Setup stages

1. Setup Program (text mode)- preps hard drive for following stages of install and copies files needed for running Setup Wizard. Requires reboot. (Clean installations only.)
2. Setup Wizard (graphical mode) - prompts for additional info such as product key, names, passwords, regional settings, etc.
3. Install Windows Networking - detects adapter cards, installs networking components (Client for MS Networks, File & Printer Sharing for MS Networks), and installs TCP/IP protocol by default (other protocols can be installed later). Choose to join a workgroup or domain at this point (must be connected to network and provide credentials to join a domain). After all choices are made, components are configured, additional files are copied, and the system is rebooted.
4. Post installation – create user accounts and activate retail versions of Windows XP (customers using the Corporate Edition do not need to activate their product). This stage is sometimes referred to as the “Out of Box Experience” (OOBE).

Installing from CD-ROM

Installing over a Network

Modifying Setup using Winnt.exe

Modifying Setup using winnt32.exe

Unattended installations

Working with Answer Files

Creating Uniqueness Database Files (UDF)

Answer Files are only useful for installing one machine at a time. If you’re installing 50 machines in one go and you want each one to have a unique identity on the network, you will have to create fifty separate Answer Files – that’s a lot of work.

Instead of creating a separate Answer File for each installation, an easier way to go about things it to create a Uniqueness Database File (UDF). The UDF file is used in conjunction with the Answer File and can provide multiple answers for installations done from a single Answer File.

UDFs provide keys and values for each machine that are used to replace corresponding keys and values in an Answer File. When you start the unattended installation you will provide an ID for the machine being installed so that Setup knows which section of the Uniqueness Database File to use.

The Setup Manager Wizard creates a UDF automatically whenever you enter more than one computer name, as shown below in Figure 2.

Figure 2 – Entering multiple Computer Names into the Setup Manager Wizard

If your browser doesn't support inline frames click HERE
to view the full-sized graphic

Here is the Uniqueness Database File that the Setup Manager Wizard created using the input shown above:

;SetupMgrTag
[UniqueIds]
CRAMCLIENT001=UserData
CRAMCLIENT002=UserData
CRAMCLIENT003=UserData
CRAMCLIENT004=UserData
CRAMCLIENT005=UserData

[CRAMCLIENT001:UserData]
ComputerName=CRAMCLIENT001

[CRAMCLIENT002:UserData]
ComputerName=CRAMCLIENT002

[CRAMCLIENT003:UserData]
ComputerName=CRAMCLIENT003

[CRAMCLIENT004:UserData]
ComputerName=CRAMCLIENT004

[CRAMCLIENT005:UserData]
ComputerName=CRAMCLIENT005

You will need to specify the ID of the system being installed as well as the location of the UDF file in the form of a switch when performing an unattended installation. Here is an example of what an installation from a command line would look like:

winnt /s:\\CORPSVR5\I386 /u:\\CORPSVR5\ANSWR\unattend.txt /udf:CRAMCLIENT001,\\CORPSVR5\ANSWR\udf.udb

How UDF files are processed

The keys and values specified in a Uniqueness Database File will always override a corresponding section in an Answer File. The Answer File may override a key that is not specified or assigned in the UDF resulting in the user performing the installation being prompted for input. The scenarios and their results are shown in the table below:

If the UDF is specified on the command line with winnt or winnt32 it can be given any name. However, if you specify the ID of the computer on the command line but fail to specify the name of a UDF file, you will need to supply the UDF on a 3.5-inch floppy disk using a specific name. The file must be named $Unique$.udf or setup will not be able to locate it and the user is prompted for it.

Deploying WinXP by using Remote Installation Services (RIS)

Overview:

Remote Installation Services (RIS) is used to lower the Total Cost of Ownership (TCO) of Windows by simplifying the process of installing new client workstations. You can install Windows 2000 Professional and Windows XP Professional clients using RIS.

It’s also possible to deploy both Windows 2000 Server (CD-based images only – KB# Q214794) and Windows XP Home edition using RIS (CD-based and RIPrep images – KB# Q305308), but Microsoft does not support or recommend doing either.

RIS Server requirements:

Steps for setting up RIS Server:

Creating a RIPrep Image

RIS Client requirements: (KB# Q228908)

Comparing RIPrep images with CD-based images

Troubleshooting Remote Installations

Miscellaneous:

System preparation tool (SYSPREP.EXE): (KB# Q302577)

Sysprep switches

Upgrade paths

Upgrade types

Uninstalling Windows XP

Dynamic Update

Dual-booting Windows XP with other Operating Systems

MS-DOS, Windows 3.x, and Windows 95/98/ME

File and Settings Transfer Wizard (FAST)

This is a GUI tool that allows a user upgrading their system to migrate their files and settings over to Windows XP. It is intended for situations where a single computer is being upgraded or the computer’s owner is performing the upgrade.

Because this tool only exists on systems running Windows XP you will need to run it from the XP product CD, use a direct cable connection between systems, or create a Wizard disk on a 3.5-inch floppy disk.

You can choose to copy the files being transferred to either large removable media or a shared network location.

To run the Wizard from the XP product CD run fastwiz.exe from the \SUPPORT\TOOLS directory.

To run the Wizard from a newly created Wizard disk, click Start > Run and then type a:\fastwiz.exe.

The user can now select the files and settings they wish to transfer using the wizard and move them to the shared network location or to the removable media.

User State Migration Tool (USMT)

This is a command line tool that is used to help administrators migrate settings from systems running Windows 95, Windows 98, and Windows ME over to Windows XP. This tool is not used with Windows 2000. This works with the most popular Microsoft software applications by default but can be customized to work with other applications. USMT can be scripted and is used for mass deployments.

File types transferred by default

Scanning the source computer

1. Log on as migrating user.
2. Map a drive to USMT folder on server.
3. From a command prompt, go to USMT/Scan folder on server.
4. Run scanstate.exe using this command line:
   scanstate /i .\migapp.inf /i .\migfiles.inf /i .\sysfiles.inf \\servername\MigStore
5. Once the program has finished running move to the destination computer.

Migrating files to destination computer

1. Log on as Admin, not migrating user.
2. Make sure migrating user does not have an account on destination computer.
3. Map drive to USMT folder on server.
4. From command prompt go to USMT/Load folder.
5. Run loadstate.ext using this command line:
   loadstate /i .\miguser.inf \\servername\MigStore
6. When program finishes, logon as migrating user to verify successful migration. Classic Windows shell should appear, as it is part of migration.

Product Activation

To reduce the amount of software piracy it has to cope with, especially “casual copying” amongst home users, Microsoft has introduced Product Activation. Product Activation essentially ties your Windows software to specific computer hardware, preventing you from installing the same copy of Windows on multiple computers. After installing Windows XP, you have 30 days in which to activate your product with Microsoft. This can be done over the Internet or via a phone call.

Once your copy of Windows is activated you won’t have to worry about this feature again unless you have a habit of changing your hardware around frequently. Windows XP puts special weight on your computer’s network adapter. If you don’t change your NIC, you can change up to five items without having to re-activate. If your computer doesn’t have a NIC, or you change your NIC, you’re allowed up to three hardware changes before you have to re-activate your operating system.

If you suffer a catastrophe and have to re-install Windows XP from scratch, you won’t have a problem with Product Activation unless you’ve changed your hardware around a bit. Then you’ll be informed that your copy of Windows is already registered to another system and will have to phone up Microsoft and beg and plead a bit. Microsoft allows up to four activations a year for people who like to tinker with their systems. After that, who knows?

This is obviously an annoying feature to cope with, especially in large corporate environments where deployments are done on a large scale. Microsoft offers volume licensing for large corporations. Those corporations participating in this Volume Licensing Plan can obtain a Corporate Edition of Windows XP Professional that only requires a valid product key, but not Product Activation.

