
ENGINEERING COLLEGE BIKANER DEPARTMENT OF INFORMATION TECHNOLOGY

MCSE- Summer Training Report

Submitted By:
Name: SOMESH VYAS
Roll No.: 08EEBIT055
Year: 4th year, 7th sem.
Name & Location (Company): Network Zones, Panchsati Circle, Bikaner

ACKNOWLEDGEMENT
A research work owes its success, from commencement to completion, to the people in love with researchers at various stages. Let me in this page express my gratitude to all those who helped us in various stages of this study. First, I would like to express my sincere gratitude and indebtedness to Mr. Ganesh Singh (HOD, Department of Information Technology, Engineering College, Bikaner) for allowing me to undergo the summer training of 30 days at Network Zones. I am grateful to our guide Mr. Satish sir for the help provided in completion of the project which was assigned to me. Without his friendly help and guidance it would have been difficult to develop this project. Last but not least, I pay my sincere thanks and gratitude to all the staff members of Network Zones for their support and for making our training valuable and fruitful.

Submitted By: Somesh Vyas

PREFACE

I did my summer training in NETWORK ZONES, BIKANER. I completed my summer training for 120 days. I got training in the study of MICROSOFT CERTIFIED SYSTEM ENGINEER. Hence I am presenting the training report of MCSE. All the mistakes and problems had been carefully removed with the help of all the managers. So I am thankful to all the managers of NETWORK ZONES.

SOMESH VYAS

TABLE OF CONTENTS

1. Acknowledgment
2. Certificate
3. Preface
4. Company Profile
5. MCSE Overview
6. Windows Server 2003 Editions
   Windows Small Business Server
   Web Edition
   Enterprise Edition
   Datacenter Edition
   Windows Compute Cluster Server
   Windows Storage Server
   Windows Home Server
7. Updates
8. Design and licensing considerations
9. Replication
10. Database
11. Light-weight directory service
12. Remote Installation Server
13. IIS
14. Microsoft Message Queuing or MSMQ
15. NTFS
16. ADS
17. Windows Deployment Services
18. Microsoft Transaction Server
19. Group Policy Object
20. GPMC
21. Project
22. Reference

PROFILE

ABACUS NETWORK ZONES was started by two dedicated and experienced faculty members who understood the needs and problems of aspiring students from small towns and villages who cannot afford high fees and have difficulty in understanding English. The main objective was to create and maintain interest in computer hardware and networking amongst students of small towns and villages by providing quality education in easy language, focused more on the demands of today's job market. The thrust at ABACUS NETWORK ZONES is on practical training and course content development. Hence the courses, devised and developed after extensive research, are those that are up to date and easy to understand. Individual attention, compulsory English language classes, direct job placement and affordable fees in easy installments have helped ABACUS NETWORK ZONES to make a name in the field of computer hardware, networking and security.

QUALITY POLICY

The Institute is committed to delivering new programs and training methodologies that meet and exceed customer expectations by:
Setting quality objectives for the Institution, our delivery and our people.
Measuring performance and taking action to realize the objectives.
Continually working to improve the effectiveness of the quality management system.
Constantly improving our training system and manpower skills.
Achieving operational excellence in all that we do.
By developing employees and workplaces everywhere, we are delivering unmatched customer satisfaction through constant interaction with our students and faculty; we strive to continuously improve our performance to achieve the best.

MCSE Overview
The Microsoft Certified Systems Engineer (MCSE) certification shows clients and employers that you are skilled in designing, implementing, and administering infrastructures for business solutions based on Windows Server 2003 and Microsoft Windows 2000 Server. Implementation responsibilities include installing, configuring, and troubleshooting network systems. The course outline includes the following:

Planning, Implementing and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure (70-294)
Introduction to Active Directory
Implementing Active Directory
Tree, forest and domain structure
Active Directory objects
Group scope management
Group Policy: deploying software by Group Policy, redirecting folders by using Group Policy
Delegation
Implementing sites and the Global Catalog
Managing operations master roles
Active Directory backup and restore
Evaluating the need to enable universal group caching
Establishing trust relationships; types of trust relationships include external trusts, shortcut trusts, and cross-forest trusts
Planning a Group Policy strategy by using Resultant Set of Policy (RSoP) planning mode

Designing Security for Microsoft Networks (70-298)
Introduction to designing security
Creating a plan for network security
Identifying threats
IPSec (Internet Protocol Security)
Certificate Services
Creating a security design for computers
Creating a security design for data
Creating a security design for network perimeters

Implementing and Managing Microsoft Exchange Server 2003 (70-284)
Microsoft Exchange Server 2003 and Active Directory
Planning and configuring a Microsoft Exchange Server 2003 infrastructure
Coexistence with Microsoft Exchange Server and other mail systems
Installing Microsoft Exchange Server 2003 clusters and front-end and back-end servers
Managing recipient objects and address lists
Public folders, virtual servers
Configuration of connectors
SMTP protocol configuration and management
Microsoft Exchange Server 2003 security
Backup and restore
Monitoring Microsoft Exchange Server 2003
Managing data storage and hardware resources
Mailing between different Exchange servers in different forests

MCSA / MCSE 2003

Installing, Configuring and Administering Microsoft Windows XP Professional (70-270)
Installing Windows XP Professional (attended and unattended)
Workgroup configuration in Windows XP Professional
Sharing folders and permissions
NTFS permissions and features of NTFS partitions
Offline folders
Remote Assistance
Windows XP boot process
Configuration of Internet Explorer
Adding hardware to Microsoft Windows XP

Managing a Microsoft Windows Server 2003 Environment (70-290)
Introducing Microsoft Windows Server 2003
User account and group account management
Backup and restore of data
Printers
DFS
Local Security Policy
Managing hardware devices and drivers
Managing and maintaining physical and logical devices
Managing basic disks and dynamic disks
Monitoring server hardware
Managing and maintaining access to resources
Managing and implementing disaster recovery

Implementing a Microsoft Windows Server 2003 Network Infrastructure: Network Services (70-291)
Understanding Windows Server 2003 networks
Understanding TCP/IP
Monitoring and troubleshooting TCP/IP connections
Implementing a DNS infrastructure
Monitoring and troubleshooting DNS
Configuring DHCP servers and clients
Monitoring with Windows Server 2003
Configuring and managing Remote Access
Managing network security
Maintaining a network infrastructure
Implementing, managing, and maintaining IP addressing, name resolution, network security, routing and remote access

Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (70-293)
Planning a network topology and TCP/IP network infrastructure
Planning Internet connectivity
Planning a name resolution strategy
Using Routing and Remote Access, VPN
Maintaining server availability
Clustering servers
Deploying security configuration
Creating and managing digital certificates
Securing network communications using IPSec
Designing a security infrastructure
Planning and implementing server roles and server security
Planning, implementing and maintaining a network infrastructure, routing and remote access
Planning, implementing and maintaining server availability and network security

Windows server 2003


Windows Server 2003 (sometimes referred to as Win2K3) is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005. Its successor, Windows Server 2008, was released on 4 February 2008.

Editions
Windows Server 2003 comes in a number of editions, each targeted towards a particular size and type of business. In general, all variants of Windows Server 2003 have the ability to share files and printers, act as an application server, and host message queues, provide email services, authenticate users, act as an X.509 certificate server, provide LDAP directory services, serve streaming media, and to perform other server-oriented functions.

Windows Small Business Server


SBS includes Windows Server and additional technologies aimed at providing a small business with a complete technology solution. The technologies are integrated to provide small businesses with targeted solutions such as the Remote Web Workplace, and offer management benefits such as integrated setup, enhanced monitoring, a unified management console, and remote access. The Standard Edition of SBS includes Windows SharePoint Services for collaboration, Microsoft Exchange Server for e-mail, Fax Server, and Active Directory for user management. The product also provides a basic firewall, DHCP server and NAT router using either two network cards or one network card in addition to a hardware router. The Premium Edition of SBS includes the features of the Standard Edition plus Microsoft SQL Server 2000 and Microsoft Internet Security and Acceleration Server 2004. SBS has its own type of Client Access License (CAL) that is different from and costs slightly more than CALs for the other editions of Windows Server 2003. However, the SBS CAL encompasses the user CALs for Windows Server, Exchange Server, SQL Server, and ISA Server, and hence is less expensive than buying all the other CALs individually.

SBS has the following design limitations, mainly affecting Active Directory:
Only one computer in a domain can be running Windows Server 2003 for Small Business Server.
Windows Server 2003 for Small Business Server must be the root of the Active Directory forest.
Windows Server 2003 for Small Business Server cannot trust any other domains.
Windows Server 2003 for Small Business Server is limited to 75 users or devices, depending on which type of CAL is used.
Windows Server 2003 for Small Business Server is limited to a maximum of 4 GB of RAM.
A Windows Server 2003 for Small Business Server domain cannot have any child domains.
Terminal Services only operates in remote administration mode on the server running SBS 2003, and only two simultaneous RDP sessions are allowed. (This is a change from the SBS 2000 policy.)

To remove the limits from SBS and upgrade from Small Business Server to the regular Windows Server, Exchange Server, SQL Server and ISA Server versions, there is a Windows Small Business Server 2003 R2 Transition Pack.

Web Edition
Windows Server 2003, Web Edition is mainly for building and hosting Web applications, Web pages, and XML Web services. It is designed to be used primarily as an IIS 6.0 Web server and provides a platform for rapidly developing and deploying XML Web services and applications that use ASP.NET technology, a key part of the .NET Framework. Terminal Services is not included in Web Edition; however, Remote Desktop for Administration is available. Only 10 concurrent file-sharing connections are allowed at any moment. It is not possible to install Microsoft SQL Server and Microsoft Exchange software in this edition without installing Service Pack 1. Despite supporting XML Web services and ASP.NET, UDDI cannot be deployed on Windows Server 2003 Web Edition. The .NET Framework version 2.0 is not included with Windows Server 2003, Web Edition, but can be installed as a separate update from Windows Update. Windows Server 2003 Web Edition supports a maximum of 2 physical processors and a maximum of 2 GB of RAM. Additionally, Windows Server 2003, Web Edition cannot act as a domain controller. It is the only edition of Windows Server 2003 that does not require Client Access Licenses when used as the Internet-facing front-end server for Internet Information Services and Windows Server Update Services. When using it for storage or as a back end with another remote server as the front end, CALs may still be required.

Standard Edition
Microsoft Windows Server 2003, Standard Edition is aimed towards small to medium-sized businesses. Standard Edition supports file and printer sharing, offers secure Internet connectivity, and allows centralized desktop application deployment. The initial release of Windows Server 2003 was available solely for 32-bit processors; a 64-bit version supporting the x86-64 architecture (AMD64 and EM64T, called collectively x64 by Microsoft) was released in April 2005. The 32-bit version will run on up to 4 processors and up to 4 GB of RAM; the 64-bit version is capable of addressing up to 32 GB of RAM and also supports Non-Uniform Memory Access. The 32-bit version is available for verified students to download free of charge as part of Microsoft's DreamSpark program.

Enterprise Edition
Windows Server 2003, Enterprise Edition is aimed towards medium to large businesses. It is a full-function server operating system that supports up to 8 processors and provides enterprise-class features such as eight-node clustering using Microsoft Cluster Server (MSCS) software and support for up to 64 GB of memory through PAE (enabled with the /PAE switch in boot.ini). Enterprise Edition also comes in 64-bit versions for the Itanium and x64 architectures. The 64-bit versions of Windows Server 2003, Enterprise Edition are capable of addressing up to 1 TB of memory. Both 32-bit and 64-bit versions support Non-Uniform Memory Access (NUMA). It also provides the ability to hot-add supported hardware. Enterprise Edition is also required to issue custom (version 2) certificate templates from an enterprise certification authority.

Datacenter Edition
Windows Server 2003, Datacenter Edition is designed for infrastructures demanding high security and reliability. Datacenter Edition is available for x86, Itanium, and x86-64 processors. It supports a maximum of 32 processors on 32-bit or 64 processors on 64-bit hardware. The 32-bit architecture also limits memory addressability to 64 GB, while the 64-bit versions support up to 1 TB. Windows Server 2003, Datacenter Edition also allows limiting processor and memory usage on a per-application basis. Windows Server 2003, Datacenter Edition also supports Non-Uniform Memory Access. If supported by the system, Windows, with help from the system firmware, will make use of NUMA kernel awareness, which is indicated by the presence of a firmware-generated ACPI Static Resource Affinity Table (SRAT) that defines the NUMA topology of the system. Windows then uses this table to optimize memory accesses and provide NUMA awareness to applications, thereby increasing the efficiency of thread scheduling and memory management. Windows Server 2003, Datacenter Edition has better support for Storage Area Networks (SANs). It features a service which uses Windows Sockets to emulate TCP/IP communication over native SAN service providers, thereby allowing a SAN to be accessed over any TCP/IP channel. With this, any application that can communicate over TCP/IP can use a SAN without any modification to the application. Windows Server 2003, Datacenter Edition also supports 8-node clustering. Clustering increases availability and fault tolerance of server installations by distributing and replicating the service among many servers. This edition supports clustering with each cluster having its own dedicated storage, or with all cluster nodes connected to a common storage area network (SAN). The SAN can be running on a Windows or non-Windows operating system and may be connected to other computers as well.

Windows Compute Cluster Server


Windows Compute Cluster Server 2003 (CCS), released in June 2006, is designed for high-end applications that require high-performance computing clusters. It is designed to be deployed on numerous computers that are clustered together to achieve supercomputing speeds. Each Compute Cluster Server network comprises at least one controlling head node and subordinate compute nodes that carry out most of the work. Compute Cluster Server uses the Microsoft Message Passing Interface v2 (MS-MPI) to communicate between the compute nodes on the cluster network. It ties nodes together with a powerful interprocess communication mechanism, which can be complex because of the communication between hundreds or even thousands of processors working in parallel. The application programming interface consists of over 160 functions. A job launcher enables users to submit jobs for execution on the cluster. MS-MPI was designed to be compatible with the reference open-source MPI-2 specification, which is widely used in high-performance computing (HPC). With some exceptions because of security considerations, MS-MPI covers the complete set of MPI-2 functionality as implemented in MPICH2, except for the planned future features of dynamic process spawning and publishing.

Windows Storage Server


Windows Storage Server 2003, a part of the Windows Server 2003 series, is a specialized server operating system for Network Attached Storage (NAS). Launched in 2003 at Storage Decisions in Chicago, it is optimized for use in file and print sharing and also in Storage Area Network (SAN) scenarios. It is only available through Original Equipment Manufacturers (OEMs). Unlike other Windows Server 2003 editions that provide file and printer sharing functionality, Windows Storage Server 2003 does not require any Client Access Licenses. Windows Storage Server 2003 NAS equipment can be headless, which means that it has no monitor, keyboard or mouse and is administered remotely. Such devices are plugged into any existing IP network and the storage capacity is available to all users. Windows Storage Server 2003 can use RAID arrays to provide data redundancy, fault tolerance and high performance. Multiple such NAS servers can be clustered to appear as a single device. This allows for very high performance as well as allowing the service to remain up even if one of the servers goes down. Windows Storage Server 2003 can also be used to create a Storage Area Network, in which data is transferred as blocks rather than files, thus providing more granularity in the data that can be transferred. This provides higher performance to database and transaction-processing applications. Windows Storage Server 2003 also allows NAS devices to be connected to a SAN.

Windows Storage Server 2003 R2, as a follow-up to Windows Storage Server 2003, adds file-server performance optimization, Single Instance Storage (SIS), and index-based search. Single Instance Storage (SIS) scans storage volumes for duplicate files and moves the duplicate files to the common SIS store. The file on the volume is replaced with a link to the file. This substitution reduces the amount of storage space required, by as much as 70%. Windows Storage Server R2 provides an index-based, full-text search based on the indexing engine already built into Windows Server. The updated search engine speeds up indexed searches on network shares. Storage Server R2 also provides filters for searching many standard file formats, such as .zip, AutoCAD, XML, MP3 and .pdf, and all Microsoft Office file formats. Windows Storage Server 2003 R2 includes built-in support for Windows SharePoint Services and Microsoft SharePoint Portal Server, and adds a Storage Management snap-in for the Microsoft Management Console. It can be used to manage storage volumes centrally, including DFS shares, on servers running Windows Storage Server R2. Windows Storage Server 2003 R2 can be used as an iSCSI target with the Standard and Enterprise editions of Windows Storage Server 2003 R2, incorporating the WinTarget iSCSI technology which Microsoft acquired from String Bean Software in 2006. This is an add-on feature available for purchase through OEM partners as an iSCSI feature pack, or is included in some versions of WSS as configured by OEMs. Windows Storage Server 2003 can be promoted to function as a domain controller; however, this edition is not licensed to run directory services. It can be joined to an existing domain as a member server.

Features
Distributed File System (DFS): DFS allows multiple network shares to be aggregated as a virtual file system.
Support for SAN and iSCSI: Computers can connect to a Storage Server over the LAN, and there is no need for a separate Fibre Channel network. Thus a Storage Area Network can be created over the LAN itself. iSCSI uses the SCSI protocol to transfer data as blocks of bytes rather than as files. This increases performance of the storage network in some scenarios, such as a database server. Because iSCSI carries raw block I/O over ordinary IP, it should be kept on an isolated storage VLAN with initiator access restricted to named initiators using CHAP authentication (and IPsec where confidentiality is needed), rather than exposed on the general LAN.

Virtual Disk Service (VDS): Allows NAS devices, RAID devices and SAN shares to be exposed and managed as if they were normal hard drives.
JBOD systems: JBOD (Just a Bunch Of Disks) systems, by using VDS, can manage a group of individual storage devices as a single unit. There is no need for the storage units to be of the same make and model.
Software and hardware RAID: Windows Storage Server 2003 has intrinsic support for hardware implementations of RAID. If hardware support is not available, it can use software RAID; in that case, all processing is done by the OS.
Multipath I/O (MPIO): Provides an alternate connection to I/O devices in case the primary path is down.

Editions
Windows Storage Server 2003 R2 is available in the following editions:

                                     Express    Workgroup   Standard    Enterprise
Number of physical CPUs [1]          1          1           1-4         1-64
32-bit and 64-bit versions available Yes        Yes         Yes         Yes
Number of disk drives                2          4           Unlimited   Unlimited
NICs                                 1          2           Unlimited   Unlimited
Print service                        No         Yes         Yes         Yes
CALs required                        Yes        Yes         Yes         Yes
iSCSI target support                 Optional   Optional    Optional    Optional
Clustering                           No         No          No          Yes

[1] Microsoft defines a physical CPU/processor as a single socket on the system board. For OS licensing purposes, a dual-socket single-core (Intel Pentium 4/Xeon, AMD Athlon 64) system counts as a total of 2 processors, whereas a single-socket quad-core CPU (such as AMD's Opteron and Intel's Xeon) counts as 1 processor. Microsoft's policy has no bearing on how third-party software vendors (such as Oracle) administer CPU licensing for their server applications.

Windows Unified Data Storage Server is a version of Windows Storage Server 2003 R2 with iSCSI target support as standard, available only in the Standard and Enterprise editions.

Windows Home Server


Windows Home Server is an operating system from Microsoft based on Windows Small Business Server 2003 SP2 (this can be seen in the directory listings of the install DVD). Announced on 7 January 2007 at the Consumer Electronics Show by Bill Gates, Windows Home Server is intended to be a solution for homes with multiple connected PCs to offer file sharing, automated backups, and remote access. Windows Home Server began shipment to OEMs on 15 September 2007.

Updates
Service Pack 1
On 30 March 2005, Microsoft released Service Pack 1 for Windows Server 2003. Among the improvements are many of the same updates that were provided to Windows XP users with Service Pack 2. Features added with Service Pack 1 include:

Security Configuration Wizard: A tool that allows administrators to more easily research and make changes to security policies; it reduces the attack surface by disabling services and closing ports that the selected server roles do not need.
Hot Patching: Extends Windows Server 2003's ability to take DLL, driver, and non-kernel patches without a reboot.
IIS 6.0 Metabase Auditing: Allows the tracking of metabase edits.
Windows Firewall: Brings many of the improvements from Windows XP Service Pack 2 to Windows Server 2003; together with the Security Configuration Wizard, it allows administrators to more easily manage the open incoming ports, as it automatically detects and selects default roles. Other networking improvements include support for Wireless Provisioning Services, better IPv6 support, and new protections against TCP SYN flood attacks.
Post-Setup Security Updates: A default mode that is turned on when a Service Pack 1 server is first booted up after installation. It configures the firewall to block all incoming connections and directs the user to install updates, so that a freshly installed server is not exposed to the network before it is patched.
Data Execution Prevention (DEP): Support for the No Execute (NX) bit. Pages that hold data (stack, heap) are marked non-executable, so a buffer overflow that injects shellcode into them cannot simply jump to it; this blocks the classic attack vector of many Windows Server exploits, although it does not stop attacks that reuse code already marked executable.
Windows Media Player version 10
Internet Explorer 6 SV1 (i.e. "IE6 SP2")
Support for fixed disks bearing data organized using the GUID Partition Table system

A full list of updates is available in the Microsoft Knowledge Base.
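The list above says what SP1 adds but not how to confirm that a given server actually has it turned on. The following PowerShell script is an added example written for this report (it is not Microsoft code and not part of the original page): it reads the /noexecute (DEP/NX) and /PAE switches from each boot.ini entry (the /PAE switch is the one mentioned under Enterprise Edition), the DEP policy that Windows reports through WMI, the Windows Firewall state of the Domain and Standard profiles from the registry, and the SynAttackProtect TCP/IP parameter behind the SYN-flood protection. It assumes an elevated PowerShell 2.0 or later session on the server itself; the registry paths and WMI property names are Microsoft's documented ones, the function and file names are this example's own, and on a newer Windows version boot.ini is simply absent.

```powershell
# Added example for this report (not Microsoft code, not from the original page):
# audit the SP1-era hardening points on a Windows Server 2003 host.
# Assumes an elevated PowerShell 2.0+ session on the server being checked.

function Get-BootIniEntries {
    param([string]$Path = "$env:SystemDrive\boot.ini")
    if (-not (Test-Path -LiteralPath $Path)) { return @() }   # absent on Vista and later
    $entries = @()
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        # Boot entries start with an ARC path, for example:
        # multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003" /noexecute=optout /PAE
        if ($line -match '^\s*(multi|scsi|signature)\(') {
            $noExecute = 'not set (RTM or default policy)'
            if ($line -match '/noexecute=(\w+)') { $noExecute = $matches[1] }
            $entries += New-Object PSObject -Property @{
                Entry     = $line.Trim()
                NoExecute = $noExecute            # alwayson / alwaysoff / optin / optout
                PAE       = [bool]($line -match '/PAE')   # needed for >4 GB on 32-bit Enterprise/Datacenter
            }
        }
    }
    return $entries
}

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy (present from XP SP2 / 2003 SP1):
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut (Server 2003 SP1 default)
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (client default)'; 3 = 'OptOut (Server 2003 SP1 default)' }
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policy = $os.DataExecutionPrevention_SupportPolicy
    $policyName = 'unknown (WMI property missing; pre-SP1?)'
    if ($policy -ne $null -and $names.ContainsKey([int]$policy)) { $policyName = $names[[int]$policy] }
    New-Object PSObject -Property @{
        HardwareNxAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy              = $policyName
        CoversDrivers       = [bool]$os.DataExecutionPrevention_Drivers
    }
}

function Get-FirewallProfileState {
    # The SP1 Windows Firewall (and the Security Configuration Wizard) write EnableFirewall under each profile.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $states = @{}
    foreach ($prof in 'DomainProfile', 'StandardProfile') {
        $props = Get-ItemProperty -Path "$base\$prof" -ErrorAction SilentlyContinue
        if ($props -eq $null -or $props.EnableFirewall -eq $null) { $states[$prof] = 'not configured' }
        elseif ($props.EnableFirewall -eq 1)                      { $states[$prof] = 'enabled' }
        else                                                      { $states[$prof] = 'DISABLED' }
    }
    return $states
}

function Get-SynAttackProtect {
    $tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
    if ($tcp -ne $null -and $tcp.SynAttackProtect -ne $null) { return [int]$tcp.SynAttackProtect }
    # Value absent: SP1 and later default to 1 (protection on); RTM defaulted to 0.
    return 'absent (default: 1 on SP1+, 0 on RTM)'
}

# Collect everything into one report object and print it.
$report = New-Object PSObject -Property @{
    BootEntries      = Get-BootIniEntries
    Dep              = Get-DepPolicy
    Firewall         = Get-FirewallProfileState
    SynAttackProtect = Get-SynAttackProtect
}
$report.BootEntries | Format-Table Entry, NoExecute, PAE -AutoSize
$report.Dep | Format-List
$report.Firewall.GetEnumerator() | Format-Table Name, Value -AutoSize
"SynAttackProtect = $($report.SynAttackProtect)"
```

Save it as, say, Audit-Sp1Hardening.ps1 (a name chosen for this example) and run it from an elevated prompt. The findings worth acting on are a boot entry with /noexecute=alwaysoff or none at all on a server whose hardware reports NX, a firewall profile shown as DISABLED, and a SynAttackProtect explicitly set to 0; an absent SynAttackProtect value is fine on SP1 or later because the default is already 1.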

Windows Server 2003 R2


Windows Server 2003 R2, an update of Windows Server 2003, was released to manufacturing on 6 December 2005. It is distributed on two CDs, with one CD being the Windows Server 2003 SP1 CD. The other CD adds many optionally installable features for Windows Server 2003. The R2 update was released for all x86 and x64 versions. Windows Server 2003 R2 Enterprise Edition was not released for Itanium.

New features

Branch Office Server Management
Centralized management tools for files and printers
Enhanced Distributed File System (DFS) namespace management interface
More efficient WAN data replication with Remote Differential Compression

Identity and Access Management
Extranet Single Sign-On and identity federation
Centralized administration of extranet application access
Automated disabling of extranet access based on Active Directory account information
User access logging
Cross-platform web Single Sign-On and password synchronization using Network Information Service (NIS)

Storage Management
File Server Resource Manager (storage utilization reporting)
Enhanced quota management
File screening (limits the file types allowed)
Storage Manager for Storage Area Networks (SAN) (storage array configuration)

Server Virtualization
A new licensing policy allows up to 4 virtual instances on Enterprise Edition and unlimited on Datacenter Edition

Utilities and SDK for UNIX-Based Applications add-on, giving a relatively full Unix development environment:
Base Utilities
SVR-5 Utilities
Base SDK
GNU SDK
GNU Utilities
Perl 5
Visual Studio Debugger Add-in

Service Pack 2
Service Pack 2 for Windows Server 2003 was released on 13 March 2007. The release date was originally scheduled for the first half of 2006. On 13 June 2006, Microsoft made an initial test version of Service Pack 2 available to Microsoft Connect users, with a build number of 2721. This was followed by build 2805, known as Beta 2 Refresh. The final build is build 3959. Microsoft has described Service Pack 2 as a "standard" service pack release containing previously released security updates, hotfixes, and reliability and performance improvements. In addition, Service Pack 2 contains Microsoft Management Console 3.0, Windows Deployment Services (which replaces Remote Installation Services), support for WPA2, and improvements to IPsec and MSConfig. Service Pack 2 also adds the Windows Server 2003 Scalable Networking Pack (SNP), which allows hardware acceleration for processing network packets, thereby enabling faster throughput. SNP was previously available as an out-of-band update for Windows Server 2003 Service Pack 1. As of October 2009, no further Service Packs were planned for Windows Server 2003, and SP2 remained the last.

Support life-cycle
On July 13, 2010, Windows Server 2003 and its family of operating systems moved from Mainstream Support to the Extended Support phase, marking the progression of the legacy operating system through the Microsoft Support Lifecycle Policy. During the Extended Support phase, Microsoft continued to provide security updates every month for Windows Server 2003; however, free technical support, warranty claims, and design changes were no longer offered. Extended Support itself ended on July 14, 2015; since then no regular security updates have been issued for Windows Server 2003, so any host still running it should be treated as unpatched and isolated accordingly.

Windows Small Business Server (SBS) (formerly Microsoft Small Business Server) is an integrated server suite from Microsoft designed for running the network infrastructure (both intranet management and Internet access) of small and medium enterprises having no more than 75 workstations or users. Application server technologies are tightly integrated to provide small businesses with targeted solutions such as the Remote Web Workplace, and offer management benefits such as integrated setup, enhanced monitoring, a unified management console, and remote access. Windows Small Business Server is technically not an 'edition' of the Windows Server operating system but rather a customized SKU of server technologies targeted specifically at small businesses. As such, the application servers are not merely bundled with the OS but are tightly integrated into the operating system. Since the release of SBS 2003, the same service packs as those for Windows Server or other server products can be used to update the OS.

Design and licensing considerations


Windows Small Business Server has its own type of Client Access License (CAL), which is different from and costs slightly more than CALs for the usual editions of the Windows Server operating system. However, the SBS CAL encompasses the user CALs for Windows Server, Exchange Server and SQL Server, and hence is less expensive than buying all the other CALs individually.

Windows Small Business Server has the following design restrictions:
Only one computer in the domain can be running Windows Small Business Server. That is not to say that the domain only supports a single server. The domain supports multiple servers (including additional domain controllers) running any other operating system, such as Windows Server Standard Edition.
Windows Small Business Server must be the root of the Active Directory forest.
Windows Small Business Server cannot trust any other domains.
It cannot have any child domains.
Windows Small Business Server is limited to 75 users or devices, depending on which type of CAL is used (SBS 2008 FE supports a maximum of 15 CALs).
All Windows Small Business Server versions up to SBS 2003 are limited to 4 GB of RAM. SBS 2008 requires a minimum of 4 GB for installation and needs more for good performance; it supports a maximum of 32 GB.
Windows Small Business Server versions prior to Windows Small Business Server 2008 are only available for the x86 (32-bit) architecture. Windows Small Business Server 2008 is only available for the x86-64 (64-bit) architecture. This is due to the requirements of Exchange Server 2007, whose production version is 64-bit only; the 32-bit version of Exchange Server 2007 is only supported for testing and non-production scenarios.
The SQL Server which comes with SBS 2008 is "SQL Server 2008 Standard Edition for Small Business". It cannot be installed outside of a network that has a domain controller and fewer than 75 PCs and/or users.
Only the Remote Desktop for Administration mode is available, because Small Business Server always runs on the domain controller, and only two simultaneous RDP sessions are allowed. (This is a change from the SBS 2000 policy.) Terminal Services in application-sharing mode needs to be run on a second server on the network. This is possible with SBS 2008 Premium Edition, which includes a Windows Server 2008 license for running the second server.

To remove these restrictions and upgrade to regular editions of Windows Server, Exchange Server, SQL Server and ISA Server, there is a Windows Small Business Server 2003 R2 Transition Pack.

Features unique to Small Business Server

- Remote Web Workplace
- POP3 Connector (for Exchange Server)
- Shared Modem Service (modem server; not supported in Small Business Server 2003 and later)

Versions

October 22, 1997 - BackOffice Small Business Server 4.0, based on Windows NT Server 4.0 SP3; includes Exchange Server 5.0 SP1, IIS 3.0, SQL Server 6.5 SP3, Proxy Server 1.0, Internet Explorer 3.02 or 4.01, and Outlook 97; allows 25 client licenses.

May 24, 1999 - BackOffice Small Business Server 4.5, based on Windows NT Server 4.0 SP4; includes Exchange Server 5.5 SP2, IIS 4.0, SQL Server 7.0, Proxy Server 2.0, Internet Explorer 5.0, Outlook 2000, and FrontPage 2000; allows 50 client licenses.

February 21, 2001 - Microsoft Small Business Server 2000, based on Windows 2000 Server (including Internet Explorer 5.0 and IIS 5.0); includes Exchange 2000 Server, SQL Server 2000 Standard Edition, Internet Security & Acceleration Server 2000, Outlook 2000 and FrontPage 2000; allows 50 client licenses.

October 9, 2003 - Windows Small Business Server 2003 (codenamed Bobcat), based on Windows Server 2003; includes Microsoft Exchange Server 2003, Microsoft Outlook 2003, Windows SharePoint Services 2.0, and optionally Microsoft SQL Server 2000, ISA Server 2000 (upgraded to ISA Server 2004 in Small Business Server Premium SP1), and Microsoft FrontPage 2003 in the Premium edition; allows 75 client licenses. Service Pack 1 for Windows Small Business Server 2003 was released on July 25, 2005.

July 29, 2006 - Windows Small Business Server 2003 R2, based on Windows Server 2003 (not R2); includes Microsoft Exchange Server 2003, Microsoft Outlook 2003, Windows SharePoint Services 2.0, and optionally Microsoft SQL Server 2005 Workgroup Edition, ISA Server 2004, and Microsoft FrontPage 2003 in the Premium edition; allows 75 client licenses. A major addition is a built-in patch management solution optimized for small businesses, based on Microsoft Windows Server Update Services. The Exchange database size limit is set to 18 GB by default but can be expanded to 75 GB using a registry key.

August 21, 2008 - Windows Small Business Server 2008 (codenamed Cougar), based on Windows Server 2008; includes Microsoft Exchange Server 2007, Windows SharePoint Services 3.0 and 120-day trial subscriptions of new security products from Microsoft, namely Forefront Security for Exchange and Windows Live OneCare for Server. The standard edition of SBS 2008 is a single-server solution for small businesses. The premium edition contains a license for Windows Server 2008 and SQL Server 2008 Standard Edition, with the option to run SQL Server on either the main SBS server or a second server. The premium edition is therefore targeted at dual-server scenarios such as terminal services application sharing, line-of-business applications, edge security, secondary domain controllers, and virtualization. In addition to features present in previous versions, new features include:
- A streamlined administration and management console that is designed around tasks to be accomplished rather than underlying technologies
- Built-in support for registering and configuring domain name and DNS records via multiple registrars
- Monitoring reports that gather data from both servers and clients on the network, including Security Center status (anti-virus, spyware, and client firewall) from all the clients
- New features in the Remote Web Workplace, such as the ability to define default and allowed PCs for each user
- Office Live Small Business integration for configuring a public web site or extranet
- New server backup features, based on the incremental block-based backup technology in Windows Server 2008 (tape backup is no longer supported via native tools, but continues to be supported via third parties)
SBS 2008 requires installation behind a separate network firewall device. In contrast with SBS 2003, it does not support being installed directly on the edge of the network: ISA Server is no longer bundled and a dual-NIC configuration is not possible. SBS 2008 was released to manufacturing on August 21, 2008 and was launched on November 12, 2008. Windows Small Business Server 2008 supports organizations with up to 75 users or devices. A notable change from SBS 2003 is that CALs are not enforced electronically.

December 13, 2010 - Windows Small Business Server 2011. Microsoft announced two successors to the SBS series during WPC 2010, both based on Windows Server 2008 R2. One successor (code name "Aurora") supports a maximum of 25 users, removes the traditional on-premises components of Exchange, SharePoint and WSUS, and is oriented to attach cloud services. The other successor (code name "SBS 7") is the more direct successor of SBS 2008, continues to support a maximum of 75 users, and will continue to include the next-generation on-premises versions of Exchange, SharePoint and WSUS. Late in 2010, Microsoft announced the official branding for the 2011 wave: SBS "7" will be branded as Windows Small Business Server 2011 Standard, and "Aurora" will introduce a new edition to the SBS product line, Windows Small Business Server 2011 Essentials. Additionally, changes to the premium edition were announced. Whereas formerly the premium edition of SBS was packaged as a superset of the standard edition, in the 2011 wave it will be available as an add-on edition, containing standalone copies of SQL Server 2008 R2 and Windows Server 2008 R2, and available to add on to either SBS 2011 Essentials or Standard. In mid-December, Microsoft released Windows Small Business Server 2011 Standard to TechNet/MSDN subscribers for evaluation. Microsoft has also announced that Windows SBS 2011 Standard will be available to Volume Licensing in early January and as a trial in mid-January. Windows SBS 2011 Essentials is still under testing. SBS 2011 requires an Internet connection.

Windows Home Server

Windows Home Server, code-named Quattro, is a home server operating system from Microsoft. Announced on 7 January 2007 at the Consumer Electronics Show by Bill Gates, Windows Home Server is intended to be a solution for homes with multiple connected PCs, offering file sharing, automated backups, a print server, and remote access. Windows Home Server was released to manufacturing on 16 July 2007 and officially released on 4 November 2007. Power Pack 1 for Windows Home Server was released on 20 July 2008, Power Pack 2 on 24 March 2009, and Power Pack 3 on 24 November 2009. Windows Home Server is also the name of a family of server products for home users. The latest member of this family is Windows Home Server 2011, released on 6 April 2011.

Compatibility
Windows Home Server integrates with Windows XP (SP2 or newer), Windows Vista, and Windows 7 (after the release of Power Pack 3) through a software installation, either from a client CD or via a network share. The connector software may also be installed by accessing http://yourserver:55000/, where a link is provided to download the connector software and to install troubleshooting tools. Files stored on Windows Home Server are also available through a Windows share, opening compatibility to a wide variety of operating systems. The Administration console is also available via Remote Desktop, allowing administration from unsupported platforms. Windows Home Server does not support Microsoft's own MSE anti-virus program. 64-bit Windows client support was introduced in Power Pack 1, though the Restore Wizard on the Windows Home Server Restore CD is unable to restore clients running 64-bit operating systems. Windows XP Professional x64 is not officially supported; however, unofficial workarounds allow the Connector software to work on XP x64. Integration of the file sharing service as a location for Mac OS X's Time Machine was apparently being considered, but upon Mac OS X Leopard's release, Apple had removed the ability to use the SMB file sharing protocol for Time Machine backups. One WHS provider, HP, provides its own plug-in with its home server line capable of Time Machine backup to a home server. Windows Home Server does not officially support Domain Controller capability and cannot readily join a Windows Server domain. Wireless networking is not currently supported.

Minimum system requirements

The following minimum specifications are needed:
- 1.0 GHz Intel Pentium 3 (or equivalent) processor
- 512 MB RAM
- 65 GB internal hard drive as primary drive
- 100 Mbit/s wired Ethernet
Note: these requirements have been raised for Windows Home Server 2011.

Additionally, the following are required for installation of the operating system only:
- Bootable DVD drive or USB stick
- Display
- Keyboard and mouse

Dedicated devices will have the operating system pre-installed and may be supplied with a server recovery disk which reloads the OS over a network connection. This is utilized on the HP MediaSmart Server and the Fujitsu Siemens Scaleo Home Server.

Resolved issues

File corruption

The first release of Windows Home Server, RTM (Release to Manufacturing), suffered from a file corruption flaw whereby files saved directly to or edited on shares on a WHS device could become corrupted. Only files that had NTFS Alternate Data Streams were susceptible to the flaw. The flaw led to data corruption only when the server was under heavy load at the time when the file (with ADS) was being saved onto a share. Backups of client PCs made by Windows Home Server were not susceptible to the flaw. Even though the issue was first acknowledged in October 2007, Microsoft formally warned users of the seriousness of the flaw on 20 December 2007. Microsoft then issued a list of applications, including Windows Live Photo Gallery, Microsoft OneNote, Microsoft Outlook and SyncToy 2.0, which might have triggered the flaw if they were used to edit files on a WHS share directly. This issue was fixed by Power Pack 1, released on July 21, 2008.

No native backup
Windows Home Server RTM did not include a mechanism for backing up the server. Power Pack 1 added the ability to back up files stored on the Shared Folders to an external drive. Users can also subscribe to third-party online services, for a fee. However, there remains no way to back up the installed server operating system. Backing up the client backup database is possible either manually, using the instructions provided by Microsoft on page 24 of this document, or with the WHS BDBB add-in written by Alex Kuretz and available from this website.

Physical matters
Sites are physical (rather than logical) groupings defined by one or more IP subnets. AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers. Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level.

Physically, the Active Directory information is held on one or more peer domain controllers (DCs), replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called Member Servers. The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. AD synchronizes changes using multi-master replication. Microsoft often refers to these partitions as 'naming contexts'. The 'Schema' partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domain controllers in the Forest. The 'Domain' partition holds all objects created in that domain and replicates only to Domain Controllers within its domain. So, for example, a user created in Domain X would be listed only in Domain X's domain controllers.

A subset of objects in the domain partition replicates to domain controllers that are configured as global catalogs. Global catalog (GC) servers replicate to themselves all objects from all domains and hence provide a global listing of all objects in the Forest. However, in order to minimize replication traffic and to keep the GC's database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.

Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP and DNS. To be fully functional, the DNS server must support SRV resource records, or service records.

Replication
Active Directory replication is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected. The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication. Each link can have a 'cost' (e.g., DS3, T1, ISDN etc.), and the site link topology will be altered accordingly by the KCC. Replication may occur transitively through several site links on same-protocol site link bridges if the cost is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between sites, SMTP can be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) naming contexts; SMTP cannot be used for replicating the default Domain partition.
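The pull model and the two bookkeeping structures that make it safe in a multi-master directory, as an added illustration that is not part of this report or of Microsoft's implementation: each DC numbers its writes with a local USN, keeps a high-watermark per replication partner and an up-to-dateness vector per originating DC, and a change that already arrived by another path is not pulled a second time (propagation dampening). DC names and directory objects are constructed; conflict resolution between competing originating writes is omitted.

```python
"""Toy model of Active Directory pull replication with USNs, a per-partner
high-watermark and an up-to-dateness vector (propagation dampening).
Added illustration, not Microsoft code; DC names and objects are constructed.
Conflict resolution between competing originating writes is omitted."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    local_usn: int   # USN this copy of the change received on the holding DC
    orig_dc: str     # DC where the write was originally made
    orig_usn: int    # USN the originating DC assigned to that write
    obj: str
    attr: str
    value: str


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0                       # local update sequence number
        self.changes: list[Change] = []
        self.objects: dict[str, dict[str, str]] = {}
        self.high_watermark: dict[str, int] = {}  # partner -> partner USN last pulled
        self.utd_vector: dict[str, int] = {}      # originator -> highest orig USN held

    def _record(self, orig_dc: str, orig_usn: int, obj: str, attr: str, value: str) -> None:
        self.usn += 1
        self.changes.append(Change(self.usn, orig_dc, orig_usn, obj, attr, value))
        self.objects.setdefault(obj, {})[attr] = value
        if orig_usn > self.utd_vector.get(orig_dc, 0):
            self.utd_vector[orig_dc] = orig_usn

    def write(self, obj: str, attr: str, value: str) -> None:
        """Originating write: this DC stamps itself as the originator."""
        self._record(self.name, self.usn + 1, obj, attr, value)

    def changes_for(self, partner_hwm: int, partner_utdv: dict[str, int]) -> list[Change]:
        """Source side: hand out changes above the partner's high-watermark,
        minus those the partner already holds from the originating DC."""
        return [c for c in self.changes
                if c.local_usn > partner_hwm
                and c.orig_usn > partner_utdv.get(c.orig_dc, 0)]

    def pull_from(self, source: "DomainController") -> int:
        """Destination initiates (pull, not push) and applies what it lacks."""
        hwm = self.high_watermark.get(source.name, 0)
        batch = source.changes_for(hwm, self.utd_vector)
        for c in batch:
            self._record(c.orig_dc, c.orig_usn, c.obj, c.attr, c.value)
        self.high_watermark[source.name] = source.usn
        return len(batch)


def ring_demo() -> dict[str, int]:
    """DC1 -> DC2 -> DC3 -> DC1 ring: the change reaches DC3 via DC2, so the
    later pull from DC1 is dampened to zero. Returns the pulled-change counts."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    dc1.write("CN=alice,OU=Staff,DC=example,DC=local", "title", "Engineer")
    dc1.write("CN=bob,OU=Staff,DC=example,DC=local", "title", "Analyst")
    counts = {
        "dc2_from_dc1": dc2.pull_from(dc1),  # 2: both writes are new to DC2
        "dc3_from_dc2": dc3.pull_from(dc2),  # 2: DC3 receives them second-hand
        "dc3_from_dc1": dc3.pull_from(dc1),  # 0: UTD vector says DC3 holds DC1's USNs 1-2
    }
    dc1.write("CN=alice,OU=Staff,DC=example,DC=local", "title", "Lead Engineer")
    counts["dc2_after_update"] = dc2.pull_from(dc1)  # 1: only the new write moves
    return counts


if __name__ == "__main__":
    for step, n in ring_demo().items():
        print(f"{step}: {n} change(s) pulled")
```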

Database
The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects. (NT4's Security Account Manager could support no more than 40,000 objects). Called NTDS.DIT, it has two main tables: the data table and the link table. In Windows Server 2003 a third main table was added for security descriptor single instancing.

Programmatic interface
The features of Active Directory may be accessed programmatically via the COM interfaces provided by Active Directory Service Interfaces.

Single server operations


Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") operations are also known as operations master roles. Although domain controllers allow simultaneous updates in multiple places, certain operations are supported only on a single server. These operations are performed using the roles listed below (role name, scope, description):

Schema Master (1 per forest): Schema modifications.

Domain Naming Master (1 per forest): Addition and removal of domains, if present in the root domain.

PDC Emulator (1 per domain): Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC runs domain-specific processes such as the Security Descriptor Propagator (SDPROP) and is the master time server within the domain. It also handles external trusts and the DFS consistency check, holds current passwords and manages all GPOs as default server.

RID Master (1 per domain): Allocates pools of unique identifiers to domain controllers for use when creating objects.

Infrastructure Master (1 per domain/partition): Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (GCS) unless all DCs are also GCs, or the environment consists of a single domain.

Trust
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.

Terminology
One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust: Two domains allow access to users on both domains.
Trusting domain: The domain that allows access to users from a trusted domain.
Trusted domain: The domain that is trusted; its users have access to the trusting domain.
Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust: A one-way trust that does not extend beyond two domains.
Explicit trust: A trust that an admin creates. It is not transitive and is one-way only.
Cross-link trust: An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut: Joins two domains in different trees; transitive, one- or two-way.
Forest: Applies to the entire forest; transitive, one- or two-way.
Realm: Can be transitive or nontransitive, one- or two-way.
External: Connects to other forests or non-AD domains; nontransitive, one- or two-way.

Windows 2000 Server supports two-way transitive and one-way intransitive trusts. Administrators can create shortcuts.

Windows Server 2003 adds the forest root trust. This trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are transitive for all the domains in the trusted forests; the forest trust itself, however, is not transitive.

Lightweight Directory Service


Active Directory Lightweight Directory Service (AD LDS), formerly known as Active Directory Application Mode (ADAM), is a lightweight implementation of Active Directory. AD LDS is capable of running as a service on computers running Microsoft Windows Server. AD LDS shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers. Like Active Directory, AD LDS provides a Data Store for storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike Active Directory, however, multiple AD LDS instances can be run on the same server.

Unix integration
Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts. Third parties offer Active Directory integration for Unix platforms (including UNIX, Linux, Mac OS X, and a number of Java- and UNIX-based applications), including:
- Centrify DirectControl (Centrify Corporation): Active Directory-compatible centralized authentication and access control
- Centrify Express (Centrify Corporation): a suite of free Active Directory-compliant services for centralized authentication, monitoring, file sharing and remote access
- UNAB (Computer Associates)
- TrustBroker (CyberSafe Limited): an implementation of Kerberos
- PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software): allows a non-Windows client to join Active Directory
- Authentication Services (Quest Software)
- ADmitMac (Thursby Software Systems)
- Samba: can act as a domain controller

The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, supports these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed). Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.

An alternate option is to use another directory service such as 389 Directory Server (formerly Fedora Directory Server, FDS), eB2Bcom ViewDS v7.1 XML Enabled Directory or Sun Microsystems Sun Java System Directory Server, which can perform two-way synchronization with AD and thus provide a "deflected" integration, as Unix and Linux clients authenticate to FDS and Windows clients authenticate to AD. Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched.

Active Directory can be automated by PowerShell.

REMOTE INSTALLATION SERVER


RIS (Remote Installation Services) is a Microsoft-supplied server that allows PXE BIOS-enabled computers to remotely execute boot environment variables.

Background
At boot time, a workstation that has been set to boot from PXE will issue a BOOTP request via the network. Once the request is received, the DHCP server will supply an IP address to the machine, and the DNS server will point the client computer to the RIS server, which in turn will issue a disk boot image (often called the "OS Chooser"). Once the OS Chooser environment has been booted, the user must authenticate against the Domain Controller and can then select a Windows image to install. The source files for each image can be customized with third-party utilities such as nLite to slipstream updates and service packs, apply tweaks, perform unattended installations, and include software with the operating system.

History
Remote Installation Services was introduced with Windows 2000 as an optional component when installed on Windows 2000 Server. Initially, it supported only the distribution of Windows 2000 Professional, but with Service Pack 3 allowed for the remote installation of Windows 2000 Server. RIS was updated twice; once to support Windows XP, and again to support Windows Server 2003. With the release of Service Pack 2 for Windows Server 2003, RIS was replaced with Windows Deployment Services.

Overview
On Windows 2003, two services are required to provide Remote Installation Services: DHCP and Remote Installation Service. The Remote Installation Server doubles as a proxy DHCP server to provide Boot Server and Filename instructions to clients. Remote Installation Service utilizes UDP port 4011 to provide clients the contents of each page the OS Chooser displays. Additionally, this service can provide drivers to clients; it is often used to provide the workstation's network card driver, which is required to launch the OS Chooser and mount the share where images are stored.

Installation Using RIS


RIS can be used only for clean installations and cannot be used to upgrade a previous version of Windows. A RIPrep image can contain the operating system and applications. Computers that are connected to the same network as the server, and have been enabled, automatically start the RIS sequence.

File Replication Service

File Replication Service is a Microsoft Windows Server service for distributing shared files and Group Policy Objects. It replaced the (Windows NT) Lan Manager Replication service and has been partially replaced by Distributed File System Replication. It is also known as NTFRS after the name of the executable file that runs the service.

Details
When the File Replication Service (FRS) detects a change to a file, such as the creation of a new file or the modification to an existing file, it replicates it to other servers in the group. To deal with conflicts (when two copies of the files are edited at the same time on different servers) the service resolves any issues by using the file with latest date and time. One of the main uses of FRS is for the SYSVOL directory share. The SYSVOL directory share is particularly important in a Microsoft network as it is used to distribute files supporting Group Policy and scripts to client computers on the network. Since Group Policies and scripts are run each time a user logs on to the system, it is important to have reliability. Having multiple copies of the SYSVOL directory increases the resilience and spreads the workload for this essential service. The SYSVOL directory can be accessed by using a network share to any server that has a copy of the SYSVOL directory (normally a Domain Controller) as shown below:
\\server\SYSVOL

Or by accessing it using the domain name:


\\domain.com\SYSVOL

Servers that work together to provide this service are called Replication Partners. To control file replication:
1. Open Active Directory Sites and Services from Administrative Tools.
2. Select the Sites container to view a list of sites.
3. Expand the site to be viewed. This will provide the list of servers in that site.
4. Expand the server to be viewed, right-click the NTDS Settings object, and select Properties.
5. Under the Connections tab, the list of servers that are being replicated can be seen.

DFS Replication
In Windows Server 2003 R2 and Windows Server 2008, DFS Replication is available as well as the File Replication Service. DFS Replication is a state-based replication engine for file replication among DFS shares, which supports replication scheduling and bandwidth throttling. It uses Remote Differential Compression to detect and replicate only the changed parts of files, rather than replicating entire files when they change. Windows Vista also includes a DFS Replication Service, which is limited to peer-to-peer DFS Replication service groups. FRS is still used for SYSVOL replication, but optionally DFS Replication may be used instead of FRS for SYSVOL shares and FRS stopped. On uplevel Windows Server 2008 domain controllers, SYSVOL replication is performed using DFS Replication by default, although NTFRS replication is also supported. On Windows Server 2008/R2 uplevel domain controllers, SYSVOL replication is performed using DFS Replication, and NTFRS replication is disabled altogether.
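The "replicate only the change" idea behind Remote Differential Compression, as an added and deliberately simplified illustration (not Microsoft's RDC code, and not its exact chunking rule): the receiver already holds the old file and knows the signatures of its chunks, so the sender transmits raw bytes only for chunks the receiver lacks and references for the rest. The chunking rule, hash choice and sample file contents are constructed here.

```python
"""Simplified signature-based delta transfer in the spirit of Remote
Differential Compression (RDC), which DFS Replication uses to move only the
changed parts of a file. Added illustration, not Microsoft's RDC code; the
chunking rule, hashes and sample file contents are constructed here."""
import hashlib
import random

WINDOW = 8     # bytes examined when deciding on a chunk boundary
DIVISOR = 32   # roughly one boundary every DIVISOR bytes on random data


def chunk(data: bytes) -> list[bytes]:
    """Content-defined chunking: a boundary falls after any position where the
    sum of the last WINDOW bytes is divisible by DIVISOR. Because boundaries
    depend only on local content, an insertion shifts only the chunks near it."""
    chunks, start = [], 0
    for i in range(WINDOW, len(data) + 1):
        if sum(data[i - WINDOW:i]) % DIVISOR == 0:
            chunks.append(data[start:i])
            start = i
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def signature(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


def build_delta(new_data: bytes, receiver_signatures: set) -> tuple[list, int]:
    """Sender side: emit a reference for every chunk the receiver already has
    and raw bytes only for the rest. Returns (delta, payload_bytes_sent)."""
    delta, sent = [], 0
    for c in chunk(new_data):
        sig = signature(c)
        if sig in receiver_signatures:
            delta.append(("ref", sig))
        else:
            delta.append(("data", c))
            sent += len(c)
    return delta, sent


def apply_delta(delta: list, receiver_chunks: dict) -> bytes:
    """Receiver side: rebuild the file from its own chunks plus the sent data."""
    out = bytearray()
    for kind, payload in delta:
        out += receiver_chunks[payload] if kind == "ref" else payload
    return bytes(out)


def replicate(old_data: bytes, new_data: bytes) -> tuple[bytes, int]:
    """Whole exchange: the receiver holds old_data, the sender holds new_data.
    Returns the receiver's rebuilt copy and the number of payload bytes sent."""
    receiver_chunks = {signature(c): c for c in chunk(old_data)}
    delta, sent = build_delta(new_data, set(receiver_chunks))
    return apply_delta(delta, receiver_chunks), sent


def sample_files() -> tuple[bytes, bytes]:
    """Constructed test data: a 4 KiB pseudo-random 'file' and a copy with a
    short insertion in the middle (seeded, so the result is reproducible)."""
    rng = random.Random(2003)
    old = bytes(rng.getrandbits(8) for _ in range(4096))
    new = old[:2000] + b"[edited paragraph]" + old[2000:]
    return old, new


if __name__ == "__main__":
    old, new = sample_files()
    rebuilt, sent = replicate(old, new)
    print(f"rebuilt matches: {rebuilt == new}; payload sent: {sent} of {len(new)} bytes")
```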

Internet Information Services

Internet Information Services (IIS), formerly called Internet Information Server, is a web server application and set of feature extension modules created by Microsoft for use with Microsoft Windows. It is the second most used web server after Apache HTTP Server. IIS 7.5 supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It is an integral part of the Windows Server family of products, as well as certain editions of Windows XP, Windows Vista and Windows 7. IIS is not turned on by default when Windows is installed.

History
The first Microsoft web server was a research project at the European Microsoft Windows NT Academic Centre (EMWAC), part of the University of Edinburgh in Scotland, and was distributed as freeware. However, since the EMWAC server was unable to scale sufficiently to handle the volume of traffic going to microsoft.com, Microsoft was forced to develop its own web server, IIS.

Almost every version of IIS was released either alongside or with a version of the Microsoft Windows operating system. IIS 1.0 was initially released as a free add-on, a set of web-based services for Windows NT 3.51. However, IIS 2.0 was included with Windows NT 4.0. IIS 3.0, which was included with Service Pack 3 of Windows NT 4, introduced the Active Server Pages dynamic scripting environment. IIS 4.0 was released as part of an "Option Pack" for Windows NT 4.0 and dropped support for the Gopher protocol.

IIS 5.0 shipped with Windows 2000 and introduced additional authentication methods, management enhancements including a new MMC-based administration application, support for the WebDAV protocol, and enhancements to ASP. IIS 5.1 was shipped with Windows XP Professional and was nearly identical to IIS 5.0 on Windows 2000 except for several limitations Microsoft introduced: IIS 5.1 supported only 10 simultaneous connections and only a single web site. IIS 6.0, included with Windows Server 2003 and Windows XP Professional x64 Edition, added support for IPv6 and included a new worker process model that increased security as well as reliability.

IIS 7.0 was a complete redesign and rewrite of IIS, and was shipped with Windows Vista and Windows Server 2008. IIS 7.0 included a new modular design that allowed for a reduced attack surface and increased performance. IIS 7.0 also introduced a hierarchical configuration system allowing for simpler site deployments, a new Windows Forms-based management application, new command line management options and increased support for the .NET Framework. IIS 7.0 on Vista does not limit the number of allowed connections as IIS on XP did, but limits concurrent requests to 10 (Windows Vista Ultimate, Business, and Enterprise Editions) or 3 (Vista Home Premium). Additional requests are queued, which hampers performance, but they are not rejected as with XP.

The current shipping version of IIS is IIS 7.5, included in Windows 7 and Windows Server 2008 R2. IIS 7.5 improved the WebDAV and FTP modules as well as command line administration in PowerShell. It also introduced the Best Practices Analyzer tool and process isolation for application pools.

Versions
- IIS 1.0, Windows NT 3.51 (available as a free add-on)
- IIS 2.0, Windows NT 4.0
- IIS 3.0, Windows NT 4.0 Service Pack 2
- IIS 4.0, Windows NT 4.0 Option Pack
- IIS 5.0, Windows 2000
- IIS 5.1, Windows XP Professional and Windows XP Media Center Edition (requires retail CD)
- IIS 6.0, Windows Server 2003 and Windows XP Professional x64 Edition
- IIS 7.0, Windows Server 2008 and Windows Vista (Home Premium, Business, Enterprise and Ultimate editions)
- IIS 7.5, Windows Server 2008 R2 and Windows 7 (Home Premium, Professional, Enterprise and Ultimate editions)

Usage
As of October 2011, IIS is the second most used server in the world, after Apache HTTP Server. It is used on 15.66% of servers and responds to 12.46% of total requests.

Security
Earlier versions of IIS were hit with a number of vulnerabilities, especially CA-2001-13, which led to the infamous Code Red worm; both versions 6.0 and 7.0 have no reported issues with this specific vulnerability. In IIS 6.0 Microsoft opted to change the behaviour of pre-installed ISAPI handlers, many of which were culprits in the vulnerabilities of 4.0 and 5.0, thus reducing the attack surface of IIS. In addition, IIS 6.0 added a feature called "Web Service Extensions" that prevents IIS from launching any program without explicit permission by an administrator. In the current release, IIS 7, the components are provided as modules so that only the required components have to be installed, further reducing the attack surface. Security features such as Request Filtering, which rejects suspicious URLs based on a user-defined rule set, were also added.

By default IIS 5.1 and lower run websites in-process under the SYSTEM account, a default Windows account with 'superuser' rights. Under 6.0 all request-handling processes have been brought under the Network Service account, which has significantly fewer privileges, so that a vulnerability in a feature or in custom code will not necessarily compromise the entire system, given the sandboxed environment these worker processes run in. IIS 6.0 also contained a new kernel HTTP stack (http.sys) with a stricter HTTP request parser and a response cache for both static and dynamic content.

According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities, while IIS 6 had a total of 11 vulnerabilities, of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5. In June 2007, a Google study of 80 million domains concluded that while the IIS market share was 23% at the time, IIS servers hosted 49% of the world's malware, the same as Apache servers, whose market share was 66%. The study also observed the geographical location of these dirty servers and suggested that the cause could be the use of pirated copies of Windows for which security updates were unavailable. This is no longer the case: Microsoft supplies security updates to all users.
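As an added illustration (not code from IIS or from this report), the following Python sketch applies a small user-defined rule set of the kind IIS 7 Request Filtering evaluates to constructed request lines and reports which rule rejects each one; the rule names mirror the requestFiltering configuration sections, while the matching logic and the sample values are simplified assumptions.

```python
from urllib.parse import unquote

# Constructed rule set modelled on the sections of the IIS 7 requestFiltering
# configuration (denyUrlSequences, fileExtensions, hiddenSegments, requestLimits,
# allowDoubleEscaping). The values are illustrative, not the IIS defaults.
RULES = {
    "denyUrlSequences": ["..", ":", "\\"],          # substrings never allowed in a decoded path
    "fileExtensions": {"", ".html", ".htm", ".css", ".js", ".png", ".aspx"},  # "" = no extension
    "hiddenSegments": {"bin", "app_code", "web.config"},   # path segments that are never served
    "maxUrl": 256,
    "maxQueryString": 128,
}

def filter_request(request_line, rules=RULES):
    """Return None when the request passes, otherwise the name of the rule that
    rejects it. request_line has the HTTP form 'GET /path?query HTTP/1.1'."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return "malformed"
    path, _, query = target.partition("?")
    if len(target) > rules["maxUrl"]:
        return "requestLimits.maxUrl"
    if len(query) > rules["maxQueryString"]:
        return "requestLimits.maxQueryString"
    once = unquote(path)
    if unquote(once) != once:            # still decodes after one pass: it was double-encoded
        return "allowDoubleEscaping"
    decoded = once.lower()               # NTFS and IIS paths are case-insensitive
    if any(seq in decoded for seq in rules["denyUrlSequences"]):
        return "denyUrlSequences"
    segments = [s for s in decoded.split("/") if s]
    if any(seg in rules["hiddenSegments"] for seg in segments):
        return "hiddenSegments"
    last = segments[-1] if segments else ""
    extension = last[last.rfind("."):] if "." in last else ""
    if extension not in rules["fileExtensions"]:
        return "fileExtensions"
    return None

def audit(request_lines, rules=RULES):
    """Evaluate a batch of request lines; returns [(line, verdict), ...]."""
    return [(line, filter_request(line, rules)) for line in request_lines]

# Constructed request lines, not taken from any real log.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /scripts/%252e%252e/secret.txt HTTP/1.1",   # double-encoded '..'
    "GET /bin/app.dll HTTP/1.1",                     # hidden segment
    "GET /docs/report.pdf HTTP/1.1",                 # extension not on the allow list
    "GET /images/../../web.config HTTP/1.1",         # literal '..' sequence
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_REQUESTS):
        print(f"{verdict or 'allowed':32} {line}")
```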

Features
The architecture of IIS 7 is modular. Modules, also called extensions, can be added or removed individually so that only modules required for specific functionality have to be installed. IIS 7 includes native modules as part of the full installation. These modules are individual features that the server uses to process requests and include the following:
- HTTP modules: used to perform tasks specific to HTTP in the request-processing pipeline, such as responding to information and inquiries sent in client headers, returning HTTP errors, and redirecting requests.
- Security modules: used to perform tasks related to security in the request-processing pipeline, such as specifying authentication schemes, performing URL authorization, and filtering requests.
- Content modules: used to perform tasks related to content in the request-processing pipeline, such as processing requests for static files, returning a default page when a client does not specify a resource in a request, and listing the contents of a directory.
- Compression modules: used to perform tasks related to compression in the request-processing pipeline, such as compressing responses, applying Gzip compression transfer coding to responses, and performing pre-compression of static content.
- Caching modules: used to perform tasks related to caching in the request-processing pipeline, such as storing processed information in memory on the server and using cached content in subsequent requests for the same resource.
- Logging and Diagnostics modules: used to perform tasks related to logging and diagnostics in the request-processing pipeline, such as passing information and processing status to HTTP.sys for logging, reporting events, and tracking requests currently executing in worker processes.

IIS 6.0 and higher support the following authentication mechanisms:
- Anonymous authentication
- Basic access authentication
- Digest access authentication
- Integrated Windows Authentication
- UNC authentication
- .NET Passport Authentication (removed in Windows Server 2008 and IIS 7.0)
- Certificate authentication

IIS 7.5 includes the following additional or enhanced security features:
- Client Certificate Mapping
- IP Security
- Request Filtering
- URL Authorization

Authentication changed slightly between IIS 6.0 and IIS 7, most notably in that the anonymous user, which was named "IUSR_{machinename}", is a built-in account in Vista and later operating systems, named "IUSR". Notably, in IIS 7, each authentication mechanism is isolated into its own module and can be installed or uninstalled.

IIS Express
IIS Express, a lightweight version of IIS, is available as a standalone freeware server and may be installed on Windows XP with Service Pack 3 and subsequent versions of Microsoft Windows. IIS 7.5 Express supports only the HTTP and HTTPS protocols. IIS Express can be downloaded separately or as a part of Microsoft WebMatrix.

Extensions
IIS releases new feature modules between major version releases to add new functionality. The following extensions are available for IIS 7.5:
- FTP Publishing Service: lets Web content creators publish content securely to IIS 7 Web servers with SSL-based authentication and data transfer.
- Administration Pack: adds administration UI support for management features in IIS 7, including ASP.NET authorization, custom errors, FastCGI configuration, and request filtering.
- Application Request Routing: provides a proxy-based routing module that forwards HTTP requests to content servers based on HTTP headers, server variables, and load balance algorithms.
- Database Manager: allows easy management of local and remote databases from within IIS Manager.
- Media Services: integrates a media delivery platform with IIS to manage and administer delivery of rich media and other Web content.
- URL Rewrite Module: provides a rule-based rewriting mechanism for changing request URLs before they are processed by the Web server.
- WebDAV: lets Web authors publish content securely to IIS 7 Web servers, and lets Web administrators and hosters manage WebDAV settings using IIS 7 management and configuration tools.
- Web Deployment Tool: synchronizes IIS 6.0 and IIS 7 servers, migrates an IIS 6.0 server to IIS 7, and deploys Web applications to an IIS 7 server.

Microsoft Message Queuing or MSMQ is a Message Queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95. The latest Windows 7 also includes this component. In addition to its mainstream server platform support, MSMQ has been incorporated into Microsoft Embedded platforms since 1999 and the release of Windows CE 3.0.

Overview
MSMQ is essentially a messaging protocol that allows applications running on separate servers/processes to communicate in a failsafe manner. A queue is a temporary storage location from which messages can be sent and received reliably, as and when conditions permit. This enables communication across heterogeneous networks and between computers which may not always be connected. By contrast, sockets and other network protocols assume that direct connections always exist. MSMQ has been available to developers on Microsoft platforms since 1997, and has commonly been used in enterprise software built with Visual Studio, both in the native pre-.NET incarnation (versions 5 and 6) and in Visual Studio .NET. Microsoft has also incorporated MSMQ in its messaging technology framework, Windows Communication Foundation (WCF). Under WCF, MSMQ can be used for providing secure, reliable transport with a unified programming model compatible with other communications standards.

MSMQ is responsible for reliably delivering messages between applications inside and outside the enterprise. MSMQ ensures reliable delivery by placing messages that fail to reach their intended destination in a queue and then resending them once the destination is reachable. It also supports security and priority-based messaging. Dead letter queues can be created for looking at messages which timed out or failed for other reasons. MSMQ also supports transactions. It permits multiple operations on multiple queues, with all of the operations wrapped in a single transaction, thus ensuring that either all or none of the operations will take effect. Microsoft Distributed Transaction Coordinator (MSDTC) supports transactional access to MSMQ and other resources.

The following ports are used for Microsoft Message Queuing operations:
- TCP: 1801
- RPC: 135, 2101*, 2103*, 2105*
- UDP: 3527, 1801
* These port numbers may be incremented by 11 if the initial choice of RPC port is in use when Message Queuing initializes. Port 135 is queried to discover the 2xxx ports.
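To make the store-and-forward, dead-letter and transaction behaviour described above concrete, here is an added Python model (constructed for this report, not Microsoft's MSMQ code or API) of two queue managers where the destination is offline for a while; the host names, queue names and timeouts are made up.

```python
from dataclasses import dataclass

@dataclass
class Message:
    body: str
    sent_at: float               # time the sender queued it
    time_to_be_received: float   # seconds it may stay undelivered before being dead-lettered
    attempts: int = 0            # delivery attempts made by the outgoing queue

class QueueManager:
    """Constructed model of one MSMQ node (not Microsoft's implementation): local
    queues, an outgoing queue per destination that keeps messages while that
    destination is unreachable, and a dead-letter queue for messages that expire."""

    def __init__(self, host):
        self.host = host
        self.online = True
        self.queues = {}          # queue name -> list of Message (oldest first)
        self.outgoing = {}        # destination host -> list of (queue name, Message)
        self.dead_letter = []
        self.peers = {}           # destination host -> QueueManager reachable over the network

    def create_queue(self, name):
        self.queues[name] = []

    def send(self, host, queue, body, now, ttl):
        msg = Message(body, now, ttl)
        if host == self.host:                       # local queue: stored immediately
            self.queues[queue].append(msg)
        else:                                       # remote queue: buffered until deliverable
            self.outgoing.setdefault(host, []).append((queue, msg))

    def deliver_pending(self, now):
        """Forward buffered messages whose destination is reachable; move messages
        older than their time-to-be-received to the dead-letter queue; keep the rest."""
        forwarded = 0
        for host, pending in self.outgoing.items():
            peer, keep = self.peers.get(host), []
            for queue, msg in pending:
                msg.attempts += 1
                if peer is not None and peer.online:
                    peer.queues[queue].append(msg)
                    forwarded += 1
                elif now - msg.sent_at > msg.time_to_be_received:
                    self.dead_letter.append(msg)
                else:
                    keep.append((queue, msg))
            self.outgoing[host] = keep
        return forwarded

    def begin(self):
        return Transaction(self)

class Transaction:
    """All-or-nothing semantics: staged sends become visible only on commit, and a
    message received inside the transaction returns to its queue on abort."""

    def __init__(self, mgr):
        self.mgr, self.staged_sends, self.received = mgr, [], []

    def send(self, host, queue, body, now, ttl):
        self.staged_sends.append((host, queue, body, now, ttl))

    def receive(self, queue):
        msg = self.mgr.queues[queue].pop(0)
        self.received.append((queue, msg))
        return msg

    def commit(self):
        for args in self.staged_sends:
            self.mgr.send(*args)
        self.staged_sends, self.received = [], []

    def abort(self):
        for queue, msg in reversed(self.received):   # put received messages back, in order
            self.mgr.queues[queue].insert(0, msg)
        self.staged_sends, self.received = [], []

def demo():
    """Walk through the store-and-forward and transaction behaviour; constructed scenario."""
    app, db = QueueManager("appserver"), QueueManager("dbserver")
    app.peers["dbserver"] = db
    db.create_queue("orders")
    db.online = False                                   # destination down
    app.send("dbserver", "orders", "order-1", now=0, ttl=30)
    app.send("dbserver", "orders", "order-2", now=0, ttl=5)
    app.deliver_pending(now=10)                         # order-2 expires, order-1 keeps waiting
    db.online = True
    app.deliver_pending(now=12)                         # order-1 forwarded on the second attempt
    tx = db.begin()
    tx.receive("orders")                                # read inside a transaction ...
    tx.abort()                                          # ... and rolled back: still in the queue
    return {"delivered": [m.body for m in db.queues["orders"]],
            "dead_lettered": [m.body for m in app.dead_letter],
            "attempts": db.queues["orders"][0].attempts}
```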

NTFS (New Technology File System) is the standard file system of Windows NT, including its later versions Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7. NTFS supersedes the FAT file system as the preferred file system for Microsoft's Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as improved support for metadata and the use of advanced data structures to improve performance, reliability, and disk space utilization, plus additional extensions such as security access control lists (ACL) and file system journaling.

History
In the mid-1980s, Microsoft and IBM formed a joint project to create the next generation of graphical operating system. The result of the project was OS/2, but Microsoft and IBM disagreed on many important issues and eventually separated. OS/2 remained an IBM project. Microsoft started to work on Windows NT. The OS/2 file system HPFS contained several important new features. When Microsoft created their new operating system, they borrowed many of these concepts for NTFS. Probably as a result of this common ancestry, HPFS and NTFS share the same disk partition identification type code (07). Sharing an ID is unusual, since there were dozens of available codes, and other major file systems have their own code. FAT has more than nine (one each for FAT12, FAT16, FAT32, etc.). Algorithms which identify the file system in a partition of type 07 must perform additional checks. It is also clear that NTFS owes some of its architectural design to Files-11 used by VMS. Dave Cutler was the main lead for both VMS and Windows NT.

Versions
The NTFS on-disk format has five released versions:
- v1.0 with NT 3.1, released mid-1993
- v1.1 with NT 3.5, released fall 1994
- v1.2 with NT 3.51 (mid-1995) and NT 4 (mid-1996) (occasionally referred to as "NTFS 4.0", because the OS version is 4.0)
- v3.0 from Windows 2000 ("NTFS V5.0" or "NTFS5")
- v3.1 from Windows XP (autumn 2001; "NTFS V5.1"), Windows Server 2003 (spring 2003; occasionally "NTFS V5.2"), Windows Server 2008 and Windows Vista (mid-2005) (occasionally "NTFS V6.0"), Windows Server 2008 R2 and Windows 7 (occasionally "NTFS V6.1")

V1.0 and V1.1 (and newer) are incompatible: that is, volumes written by NT 3.5x cannot be read by NT 3.1 until an update on the NT 3.5x CD is applied to NT 3.1, which also adds FAT long file name support. V1.2 supports compressed files, named streams, ACL-based security, etc. V3.0 added disk quotas, encryption, sparse files, reparse points, update sequence number (USN) journaling, the $Extend folder and its files, and reorganized security descriptors so that multiple files which use the same security setting can share the same descriptor. V3.1 expanded the Master File Table (MFT) entries with a redundant MFT record number (useful for recovering damaged MFT files). Windows Vista introduced Transactional NTFS, NTFS symbolic links, partition shrinking and self-healing functionality, though these features owe more to additional functionality of the operating system than to the file system itself.

The NTFS.sys version (i.e. NTFS v5.0 introduced with Windows 2000) should not be confused with the on-disk NTFS format version (v3.1 since Windows XP). The NTFS v3.1 on-disk format is unchanged since the introduction of Windows XP and is used in Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7. The confusion arises when no differentiation is made between features implemented in the NTFS.sys driver within the Windows OS and features of the NTFS on-disk format. An instance of this was when Microsoft detailed new features within NTFS in Windows 2000 and called it NTFS v5.0, yet it is the NTFS.sys driver that is at that version, and the on-disk format is only at v3.0.

Alternate data streams (ADS)
Alternate data streams allow more than one data stream to be associated with a filename, using the filename format "filename:streamname" (e.g., "text.txt:extrastream"). Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. Only the main stream of a file is preserved when it is copied to a FAT-formatted USB drive, attached to an e-mail, or uploaded to a website. As a result, using alternate streams for critical data may cause problems. NTFS streams were introduced in Windows NT 3.1, to enable Services for Macintosh (SFM) to store Macintosh resource forks. Although current versions of Windows Server no longer include SFM, third-party Apple Filing Protocol (AFP) products (such as Group Logic's ExtremeZ-IP) still use this feature of the file system. Malware has used alternate data streams to hide its code; some malware scanners and other special tools now check for data in alternate streams. Microsoft provides a tool called Streams to allow users to view streams on a selected volume. Very small ADS are also added by Internet Explorer (and now also other browsers) to mark files that have been downloaded from external sites: they may be unsafe to run locally, and the local shell will require confirmation from the user before opening them. When the user indicates that he no longer wants this confirmation dialog, this ADS is simply dropped from the MFT entry of the downloaded file.

Some media players have also tried to use ADS to store custom metadata for media files, in order to organize collections without modifying the effective data content of the media files themselves (using embedded tags when they are supported by the media file formats, such as MPEG and OGG containers); this metadata may be displayed in Windows Explorer as extra information columns, with the help of a registered Windows Shell extension that can parse it, but most media players prefer to use their own separate database instead of ADS for storing this information (notably because ADS are visible to all users of these files, instead of being managed with distinct per-user security settings and having their values defined according to user preferences).
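The following added Python helper (not part of the original text or of Microsoft's tools) shows the defender's side of alternate data streams: it splits the filename:streamname syntax, parses the Zone.Identifier stream that Internet Explorer writes to mark downloaded files (the stream name and zone ids are Windows conventions not named in the text above), and, on Windows only, enumerates a file's streams with the FindFirstStreamW API; the sample stream content is constructed.

```python
import configparser
import ctypes
import os

# URL security zone ids Windows stores in the Zone.Identifier stream of a downloaded file.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def split_stream_name(path):
    """Split 'dir\\file.txt:stream:$DATA' into ('dir\\file.txt', 'stream'). The ':$DATA'
    type suffix is optional, the unnamed main stream ('file::$DATA') yields None, and a
    drive-letter colon before the last separator is not treated as a stream separator."""
    base_start = max(path.rfind("\\"), path.rfind("/")) + 1
    colon = path.find(":", base_start)
    if colon < 0:
        return path, None
    stream = path[colon + 1:]
    if stream.upper().endswith(":$DATA"):
        stream = stream[:-len(":$DATA")]
    return path[:colon], stream or None

def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier contents; None if it is not a zone marker."""
    cp = configparser.ConfigParser(interpolation=None)   # URLs may contain '%'
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        return None
    zone = cp.getint("ZoneTransfer", "ZoneId", fallback=None)
    return {"zone_id": zone,
            "zone": ZONE_NAMES.get(zone, "unknown"),
            "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None),
            "referrer_url": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None)}

def mark_of_the_web(path):
    """Read <path>:Zone.Identifier; None when the file carries no mark (never downloaded,
    or the stream was dropped after the user disabled the confirmation prompt)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None

class _FindStreamData(ctypes.Structure):          # WIN32_FIND_STREAM_DATA
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]   # MAX_PATH + 36

def list_streams(path):
    """Enumerate every data stream of a file, including hidden alternate ones, via
    FindFirstStreamW/FindNextStreamW. Windows only; returns [(stream name, size)]."""
    if os.name != "nt":
        raise OSError("alternate data streams are an NTFS feature; run this on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = _FindStreamData()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if handle is None or handle == ctypes.c_void_p(-1).value:       # NULL or INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))    # e.g. ':Zone.Identifier:$DATA'
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams

# Constructed Zone.Identifier content of the kind a browser writes next to a download.
SAMPLE_ZONE_IDENTIFIER = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                          "HostUrl=https://downloads.example.test/tool.zip\r\n")
```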

Sparse files
Sparse files are files which contain sparse data sets, which are files with segments stored at different file offsets with no actual storage space used for the space between segments. When a file is read back, the file system driver returns zeros for any data that does not actually exist, so the file may appear to be mostly filled with zeros. Database applications, for instance, sometimes use sparse files. Because of this, Microsoft has implemented support for efficient storage of sparse files by allowing an application to specify regions of empty (zero) data. An application that reads a sparse file reads it in the normal manner with the file system calculating what data should be returned based upon the file offset. As with compressed files, the actual sizes of sparse files are not taken into account when determining quota limits.

File compression
NTFS can compress files using the LZNT1 algorithm (a variant of LZ77). Files are compressed in 16-cluster chunks. With 4 kB clusters, files are compressed in 64 kB chunks. If the compression reduces 64 kB of data to 60 kB or less, NTFS treats the unneeded 4 kB pages like empty sparse file clusters: they are not written. This allows reasonable random-access times. However, large compressible files become highly fragmented, as every 64 kB chunk then becomes a smaller fragment. Compression is not recommended by Microsoft for files exceeding 30 MB because of the performance hit. The best use of compression is for files which are repetitive, written seldom, usually accessed sequentially, and not themselves compressed. Log files are an ideal example. Compressing files which are less than 4 kB or already compressed (like .zip, .jpg or .avi) may make them bigger as well as slower. Avoid compressing executables like .exe and .dll (they may be paged in and out in 4 kB pages). Never compress system files used at boot, like drivers, NTLDR, winload.exe or BOOTMGR. Although read/write access to compressed files is often, but not always, transparent, Microsoft recommends avoiding compression on server systems and/or network shares holding roaming profiles because it puts a considerable load on the processor. Single-user systems with limited hard disk space can benefit from NTFS compression for small files, from 4+ kB to 64 kB or more, depending on compressibility. Files of less than about 900 bytes are stored with the directory entry in the MFT. The slowest link in a computer is not the CPU but the speed of the hard drive, so NTFS compression allows the limited, slow storage space to be better used, in terms of both space and (often) speed. (This assumes that compressed file fragments are stored consecutively.) NTFS compression can also serve as a replacement for sparse files when a program (e.g., a download manager) is not able to create files without content as sparse files.
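As an added example (not part of the original text), here is a small LZNT1 decompressor and a simple greedy compressor in Python, followed by the cluster accounting the paragraph describes; the chunk header layout and token split follow the LZNT1 format, the compressor's match search is a simplified assumption that need not match Windows' output byte for byte, and the sample log text is constructed.

```python
import random

CHUNK = 0x1000   # LZNT1 works on independent 4 KiB chunks; a 16-cluster NTFS unit holds 16

def _length_bits(out_len):
    """Length-field width of a copy token: 12 bits at chunk start, one less each doubling past 16."""
    bits, pos = 12, out_len - 1
    while pos >= 0x10:
        bits, pos = bits - 1, pos >> 1
    return bits

def _decompress_chunk(data):
    out, i = bytearray(), 0
    while i < len(data):
        flags, i = data[i], i + 1
        for bit in range(8):                      # flag bit b (LSB first) describes token b
            if i >= len(data):
                break
            if not (flags >> bit) & 1:            # 0: one literal byte
                out.append(data[i])
                i += 1
                continue
            token, i = data[i] | (data[i + 1] << 8), i + 2   # 1: 16-bit (displacement, length)
            lb = _length_bits(len(out))
            length, disp = (token & ((1 << lb) - 1)) + 3, (token >> lb) + 1
            if disp > len(out):
                raise ValueError("copy token points before the start of the chunk")
            for _ in range(length):               # byte by byte: a copy may overlap its output
                out.append(out[len(out) - disp])
    return bytes(out)

def lznt1_decompress(buf):
    out, i = bytearray(), 0
    while i + 2 <= len(buf):
        header, i = buf[i] | (buf[i + 1] << 8), i + 2
        if header == 0:                           # terminator
            break
        if (header >> 12) & 7 != 3:               # bits 12-14: signature 011
            raise ValueError("bad chunk signature")
        size = (header & 0xFFF) + 1               # bits 0-11: chunk size minus one
        chunk, i = buf[i:i + size], i + size
        out += _decompress_chunk(chunk) if header & 0x8000 else chunk   # bit 15: compressed
    return bytes(out)

def _find_match(src, pos):
    """Longest match for src[pos:] among earlier bytes reachable at this position (8 nearest seeds)."""
    lb = _length_bits(pos)
    max_len = min((1 << lb) + 2, len(src) - pos)
    window = max(0, pos - (1 << (16 - lb)))
    best_len, best_disp, end = 0, 0, pos + 2      # a 3-byte seed may overlap pos (run-length)
    for _ in range(8):
        cand = src.rfind(src[pos:pos + 3], window, end)
        if cand < 0 or best_len == max_len:
            break
        n = next((k for k in range(max_len) if src[cand + k] != src[pos + k]), max_len)
        if n > best_len:
            best_len, best_disp = n, pos - cand
        end = cand + 2
    return best_len, best_disp

def _compress_chunk(src):
    out, pos = bytearray(), 0
    while pos < len(src):
        flag_index, flags = len(out), 0
        out.append(0)                             # placeholder for this group's flag byte
        for bit in range(8):
            if pos >= len(src):
                break
            length, disp = _find_match(src, pos)
            if length >= 3:
                out += (((disp - 1) << _length_bits(pos)) | (length - 3)).to_bytes(2, "little")
                flags, pos = flags | (1 << bit), pos + length
            else:
                out.append(src[pos])
                pos += 1
        out[flag_index] = flags
    return bytes(out)

def lznt1_compress(data):
    out = bytearray()
    for i in range(0, len(data), CHUNK):
        chunk = data[i:i + CHUNK]
        packed = _compress_chunk(chunk)
        if len(packed) < len(chunk):
            out += (0xB000 | (len(packed) - 1)).to_bytes(2, "little") + packed
        else:                                     # no gain: store the chunk raw
            out += (0x3000 | (len(chunk) - 1)).to_bytes(2, "little") + chunk
    return bytes(out)

def clusters_saved(unit, cluster=4096):
    """Clusters NTFS frees for one compression unit; stored compressed only if a whole cluster is saved."""
    total = -(-len(unit) // cluster)
    used = -(-len(lznt1_compress(unit)) // cluster)
    return total - used if used < total else 0

# Constructed inputs: a 64 KiB unit of repetitive log text, and one of pseudo-random bytes
# (already-compressed data such as .zip or .jpg behaves like the latter).
SAMPLE_LOG = (b"2011-06-01 12:00:00 GET /index.html 200 1234\n" * 2000)[:16 * 4096]
_rng = random.Random(7)
RANDOM_UNIT = bytes(_rng.getrandbits(8) for _ in range(16 * 4096))
```

Running clusters_saved on the two units shows the behaviour the text describes: the log unit frees most of its 16 clusters, while the random unit frees none and is stored uncompressed.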

Volume Shadow Copy
The Volume Shadow Copy Service (VSS) keeps historical versions of files and folders on NTFS volumes by copying old, newly-overwritten data to a shadow copy (copy-on-write). The old file data is overlaid on the new when the user requests a revert to an earlier version. This also allows data backup programs to archive files currently in use by the file system. On heavily loaded systems, Microsoft recommends setting up a shadow copy volume on a separate disk.

Transactional NTFS
As of Windows Vista, applications can use Transactional NTFS to group changes to files together into a transaction. The transaction will guarantee that all changes happen, or none of them do, and it will guarantee that applications outside the transaction will not see the changes until they are committed. It uses techniques similar to those used for Volume Shadow Copies (i.e. copy-on-write) to ensure that overwritten data can be safely rolled back, and a CLFS log to mark the transactions that have still not been committed, or those that have been committed but not yet fully applied (in case of a system crash during a commit by one of the participants). Transactional NTFS does not restrict transactions to just the local NTFS volume, but also includes other transactional data or operations in other locations, such as data stored in separate volumes, the local registry, or SQL databases, or the current states of system services or remote services. These transactions are coordinated network-wide with all participants using a specific service, the DTC, to ensure that all participants will receive the same commit state, and to transport the changes that have been validated by any participant (so that the others can invalidate their local caches for old data or roll back their ongoing uncommitted changes). Transactional NTFS allows, for example, the creation of network-wide consistent distributed filesystems, including with their local live or offline caches.

Encrypting File System (EFS)
EFS provides strong and user-transparent encryption of any file or folder on an NTFS volume. EFS works in conjunction with the EFS service, Microsoft's CryptoAPI and the EFS File System Run-Time Library (FSRTL). EFS works by encrypting a file with a bulk symmetric key (also known as the File Encryption Key, or FEK), which is used because it takes far less time to encrypt and decrypt large amounts of data than an asymmetric key cipher would. The symmetric key that is used to encrypt the file is then encrypted with a public key that is associated with the user who encrypted the file, and this encrypted data is stored in an alternate data stream of the encrypted file. To decrypt the file, the file system uses the private key of the user to decrypt the symmetric key that is stored in the file header. It then uses the symmetric key to decrypt the file. Because this is done at the file system level, it is transparent to the user. Also, in case a user loses access to their key, support for additional decryption keys has been built into the EFS system, so that a recovery agent can still access the files if needed. NTFS-provided encryption and NTFS-provided compression are mutually exclusive; however, NTFS can be used for one and a third-party tool for the other. Support for EFS is not available in Basic, Home and MediaCenter versions of Windows, and must be activated after installation of Professional, Ultimate and Server versions of Windows or by using enterprise deployment tools within Windows domains.

Quotas
Disk quotas were introduced in NTFS v3. They allow the administrator of a computer that runs a version of Windows that supports NTFS to set a threshold of disk space that users may use. It also allows administrators to keep track of how much disk space each user is using. An administrator may specify a certain level of disk space that a user may use before they receive a warning, and then deny access to the user once they hit their upper limit of space. Disk quotas do not take into account NTFS's transparent file-compression, should this be enabled. Applications that query the amount of free space will also see the amount of free space left to the user who has a quota applied to them.

The support of disk quotas is not available in Basic, Home and MediaCenter versions of Windows, and must be activated after installation of Professional, Ultimate and Server versions of Windows or by using enterprise deployment tools within Windows domains.

Reparse points
This feature was introduced in NTFS v3. Reparse points are used by associating a reparse tag in the user space attribute of a file or directory. When the object manager (see Windows NT line executive) parses a file system name lookup and encounters a reparse attribute, it will reparse the name lookup, passing the user-controlled reparse data to every file system filter driver that is loaded into Windows. Each filter driver examines the reparse data to see whether it is associated with that repar?se point, and if that filter driver determines a match, then it intercepts the file system call and executes its special functionality. Reparse points are used to implement Volume Mount Points, Directory Junctions, Hierarchical Storage Management, Native Structured Storage, Single Instance Storage, and Symbolic Links.

Volume mount points
Volume mount points are similar to Unix mount points, where the root of another file system is attached to a directory. In NTFS, this allows additional file systems to be mounted without requiring a separate drive letter (such as C: or D:) for each. Once a volume has been mounted on top of an existing directory of another volume, the contents previously listed in that directory become invisible and are replaced by the content of the root directory of the mounted volume. The mounted volume could still have its own drive letter assigned separately. The file system does not allow volumes to be mutually mounted on each other. Volume mount points can be made either persistent (remounted automatically after system reboot) or not persistent (must be manually remounted after reboot). Mounted volumes may use other file systems than just NTFS; notably they may be remote shared directories, possibly with their own security settings and remapping of access rights according to the remote file system policy.

Directory junctions
Directory junctions are similar to volume mount points, but reference other directories in the file system instead of other volumes. For instance, the directory C:\exampledir with a directory junction attribute that contains a link to D:\linkeddir will automatically refer to the directory D:\linkeddir when it is accessed by a user-mode application. This function is conceptually similar to symbolic links to directories in Unix, except that the target in NTFS must always be another directory (typical Unix file systems allow the target of a symbolic link to be any type of file) and has the semantics of a hardlink (i.e., it must be immediately resolvable when created). Directory junctions (which can be created with the command MKLINK /J junctionName targetDirectory and removed with RMDIR junctionName from a console prompt) are persistent, and resolved on the server side, as they share the same security realm of the local system or domain on which the parent volume is mounted and the same security settings for their contents as the content of the target directory; however, the junction itself may have distinct security settings. Unlinking a directory junction does not delete files in the target directory. Note that some directory junctions are installed by default on Windows Vista, for compatibility with previous versions of Windows, such as Documents and Settings in the root directory of the system drive, which links to the Users physical directory in the root directory of the same volume. However, they are hidden by default, and their security settings are set up so that Windows Explorer will refuse to open them from within the Shell or in most applications, except for the local built-in SYSTEM user or the local Administrators group (both accounts are used by system software installers). This additional security restriction has probably been made to prevent users from finding apparent duplicate files in the joined directories and deleting them by mistake, because the semantics of directory junctions are not the same as those of hardlinks: reference counting is not used on the target contents, nor even on the referenced container itself. Directory junctions are soft links (they persist even if the target directory is removed), working as a limited form of symbolic links (with an additional restriction on the location of the target), but they are an optimized version that allows faster processing of the reparse point with which they are implemented, with less overhead than the newer NTFS symbolic links, and they can be resolved on the server side (when they are found in remote shared directories).

Symbolic links
Symbolic links (or soft links) were introduced in Windows Vista. Symbolic links are resolved on the client side, so when a symbolic link is shared, the target is subject to the access restrictions on the client, not the server. Symbolic links can be created either to files (created with MKLINK symLink targetFilename) or to directories (created with MKLINK /D symLinkD targetDirectory), but (unlike Unix symbolic links) the semantics of the link must be provided with the created link. The target, however, need not exist or be available when the symbolic link is created: when the symbolic link is accessed and the target is checked for availability, NTFS will also check whether it has the correct type (file or directory); it returns a not-found error if the existing target has the wrong type. They can also reference shared directories on remote hosts or files and subdirectories within shared directories: their target is not mounted immediately at boot, but only temporarily on demand while opening them with the OpenFile() or CreateFile() API. Their definition is persistent on the NTFS volume where they are created (all types of symbolic links can be removed as if they were files, using DEL symLink from a command line prompt or batch).

Single Instance Storage (SIS)
When there are several directories that have different, but similar, files, some of these files may have identical content. Single instance storage allows identical files to be merged into one file and creates references to that merged file. SIS consists of a file system filter that manages copies, modifications and merges of files, and a user space service (or groveler) that searches for files that are identical and need merging. SIS was mainly designed for remote installation servers, as these may have multiple installation images that contain many identical files; SIS allows these to be consolidated but, unlike for example hard links, each file remains distinct; changes to one copy of a file will leave the others unaltered. This is similar to copy-on-write, which is a technique by which memory copying is not really done until one copy is modified.

Hierarchical Storage Management (HSM)
Hierarchical Storage Management is a means of transferring files that are not used for some period of time to less expensive storage media. When the file is next accessed, the reparse point on that file determines that it is needed and retrieves it from storage.

Native Structured Storage (NSS)
NSS was an ActiveX document storage technology that has since been discontinued by Microsoft. It allowed ActiveX Documents to be stored in the same multi-stream format that ActiveX uses internally. An NSS file system filter was loaded and used to process the multiple streams transparently to the application, and when the file was transferred to a non-NTFS formatted disk volume it would also transfer the multiple streams into a single stream.

Windows Deployment Services
Windows Deployment Services is a technology from Microsoft for network-based installation of Windows operating systems. It is the successor to Remote Installation Services. WDS is intended to be used for remotely deploying Windows Vista, Windows 7 and Windows Server 2008, but also supports other operating systems because, unlike its predecessor RIS, which was a method of automating the installation process, WDS uses disk imaging, in particular the Windows Imaging Format (WIM). WDS is included as a Server Role in all 32-bit and 64-bit versions of Windows Server 2008, and is included as an optionally installable component with Windows Server 2003 Service Pack 2.

Overview
The Windows Deployment Service combines updated and redesigned versions of Remote Installation Service (RIS) and Automated Deployment Services (ADS). The deployment of Windows 7, Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP can be fully automated and customized through the use of unattended installation scripting files. Tasks that can be made automatic include naming the machine, having the machine join a domain, adding or removing programs and features, and installing server roles (in the case of Windows Server 2008). Windows Vista and Windows Server 2008 are installed from a set of source files on the server, often copied from the product's installation media. WDS expands upon simple scripted installation by giving the technician the ability to capture, store, and deploy image-based installation packages. A major new feature available in the Windows Server 2008 versions of WDS is that it supports IP Multicast deployments. Multicasting allows new clients to join an existing multicast deployment that has already started; the WDS server will wrap the multicast so that any client who joined the deployment after it started can receive the data it is missing. WDS's multicast uses the standard internet protocol IGMP. WDS also supports x64-based computers with Extensible Firmware Interface (EFI). WDS contains the ability to deploy other operating systems such as Windows PE, Windows XP, and Windows 2000, but the installation of these operating systems cannot be performed from source files or controlled with unattended scripts. The unsupported operating system to be deployed must first be installed and configured on a workstation; an image of the finished operating system configuration is then captured with the Windows Automated Installation Kit, and this captured image can be deployed through WDS.

Microsoft Transaction Server
Microsoft Transaction Server (MTS) was software that provided services to Component Object Model (COM) software components, to make it easier to create large distributed applications. The major services provided by MTS were automated transaction management, instance management (or just-in-time activation) and role-based security. MTS is considered to be the first major software to implement aspect-oriented programming. MTS was first offered in the Windows NT 4.0 Option Pack. In Windows 2000, MTS was enhanced and better integrated with the operating system and COM, and was renamed COM+. COM+ added object pooling, loosely-coupled events and user-defined simple transactions (compensating resource managers) to the features of MTS. COM+ is still provided with Windows Server 2003 and Windows Server 2008, and the Microsoft .NET Framework provides a wrapper for COM+ in the EnterpriseServices namespace. The Windows Communication Foundation (WCF) provides a way of calling COM+ applications with web services. However, COM+ is based on COM, and Microsoft's strategic software architecture is now web services and .NET, not COM. There are pure .NET-based alternatives for many of the features provided by COM+, and in the long term it is likely COM+ will be phased out.

Architecture
A basic MTS architecture comprises:
- the MTS Executive (mtxex.dll)
- the Factory Wrappers and Context Wrappers for each component
- the MTS Server Component
- MTS clients
- auxiliary systems like: COM runtime services, the Service Control Manager (SCM), the Microsoft Distributed Transaction Coordinator (MS-DTC), the Microsoft Message Queue (MSMQ), the COM-Transaction Integrator (COM-TI), etc.

COM components that run under the control of the MTS Executive are called MTS components. In COM+, they are referred to as COM+ Applications. MTS components are in-process DLLs. MTS components are deployed and run in the MTS Executive, which manages them. As with other COM components, an object implementing the IClassFactory interface serves as a Factory Object to create new instances of these components. MTS inserts a Factory Wrapper Object and an Object Wrapper between the actual MTS object and its client. This interposing of wrappers is called interception. Whenever the client makes a call to the MTS component, the wrappers (Factory and Object) intercept the call and inject their own instance-management algorithm, called Just-In-Time Activation (JITA), into the call. The wrapper then makes this call on the actual MTS component. Interception was considered difficult at the time due to a lack of extensible metadata.

In addition, based on the information in the component's deployment properties, transaction logic and security checks also take place in these wrapper objects. For every MTS-hosted object there also exists a Context Object, which implements the IObjectContext interface. The Context Object maintains information specific to that object, such as its transactional information, security information and deployment information. Methods in the MTS component call into the Context Object through its IObjectContext interface.

MTS does not create the actual middle-tier MTS object until a call from a client reaches the container. Since the object is not running all the time, it does not use up many system resources (even though an object wrapper and skeleton for the object do persist). As soon as the call comes in from the client, the MTS wrapper process activates its instance-management algorithm, JITA, and the actual MTS object is created "just in time" to service the request from the wrapper. When the request has been serviced and the reply sent back to the client, the actual MTS object is destroyed as soon as the component calls SetComplete() or SetAbort(), its transaction ends, or the client calls Release() on its reference to the object. In short, MTS uses a stateless component model.

Generally, when a client requests services from a typical MTS component, the following sequence occurs on the server:
1. Acquire a database connection.
2. Read the component's state from the Shared Property Manager, from an already existing object, or from the client.
3. Perform the business logic.
4. Write the component's changed state, if any, back to the database.
5. Close and release the database connection.
6. Vote on the result of the transaction. MTS components do not directly commit transactions; they communicate their success or failure to MTS, which commits or aborts the transaction.
It is thus possible to implement high-latency resources as asynchronous resource pools, which should take advantage of the stateless JIT activation afforded by the middleware server.

GPO (Group Policy Object) refresh


The Group Policy client refreshes the policy settings for workstations and servers on a "pull" model every 90 minutes by default (every 5 minutes on domain controllers), plus a random offset of up to 30 minutes so that clients do not all hit the domain controllers at once. During a refresh it collects the list of GPOs that apply to the machine and to the logged-on user (if any) and then applies them; the applied GPOs thereafter govern the behaviour of policy-enabled operating system components. Some settings, however, are only applied at reboot or at user logon (for example Software Installation for computers and drive mapping for users). Since Windows XP, a refresh of Group Policy can be started manually with the "gpupdate" command from a command prompt.

Local Group Policy


Local Group Policy (LGP) is a more basic version of the Group Policy used by Active Directory. In versions of Windows before Windows Vista, LGP can configure the Group Policy for a single local computer but, unlike Active Directory Group Policy, cannot make policies for individual users or groups. It also has far fewer options overall than Active Directory Group Policy. The per-user limitation can be worked around with the Registry Editor: LGP writes its settings to the registry so that they affect every user of the machine (machine settings under HKLM), and the same registry values can be set by hand under HKCU or HKU to affect only particular users. Microsoft has more information on using the Registry Editor to configure Group Policy on TechNet. LGP can be used on a computer that is a member of a domain, and on Windows XP Home Edition. Windows Vista supports Multiple Local Group Policy Objects (MLGPO), which allow local Group Policy to be set for individual users.

Processing order for policy settings


Group policies are processed in the following order:
1. Local Group Policy objects. These are the settings in the computer's local policy (accessed by running gpedit.msc). Before Windows Vista there was only one local Group Policy object per computer; on Windows Vista and Windows 7, separate local Group Policy objects can be set per account.
2. Site. Next, the computer processes any GPOs linked to the site the computer is currently in.
3. Domain. Any GPOs linked at the domain level (such as the Default Domain Policy) are processed next.
4. Organizational Unit. Last, GPOs linked to the organizational units that contain the computer or user are processed, from the parent OU down to the OU that holds the object.

At each of these levels, if several GPOs are linked to the same container they are processed in the order the administrator set on the Linked Group Policy Objects tab: the GPO with the lowest link order is processed last and therefore has the highest precedence. Because later settings overwrite earlier ones, a setting configured at the OU level normally wins over the same setting configured at the domain or site level.

Inheritance can be blocked or enforced to control which policies apply at each level. A lower-level administrator (for example a domain administrator) can set Block Inheritance on a container so that GPOs linked higher up are not applied there, but a link that a higher-level administrator (for example an enterprise administrator) has marked Enforced is still processed, and its settings win any conflict with lower-level GPOs. Where a Group Policy Preferences item is configured and there is also an equivalent Group Policy setting configured, the value of the Group Policy setting takes precedence.
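The processing order and precedence rules above are easier to check against a concrete case. The following model is an added example, not code from the original report or from Microsoft: it applies the local, site, domain and OU links in order, honours link order, Block Inheritance and Enforced, and lets a policy setting beat an equivalent preference item. All GPO, container, user and setting names in it are invented for illustration.

```python
"""Model of Group Policy precedence (local, site, domain, OU) for one client.
Added example; GPO and container names are constructed, not from a real domain."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]                                   # policy settings
    preferences: Dict[str, str] = field(default_factory=dict)  # Group Policy Preferences items


@dataclass
class Link:
    gpo: GPO
    link_order: int          # 1 = highest precedence within the container
    enforced: bool = False   # "Enforced" (formerly "No Override") on the link


@dataclass
class Container:
    name: str
    links: List[Link]
    block_inheritance: bool = False


def application_order(local: Optional[GPO], hierarchy: List[Container]) -> List[GPO]:
    """Return the GPOs in the order the client applies them; the last one applied wins.

    hierarchy is listed top-down: site, domain, OU, child OU, ...
    """
    # Block Inheritance on a container stops non-enforced links from every container
    # above it; if several containers block, the lowest one is the one that matters.
    first_unblocked = 0
    for i, c in enumerate(hierarchy):
        if c.block_inheritance:
            first_unblocked = i

    normal: List[GPO] = []
    enforced_per_container: List[List[GPO]] = []
    for i, c in enumerate(hierarchy):
        enforced_here: List[GPO] = []
        # Within one container the highest link-order number is applied first and
        # link order 1 last, so link order 1 has the highest precedence.
        for link in sorted(c.links, key=lambda l: l.link_order, reverse=True):
            if link.enforced:
                enforced_here.append(link.gpo)
            elif i >= first_unblocked:
                normal.append(link.gpo)
        enforced_per_container.append(enforced_here)

    order: List[GPO] = []
    if local is not None:            # the local GPO is always first (lowest precedence)
        order.append(local)
    order.extend(normal)
    # Enforced links are applied after all others and in reverse hierarchy order, so an
    # enforced link at the domain is applied after one at an OU and wins the conflict.
    for group in reversed(enforced_per_container):
        order.extend(group)
    return order


def resultant_set(local: Optional[GPO], hierarchy: List[Container]) -> Dict[str, Tuple[str, str]]:
    """Resultant settings as {setting: (value, name of the winning GPO)}."""
    policy: Dict[str, Tuple[str, str]] = {}
    prefs: Dict[str, Tuple[str, str]] = {}
    for gpo in application_order(local, hierarchy):
        for key, value in gpo.settings.items():
            policy[key] = (value, gpo.name)
        for key, value in gpo.preferences.items():
            prefs[key] = (value, gpo.name)
    # A policy setting always beats an equivalent preference item, whatever the order.
    result = dict(prefs)
    result.update(policy)
    return result


# Constructed scenario: the computer sits in OU Lab under OU Workstations, which blocks
# inheritance; "Corp Security" is enforced at the domain, so it still applies and wins.
LOCAL = GPO("Local", {"ScreenSaverTimeout": "600"})
HIERARCHY = [
    Container("Default-First-Site-Name",
              [Link(GPO("Site Policy", {"ScreenSaverTimeout": "900"}), 1)]),
    Container("corp.example",
              [Link(GPO("Default Domain Policy", {"MinPasswordLength": "7"}), 2),
               Link(GPO("Corp Security", {"DisableRegistryTools": "Enabled",
                                          "ScreenSaverTimeout": "300"}), 1, enforced=True)]),
    Container("OU=Workstations", block_inheritance=True,
              links=[Link(GPO("Workstation Baseline",
                              {"DisableRegistryTools": "Disabled", "ScreenSaverTimeout": "1200"},
                              preferences={"DriveMap_H": r"\\fs01\home"}), 1)]),
    Container("OU=Lab",
              [Link(GPO("Lab Exceptions", {},
                        preferences={"DriveMap_H": r"\\labfs\home",
                                     "DisableRegistryTools": "Disabled"}), 1)]),
]

if __name__ == "__main__":
    print([g.name for g in application_order(LOCAL, HIERARCHY)])
    for key, (value, source) in sorted(resultant_set(LOCAL, HIERARCHY).items()):
        print(f"{key:22s} = {value:14s} (from {source})")
```

Running it shows the Default Domain Policy and the site policy dropped by Block Inheritance, the enforced "Corp Security" applied last, and the preference item for DisableRegistryTools losing to the policy setting of the same name; MinPasswordLength never reaches the computer. On a real domain the same answer comes from gpresult /r or the Group Policy Results wizard in the GPMC.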

Group Policy Preferences


Group Policy Preferences are a set of Group Policy setting extensions that were previously known as PolicyMaker. Microsoft bought PolicyMaker and integrated it into Windows Server 2008, and has since released a migration tool that converts PolicyMaker items to Group Policy Preferences. Group Policy Preferences add a number of new configuration items, each with additional targeting options that can be used to control granularly where a setting item is applied. Group Policy Preferences are compatible with the x86 and x64 versions of Windows XP, Windows Server 2003 and Windows Vista once the Client Side Extensions (CSE) have been installed.

Client Side Extensions are now included in Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Group Policy Management Console


Originally, Group Policies were modified using the Group Policy Edit tool that was integrated with the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC). The GPMC is now an installable feature of Windows Server 2008 and Windows Server 2008 R2, and is provided as a download as part of the Remote Server Administration Tools for Windows Vista and Windows 7.

Advanced Group Policy Management


Microsoft has also released a tool for making changes to Group Policy called Advanced Group Policy Management (AGPM). It is available to any organisation that has licensed the Microsoft Desktop Optimization Pack (MDOP). AGPM gives administrators a check-in/check-out process for modifying Group Policy Objects, tracks changes to Group Policy Objects, and supports approval workflows for changes to them. To use this software you must license all of your Windows Active Directory clients for MDOP.

Security
Group Policy settings are enforced voluntarily by the targeted applications. In many cases this merely consists of disabling the user interface for a particular function without disabling lower-level means of accessing it: a policy that hides a dialog box does not by itself stop the same change being made from a script or directly in the registry. Alternatively, a malicious user can modify or interfere with the application so that it cannot read its Group Policy settings, leaving it to run with its own, potentially less secure, defaults or even with arbitrary values. Settings that matter for security should therefore be backed by controls the user cannot bypass, such as file-system and registry permissions on the values that the policy writes.

PROJECT
Overview of VPN
Components of a VPN
How to Install and Turn On a VPN Server
How to Configure the VPN Server
  How to Configure the Remote Access Server as a Router
  How to Modify the Number of Simultaneous Connections
  How to Manage Addresses and Name Servers
  How to Manage Access
    Access by User Account
    Access by Group Membership
How to Configure a VPN Connection from a Client Computer
Troubleshooting
  Troubleshooting Remote Access VPNs

SUMMARY
In this project I describe how to install virtual private networking (VPN) and how to create a new VPN connection on servers that are running Windows Server 2003. With a virtual private network, network components can be connected through another network, such as the Internet. A Windows Server 2003-based computer can be made a remote-access server so that other users connect to it by using VPN, log on to the network and access shared resources. VPNs do this by "tunneling" through the Internet or another public network in a manner that provides security and features comparable to a private network. Data is sent across the public network by using its routing infrastructure, but to the user it appears as if the data is sent over a dedicated private link.

Overview of VPN
A virtual private network is a means of connecting to a private network (such as your office network) by way of a public network (such as the Internet). A VPN combines the virtues of a dial-up connection to a dial-up server with the ease and flexibility of an Internet connection. By using an Internet connection, you can travel worldwide and still, in most places, connect to your office with a local call to the nearest Internet-access phone number. If you have a high-speed Internet connection (such as cable or DSL) at your computer and at your office, you can communicate with your office at full Internet speed, which is much faster than any dial-up connection that uses an analog modem. This technology allows an enterprise to connect to its branch offices or to other companies over a public network while maintaining secure communications. The VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. Virtual private networks use authenticated links to make sure that only authorized users can connect to your network. To keep data confidential as it travels over the public network, a VPN connection uses either Point-to-Point Tunneling Protocol (PPTP), which encrypts with Microsoft Point-to-Point Encryption (MPPE), or Layer Two Tunneling Protocol (L2TP), which relies on IPSec for encryption.

Components of a VPN
A VPN on a server running Windows Server 2003 is made up of a VPN server, a VPN client, a VPN connection (the portion of the connection in which the data is encrypted) and the tunnel (the portion of the connection in which the data is encapsulated). Tunneling is done with one of the two tunneling protocols included with Windows Server 2003, both of which are installed with Routing and Remote Access. The Routing and Remote Access service is installed automatically during the installation of Windows Server 2003, but it is turned off by default. The two tunneling protocols included with Windows are:
- Point-to-Point Tunneling Protocol (PPTP): provides data encryption using Microsoft Point-to-Point Encryption (MPPE).
- Layer Two Tunneling Protocol (L2TP): provides data encryption, authentication and integrity using IPSec.
Of the two, L2TP/IPSec is the stronger choice: IPSec authenticates and integrity-protects every packet, whereas MPPE only encrypts, with no integrity check, using keys derived from the user's password-based authentication.

Your connection to the Internet must use a dedicated line such as T1, Fractional T1 or Frame Relay. The WAN adapter must be configured with the IP address and subnet mask assigned for your domain or supplied by an Internet service provider (ISP), and the ISP's router must be configured as the default gateway of the WAN adapter.

NOTE: To turn on VPN, you must be logged on using an account that has administrative rights.

How to install and Turn on a VPN Server


To install and turn on a VPN server, follow these steps:
1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Click the server icon that matches the local server name in the left pane of the console. If the icon has a red circle in the lower-left corner, the Routing and Remote Access service has not been turned on. If the icon has a green arrow pointing up in the lower-left corner, the service has already been turned on and you may want to reconfigure the server. To reconfigure an already enabled server, first do step a; then, in either case, continue with steps b and c:
   a. Right-click the server object, and then click Disable Routing and Remote Access. Click Yes to continue when you are prompted with an informational message.
   b. Right-click the server icon, and then click Configure and Enable Routing and Remote Access to start the Routing and Remote Access Server Setup Wizard. Click Next to continue.
   c. Click Remote access (dial-up or VPN) to allow remote computers to dial in or to connect to this network through the Internet. Click Next to continue.
3. Click to select VPN or Dial-up depending on the role that you intend to assign to this server.
4. In the VPN Connection window, click the network interface that is connected to the Internet, and then click Next.
5. In the IP Address Assignment window, click Automatically if a DHCP server will be used to assign addresses to remote clients, or click From a specified range of addresses if remote clients must only be given an address from a pre-defined pool. In most cases the DHCP option is simpler to administer; if DHCP is not available, you must specify a range of static addresses. Click Next to continue.
6. If you clicked From a specified range of addresses, the Address Range Assignment dialog box opens. Click New. Type the first IP address of the range in the Start IP address box and the last IP address in the End IP address box; Windows calculates the number of addresses automatically. Click OK to return to the Address Range Assignment window, and then click Next to continue.
7. Accept the default setting of No, use Routing and Remote Access to authenticate connection requests, and then click Next to continue.
8. Click Finish to turn on the Routing and Remote Access service and to configure the server as a remote access server.

How to Configure the VPN Server


To continue to configure the VPN server as required, follow these steps.

How to Configure the Remote Access Server as a Router
For the remote access server to forward traffic properly inside your network, you must configure it as a router with either static routes or routing protocols, so that all of the locations in the intranet are reachable from the remote access server. To configure the server as a router:
1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Right-click the server name, and then click Properties.
3. Click the General tab, and then click to select Router under Enable this computer as a.
4. Click LAN and demand-dial routing, and then click OK to close the Properties dialog box.

How to Modify the Number of Simultaneous Connections
The number of dial-up modem connections depends on the number of modems installed on the server: with only one modem installed, you can have only one modem connection at a time. The number of VPN connections depends on the number of simultaneous users that you want to permit. By default, when you run the procedure described in this project, you permit 128 connections. To change the number of simultaneous connections:
1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Double-click the server object, right-click Ports, and then click Properties.
3. In the Ports Properties dialog box, click WAN Miniport (PPTP), and then click Configure.
4. In the Maximum ports box, type the number of VPN connections that you want to permit.
5. Click OK, click OK again, and then close Routing and Remote Access.
Repeat steps 3 to 5 for WAN Miniport (L2TP) if L2TP clients will connect.

How to Manage Addresses and Name Servers
The VPN server must have IP addresses available to assign to its own virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process. The IP address handed to a VPN client is assigned to the client's virtual interface. For Windows Server 2003-based VPN servers, the IP addresses assigned to VPN clients are obtained through DHCP by default; you can also configure a static IP address pool. The VPN server must also be configured with name resolution servers, typically DNS and WINS server addresses, to hand to the VPN client during IPCP negotiation.
How to Manage Access
Configure the dial-in properties on user accounts and the remote access policies to manage access for dial-up networking and VPN connections.
NOTE: By default, users are denied access to dial-up networking.

Access by User Account
To grant dial-in access to a user account if you are managing remote access on a per-user basis, follow these steps:
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the user account, and then click Properties.
3. Click the Dial-in tab.
4. Click Allow access to grant the user permission to dial in, and then click OK.

Access by Group Membership
If you manage remote access on a group basis, follow these steps:
1. Create a group whose members are permitted to create VPN connections.
2. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
3. In the console tree, expand Routing and Remote Access, expand the server name, and then click Remote Access Policies.
4. Right-click anywhere in the right pane, point to New, and then click Remote Access Policy.
5. Click Next, type the policy name, and then click Next.
6. Click VPN for the Virtual Private Access access method, or click Dial-up for dial-up access, and then click Next.
7. Click Add, type the name of the group that you created in step 1, and then click Next.
8. Follow the on-screen instructions to complete the wizard.

If the VPN server already permits dial-up networking remote access services, do not delete the default policy. Instead, move it so that it is the last policy to be evaluated.

How to Configure a VPN Connection from a Client Computer


To set up a client for virtual private network access, follow these steps on the client workstation.
NOTE: You must be logged on as a member of the Administrators group to follow these steps.
NOTE: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
1. On the client computer, confirm that the connection to the Internet is correctly configured.
2. Click Start, click Control Panel, and then click Network Connections. Click Create a new connection under Network Tasks, and then click Next.
3. Click Connect to the network at my workplace, and then click Next.
4. Click Virtual Private Network connection, and then click Next.
5. Type a descriptive name for this connection in the Company name box, and then click Next.
6. Click Do not dial the initial connection if the computer is permanently connected to the Internet. If the computer connects to the Internet through an Internet Service Provider (ISP), click Automatically dial this initial connection, and then click the name of the connection to the ISP. Click Next.
7. Type the IP address or the host name of the VPN server computer (for example, VPNServer.SampleDomain.com), and then click Next.
8. Click Anyone's use if you want to permit any user who logs on to the workstation to use this connection, or click My use only if the connection should be available only to the currently logged-on user. Click Next.
9. Click Finish to save the connection.
10. Click Start, click Control Panel, and then click Network Connections.
11. Double-click the new connection.
12. Click Properties to continue to configure options for the connection:
   - If you are connecting to a domain, click the Options tab, and then click to select the Include Windows logon domain check box so that the Windows Server 2003 logon domain is requested before the connection is attempted.
   - If you want the connection to be redialed when the line is dropped, click the Options tab, and then click to select the Redial if line is dropped check box.

To use the connection, follow these steps:
1. Click Start, point to Connect To, and then click the new connection.
2. If you do not currently have a connection to the Internet, Windows offers to connect to the Internet.
3. When the connection to the Internet is made, the VPN server prompts you for your user name and password. Type your user name and password, and then click Connect. Your network resources should now be available in the same way as when you connect directly to the network.
NOTE: To disconnect from the VPN, right-click the connection icon, and then click Disconnect.

Troubleshooting
Troubleshooting Remote Access VPNs

Cannot Establish a Remote Access VPN Connection

Cause: The name of the client computer is the same as the name of another computer on the network.
Solution: Verify that all computers on the network, and all computers connecting to it, use unique computer names.

Cause: The Routing and Remote Access service is not started on the VPN server.
Solution: Verify the state of the Routing and Remote Access service on the VPN server. See the Windows Server 2003 Help and Support Center for more information about how to monitor, start and stop the Routing and Remote Access service. Click Start to access the Windows Server 2003 Help and Support Center; the remaining items below refer to it in the same way.

Cause: Remote access is not turned on on the VPN server.
Solution: Turn on remote access on the VPN server (see the Help and Support Center for more information about how to turn on the remote access server).

Cause: PPTP or L2TP ports are not turned on for inbound remote access requests.
Solution: Turn on PPTP ports, L2TP ports, or both, for inbound remote access requests (see the Help and Support Center for more information about how to configure ports for remote access).

Cause: The LAN protocols used by the VPN clients are not turned on for remote access on the VPN server.
Solution: Turn on the LAN protocols used by the VPN clients for remote access on the VPN server (see the Help and Support Center for more information about how to view the properties of the remote access server).

Cause: All of the PPTP or L2TP ports on the VPN server are already in use by currently connected remote access clients or demand-dial routers.
Solution: Click Ports in Routing and Remote Access to check whether every PPTP or L2TP port is in use. If the number of PPTP or L2TP ports is not high enough, raise it to permit more concurrent connections (see the Help and Support Center for more information about how to add PPTP or L2TP ports).

Cause: The VPN server does not support the tunneling protocol of the VPN client. By default, Windows Server 2003 remote access VPN clients use the Automatic server type option, which means that they try to establish an L2TP over IPSec-based VPN connection first and then fall back to a PPTP-based connection. If a VPN client is set to the Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) server type explicitly, verify that the selected tunneling protocol is supported by the VPN server. By default, a computer running Windows Server 2003 and the Routing and Remote Access service is both a PPTP and an L2TP server with five L2TP ports and five PPTP ports (the wizard procedure earlier in this project permits 128 connections; the Ports node shows the count actually configured). To create a PPTP-only server, set the number of L2TP ports to zero. To create an L2TP-only server, set the number of PPTP ports to zero.
Solution: Verify that the appropriate number of PPTP or L2TP ports is configured (see the Help and Support Center for more information about how to add PPTP or L2TP ports).

Cause: The VPN client and the VPN server, together with a remote access policy, are not configured to use at least one common authentication method.
Solution: Configure the VPN client and the VPN server, together with a remote access policy, to use at least one common authentication method (see the Help and Support Center for more information about how to configure authentication).

Cause: The VPN client and the VPN server, together with a remote access policy, are not configured to use at least one common encryption method.
Solution: Configure the VPN client and the VPN server, together with a remote access policy, to use at least one common encryption method (see the Help and Support Center for more information about how to configure encryption).

Cause: The VPN connection does not have the appropriate permissions through the dial-in properties of the user account and the remote access policies.
Solution: Verify that the VPN connection has the appropriate permissions through the dial-in properties of the user account and the remote access policies. For the connection to be established, the connection attempt must:
1. Match all of the conditions of at least one remote access policy.
2. Be granted remote access permission, either through the user account (set to Allow access), or through the user account (set to Control access through Remote Access Policy) together with the remote access permission of the matching policy (set to Grant remote access permission).
3. Match all the settings of the policy profile.
4. Match all the settings of the dial-in properties of the user account.
See the Help and Support Center for an introduction to remote access policies and for more information about how a connection attempt is accepted.

Cause: The settings of the remote access policy profile conflict with the properties of the VPN server. Both the remote access policy profile and the VPN server contain settings for multilink, the Bandwidth Allocation Protocol (BAP) and authentication protocols. If the profile of the matching remote access policy conflicts with the settings of the VPN server, the connection attempt is rejected. For example, if the matching remote access policy profile specifies that the Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) authentication protocol must be used and EAP is not enabled on the VPN server, the connection attempt is rejected.
Solution: Verify that the settings of the remote access policy profile do not conflict with the properties of the VPN server.
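The permission and profile rules in the last two items are the ones most often got wrong, so here they are as an added worked example, not code from the original report or from Windows: a small model of how a Windows Server 2003 remote access server decides a VPN connection attempt (first matching policy wins, account dial-in setting before policy permission, then profile constraints and the server's own authentication methods). Users, groups, policy names and the choice of attributes are invented for illustration.

```python
"""Model of remote access policy evaluation on a Windows Server 2003 VPN server.
Added example; users, groups and policy names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Attempt:
    user: str
    groups: Set[str]
    tunnel: str             # "PPTP" or "L2TP"
    auth: str               # "MS-CHAP v2", "EAP-TLS", ...
    encryption: str         # "None", "Basic", "Strong" or "Strongest"
    account_dialin: str     # Dial-in tab: "Allow", "Deny" or "ControlViaPolicy"


@dataclass
class Policy:
    name: str
    conditions: Dict[str, Set[str]]   # e.g. {"groups": {"VPN Users"}, "tunnel": {"PPTP", "L2TP"}}
    permission: str                   # "Grant" or "Deny"; used only when the account says ControlViaPolicy
    profile_auth: Set[str] = field(default_factory=set)        # empty = any method
    profile_encryption: Set[str] = field(default_factory=set)  # empty = any strength


@dataclass
class Server:
    auth_methods: Set[str]   # authentication methods enabled on the VPN server itself
    policies: List[Policy]   # in evaluation order; the default (catch-all) policy belongs last


def matches(policy: Policy, attempt: Attempt) -> bool:
    """Every condition of the policy must match; a group condition matches any common group."""
    for name, allowed in policy.conditions.items():
        if name == "groups":
            if not (attempt.groups & allowed):
                return False
        elif getattr(attempt, name) not in allowed:
            return False
    return True


def evaluate(server: Server, attempt: Attempt) -> Tuple[bool, str]:
    """Return (accepted, reason). Evaluation stops at the first policy whose conditions match."""
    policy = next((p for p in server.policies if matches(p, attempt)), None)
    if policy is None:
        return False, "no remote access policy matches the connection attempt"
    # Permission: the account's dial-in setting comes first; only ControlViaPolicy
    # defers to the policy's own Grant/Deny.
    if attempt.account_dialin == "Deny":
        return False, f"account {attempt.user} is set to Deny access"
    if attempt.account_dialin == "ControlViaPolicy" and policy.permission != "Grant":
        return False, f"policy '{policy.name}' denies remote access permission"
    # Profile constraints, and the profile must not conflict with the server itself.
    if policy.profile_auth and attempt.auth not in policy.profile_auth:
        return False, f"policy '{policy.name}' does not allow {attempt.auth}"
    if attempt.auth not in server.auth_methods:
        return False, f"{attempt.auth} is not enabled on the VPN server although policy '{policy.name}' allows it"
    if policy.profile_encryption and attempt.encryption not in policy.profile_encryption:
        return False, f"policy '{policy.name}' does not allow {attempt.encryption} encryption"
    return True, f"accepted by policy '{policy.name}'"


# Constructed server: EAP is deliberately not enabled, and the default deny policy is last.
SERVER = Server(
    auth_methods={"MS-CHAP v2", "MS-CHAP"},
    policies=[
        Policy("VPN Access", {"groups": {"VPN Users"}, "tunnel": {"PPTP", "L2TP"}}, "Grant",
               profile_auth={"MS-CHAP v2", "EAP-TLS"}, profile_encryption={"Strong", "Strongest"}),
        Policy("Default policy", {}, "Deny"),
    ],
)

# Constructed connection attempts, one per outcome discussed above.
ATTEMPTS = [
    Attempt("alice", {"VPN Users"}, "L2TP", "MS-CHAP v2", "Strongest", "ControlViaPolicy"),
    Attempt("bob", {"Domain Users"}, "PPTP", "MS-CHAP v2", "Strong", "ControlViaPolicy"),
    Attempt("carol", {"VPN Users"}, "PPTP", "MS-CHAP v2", "Strong", "Deny"),
    Attempt("dave", {"VPN Users"}, "L2TP", "EAP-TLS", "Strongest", "Allow"),
    Attempt("erin", {"VPN Users"}, "PPTP", "MS-CHAP v2", "Basic", "Allow"),
]


def run_all() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every constructed attempt against the constructed server."""
    return {a.user: evaluate(SERVER, a) for a in ATTEMPTS}


if __name__ == "__main__":
    for user, (ok, reason) in run_all().items():
        print(f"{user:6s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Only alice is accepted. bob falls through to the default policy, which is why that policy must stay last rather than be deleted; carol is stopped by her account's Deny before any policy permission is consulted; dave shows the profile/server conflict from the EAP-TLS example above; erin is refused because the profile requires strong encryption.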

See the Windows Server 2003 Help and Support Center for more information about additional information about multilink, BAP and authentication protocols. Click Start to access the Windows Server 2003 Help and Support Center. Cause: The answering router cannot validate the credentials of the calling router (user name, password, and domain name). Solution: Verify that the credentials of the VPN client (user name, password, and domain name) are correct and can be validated by the VPN server. Cause: There are not enough addresses in the static IP address pool. Solution: If the VPN server is configured with a static IP address pool, verify that there are enough addresses in the pool. If all of the addresses in the static pool have been allocated to connected VPN clients, the VPN server cannot allocate an IP address, and the connection attempt is rejected. If all of the addresses in the static pool have been allocated, modify the pool. See the Windows Server 2003 Help and Support Center for more information about TCP/IP and remote access, and how to create a static IP address pool. Click Start to access the Windows Server 2003 Help and Support Center. Cause: The VPN client is configured to request its own IPX node number and the VPN server is not configured to permit IPX clients to request their own IPX node number. Solution: Configure the VPN server to permit IPX clients to request their own IPX node number. See the Windows Server 2003 Help and Support Center for more information about IPX and remote access. Click Start to access the Windows Server 2003 Help and Support Center. Cause: The VPN server is configured with a range of IPX network numbers that are being used elsewhere on your IPX network. Solution: Configure the VPN server with a range of IPX network numbers that is unique to your IPX network. See the Windows Server 2003 Help and Support Center for more information about IPX and remote access. 
Click Start to access the Windows Server 2003 Help and Support Center. Cause: The authentication provider of the VPN server is improperly configured. Solution: Verify the configuration of the authentication provider. You can configure the VPN server to use either Windows Server 2003 or Remote Authentication Dial-In User Service (RADIUS) to authenticate the credentials of the VPN client.

See the Windows Server 2003 Help and Support Center for more information about authentication and accounting providers, and how to use RADIUS authentication. Click Start to access the Windows Server 2003 Help and Support Center. Cause: The VPN server cannot access Active Directory. Solution: For a VPN server that is a member server in a mixed-mode or native-mode Windows Server 2003 domain that is configured for Windows Server 2003 authentication, verify that: The RAS and IAS Servers security group exists. If not, create the group and set the group type to Security and the group scope to Domain local. The RAS and IAS Servers security group has Read permission to the RAS and IAS Servers Access Check object. The computer account of the VPN server computer is a member of the RAS and IAS Servers security group. You can use the netsh ras show registeredserver command to view the current registration. You can use the netsh ras add registeredserver command to register the server in a specified domain. If you add (or remove) the VPN server computer to the RAS and IAS Servers security group, the change does not take effect immediately (because of the way that Windows Server 2003 caches Active Directory information). To immediately effect this change, restart the VPN server computer. The VPN server is a member of the domain. See the Windows Server 2003 Help and Support Center for more information about how to add a group, how to verify permissions for the RAS and IAS security group, and about netsh commands for remote access. Click Start to access the Windows Server 2003 Help and Support Center. Cause: A Windows NT 4.0-based VPN server cannot validate connection requests. 
Solution: If VPN clients are dialing in to a VPN server running Windows NT 4.0 that is a member of a Windows Server 2003 mixedmode domain, verify that the Everyone group is added to the PreWindows 2000 Compatible Access group with the following command: "net localgroup "Pre-Windows 2000 Compatible Access"" If not, type the following command at a command prompt on a domain controller computer, and then restart the domain controller computer: net localgroup "Pre-Windows 2000 Compatible Access" everyone /add See the Windows Server 2003 Help and Support Center for more information about Windows NT 4.0 remote access server in a Windows Server 2003 domain. Click Start to access the Windows Server 2003 Help and Support Center. Cause: The VPN server cannot communicate with the configured RADIUS server.

Solution: If you can reach your RADIUS server only through your Internet interface, do one of the following:

Add an input filter and an output filter to the Internet interface for UDP port 1812 (based on RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)", since superseded by RFC 2865) for RADIUS authentication, and for UDP port 1813 (based on RFC 2139, "RADIUS Accounting", since superseded by RFC 2866) for RADIUS accounting.

-or-

Add an input filter and an output filter to the Internet interface for UDP port 1645 (for older RADIUS servers) for RADIUS authentication, and for UDP port 1646 (for older RADIUS servers) for RADIUS accounting.

See the Windows Server 2003 Help and Support Center for more information about how to add a packet filter. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: Cannot connect to the VPN server over the Internet using the Ping.exe utility.

Solution: Because of the PPTP and L2TP over IPSec packet filtering that is configured on the Internet interface of the VPN server, the Internet Control Message Protocol (ICMP) packets used by the ping command are filtered out. To enable the VPN server to respond to ICMP (ping) packets, add an input filter and an output filter that permit traffic for IP protocol 1 (ICMP traffic). Permitting all of IP protocol 1 is broader than ping needs; where the filter lets you choose ICMP types, restrict the input filter to echo request (type 8) and the output filter to echo reply (type 0). See the Windows Server 2003 Help and Support Center for more information about how to add a packet filter. Click Start to access the Windows Server 2003 Help and Support Center.

Cannot Send and Receive Data

Cause: The appropriate demand-dial interface has not been added to the protocol being routed.

Solution: Add the appropriate demand-dial interface to the protocol being routed. See the Windows Server 2003 Help and Support Center for more information about how to add a routing interface. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: There are no routes on both sides of the router-to-router VPN connection that support the two-way exchange of traffic.
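The RADIUS and ICMP filters from the two solutions above, added with netsh from the command line instead of the Routing and Remote Access console. This is an added example, not code from the original report or from Microsoft's documentation. It assumes the RRAS interface is named "Internet", the RADIUS server is 203.0.113.10 (a documentation address to be replaced), the RFC 2865/2866 ports 1812/1813 are in use, and that in this netsh context a port of 0 and an ICMP type or code of 255 mean "any", with type= and code= being the ICMP parameters of netsh routing ip add filter.

```powershell
# Added example: not part of the original report or of Microsoft's own documentation.
# Adds the RADIUS and ICMP packet filters described above to the Internet-facing RRAS
# interface with "netsh routing ip add filter". Assumptions: the RRAS interface is
# named "Internet" ($internetIf); the RADIUS server is 203.0.113.10 (a documentation
# address, replace it); the server uses the RFC 2865/2866 ports 1812/1813 (swap in
# 1645/1646 for an older RADIUS server); and, in this netsh context, a port of 0 and
# an ICMP type or code of 255 mean "any", with type=/code= being the ICMP parameters.
# Run in an elevated Windows PowerShell session on the VPN server.

$internetIf   = 'Internet'
$radiusServer = '203.0.113.10'
$authPort     = 1812   # 1645 on older RADIUS servers
$acctPort     = 1813   # 1646 on older RADIUS servers

function Add-RadiusFilters {
    param([string]$If, [string]$Radius, [int]$Port)
    # Replies come FROM the RADIUS server's well-known port TO an ephemeral port here,
    # so the input filter pins the source address and source port only.
    netsh routing ip add filter "name=$If" filtertype=input `
        srcaddr=$Radius srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 `
        proto=udp srcport=$Port dstport=0
    # Requests go TO the RADIUS server's well-known port.
    netsh routing ip add filter "name=$If" filtertype=output `
        srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=$Radius dstmask=255.255.255.255 `
        proto=udp srcport=0 dstport=$Port
}

function Add-IcmpFilters {
    param([string]$If, [int]$InType = 8, [int]$OutType = 0, [int]$Code = 0)
    # IP protocol 1. The defaults admit only echo request in and echo reply out, which
    # is all ping needs; pass 255 for all three to match the broader "any ICMP" rule.
    netsh routing ip add filter "name=$If" filtertype=input `
        srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 `
        proto=icmp type=$InType code=$Code
    netsh routing ip add filter "name=$If" filtertype=output `
        srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 `
        proto=icmp type=$OutType code=$Code
}

Add-RadiusFilters -If $internetIf -Radius $radiusServer -Port $authPort
Add-RadiusFilters -If $internetIf -Radius $radiusServer -Port $acctPort
Add-IcmpFilters   -If $internetIf

# List what is now configured on the interface.
netsh routing ip show filter "name=$internetIf"
```

The RADIUS input filter is pinned to the RADIUS server's address and source port rather than opened for the whole port, so a stray host on the Internet cannot reach the VPN server's ephemeral ports through it; if you must use the 1645/1646 pair, change the two port variables only.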
Solution: Unlike a remote access VPN connection, a router-to-router VPN connection does not automatically create a default route. Create routes on both sides of the router-to-router VPN connection so that traffic can be routed to and from the other side of the router-to-router VPN connection.

You can manually add static routes to the routing table, or you can add static routes through routing protocols. For persistent VPN connections, you can turn on Open Shortest Path First (OSPF) or Routing Information Protocol (RIP) across the VPN connection. For on-demand VPN connections, you can automatically update routes through an auto-static RIP update. See Windows Server 2003 online Help for more information about how to add an IP routing protocol, how to add a static route, and how to perform auto-static updates. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: A two-way initiated router-to-router VPN connection is being interpreted by the answering router as a remote access connection.

Solution: If the user name in the credentials of the calling router appears under Dial-In Clients in Routing and Remote Access, the answering router is interpreting the calling router as a remote access client. Verify that the user name in the credentials of the calling router matches the name of a demand-dial interface on the answering router. If the incoming caller is a router, the port on which the call was received shows a status of Active and the corresponding demand-dial interface is in a Connected state. See Windows Server 2003 online Help for more information about how to check the status of the port on the answering router, and how to check the status of the demand-dial interface. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: Packet filters on the demand-dial interfaces of the calling router and answering router are preventing the flow of traffic.

Solution: Verify that there are no packet filters on the demand-dial interfaces of the calling router and answering router that prevent the sending or receiving of traffic. You can configure each demand-dial interface with IP and IPX input and output filters to control the exact nature of the TCP/IP and IPX traffic that is permitted into and out of the demand-dial interface.
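The two router-to-router requirements above (a static route on each side of the connection, and a calling user name that equals the demand-dial interface name on the answering router) as one added example; it is not code from the original report or from Microsoft's documentation. All site details are constructed: hub LAN 10.0.1.0/24, branch LAN 10.0.2.0/24, a hub demand-dial interface named "DD_Branch" and a branch one named "DD_Hub". It also assumes that netsh routing ip add persistentroute with proto=static creates a route bound to the demand-dial interface so that a matching packet brings the connection up.

```powershell
# Added example: not part of the original report or of Microsoft's own documentation.
# Covers the two router-to-router checks above: a static route on each side that
# sends the remote site's traffic through the demand-dial interface, and dial-out
# user names that match the demand-dial interface name on the router being called.
# Assumptions (all constructed): hub LAN 10.0.1.0/24 and branch LAN 10.0.2.0/24; the
# hub's demand-dial interface is "DD_Branch" and the branch's is "DD_Hub";
# "netsh routing ip add persistentroute ... proto=static" creates the route and a
# matching packet brings the demand-dial interface up. Set $thisRouter to the
# role of the router you are logged on to; the other side's command is only printed.

$thisRouter = 'Hub'
$mask  = '255.255.255.0'
$sites = @{
    Hub    = @{ Interface = 'DD_Branch'; DialOutUser = 'DD_Hub';    RemoteNet = '10.0.2.0' }
    Branch = @{ Interface = 'DD_Hub';    DialOutUser = 'DD_Branch'; RemoteNet = '10.0.1.0' }
}

function Test-DemandDialNames {
    param($A, $B)
    # The user name a router presents when it calls must equal the demand-dial
    # interface name on the answering router; otherwise the answerer treats the call
    # as a remote access client and the interface never reaches the Connected state.
    ($A.DialOutUser -eq $B.Interface) -and ($B.DialOutUser -eq $A.Interface)
}

function Get-RouteArgs {
    param($Site)
    # A route bound to the demand-dial interface; the link is point-to-point, so no next hop.
    @('routing', 'ip', 'add', 'persistentroute',
      "dest=$($Site.RemoteNet)", "mask=$mask", "name=$($Site.Interface)",
      'proto=static', 'metric=1')
}

if (-not (Test-DemandDialNames $sites.Hub $sites.Branch)) {
    Write-Warning 'Dial-out user names do not match the peer interface names; fix the credentials first.'
}

foreach ($role in 'Hub', 'Branch') {
    $netshArgs = Get-RouteArgs $sites[$role]
    "On the $role router: netsh $($netshArgs -join ' ')"
    if ($role -eq $thisRouter) { & netsh @netshArgs }
}

# Confirm the route exists; traffic to the remote LAN should now bring the interface up.
netsh routing ip show persistentroutes
```

Unlike a remote access client, neither router gets a default route from the connection, which is why the route must be added explicitly on both sides; with only one side configured, replies from the remote LAN have nowhere to go and the connection appears to work in one direction only.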
See Windows Server 2003 online Help for more information about how to manage packet filters. Click Start to access the Windows Server 2003 Help and Support Center.

Cause: Packet filters on the remote access policy profile are preventing the flow of IP traffic.

Solution: Verify that there are no TCP/IP packet filters configured on the profile properties of the remote access policies on the VPN server (or on the RADIUS server, if Internet Authentication Service is used) that prevent the sending or receiving of TCP/IP traffic. You can use remote access policies to configure TCP/IP input and output packet filters that control the exact nature of the TCP/IP traffic permitted on the VPN connection. See Windows Server 2003 online Help for more information about how to configure IP options. Click Start to access the Windows Server 2003 Help and Support Center.

Reference: www.wikipedia.org
