
Mastering Windows 2000 Server, Fourth Edition, Is Available

The Fourth Edition of Mastering Windows 2000 Server is the latest and most complete of my series of guides to using Windows 2000 to get your job done. I’ve aimed in this book to show you how Windows 2000 Server works, what it can -- and can't -- do, and to show you the shortest path to getting any particular job done.

But why a Fourth?  Two reasons: first, in the year since the Third Edition, I had the opportunity to learn about and work with more aspects of Windows 2000, and I wanted to make sure that information was in the book.  That's pretty much the reason that you've seen a version of this book or its NT 4 predecessor annually: it gives me a chance to add the new technologies that I've learned about, to report on new things that Microsoft has added, and to fix errors in previous editions.  So, in other words, I could have guessed years ago that this edition, or something like it, would appear.  But I didn't expect the second reason:  security.

A New Security Focus

As every system administrator who lived through Code Red, SirCam, Code Blue, Nimda and the zombie attacks of 2001 knows, 2001 was a rough year for computer security.  (To say nothing of the other security-related events of 2001.)  2001 saw the discovery of some very serious security holes in Windows 2000's Internet Information Service, Index Service, and Media Player.  But it also saw a bunch of new worms, viruses, and Trojan horses exploiting those holes.  Network administrators have always, of course, had a responsibility to secure their networks, but I think 2001 changed the reason why they've got to do that.

Here's what I mean.  Prior to 2001, my main concern in securing my network was in ensuring that the bad guys didn't attack me.  In theory, then, if I don't care about my data and leave my network wide-open, then the only person that I'm affecting is me.  But the new worms changed that reality.  One unprotected Internet Information Server can be infected and that IIS server can then spend all of its free time trying to find and infect other servers.  So when I put an insecure IIS box on the network then I'm not just potentially hurting myself -- no, I've actually joined the Other Side and provided a tool that the weasels can use to magnify their mischief and destruction.  I guess the first great truth of computing in the 21st Century seems to be that security isn’t optional… not for anybody. So I think you’ll notice a bit of a trend in the “all-new” stuff in this edition; you might think of the Fourth as “Mastering Windows 2000 Server… The Security Edition.” 

An Administrator's Handbook, Not An Exam-Cram

But before going on to enumerate the Fourth Edition’s benefits, let me say one thing that it’s not, or at least not intended to be: an MCSE study guide. Over the years, I have heard from literally thousands of people who’ve told me that they have used some of my books to successfully study for Microsoft certification exams, and I’m always happy to hear of their success, even if the book wasn't intended that way.  

Last year, in fact, so many of you had told me that you'd passed tests with the book's help that I sat down one day and took all four of the core Windows 2000 certification exams cold, just to see how I'd do.  I honestly knew only two things about the tests: (1) there are four core tests and (2) everyone says that something called "network infrastructure" is hard.  My reasoning was this:  many people choose to use the book as a guide to preparing for the exam and I wanted to know if in fairness I should try to strongly dissuade them from doing that.  Inasmuch as pretty much everything I know is in the book, I thought that I could answer the question by taking the exams cold.  If I can pass them, then I guess the book could help study for the exams.  Well, I passed 'em all, so if you know this book back to front then you've probably got a chance at doing well on the four core tests and the Active Directory design test.  (And no matter how you study, best of luck!)

If you own a copy of the Second or Third Edition and you’re wondering if it’s a good idea to “upgrade,” then allow me, if you will, to tell you why I believe that you’ll find a copy of the Fourth a good investment. In short, this edition contains 20 completely new sections ranging in size from two to thirty pages, a new focus on security, a wealth of new Active Directory (AD) and DNS design and troubleshooting advice, dozens of significantly rewritten and expanded sections, and some looks ahead to .NET Server (the next version of NT), where appropriate.

All-New Sections

As I said before, my original goal in the Fourth was to get a chance to add coverage of a bunch of built-in Windows 2000 technologies that are useful but that I simply didn’t have the time to include before. The rash of security problems that beset Windows NT and 2000 in 2001 spurred me to tighten up my own network, and I’ve included what I’ve found works and doesn’t work security-wise in this edition. I think you’ll find these completely new sections useful (and please note if you don’t own any previous editions that I’m jumping straight into techie jargon in the following bullet points so as to provide a short overview for veteran readers -- I will explain all of this terminology in the book):