You can activate your copy of Windows XP Professional at the Windows Welcome Screen, by choosing Start > Activate Windows, or by typing oobe/msoobe /a at a command prompt.

Product activation uses TCP/IP ports 80 (HTTP) and 443 (HTTPS).

Troubleshooting failed installations

Common errors

Log files created during Setup

Implementing and Conducting Administration of Resources

NTFS file and folder permissions: (KB#S Q183090, Q244600)

File attributes when copying/moving within a partition or between partitions:

Miscellaneous:

Windows XP supports both Basic and Dynamic storage. In basic storage you divide a hard disk into partitions. Windows XP recognizes primary and extended partitions. A disk initialized for basic storage is called a Basic disk. It can contain primary partitions, extended partitions and logical drives. Basic volumes cannot be created on dynamic disks. Basic volumes should be used when dual-booting between Windows XP and DOS, Windows 3.x, Windows 95/98 and all version of Windows NT. (KB# Q175761)

Dynamic storage (Windows 2000 and Windows XP only) allows you to create a single partition that includes the entire hard disk. A disk initialized for dynamic storage is called a Dynamic disk. Dynamic disks are divided into volumes that can include portions of one, or many, disks. These can be resized without needing to restart the operating system. (KB# Q225551)

While both Windows 2000 and Windows XP can both read Dynamic Disks, you should not use them in a dual-boot scenario between the two operating systems. Only one of the operating systems can “own” the set of Dynamic Disks. Never use Dynamic disks in any dual-boot scenario.

Translation of terms between Basic and Dynamic Disks

There are three Dynamic Volume types

Simple volume - contains space from a single disk.

Spanned volume - contains space from multiple disks (maximum of 32). Data storage first fills one volume before going to the next. If a volume in a spanned set fails, all data in the spanned volume set is lost. Performance is degraded as disks in spanned volume sets are read sequentially.

Striped set - contains free space from multiple disks (maximum of 32) in one logical drive. Increases performance by reading/writing data from all disks at the same rate. If a disk in a stripe set fails, all data is lost.

Dynamic Volume States

Miscellaneous

When using the Disk Management Snap-in Tool

Figure 3 – Disk Management

If your browser doesn't support inline frames click HERE
to view the full-sized graphic

Using Diskpart.exe

Diskpart is a new command-line tool that duplicates most of the functionality of the GUI Disk Management MMC snap-in. Because diskpart is a command-line tool, its operation can be scripted making it enormously powerful.

When you first start diskpart you must select the disk you are using by its object number. For example:

Diskpart
select disk 0
assign letter c

...selects the first fixed disk in my system and assigns it the drive letter C. All commands I give to diskpart now will be performed on this disk until I select another disk. Here is the syntax of a diskpart command:

diskpart [/add | /delete] [device_name | drive_name | partition_name] [size]

You cannot format disks using diskpart – you must do this using the format command from the command line.

A complete list of diskpart commands can be found in the deploy.chm file that is included in DEPLOY.CAB on the XP product CD.

Windows File Protection Feature (WFP): (KB# Q222193)

Local and network print devices

Implementing, Managing, and Troubleshooting Hardware Devices and Drivers: (KB# Q199276)

Disk devices

Display devices

Mobile computers

Hardware

Power Management

The Power Management features built into Windows XP Professional are designed to help portable computer users extend their battery life (a major worry when you’re using your system in a place with no plug-ins available).

Power Schemes

Alarms

There are two types of low battery alarms that can be set (shown in Figure 4). You can configure each alarm to simply pop up a dialog warning of the low battery state, run a program, or perform an action:

1. Low battery alarm – this is the “hey, your batteries are getting low you might want to wrap things up” alarm. You hear this alarm first.
2. Critical battery alarm – if you haven’t shut down your system yet and reach the second pre-defined threshold, your computer can warn you again or go into hibernation if necessary.

Advanced Settings

	Standby – this is a low power state where your computer runs using minimal power. Portable computers that support APM can go into standby mode. Your desktop state is not saved in standby mode.
	Hibernate – when your computer goes into hibernation the contents of its memory and desktop state are written to the hard drive. The computer is then completely powered down. The next time the computer is started the hibernation information is pulled from disk back into memory and your desktop state is restored (requires ACPI).

Input and output (I/O) devices

	Keyboards are installed under "Keyboards" in Device Manager.
	Mice, graphics tablets and other pointing devices are installed under "Mice and other pointing devices" in Device Manager.
	Troubleshoot I/O resource conflicts using the "System Information" snap-in. Look under Hardware Resources > I/O for a list of memory ranges in use.

	Drivers are updated using Device Manager. Highlight the device, right-click and choose Properties. A properties dialog appears. Choose the Drivers tab and then the Update Driver... button.
	Microsoft recommends using Microsoft digitally signed drivers whenever possible. Digitally signed drivers are certified by Microsoft to have met standards set by the Windows Hardware Quality Lab. (KB# Q244617)
	The Driver.cab cabinet file on the Windows XP CD contains all of the drivers the OS ships with. Whenever a driver is updated, WINXP looks here first. The location of this file is stored in a registry key and can be changed: HKLM\Software\Windows\CurrentVersion\Setup\DriverCachePath.  (KB# Q230644)
	Only digitally signed drivers are included on the Windows XP product CD or made available from the Windows Update site.
	The Driver Verifier is used to troubleshoot and isolate driver problems. It must be enabled through changing a Registry setting. The Driver Verifier Manager, verifier.exe, provides a command-line interface for working with Driver Verifier. (KB# Q244617)

	Open System applet in Control Panel and click Hardware tab. Then in the Device Manager box, click Driver Signing to display options: Ignore - Install all files, regardless of file signature Warn- Display a message before installing an unsigned file (default setting) Block- Prevent installation of unsigned files
	The Apply Setting As System Default checkbox is only accessible to Administrators

	/scannow - scans all protected system files immediately
	/scanonce - scans all protected system files at next startup
	/scanboot- scans all protected system files at every restart
	/cancel- cancels all pending scans
	/quiet - replaces incorrect files without prompting
	/enable - sets Windows File Protection back to defaults
	/purgecache - purges file cache and forces immediate rescan
	/cachesize=x- sets file cache size

	running sigverif launches File Signature Verification
	checks system files by default, but non-system files can also be checked
	saves search results to Sigverif.txt

Driver rollback is a feature that lets you revert to an older copy of a driver that worked when an upgrade to a new driver goes sour. Here are the points to know for the exam:

	Rollbacks are only possible when there is an existing copy of an older driver.
	Driver rollback is available for all devices except printers, which are controlled through the Printers and Faxes applet, not Device Manager.
	Copies of old drivers are stored in the systemroot%\system32\reinstallbackups\ folder. This folder is automatically created the first time a user updates a driver on their Windows XP system.
	Stored drivers consist of the .SYS files (system configuration) and .INF file (device information file).

Resolving hardware conflicts

	Whenever possible, it is preferable to let Windows attempt to resolve resource conflicts.
	Windows is capable of sharing some resources such as IRQs amongst several different devices. If you assign a resource manually you dedicate it to a particular device and prevent Windows from sharing it with other devices as needed. This can make your resource shortage even worse.
	Never use the Registry Editor to reassign resources unless you have no alternative.

	Adding a processor to your system to improve performance is called scaling. It’s typically done for CPU intensive applications such as CAD and graphics rendering.
	Windows XP Professional supports a maximum of two CPUs.
	Windows XP supports Symmetric Multiprocessing (SMP). Processor affinity is also supported. Asymmetric Multiprocessing (ASMP) is not supported.
	Upgrading to multiple CPUs might increase the load on other system resources.
	Update your Windows driver to convert your system from a single to multiple CPUs. This is done through Device Manager > Computer > Update Driver. (KB# Q234558)

	Adapters are installed using the Add/Remove Hardware applet in Control Panel.
	Change the binding order of protocols and the Provider order using Advanced Settings under the Advanced menu of the Network and Dial-up Connections window (accessed by right-clicking on My Network Places icon).
	Each network adapter has an icon in Network and Dial-up connection. Right click on the icon to set its properties, install protocols, change addresses, etc.

