Chapter 1, Introduction to Microsoft Windows 2000
Chapter 1, Lesson 1
Windows 2000 Overview
1. Overview of Windows 2000
A. Introduction
1. Multipurpose OS with integrated support
for client/server and peer-to-peer networks
2. Incorporates technologies that reduce
total cost of ownership (TCO)
3. TCO includes software and hardware
updates, training, maintenance, administration, technical support, and lost
productivity.
4. Lost productivity can occur because of
user errors, hardware problems, software upgrades, and retraining.
B. Windows 2000 Professional
1. High-performance, secure network client
computer and corporate desktop OS
2. Includes best features of Windows 98
3. Extends manageability, reliability,
security, and performance of Microsoft Windows NT Workstation 4.0
4. Can be used alone as a desktop OS,
networked in a peer-to-peer workgroup environment, or used as a workstation in
a Windows 2000 domain or Windows NT domain environment
5. Can be used with all the Microsoft BackOffice
products
6. Main Microsoft desktop OS for businesses
of all sizes
C. Windows 2000 Server
1. Supports file, print, terminal,
application, and Web servers
2. Contains all of the features of Windows
2000 Professional, plus many new server-specific functions
3. Ideal for small- to medium-sized
enterprise application deployments, Web servers, workgroups, and branch offices
D. Windows 2000 Advanced Server
1. Powerful departmental and application
server
2. Supports large physical memories, clustering,
and load balancing
E. Windows 2000 Datacenter Server
1. Most powerful and functional server OS in
the Windows 2000 family
2. Optimized for large data warehouses, econometric analysis, large-scale simulations in science and engineering, and server consolidation projects
Note I will not be covering features unique to Advanced Server and Datacenter Server in this class.
F. New features
Note The following list of new features is grouped together by similarity of purpose; the textbook is organized in alphabetical order.
1. Active Directory
a. Active Directory
(1) Enterprise-class directory service
(2) Scalable; built from the ground up using
Internet-standard technologies
(3) Simplifies administration and makes it
easier for users to find resources
(4) Features include group policy, scalability
without complexity, and support for multiple authentication protocols
b. Active Directory Service Interfaces (ADSI)
(1) Directory service model and a set of Component
Object Model (COM) interfaces
(2) Enables Windows 95, Windows 98, Windows NT,
and Windows 2000 applications to access several network directory services,
including Active Directory
(3) Supplied as a Software Development Kit
(SDK)
c. Lightweight Directory Access Protocol (LDAP) support
(1) Industry standard; primary access protocol
for Active Directory
(2) Version 3 defined by the IETF
2. Lower Total Cost of Ownership
a. Group Policy (part of Active Directory)
(1) Defines policies that apply across a given
site, domain, or organizational unit in Active Directory
(2) Simplifies OS updates, application
installation, user profiles, and desktop-system lock down
b. IntelliMirror
(1) Provides high levels of control on client
systems running Windows 2000 Professional
(2) Defines policies based on the respective
user’s business roles, group memberships, and locations
(3) Allows Windows 2000 Professional desktops
to be automatically reconfigured to meet a specific user’s requirements each
time that user logs on to the network, no matter where the user logs on
c. Remote Installation Services (RIS)
(1) Allows remote installation of Windows 2000 Professional, without the need to visit each client
(2) Target clients must either support remote
booting with the Pre-Boot eXecution Environment (PXE)
ROM or be started with a remote-startup floppy disk.
(3) Installation of multiple clients becomes
much simpler
d. Windows Script Host (WSH)
(1) Provides the ability to automate actions,
such as creating a shortcut and connecting to and disconnecting from a network
server
(2) Language-independent, meaning scripts can
be written in common scripting languages such as VBScript and JScript
3. Performance and Scalability
a. Message queuing
(1) Helps developers build and deploy
applications that run more reliably over networks, including the Internet
(2) Applications that developers build and
deploy with the aid of message queuing, interoperate with applications running
on different platforms
b. OS migration, support, and integration
(1) Interoperability with Windows NT Server
3.51 and 4.0
(2) Support for clients running a variety of OSs, including Windows 3.x, Windows 95, Windows 98, and Windows NT Workstation 4.0, as well as new features for supporting other popular OSs
(3) Mainframe and midrange connectivity, using
S/390 and AS/400 transaction and queuing gateways through SNA Server
(4) Support for File Server for Macintosh,
allowing Macintosh clients to use the TCP/IP protocol to share files and to
access shares on a Windows 2000 server
c. Quality of Service (QoS)
(1) Controls how applications are allotted
network bandwidth
(2) Important applications can be given more
bandwidth, and less important applications can be given less bandwidth.
(3) Provides a guaranteed, end-to-end, express
delivery system for information across the network
4. Network Security
a. Certificate Services
(1) Allow for the deployment of a public key
infrastructure
(2) Implement standards-based technologies,
including smart card logon capabilities, client authentication, secure e-mail,
digital signatures, and secure connectivity
b. Component Services
(1) Set of services based on extensions of COM
and on Microsoft Transaction Server
(2) Provide improved threading and security,
transaction management, object pooling, queued components, and application
administration and packaging
c. Encrypting File System (EFS)
(1) Complements existing access controls and
adds a new level of protection for data
(2) Runs as an integrated system service,
making it easy to manage, difficult to attack, and transparent to the user
d. Kerberos V5 Protocol support
(1) Mature, industry-standard network
authentication protocol
(2) A fast, single logon process gives users
the access they need to Windows 2000 Server–based enterprise resources, as well
as to other environments that support this protocol
(3) Provides additional benefits such as mutual
authentication and delegated authentication
e. Layer 2 Tunneling Protocol (L2TP) support
(1) More secure version of PPTP
(2) Used for tunneling, address assignment, and
authentication
f. Public key infrastructure (PKI) and smart
card infrastructure
(1) Enables deployment of a public key
infrastructure
(2) Implements standards-based technologies
such as smart card logon capabilities, client authentication, secure e-mail,
digital signatures, and secure connectivity
(3) Sets up and manages certification authorities that issue and revoke X.509 v3 certificates
(4) Not dependent on commercial client
authentication services
(5) Allows for integration of commercial client
authentication into a PKI
g. Smart card infrastructure
(1) Allows for the deployment of a public key
infrastructure
(2) Implements standards-based technologies,
including smart card logon capabilities, client authentication, secure e-mail,
digital signatures, and secure connectivity
5. Networking and Communication Services
a. Asynchronous Transfer Mode (ATM)
(1) High-speed, connection-oriented protocol
designed to transport voice, data, image, and video across a network
(2) Applies to both LANs and WANs
b. DHCP with DNS and Active Directory
(1) No need for administrator to assign and
track static IP addresses
(2) Dynamically assigns IP addresses to
computers or other resources connected to an IP network
c. Indexing Service
(1) Provides a fast, easy, and secure way for
users to search for information locally or on the network
(2) Offers powerful queries to search files in
different formats and languages, either through the Start menu Search command
or through HTML pages
d. Routing and Remote Access service
(1) Single integrated service that terminates
connections from either dial-up or VPN clients, or provides routing, or does
both
(2) A Windows 2000 server can function as a
remote access server, a VPN server, a gateway, or a branch-office router.
e. TAPI 3.0
(1) Unifies IP and traditional telephony
(2) Enables developers to create a new
generation of powerful computer telephony applications that work as effectively
over the Internet or an intranet as over the traditional telephone network
f. Terminal Services
(1) Integrates terminal emulation services
(2) Allows a user to access programs running on the server from a variety of older devices, providing this capability for both Windows and non-Windows client devices
Note Non-Windows devices require add-on software by Citrix
Systems.
g. Virtual Private Network (VPN)
(1) Allows users ready access to the network
even when away from the office, and reduces the cost of this access
(2) Users can easily and securely connect to
the corporate network.
(3) Connection is made through a local ISP,
which reduces connect-time charges.
(4) Windows 2000 Server allows use of several
new, more secure protocols, including L2TP and IPSec.
(5) With IPSec, virtually everything above the
networking layer can be encrypted.
6. Internet Integration
a. Internet Authentication Service (IAS)
(1) Provides a central point for managing
authentication, authorization, accounting, and auditing of dial-up or Virtual
Private Network (VPN) users
(2) Uses the Internet Engineering Task Force
(IETF) protocol, called Remote Authentication Dial-In User Service (RADIUS)
b. Internet connection sharing
(1) Connects a home network or small office network
to the Internet
(2) Provides network address translation,
addressing, and name resolution services for all computers on the network
c. Internet Information Services (IIS) 5.0
(1) Part of Windows 2000 Server only
(2) Makes it easy to share documents and
information across a company intranet or the Internet
(3) Deploys scalable and reliable Web-based
applications, and brings existing data and applications to the Web
(4) Includes Active Server Pages and other
features
d. IP Security (IPSec) support
(1) Secures communications within an intranet
and creates secure VPN solutions across the Internet
(2) Designed by the IETF and is an industry
standard for encrypting TCP/IP traffic
e. Network Address Translation (NAT)
(1) Hides internally managed IP addresses from
external networks by translating private internal addresses to public external
addresses
(2) Reduces IP address registration costs by
using unregistered IP addresses internally, with translation to a small number
of registered IP addresses externally
(3) Hides the internal network structure,
reducing the risk of attacks against internal systems
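The three NAT properties listed above (private addresses rewritten to a public one, a small public pool shared by many internal hosts, and internal structure hidden from the outside) can be seen in a small translation-table simulation. This is an added example, not code from the course notes or from Windows 2000; the class and function names are this example's own, and the addresses are constructed sample values from the RFC 1918 private range and the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just the address tuple a NAT device rewrites."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Port-based NAT: every outbound (private ip, port) pair is mapped to a
    fresh port on the single public address; inbound packets are forwarded
    only when they match an existing mapping."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._outbound = {}   # (private_ip, private_port) -> public_port
        self._inbound = {}    # public_port -> (private_ip, private_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._outbound:
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[port] = key
        # The external host only ever sees the public address and port.
        return Packet(self.public_ip, self._outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        """Return the packet rewritten to the internal host, or None (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        mapping = self._inbound.get(pkt.dst_port)
        if mapping is None:
            # No internal host initiated this: an unsolicited probe of the
            # public address learns nothing about the internal network.
            return None
        private_ip, private_port = mapping
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo():
    """Constructed traffic: one internal client talks to an external web server."""
    nat = NatGateway("203.0.113.10")
    out = nat.translate_outbound(Packet("192.168.1.25", 1025, "198.51.100.80", 80))
    reply = nat.translate_inbound(Packet("198.51.100.80", 80, out.src_ip, out.src_port))
    probe = nat.translate_inbound(Packet("198.51.100.80", 80, "203.0.113.10", 445))
    return out, reply, probe


if __name__ == "__main__":
    for label, pkt in zip(("outbound", "reply", "unsolicited probe"), demo()):
        print(f"{label}: {pkt}")
```

The reply is forwarded because the mapping already exists; the probe to port 445 on the public address has no mapping and is discarded, which is the concrete form of "hides the internal network structure".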
f. Windows Media Services
(1) Allows for delivery of high-quality
streaming multimedia
(2) Can deliver multimedia to users on the
Internet and intranets
7. Administrative Tools
a. Disk quota support
(1) Uses volumes formatted with the NTFS file
system to monitor and limit the amount of disk space available to individual
users
(2) Allows customized responses that result
when users exceed specified thresholds
b. Graphical Disk Management
(1) Graphical tool for managing disk storage
(2) New features include dynamic volumes,
online disk management, local and remote drive management, and Volume Mount
Points
c. Microsoft Management Console (MMC)
(1) Arranges the administrative tools and
processes needed within a single interface
(2) Delegates tasks to specific users by
creating preconfigured MMC consoles that provide the user with the tools
selected
8. Hardware Support
a. Plug and Play
(1) Combination of hardware and software
support
(2) Server can recognize and adapt to hardware
configuration changes automatically without intervention or restarting.
b. Removable Storage and Remote Storage
(1) Removable Storage makes it easy to track
removable storage media and to manage the hardware libraries, such as changers
and jukeboxes, that contain them.
(2) Remote Storage uses specific criteria to
automatically copy little-used files to removable media.
(3) If hard-disk space drops below specified levels, Remote Storage
removes the cached file content from the disk; if the file is needed later, the
content is automatically recalled from storage.
(4) Storage costs are decreased because
removable optical discs and tapes are less expensive per megabyte than hard
disks.
c. Safe mode startup
(1) Offers the ability to start Windows 2000
with a minimal set of drivers and services and then view a log showing the
sequence of events at startup
(2) Allows the administrator to diagnose
problems with drivers and other components that might be preventing normal
startup
2. Windows 2000 Network Environments
A. Overview
1. A Windows 2000–based network environment
can be set up using either a workgroup model or a domain model.
2. Windows 2000 Professional and Windows
2000 Server can participate in either of these two models.
3. Administrative differences between the
two products depend on the network environmental model.
B. Windows 2000 workgroup model
1. Overview
a. A logical grouping of networked computers
that share resources, such as files and printers
b. Referred to as a peer-to-peer network
c. All computers can share resources as
equals, or peers, without a dedicated server
d. Each computer, running either Windows 2000
Server or Windows 2000 Professional, maintains a local security database
e. A local security database is a list of
user accounts and resource security information for the computer on which it
resides.
f. Administration of user accounts and
resource security is decentralized
2. Advantages
a. Does not require a computer running
Windows 2000 Server to hold centralized security information
b. Simple to design and implement
c. Does not require the extensive planning
and administration that a domain requires
d. Convenient for a limited number of computers in close proximity
3. Disadvantages
a. To gain access, user must have a user
account on each computer.
b. Any changes to user accounts must be made
on each computer in the workgroup.
c. Device and file sharing is handled by
individual computers, and only for the users who have accounts on each
individual computer.
d. A workgroup is impractical in environments with more than 10 computers.
Note In a workgroup, a computer running Windows 2000 Server
that is not a member of a Windows 2000 domain is called a stand-alone server.
C. Windows 2000 domain model
1. Overview
a. A domain is a logical grouping of network
computers that share a central directory database.
b. A directory database contains user accounts
and security information for the domain.
c. A directory database is the database
portion of Active Directory, which is the Windows 2000 directory service.
d. Active Directory replaces all previous
domain information storage containers, including multiple domains.
e. The directory resides on computers that
are configured as domain controllers.
f. A domain controller is a server that
manages all security-related aspects of user-domain interactions.
g. Security and administration are
centralized
h. Only computers running Windows 2000 Server
can be designated as domain controllers.
i. A domain does not refer to a single location or specific type of network configuration.
j. Computers in a domain can share physical
proximity on a small LAN or be located in different parts of the world,
communicating over any number of physical connections.
2. Benefits
a. Allows centralized administration
b. Provides a single logon process for users
to gain access to network resources, such as file, print, and application
resources for which they have permissions
c. Provides scalability so that an
administrator can create very large networks
3. Contains the following types of
computers:
a. Domain controllers running Windows 2000
Server
(1) Each domain controller stores and maintains
a copy of the directory.
(2) A user account is created only once;
Windows 2000 records it in the directory.
(3) When a user logs on to a computer in the
domain, a domain controller checks the directory for the user name, password,
and logon restrictions to authenticate the user.
(4) If multiple domain controllers exist, they
periodically replicate their directory information to other domain controllers.
b. Member servers running Windows 2000 Server
(1) Not configured as domain controllers
(2) Do not store directory information and
cannot authenticate domain users
(3) Provide shared resources such as shared folders or printers
Note Member servers can also be database servers, Web servers,
and application servers.
c. Client computers running Windows 2000
Professional
(1) Run a user’s desktop environment
(2) Allow the user to gain access to resources
in the domain
Chapter 1, Lesson 2
Windows 2000 Architecture Overview
1. Windows 2000 Layers, Subsystems, and Managers
A. User mode
1. Environment subsystems
a. Overview
(1) Enable Windows 2000 to run applications written for different OSs
(2) Emulate different OSs by presenting the application programming interfaces (APIs) that the applications expect to be available
(3) Accept API calls made by the application,
convert the API calls to a format understood by Windows 2000, and then pass the
converted API to the Executive Services for processing
b. Included with Windows 2000
(1) The Windows 2000 32-bit Windows-based subsystem
(Win32) is responsible for controlling Win32 applications, as well as providing
an environment for Win16 and MS-DOS applications.
(2) The OS/2 subsystem provides a set of APIs
for 16-bit character mode OS/2 applications.
(3) The Portable Operating System Interface for
UNIX (POSIX) subsystem provides APIs for POSIX applications.
c. Limitations and restrictions
(1) No direct access to hardware or device
drivers
(2) No access to certain Clipboard API
operations, certain Microsoft CD-ROM Extensions (MSCDEX), or task-switching
APIs
(3) Limited to an assigned address space
(4) Forced to use hard disk space as virtual
RAM whenever the system needs memory
(5) Runs at a lower priority level than kernel
mode processes
(6) Less access to CPU cycles than kernel mode
processes
2. Integral subsystems
a. Security subsystem
(1) Tracks rights and permissions associated
with user accounts
(2) Tracks which system resources are audited
(3) Accepts user logon requests
(4) Initiates logon authentication
b. Workstation service
(1) Provides an API to access the network
redirector
(2) Allows a user running Windows 2000 to
access the network
c. Server service
(1) Provides an API to access the network
server
(2) Allows a computer running Windows 2000 to
provide network resources
B. Kernel mode
1. Overview
a. Has access to system data and hardware
b. Provides direct access to memory and
executes in an isolated memory area
c. Has four components: Windows 2000 Executive, Device Drivers, Microkernel, and the Hardware Abstraction Layer (HAL)
2. Windows 2000 Executive
a. Performs most of the I/O and object
management, including security
b. Does not perform screen and keyboard I/O
c. Contains the Windows 2000 kernel mode
components, each of which provides the following two distinct sets of services
and routines:
(1) System services
(2) Internal routines
d. Components:
(1) I/O Manager: Manages input from, and the
delivery of output to, different devices
(2) Security Reference Monitor: Enforces security
policies on the local computer
(3) Interprocess Communication (IPC) Manager: Manages communication between clients and servers
(4) Virtual Memory Manager (VMM): Implements
and controls virtual memory, a memory management system that provides and protects
the private address space for each process
(5) Process Manager: Creates and terminates
processes and threads
(6) Plug and Play: Maintains central control of
the Plug and Play process
(7) Power Manager: Controls power management
APIs, coordinates power events, and generates power management requests
(8) Window Manager and Graphical Device
Interface (GDI): Implemented as a single device driver named Win32k.sys, manage
the display system
(9) Object Manager: Creates, manages, and deletes objects that represent OS resources
Note See Table 1.4 on page 15 for more details about Windows
2000 Executive components.
3. Device Drivers
a. Translate driver calls into hardware
manipulation
4. Microkernel
a. Manages access to the microprocessor only
b. Coordinates all I/O functions and
synchronizes the activities of the Executive Services
5. Hardware Abstraction Layer
a. Hides the hardware interface details,
making Windows 2000 more portable across different hardware architectures
b. Contains the hardware-specific code that
handles I/O interfaces, interrupt controllers, and multiprocessor communication
mechanisms
c. Allows Windows 2000 to run on both Intel-
and Alpha-based systems without two separate versions of Windows 2000 Executive
Chapter 1, Lesson 3
Windows 2000 Directory Services Overview
1. What Is a Directory Service?
Note In DPT224, the terms directory and directory
service refer to the directories found in public and private networks.
A. Directory
1. Stores collection of information about
objects that are related
2. Facilitates locating and managing network resources
B. Directory service
1. A network service that identifies all
resources on a network and makes them accessible to users and applications
2. Differs from a directory in that it is
both the source of the information and the services making the information
available to the users
3. Acts as the main switchboard of the NOS
4. The central authority that manages the
identities and brokers the relationships between distributed resources,
enabling them to work together
5. Tightly coupled with the management and
security mechanisms of the OS to ensure the integrity and privacy of the
network
6. Plays a critical role in an
organization’s ability to define and maintain the network infrastructure,
perform system administration, and control the overall user experience of a
company’s information systems
2. Why Have a Directory Service?
A. Primary functions
1. Organizes and simplifies access to resources
of a networked computer system
2. Allows users and administrators to locate
objects by the object’s attributes
3. Administrative tool and end user tool
B. Other functions of the directory service
1. Enforces security to protect the objects
in its database
2. Distributes a directory across many
computers in a network
3. Replicates a directory to make it
available to more users and resistant to failure
4. Partitions a directory into multiple
stores that are located on different computers across the network
3. Windows 2000 Directory Services
A. Overview
1. Active Directory includes the directory,
as well as all the services that make the information available and useful.
2. Resources stored in the directory, such
as user data, printers, servers, databases, groups, services, computers, and
security policies, are known as objects.
3. Active Directory is integrated within
Windows 2000 Server.
B. Active Directory provides:
1. Simplified administration
a. Resources are organized hierarchically in
domains, which are the basic unit of replication and security in a Windows 2000
network.
b. A domain is a logical grouping of servers
and other network resources under a single domain name.
c. Each domain includes one or more domain
controllers.
d. A domain controller is a computer running
Windows 2000 Server that manages user access to a network.
e. All domain controllers in the domain are
equal.
f. Changes made to any domain controller are
replicated to all other domain controllers in the domain.
g. Active Directory provides a single point
of logon for all network resources.
2. Scalability
a. Active Directory stores information by
organizing the directory into sections that permit storage for a very large
number of objects.
b. The directory can expand as an organization grows.
Note Directory information can be distributed across several
computers.
3. Support for open standards
a. Overview
(1) Active Directory integrates the Internet
concept of a namespace with the Windows 2000 directory services.
(2) Active Directory uses DNS for its name
system and can exchange information with any application or directory that uses
LDAP or HTTP.
b. Support for HTTP and LDAP
(1) HTTP is the standard protocol for
displaying pages on the Web.
(2) A user can display every object in Active
Directory as an HTML page in a Web browser.
(3) LDAP is a version of the X.500 directory
access protocol.
(4) Active Directory supports LDAP versions 2
and 3.
(5) Active Directory uses LDAP to exchange information between directories and applications.
Note For more information about LDAP, use your Web browser to
search for RFC 1777 and retrieve the text of this Request for Comment.
Note Active Directory also shares information with other
directory services that support LDAP version 2 and version 3, such as Novell
Directory Services (NDS).
c. DNS
(1) Windows 2000 domain names are also DNS
names.
(2) Windows 2000 Server uses Dynamic DNS
(DDNS).
(3) DDNS enables clients with dynamically
assigned addresses to register directly with a server running the DNS service
and update the DNS table dynamically.
(4) DDNS eliminates the need for other Internet naming services, such as Windows Internet Name Service (WINS).
Note For Active Directory and associated client software to function
correctly, you must have installed and configured the DNS service.
4. Support for standard name formats
a. RFC 822: Takes the form of someone@domain and is familiar to most users as an Internet e-mail address
b. HTTP Uniform Resource Locator (URL): Takes the form of http://domain/path-to-page and is familiar to users with Web browsers
c. Universal Naming Convention (UNC): Takes the form of \\microsoft.com\xl\BUDGET.XLS and is used in Windows 2000 Server–based networks to refer to shared volumes, printers, and files
d. LDAP URL: Active Directory supports a draft to RFC 1779 and uses the attributes in the following example: LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,OU=product,OU=division,DC=devel, where CN represents Common Name, OU represents Organizational Unit Name, and DC represents Domain Component Name
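The four name formats above each have a fixed shape, so a short parser can recognise which one it has been given and pull out the parts an administrator cares about (server, share, common name, OU path, DNS domain). This is an added example written for these notes, not code from the course or from Windows 2000; the function and field names are this example's own, and the sample names are the ones the outline lists. Values that themselves contain commas are not handled by the distinguished-name splitter, which is enough for the outline's example.

```python
from urllib.parse import urlsplit


def parse_rfc822(name):
    """someone@domain: the Internet e-mail form."""
    local, sep, domain = name.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an RFC 822 name: {name!r}")
    return {"format": "RFC 822", "user": local, "domain": domain}


def parse_http_url(name):
    """http://domain/path-to-page"""
    parts = urlsplit(name)
    if parts.scheme != "http" or not parts.netloc:
        raise ValueError(f"not an HTTP URL: {name!r}")
    return {"format": "HTTP URL", "domain": parts.netloc, "path": parts.path or "/"}


def parse_unc(name):
    r"""\\server\share\path: the Universal Naming Convention form."""
    if not name.startswith("\\\\"):
        raise ValueError(f"not a UNC name: {name!r}")
    pieces = name[2:].split("\\")
    if len(pieces) < 2 or not pieces[0] or not pieces[1]:
        raise ValueError(f"UNC name needs a server and a share: {name!r}")
    return {"format": "UNC", "server": pieces[0], "share": pieces[1],
            "path": "\\".join(pieces[2:])}


def parse_dn(dn):
    """Split an RFC 1779-style distinguished name into (attribute, value)
    pairs, most specific first, e.g. [("CN", ...), ("OU", ...), ("DC", ...)]."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def parse_ldap_url(name):
    """LDAP://server/<distinguished name>  (urlsplit lower-cases the scheme)"""
    parts = urlsplit(name)
    if parts.scheme != "ldap" or not parts.netloc:
        raise ValueError(f"not an LDAP URL: {name!r}")
    rdns = parse_dn(parts.path.lstrip("/"))
    return {
        "format": "LDAP URL",
        "server": parts.netloc,
        "rdns": rdns,
        "common_name": next((v for a, v in rdns if a == "CN"), None),
        "ou_path": [v for a, v in rdns if a == "OU"],
        # DC components, joined in order, give the DNS name of the domain.
        "dns_domain": ".".join(v for a, v in rdns if a == "DC"),
    }


def classify_name(name):
    """Dispatch on the shape of the name and return the parsed fields."""
    if name.startswith("\\\\"):
        return parse_unc(name)
    scheme = urlsplit(name).scheme
    if scheme == "ldap":
        return parse_ldap_url(name)
    if scheme == "http":
        return parse_http_url(name)
    return parse_rfc822(name)


if __name__ == "__main__":
    # The four example names from the outline.
    for sample in ("someone@domain",
                   "http://domain/path-to-page",
                   r"\\microsoft.com\xl\BUDGET.XLS",
                   "LDAP://someserver.microsoft.com/CN=FirstnameLastname,OU=sys,"
                   "OU=product,OU=division,DC=devel"):
        print(classify_name(sample))
```

The LDAP result keeps the RDN list in the order written (most specific first), which is the order the distinguished name itself uses; reversing it gives the path from the domain root down to the object.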
4. Active Directory in the Windows 2000 Architecture
A. Windows 2000 uses modules and modes that
combine to provide OS services to applications.
B. Kernel and user access modes divide the
lower-level, platform-specific processes from the upper-level processes.
C. Each application runs in a separate module
in user mode, from which it requests system services through an API that gains
limited access to system data.
D. An application process begins in user mode
and is transferred to kernel mode; the actual service is provided in a
protected environment and then transferred back to user mode.
E. Active Directory runs in the security
subsystem in user mode.
F. The security reference monitor
1. The primary authority for enforcing the
security rules of the security subsystem
2. Runs in kernel mode
3. Enforces the access control applied to
Active Directory objects
G. Access to all directory objects first
requires authentication.
5. Active Directory Architecture
A. Layered architecture in which the layers
represent the server processes that provide directory services to client
applications
B. Consists of three service layers and
several interfaces and protocols that work together to provide directory
services
C. Three service layers accommodate the
different types of information required to locate records in the directory
database.
D. Protocols and APIs are above the service
layers and enable communication between clients and directory services.
E. Key service components include the following:
1. Directory System Agent (DSA) builds a
hierarchy from the parent-child relationships stored in the directory.
2. Database Layer provides an abstraction
layer between applications and the database.
3. Extensible Storage Engine communicates
directly with individual records in the directory data store on the basis of
the object’s relative distinguished name attribute.
4. Data store (the database file NTDS.DIT) is
manipulated only by the Extensible Storage Engine database engine.
a. Stored in the \Winnt\NTDS\
folder on the domain controller
b. Administered using the NTDSUTIL tool,
located in the \Winnt\system32 folder
F. DSA supports the following mechanisms by which clients access Active Directory:
1. Lightweight Directory Access Protocol
(LDAP)/Active Directory Service Interfaces (ADSI)
a. Windows 2000 clients, as well as Windows
98 and Windows 95 clients with Active Directory client components installed,
use LDAP version 3.
b. ADSI is a means of abstracting the LDAP
API.
c. Active Directory uses only LDAP.
2. Messaging API (MAPI)
a. Legacy MAPI clients (Microsoft Outlook)
connect to the DSA by using the MAPI RPC address book provider interface.
3. Security Accounts Manager (SAM)
a. Windows clients using Windows NT 4.0 or
earlier use the SAM interface to connect to the DSA.
b. Replication from backup domain controllers
in a mixed-mode domain goes through the SAM interface.
4. Replication (REPL)
a. DSAs connect to each other using a proprietary RPC interface when performing directory replication.
Chapter 1, Lesson 4
Logging On to Windows 2000
1. Logging On to a Domain
A. A user name and password must be provided.
B. Windows 2000 authenticates the user during
the logon process to verify the user’s identity.
C. Only valid users can gain access to
resources and data on a computer or on the network.
D. Windows 2000 authenticates users who log
on to either the domain or a local computer.
E. Pressing Ctrl+Alt+Delete displays the Log On To Windows dialog box.
F. Default options on the Log On To Windows dialog box
1. User Name box: A valid unique user logon
name assigned by an administrator or a user with administrative rights
2. Password box: Case-sensitive; components
appear on the screen as asterisks (*) to maintain privacy
3. Log On To list: Domain that contains your
user account; contains all of the domains in the domain tree
4. Log On Using Dial-Up Connection check box: Permits a user to connect to a domain server by using dial-up networking
5. Shutdown button: Closes all files, saves
all OS data, and prepares the computer so that a user can safely turn it off
6. Options button: Toggles on and off the Log On To list and the Log On Using Dial-Up Connection check box
Note A user cannot log on to either
the domain or the local computer from any computer running Windows 2000 Server
unless that user is assigned the Log On Locally user right by an administrator
or has administrative privileges for the server. Domain controllers do not
maintain a local security database.
2. Logging On to a Local Computer
A. Users can log on locally to a computer
that is a member of a workgroup.
B. Users can log on locally to a computer
that is a member of a domain but is not a domain controller.
3. Windows 2000 Authentication Process
A. Access token
1. Provides user identity and security
settings
2. Enables a user to gain access to
resources and perform system tasks
B. Authentication process steps
1. User provides user name and password.
a. If the user is logging on to a domain,
Windows 2000 forwards this information to a domain controller.
b. If the user is logging on locally, Windows
2000 forwards this information to the security subsystem of the local computer.
2. Windows 2000 compares the logon
information with the user information that is stored in the appropriate
database.
a. If the user is logging on to a domain, the
domain controller contains a copy of the directory that Windows 2000 uses to
validate the logon information.
b. If the user is logging on locally, the
security subsystem of the local computer contains the local security database
that Windows 2000 uses to validate the logon information.
3. If the information matches and the user
account is enabled, then:
a. Windows 2000 creates an access token for
the user
b. An access token is the user’s
identification for the computers in the domain or for that local computer, and
it contains the user’s security settings, including the user’s security ID
(SID)
c. The SID is a unique number that
identifies user, group, and computer accounts
4. If the logon information does not match or the user account is not validated, access to the domain or local computer is denied.
Note In addition to the logon process, any time a user makes
a connection to a computer or to other resources, that computer or resource
authenticates the user and returns an access token. This authentication process
is invisible to the user.
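The four authentication steps above, and the workgroup disadvantage noted earlier (a user needs an account on each computer), can be modelled with one logon routine that is pointed at either a domain controller's directory or a local computer's security database. This is an added example written for these notes, not code from the course or from Windows 2000: the account records, SIDs, group SIDs and the salted PBKDF2 hashing scheme are constructed for illustration, and Windows 2000 does not store credentials in this form. The outcome is an access token carrying the user's SID on success and a denial otherwise, as steps 3 and 4 describe.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000  # constructed parameter for this example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class Account:
    name: str
    sid: str          # constructed form: S-1-5-21-<authority>-<RID>
    salt: bytes
    pw_hash: bytes
    enabled: bool
    groups: tuple     # group SIDs


@dataclass(frozen=True)
class AccessToken:
    """Step 3: the user's identification plus security settings."""
    user_name: str
    user_sid: str
    group_sids: tuple
    authority: str    # domain name or local computer name


class SecurityDatabase:
    """Stands in for either a domain controller's directory (steps 1a/2a)
    or a local computer's security database (steps 1b/2b); the comparison
    in step 2 is the same against either."""

    def __init__(self, authority: str, base_sid: str):
        self.authority = authority
        self.base_sid = base_sid
        self._accounts = {}
        self._next_rid = 1000
        self.dummy_salt = os.urandom(16)   # used to keep timing uniform

    def add_user(self, name, password, enabled=True, groups=()):
        salt = os.urandom(16)
        sid = f"{self.base_sid}-{self._next_rid}"
        self._next_rid += 1
        self._accounts[name.lower()] = Account(
            name.lower(), sid, salt, _hash_password(password, salt), enabled, tuple(groups))
        return sid

    def lookup(self, name):
        return self._accounts.get(name.lower())


def logon(db: SecurityDatabase, user_name: str, password: str):
    """Steps 2 to 4: return an AccessToken, or None when access is denied."""
    acct = db.lookup(user_name)
    if acct is None:
        # Hash anyway so an unknown name costs the same as a wrong password.
        _hash_password(password, db.dummy_salt)
        return None
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        return None
    if not acct.enabled:
        return None
    return AccessToken(acct.name, acct.sid, acct.groups, db.authority)


def demo():
    """Constructed directory and local database; returns each logon outcome."""
    domain = SecurityDatabase("CORP", "S-1-5-21-1111-2222-3333")
    domain.add_user("alice", "correct horse", groups=("S-1-5-21-1111-2222-3333-513",))
    domain.add_user("carol", "battery staple", enabled=False)
    workstation = SecurityDatabase("WS01", "S-1-5-21-4444-5555-6666")
    workstation.add_user("bob", "local only")
    return {
        "domain_ok": logon(domain, "Alice", "correct horse"),
        "wrong_password": logon(domain, "alice", "wrong"),
        "disabled": logon(domain, "carol", "battery staple"),
        "local_ok": logon(workstation, "bob", "local only"),
        # Workgroup disadvantage: alice has no account in WS01's local database.
        "no_local_account": logon(workstation, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for case, token in demo().items():
        print(f"{case}: {'granted ' + token.user_sid if token else 'denied'}")
```

Note that the denial reasons (no such account, wrong password, disabled account) all collapse into the same result for the caller, which matches the "access is denied" wording of step 4 and avoids telling a client which condition failed.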
Chapter 1, Lesson 5
The Windows Security Dialog Box
1. Using the Windows Security Dialog Box
A. Provides easy access to important security
functions
B. Displays the user account currently logged
on, the domain or computer to which the user is logged on, and the date and
time at which the user logged on
C. Accessed by pressing Ctrl+Alt+Delete
2. Buttons on the Windows Security Dialog Box
A. Lock Computer: Allows you to secure the
computer without logging off; all programs remain running
B. Log Off: Allows you to log off as the
current user and close all running programs, but leaves Windows 2000 running
C. Shut Down: Allows you to close all files,
save all OS data, and prepare the computer so that you can safely turn it off
D. Change Password: Allows you to change your
user account password
E. Task Manager: Provides a list of the
current programs that are running, a summary of overall CPU and memory usage,
and a quick view of how each program, program component, or system process is
using the CPU and memory resources