  • DNS-related AD troubleshooting: probably the source of the greatest number of AD questions. If you’re having trouble logging onto a new AD or adding a new domain controller to an AD, Chapter 8 gives you simple diagnostic steps to prove whether the problem is or isn’t DNS-related and, if it is, how to fix it.
  • Using security templates and SECEDIT: I’ve been kicking myself since the Third Edition came out for not covering this completely essential tool. How’d you like to control user rights, local group membership, NTFS permissions, Registry security, auditing and account policies remotely on any system on your network? Simple ASCII templates let you control it all. Learn about it in Chapter 9.
  • Auditing security events, file and directory access: if you’re like most of us, then you know that Windows 2000, like NT, provides a wealth of potential reporting on who did what and when and where he did it. But how to use it? Chapters 8 and 11 include all you need to know about using auditing to track what’s happening in your network.
  • IPSec explained and demonstrated. IP Security -- IPSec to its friends -- is a useful way to secure traffic between any two (or more) systems, even over the Internet. What’s even better, though, is that this works for virtually every Internet-enabled application. Windows 2000 includes it free and it’s well worth your time to get to know it. The writeup is about 20 pages at the end of Chapter 6.
  • Certificates, Public Key Infrastructure and Certificate Authorities. PKI is a huge -- vast -- topic but an important one. Certificates provide a way to authenticate users outside of your network and potentially not even running a Windows operating system. Just as the publicly-defined TCP/IP protocol freed us from the proprietary protocols like NetBEUI and IPX/SPX, PKI is moving us away from proprietary authentication systems. Notice I said “moving” -- 2000’s support of certificates is important but incomplete. Even if you do not intend to use PKI now, read this anyway -- sometime in the next five years you’ll have to understand and wrestle with this. There are over 30 pages on the topic at the end of Chapter 8.
  • Securing IIS Servers and Reading IIS Logs. We can lock our file and print servers behind firewalls, but we have no choice about where our Web servers go -- they’ve got to be out on the public Internet. Chapter 17 offers 16 pages of advice on protecting your Web server. You’ll also find a new section in that chapter showing you how to keep track of who’s been knocking at your door by reading your IIS logs.
  • Configuring and Using Indexing Service. If you are building or maintaining an IIS-based Web site then you’ll usually want to offer your visitors a flexible search engine. Windows 2000’s Indexing Service is a surprisingly useful tool that is, unfortunately, nearly completely undocumented and that includes some truly frightening default settings, security-wise. Chapter 17 includes a new section on setting up and securing Indexing Service, as well as some ready-to-use Active Server Page scripts to provide you a basic search engine.
  • Troubleshooting Group Policies. If you have an Active Directory, then you’ll soon discover the power of group policies. But sometimes they don’t seem to work exactly as advertised -- and then it’s up to you to figure out what’s wrong. Chapter 9 always included a section on GPs, but for this edition I’ve doubled its size and added new sections, including the troubleshooting section.
  • Removable Storage Manager and Automated Backups With NTBackup. I try whenever possible to use the tools that are in the box, mainly because I’m cheap, and so I use NTBackup. But making NTBackup work so that it automatically does scheduled backups turned out to be a major challenge because while 2000’s NTBackup backs up to tapes, as it always did, it now works through a complex intermediary named “Removable Storage Manager” or RSM in order to write to tapes. Chapter 21 explains RSM in detail and presents some fairly intricate -- and useful, I hope -- batch files that you can, with a little modification, plug right into your system and get your backups working automatically.
  • Troubleshooting Network Address Translation and Internet Connection Sharing. I can tell from the number of letters that I get about ICS and NAT that a lot of you want to use your Windows 2000 computers as a way to share a single routable Internet address with a number of machines. So I created a new section in Chapter 6 offering advice on how to methodically examine and fix a nonfunctioning ICS or NAT connection.
  • Making Older Apps Work Under Windows 2000. Two new sections talk about a couple of tricks that you can do to manage that small number of NT 4 apps that simply don’t want to run under 2000. Using a couple of undocumented tricks -- shutting off Windows File Protection temporarily and using something called “DLL redirection” to accommodate applications that absolutely must have their own versions of system DLLs -- you can solve some of the more annoying compatibility problems.
  • DHCP User and Vendor Classes, and Command-Line Tools. At first glance, DHCP didn’t change all that much under Windows 2000… but there were actually a few quite interesting improvements. One was a whole new set of command-line tools that basically let you do all of your DHCP administration from the command line (and therefore scripts). The other was the notion of vendor and user “classes” which let you create a set of machines in your network that get a different set of DHCP settings than others, even if the others are on the same subnet. Chapter 6 includes this information.

Major Rewrites And Changes

Many chapters include significant rewrites. There truly isn’t time to list them all but here are the bigger ones.

Chapter 4, on Setup, includes a new section that I think you’ll really like: it shows you how to build setup scripts and Remote Installation Servers that do unattended automated rollouts of Windows 2000 Server and Professional… but these servers arrive with the latest service packs and hotfixes from the first boot. Chapter 6, on TCP/IP basics, not only includes the pieces that I’ve already described, but a couple of reader requests as well: a table of common port numbers and a description of how to use network binding order to improve system performance. 

