Configuring Windows 2000 Without Active Directory

(1)

1 YEAR UPGRADE

B U Y E R P R O T E C T I O N P L A N

WITHOUT

Active Directory

Configuring Windows 2000

Carol Bailey

Tom Shinder Technical Editor

Make the Most of Windows 2000 WITHOUT Active Directory

• Step-by-Step Instructions for Configuring Local Group Policy, Remote Access

Policies, Primary and Secondary DNS Zones, and more!

• Complete Coverage of the Pros and Cons of an Active Directory Migration

(2)

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based ser-vice that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.comis an interactive treasure trove of useful infor-mation focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor

product upgrades. You can access online updates for any affected chapters.

■ “Ask the Author”™ customer query forms that enable you to post

questions to our authors and editors.

■ Exclusive monthly mailings in which our experts provide answers to

reader queries and clear explanations of complex material.

■ Regularly updated links to sites specially selected by our editors for

readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

(3)

(4)

1 YEAR UPGRADE

B U Y E R P R O T E C T I O N P L A N

WITHOUT

Active Directory

Configuring Windows 2000

Carol Bailey

(5)

(collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other inci-dental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable case, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,”are registered trademarks of Syngress Media, Inc. “Ask the Author™,”“Ask the Author UPDATE™,”“Mission Critical™,”“Hack

Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

Configuring Windows 2000 Without Active Directory

Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

ISBN: 1-928994-54-7

Technical Editor: Dr.Thomas W. Shinder Cover Designer: Michael Kavish

Co-Publisher: Richard Kristof Page Layout and Art by: Shannon Tozier Acquisitions Editor: Catherine B. Nolan Copyedit by Syngress Editorial Team Developmental Editor: Jonathan Babcock Indexer: Julie Kawabata

Freelance Editorial Manager: Maribeth Corona-Evans

(6)

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors, and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, and Frida Yara of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler,Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten and Annabel Dent of Harcourt Australia for all their help.

David Buckland,Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

(7)

(8)

Author

Carol Bailey(MCSE+Internet) is a Senior Technical Consultant

working for Metascybe Systems Ltd in London. Metascybe is a Microsoft Certified Partner that develops its own PC communications software as well as offers project work and consultancy. In addition to supporting these products and services for an internationally diverse customer base, Carol co-administers the company’s in-house IT resources.

With over 10 years in the industry, Carol has accumulated a wealth of knowledge and experience with Microsoft operating systems. She first qualified as an MCP with NT3.51 in 1995 and will remain qualified as MCSE as a result of passing the Windows 2000 exams last year. Her other qualifications include a BA (Hons) in English and an MSc in Information Systems.

Well known for her Windows 2000 expertise, Carol has a number of publications on this subject, which include co-authoring the following books in the best-selling certification series from Syngress\Osborne McGraw-Hill:MCSE Windows 2000 Network Administration Study Guide

(Exam 70-216). ISBN: 0-07-212383-4;MCSE Designing a Windows 2000 Network Infrastructure Study Guide(Exam 70-221). ISBN: 0-07-212494-6; and MCSE Windows 2000 Accelerated Boxed Set(Exam 70-240).

(9)

viii

Technical Editor

Thomas Shinder, M.D.(MCSE, MCP+I, MCT) is a technology trainer and consultant in the Dallas-Ft.Worth metroplex. He has con-sulted with major firms, including Xerox, Lucent Technologies, and FINA Oil, assisting in the development and implementation of IP-based com-munications strategies.Tom is a Windows 2000 editor for Brainbuzz.com and a Windows 2000 columnist for Swynk.com.

Tom attended medical school at the University of Illinois in Chicago and trained in neurology at the Oregon Health Sciences Center in

(10)

Configuring General Server Properties 570 Configuring Security Server Properties 570 Configuring IP Server Properties 572 Automatic Private IP Address 573 DHCP Address Allocation 573 TCP/IP Configuration Options 574 Configuring IPX Server Properties 577 Configuring NetBEUI Server Properties 577 Configuring PPP Server Properties 578 Configuring Event Logging Server

Properties 579 Configuring Dialup and VPN Connections 579 Configuring L2TP VPN Connections 582

Modifying the Default L2TP/IPSec

Policy 586 Using and Configuring Internet Authentication

Service (IAS) 590

Configuring RRAS and IAS 592

IAS Configuration with ISPs 595 Configuring Remote Clients with the

Connection Manager Administration Kit 598 Manually Defining Connections 600 Using the Connection Manager

Administration Kit 601

Preparation: Creating a Static Phone

Book 602 Preparation: Creating a Dynamic Phone

Book 605 Running the Connection Manager

(23)

Walkthrough: Configuring Remote Access

Policies 614 Summary 617

Chapter 10 Internet Connectivity 625

Introduction 626 Using and Configuring Internet Connection

Sharing (ICS) 628

ICS Settings 630

Using and Configuring RRAS Network

Address Translation (NAT) 632

Installing NAT 633

Adding NAT to RRAS 635

Configuring NAT 637

Configuring Global NAT Properties 638 Configuring NAT Internet Interface

Properties 641

Monitoring NAT 642

Controlling Connections 645

Configuring Demand-Dial Restrictions 646 Configuring Internet Filters 647 Using and Configuring Internet Security

and Acceleration (ISA) Server 649

Security Features 653

Web Proxy Client 665

SecureNAT Client 665 a good reason why I can’t run a PPTP server on my internal network configured as a SecureNAT client?