	/basevideo - boots using standard VGA driver
	/fastdetect=[comx,y,z] - disables serial mouse detection or all COM ports if port not specified. Included by default
	/maxmem:n - specifies amount of RAM used - use when a memory chip may be bad
	/noguiboot - boots Windows without displaying graphical startup screen
	/sos - displays device driver names as they load
	/bootlog - enable boot logging
	/safeboot:minimal - boot in safe mode
	/safeboot:minimal(alternateshell) - safe mode with command prompt
	/safeboot:network - safe mode with networking support (KB# Q236346)

	Enter safe mode by pressing F8 during the operating system selection phase
	Safe mode loads basic files/drivers, VGA monitor, keyboard, mouse, mass storage and default system services. Networking is not started in safe mode. (KB# Q199175)
	Enable Boot Logging - logs loading of drivers and services to ntbtlog.txt in the windir folder
	Enable VGA Mode - boots Windows with VGA driver
	Last Known Good Configuration - uses registry info from previous boot. Used to recover from botched driver installs and registry changes
	Recovery Console - only appears if it was installed using winnt32 /cmdcons or specified in the unattended setup file
	Directory Services Restore Mode - only in Server, not applicable to Win2000 Professional
	Debugging Mode - again, only in Server
	Boot Normally - lets you boot, uh, normally ;-)

	Found under HKEY_LOCAL_MACHINE\System\Select - has four entries
	Current- CurrentControlSet. Any changes made to the registry modify information in CurrentControlSet
	Default - control set used next time Windows XP starts. Default and current contain the same control set number
	Failed - control set marked as failed when the computer was last started using the LastKnownGood control set
	LastKnownGood - after a successful logon, the Clone control set is copied here

	Insert Windows XP CD into drive, change to the i386 folder and run winnt32 /cmdcons. (KB# Q216417)
	After it is installed, it can be selected from the "Please Select Operating System to Start" menu.
	When starting Recovery Console, you must log on as Administrator. (KB# Q239803)
	Can also be run from Windows XP Setup, repair option.
	Allows you to boot to a "DOS Prompt" when your file system is formatted with NTFS.
	Looks like DOS, but is very limited. By default, you can copy from removable media to hard disk, but not vice versa - console can't be used to copy files to other media (KB# Q240831). As well, by default, the wildcards in the copy command don't work (KB# Q235364). You can't read or list files on any partition except for system partition.
	Can be used to disable services that prevent Windows from booting properly. (KB# Q244905)

	Accessed through Control Panel > System applet > Advanced tab > Startup and Recovery
	Memory dumps are always saved with the filename memory.dmp. (KB# Q192463)
	Small memory dump needs 64KB of space. Found in %systemroot%\minidump.
	A paging file must be on the system partition and the pagefile itself at least 1 MB larger than the amount of RAM installed for the Write debugging information option to work.
	Use dumpchk.exe to examine contents of memory.dmp. (KB# Q156280)

	Used to gather information from your computer to assist support providers in troubleshooting issues. Reports are composed in Windows 98 and Windows XP and then uploaded to a server provided by the support provider using HTTP protocol.
	Reports are stored in a compressed .CAB format and include a Microsoft System Information (.NFO) file.
	The report generated by Windows Report Tool (winrep.exe) includes a snapshot of complete system software and hardware settings. Useful for diagnosing software and hardware resource conflicts.

Here are the DWORD values you can modify:

	CompressionBurst – lets you specify the amount of time after a computer sits idle before it starts compressing Restore Point data in the background.
	DiskPercent - used for setting the percentage of disk space used for Restore Points. Cannot exceed the DSMax value.
	DSMax – specifies the maximum amount of disk space System Restore can use.
	DSMIN – if free disk space drops below the value specified here, the System Restore feature becomes inactive.
	RestoreStatus – Stores a value indicating whether the last restore operation failed (0), succeeded (1), or was interrupted (2).
	RPGlobalInterval – specifies, in seconds, the interval between automatic creation of restore points – default is 24 hours.
	RPLifeInterval – specifies, in seconds, the Time To Live (TTL) for Restore Points. When a Restore Point reaches the end of its TTL, it is deleted. Default value is 90 days.
	RPSessionInterval – specifies, in seconds, the amount of time System Restore waits before it creates Restore Points while the system is running. Turned off by default (0).
	ThawInterval – specifies, in seconds, the amount of time System Restore waits before waking itself from a disabled state.

Automated System Recovery (ASR)

This is a new feature that allows you to create an image of your system partition and write it to a tape backup device or burn it to a CD. Using a special floppy disk called the Automated System Recovery (ASR) Disk, you boot a computer where the operating system has been damaged beyond repair and use the ASR Disk to restore the computer from the image you created.

	Run ntbackup and choose the Automated System Recovery Wizard from the available options.
	Enter the path and filename for the image file you are creating.
	Insert a blank, formatted 3.5-inch floppy disk into your A: drive then click next.
	The ASR Wizard will create an image file, followed by an ASR floppy disk. The floppy disk contains the ASR state info in the ASR.sif file. Store this file in a safe place along with the image file that you have backed up onto tape or burned onto CD.

Monitoring and Optimizing System Performance and Reliability

	Used to automate events such as batch files, scripts and system backups.
	Tasks are stored in the Scheduled Tasks folder in Control Panel.
	Running task with a user name and password allows an account with the required rights to perform the task instead of an administrative account.
	Set security for a task by group or user.

	Offline files replaces My Briefcase and works a lot like Offline Browsing in IE5 and above.
	By default, offline files are stored in the %systemroot%\CSC (Client Side Caching) directory.
	Share a folder and set its caching to make it available offline. There are three types of caching: manual caching for documents - default setting. Users must specify which docs they want available when working offline automatic caching for documents - all files opened by a user are cached on his local hard disk for offline use - older versions on a user’s machine automatically replaced by newer versions from the file share when they exist automatic caching for programs -same as above, but for programs
	When synchronizing, if you have edited an offline file and another user has also edited the same file, you will be prompted to keep and rename your copy, overwrite your copy with the network version, or to overwrite the network version and lose the other user's changes (a wise SysAdmin will give only a few key people write access to this folder or everyone's work will get messed up).
	Using Synchronization Manager, you can specify which items are synchronized, using which network connection, and when synchronization occurs (at logon, logoff, and when computer is idle).
	The Offline Files feature is not compatible with a feature called Fast User Switching (discussed later).

	Important objects are cache (file system cache used to buffer physical device data), memory (physical and virtual/paged memory on system), physicaldisk (monitors hard disk as a whole), logicaldisk (logical drives, stripe sets and spanned volumes), and processor (monitors CPU load).
	Processor - % Processor Time counter measures time CPU spends executing a non-idle thread. If it is continually at or above 80%, CPU upgrade is recommended.
	Processor -  Processor Queue Length - more than 2 threads in queue indicates CPU is a bottleneck for system performance.
	Processor - % CPU DPC Time (deferred procedure call) measures software interrupts.
	Processor - % CPU Interrupts/Sec measures hardware interrupts. If processor time exceeds 90% and interrupts/time exceeds 15%, check for a poorly written driver (bad drivers can generate excessive interrupts) or else upgrade the CPU.
	Logical disk - Disk Queue Length - if averaging more than 2, drive access is a bottleneck. Upgrade disk, hard drive controller, or implement stripe set.
	Physical disk - Disk Queue Length - same as above.
	Physical disk - % Disk Time- if above 90%, move data/pagefile to another drive or upgrade drive.
	Memory - Pages/sec - more than 20 pages per second is a lot of paging - add more RAM.
	Memory - Committed bytes - should be less than amount of RAM in computer.
	diskperf - physical disk counters are enabled by default, but you will have to type diskperf -yv at a command prompt to enable logical disk counters for logical drives or storage volumes. (KB# Q253251)

