Wednesday, March 4, 2015

Windows Server 2008 - New Active Directory Features


New developments for Active Directory in Windows Server 2008 include a Read-only Domain Controller (RODC), fewer domain controller reboots, and separation of the domain administrator account from the local machine administrator account.
Windows Server 2008 Active Directory Topics

    The Five Active Directory Roles
    How to Install an Active Directory Role
    Read-only Domain Controller (RODC)
    Re-startable AD
    STS (Security Token Service)
    DC (Domain Controller) / Domain Admin Separation

The Five Active Directory Roles


While 'Role' is normally such an insignificant word, in Windows Server 2008 Microsoft has elevated 'Role' to the status of a keyword.  The most important association for the word 'Role' is that it invokes the correct installation wizard, which then installs all the necessary sub-components associated with that role.

1) AD DS - Active Directory, Directory Services.

This is the main Active Directory database for user and computer objects.  AD DS is a descendant of Active Directory in Windows 2000 --> 2003 --> 2008.  Remember the two sides of AD DS: the physical data store, and the logical structure of forest, domains, OUs and sites.

2) AD CS - Certificate Services (CS) specializes in managing digital certificates (PKI).  Security is the key; the idea is to protect data in scenarios such as S/MIME for email, SSL for websites, smartcard logon via VPN, and encrypting files (EFS).  Naturally, it integrates with AD DS above.

3) AD RMS - Rights Management Solution.  Can be used to protect documents sent in emails.  Users must first have an AD DS account.  Services using RMS must also be registered in Active Directory.

4) AD FS - Federation Services

Federation manages trust relationships between different organizations.  Also provides single sign on for web based applications, for example, online retailers.

5) AD LDS - Active Directory Lightweight Directory Services

This is like the ADAM (Active Directory Application Mode) service of Windows Server 2003.  Only use AD LDS for applications that cannot use the regular AD DS, for example where there are security worries, or you just need to test LDAP features.  Unlike the other roles, AD LDS is an alternative to the main Active Directory and not an extension.

Windows Server Catalog (Hardware Compatibility List)


Two minutes of checking your hardware against the WSC (Windows Server Catalog) will save you a lifetime of grief dealing with incompatibilities.  Because server hardware is relatively cheap, if you are installing Server 2008 on a production server, don't cobble something together.  It's just not worth risking nearly-incompatible kit; sooner or later the mismatched component will come back and bite you.

The best answer is treat yourself to new kit which is plastered with the Logo - 'Certified for Windows Server 2008 hardware'.  Don't accept imitations, even at knock down prices.

Worth a look: check out the free Microsoft Assessment and Planning Solution Accelerator.  What this utility does is assess your present hardware, then produces an Excel report on the fitness of your machines to run Windows Server 2008.

Windows Server 2008 Editions


The purpose of this page is to help you choose the best version of Microsoft Windows Server 2008 for your circumstances.

Quick Question:  Which version should I buy?
Quick Answer:  Windows Server 2008 Enterprise edition (64bit).

My point is that if you are unsure, make the Windows Server 2008 Enterprise edition your default choice.  Another way to make sense of Microsoft's many versions is to start with the Enterprise version, assess what it has to offer; then use that knowledge as a baseline to evaluate the other versions.

Note: for the purpose of this article, I will use the terms 'edition' and 'version' interchangeably.
Microsoft's Windows Server 2008 Versions

    Windows Server 2008 Standard
    Windows Server 2008 Enterprise Edition (Recommended)
    Windows Server 2008 Datacenter

Other considerations before you order a Windows Server 2008 edition are, firstly, do you want a 32bit version, or do you have 64bit hardware waiting to install your server?  Secondly, would you like to try the new Hyper-V technology?  Alternatively, do you need to save money and buy a version without Hyper-V?

One new feature shared by Server 2008 and Vista is that Microsoft supply just one DVD for all 64bit editions; consequently it's the Product Key that determines which edition you install.

There is a sister DVD for all 32bit versions.  Incidentally, Windows Server 2008 is the last Microsoft operating system to have a 32bit version.
Three Specialist Editions of Server 2008

    Web - Very restricted, dedicated for one specialist role
    HPC (High Performance Computing) - For clustering
    Itanium-based.  These CPUs execute more instructions per clock cycle than x64 processors.  Two minor points: Core Server is not available as an installation option for Itanium-based systems, and there is no storage manager for SANs.

Monday, February 23, 2015

Windows Server 2008 Overview


Windows Server 2008 is the operating system which will replace W2K3 (Server 2003).  My aim on this page is to give you a look and feel of this new server.  If you are more interested in an itemized list than an overview, then here are the new features.

Remember that Windows 2008 is a Microsoft server, thus you are going to recognise features from W2K3.  You may also see tiny bits of NT 3.5, NT 4.0 and Windows Server 2000.  You may also recall that when each of those old servers was new it had a front-end make-over; so it is with Windows Server 2008, it has the latest Vista GUI.

Although Windows Server 2008 reports to be Version 6.0 (Windows Server 2003 R2 is 5.2), the progression seems more like the evolution from W2K to W2K3, than the revolution from NT 4.0 to W2K.  In addition to the headline new features such as Hyper-V, what we get is lots of small changes, each is relatively insignificant in itself, but together these little improvements add up to make Windows Server 2008 an impressive product.

It is also true to say that 2008/9 is make or break time for Microsoft.  Either Windows Server and Vista will work together to fuel future networks, or else Microsoft will crash and burn.

Saturday, July 25, 2009

Network Address Translation

What Does NAT Do?
NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and to put her through.
The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches your name with your extension. The receptionist knows that you requested this call, and therefore forwards the caller to your extension.
Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways:
Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.
In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110.
Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.
Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.
In overloading, each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number assignment.
Overlapping - When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses as well as translate the "external" registered addresses to addresses that are unique to the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT.
The internal IP range (237.16.32.xx) is also a registered range used by another network. Therefore, the router is translating the addresses to avoid a potential conflict with another network. It will also translate the registered global IP addresses back to the unregistered local IP addresses when information is sent to the internal network.
The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, so it doesn't travel outside the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world.
If you are reading this article, you are most likely connected to the Internet and viewing it at the HowStuffWorks Web site. There's a very good chance that you are using Network Address Translation (NAT) right now.
The Internet has grown larger than anyone ever imagined it could be. Although the exact size is unknown, the current estimate is that there are about 100 million hosts and more than 350 million users actively on the Internet. That is more than the entire population of the United States! In fact, the rate of growth has been such that the Internet is effectively doubling in size each year.
So what does the size of the Internet have to do with NAT? Everything! For a computer to communicate with other computers and Web servers on the Internet, it must have an IP address. An IP address (IP stands for Internet Protocol) is a unique 32-bit number that identifies the location of your computer on a network. Basically, it works like your street address -- as a way to find out exactly where you are and deliver information to you.
When IP addressing first came out, everyone thought that there were plenty of addresses to cover any need. Theoretically, you could have 4,294,967,296 unique addresses (2^32). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses are separated into classes, and because some addresses are set aside for multicasting, testing or other special uses.
With the explosion of the Internet and the increase in home networks and business networks, the number of available IP addresses is simply not enough. The obvious solution is to redesign the address format to allow for more possible addresses. This is being developed (called IPv6), but will take several years to implement because it requires modification of the entire infrastructure of the Internet.
The NAT router translates traffic coming into and leaving the private network.
This is where NAT (RFC 1631) comes to the rescue. Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single, unique IP address is required to represent an entire group of computers.
But the shortage of IP addresses is only one reason to use NAT. In this edition of HowStuffWorks, you will learn more about how NAT can benefit you. But first, let's take a closer look at NAT and exactly what it can do...
NAT Configuration
NAT can be configured in various ways. In the example below, the NAT router is configured to translate unregistered (inside, local) IP addresses, that reside on the private (inside) network, to registered IP addresses. This happens whenever a device on the inside with an unregistered address needs to communicate with the public (outside) network.
An ISP assigns a range of IP addresses to your company. The assigned block of addresses are registered, unique IP addresses and are called inside global addresses. Unregistered, private IP addresses are split into two groups. One is a small group (outside local addresses) that will be used by the NAT routers. The other, much larger group, known as inside local addresses, will be used on the stub domain. The outside local addresses are used to translate the unique IP addresses, known as outside global addresses, of devices on the public network.
IP addresses have different designations based on whether they are on the private network (stub domain) or on the public network (Internet), and whether the traffic is incoming or outgoing.
Most computers on the stub domain communicate with each other using the inside local addresses.
Some computers on the stub domain communicate a lot outside the network. These computers have inside global addresses, which means that they do not require translation.
When a computer on the stub domain that has an inside local address wants to communicate outside the network, the packet goes to one of the NAT routers.
The NAT router checks the routing table to see if it has an entry for the destination address. If it does, the NAT router then translates the packet and creates an entry for it in the address translation table. If the destination address is not in the routing table, the packet is dropped.
Using an inside global address, the router sends the packet on to its destination.
A computer on the public network sends a packet to the private network. The source address on the packet is an outside global address. The destination address is an inside global address.
The NAT router looks at the address translation table and determines that the destination address is in there, mapped to a computer on the stub domain.
The NAT router translates the inside global address of the packet to the inside local address, and sends it to the destination computer.
NAT overloading utilizes a feature of the TCP/IP protocol stack, multiplexing, that allows a computer to maintain several concurrent connections with a remote computer (or computers) using different TCP or UDP ports. An IP packet has a header that contains the following information:
Source Address - The IP address of the originating computer, such as 201.3.83.132
Source Port - The TCP or UDP port number assigned by the originating computer for this packet, such as Port 1080
Destination Address - The IP address of the receiving computer, such as 145.51.18.223
Destination Port - The TCP or UDP port number that the originating computer is asking the receiving computer to open, such as Port 3021
The addresses specify the two machines at each end, while the port numbers ensure that the connection between the two computers has a unique identifier. The combination of these four numbers defines a single TCP/IP connection. Each port number uses 16 bits, which means that there are a possible 65,536 (2^16) values. Realistically, since different manufacturers map the ports in slightly different ways, you can expect to have about 4,000 ports available.
Dynamic NAT and Overloading
Here's how dynamic NAT works:
An internal network (stub domain) has been set up with IP addresses that were not specifically allocated to that company by IANA (Internet Assigned Numbers Authority), the global authority that hands out IP addresses. These addresses should be considered non-routable since they are not unique.
The company sets up a NAT-enabled router. The router has a range of unique IP addresses given to the company by IANA.
A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server.
The router receives the packet from the computer on the stub domain.
The router saves the computer's non-routable IP address to an address translation table. The router replaces the sending computer's non-routable IP address with the first available IP address out of the range of unique IP addresses. The translation table now has a mapping of the computer's non-routable IP address matched with one of the unique IP addresses.
When a packet comes back from the destination computer, the router checks the destination address on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address to the one saved in the address translation table and sends it to that computer. If it doesn't find a match in the table, it drops the packet.
The computer receives the packet from the router. The process repeats as long as the computer is communicating with the external system.
Here's how overloading works:
An internal network (stub domain) has been set up with non-routable IP addresses that were not specifically allocated to that company by IANA.
The company sets up a NAT-enabled router. The router has a unique IP address given to the company by IANA.
A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server.
The router receives the packet from the computer on the stub domain.
The router saves the computer's non-routable IP address and port number to an address translation table. The router replaces the sending computer's non-routable IP address with the router's IP address. The router replaces the sending computer's source port with the port number that matches where the router saved the sending computer's address information in the address translation table. The translation table now has a mapping of the computer's non-routable IP address and port number along with the router's IP address.
When a packet comes back from the destination computer, the router checks the destination port on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to. It changes the destination address and destination port to the ones saved in the address translation table and sends it to that computer.
The computer receives the packet from the router. The process repeats as long as the computer is communicating with the external system.
Since the NAT router now has the computer's source address and source port saved to the address translation table, it will continue to use that same port number for the duration of the connection. A timer is reset each time the router accesses an entry in the table. If the entry is not accessed again before the timer expires, the entry is removed from the table.
Stub Domains
Look at this table to see how the computers on a stub domain might appear to external networks.
Source Computer | Source Computer's IP Address | Source Computer's Port | NAT Router's IP Address | NAT Router's Assigned Port Number
A | 192.168.32.10 | 400  | 215.37.32.203 | 1
B | 192.168.32.13 | 50   | 215.37.32.203 | 2
C | 192.168.32.15 | 3750 | 215.37.32.203 | 3
D | 192.168.32.18 | 206  | 215.37.32.203 | 4
As you can see, the NAT router stores the IP address and port number of each computer in the address translation table. It then replaces the IP address with its own registered IP address and the port number corresponding to the location, in the table, of the entry for that packet's source computer. So any external network sees the NAT router's IP address and the port number assigned by the router as the source-computer information on each packet.
You can still have some computers on the stub domain that use dedicated IP addresses. You can create an access list of IP addresses that tells the router which computers on the network require NAT. All other IP addresses will pass through untranslated.
The number of simultaneous translations that a router will support is determined mainly by the amount of DRAM (Dynamic Random Access Memory) it has. But since a typical entry in the address-translation table only takes about 160 bytes, a router with 4 MB of DRAM could theoretically process 26,214 simultaneous translations, which is more than enough for most applications.
IANA has set aside specific ranges of IP addresses for use as non-routable, internal network addresses. These addresses are considered unregistered (for more information check out RFC 1918: Address Allocation for Private Internets, which defines these address ranges). No company or agency can claim ownership of unregistered addresses or use them on public computers. Routers are designed to discard (instead of forward) unregistered addresses. What this means is that a packet from a computer with an unregistered address could reach a registered destination computer, but the reply would be discarded by the first router it came to.
There is a range for each of the three classes of IP addresses used for networking:
Range 1: Class A - 10.0.0.0 through 10.255.255.255
Range 2: Class B - 172.16.0.0 through 172.31.255.255
Range 3: Class C - 192.168.0.0 through 192.168.255.255
Although each range is in a different class, you are not required to use any particular range for your internal network. It is a good practice, though, because it greatly diminishes the chance of an IP address conflict.

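The overloading (PAT) walk-through, the stub-domain table and the RFC 1918 ranges above can be tied together in a small simulation. This is an added example, not code from the original article or from any router vendor: a router with one registered address hands out table-ordered ports to inside-local flows, reverses the mapping for replies, drops replies that nothing inside initiated, expires idle entries, and passes non-RFC 1918 (inside global) sources through untranslated. The host and address values are the page's own; `PatRouter`, `Packet` and the 60-second timeout are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 ranges the page lists (Class A, B and C private blocks).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr is an unregistered (RFC 1918) address that needs translation."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass
class Packet:
    """The four header fields the page says identify one TCP/IP connection."""
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    """NAT overloading (PAT): one registered address, one router port per flow.
    Assumed class for this example; timeout value is also an assumption."""

    def __init__(self, public_ip, idle_timeout=60):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout  # seconds before an unused entry is dropped
        self.table = {}     # router port -> (inside local IP, inside port, last seen)
        self.reverse = {}   # (inside local IP, inside port) -> router port
        self.next_port = 1  # ports handed out in table order, as in the stub-domain table

    def outbound(self, pkt, now):
        """Translate a packet leaving the stub domain; returns the rewritten packet."""
        if not is_private(pkt.src):
            return pkt  # inside global address: passes through untranslated
        key = (pkt.src, pkt.sport)
        port = self.reverse.get(key)
        if port is None:  # first packet of this flow: create a new entry
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
        self.table[port] = (pkt.src, pkt.sport, now)  # (re)arm the idle timer
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt, now):
        """Reverse the translation for a reply; returns None when the packet is dropped."""
        self.expire(now)
        if pkt.dst != self.public_ip or pkt.dport not in self.table:
            return None  # nobody inside initiated this connection: drop it
        inside_ip, inside_port, _ = self.table[pkt.dport]
        self.table[pkt.dport] = (inside_ip, inside_port, now)
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)

    def expire(self, now):
        """Remove entries whose timer has run out since they were last accessed."""
        for port, (ip, p, last) in list(self.table.items()):
            if now - last > self.idle_timeout:
                del self.table[port]
                del self.reverse[(ip, p)]


def stub_domain_table():
    """Rebuild the page's stub-domain table: four hosts behind 215.37.32.203.
    The destination 145.51.18.223:80 is the page's sample address, reused here."""
    router = PatRouter("215.37.32.203")
    hosts = [("A", "192.168.32.10", 400), ("B", "192.168.32.13", 50),
             ("C", "192.168.32.15", 3750), ("D", "192.168.32.18", 206)]
    rows = []
    for name, ip, port in hosts:
        out = router.outbound(Packet(ip, port, "145.51.18.223", 80), now=0)
        rows.append((name, ip, port, out.src, out.sport))
    return rows


if __name__ == "__main__":
    for row in stub_domain_table():
        print("%s  %-14s %5d  ->  %s:%d" % row)
```

Running the file prints the same five columns as the table above; an inbound packet for a router port with no entry, or whose entry has sat idle past the timeout, is returned as None (dropped).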
Security and Administration
Implementing dynamic NAT automatically creates a firewall between your internal network and outside networks, or between your internal network and the Internet. NAT only allows connections that originate inside the stub domain. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. You can browse the Internet and connect to a site, and even download a file; but somebody else cannot latch onto your IP address and use it to connect to a port on your computer.
In specific circumstances, Static NAT, also called inbound mapping, allows external devices to initiate connections to computers on the stub domain. For instance, if you wish to go from an inside global address to a specific inside local address that is assigned to your Web server, Static NAT would enable the connection.
Static NAT (inbound mapping) allows a computer on the stub domain to maintain a specific address when communicating with devices outside the network.
Some NAT routers provide for extensive filtering and traffic logging. Filtering allows your company to control what type of sites employees visit on the Web, preventing them from viewing questionable material. You can use traffic logging to create a log file of what sites are visited and generate various reports from it.
NAT is sometimes confused with proxy servers, but there are definite differences between them. NAT is transparent to the source and to destination computers. Neither one realizes that it is dealing with a third device. But a proxy server is not transparent. The source computer knows that it is making a request to the proxy server and must be configured to do so. The destination computer thinks that the proxy server IS the source computer, and deals with it directly. Also, proxy servers usually work at layer 4 (transport) of the OSI Reference Model or higher, while NAT is a layer 3 (network) protocol. Working at a higher layer makes proxy servers slower than NAT devices in most cases.
NAT operates at the Network layer (layer 3) of the OSI Reference Model -- this is the layer that routers work at.
A real benefit of NAT is apparent in network administration . For example, you can move your Web server or FTP server to another host computer without having to worry about broken links. Simply change the inbound mapping at the router to reflect the new host. You can also make changes to your internal network easily, because the only external IP address either belongs to the router or comes from a pool of global addresses.
NAT and DHCP (Dynamic Host Configuration Protocol) are a natural fit. You can choose a range of unregistered IP addresses for your stub domain and have the DHCP server dole them out as necessary. It also makes it much easier to scale up your network as your needs grow. You don't have to request more IP addresses from IANA. Instead, you can just increase the range of available IP addresses configured in DHCP to immediately have room for additional computers on your network.
Multi-homing
As businesses rely more and more on the Internet, having multiple points of connection to the Internet is fast becoming an integral part of their network strategy. Multiple connections, known as multi-homing, reduce the chance of a potentially catastrophic shutdown if one of the connections should fail.
In addition to maintaining a reliable connection, multi-homing allows a company to perform load-balancing by lowering the number of computers connecting to the Internet through any single connection. Distributing the load through multiple connections optimizes the performance and can significantly decrease wait times.
Multi-homed networks are often connected to several different ISPs (Internet Service Providers). Each ISP assigns an IP address (or range of IP addresses) to the company. Routers use BGP (Border Gateway Protocol), a part of the TCP/IP protocol suite, to route between networks using different protocols. In a multi-homed network, the router utilizes IBGP (Internal Border Gateway Protocol) on the stub domain side, and EBGP (External Border Gateway Protocol) to communicate with other routers.
Multi-homing really makes a difference if one of the connections to an ISP fails. As soon as the router assigned to connect to that ISP determines that the connection is down, it will reroute all data through one of the other routers.
NAT can be used to facilitate scalable routing for multi-homed, multi-provider connectivity.

Internet Sharing

ICS (Internet Connection Service)

ICS is a built-in feature for sharing an Internet connection across a network. It is used on small networks. It is available from Win 98 SE onwards, i.e. in Win 98 SE, Win Me, Win XP and Win 2k.

To make ICS

Select the connection and open its Properties.
Go to the Sharing tab; this option appears only for a LAN connection.
Click on 'Enable ICS for this connection'.
If we want to dial through another computer on the LAN, then we click on 'Enable on-demand dialing'. This option is enabled only after enabling ICS.
NOTE: - When we set up ICS, the IP address of the server changes to 192.168.0.1 automatically.

Software Proxy

A software proxy is third-party software. It is also used for internet sharing, but on a big network. There are many software proxies, such as Win proxy, Spool proxy, MS-proxy, Browser-gate, Ezasy Proxy, Netscape Proxy, Win gate etc. Among all of these, we normally use Win proxy. There are five versions of Win proxy: 1, 2, 3, 4 and 5.

Features of Win Proxy

1. In-built DHCP server (from version 3 onwards)
2. In-built Anti-virus (from version 3 onwards)
3. Automatic Anti-virus update
4. Viewing active connections
5. IP address restriction
6. Web site restriction
7. Site termination (from version 3 onwards)
8. Multiple protocol support
9. Logging
10. In-built SOCKS 4 and SOCKS 5
Yahoo Messenger uses the HTTP proxy, but mIRC and MSN Messenger use SOCKS to communicate.

To install/remove Win proxy trial version

We can download a 30-day trial version of Win proxy from the www.winproxy.com site. After 30 days we need to reinstall it. To reinstall the Win proxy trial version, we need to format the HD. There are other options to remove Win proxy:
1. Change the time of computer
2. Backup the registry
3. Delete Win proxy entries from registry (win proxy & ositis)

To install Win proxy

1. First run the Setup of Win proxy from the CD-ROM to install.
2. In the welcome wizard click Next.
3. In the license agreement screen click Yes to agree.
4. Enter the destination path to install Win proxy on the HD; either select the default or browse to another.
5. In the setup type wizard select one of Typical, Compact and Custom.
6. In the Select Program Folder option, give any name to the program.
7. In Start copying files, it shows the current settings, and on pressing Next it copies the files from the CD-ROM to the HD.

To configure Win proxy

1. In the Win proxy registration dialog box, enter the serial no., name and e-mail ID.
2. Now it asks whether to register; click Yes.
3. In Rebuilding cache Database, files retrieved earlier are served from the cache.
4. In this wizard, it tells us about the IP address of the computer on the network/Internet.
5. In the setup wizard: Internet protocol, check the protocols which we want to enable.
6. In Proxy port, we give the CERN Proxy Port. We can give any no. up to 80. All the clients also configure the same port no. in Internet Connection Properties to access the Internet. A port no. is like a Pin Code. Port nos. 16, 20, 80 are used for HTTP, 21 for FTP, 23 for Telnet.
7. In the Internet News wizard, we enter the Internet News server.
8. In the Mail server wizard, we enter the Internet Mail server.
9. In the Socks wizard, select DO if we want to enable Socks 4 and Socks 5 for communication. Here we can also enter the address of the DNS server.
10. In the Dial up network wizard, we select either Use Dial up networking or not using dial up networking. If we are using Dial up networking then we need to give the phone no., user name and password to dial.
11. If we are using two proxy servers then we enable Cascading. This allows users to access the Internet through two proxy servers. We also give the cascading Proxy Port and Proxy IP address.
12. In the Administrator & security option, we give the password to run and remove the proxy.
13. There is also a port for Logging, which defaults to 8000. Logging allows us to monitor all traffic over the network.
14. In the Connection view wizard, we select DO if we want to view active connections, otherwise do NOT.
15. On clicking Finish, it asks whether to view the suggested client configuration. If we press Yes, it shows all the configuration in a Notepad file.

Hardware proxy

It is a hardware device, which uses dedicated hardware. It also uses a dedicated IP address given by the manufacturer. No driver is required for a H/w proxy.

There are two models of hardware proxy, which are launched by D-Link:
(i) DP-601 (ii) DP-602

DP-601: - It is a H/w proxy which has an in-built modem. It is cheaper than the other. It is slower. We cannot attach any extra external modem to this type of proxy. If there is a problem in the server then both the server and the modem are damaged.

DP-602: - It is a H/w proxy which has a COM port to attach an external modem. We can use two modems when there are more users; then we need two phone lines also. These two modems also provide load balancing.
To configure H/w proxy
1. Telnet
2. Software install in one PC.
3. Web browser (easy & common)
4. We can configure it by GUI by entering the IP address at Internet Explorer.

Active Directory & Remote Installation Service

ADS (Active Directory Service)

A server with ADS installed is also called a Domain Controller. In domain-based networking, we use centralized user accounts and a database on the domain controller (DC). It is also called the PDC (Primary Domain Controller). To move a Win 2k server from a workgroup into a domain, we need to install ADS.
NOTE: - We cannot change the name of the computer after installing ADS.

Requirement for ADS server

1. Win 2k server
2. TCP/IP protocol
3. DNS
4. Static IP address
5. Win 2k CD-ROM
6. NTFS partition

Installation of ADS server

1. To install ADS there are two options.
(i) Open 'Configure your server', select Active Directory and click Start.
(ii) Run the dcpromo command from RUN.
2. Click Next in the welcome wizard.
3. In the Domain Controller Type wizard, select 'Domain controller for a new domain' to create a new child domain, a new domain tree, or a new forest. To add a DC to a domain that already exists, select 'Additional domain controller for an existing domain'.
4. In the Create Tree or Child Domain wizard, we create a new tree by selecting 'Create a new domain tree', or a child under an existing tree by selecting 'Create a new child domain in an existing domain tree'.
5. In the Create or Join Forest wizard, we either create a new forest of domain trees or place the new domain tree in an existing forest.
6. In the New Domain Name wizard, we give the full DNS name of the domain (for example a name with a registered top-level label such as .com or .local); a single-label name is not recommended.
7. Now we give the NetBIOS domain name (at most 15 characters). Users of earlier versions of Windows use this name to identify the new domain.
8. In this wizard we give the database and log locations. The partition must be NTFS.
9. In the Shared System Volume wizard, we give the path of the folder that stores the server's copy of the domain's public files (logon scripts and Group Policy). The folder name must be sysvol and it must be on an NTFS volume.
10. In the Configure DNS wizard, we select Yes to let the wizard install and configure DNS, or No to install and configure DNS ourselves.
11. Next the Permissions wizard opens. If pre-Windows 2000 servers (NT 4 RAS servers, for example) must read user and group information from this domain, select 'Permissions compatible with pre-Windows 2000 servers'; this adds Everyone to the Pre-Windows 2000 Compatible Access group and so allows anonymous enumeration of users and groups. If only Win 2000 systems are in use, select 'Permissions compatible only with Windows 2000 servers', which is the safer choice.
12. In this wizard we give the password for starting the computer in Directory Services Restore Mode. This password gives offline access to the whole directory database, so it must be as strong as the domain administrator's password and stored securely.
13. Now it shows the summary of the ADS settings.
14. When we click Next, the system starts configuring Active Directory.
15. After configuration, we click Finish and restart to complete the ADS installation.
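The same 15 wizard steps can be answered from a file, which is how the promotion is scripted on several servers and how the two security-relevant choices (anonymous access, DSRM password) are made explicit. The script below is an added example, not code from the page: it assumes a constructed forest root domain corp.example.com with NetBIOS name CORP and an NTFS volume D:, and the [DCInstall] keys follow the Windows 2000 dcpromo answer-file format, which you should check against the unattend reference for the build you are promoting.

```powershell
# Added example (not from the page): unattended equivalent of the dcpromo wizard above.
# Assumptions (constructed, replace for your environment): new forest corp.example.com,
# NetBIOS name CORP, database/log/SYSVOL on the NTFS volume D:.
# The [DCInstall] keys are those of the Windows 2000 dcpromo answer-file format;
# verify them against the unattend reference for the exact build being promoted.
$answerFile = "C:\dcinstall.txt"

# Step 12: the DSRM password. dcpromo needs it in clear text in the file, so keep it
# as a SecureString until the file is written and zero the unmanaged copy immediately.
$dsrm  = Read-Host -AsSecureString "Directory Services Restore Mode password"
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

@"
[DCInstall]
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=corp.example.com
DomainNetbiosName=CORP
DatabasePath=D:\NTDS
LogPath=D:\NTDS
SYSVOLPath=D:\SYSVOL
AutoConfigDNS=Yes
AllowAnonymousAccess=No
SafeModeAdminPassword=$plain
RebootOnSuccess=No
"@ | Set-Content -Path $answerFile -Encoding ASCII
$plain = $null

# The file now holds a clear-text password: drop inherited ACEs and leave only Administrators.
$acl = Get-Acl -Path $answerFile
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "BUILTIN\Administrators", "FullControl", "Allow")))
Set-Acl -Path $answerFile -AclObject $acl

# Steps 3-12 are answered from the file; the summary (step 13) is not shown.
$proc = Start-Process -FilePath "dcpromo.exe" -ArgumentList "/answer:$answerFile" -Wait -PassThru
Remove-Item -Path $answerFile -Force   # never leave the DSRM password on disk, whatever the outcome
if ($proc.ExitCode -ne 0) {
    throw "dcpromo returned exit code $($proc.ExitCode); see $env:SystemRoot\debug\dcpromo.log"
}
Restart-Computer   # step 15
```

AllowAnonymousAccess=No corresponds to 'Permissions compatible only with Windows 2000 servers' (step 11); set it to Yes only if a pre-Windows 2000 server genuinely has to read the directory. Whatever the exit code, %SystemRoot%\debug\dcpromo.log is the authoritative record of what the promotion did.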

To connect with the domain server

1. Open the TCP/IP properties and enter the IP address of the domain server as the preferred DNS server. The client locates the domain through DNS SRV records, so it must be able to query the DNS that holds the domain's zone.
2. Open the properties of My Computer.
3. Select the 'Network identification' tab and click Properties.
4. Select Domain, enter the domain name, and when prompted give the user name and password of a domain account that is allowed to add computers to the domain (by default any authenticated domain user may join up to 10 computers; the domain administrator account is not required).
5. Restart the system.
NOTE: The date and time of all the systems must match the domain controller's: Kerberos rejects authentication when the clocks differ by more than 5 minutes (the default tolerance).
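The same join, done from an elevated PowerShell prompt with the DNS and clock prerequisites checked first rather than discovered after a failed join. This is an added example, not code from the page; the domain corp.example.com, the DC/DNS address 192.168.10.5, the connection name and the join account are constructed values.

```powershell
# Added example (not from the page): domain join with the two prerequisites made checkable.
# Assumptions (constructed): domain corp.example.com, DC running DNS at 192.168.10.5,
# NIC named "Local Area Connection", join account CORP\joinaccount.
$dnsServer = "192.168.10.5"
$domain    = "corp.example.com"

# Step 1: point the client at the DC for DNS, then prove the domain can be located.
# Clients find domain controllers through the SRV record below, not through the DC's IP.
netsh interface ip set dns name="Local Area Connection" source=static addr=$dnsServer
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" $dnsServer

# The NOTE above, made checkable: Kerberos tolerates 5 minutes of clock skew by default.
# The stripchart prints the offset between this machine and the DC; fix the time source
# (or the time zone) before joining if the offset is anywhere near that limit.
w32tm /stripchart /computer:$dnsServer /samples:3 /dataonly

# Steps 3-4: join with an account allowed to create computer objects. By default any
# authenticated domain user may join up to 10 machines (ms-DS-MachineAccountQuota);
# delegate the right to a dedicated join account rather than typing the domain
# administrator's password on every workstation.
$cred = Get-Credential -Credential "CORP\joinaccount"
Add-Computer -DomainName $domain -Credential $cred

# Step 5
Restart-Computer
```

If nslookup returns no SRV record, the client is pointing at a DNS server that does not host (or forward to) the domain's zone, and the join will fail with "domain could not be contacted" no matter which credentials are used.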

To create user accounts on the domain

1. Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.
2. To create an organizational unit, right-click the domain (or a parent OU) and select New -> Organizational Unit from the pop-up menu.
3. To create a new user account, right-click the OU and select New -> User from the pop-up menu.
4. To move a user or computer, right-click it, select Move from the pop-up menu, and then choose the target OU (Organizational Unit).

To make restrictions

1. To restrict when a user may log on, open the user account's Properties, Account tab, and click 'Logon Hours'. Select the days and hours and mark them 'Logon Denied'. The restriction is checked at logon; an existing session is not cut off when the hours expire unless the policy 'Network security: Force logoff when logon hours expire' is also enabled.
2. To restrict a user to particular computers, click 'Log On To' on the same Account tab and add the computers the user may log on to. All other computers are then refused.
3. To make an account expire at a particular date, set 'Account expires' on the Account tab to 'End of' and choose the date. From midnight at the end of that day the user can no longer log on.
4. To disable a user or computer, right-click it and select Disable Account from the pop-up menu.
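The four restrictions and the OU/user/move steps above can also be applied with the ActiveDirectory PowerShell module, which makes the logon-hours setting visible as the raw attribute it really is. The script below is an added example, not code from the page; it assumes the module (Windows Server 2008 R2 RSAT or later), a constructed domain corp.example.com with OUs Sales and Contractors, a constructed user averma, and constructed workstation names. The logonHours bit layout is the documented one (21 bytes, one bit per hour of the week starting Sunday 00:00 UTC, low-order bit first within each byte); confirm the result against the Logon Hours dialog on your own console once before relying on it.

```powershell
# Added example (not from the page): OU, user, move and the four restrictions via the
# ActiveDirectory module. Assumptions (constructed): domain corp.example.com, OUs Sales and
# Contractors, user averma, workstations SALES-PC01 and SALES-PC02.
Import-Module ActiveDirectory
$domainDN = "DC=corp,DC=example,DC=com"

# Step 2: organizational units
New-ADOrganizationalUnit -Name "Sales"       -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Contractors" -Path $domainDN -ProtectedFromAccidentalDeletion $true

# Step 3: user, enabled, forced to change the initial password at first logon
New-ADUser -Name "Asha Verma" -SamAccountName "averma" -UserPrincipalName "averma@corp.example.com" `
    -Path "OU=Sales,$domainDN" -AccountPassword (Read-Host -AsSecureString "Initial password") `
    -Enabled $true -ChangePasswordAtLogon $true

# Restriction 1: logon hours. logonHours is 21 bytes = 168 bits, one per hour of the week
# starting Sunday 00:00 UTC; within each byte the low-order bit is the earliest hour.
# ADUC displays it converted to the console's local time, so build it in UTC.
function New-LogonHoursMask {
    param(
        [int[]]$Days,        # 0 = Sunday .. 6 = Saturday
        [int]$StartHourUtc,  # inclusive, 0-23
        [int]$EndHourUtc     # exclusive, 1-24
    )
    $mask = New-Object byte[] 21      # all zero = logon denied at every hour
    foreach ($day in $Days) {
        for ($hour = $StartHourUtc; $hour -lt $EndHourUtc; $hour++) {
            $bit   = $day * 24 + $hour                  # 0..167
            $index = [int][math]::Floor($bit / 8)       # Floor, not [int](): [int] rounds
            $mask[$index] = [byte]($mask[$index] -bor [int][math]::Pow(2, $bit % 8))
        }
    }
    return ,$mask   # leading comma stops the pipeline from unrolling the byte[]
}
# Monday to Friday, 08:00-17:00 UTC; everything else is denied
$mask = New-LogonHoursMask -Days 1,2,3,4,5 -StartHourUtc 8 -EndHourUtc 17
Set-ADUser -Identity averma -Replace @{ logonHours = $mask }

# Restriction 2: "Log On To" (userWorkstations, a comma-separated list of NetBIOS names)
Set-ADUser -Identity averma -LogonWorkstations "SALES-PC01,SALES-PC02"

# Restriction 3: "Account expires, End of 31 Dec 2015" means midnight at the start of 1 Jan
Set-ADAccountExpiration -Identity averma -DateTime (Get-Date "2016-01-01 00:00")

# Restriction 4 and step 4: disable, then move to another OU
Disable-ADAccount -Identity averma
Get-ADUser -Identity averma | Move-ADObject -TargetPath "OU=Contractors,$domainDN"

# Read back what was actually written
Get-ADUser -Identity averma -Properties logonHours, userWorkstations, AccountExpirationDate |
    Format-List Name, Enabled, AccountExpirationDate, userWorkstations, DistinguishedName
```

Two details worth knowing from the attribute view: logon hours only gate the logon itself (see the note on 'Force logoff when logon hours expire' above), and the workstation list is matched on NetBIOS computer names, so renaming a PC silently removes it from the allowed set.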

RIS (Remote Installation Service)

RIS is used to install the OS on a client that has no CD-ROM drive. The RIS server holds an installation image and the client installs it over the network. Windows 2000 RIS can install only Win 2k Professional. RIS deletes all partitions of the client computer before installing.

Requirements for a RIS server

1. Win 2k Server
2. ADS (Active Directory Service)
3. An NTFS partition, other than the system and boot partition, to hold the Win 2k image
4. DHCP server (authorized in Active Directory)
5. TCP/IP protocol
6. DNS server
7. RIS (installed and configured)
8. Win 2k Professional CD-ROM
9. A PXE boot ROM on the NIC, or a RIS boot floppy
To create the floppy we use the rbfg.exe (Remote Boot Floppy Generator) command. The floppy only supports certain PCI network adapters, from manufacturers such as Intel (PRO series), AMD, IBM, Compaq and 3Com; rbfg.exe lists the adapters it supports.

Installation of RIS

1. RIS needs DHCP and DNS, so first we install DHCP and DNS.
2. When creating the DHCP scope, we define the DNS domain name and the DNS server address in the scope options.
3. Authorize the DHCP server in Active Directory (an unauthorized Win 2k DHCP server will not hand out addresses).
4. Select Add/Remove Windows Components from Add/Remove Programs in Control Panel.
5. Check Remote Installation Services.
6. When we press Next, it configures the components. Insert the Win 2k CD-ROM when prompted.
7. We complete the installation by clicking Finish and then restart the system.

Configure RIS (setup wizard)

1. To start the RIS setup wizard, run the risetup command from RUN.
2. Click Next on the welcome screen.
3. In the Remote Installation Folder Location wizard, enter the location for the installation folder. The partition must be formatted with NTFS and must not be the system partition.
4. In the Initial Settings wizard, check 'Respond to client computers requesting service' if this RIS server should answer PXE requests. Leave 'Do not respond to unknown client computers' checked unless every machine on the segment may be imaged: PXE boot is unauthenticated, so an answering RIS server that accepts unknown clients will offer an OS install (and wipe the disk) to any machine that network-boots. Both settings can also be changed later on the server's Remote Install tab.
5. In the Installation Source Files Location wizard, we specify the location of the Win 2k Professional source files that the wizard copies to create the default RIS image.
6. In the Windows Installation Image Folder Name wizard, give the name of the folder that will contain the RIS image. By default the folder name is win2000.pro.
7. In the Friendly Description and Help Text screen, enter a description and help text for the RIS image; this is what the client sees in the OS Chooser menu.
8. Now it displays the summary of all the settings. Click Finish.
9. The Remote Installation Services Setup wizard then runs: the RIS server copies the files, creates the remote installation folder, creates the Windows 2000 Professional image and sets up the RIS services. This takes several minutes. When the process completes, click Done.


Installation of Win 2k Pro on a client through a PXE NIC by RIS

1. To install the OS on a new system, boot the system from the PXE NIC (or the RIS boot floppy).
2. The PXE client requests an address from DHCP, obtains an IP address and the RIS server's boot file, and then prompts to press F12 for network service boot.
3. The Client Installation Wizard welcome screen is displayed; click Next.
4. Give the user name, password and domain name for the RIS server's domain. This account is used to create the client's computer account in Active Directory, so it needs the right to add workstations.
5. A warning states that all data on the client computer's hard disk will be deleted; confirm to continue.
6. Now it shows the installation settings (computer name and GUID).
7. Installation of Win 2k Professional starts.