(24)

Walkthrough: Configuring NAT to Publish a

Web Server 670

Summary 674

Appendix The Windows 2000

Microsoft Management Console 683

Introduction 684

MMC Basics 684

Saving Configuration Changes 687 Exporting Information from MMC Snap-Ins 687

Adding Servers 688

Remote Administration 690

Command Line 690

Configuring and Creating Your Own MMCs 693

Using URL Links 695

Using Favorites in MMCs 696

Organizing Favorites 698

Saving Custom MMCs 699

Changing the Custom MMC View 702 Advanced MMC Configuration: Using Taskpads 703 The New Taskpad View Wizard 704 Adding Taskpad Views and Non-Snap-In

(25)

(26)

There is a tremendous variety and volume of literature available these days on how to install and configure Windows 2000, so you may ask “How is this book different?” As the title indicates, this book concentrates on configuring Windows 2000 Without

Active Directory. It’s about making the most of those Windows 2000 features and services that can be used independently of Active Directory–whether that’s in an existing NT4 domain environment, Novell’s NDS, UNIX, or even a standalone workgroup.

I was motivated to write this book because the existing books on Windows 2000 invariably explain the new features only in the context of Active Directory, with the result that many people just do not realize what is possible without Active Directory. This approach ignores the reality that many companies don’t want or need the ser-vices Active Directory offers and would prefer to keep their legacy serser-vices intact. Of course it’s easy enough to get a Windows 2000 computer up and running so it’s functional without Active Directory, but it’s entirely a different thing to fully use and exploit Windows 2000’s new features to your advantage. And yet, these exciting new features are there, and are yours for the taking.

This book is not anti-Active Directory. I won’t tell you why you should or shouldn’t use Active Directory. I won’t tell you which alternative directory service to use, or advocate everybody should be running P2P. Rather, this book is an acknowl-edgement that many corporations are currently running Windows 2000 without Active Directory for many reasons. Some of those reasons may boil down to timing and budget constraints, or perhaps a lack of suitably trained staff. It can take many months of designing, planning and testing before a migration deployment can even begin. Still recovering from Y2K upgrades, and with an economic downturn with

(27)

Other reasons for not migrating to Active Directory include a lack of confidence in Microsoft’s first version of an enterprise directory service, simply because it lacks matu-rity. It hasn’t yet stood the rigors and test of time that make IT Managers feel comfort-able enough to pull the plug on existing and working systems in a production

environment. An Active Directory upgrade or migration is not in the same league as any other Microsoft upgrade to date, and getting it wrong or running into problems has far-reaching consequences across the whole enterprise network. In comparison, this book shows you how to take relatively small, isolated steps with Windows 2000 systems without having to restructure existing infrastructures.This allows you to gradually introduce Windows 2000 at your own pace, allowing more staff to gain valuable expe-rience in the new operating system to help ease the learning curve. In fact, introducing Windows 2000 this way into your network offers a good stepping-stone as part of a company’s gradual migration process to Active Directory, rather than aiming for the “Big Bang” approach of implementing Active Directory first.This book is just as much about strategic decisions as it is technical implementation details. As such, it is equally applicable for both IT Implementers and IT Managers.

The first chapter examines in some detail why many companies have not

migrated to Active Directory, with some of the technical, political and strategic deci-sion markers you may also want to take onboard. If you are an IT implementer rather than a decision maker, you may still find this information useful so you have a better understanding of how some of the problems you may face will be more than just technical. It has long been said that politics make up the 8th layer of the OSI 7 layer model, and this is becoming increasingly true in today’s networks where the IT infrastructure is the business and profit of the corporation.

Just as it’s important to know about the features and services you can implement outside Active Directory, you should also be aware of which features and services cannot work without Active Directory.Too often Windows 2000 literature concentrates on the benefits of Active Directory, but without clearly identifying which of those ben-efits are dependent upon an Active Directory environment.The first chapter includes a section on these features and looks at both their advantages and disadvantages.This puts you in a better position of being able to make an informed decision on whether they justify implementing Active Directory, or whether they will change any migration plans or timescales.The more objective information you have, the more empowered you become to make the right decision for your particular circumstances, rather than having to make decisions based on literature with a marketing bias.

(28)

still strategic information available: for example designing, deploying, or upgrading issues that you may want to consider as part of longer-term plans, or configuration options which take into account political issues in addition to just technical problems.

Unfortunately, this book cannot cover every single Windows 2000 feature that can be used without Active Directory (or I would still be writing it!), but it does aim to cover the main areas that I think have most impact for the majority of company networks.This includes features that are particularly relevant to workstations, laptops and servers (for example, exactly how the security and reliability features work, which have already earned high praise in the industry), and specific services such as IIS5 and the highly acclaimed Terminal Services. Many of the improvements in Windows 2000 were on the networking side simply because they were necessary to accommodate Active Directory.This book shows you how you can cash in on those networking service improvements even though you’re not running Active

Directory–which include DDNS, DHCP,WINS, NLB, and complimenting services such as Certificate Services, IPSec, RAS and IAS, ICS/NAT, and even an introduc-tory look at ISA Server.

Chapter 1 also contains a section outlining subsequent chapter contents in more detail which provides more information on the breath and scope of the book, and the Windows 2000 features that will be covered.You may also find this section useful if you want to dip into chapters out of sequence. Each chapter was written to stand alone as much as possible, but occasionally it was necessary to refer to material in previous chapters to prevent duplication.When this has been the case, the reference is clearly stated.