	Alert logs are like trace logs, but they only log an event, send a message, or run a program when a user-defined threshold has been exceeded
	Counter logs record data from local/remote systems on hardware usage and system service activity
	Trace logs are event driven and record monitored data such as disk I/O or page faults
	By default, log files are stored in the \Perflogs folder in the system's boot partition
	Save logs in CSV (comma separated value) or TSV (tab separated value) format for import into programs like Excel
	CSV and TSV must be written all at once, they do not support logs that stop and start. Use Binary (.BLG) for logging that is written intermittently
	Logging is used to create a baseline for future reference

	Recommended minimum paging file size is 1.5 times the amount of RAM installed. A system with 64 MB should have a 96 MB page file. Maximum page file size should not exceed 2.5 times the amount of RAM installed.
	Set through Control Panel > System applet > Advanced tab > Performance Options > Change.
	The most efficient paging file is spread across several drives, but is not on the system or boot partitions. (KB# Q123747)
	Maximum registry size can also be changed through the Virtual Memory dialog box.

	Created to store different sets of configuration settings to meet a user’s different needs (usually used with portables) such as whether a computer is docked or undocked.
	User selects the desired profile at Windows XP startup.
	Profiles are created through Control Panel > System applet > Hardware tab > Hardware Profiles.
	Devices are enabled and disabled in particular profiles through their properties in the Device Manager snap-in.

	Windows XP Backup is launched through Control Panel > System applet > Backup or by running ntbackup from the Start menu. (KB# Q241007)
	Users can back up their own files and files they have read, execute, modify, or full control permission for.
	Users can restore files they have write, modify or full control permission for.
	Administrators and Backup Operators can backup and restore all files regardless of permissions.
	System state information (system registry and COM objects) can be backed up using by selecting System State information in ntbackup or by using the systemstate command from the command line.

This is a database that stores Windows XP configuration information for all installed software, hardware and users in a hierarchical structure. Consists of five main subtrees:

	HKEY_CLASSES_ROOT - holds software configuration data, file associations and object linking and embedding (OLE) data
	HKEY_CURRENT_CONFIG - holds data on active hardware profile extracted from SOFTWARE and SYSTEM hives
	HKEY_CURRENT_USER - contains data about current user extracted from HKEY_USERS, and additional info pulled down from Windows authentication
	HKEY_LOCAL_MACHINE - contains all local computer hardware, software, device driver and startup information. Remains constant regardless of the user
	HKEY_USERS - holds data for user identities and environments, custom settings, etc.

Windows 2000 supported two different registry editing tools:

	The Registry Editor (Regedt32.exe) has a read-only mode, a security menu, and supports the REG_EXPAND_SZ and REG_MULTI_SZ data types as well as the ability to set permissions.
	Regedit.exe does not. Registry Editor automatically saves changes as they are made.

The functionality of both regedit.exe and regedt32.exe has been combined into one tool under Windows XP. Typing the name of either executable into the run dialog brings up the same registry editing tool now.

Secondary Logon Service (Run As): (KB# Q225035)

	Similar to the SU (Super User) command in UNIX
	Used to test settings using a particular user account while logged in with a different account
	Select the application icon using a single left-click, hold down the Shift key and right-click the icon. When the pop-up menu appears, click Run As. This brings up a dialog box titled "Run program as other user" - enter your credentials and click OK

A profile is a collection of data and folders that store the user's desktop environment and application settings along with personal data. A profile is automatically created the first time a user logs onto a Windows NT4, Windows 2000, or Windows XP system. Profiles contain the following settings:

	Accessories – specific settings for Calculator, HyperTerminal, Notepad, Paint, etc.
	Application settings – profile-aware applications, such as Microsoft Word 2000, store user specific configuration information in the user profile.
	Control Panel – all custom Control Panel settings are written to the User Profile (e.g., display and mouse settings).
	Printer Settings – information on all network printer connections is stored in the user profile. Locally connected printers are not written to the profile.
	Taskbar Settings – all taskbar settings.
	Windows Explorer Settings – all Explorer settings, as well as persistent connections (mapped drives).

User Profiles also contain the following folders:

	Application Data – all profile-aware applications store their information in this folder. Roams with profile by default and can be redirected using Group Policy.
	Cookies – all Internet Explorer cookies are stored here. Roams with profile by default.
	Desktop – all desktop items including shortcuts and files are stored here. Roams with profile by default and can be redirected using Group Policy.
	Favorites – all your Internet Explorer bookmarks go here. Roams with profile by default.
	Local Settings – This is where settings that cannot be attached to a roaming profile (discussed later), or that are too large for a Roaming Profile, are stored.
	%Username% Documents – this is where all documents created by a user are stored by default. This folder can be redirected to a network server, but this is done separately from Roaming Profiles. Roams with profile by default and can be redirected using Group Policy.
	NetHood – where shortcuts to Network Neighborhood items are stored. Roams with profile by default.
	PrintHood – where shortcuts to print folder items are stored. Roams with profile by default.
	Recent – shortcuts to recently used documents. Roams with profile by default.
	SendTo – shortcuts to applications. Roams with profile by default.
	Start Menu – shortcuts to program executables. Roams with profile by default and can be redirected using Group Policy.
	Templates – shortcuts to template items. Roams with profile by default.

In Windows XP Professional, the default location for User Profiles is the \%systemroot%\Documents and Settings\%username% directory (shown in Figure 8).

Figure 8 – Folder structure of the User Profile

There are three types of User Profiles:

1. Local User Profile – Automatically created the first time a user logs onto the computer. Stored on the local hard disk. All changes are stored locally.
2. Mandatory User Profile – A profile created for users by Administrators. A user cannot modify the settings in this profile: all changes that the user makes are lost. Kept only for backwards compatibility with NT4 domains – Windows 2000 and newer domains should administer profiles through Group Policy instead.
3. Roaming User Profile – This is a User Profile stored on a network server. Users can log on from different machines on the network and still receive the same settings and have access to all of their documents from the network location instead. Roaming profiles are advantageous as they keep the user’s state information in a centralized place. Support staff can easily replace a user’s computer without losing that user’s preferences. All changes made to a Roaming Profile are copied to the network server.

	Replaces setup.exe. Windows Installer packages are recognized by their .MSI file extension.
	Integrates software installation into Windows XP so that it is now centrally controlled, distributed, and managed from a central-point.
	The software life cycle consists of four phases, Preparation, Deployment, Maintenance, and Removal.

	A software package is installed on a Windows 2000 or Windows .NET Server in a shared directory. A Group Policy Object (GPO) is created. Behavior filters are set in the GPO to determine who gets the software. Then the package is added to the GPO under User Configuration > Software Settings > Software Installation (this is done on the server). You are prompted for a publishing method - choose it and say OK.
	Set up Application Categories in Group Policy > computer or user config > Software Settings > Software Installation (right-click) > Properties > Categories > Add. Creating logical categories helps users locate the software they need under Add/Remove Programs on their client computer. Windows does not ship with any categories by default.
	When upgrading deployed software, AD can either uninstall the old application first or upgrade over top of it.
	When publishing upgrades, they can be optional or mandatory for users but are mandatory when assigned to computers.
	When applications are no longer supported, they can be removed from Software Installation without having to be removed from the systems of users who are using them. They can continue using the software until they remove it themselves, but no one else will be able to install the software through the Start menu, Add/Remove Programs, or by invocation.
	Applications that are no longer used can have their removal forced by an administrator. Software assigned to the user is automatically removed the next time that user logs on. When software is assigned to a computer, it is automatically removed at start up. Users cannot re-install the software.
	Selecting the "Uninstall this application when it falls out of the scope of management" option forces removal of software when a GPO no longer applies.