I have felt very strongly for a while now that there isn’t a really good reference for running DNS on Windows 2000, and so I’ve worked hard to make this book that reference. To that end, the DNS coverage in Chapter 7 now includes details on primary/secondary replication, securing zone transfers between servers, and subnet mask ordering (with thanks to Robert Eggleston for pointing it out). I’ve also added coverage about what to do when you find yourself in a mixed DNS environment -- a legacy non-2000 DNS network that you must blend somehow with a 2000-based DNS system. Even if you don’t use 2000-based DNS servers, the built-in dynamic DNS clients on your Windows 2000 systems will give your legacy DNS servers fits when they constantly try to register with those systems. You’ll see in that chapter how to shut the 2000 boxes up and give those old BIND systems a rest!

Two years of post-beta experience has also taught me that the sort of DNS design called “split-brain” DNS or, as I like to think of it, “keeping two sets of books,” isn’t an advanced or optional architecture -- no, I think today’s security environment requires it. So I’ve got a lot more discussion of split-brain architecture. You’ll even build a split-brain DNS system if you follow my step-by-step example of creating a DNS domain called “bigfirm.biz.” The example previously employed only routable addresses, which isn’t a reality for most folks; it’s now built around a more commonly-used IP address range and will “plug and play” better into test networks and home-based networks, where you’re likely to have only one routable address and the rest all non-routable. Even better, I have redesigned the example (it used to be “bowsers.com”) to integrate perfectly with the example build-your-own Active Directory in the following chapter; that should make the examples work on a much wider variety of systems.

Speaking of Chapter 8, Active Directory, that too has gotten some major revisions (it is probably the most extensively revised chapter in this edition) as I try to cover more and more AD planning, installation, management and troubleshooting concepts. You’ll see even more DNS in this chapter, as it is AD’s most necessary evil. Chapter 8 sees more practical DNS help in the form of nuts-and-bolts troubleshooting techniques as well as planning issues -- should Acme choose acme.com, acme.local or acme.pri for their AD domain name? The section on migration is considerably larger, with an expanded discussion of the pros and cons of the two main migration approaches.

The AD chapter also includes more AD nuts-and-bolts, with an explanation of the “other” AD objects -- shared folders, printers, and contacts -- as well as Domain Local Groups. I honestly didn’t find them all that useful in my AD work, but found that Microsoft asked about them quite a bit in the MCSE exams, so I figured that it couldn’t hurt to pump up the DLG coverage. I still don’t think they’re useful, but read up on ‘em and you’ll get three or four more questions right on the AD test.

Time and Knowledge Base articles have given us some cool new fixes for seemingly impossible problems: fixes for some annoying domain controller and global catalog discovery problems are now available with service pack 2 and a few Registry zaps. They’re in Chapter 8 as well. I realized that I’d covered how to delegate control of an organizational unit, but I’d neglected to explain how to undo that -- how to “un-delegate” -- but the chapter covers that now. I found that my original explanation of AD replication internals was a bit off-kilter so I deleted most of it and rewrote it, and also added some info on using a tool called “repadmin” to track replication. Working with some very large firms on designing their Active Directories has taught me that the peculiar nature of the schema under Active Directory -- one size fits all -- can pose some problems, and I tell you about it in the chapter. And you’ve already read about the new sections on audits and certificates.

Chapter 9, on user accounts, also got a serious re-working. We’d covered profiles for NT 4 workstations, thinking that profiles were passé. Turns out that they’re not, so I updated the section to cover profiles on 2000 and XP systems. You’ve already heard about the rewrite of the group policies section, and the new sections on SECEDIT, but there are, again, more nuts and bolts on a smaller scale: how to set complex password policies, changing passwords from the command line, how to read (and write) the LDAP-ese that some tools require, and a rewrite of how user permissions and rights work are all in Chapter 9.

Chapter 10, Storage And Drives, revisits and amplifies upon the problems of making mirrored disks work properly, including creating and using a Windows 2000 boot disk to let you boot from a mirrored disk. Chapter 11, I felt, needed a better and fuller explanation of 2000’s newer way of representing ACLs, so there’s a new section on understanding “allow” versus “deny” permissions, as well as an in-depth explanation of the lowest-level permissions, what I call the 13 “atomic permissions.” And you’ve already read about the new section on auditing file and directory access. I hope that after reading this chapter you’ll never get confused about NTFS permissions again.

Chapter 17, the chapter on IIS/FTP/E-Mail/Telnet, has a number of new sections, as you’ve read -- securing it, reading the logs, and adding Index Services. I’ve also got a section showing you how to build an Active Server Page that sends e-mails automatically. I use it to inform me of system events. The book’s coverage of EMWACS IMS, the free e-mail server for Windows 2000, is updated with new URLs -- as the tool is free, it kind of has to live wherever it’s welcome. Many of you have expressed frustration with setting up multiple Web sites on a single server, so I’ve got a step-by-step example of doing that. That leads to some more in-depth discussion of SSL on Web sites. Finally, Chapter 21, the disaster recovery chapter, includes the new section on RSM that you’ve already read about. On top of all of these changes are many small improvements, error fixes and tweaks. 

All in all, I’m quite proud of this new edition.  I hope that you choose to pick it up and, more important, I hope that you're pleased with it.