A walkthrough accompanies each chapter, and these aim to provide useful, practical, hands-on exercises that should be possible even on production computers. This book aims to bring Windows 2000 features out from the test network, and into the production environment.Written by somebody working in the industry full time, it is aimed at real-world networks, real-world computing practices, and real-world relevance, today.

(29)

(30)

Why Not Active

Directory?

Solutions in this chapter:

■ Why Use Windows 2000 without

Active Directory?

■ The Purpose of This Book ■ Active Directory Integration

Walkthrough: Managing User Accounts and Securing the Local Windows 2000 Administrator Account

Summary

Solutions Fast Track

(31)

Introduction

Welcome to Configuring Windows 2000 WITHOUT Active Directory, which quite simply aims to demonstrate how you can make the most of Windows 2000 out-side an Active Directory environment. Microsoft spent conout-siderable time and money, and bet its future business, to update its already successful platforms of Windows NT 4.0 and Windows 98 to be today’s version of Windows 2000. Although it’s true that Windows 2000 was written around and for Active Directory (Microsoft’s first offering of an enterprise directory service), it also offers many new and improved features that you can take advantage of immedi-ately, with little or minimal risk to your existing network infrastructure, because they are independent from Active Directory.

If you are running a Windows NT 4.0 style domain, a Novell NDS or equiv-alent alternative directory service, a workgroup (peer-to-peer) network, or even have a standalone computer, you can still benefit greatly from Microsoft’s new technologies if you have computers running Windows 2000.You may already have Windows 2000 computers on your network—laptops, desktops, and servers—but not realize their full potential simply because you are unsure about which of the new features will work independently from Active Directory or because you do not know how to configure and use them in your own network environment.This book is for you—to show you what features can be used out-side Active Directory and how to get the best out of them in a production envi-ronment today.

Why Use Windows 2000

without Active Directory?

We’re actually asking two different questions here:Why use Windows 2000 at all, and why use Windows 2000 without Active Directory? There is more to

Windows 2000 than just Active Directory features—as this book shows. But there’s no doubt that Windows 2000 was written with Active Directory in mind, which is reflected in the standard documentation that accompanies the software. Both questions deserve a separate look.

Why Use Windows 2000?

(32)

Despite the accolades of alternative platforms, it has to be recognized that no computer system (hardware or software) is 100 percent perfect.You may have personal preferences based on experience and knowledge—and therefore you have to decide which operating system best fits your requirements.

The Acceptance of Windows

into the Corporate Workplace

In this context of no computer system is perfect, many corporations decided on Microsoft operating systems because they offer an easy-to-use interface.This factor alone substantially reduces costs for both end-user training and network administration. It also makes recruiting staff easier simply because there’s a better choice and greater availability of people in the marketplace with varying degrees of experience with and competence in this operating system.

Additionally,Windows comes from an established company, is widely avail-able, is widely supported by the industry, and offers solutions within the bud-geting requirements of most companies and even individuals with home

networks.True, there are cheaper alternatives—but the overall cost of a computer is more than the cost of its initial hardware and operating system.These days we are more aware of Total Cost of Ownership (TCO), which takes into account factors such as ease of installation, ease of use and maintenance, choice of hard-ware, choice of drivers and packages, and availability of training material, qualified staff, and vendor support, among other considerations.

It is also true that there are alternative platforms that can boast a history of offering better security and reliability, but at the cost of lack of flexibility, less support for third-party drivers and applications, more extensive training require-ments, and higher recruiting costs.Taking the whole equation into account, it’s no wonder that many corporations today include Microsoft operating systems on both workstations and servers.

The Acceptance of Microsoft

in the Corporate Workplace

(33)

the majority inherit the choices of their predecessors and know it is unrealistic to replace a working system with an alternative (unless there are exceptional cir-cumstances). And for every IT manager with the authority to make that choice, there are many more people working in the IT industry who simply do not have that decision to make.Their job is to implement and support the current and past choices of other people. Corporate networks are built on historical decisions and politics rather than purely technical choice.

The Emergence of Windows 2000

Microsoft spent more than three years on improving Windows NT 4.0 and Windows 9xbefore finally releasing its next version, which it decided to call Windows 2000. And for all the current marketing about Windows XP, and Windows.NET, these too will be built on today’s standard Windows 2000 technologies.

As somebody who is involved with both producing software solutions and supporting them, I’m aware that the best products are a result of evolution.They build on previous technical knowledge and experience while incorporating feed-back from the trenches. By “best” I include good design (both visually and struc-turally), reliability, and a feature set that is both useful and relevant to the end user (rather than simply bloatware).The maturity of the product and company is important simply because it is against the odds that a completely new product will meet these needs if it has no such foundation. More often than not, perspira-tion wins over inspiraperspira-tion.

Although heralded as a new operating system,Windows 2000 is evidently more the result of a reinvention rather than a new invention—which offers a confidence factor appreciated by those not willing to learn by fire.When redesigning Windows NT 4.0 for Windows 2000, Microsoft had the luxury of learning from past mistakes and improving on successful features.This learning wasn’t just from its own products but also from other peoples’ products that had earned market share and stood the test of time.

(34)

Windows 2000 Track Record

Over a year from its release and two service packs later,Windows 2000 is no longer bleeding-edge technology. Many companies have been successfully run-ning Windows 2000 in various guises (with and without Active Directory) for some time with proven successful results. It’s steadily gaining an almost

begrudging respect from the previously cynical IT users who were all too

familiar with regular blue screens and lockups and the need for third-party appli-cations to supplement limitations in the operating system’s feature set. Now that the MCSE Windows NT 4.0 exams are officially retired by Microsoft, more IT staff by necessity (to retain their MCP or MCSE titles) are learning Windows 2000 and its new features.