	You can assign or publish software packages.
	Software that is assigned to a user has a shortcut appear on a user's Start > Programs menu, but is not installed until the first time they use it.
	Software assigned to a computer is installed the next time the computer is started, and before the user can logon.
	When software is assigned to a user, the new program is advertised when a user logs on, but is not installed until the user starts the application from an icon or double-clicks a file-type associated with the icon. Software assigned to a computer is not advertised - the software is installed automatically. When software is assigned to a computer it can only be removed by a local administrator - users can repair software assigned to computers, but not remove it.
	Published applications are not advertised. They are only installed through Add/Remove Programs in the Control Panel or through invocation.
	The software settings of a Group Policy are not refreshed like the rest of the settings. The user may need to logoff/logon or the system may need to be restarted for the new settings to take place (depending on type of software installation).
	Published applications lack resiliency (do not self-repair or re-install if deleted by the user). Finally, applications can only be published to users, not computers.
	With invocation, when a user double-clicks on an unknown file type, the client computer queries Active Directory to see what is associated with the file extension. If an application is registered, AD checks to see if it has been published to the user. If it has, it checks for the auto-install permission. If all conditions are met, the application is invoked (installed).
	Non-MSI programs are published as .ZAP files. They cannot take advantage of MSI features such as elevated installation privileges, rolling back an unsuccessful installation, installing on first use of software or feature, etc. (KB# Q231747) .ZAP files can only be published, not assigned.
	Non-MSI programs can be repackaged using a 3rd party tool called WinINSTALL by Veritas software. There is a lite version of this software that was included on the Windows 2000 product CDs that you can use. It lets you take a snapshot of a system, install your application, take another snapshot and create a difference file that becomes your MSI install package. If you wish to assign a non-MSI program to a user or computer, you must first repackage it as an MSI file. (KB# Q236573)
	When software requires a CD key during installation, it can be pushed down with the installer package by typing misexec /a <path to .msi file> PIDKEY="[CD-Key]". (KB# Q223393)
	Modifications are created using tools provided by the software manufacturer and produce .MST files which tell the Windows Installer what is being modified during the installation. .MST files must be assigned to .MSI packages at the time of deployment. (KB# Q236943)
	Patches are deployed as .MSP files. (KB# Q226936)

	Windows XP Professional supports the connection of up to 10 monitors.
	Portable users can spread their desktop across their notebook monitor in addition to an externally connected monitor using a feature called “Dual View” – works similarly to multiple monitors.
	All monitor settings are configured through the Display applet in Control Panel.
	The new, brightly-coloured theme that Windows XP comes out of the box with (called “Luna”) can best be described as “butt ugly.” This is the default theme for clean installations. To prevent your users from going blind you can restore some degree of normalcy by selecting the Windows Classic theme instead that is de rigueur in Windows ME and Windows 2000.

You can set compatibility for the following operating systems

	Windows 95
	Windows 98/ME
	Windows NT.40 (SP5 or higher)
	Windows 2000

You can choose the following display settings:

	256 colours
	640x480 screen resolution
	Disable visual themes (feature that can affect behavior of some programs)

Fax support

	If a fax device (modem) is installed, the Fax applet appears in Control Panel. It does not appear when no fax device installed
	If the Advanced Options tab is not available in the Fax applet, log off then log back on as Administrator
	Use the Fax applet to set up rules for how device receives faxes, number of retries when sending, where to store retrieved and sent faxes, user security permissions, etc.
	The Fax printer in your printer folder cannot be shared

	StickyKeys allows you to press multiple key combinations (CTRL-ALT-DEL) one key at a time
	FilterKeys tells the keyboard to ignore brief or repeated keystrokes
	SoundSentry displays visual warnings when your computer makes a sound (for aurally impaired)
	ShowSounds forces programs to display captions for the speech and sounds they make
	MouseKeys lets you control the mouse pointer with the numeric keypad
	Magnifier magnifies a portion of the desktop (for visually impaired) - available during GUI phases of OS installation (KB# Q231843)
	Narrator reads menu options aloud using speech synthesis (for visually impaired) - available during GUI phases of OS installation

This new feature is unique to Windows XP and allows a user to request remote help from a more knowledgeable friend or support technician (in MS terminology, the user providing assistance is referred to as the "expert"). Once the request is accepted, the remote helper can:

	See the user's desktop
	Control the user's desktop (with permission)
	Chat with the user using text or voice
	Send and receive files from the user's system

Remote Assistance is enabled by default in Windows XP. You can enable or disable it by right-clicking on My Computer, dragging to Properties, and then choosing the Remote tab on the System Properties dialog.

Requesting assistance

Important items to remember for the exam:

	Requests must have an expiry set on them. Once the expiry has been reached the helper can no longer respond to the request.
	When using Windows Messenger, requests can be accepted if both parties are behind proxy servers using Network Address Translation (NAT) and have private addresses. When requests are sent by e-mail, NAT between the user and the helper will prevent a Remote Assistance session from taking place.
	Always password protect requests for additional security
	You can view the status of your assistance invitations. Windows XP keeps a record of all invitations you have sent and tells you which are open and which have expired.

Accepting the request

	If you are using Windows Messenger some text will appear in your chat Window informing you that you have received a Remote Assistance request. Click the hyperlink to Accept the request and Windows XP will connect to the remote system.
	Requests that arrive by e-mail will show up as a plain text e-mail with a file attachment. To begin the Remote Assistance session simply open the file attachment that accompanied the e-mail. The e-mail attachment will have a filename similar to rcbuddyx.MsRIncident (where x is an identifier that may or may not appear).

Let's look at the helper's Remote Assistance console first. The following functions are available to you:

	Take control – by default, the remote helper can only view a user's desktop. Before the helper can take control of the remote desktop he or she must request control by clicking this button. The remote user must accept your request before you have control and can take it back at any time by pressing their ESC key.
	Send a File – use this feature to send the user an updated driver or file that is needed to repair their system.
	Start Talking – this button lets you start a voice chat (Voice Over IP or VOIP) session with the remote user. Both systems will need sound cards, microphones, and speakers/headphones for this to work. Best used over high-bandwidth connections only.
	Settings – use this to adjust sound quality and resize your console.
	Disconnect – used to end the Remote Assistance session.

Built-in accounts used with Remote Assistance

	HelpAssistant – this is the account used by helpers you have invited to provide assistance. It is only ever enabled when there are open assistance invitations. Once all open invitations have expired this account is disabled again.
	SUPPORT_xxxxxx – (where xxxxx is a hexadecimal number). This account is only used when assistance is requested directly from Microsoft and it is disabled by default.

	TCP is an industry-standard suite of protocols
	It is routable and works over most network topologies
	It is the protocol that forms the foundation of the Internet
	It is Installed by default in Windows XP
	Can be used to connect dissimilar systems
	Uses Microsoft Windows Sockets interface (Winsock)
	IP addresses can be entered manually or be provided automatically by a DHCP server
	DNS is used to resolve computer hostnames to IP addresses
	WINS is used to resolve a NetBIOS name to an IP address
	Subnet mask - A value that is used to distinguish the network ID portion of the IP address from the host ID
	Default gateway - A TCP/IP address for the host (typically a router) which you would send packets for routing elsewhere on the network

Windows 98, Windows ME, Windows 2000 and Windows XP support this feature. When "Obtain An IP Address Automatically" is enabled, but the client cannot obtain an IP address, Automatic Private IP addressing takes over:

	IP address is generated in the form of 169.254.x.y (where x.y is the computer's identifier) and a 16-bit subnet mask (255.255.0.0)
	The computer broadcasts this address to its local subnet
	If no other computer responds to the address, the first system assigns this address to itself
	When using the Auto Private IP, it can only communicate with other computers on the same subnet that also use the 169.254.x.y range with a 16-bit mask
	The 169.254.0.0 - 169.254.255.255 range has been set aside for this purpose by the Internet Assigned Numbers Authority

Alternate TCP/IP Configurations

	Telnet client - Can be used to open a text based console on UNIX, Linux and Windows XP systems (run telnet servername)
	FTP client - Command line based - simple and powerful (run ftp servername)
	Internet Explorer 6 - Microsoft's powerful and thoroughly integrated Web browser
	Outlook Express 6 - SMTP, POP3, IMAP4, NNTP, HTTP, and LDAP complaint E-mail package.

