Post-Install Configuration of Windows 2000 Server

Materials:
Working complete PC Running Windows 2000 Server
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
Student CD-ROM, "Windows 2000 Server OEM"
Objectives:
The student will become familiar with:
The Windows 2000 Installation Process,
The Windows 2000 Commandline,
The Windows 2000 Setup Logs,
General Windows 2000 Server Configuration Tips,
Windows 2000 Configuration Tools.
Competency:
The student will learn how to install the Windows 2000 Server operating system including how to perform post-installation checks to make sure that the installation was complete and error-free. The student will become familiar with the general procedures for checking the system for trouble-free status as well as how to perform various recommended procedures for increased reliability, recoverability, and security.
Preparation

The student should already be familiar with the standard manual installation of the Windows 2000 Server operating system from the OEM CD-ROM. In this module various technologies will be explored that have been designed to check the status of the installation just performed and improve the ability to determine the problems that occured during the installation and the recoverability of the system should it fail in the future. Various tools and strategies covered in other modules will be linked accordingly.

Upon final reboot to the desktop following the installation of Windows 2000 Advanced Server the student may at this point proceed with the following post-install operations.

Procedures - Implement Security

  • Upon the first reboot to the desktop go ahead and straighten out the Administrator account now. Create at least two more users for the Administrator to use. Another full Administrator and a test user. Many times items will be installed or configured on the server by the Administrator and they will only be available to the Administrator even though these items were installed for regular users to use. The test user account can be used by the Administrator to make sure that the new features are accessible by a regular user. The other Administrator account is the Administrator's "back door" or second account through which to gain access to the system in case the original accouint gets damaged. See Creating New Users for details. At this point the of the tutorial series this server is not yet a domain controller so the users will be created by the utility "Local Users and Computers" in Computer Management.

  • Rename the original Administrator's account. This makes brute force attempts to hack the account much more difficult and time consuming. The way the brute force attack works is: It knows that the encrypted logon attempt was made using the encrypted text = "Administrator". Now it throws random keys at the encrypted text until this text falls out meaning that the key has been found. For example, assume that this is the ASCII codes of the encrypted logon packet:

      benjojtusbupsopxbz

    Subtract one from each ASCII code (so that B=A, C=B, etc) and the result is:

      administratornoway

    So if the brute force cracking program knows that the administrator's username is administrator (which these programs are indeed looking for to pop up out of the random key decryptions that they test) then it knows that this has been decoded and the password is "noway". The real Administrator account that will be used often should be given a terrible name like: "TIN9WIH8TWG7TO" which looks awful at first until you realize that every fourth character is a digit in descending order starting with "9" and that each letter is the first letter of each word in the sentence: "There Is No Way In Heck They Will Get This One" Because even decrypted it looks like trash it helps befuddle poorly written brute force hacking tools.

  • The subject of security is far beyond the scope of this course and it is the technician's responsibility to inform the customer that the system is "up and running but it is not secured" Be sure that the customer understands that they need a security expert such as a technician certified by CompTIA as Security+ or preferably an MCSE, to lock the server down properly.

    • Procedures - Checking the Fresh Installation of Errors

    1. From the desktop open a command prompt and issue this command:

      C:\WINNT>echo %systemroot%
C:\WINNT
C:\WINNT>_

      This displays the text C:\WINNT on the following line then returns to the prompt. This identifies the value of the environmental variable %systemroot% whenever this or any other environmental variable is refered to (anything between two percent signs) in any documentation. The value held in the %systemroot% variable is the location where the operating system has been installed. Remember that in the boot sequence, the MBR of the physical disk that the system BIOS boot strap loader will try to boot from must contain the pointer to the partition on which the operating system files have been placed and this partition does not have to be on that physical disk, ut can be on another physical disk. This variable will indicate the partition and the folder which the installation allows the user to name other than WINNT.

    2. Now open Notepad.exe and then File > Open and navigate to the %systemroot% folder and change the Filename text box to read "*.LOG" (no quotes!) and press [Enter]. Doubleclick the file in the open dialog box named Setuperr.log. Here is a sample excerpt:

      Warning:
NetSetup: Could not find a section for {4EE2B32E-2859-430D-8E94-B94407586A01},
therefore if parameters were specified for this adapter (e.g. static IP address,
etc.) they will not be used.
***

      If the file which lists errors that occured during the setup process (setuperr.log) is empty then that is wonderful. If it does have entries like the example above then they must be pursued. Now this ClassId (the huge number in curly braces) can be copied onto the clipboard and then regedit can be opened and the value can be pasted into the Find What box. If it is found then determine the name of the device that this ClassID is attached to and check it in device manager. If the device manager reports that the device is OK, then move on to the next warning that involves a device or service that "will not be used" or some other similar verbage.