T

IP

For more information on current Microsoft certifications, see “Microsoft Technical Certifications” on the Microsoft site (www.microsoft.com/ trainingandservices/default.asp?PageID=mcp&PageCall=

certifications&SubSite=cert).

Windows 2000 Today

Windows 2000 is the current Microsoft operating system today, which is reflected in the computing resources available from Microsoft and elsewhere.Your trusted Windows NT 4.0 and Windows 9xare already branded down-level, which is syn-onymous with legacy to clearly indicate that they are not considered current. These operating systems now have a ticking shelf life—Microsoft has announced that it won’t be supporting them beyond June 2003, and the decision to not roll out any more service packs for Windows NT 4.0 is perhaps indicative that Microsoft is gearing down its support for the older platforms.

(35)

Why Not Use Active Directory?

Despite its title, this book is certainly not anti-Active Directory. In fact, because I know Active Directory is built on the tried and test distributed technology of Exchange 5.5, which has proved successful for some time, I probably had more faith in Microsoft’s first release of a distributed directory service than many. As a network administrator, I’m well aware of the benefits a hierarchical directory can offer with scalable and central administration, and the ability to delegate and fine-tune control at lower levels. And, finally, there’s the recognition that applications don’t always run only over reliable and fast networks!

I’m also aware, though, that many companies are running Microsoft operating systems in a non-Active Directory environment for any of the following reasons:

■ _{The company doesn’t have the resources to migrate to Active Directory}

in the short or even medium term.

■ _{The company has experienced delays in the migration design, testing,}

and rollout phrase.

■ _{The company has decided not to trust Microsoft’s as yet relatively new}

technology—particularly if a working Windows NT 4.0 domain struc-ture is already in place with an alternative directory services infrastruc-ture and the company cannot afford disruption to the everyday running of IT services.

■ _{The company has decided that the overheads of both upgrading and}

maintaining Active Directory are not cost-effective when set against its network requirements.

(36)

With no current grafting andpruning facilities (where domain trees can be merged, split, and renamed) and a lack of current management tools (for

example, simple drag-and-drop features), many companies just aren’t prepared to risk an Active Directory migration until the product offers the improved versa-tility and flexibility that are required for an existing enterprise network. In fact, it speaks volumes about the lack of built-in tools to handle existing networks when you realize that Microsoft itself resorted to a third-party domain migration tool to help migrate its Windows NT 4.0 domains (Fast Lane Technologies DM/ Consolidator). Its own utility,Active Directory Migration Tool (ADMT), just isn’t suitable for all but the simplest and smallest of Windows NT 4.0 domain migrations. For a start, it can’t handle in-place upgrades—it works only when the Active Directory domain you’re migrating to is in Native mode, and many cor-porate network administrators will need and want to remain in Mixed mode for a safety period.

But it’s not just domain restructuring and moving users you need to con-sider—you also need to factor in an extensive and thorough inventory of hard-ware/memory/BIOS versions and software packages to identify required upgrades.There’s also the tedious and time-consuming logistical nightmare of moving a considerable amount of data for servers that are migrated or consoli-dated. All this takes time.

Added to all this, you have IT managers and administrators who remember the teething problems and rather painful learning curves that accompanied Novell’s NDS when it was first available. I think we’re a little wiser and more cautious these days, learning from experience that it takes time for such a product to be robust enough, and flexible enough, to meet the requirements of a true production environment.

Designing and Deploying Active Directory:

More Than a Technical Challenge

(37)

political choices and decisions that must meet the requirements of disparate managerial sections.

It’s all very well for Active Directory migration documentation to talk glibly about “involving all parties for a consensus design,” but in reality achieving that can be near impossible simply because of internal politics. Some companies have resorted to creating multiple forests simply because a consensus was not a work-able solution. Each forest can then be configured to trust each other forest—but then you lose the power of a single enterprise directory and end up with little more than your original Windows NT 4.0 multimaster domain configuration. It’s not a scalable solution, and it is not future-proofed. For example, installing a product that modified the schema (for example, Exchange 2000) would not be able to extend further than the current forest.With no grafting and pruning facil-ities, the only alternative would be to start over.

From a business perspective, Active Directory adoption is also a difficult pro-ject to quantify and qualify. Many companies quote the lack of a compelling business reason as one of the main reasons why they haven’t yet migrated to Active Directory. Although they can perceive long-term benefits, these have to be offset against the immediate costs and risks associated with restructuring and redesigning an existing working network infrastructure from the top down.

In fact, you can see the cost justification in delaying because the longer a company doesn’t migrate to Active Directory, the more the product will mature as bugs will be discovered and fixed, customer feedback will be integrated into new releases, and a greater choice of third-party products becomes available. Additionally, there will be a wider choice of staff in the marketplace with Windows 2000 experience and qualifications.

You can easily appreciate how an IT manager reading through some of the bugs listed as fixed in the two Windows 2000 service packs will rejoice in the company’s inertia and be grateful it wasn’t his or her network that was vulnerable to particular critical problems.With the Microsoft marketing machinery now revving up for Windows XP and Windows.NET Servers, it makes it an even easier excuse to put off the migration process and wait for these to be released and fixed—and you’re back where you started!