	Telnet server - Windows XP includes a telnet server service (net start tlntsvr) that is limited to a command line text interface and two concurrent users. Set security on your telnet server by running the admin tool, tlntadmn. (KB# Q225233)
	Web Server - stripped version of IIS5 Web server. Limited to 10 connections. Must be installed and the service started before sharing your printers using Web printing or Internet printing. Can be managed using IIS snap-in or Personal Web Manager, a "dumbed-down" GUI for novice users.
	FTP Server - stripped version of Internet Information Server 5 (IIS5) FTP server. Limited to 10 connections but is administered just like the server version using IIS snap-in or the Personal Web Manager.
	FrontPage 2000 Server Extensions - extends the functionality of the Web server and is included in WINXP Pro for developing and testing Web sites before deploying them to a production server.

Here are important changes to Internet Explorer 6 to note for the exam:

	The default cipher strength is now 128-bit.
	The Microsoft Virtual Machine for Java is not bundled in with XP thanks to continued legal bickering between MS and Sun Microsystems. The missing component is configured as an “Automatic Download.” The first time users attempt to use a java-enabled page that requires the Virtual Machine, they will be prompted to download it from Microsoft’s site.
	Internet Explorer now features a Media Toolbar that integrates Windows Media Player into your browser. This new toolbar deftly combines the worst features of both products.
	Microsoft has built a new privacy feature into Internet Explorer based upon the Platform for Privacy Preferences (P3P) standard. By default, all cookies from third-party Web sites that do not contain XML formatted privacy policy information are blocked.

Windows Messenger

While Windows Messenger is backwards compatible with your contacts who are using MSN Messenger, the following features will only work between Windows XP Desktops running Windows Messenger:

	Remote Assistance requests
	Videoconferencing

Internet Connection Sharing (ICS)

Enter the Computer Name, IP address, or Fully Qualified Domain Name (FQDN) of the computer you wish to connect to and click the Connect button. Use the Options button to configure some additional parameters for your connection:

	Display settings can include colour depth (if not overridden at the server end) and display size (640x480 to full screen).
	Remote sounds can be redirected to the local system.
	You can choose whether or not to redirect devices on the remote computer such as printer ports, serial ports, and disk drives to your local system.
	Choose a level of user experience that includes connection speed, themes, desktop background, bitmap caching, etc.

Connecting to Windows XP Professional

Here are the important points to know for the exam:

	Windows XP Professional only supports a single Remote Desktop Connection. When a remote user connects to a Windows XP Professional system the desktop on the local console automatically locks. Unlocking the desktop forces the remote session to disconnect immediately.
	Windows 95/98/ME, Windows NT 4, and Windows 2000 systems can remotely connect to a Windows XP Remote Desktop Connection session using either the 32-bit Terminal Services Client that ships with Windows 2000 or by installing the Remote Desktop Connection client that is included on the Windows XP product CD.
	To install the Remote Desktop Connection on an older Windows operating system, insert the Windows XP product CD, choose Perform additional tasks from the menu, and then Set up Remote Desktop Connection.
	Remote Desktop Connections require that port TCP/IP port 3389 for Remote Desktop Protocol be opened.
	Remote Desktop also supports Remote Desktop Web Connection – this is essentially the same as the Terminal Services Advanced Client available for Windows 2000. Clients require IE4 or higher with a special ActiveX control installed. The Windows XP system offering Remote Desktop Web Connection will need to be configured with the limited version of IIS5 that is included by default. Also ensure that the Remote Desktop Web Connection files are copied to the \Web\TSWeb directory of the Web server.

Troubleshooting: (KB# Q102908)

	Ipconfig and Ipconfig /all - displays current TCP/IP configuration
	Nbtstat - displays statistics for connections using NetBIOS over TCP/IP
	Netstat - displays statistics and connections for TCP/IP protocol
	Ping - tests connections and verifies configurations
	Tracert - checks a route to a remote system
	Common TCP/IP problems are caused by incorrect subnet masks and gateways
	If an IP address works but a hostname doesn’t, check DNS settings

	NWLink (MS's version of the IPX/SPX protocol) is the protocol used by Windows XP to allow Netware systems to access its resources. (KB# Q203051)
	NWLink is all that you need to run in order to allow a Windows XP system to run client/server applications from a NetWare server.
	To allow file and print sharing between NT and a NetWare server, CSNW (Client Services for NetWare) must be installed on the Windows XP system. In a Netware 5 environment, the Microsoft client does not support connection to a Netware Server over TCP/IP. You will have to use IPX/SPX or install the Novell NetWare client. (KB# Q235225)
	Gateway Services for NetWare can be implemented on your Windows 2000 Server to provide a MS client system to access your NetWare server by using the Windows 2000 Server as a gateway. (KB# Q121394)
	Frame types for the NWLink protocol must match the computer that the Windows XP system is trying to connect with. Unmatched frame types will cause connectivity problems between the two systems.
	When NWLink is set to autodetect the frame type, it will only detect one type and will go in this order: 802.2, 802.3, ETHERNET_II and 802.5 (Token Ring).
	Netware 3 servers uses Bindery Emulation (Preferred Server in CSNW). Netware 4.x and higher servers use NDS (Default Tree and Context.)
	There are two ways to change a password on a Netware server - SETPASS.EXE and the Change Password option (from the CTRL-ALT-DEL dialog box). The Change Password option is only available to Netware 4.x and higher servers using NDS.

	DLC is a special-purpose, non-routable protocol used by Windows XP to talk with IBM mainframes, AS400s and Hewlett Packard JetDirect printers.
	The NetBEUI protocol is not installed in Windows XP by default – it can be installed from the \VALUEADD\MSFT\NET\NETBEUI directory on the product CD-ROM.
	Windows XP does not support AppleTalk. If you are upgrading a previous version of Windows with AppleTalk installed, this protocol will be removed during the installation process. (KB# Q305989)

	EAP - Extensible Authentication Protocol. A set of APIs in Windows for developing new security protocols as needed to accommodate new technologies. MD5-CHAP and EAP-TLS are two examples of EAP.
	EAP-TLS - Transport Level Security. Primarily used for digital certificates and smart cards.
	MD5-CHAP - Message Digest 5 Challenge Handshake Authentication Protocol. Encrypts usernames and passwords with an MD5 algorithm.
	RADIUS - Remote Authentication Dial-in User Service. Specification for vendor-independent remote user authentication. Windows XP Professional can act as a RADIUS client only.
	MS-CHAP (v1 and 2) - Microsoft Challenge Handshake Authentication Protocol. Encrypts entire session, not just username and password. v2 is supported in Windows XP, Windows 2000,Windows NT4 and Windows 95/98/ME (with DUN 1.5 upgrade) for VPN connections. MS-CHAP cannot be used with non-Microsoft clients. You must use MS-CHAP authentication for PPTP (see below).
	SPAP - Shiva Password Authentication Protocol. Used by Shiva LAN Rover clients. Encrypts password, but not data.
	CHAP - Challenge Handshake Authentication Protocol - encrypts user names and passwords, but not session data. Works with non-Microsoft clients.
	PAP - Password Authentication Protocol. Sends username and password in clear text.

