Post-Install Configuration of Windows 2000 Server

Materials:
Working complete PC Running Windows 2000 Server
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
Student CD-ROM, "Windows 2000 Server OEM"
Objectives:
The student will become familiar with:
The Server Project Prototype Phase,
The Server OS Installation Process,
The Windows 2000 Commandline,
The Windows 2000 Setup Logs,
General Windows 2000 Server Configuration procedures,
Windows 2000 Configuration Tools.
Competency:
The student will learn how to install the Windows 2000 Server operating system including how to perform post-installation checks to make sure that the installation was complete and error-free. The student will become familiar with the general procedures for checking the system for trouble-free status as well as how to perform various recommended post-install procedures for increased reliability, recoverability, and security.
Preparation
  1. The student should already be familiar with the pre-installation and installation process of setting up the prototype server with Microsoft Windows 2000 Advanced Server, done in the previous lecture/lab module. This module explores various technologies designed to check the status of the installation just performed, to improve the ability to determine which problems occurred during the installation, and to improve the recoverability of the system should it fail in the future.

  2. Upon final reboot to the desktop following the installation of Windows 2000 Advanced Server the student may at this point proceed with the following post-install operations including:

Procedures - Implement Administrator Account Security
  1. Once the personal changes have been made to the default Administrator account, create at least two more users for the Administrator to use: another full Administrator and a test user. Many times items will be installed or configured on the server by the Administrator and will only be available to the Administrator, even though these items were installed for regular users to use. The test user account can be used by the Administrator to make sure that the new features are accessible by a regular user. The other Administrator account is the Administrator's "back door", a second account through which to gain access to the system in case the original account gets damaged. The "back door" administrator account should have a difficult-to-guess name like: !1O#3T%5F ([Shift]+[1], then [1], then letter [O] which is the first letter of the word "one", then [Shift]+[3], then [3], then [T] which is the first letter of the word "Three", repeat for the number 5) and the password should be a strong one. The backdoor account name and password will likely be forgotten, so they should be written down in the server documentation, which should be secured away from the server, and a copy of all of the server's documentation should be secured off-site as well.

  2. Rename the original Administrator's account. This makes brute force attempts to hack the account much more difficult and time consuming. A brute force attack works like this: it knows that the encrypted logon attempt was made using the text "Administrator". It throws random keys at the encrypted text until this text falls out, meaning that the key has been found. For example, assume that these are the ASCII codes of the encrypted logon packet:

      benjojtusbupsopxbz
    

    Subtract one from each ASCII code (so that B becomes A, C becomes B, etc.) and the result is:

      administratornoway
    

    So if the brute force cracking program knows that the administrator's username is administrator (which these programs are indeed looking for to pop up out of the random key decryptions that they test), then it knows that this has been decoded and the password is "noway". The real Administrator account that will be used often should be given a terrible name like "TIN9WIH8TWG7TO", which looks awful at first until you realize that every fourth character is a digit in descending order starting with "9" and that each letter is the first letter of each word in the sentence: "There Is No Way In Heck They Will Get This One". Because it looks like trash even when decrypted, it helps befuddle poorly written brute force hacking tools.

  3. The subject of security is far beyond the scope of this course, and it is the technician's responsibility to inform the customer that the system is "up and running but it is not secured". Be sure that the customer understands that they need a security expert, such as a technician certified by CompTIA in Security+ or an MCSE or preferably both, to lock the server down properly.
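
The shift-by-one illustration in step 2, carried through as an added example (not part of the original lab): a key search that accepts a key only when the decoding begins with the account name it expects, run against the default name and against the renamed account. The function names and the reuse of the password "noway" for the renamed case are assumptions made for the illustration.

```python
# Added illustration of the toy model in step 2; names here are hypothetical.
CAPTURED = "benjojtusbupsopxbz"          # encoded string from step 2


def shift(text, key):
    """Add `key` to every ASCII code (a negative key decodes)."""
    return "".join(chr((ord(c) + key) % 128) for c in text)


def crib_search(captured, cribs, max_key=127):
    """Try each key in turn and accept it only when the decoding starts
    with a known account name (the crib).

    Returns (key, account_name, remainder) or None if no key qualifies.
    """
    for key in range(1, max_key + 1):
        plain = shift(captured, -key)
        for crib in cribs:
            if plain.lower().startswith(crib.lower()):
                return key, crib, plain[len(crib):]
    return None


def demo():
    cribs = ["administrator"]            # the default name the search expects
    default_hit = crib_search(CAPTURED, cribs)
    # Same key and password, but the account renamed as step 2 recommends.
    renamed = shift("TIN9WIH8TWG7TO" + "noway", 1)
    renamed_hit = crib_search(renamed, cribs)
    return default_hit, renamed_hit


if __name__ == "__main__":
    print(demo())
```

With the default name the search stops at key 1 and the remainder is the password; with the renamed account no key produces the expected name, so the search has nothing to confirm a key against.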

Procedures - Implement Personal Settings
  1. Upon the first reboot to the desktop, straighten out the Administrator account now. This includes any personal settings. Since the administrator is responsible for keeping the system operational, essentially being the first technician for the system, the following personal settings steps are recommended.

  2. Open "My Computer" > "Local Disk (C:)" > View (Main Menu) > Details. Right click on the "Name" column header and select "More...". In the resulting window, uncheck "Type" and check "Attributes", "Owner", "Created", and "Accessed". Select each item and use the Move Up and Move Down buttons to organize the detail columns (items listed top to bottom appear left to right in the Windows Explorer details view of any open folder), then click the OK button:

    Choose the meaningful information to be displayed,
    organize the columns, then click the OK button

  3. With the C: drive still open, click Tools (Main Menu) > Folder Options > General (tab) > "Use Windows Classic Desktop" (radio button) and "Use Windows Classic Folders" (radio button). Then click the View tab > check "Display compressed ...", check both "Display the full path...", select "Show hidden files and folders" (radio button), uncheck "Hide extensions of known file types", uncheck "Hide protected operating system files", uncheck "Remember each folder's view settings". Now click the "Apply" button. These explorer settings will be applied permanently to all folders.

    Making the needed changes in the Folder Options View tab properties sheet

    After applying the Windows explorer view settings, all open folders
    will display more meaningful information at a glance

  4. Right click on the desktop and select Properties > Effects (tab) > uncheck all effects and click the "Apply" button. Removing visual effects means that the interface has to do less work just to make things look better, which is entirely unimportant on a server locked in a closet.

    Disable all visual effects, they are a waste of processing power especially on a server

  5. Make any other personal modifications that you feel are necessary.
Procedures - Checking the Fresh Installation for Errors
  1. From the desktop open a command prompt and issue this command:

    C:\WINNT>echo %systemroot%
    C:\WINNT
    C:\WINNT>_
    

    This displays the text C:\WINNT on the following line and then returns to the prompt. This is the value of the environment variable %systemroot%, and it is what is meant whenever this variable is referred to in any documentation (an environment variable is anything between two percent signs). The value held in the %systemroot% variable is the location where the operating system has been installed. Remember that in the boot sequence, the MBR of the physical disk that the system BIOS bootstrap loader will try to boot from must contain the pointer to the partition on which the operating system files have been placed, and this partition does not have to be on that physical disk; it can be on another physical disk. This variable indicates the partition and the folder, which the installation allows the user to name something other than WINNT.

  2. Now open Notepad.exe, then File > Open, navigate to the %systemroot% folder, change the Filename text box to read "*.LOG" (no quotes!) and press [Enter]. Double-click the file named Setuperr.log in the open dialog box. Here is a sample excerpt:

    Warning:
    NetSetup: Could not find a section for {4EE2B32E-2859-430D-8E94-B94407586A01},
    therefore if parameters were specified for this adapter (e.g. static IP address,
    etc.) they will not be used.
    ***
    
  3. If the file which lists errors that occurred during the setup process (setuperr.log) is empty, then that is wonderful. If it does have entries like the example above, then they must be pursued. The ClassId (the huge number in curly braces) can be copied onto the clipboard, then regedit can be opened and the value pasted into the Find What box. If it is found, determine the name of the device that this ClassID is attached to and check it in device manager. If the device manager reports that the device is OK, then move on to the next warning that involves a device or service that "will not be used" or some other similar verbiage.

  4. Not all of these log files are found in the %systemroot% folder. If necessary use Start > Search > Files and Folders to find and open them. Here are the significant setup activity log files and what they do:

  5. Sample from Setupapi.log:

    [2000/11/22 17:12:05 340.12]
    Munged cmdline: setup -newsetup
    EXE name: C:\WINNT\system32\setup.exe
    Installing Device Class: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} 1394.
    Class install completed with no errors.
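
The Setuperr.log check from step 3 can be done in one pass over a copy of the log. This is an added example, not part of the original lab: it splits the log into entries, pulls out the values in curly braces, and lists the ones worth searching for in the registry. The entry layout is assumed from the excerpt in step 2, the function names are hypothetical, and the second sample entry and the second skip phrase are constructed.

```python
import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "will not be used" is the wording in the excerpt; the other phrase is an
# assumed example of "similar verbiage".
SKIP_PHRASES = ("will not be used", "was not installed")


def _entry(severity, lines):
    text = " ".join(lines)
    comp = re.match(r"(\w+):\s", text)        # e.g. "NetSetup: ..."
    return {
        "severity": severity or "Unknown",
        "component": comp.group(1) if comp else "",
        "guids": GUID_RE.findall(text),
        "skipped": any(p in text.lower() for p in SKIP_PHRASES),
        "text": text,
    }


def parse_setuperr(log_text):
    """Split Setuperr.log text into entries.

    Assumed layout, taken from the excerpt: a one-word severity line
    ("Warning:"), message lines, then a line made only of asterisks.
    """
    entries, severity, lines = [], None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"*"}:                # entry terminator
            if severity or lines:
                entries.append(_entry(severity, lines))
            severity, lines = None, []
        elif severity is None and not lines and re.fullmatch(r"\w+:", line):
            severity = line[:-1]
        else:
            lines.append(line)
    if severity or lines:                      # log cut off before the final ***
        entries.append(_entry(severity, lines))
    return entries


def guids_to_look_up(entries):
    """GUIDs from skipped-device entries, in log order, without repeats."""
    found = []
    for e in entries:
        for g in e["guids"] if e["skipped"] else []:
            if g.upper() not in (f.upper() for f in found):
                found.append(g)
    return found


# First entry is the excerpt from step 2; the second entry is constructed.
SAMPLE = """\
Warning:
NetSetup: Could not find a section for {4EE2B32E-2859-430D-8E94-B94407586A01},
therefore if parameters were specified for this adapter (e.g. static IP address,
etc.) they will not be used.
***
Error:
Setup could not copy the file example.dll.
***
"""

if __name__ == "__main__":
    for e in parse_setuperr(SAMPLE):
        print(e["severity"], e["component"], e["guids"], e["skipped"])
```

An empty log parses to an empty list, which is the clean result step 3 hopes for.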
    

Reconfigure CD-ROM Install to Point to Local Install Folder
  1. It is probably a good idea with CD-ROM installations to copy the installation files to the hard drive and configure Windows to retrieve any needed files from there rather than requesting the original installation CD-ROM, which should be securely stored with the rest of the server documentation. Copy the i386 folder from the installation CD-ROM to the root of the C: drive. Open "My Computer" > D: > ENGLISH > WIN2000 > ADV_SERV. This folder holds the correct i386 folder. Right click it and select "Copy", then open the C: drive, right click any white area and select "Paste".

  2. To configure Windows to refer to this new location the following registry keys must be changed from the following data to "C:\i386" or "C:\" as needed:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    Sourcepath = "D:\ENGLISH\WIN2000\ADV_SERV\i386"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
    Sourcepath= "D:\"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
    Installation Sources = "D:\ENGLISH\WIN2000\ADV_SERV\i386" 
    
  3. The following key will exist if a service pack has been applied to the installation and it can be changed if you decide to move the service pack files folder to another location (such as a centralized network share):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
    ServicePackSourcePath = "C:\WinNt\ServicePackFiles"
    
  4. The following key must be added to keep some utilities from assuming that the installation was CD-ROM based:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup]
    CDInstall = 0
    
  5. Whenever you actually write a value into the registry, such as these changes, you should use regedt32.exe, NOT regedit.exe, which is the exact same program that came with Windows 9x, and that version WILL CORRUPT Windows 2000 registry values. Click Start > Run, type "regedt32" and click OK to start the correct registry editor. Then dig down to the keys indicated above and make the EXACT changes to the value/data pairs as indicated.

Procedures - Verify Drivers
  1. If the server installation was done properly, meaning the server was designed from the beginning around 100% Microsoft HCL approved devices, then troubles should be minimal. Nevertheless it is very possible that combinations of approved devices could still conflict with each other, causing problems. On rare occasions these problems will not result in obvious signs from the system until it is much too late. For example, a yellow exclamation point in device manager should be recognized for what it is: a device that is not working properly. This usually means that the system can identify it through PnP but that the device's drivers are not loaded, are currently conflicting with another device, or have been disabled because they are causing the system problems. Whatever the reason behind the yellow exclamation point, what it really means is that the device is not running properly, and on a server of a network this translates to: there is a very bad day in your future ... when the server starts bogging down or completely fails. It cannot be overstated that this new young server must be stabilized, which includes cleaning up all issues, especially in device manager, prior to continuing with the post-install configuration of the server. Therefore these issues must be completely resolved before putting the server into use.

  2. Aside from these tools here are some other Windows 2000 specific tools that should be used in addition to device manager and system information to check the status of the drivers that Windows 2000 installed during setup, to verify the drivers, configure for legacy support and to update any additional drivers.

Procedures - Launch/verify Windows File Protection
  1. Windows File Protection keeps a store of important operating system files in the folder named %systemroot%\system32\DLLCACHE, and whenever any of these files is modified or deleted by any process, Windows will copy the file from the DLLCACHE folder back over the changed one. This protects it mainly from software installations that overwrite existing Windows core files with customized ones that may introduce serious bugs that ultimately cause the system to crash.

  2. WFP is a technology introduced with Windows 98, and working effectively starting with Windows 2000 Professional and Server. WFP is not necessarily turned on by default and so should be checked at this time. WFP is always deactivated when booting into safe mode or when booting to the recovery console. When WFP is inactive it obviously cannot detect a system file change and therefore cannot take any action to correct it either. To verify that WFP is active, open a DOS box and type "sfc /?". This is the "System File Checker" system tool. From the help screen, it can be seen that in order to run a full system file check it needs the switch "/SCANNOW". Run a full system file check on the server at this point. If SFC cannot run, then WFP is inactive for some reason and this situation must be remedied immediately before proceeding with the post-installation configuration procedures for the server. If it does start properly, then let it run and be sure that it reports no problems. Note: if it requests the installation CD-ROM, this means that it did find a changed system file, and the original was not in the DLLCACHE folder. Providing it with the CD-ROM should be sufficient to fix both the changed file AND the DLLCACHE. Nevertheless, SFC should be repeated until no further CD-ROM requests are made.

  3. Check the following registry key to be sure that SFC is activated:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    SFCScan=1
    
Procedures - Install and Configure Additional Hardware/Software/Components
  1. Only in rare cases will a Windows 2000 Server be able to function on the network as a DHCP client, meaning that it will receive its TCP/IP configuration from a DHCP server and its IP address will change from time to time. Since the server is a network resource and the name resolution services on the network map its user-friendly name to its IP address, servers are far better off using static IP addresses so that this mapping will not suddenly be pointing to a non-existent or, worse, incorrect host. The DHCP server itself really cannot be a DHCP client, since it is the server that issues the addresses to the clients. Therefore the server's TCP/IP should be configured at this time.

  2. Any additional hardware (except printers) should be installed at this time. Any additional software that needs to be installed on the system should be installed at this time and any optional Windows components should be installed at this time (such as the installation of DHCP, DNS, WINS, etc. server services).

    Install DHCP, DNS, and WINS
Procedures - Implement Storage Solutions
  1. The drives on the server should be upgraded to dynamic disks. Windows server is almost non-functional if not installed on NTFS. The file system can be converted, but it is far better to perform the clean installation into an NTFS partition, which was done in the previous exercise. Even on an economy model server a second IDE drive costs less than $100 and can be used to create a software level RAID. For the level of disaster prevention that this brings for this small price, not setting it up would be ridiculous.

    Disk Management - Upgrade Basic Disk to Dynamic Disk
    Disk Management - RAID1 (Mirror the C: Drive)
  2. The Distributed File System should be configured at this time if it is going to be used. The Encrypted File System should be set up and configured so that all users' home directories have been established and encrypted. All certificates should then be exported and preferably saved onto removable media, which can then be secured away from the server, with another copy off-site.

    Setup Distributed File System
Procedures - Implement Backup Solutions
  1. The first full backup should be performed once the system is fully operational. All drives should be removed upon completion of the backup and new drives should be installed. The OS should be reinstalled (without all of the post-configuration covered above), and the backup should be restored to be sure that it is fully functional and reliable. A backup strategy should then be set up and followed. (The drives should be removed and the original installation drive(s) should be reinstalled once the test of the backup is complete.)

Procedures - Apply Service Packs/Critical Updates/Hotfixes
  1. There is mixed opinion on running the Windows automatic update service UPDMGR.EXE to schedule automatic checking of the Microsoft website for updates. It is probably a better idea for the Administrator to do this manually either daily or every other day. The system should always be fully backed up prior to the installation of a Windows update or indeed any software that will change operating system files. This is why the complete installation and configuration of the first backups was done in the step previous to this one.

  2. After the installation of all Service Packs and Critical Updates verify the Windows Version and the amount of memory that the system recognizes.

  3. An alternative approach to waiting to install a service pack last is to install it from the very beginning. This is done by "slipstreaming" the service pack on top of the installation files (the I386 folder) before starting the installation. The best method for "killing two birds with one stone" (having the installation not depend on the CD-ROM as the original installation location and having the original installation updated with the latest service pack) is to do the following:

    1. Install the new hard drive on the system and boot to a Windows 95B or later boot disk
    2. Run FDISK and create a Primary partition on the hard drive of the desired size above 512MB so that it will be FAT32 (install does not recognize NTFS!)
    3. Reboot to the diskette and run FORMAT C: /S /U to format the drive bootable. You should copy HIMEM.SYS and SMARTDRV.EXE to the root of the C: drive, create a one line CONFIG.SYS to load HIMEM.SYS and a one line AUTOEXEC.BAT to load SMARTDRV like this:
      C:\>echo device=himem.sys > config.sys
      
      C:\>echo smartdrv 16384 16384 > autoexec.bat
      
    4. Turn off the system and remove the drive. Install it as a second drive on any system running any Windows NT Version 5.0 or later (Windows 2000 Professional or Server, Windows XP, Server 2003, Vista, etc.)
    5. Startup the system normally, insert the Windows 2000 Advanced Server installation CD and copy the I386 folder from the installation CD-ROM to the partition
    6. Download or insert the service pack CD-ROM and perform a "slipstream" installation, which modifies the installation CABs rather than actually installing onto the live operating system. For Windows 2000 Advanced Server, open a DOS box, change to the CD-ROM drive letter and then to the directory, then run the service pack program with the appropriate switch:
      C:\>D:
      
      D:\>cd english\win2000\sp4
      
      D:\ENGLISH\WIN2000\SP4>w2ksp4 -s:e:\
      
      
    7. The preceding command will unpack Service Pack 4 into a temporary directory, then apply it to the i386 folder within the root of the E: drive. When done, properly shut down, remove the drive and install it onto the intended system again.
    8. Boot to the hard drive, at the C: prompt, change to the i386 directory and run the DOS executable that prepares the hard drive for the installation:
      C:\>cd i386
      
      C:\I386>winnt
      
    9. The preceding command will unpack the installation files and offer to reboot. When the system reboots, the full installation will begin as if it were running from the CD-ROM, but this time it will run much faster (coming from the hard drive instead of the optical drive), it already has Service Pack 4 in it, and it will never need the installation CD-ROM since the i386 folder is already on the hard drive and it "knows" it. You would proceed with the full install from this point as covered in Lab 7.

  4. Once the system has been verified as fully installed and stable at this point, the first fully functional full backup should be taken of the system and tested. Once this has been done, the server is ready for the pilot phase of the server project.


Copyright©2000-2008 Brian K. Robinson ALL RIGHTS RESERVED