      Not all of these log files are found in the %systemroot% folder. If necessary use Start > Search > Files and Folders to find and open them. Here are the significant setup activity log files and what they do:

    3. Sample from Setupapi.log:

      [2000/11/22 17:12:05 340.12]
Munged cmdline: setup -newsetup
EXE name: C:\WINNT\system32\setup.exe
Installing Device Class: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} 1394.
Class install completed with no errors.

      4. Procedures - Verify Drivers

    4. If the server installation was done properly then the server was designed from the beginning including usage of 100% Microsoft HCL approved devices then troubles should be minimal. Nevertheless it is very possible that combinations of approved devices could still conflict with each other causing problems. On rare occasions these problems will not result in obvious signs from the system until it is much too late. For example a in device manager should be recognized for what it is: a device that is not working properly. This usually means that the system can identify it through PnP but that the device's drivers are not loaded, are currently conflicting with another device, or have been disabled because they are causing the system problems. Whatever the reason behind the yellow exclamation point, what it really means is that the device is not running properly and on a server of a network this translates to: there is a very bad day in your future ... when the server starts bogging down or completely fails. It cannot be overstated that this new young server must be stabilized which includes cleaning up all issues especially in device manager prior to continuing with the post-install configuration of the server. Therefore these issues must be completely resolved before putting the server into use. See Windows 2000 Drivers, and the general idea on the usage of the Windows Device Manager, and Windows System Information.

    5. Aside from these tools here are some other Windows 2000 specific tools that should be used in addition to device manager and system information to check the status of the drivers that Windows 2000 installed during setup, to verify the drivers, configure for legacy support and to update any additional drivers. See Windows 2000 Drivers for details.

    6. Dealing with APM,ACPI, and APIC motherboards. See Dealing with ACPI for details.

      7. Procedures - Launch Windows File Protection

    7. See Windows File Protection for details.

      8. Procedures - Install and Configure Additional Hardware/Software/Components

    8. Only in rare cases will a Windows 2000 Server be able to function on the network as a DHCP client meaning that its IP address will change from time to time. Since it is a network resource and the name resolution maps its user friendly name to its IP address, servers are far better off using static IP addresses so that this mapping will not suddenly be pointing to a non-existent or worse incorrect host. In the case of the DHCP server itself it really cannot be a DHCP client since it is the server who issues the addresses to the clients. Therefore the server's TCP/IP should be configured at this time. See Configuring TCP/IP in Windows 2000 for details.

    9. Any additional hardware (except printers) should be installed at this time. See Windows 2000 Drivers for details. Any additional software that needs to be installed on the system should be installed at this time and any Windows optional components should be installed at this time (such as the Installation of DHCP, DNS, and WINS amongst many possibilities).

      10. Procedures - Implement Storage and Recoverability

    10. The drives on the server should be upgraded to dynamic disks, server is almost non-functional if not installed on NTFS, the file system can be converted but it is far better to perform the clean installation onto NTFS. Even on an economy model server a second IDE drive costs less than $100 and can be used in a software level RAID. For the amount of salvation that this brings for this small price; not setting it up would be ridiculous. See Mirroring the C: Drive and Setting up a RAID-5 Stripe Set. True mission critical servers should use SCSI hardware level RAID controllers and drives.

    11. The Distributed File System should be configured at this time. All certificates should be exported once all users home directories have been established and encrypted.

    12. The first full backup should be performed once the system is fully operational. All drives should be removed upon completion of the backup and new drives should be installed. The OS should be reinstalled (without all of the post-configuration covered above, and the backup should be restored to be sure that it is fully functional and reliable. A backup strategy should then be set and followed. (The drives should be removed and the original installation drive(s) should be reinstalled once the test of the backup is complete. See MSM3 Lecture #11 - Backup and Restore in Windows 2000 for details.

      13. Procedures - Apply Service Packs and Critical Updates

    13. See MSM3 Lecture #10 - Windows Upgrades, Service Packs and Dual Booting for details.

    14. There is mixed opinion on running the Windows automatic update service UPDMGR.EXE to schedule automatic checking of the Microsoft website for updates. It is probably a better idea for the Administrator to do this manually either daily or every other day. The system should always be fully backed up prior to the installation of a Windows update or indeed any software that will change operating system files. See MSM3 Lecture #11 - Backing up and Restoring Windows for more information.

    15. After the installation of all Service Packs and Critical Updates verify the Windows Version and the amount of memory that the system recognizes.

    Back to Top

    Copyright©2000-2005 Brian K. Robinson ALL RIGHTS RESERVED