Configuring Windows 2000 Server
This chapter explores the many tools for configuring and
managing the system, managing users, and controlling
other aspects of Windows 2000.
The Microsoft Management Console
In Windows NT, most management functions are scattered
through various utilities, some of which appear in the Control
Panel. Others are located in the Administrative Tools folder on
the Start menu. Still others are hidden in the deep recesses of
the file system, accessible only by Administrators with the time
to hunt them down. Each typically provides a unique UI and no
means of integrating tools together under a single interface.
One of the many changes in the Windows 2000 interface and
administrative structure over Windows NT is the switch to a
more homogenous approach to administrative utilities. While
many system and operating properties are still controlled
through the Control Panel, most administrative functions have
moved to the Microsoft Management Console, or MMC. The
MMC runs under Windows 2000, Windows NT, and Windows
9x. This section of the chapter examines the MMC and its
component tools.
Tip: You’ll find additional information about the MMC as well
as additional snap-ins at http://www.microsoft.com/management/mmc.

which you can store by name on disk. The next time you need to work with it,
you run the MMC console from the Start menu or double-click its icon or shortcut.
For example, let’s say you want to put together a custom console for managing a
Windows 2000 Internet server. You can integrate the tools for managing DNS, DHCP,
and IIS all under one interface. This custom console gives you quick access to most
of the settings you need to configure on a regular basis for the server.
The MMC window consists of two panes. The left pane can contain two tabs:
Tree and Favorites. The Tree tab generally shows a hierarchical structure for the
object(s) being managed. When you use the Active Directory Users and Computers
console, for example, the tree shows the containers in the Active Directory (AD)
that pertain to users, groups, and computers. The Favorites tab lets you create
a list of frequently used items in the tree. The right pane is the details pane.
The details pane changes depending on the item you select in the tree. When
you select Services in the tree, for example, the details pane shows the list of
installed services.
4667-8 ch06.f.qc 5/15/00 1:58 PM Page 168
Chapter 6 ✦ Configuring Windows 2000 Server
MMC provides two different modes: user mode and author mode. In user mode, you
work with existing consoles. Author mode lets you create new consoles or modify
existing ones. Figure 6-2 shows the Services console opened in user mode. Figure
6-3 shows the Services console opened in author mode. As indicated in the figures,
author mode offers access to commands and functions not available in user mode.
Figure 6-2: User mode restricts the actions a user can perform within
a console.
Figure 6-3: Author mode provides the ability to change console options
and add new snap-ins.
User mode actually offers three different options: full access, limited access with
multiple windows, and limited access with a single window. With full access, an
MMC user can access all the window management commands in MMC but can’t

is useful when you’re creating shortcuts to consoles for use
on different systems (where the system root folder might be different).

/a: Use the /a switch to enter author mode and enable changes to the
console. Opening an existing console with the /a switch overrides its
stored mode for the current session.
/s: Use this switch to prevent display of the splash screen that normally
appears when the MMC starts on Windows NT or Windows 9x systems.
This switch isn’t needed when running the MMC under Windows 2000.
For example, let’s say you want to open the DNS console in author mode to add the
DHCP snap-in to it. Use this command to open the DNS console in author mode:
MMC %systemroot%\System32\dnsmgmt.msc /a
You can right-click an .msc file and choose Author from the context menu to open
the file in author mode.
After opening the DNS console, you add the DHCP console using the Add/Remove
Snap-In command in the Console menu. Snap-ins are covered in the next section.
If you prefer, you can simply open the MMC in author mode, then add both snap-ins
using the Add/Remove Snap-In command in the Console menu.

Part II ✦ Planning, Installation, and Configuration
Snap-ins come in two flavors: standalone and extension. Standalone snap-ins are
usually called simply snap-ins. Extension snap-ins are usually called simply extensions.
Snap-ins function by themselves and can be added individually to a console.
Extensions are associated with a snap-in and are added to a standalone snap-in or
other extension on the console tree. Extensions function within the framework of
the standalone snap-in and operate on the objects targeted by the snap-in. For
example, the Services snap-in incorporates three extensions: Send Console
Message, Service Dependencies, and SNMP Snap-in Extension.
You can add snap-ins and extensions when you open a console in author mode.
By default, all extensions associated with a snap-in are added when you add the
snap-in, but you can selectively disable extensions for a snap-in.
To add a snap-in, open the MMC in author mode and choose Console ➪ Add/Remove
Snap-In. The Standalone page of the Add/Remove Snap-In property sheet
shows the snap-ins currently loaded. The Extensions tab lists extensions for the
currently selected snap-in and allows you to add all extensions or selectively
enable/disable specific extensions.
In the Standalone page, click Add to add a new snap-in. The Add Standalone Snap-In
dialog box lists the available snap-ins. Click the snap-in you want to add and click
Add. Depending on the snap-in, you might be prompted to select the focus for the
snap-in. For example, when you add the Device Manager snap-in, you can select
between managing the local computer or managing another computer on the network.
Adding the IP Security Policy Management snap-in lets you choose between
the local computer, domain policy for the computer’s domain, domain policy for
another domain, or another computer.
After you configure snap-ins and extensions the way you want them, save the console
so you can quickly open the same configuration later. To do so, choose Console, Save,

✦ Selected tree item: This option applies the taskpad only to the selected item in
the tree. Using the DNS snap-in as an example, creating a taskpad for Forward
Lookup Zones and using this option will cause the taskpad to appear only
when you click Forward Lookup Zones. It will not appear if you click Reverse
Lookup Zones.
✦ All tree items that are the same type as the selected tree item: This option
applies the taskpad to all objects in the tree that are the same type as the
selected object. Using the previous DNS example, choosing this option will
cause the taskpad to display when you click either Forward Lookup Zones
or Reverse Lookup Zones.
Figure 6-6: The first wizard page helps you configure the
way the taskpad appears.
✦ Change default display to this taskpad view for these tree items: Select this
option to have the MMC automatically switch to taskpad view when the user
clicks the object in the tree associated with the taskpad. Deselect the option
to have the MMC default to the normal view instead.
The third page of the wizard prompts you for a taskpad view name and description.
The name appears at the top of the taskpad and on the tab at the bottom of the
taskpad. The description appears at the top of the taskpad under the taskpad name.
On the final page of the wizard, you can click Finish to create the taskpad. The Start
New Task wizard option, if selected, causes the Start New Task wizard to execute
when you click Finish. This wizard, described in the next section, helps you create
tasks for the taskpad.
Creating tasks
After you create a taskpad, you’ll naturally want to create tasks to go on it. Select
the Start New Task wizard option if you are in the process of creating the taskpad.
Or, right-click the node in the tree that is associated with the taskpad, choose Edit

task itself. To modify the task, remove the task and recreate it. You also can use
the up and down arrows to change the order of tasks in the list, which changes
their order of appearance on the taskpad.
Figure 6-7: Use the Tasks page to
add, remove, and modify tasks.
Favorites
The Favorites list in the left pane of the MMC lets you access often-used objects in
a console with a single click. The Favorites list appears when you open a console
in author mode or if the Favorites list contains any items. The tab doesn’t show up
in the left pane when the console is opened in user mode or if the Favorites list is
blank. It is useful for quickly accessing objects that are buried deep in the tree. You
also can use Favorites to simplify the view of the tree for inexperienced users.
To add an item to Favorites, click the object in the tree to which you want to create
the shortcut, then choose Favorites ➪ Add to Favorites. Specify a name for the
shortcut and the folder in which you want it created. Click New Folder to create a
new folder for the shortcut.
You can use the Organize Favorites dialog box to create folders, move items from
one folder to another, and rename or delete items. Choose Favorites ➪ Organize
Favorites to open the Organize Favorites dialog box.
Other Add-In Tools
Snap-ins are just one of the objects you can add to an MMC console. Other objects
include ActiveX controls, links to Web pages, folders, taskpad views, and tasks. The
previous section explained taskpad views and tasks. The following list summarizes
the additional items:
✦ ActiveX controls: You can add ActiveX controls to a console as the details/
results view (right pane) for the selected node of the tree. The System
Monitor Control that displays system performance status in Performance

several icons in systemroot\system32\Shell32.dll.
✦ Console mode: Choose the mode in which you want the console to open for
the next session. Choose between author mode and one of the three user
modes discussed previously.
✦ Enable context menus on taskpads in this console: Select this option to
enable context menus in taskpads. If deselected, right-clicking a taskpad
object will have no effect (no context menu is displayed).
✦ Do not save changes to the console: Select this option to prevent the user
from saving changes to the console, in effect, write-protecting it.
✦ Allow the user to customize views: Select this option to allow users to add
windows focused on items in the console. Deselect to prevent users from
adding windows.
You also can control view options within the MMC. To do so, choose View ➪ Customize
to access the Customize View dialog box (Figure 6-9). The options
in the Customize View dialog box are self-explanatory.
Figure 6-9: Use Customize View to set
view properties in the MMC.
Control Panel versus MMC
Even though the MMC now serves as the focal point for many of the administration
tasks you’ll perform on a regular basis, the Control Panel hasn’t gone away. The
Control Panel is alive and well and contains several objects for configuring the system’s
hardware and operating configuration. The tools provided for the MMC do
not take the place of the Control Panel objects or vice-versa. However, you will find
some of the MMC tools in the Administrative Tools folder in the Control Panel.
The Control Panel in Windows 2000 works much like the Control Panels in Windows

separate consoles. See the sections, “Event Viewer,” and, “Services,” later in this
chapter for more details.
Figure 6-10: Use Component Services to configure COM+ applications
as well as general Windows 2000 services.
Computer Management
The Computer Management console (Figure 6-11) provides tools for managing
several aspects of a system. Right-click My Computer and choose Manage, or
click Start ➪ Programs ➪ Administrative Tools ➪ Computer Management to open
the Computer Management console. Computer Management is composed of three
primary branches: System Tools, Storage, and Services and Applications. System
Tools provides extensions for viewing information about the system, configuring
devices, viewing event logs, and so on. Storage provides tools for managing physical
and logical drives and removable storage. Services and Applications lets you
configure telephony, Windows Management Instrumentation (WMI), services,
and the Indexing Service. Other applications can appear under this branch as
well, depending on the system’s configuration.
You can use Computer Management to manage either the local computer or
a remote computer. Right-click the Computer Management node and choose
Connect to another computer to manage a remote system. The tasks you can
perform are usually the same whether locally or remotely, but some tasks
can only be performed within the context of the local system. This chapter
assumes you’re using Computer Management to manage the local system.
Figure 6-11: Computer Management integrates several snap-ins to
help you manage a system, its storage devices, and services.
This section covers the snap-in extensions provided in the Computer Manage-

Perhaps the most useful aspect of the System Information branch is that you can
extract the information to a text file or system information file. The text file can be
opened in any text editor, incorporated into a report document, embedded in an
e-mail message, and so on. The system information file (.nfo file) uses a proprietary
file format that can be read and displayed by the System Information snap-in
extension. Saving a system’s configuration to disk in .nfo format lets you take a
“snapshot” of the system to use as a baseline for comparing later changes or simply
as a record of the system’s settings. The benefit of saving the configuration to a
.nfo file rather than a text file is that you can view it in a hierarchical structure
within the snap-in. The benefit of using a text file is that you can incorporate the
data in other documents.
To save a .nfo file, right-click any node of the System Information branch and
choose Save As System Information File. Specify a file name and click OK. System
Information saves the entire branch regardless of where you clicked it (it could take
a while for the file to be generated). To view a .nfo file, simply double-click the file
(Figure 6-12).
Figure 6-12: You can view a saved .nfo file within the System Information snap-in
extension by double-clicking the .nfo file.

is particularly useful since System Information contains a lot of information.
Follow these steps to perform a search in System Information:
1. Click the level at which you want to search.
2. Choose Action ➪ Find and enter your search text in Find What.
3. Choose between the following options:
• Check Restrict Search to Selected Category to search only the currently
selected category. Uncheck this to search all categories.
• Check Search Categories Only to search only the console (left) pane and
not the results (right) pane for the specified text. Uncheck this to search
the results pane as well.
4. Click Find Next to begin the search.
Performance Logs and Alerts
The Performance Logs and Alerts branch of the Computer Management snap-in provides
a tool for setting up performance monitoring. You can configure counter logs,
trace logs, and alerts. This branch is useful only for viewing or modifying settings —
it doesn’t enable you to actually execute any performance monitoring. Instead, you
need to use the Performance MMC snap-in. See Chapter 20 for detailed information
on configuring performance logs and alerts, and monitoring system performance.
Shared Folders
The Shared Folders branch of the Computer Management snap-in lets you view and
manage shared folders, connections, and open files. It takes the place of features
formerly found in the Windows NT Server Manager. The Shares node lets you view
shares on the selected computer. In addition, you can double-click a share to view
and modify its properties and share permissions. See Chapter 20 for information on
publishing folders in the Active Directory.
Tip: You can create and manage shared folders through the Explorer interface. The
advantage to using Shared Folders instead is that you can see all shares on the system
at a glance.

IPC$: The IPC$ share is used to share named pipes and is used during remote
administration and when viewing a computer’s shares.
PRINT$: This share enables remote printer administration and points by
default to systemroot\System32\spool\drivers.
NETLOGON: This share is used to support user logon, typically for storing
user logon scripts and profiles. There is no pre-defined NETLOGON share
for Windows 2000 Professional computers, but such a system will look
by default in the systemroot\System32\Repl\Import\Scripts folder
of the local computer when the user logs on locally in a workgroup for
profiles and scripts. In Windows 2000 domains, the NETLOGON share
points to sysvol\domain\Scripts on the domain controller(s).
FAX$: This share is present when the fax service is installed and shared. It

Device Manager is the primary tool you use for configuring a system’s hardware.
To view or manage a device, locate it in the details pane and double-click the device
(or right-click and choose Properties) to display the device’s property sheet. The
contents of the property sheet vary according to the device type. Figure 6-13 shows a
typical property sheet for a network adapter.
Figure 6-13: Use a device’s property sheet to view
and configure settings such as resource usage.
The General page, shown in Figure 6-13, provides general information about a device,
such as device type, manufacturer, and so on. Use the Device usage drop-down list to
enable or disable the device. Click Troubleshooter if you’re having problems with the
device and want to use a wizard to help troubleshoot the connection.
It isn’t practical to cover all the settings for all possible types of devices in this
chapter. The following sections explain tasks common to most devices: changing
drivers and modifying resource assignments.
Driver changes
The Driver property page lets you view details about, uninstall, and update a
device’s driver. Click Driver Details to view a list of the files that comprise the
device’s driver. This list is useful for checking file or driver version to make sure
you’re using a specific version of the driver. Use Uninstall if you want to remove
the selected device’s driver.
The Update Driver button opens the Upgrade Device Driver wizard. Use the wizard
to install an updated driver for the device. The wizard gives you the option of searching
your system’s floppy and CD-ROM drives, another specific location (local or remote
share), or the Microsoft Windows Update Web site. Just follow the prompts to complete
the update. In some cases, changing drivers requires a system restart.
Resource assignment
Because it supports Plug-and-Play (PnP), Windows 2000 can assign device resources

The primary difference between creating local accounts and groups and the same
objects in the Active Directory is that the Active Directory provides for additional
account and group properties. In addition, creating accounts and groups requires
an understanding of permissions, rights, group policy, and user profiles, all of
which are explained in Chapter 10.
Disk Management
The Disk Management node is the place to go to manage physical disks and volumes.
Disk Management takes the place of the Windows NT Disk Administrator, and
an important distinction is that unlike the Disk Administrator, Disk Management
performs most tasks immediately. In Disk Administrator, you must commit changes
for most tasks (such as creating or deleting a partition). If you’re an experienced
Windows NT administrator, keep this important point in mind when making storage
changes with Disk Management.
Some of the tasks you can perform with Disk Management include managing
partitions, converting basic disks to dynamic disks, creating volumes (basic,
spanned, striped, mirrored, RAID-5), creating and deleting physical volumes,
formatting disks, and so on. For a complete discussion of storage devices
and management (including the Disk Management node), see Chapter 16.
Disk Defragmenter
As a disk is used over time, the data on the disk is scattered into noncontiguous
clusters, becoming fragmented. Disk performance is greatest when data is not fragmented,
as it takes less time to read the data (since the drive heads don’t have to
move as much to reassemble the data). The Disk Defragmenter node in Computer
Management lets you analyze a disk for fragmentation and defragment the disk. See
Chapter 21 for a discussion of Disk Defragmenter and other options for improving
disk performance.
Logical Drives

provides a means for configuring general settings, logging, backup and restore of
the WMI repository, and security to control WMI access.
Services
In Windows 2000, services are applications that perform specific functions such as
networking, logon, print spooling, remote access, and so on within the operating
system. You can think of services as operating system-oriented applications that
function by themselves or in concert with other services or user applications to
perform specific tasks or provide certain features within the OS. Device drivers,
for example, function as services. Both Windows 2000 Professional and Server
include several standard services by default, and many third-party applications
function as or include their own services. A background virus scrubber is a good
example of a possible third-party service.
Windows NT administrators will remember the Services object in the Control Panel
that enables you to configure, start, stop, and pause services. In Windows 2000,
the Services node in the Computer Management snap-in takes over that function
(Figure 6-15). Services lists the installed services on the target system, and when
Detail view is selected, displays description, status, startup type, and account the
service uses to log on.
Figure 6-15: Use Services to configure, start, stop, and pause services, as well
as view service dependencies.
Starting and stopping services
A running service processes requests and generally performs the task it was
designed to accomplish. Stopping a service terminates the service and removes
it from memory. Starting a service initializes and activates the service so it can
perform its task or function. For example, the DNS Client service, when running, functions
as a DNS resolver and processes requests for name-to-address mapping in the DNS
namespace. If you stop the DNS Client service, it is no longer available to process

property page in the Service name field. For example, use the command NET START
ALERTER to start the Alerter service. Use NET STOP ALERTER to stop it.
NET START and NET STOP are very useful for controlling services remotely. If the
telnet service is running on the remote computer, you can telnet to the computer
and use NET START and NET STOP to start and stop services on the remote system.
Setting General service properties
Other settings on a service’s General property page control how the service is
listed in the details pane and how it starts up. Use the Display name field to specify
the name that will appear under the Name field for the service in the details pane.
Specify the service’s description in the Description field. Use the Start parameters
field to specify optional switches or parameters to determine how the service
starts. These are just like command-line switches for a console command.
Configuring service logon
The Log On property page for a service controls how the service logs on and the
hardware profiles in which the service is used. Most services log on using the
System account, although in some cases you’ll want to specify a different account
for a service to use. Some types of administrative services often use their own
accounts because they require administrative privileges. So, you’d create an
account specifically for the service and either make it a member of the Administrators
group or give it the equivalent permissions, subject to its specific needs.
Avoid using the Administrator account itself for a service to log on. When you
change the Administrator password (which you should do often if you use this
account), you will also have to reconfigure each service that used the Administrator
account to change the password in the service’s properties. Using a special account
for those services instead lets you change the Administrator account password
without affecting any services. Check out Chapters 10 and 11 where we spend a lot
of effort to hide the Administrator account and discontinue its use.
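One way to check the advice above, as an added example that is not from the book: the PowerShell function below lists services that log on with a named account and flags any that use the Administrator account itself. It assumes PowerShell 3.0 or later; the function name, the sample services other than Alerter, and the EXAMPLE domain are constructed for illustration.

```powershell
# Added example (not from the book). Lists services that log on with a named
# account and flags those using the Administrator account itself.

function Get-ServiceLogonAudit {
    [CmdletBinding()]
    param(
        # Objects with Name and StartName properties, e.g. Win32_Service instances.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Service,

        # Name of the built-in Administrator account (it may have been renamed).
        [string]$AdministratorName = 'Administrator'
    )
    begin {
        # Built-in service identities that are not ordinary user accounts.
        $builtIn = @('localsystem', 'nt authority\system',
                     'nt authority\localservice', 'nt authority\networkservice')
    }
    process {
        foreach ($svc in $Service) {
            $account = [string]$svc.StartName
            if ([string]::IsNullOrWhiteSpace($account)) { continue }  # no logon account recorded
            if ($builtIn -contains $account.ToLower()) { continue }   # System and similar

            # Reduce ".\user", "DOMAIN\user" or "user@domain" to the bare user name.
            $user = ($account -split '\\')[-1]
            $user = ($user -split '@')[0]

            [pscustomobject]@{
                Service = $svc.Name
                Account = $account
                Finding = if ($user -ieq $AdministratorName) {
                              'Uses the Administrator account'
                          } else {
                              'Dedicated account: review its group membership'
                          }
            }
        }
    }
}

# Constructed sample input (hypothetical services and domain). On a live system use:
#   Get-CimInstance Win32_Service | Get-ServiceLogonAudit
$sample = @(
    [pscustomobject]@{ Name = 'Alerter';    StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'BackupAgt';  StartName = '.\Administrator' }
    [pscustomobject]@{ Name = 'MonitorSvc'; StartName = 'EXAMPLE\svc-monitor' }
)
$sample | Get-ServiceLogonAudit | Format-Table -AutoSize
```

If the Administrator account has been renamed, pass its current name with -AdministratorName so the comparison still matches.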
The Log On property page contains the following controls:
✦ Local System account: Select to have the service log on using the local
System account.