With these political issues in mind, the question of “How soon should we migrate to Active Directory?” often turns into “How late can we migrate to Active Directory?”

(38)

but usually have a mixture of other platforms. Such corporations will want to carefully consider whether a cross-platform directory service would offer a better alternative to Active Directory before committing themselves to a restricted solu-tion.The concept of being sucked into a Microsoft monopoly at the moment is a very sensitive issue, and it is just as much a political issue as a technical one.

The Purpose of This Book

Most Windows 2000 books (and Microsoft references) either cover very basic material on Windows 2000 (for example, how to drive the new interface) or expect you to migrate fully over to Active Directory. Any Windows NT 4.0 domain or workgroup seems to exist only with a view of upgrading/migrating later—and all the new features are just around this corner.Very few (if any) con-centrate on how to get the best out of Windows 2000 before or without running

Substantiating Return on Investment (ROI)

Some Active Directory adoptions have occurred after identifying two specific business justifications. The first has been when the company has identified a product its business requires that will run only on Active Directory (the most obvious current example is Exchange 2000). The second has been for new networks where upgrading hardware, modi-fying existing services and procedures, and restructuring considerations have not been an issue.

In addition, many of the companies that migrated to Active Directory so that they could run Exchange 2000 were previously running Exchange 5.5. This meant the IT staff could leverage their Exchange 5.5 knowledge to more quickly understand and apply the similar concepts and building blocks in Active Directory. This no doubt helps to alleviate the retraining and staffing issues that many corporations flag as being one of the problems with an Active Directory migration.

(39)

This viewpoint also makes it difficult to pinpoint features that run indepen-dently from Active Directory so that even if your network has migrated to Active Directory, those who are non-Enterprise administrators can be aware of how to get the best out of their departmental servers.

As somebody who works full time in the IT industry, I see the need for this information every day, without it being met elsewhere.To date, the only

Windows 2000 information I’ve seen falls into the following categories:

■ _{Plenty of literature from Microsoft (for example, Resource Kits,}

TechNet, MS Press) that assumes people either have migrated or are migrating whole-heartedly over to Windows 2000 and Active Directory.

■ _{Study guides aimed at those wishing to upgrade their MCP and MCSE}

(and equivalent) to the new Windows 2000 track, where all the new fea-tures exist only in an Active Directory environment.

■ _{From the Field}_{references from the few that have actually migrated over}

to Windows 2000 and Active Directory and can pass on relevant, prac-tical information to those about to walk in the same footsteps.

■ _{Specialized books on certain Windows 2000 topics, such as Web hosting,}

DNS, Exchange 2000, security, and more.

As previously mentioned, the purpose of this book is to cover some of the main features in Windows 2000 that you can use immediately and independently from Active Directory.This approach is much more than simply making a

Windows 2000 computer function in your existing environment—we’re looking at using and exploiting to the full new features that might not be immediately obvious and that can all be configured independently from Active Directory.

This approach also provides a way of allowing you to adopt Windows 2000 slowly, at your own pace. Many companies seem to be adopting a mixed deploy-ment where Windows 2000 computers coexist with down-level systems as desk-tops and servers are gradually replaced with upgrades in line with natural refresh cycles. In many cases such in-place upgrades are seen as seamless because the new version offers the same functionality as the previous, so the risk is minimal.

This is very different from Microsoft’s pro-Active Directory stance and its assumption that everybody will be running Active Directory networks sooner rather than later. I can’t help thinking that it is a more sensible approach to take, and one that even Microsoft will benefit from in the long term.

(40)

control people feel they have lost as a consequence of Microsoft’s pro-Active Directory stance. And for those companies that are planning to move to Active Directory, it offers an interim compromise and stepping stone as you move from your stable Windows NT 4.0 networks to Windows 2000 Active Directory.

Who Should Read This Book

This book is for two different, and yet complementary, types of IT people: IT managers and IT implementers.The distinction between the two is blurred these days, and I recognize that many job functions will involve both roles.

IT Managers

I wanted to provide information for what I saw as a rather badly represented target audience: IT managers. I’ve seen books and whitepapers and I’ve attended seminars that are supposedly aimed at the “IT Decision Maker,” which I’ve taken to mean IT managers. But they rarely seem to successfully address the require-ments of the IT managers I come across every day in my work.

In my experience, IT managers are the people who have a high level of IT knowledge and can appreciate what is technically possible, together with

knowing how to amalgamate this with business acumen within the restrictions of their company resources.They are the ones who make the important decisions to translate theory into practice, within the context of company policies.They have to battle with resource deficiencies and company politics.They risk their job, rep-utation, and blood pressure on making such decisions.

This book aims to provide useful information on what is technicallypossible (and how) while still taking into account real-life issues such as minimal risk, minimal cost, and identifying isolated steps that offer easily obtainable goals and short-term practical results. Once armed with this information, you will be in a stronger position to decide how and when to translate these new features into project plans and schedule realistic time frames and resources to put them into action.

(41)

environment, but without having to also take on Active Directory. All too often, standard Windows 2000 literature discusses new features only in the context of Active Directory so that you may not be aware of what features and services you can use (and how) independently from Active Directory.Therefore, you’re being asked to learn Active Directory, the new features,andthe new interface all at once—which usually relegates it to a testing environment or your home study network.This book aims to provide the information you need to start using Windows 2000 productively in your current working environment.

Armed with this information and a clear view of what is possible with Windows 2000 when running it outside an Active Directory domain (and what isn’t possible without Active Directory) you will then be better equipped to dive into the standard Microsoft documentation and build on this knowledge.This then may or may not include Active Directory features—but the choice will then be yours, rather than having it decided for you.

