

Documents

Transcript of Master of Computer Applications1[1]