	PPTP - Point to Point Tunneling Protocol. Creates an encrypted tunnel through an untrusted network. The encryption is provided by Microsoft Point-to-Point Encryption (MPPE), a Microsoft proprietary protocol and is available at 40-bit or 128-bit levels. MPPE requires the use of MS-CHAP.
	L2TP - Layer Two Tunneling Protocol. Works like PPTP as it creates a tunnel, but it does not provide data encryption. Security is provided by using an encryption technology like IPSec.
	Windows XP Professional supports a single inbound VPN connection.

	Multilinking allows you to combine two or more modems or ISDN adapters into one logical link with increased bandwidth. (KB# Q233171)
	BAP (Bandwidth Allocation Protocol) and BACP (Bandwidth Allocation Control Protocol) enhance multilinking by dynamically adding or dropping links on demand. Settings are configured through RAS policies. (KB# Q244071)
	Enabled from the PPP tab of a RAS server's Properties dialog box. (KB# Q233151)

	Using callback allows you to have the bill charged to your phone number instead of the number of the user calling in. Also used to increase security.
	For roving users like a sales force, choose "Allow Caller to Set The Callback Number" (less secure).

	Microsoft technical documentation generally refers to dial-up networking when describing outbound connections. Inbound connections are usually associated with Remote Access Services (RAS).
	All new connections are added using the "Make New Connection" wizard.
	To create a VPN connection, choose Dial-Up To A Private Network Through The Internet, specify whether you need to establish a connection with an ISP first, enter the host name or IP address of the computer/network you are connecting to, and select whether connection is for yourself or all users.
	Dial-up networking entries can be created for modem connections, LAN connections, direct cable connections and Infrared connections.
	PPP is generally preferred because it supports multiple protocols, encryption, and dynamic assignment of IP addresses (KB# Q124036). SLIP is an older protocol that only supports TCP/IP and is used for dialing into legacy UNIX systems.
	Separate icons under Dial-up networking represent all network connections, inbound and outbound - properties, protocols, addresses and services can be individually configured for each.

Full Control	Is assigned to the Everyone group by default. Allows user to take ownership of files and folders. Users can change file access rights. Grants user all permissions assigned by the Change and Read levels.
Change	User can add and create files. Grants ability to modify files. User can change the attributes of the file. User can delete files. Grants user all permissions assigned by the Read level.
Read	User can display and open files. User can display the attributes of the file. User can execute program files.

Active Directory (AD) services provide a single point of network management, allowing you to add, remove, and relocate resources easily. It offers significant enhancements over the limitations of the older Windows NT domain based security model. Its features are:

	Simplified Administration - AD provides a single point of logon for *all* network resources - an administrator can logon to one computer and administer objects on any computer in the network.
	Scalability - NT 4 domains had a practical limitation of about 40,000 objects. AD scales to millions of objects, if needed.
	Open standards support - uses DNS as its domain naming and location service so Windows XP domain names are also DNS domain names. Support for LDAP v2 and v3 makes AD interoperable with other directory services that support the same, such as Novell's NDS. HTTP support means that AD can be searched using a Web browser. Kerberos 5 support provides interoperability with other products that use the same authentication mechanism.

Active Directory Structure

 

	Object - distinct named set of attributes that represents a network resource such as a computer or a user account.
	Classes - logical groupings of objects such as user accounts, computers, domains or organizational units.
	Organizational Unit (OU) - container used to organize objects inside a domain into logical administrative groups such as computers, printers, user accounts, file shares, applications and even other OUs.
	Domain - all network objects exist within a domain with each domain storing information only about the objects it contains. A domain is a security boundary - access to objects is controlled by Access Control Lists (ACLs). ACLs contain the permissions associated with objects that control which users or types of users can access them. In Windows XP, all security policies and settings (like Administrative rights) do not cross from one domain to another. The Domain Admin only has the right to set policies within his/her domain. Enterprise Admins can set rights across all domains in a forest.
	Tree - a grouping or hierarchical arrangement of one or more Windows XP domains that share a contiguous names space (e.g. crams.cramsession.com, sales.cramsession.com, and questions.cramsession.com). All domains inside a single tree share a common schema (formal definition of all object types that can be stored in an AD deployment) and share a common Global Catalog.
	Forest - a grouping or hierarchical arrangement of one or more domain trees that form a disjointed namespace (e.g. cramsession.com and skilldrill.com). All trees in the forest share a common schema and Global Catalog, but have different naming structures. Domains in a forest operate independently of each other, but the forest enables communication across the domains.
	Sites - combination of one or more IP subnets connected by high-speed links. Not part of the AD namespace, and contains only computer objects and connection objects used to configure replication between sites.

Site Replication

	Active Directory information is replicated between Domain Controllers (DCs) and ensures that changes to a domain controller are reflected in all DCs within a domain. A DC is a computer running Windows 2000 Server which contains a replica of the domain directory (Member Servers do not).
	DCs store a copy of all AD information for their domain, manage changes to it and copy those changes to other DCs in the same domain. DCs in a domain automatically copy all objects in the domain to each other. When you change information in AD, you are making the change on one of the DCs.
	Administrators can specify how often replication occurs, at what times, and how much data can be sent.
	DCs immediately replicate important changes to AD like a user account being disabled.
	AD uses multimaster replication meaning that no one DC is the master domain controller - all DCs within a domain are peers.
	Having more than one DC in a domain provides fault-tolerance. If a DC goes down, another is able to continue authenticating logins and providing required services using its copy of AD.
	Replication automatically generates a ring topology for replication in the same domain and site. The ring ensures that if one DC goes down, it still has an available path to replicate its information to other DCs.

	Distinguished Name (DN) - every object in AD has one. Uniquely identifies object and contains sufficient info for an AD client to retrieve it from the Directory. Includes the name of the domain that holds the object and also the complete path through the container hierarchy to it. DNs must be unique - AD will not allow duplicates.
	Relative Distinguished Name (RDN) - if the DN is unknown, you can still query an object by its attributes. The RDN is a part of the name that is an attribute of the object itself (e.g., a user's first name and location).
	Globally Unique Identifier (GUID) - unique 128-bit number assigned to objects when they are created. The GUID never changes so even if the object is renamed or moved, the GUID can be used to locate it.
	User Principal Name (UPN) - "friendly name" given to a user account (e.g., johndoe@brainbuzz.com).

	Reside only on the computer where the account was created in its local security database. If computer is part of a peer-to-peer workgroup, accounts for that user will have to be created on each additional machine that they wish to log onto locally. Local accounts cannot access Windows XP domain resources and should not be created on computers that are part of a domain.
	Domain user accounts reside in AD on domain controllers and can access all resources on a network that they have been accorded privileges for.
	Built in user accounts are: Administrator - used for managing the local system Guest - for occasional users - disabled by default HelpAssistant – account for providing Remote Assistance SUPPORT_######## - this is a vendor’s support account for the Help and Support Service – disabled by default.
	Usernames cannot be longer than 20 characters and cannot contain the following illegal characters: " / \ [ ] : ; | = , + * ? < >
	User logon names are not case sensitive. You can use alphanumeric combinations to increase security, if desired.
	Passwords can be up to 128 characters in Active Directory (we're not kidding!!) but only 14 characters for a local user account. In either case, Microsoft recommends limiting the length to about eight characters. Read Microsoft’s advice on creating strong passwords.
	User accounts are added and configured through the Computer Management snap-in.
	Users should be encouraged to store their data in their My Documents folder that is automatically created within their profile folder and is the default location that Microsoft applications use for storing data.
	Creating and duplicating accounts requires only two pieces of information: username and password. Disabling an account is typically used when someone else will take the user's place or when the user might return.
	Delete an account only when absolutely necessary for space or organization purposes.
	When copying a user account, the new user will stay in the same groups that the old user was a member of. The user will keep all group rights that were granted through groups, but lose all individual rights that were granted specifically for that user.

Here are the important points to know for the exam:

	The Fast User Switching Feature cannot be used while participating in a Windows security domain.
	Fast User Switching is not compatible with Offline Files – you can use one or the other, but not both.
	You must be logged on with local Administrative privileges to enable or disable this feature.