By knowing what is possible without Active Directory and how to imple-ment it, you should gain a level of knowledge and a perspective that is difficult to obtain from the standard Microsoft documentation.Throughout the book we will have special information sidebars for IT implementers where the topic identifies a relevant Configuring & Implementing consideration to help provide addi-tional technical information.

Microsoft Certified Professionals and System Engineers

Although not specifically aimed at MCPs and MCSEs, this book may also be of benefit to MCP/MCSE candidates looking to supplement their Windows 2000 exam knowledge and extend it into the realities of the workplace.

It may also help NT professionals transition their skills to Windows 2000 because new features can be learned within the context of a Windows NT 4.0 domain, instead of trying to take these on board at the same time as learning Active Directory.There’s nothing so reassuring as starting from familiar ground rather than feeling as if you’re starting everything from scratch again. Interestingly, Microsoft’s fairly recent addition of exam 70-244, “Supporting and Maintaining a Microsoft Windows NT Server 4.0 Network” (available since April 2001), shows its acknowledgment that Windows NT 4.0 domains are still prevalent in the workplace and as such need to be supported by competent professionals.

(42)

Directory in a typical departmental setting. Note, however, that this book is not

written as a MCSE study guide for a specific Microsoft exam; there are plenty of good alternatives for these already.

What This Book Will Cover

This book will cover a wide range of topics that encompass a diversity of the new features and services that Windows 2000 offers.This will include everything from features particularly relevant for workstations, laptops, and servers, to specific services such as IIS and Certificate Services,Terminal Services, and Remote Access to networking services such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP), Internet Protocol Security (IPSec), and Network Address Translation (NAT). All these and more will be explained outside the context of Active Directory—clearly outlining what is pos-sible and what isn’t, and also what is pospos-sible with certain limitations.

Additionally, each chapter contains a walkthrough that includes step-by-step information on how you might implement some of the features covered in the chapter.These are practical exercises that reinforce some of the chapter contents and that should be useful on most production environments to help provide some hands-on experience.

Chapter 2:Workstations

Many people have Windows 2000 now as their standard desktop operating system, but they might not realize how to make the most of the new features it offers. In fact, I’ve often seen people treat Windows 2000 as if it were Windows NT 4.0 with the interface annoyingly changed, totally unaware of the new features and benefits “under the hood,” just there for the taking! The new interface isn’t to everybody’s liking, but it is highly configurable—if you know where to look.

(43)

Active Directory Group Policies have had a lot of coverage as being one of the biggest reasons to migrate to Active Directory so that you can centrally con-trol and secure users’ and computers’ environments.They offer far more extensive configuration options than System Policies ever did—and they do so without

tattooingthe registry. But did you realize that you can use them outside Active Directory, even within a Windows NT 4.0 domain? Local Group Policies are one of Windows 2000 best-kept secrets! Using them together with security tem-plates, you can centrally configure and deploy your security and administrative templates on Windows 2000 computers—for example, you can lockdown desk-tops for users and enforce tight security configurations.

Chapter 3: Laptops

It’s not difficult to see why the laptop market was the first to embrace Windows 2000. It offered the Plug and Play (PnP) features and Device Manager loved in Windows 9x, but with the secure logon and NTFS security that was needed for a mobile existence. Added onto that, EFS, the Encrypting File System in Windows 2000, offered increased protection, which was a new security feature that was easy to use immediately without Active Directory. But you do know how to best use EFS and what restrictions and limitations it has? Do you want to disable it to ensure that you don’t end up with inaccessible files, but you are not sure how to do that without Active Directory?

Those are some of the best-known features and reasons for running Windows 2000 on laptops, but it also offers some great new features for integrating a mobile environment with the corporate network—including automatic hardware profiles and a Synchronization Manager. Files and content can be cached when the laptop is online, which can then be used when the laptop is disconnected and synchronized when next online.This can greatly improve productivity, reduce bandwidth, and help eliminate the problems of lost modifications when multiple versions are used.

(44)

Chapter 4: File and Print Services

The workhorses of the network that fulfill various file and print services have a lot to gain from Windows 2000. Storing and retrieving data can be made easier with features such as Distributed File System (Dfs) to help you reorganize shares without actually moving any data, an Indexing service that lets users search for files and content across the network, and disk quotas to help you control and plan disk storage and capacity.

Disk management has become easier with the new dynamic disk storage pro-viding on-the-fly changes without rebooting. Remote disk management is now possible, and the Remote Storage service can provide instant increased disk storage by dynamically migrating less often used data to tape.The built-in backup utility has an improved interface with an inbuilt graphical scheduler, and you can now leave Performance Monitor running as a service to help keep an eye on the general health of your servers (for example, emailing the administrator when crit-ical factors such as low disk space and memory are identified).

There’s plenty of printing improvements too, including support for the new Internet Printing Protocol (IPP), which allows intranet and Internet users to install and manage their printers through a browser.

Chapter 5:Terminal Services

I think Windows 2000 Terminal Services earns its spot as my favorite feature in the Windows 2000 feature set. Now part of the base operating system rather than a separate product,Terminal Services is installed as a service just like any other operating system service. Best of all, it comes in two flavors: Administrator Mode and Application Mode.

(45)

place. Conversely, there may be times when you want to integrate that environ-ment with the user’s local operating system, so you need to know whether this is possible and how.Terminal Services means that any Windows 32-bit user can have a Windows 2000 operating system environment—without having to change his or her hardware.This could be a permanent arrangement in an attempt to centralize all applications and administration or a stepping-stone as you slowly migrate users’ desktops to Windows 2000.

There are some great new features and improvements in Windows 2000 Terminal Services that previously were possible only with the Citrix add-on, Metaframe—for example, improved throughput, mapping of local printers and drives, copying files between the two systems, and, of course, shadowing (which Microsoft calls Remote Control), which lets an administrator see and take over a user’s session. Particularly for remote sites, the last feature can be a godsend for IT Help Desks and dramatically reduce user problems and increase the turnaround of logged calls.

I found that additional features supplied with Service Pack 1 (interestingly no longer included with Service Pack 2 but downloadable from the Microsoft site), and from the Windows 2000 Server Resource Kit were indispensable for produc-tion use of Terminal Services, and so I’ve included these in this chapter.

The only fly in the ointment with Windows 2000 Terminal Services is the new requirement for running Terminal Services Licensing.You must run these when running Windows 2000 in Application Mode.They require consideration before installation, and for this you have to know exactly how they work and what configuration options you have. Once you have identified Terminal Services as a possible resource for your company, learn about Terminal Services licensing requirements before you make any deployment plans!

Chapter 6: Networking Services—

DNS, DHCP,WINS, and NLB

(46)

problems. Although you might not be ready to move to Active Directory, there is no reason why you can’t benefit from those networking services improvements.

Although DNS, DHCP, and WINS are independent services, they work so closely together to produce the same goal of computer-to-computer communica-tion that it is difficult to talk about one in isolacommunica-tion from the others. Each

involves central management, configuration control, and security.The Network Load Balancing (NLB) built into Windows 2000 Advanced Server (and

Datacenter Server) also offers high availability and load balancing of networking services.With a view to distributed networking, scalability, and reliability,

Network Load Balancing complements the Windows 2000 networking services very well.

Chapter 7: Internet Services—

IIS5 and Certificate Services

There are some great improvements to IIS, which no doubt help to account for some of the Windows NT 4.0 server upgrades to Windows 2000 outside Active Directory.There are improvements in reliability, administration, security, and per-formance—all good news for standalone public Web servers. Many of these are hidden, behind-the-scenes changes, so it pays to know exactly what they are and how they function.

There are also improvements for the intranet environment with WebDAV

(Web Distributed Authoring and Versioning), as Microsoft continues to blur the distinction between Web servers and file servers, making the browser a universal desktop interface.

Certificate Services is a separate service to IIS, but it’s easy to see how the two complement each other—particularly outside Active Directory. Certificate Services complements IIS by offering server and user certificates for a highly secure form of authentication and encryption. IIS5 complements Certificate Services by offering its Web-based certificate forms for requesting and receiving certificates.These certificates can be for both user authentication (for example, used with Web authentication) and also computer authentication (for example, used with IPSec).

(47)

utilities outside Active Directory.This chapter is the exception, where it assumes and concentrates on a Standalone installation.

Chapter 8: Secure Communication—IPSec

This chapter builds on the previous chapter because it covers using computer certificates that are requested and granted with Certificate Services and IIS5. Computer certificates are an alternative authentication method to Kerberos when using IPSec, and although Kerberos is the default authentication (except with L2TP/IPSec) you cannot use Windows 2000 Kerberos outside Active Directory. Computer certificates make IPSec possible and secure when used outside Active Directory.

In addition to explaining the authentication methods, this chapter explains how the built-in IPSec policies work and how you must modify them when out-side Active Directory. It also explains the various components and utilities that support IPSec. Additionally, it covers how to build your own custom policies so that you are firmly in control of what traffic you accept and block and how to track and monitor it.

This chapter is very much a need-to-know and hands-on, practical look at implementing IPSec rather than offering a theoretical exploration of how cryp-tography-based security works. I’ve found this level of detail very difficult to find elsewhere, particularly when implementing IPSec outside Active Directory. And yet to me, this is what network administrators should focus on as a starting point in implementing IPSec.

Chapter 9: Remote Access—

RAS,VPN, IAS, and CMAK

The improved VPN support is well known in Windows 2000, and it’s usually L2TP/IPSec that grabs the limelight for this. I think the new remote access policies are the greatest improvement for securing and fine-tune configuring a server for remote access connections.These apply for dialup, for PPTP and L2TP/IPSec VPN connections, and when using IAS (Internet Authentication Service). Somehow remote access policies have earned the reputation of not being applicable outside Active Directory, and this is just not true.What is true is that they must be config-ured slightly differently when used on a Windows 2000 member server within a Windows NT 4.0 domain, so it’s vital to understand exactly how they work.

(48)

and administrative overhead (server and remote computer both need computer certificates, for example). Not all platforms support IPSec either.When

L2TP/IPSec is not an appropriate choice, you need to know how to configure PPTP with the tightest security.

When L2TP/IPSec can be used, this chapter explains how this can be config-ured outside Active Directory, exactly what security is being used, and how you can monitor it.You may be surprised by some of the defaults Microsoft selects for you, and you may want to change them.