Enabling Fast User Switching

System Policy Editor (poledit.exe) - Windows NT 4, Windows 95 and Windows 98 all use the System Policy Editor (poledit.exe) to specify user and computer configuration that is stored in the registry.

	Not secure because a user can change settings with the Registry Editor (regedit.exe). Settings are imported/exported using .ADM templates.
	Are considered "undesirably persistent" as they are not removed when the policy is no longer applied to systems.
	Do not apply System Policies created using poledit.exe to Windows 2000 or XP systems participating in Active Directory. Only use System Policies when Active Directory is not present.

Group Policy snap-in (gpedit.msc) - Exclusive to Windows 2000 and Windows XP, this editing tool is the replacement for the System Policy Editor that was used in the Windows 95/98/ME and Windows NT worlds.

	Group Policies can only be applied to Windows 2000 and Windows XP systems – they are not compatible with previous versions of Windows. If you want to manage policies on legacy Windows clients you will need to use poledit instead.
	Settings can be stored locally or in AD. They are secure and cannot be changed by users - only Administrators.
	More flexible than System Policies as they can be filtered using Active Directory.
	Settings are imported/exported using .INF files. The Group Policy snap-in can be focused on a local or remote system.

Incremental Security Templates for Windows XP

	There are two types of Group Policy objects: local Group Policy objects and non-local Group Policy Objects (Active Directory Group Policy). Each Windows XP system can have only one local Group Policy object.
	Order of application is Local, Site, Domain and Organizational Unit. Local Policies have the least precedence whereas OU Policies have the highest (example of Group Policy overriding local policy is shown in Figure 16).
	When a machine is joined to a domain it is assumed that domain settings take precedence over local settings. Local Policy is always overwritten by any existing Group Policies for the same setting that come from the domain. Figure 16 – Local Policy Overridden

	Windows XP uses the registry.pol format. Two files are created, one for Computer Configuration (stored in the \Machine subdirectory) and one for User Configuration (stored in the \User subdirectory). Do not edit these files directly – use the Group Policy snap-in to configure the Policy on the local machine.
	registry.pol files can be viewed using the regview.exe tool from the WINXP Resource Kit. Viewing them does not apply them to the registry.
	ntconfig.pol files created with the NT4 System Policy Editor can be applied to Windows XP machines, but this is not recommended. The registry settings in these files are left permanently in the registry. Only do this when Active Directory is not available.
	config.pol files are used with Windows 95/98/ME and are incompatible with Windows XP.

	Security Configuration and Analysis snap-in - Stand-alone MMC snap-in that can configure or analyze WINXP security. Based on contents of a security template created using Security Templates snap-in. There is a text based version of this tool that can be run from the command line - secedit.exe.
	By default, Windows XP Professional doesn't require users to press CTRL-ALT-DEL to logon. Increase security by disabling this feature and forcing users to press CTRL-ALT-DEL, which is a key combination recognized only by Windows (set using the Group Policy snap-in).
	To disable access to the workstation, but allow programs to continue running, use the Lock Workstation option (from the CTRL-ALT-DEL dialog box).
	To disable access to the workstation, and not allow programs to continue running, use the Logoff option (from the CTRL-ALT-DEL dialog box).
	To lock the workstation after a period of idle time, use a screensaver password.
	Clicking Start > Programs > Administrative Tools > Local Security Policy to enable auditing. In the Local Security Settings window double-click Local Policies and then click Audit Policy. Highlight the event you want to audit and on the Action menu, click Security. Set the properties (success/failure) for each object as desired then restart computer for new policies to take effect.
	Clear the Virtual Memory Pagefile when the system shuts down. By default it is not cleared, but this can be changed under Local Security Policy Settings and will prevent an unauthorized person from extracting information from your system's pagefile. (KB# Q182086)
	Prevent the last user name from being displayed at logon (WINXP Pro does this by default). Use the Group Policy snap-in, Local Computer Policy, to change this.
	When using Event Viewer, only local Administrators can see the security log, but anyone (by default) can view other logs.

	Only available on Windows 2000 and Windows XP operating systems using NTFS partitions and volumes. (NTFS v5).
	Encryption is transparent to the user.
	Uses public-key encryption. Using a public key from the user’s certificate encrypts keys that are used to encrypt the file. The list of encrypted file-encryption keys is kept with the encrypted file and is unique to it. When decrypting the file encryption keys, the file owner provides a private key that only he has. (KB# Q241201 & Q230490)
	If the owner has lost his private key, an appointed recovery system agent can open the file using his/her key instead. (KB# Q242296)
	EFS resides in the Windows OS kernel and uses the non-paged memory pool to store file encryption keys - this means no one will be able to extract them from your paging file.
	Encrypted files can be backed up using the Backup Utility, but will retain their encrypted state as access permissions are preserved. (KB# Q227825 & Q223178)
	Microsoft recommends creating an NTFS folder and encrypting it. In the Properties dialog box for the folder click the General tab then the Advanced button and select the "Encrypt Contents To Secure Data" check box. The folder isn't encrypted, but files placed in it will be automatically encrypted. Uncheck the box if you want to decrypt the contents of the folder.
	Although it is recommended that encryption take place at the folder level, it can be done at the file level. Encryption at the folder level will automatically result in all files inside the folder being encrypted. Files moved into or created in an encrypted folder will automatically become encrypted at that time.
	Default encryption strength is 128-bit.
	Compressed files can't be encrypted and vice versa. (KB# Q223093)
	You can share encrypted files under Windows XP Professional by adding the additional users you want to have access to the file after it has been encrypted. (This is not possible under Windows 2000).
	In Windows 2000, Data Recovery Agents (DRAs) were required to implement EFS. In Windows XP, they are optional. Microsoft recommends that all stand-alone or domain environments have at least one designated DRA.
	Use the Cipher command to work with encrypted files from the command line. (KB# Q229530)
	The efsinfo.exe utility in the WINXP Resource Kit allows an administrator to determine information about encrypted files. (KB# Q243026)

	Cipher cannot encrypt files that are marked as read only.
	Syntax: cipher [{/e|/d}] [/s:dir] [/a] [/i] [/f] [/q] [/h] [/k] [/u[/n]] [PathName [...]] | [/r:PathNameWithoutExtension] | [/w:PathName]

	IPSec can be implemented in a Windows 2000/XP domain using Active Directory or on a Windows XP machine through its Local Security settings. This technology was introduced in Windows 2000 and is not available in older versions of Windows.
	IPSec itself is a protocol, not a service. It consists of two separate protocols, Authentication Headers (AH) and Encapsulated Security Payload (ESP). AH provides authentication, integrity and anti-replay but does not encrypt data and is used when a secure connection is needed but the data itself is not sensitive. ESP provides the aforementioned plus confidentiality (data encryption) and is used to protect sensitive or proprietary information but is associated with greater system overhead for encrypting and decrypting data.
	Supported IPSec authentication methods are Kerberos v5 Public Key Certificate Authorities, Microsoft Certificate Server, and Pre-shared Key. (KB# Q240262)
	The IPSec Policy Agent is a Windows XP service that runs within the LSASS.EXE process and shows up in the Services snap-in in MMC. It is loaded and started at system startup and retrieves an IPSec policy from either Active Directory or the local registry. After the IPSec Policy has been obtained, it will be applied to *all* IP traffic sent or received by that system (default behavior - IPSec policy can be modified to allow "soft associations" KB# Q234580).
	Before two computers can communicate they must negotiate a Security Association (SA). The SA defines the details of how the computers will use IPSec, with which keys, key lifetimes, and which encryption and authentication protocols will be used.
	When participating in a Windows XP domain, IPSec policies are stored in Active Directory. Without AD, they are stored in these registry keys...
	Group Policy: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy\Cache
	Local Policy: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Policy\Local