CMAK is the Connection Manager Administration Kit, which allows admin-istrators to deploy central connection details bundled into a dialer.This means remote users have to run only your supplied executable to easily connect to your remote access services.You can use either a static phone book to supply the actual connection details or a dynamic phone book that the user checks each time he or she connects and automatically downloads any changes. Not only can this look very professional—for example, by customizing the dialer with com-pany logos and a personalized message with Help Desk details—but it can also dramatically reduce Help Desk calls from remote users trying to set up and/or amend the required connection details. For example, although Windows 2000 Professional can automatically prompt for an underlying ISP connection to be made before a VPN connection, down-level clients do not. Many users simply do not understand or forget that they should first connect to their ISP and then make an additional connection to the VPN server.The custom dialer can be con-figured to do this automatically for the user.

Chapter 10: Internet Connectivity—

ICS, NAT, and ISA Server

All three of these Microsoft solutions—Internet Connection Sharing, Network Address Translation on RRAS, and the Internet Security and Acceleration Server—offer different solutions for connecting multiple workstations on a local area network to the Internet, by means of one computer that is connected to both the internal and external network.

(49)

flexibility in configuration—for example, it is able to take advantage of multiple public addresses and reserve certain addresses for specific services. Neither, how-ever, can accommodate controlling access by users—and to do this you’ll need something more like ISA Server, which is the Windows 2000 upgrade to Microsoft Proxy Server 2.

ISA Server has a lot more to offer than just controlling user access—highly configurable caching, bandwidth control, and firewalling features are only some of its impressive feature set. As an additional product (not built into the operating system like ICS and NAT), it’s important to appreciate exactly how this product works with its limitations and restrictions as well as its features. For example, although it was written to integrate with Active Directory, unlike Exchange 2000 it can be used both inside and outside Active Directory. Some of the features you might want to use may be available only when it’s integrated with Active

Directory, and it’s important to realize this if you are currently running a Windows NT 4.0 domain.This is particularly important if you’re planning to upgrade Proxy Sever 2 while Microsoft is offering an attractive upgrade deal. If you are not installing ISA Server into Active Directory you may lose some of the functionality you had (such as arrays). It’s very important to realize all the impli-cations of upgrading, and I’ve found that Microsoft documentation generally assumes that an ISA Server that is required for caching will be installed in Active Directory, and that only the firewall features will be installed on computers out-side Active Directory.While this chapter cannot cover each ISA feature and how to configure it, it will outline the new features and cover upgrading issues and how to configure/install it outside Active Directory.

Appendix A:The Windows 2000

Microsoft Management Console

Common to most Windows 2000 graphical configuration utilities is the Microsoft Management Console (MMC). In my experience, most people find this intuitively easy to use at its basic level, and so throughout the book I’ve made the assumption that step-by-step instructions are not required on how to navigate around the MMC when using the built-in Administrative tools.

(50)

that are logically linked—for example, DNS and DHCP, or the Security event log with IPSec policies so that you can easily monitor which policies are being used.

I don’t understand why administrators don’t use custom MMCs like this more often and logically group together tools that they frequently use. It’s so much easier to call up a single MMC with everything you need rather than having to load lots of different MMCs and then on each having to navigate to the correct level. It’s incredibly quick and easy to create custom MMCs, so I can only conclude that most administrators are not aware or forget that this is pos-sible.This technique also works well with remote administration and the pow-erful RunAs command that lets you call up an application with an administrator’s privileges while still logged on with a standard user account.

Other people may not be aware of the true flexibility and power of the MMC—for example, creating and using Taskpads as simpler GUI utilities that can be easily distributed for delegated administration or integrated into applications. ISA Server, for example, makes good use of MMC Taskpads, as Chapter 10

shows.With its Web-based support, I suspect using MMC Taskpads is another area that Microsoft and vendors will continue to develop, in line with the PC-to-Web integration concept that is prevalent throughout Microsoft’s new features and platforms.This appendix serves as a good introduction to creating your own Taskpads without any programming knowledge so that you too can leverage the simplified user interface.

Configuring Windows 2000 Without Active Directory

1 YEAR UPGRADE

WITHOUT

Active Directory

Configuring Windows 2000

Make the Most of Windows 2000 WITHOUT Active Directory

• Step-by-Step Instructions for Configuring Local Group Policy, Remote Access

Policies, Primary and Secondary DNS Zones, and more!

• Complete Coverage of the Pros and Cons of an Active Directory Migration

1 YEAR UPGRADE

WITHOUT

Active Directory

Configuring Windows 2000

Acknowledgments

Author

Technical Editor

Contents

Why Not Active

Directory?

Solutions in this chapter:

Introduction

Why Use Windows 2000

without Active Directory?

Why Use Windows 2000?

The Acceptance of Windows

into the Corporate Workplace

The Acceptance of Microsoft

in the Corporate Workplace

The Emergence of Windows 2000

Windows 2000 Track Record

T

Windows 2000 Today

Why Not Use Active Directory?

Designing and Deploying Active Directory:

More Than a Technical Challenge

The Purpose of This Book

Substantiating Return on Investment (ROI)

Who Should Read This Book

IT Managers

Microsoft Certified Professionals and System Engineers

What This Book Will Cover

Chapter 2:Workstations

Chapter 3: Laptops

Chapter 4: File and Print Services

Chapter 5:Terminal Services

Chapter 6: Networking Services—

DNS, DHCP,WINS, and NLB

Chapter 7: Internet Services—

IIS5 and Certificate Services

Chapter 8: Secure Communication—IPSec

Chapter 9: Remote Access—

RAS,VPN, IAS, and CMAK

Chapter 10: Internet Connectivity—

ICS, NAT, and ISA Server

Appendix A:The Windows 2000

Microsoft Management Console

What This Book Won’t Cover