Mastering Windows 2000 Server, Fourth Edition, Is Available
The Fourth Edition of Mastering Windows 2000 Server is the latest and most complete of my series of guides to using Windows 2000 to get your job done. I’ve aimed in this book to show you how Windows 2000 Server works, what it can -- and can't -- do, and to show you the shortest path to getting any particular job done.
But why a Fourth? Two reasons: first, in the year since the Third Edition, I had the opportunity to learn about and work with more aspects of Windows 2000, and I wanted to make sure that information was in the book. That's pretty much the reason that you've seen a version of this book or its NT 4 predecessor annually: it gives me a chance to add the new technologies that I've learned about, to report on new things that Microsoft has added, and to fix errors in previous editions. So, in other words, I could have guessed years ago that this edition, or something like it, would appear. But I didn't expect the second reason: security.
A New Security Focus
As every system administrator who lived through Code Red, SirCam, Code Blue, Nimda and the zombie attacks of 2001 knows, 2001 was a rough year for computer security. (To say nothing of the other security-related events of 2001.) 2001 saw the discovery of some very serious security holes in Windows 2000's Internet Information Service, Index Service, and Media Player. But it also saw a bunch of new worms, viruses, and Trojan horses exploiting those holes. Network administrators have always, of course, had a responsibility to secure their networks, but I think 2001 changed the reason why they've got to do that.
Here's what I mean. Prior to 2001, my main concern in securing my network was in ensuring that the bad guys didn't attack me. In theory, then, if I don't care about my data and leave my network wide-open, then the only person that I'm affecting is me. But the new worms changed that reality. One unprotected Internet Information Server can be infected and that IIS server can then spend all of its free time trying to find and infect other servers. So when I put an insecure IIS box on the network then I'm not just potentially hurting myself -- no, I've actually joined the Other Side and provided a tool that the weasels can use to magnify their mischief and destruction. I guess the first great truth of computing in the 21st Century seems to be that security isn’t optional… not for anybody. So I think you’ll notice a bit of a trend in the “all-new” stuff in this edition; you might think of the Fourth as “Mastering Windows 2000 Server… The Security Edition.”
An Administrator's Handbook, Not An Exam-Cram
But before going on to enumerate the Fourth Edition’s benefits, let me say one thing that it’s not, or at least not intended to be: an MCSE study guide. Over the years, I have heard from literally thousands of people who’ve told me that they have used some of my books to successfully study for Microsoft certification exams, and I’m always happy to hear of their success, even if the book wasn't intended that way.
Last year, in fact, so many of you had told me that you'd passed tests with the book's help that I sat down one day and took all four of the core Windows 2000 certification exams cold, just to see how I'd do. I honestly knew only two things about the tests: (1) there are four core tests and (2) everyone says that something called "network infrastructure" is hard. My reasoning was this: many people choose to use the book as a guide to preparing for the exam and I wanted to know if in fairness I should try to strongly dissuade them from doing that. Inasmuch as pretty much everything I know is in the book, I thought that I could answer the question by taking the exams cold. If I can pass them, then I guess the book could help study for the exams. Well, I passed 'em all, so if you know this book back to front then you've probably got a chance at doing well on the four core tests and the Active Directory design test. (And no matter how you study, best of luck!)
If you own a copy of the Second or Third Edition and you’re wondering if it’s a good idea to “upgrade,” then allow me, if you will, to tell you why I believe that you’ll find a copy of the Fourth a good investment. In short, this edition contains 20 completely new sections ranging in size from two to thirty pages, a new focus on security, a wealth of new Active Directory (AD) and DNS design and troubleshooting advice, dozens of significantly rewritten and expanded sections, and some looks ahead to .NET Server (the next version of NT), where appropriate.
As I said before, my original goal in the Fourth was to get a chance to add coverage of a bunch of built-in Windows 2000 technologies that are useful but that I simply didn’t have the time to include before. The rash of security problems that beset Windows NT and 2000 in 2001 spurred me to tighten up my own network, and I’ve included what I’ve found works and doesn’t work security-wise in this edition. I think you’ll find these completely new sections useful (and please note if you don’t own any previous editions that I’m jumping straight into techie jargon in the following bullet points so as to provide a short overview for veteran readers -- I will explain all of this terminology in the book):
Major Rewrites And Changes
Many chapters include significant rewrites. There truly isn’t time to list them all but here are the bigger ones.
Chapter 4, on Setup, includes a new section that I think you’ll really like: it shows you how to build setup scripts and Remote Installation Servers that do unattended automated rollouts of Windows 2000 Server and Professional… but these servers arrive with the latest service packs and hotfixes from the first boot. Chapter 6, on TCP/IP basics, not only includes the pieces that I’ve already described, but a couple of reader requests as well: a table of common port numbers and a description of how to use network binding order to improve system performance.
I have felt very strongly for a while now that there isn’t a really good reference for running DNS on Windows 2000, and so I’ve worked hard to make this book that reference. To that end, the DNS coverage in Chapter 7 now includes details on primary/secondary replication, securing zone transfers between servers, and subnet mask ordering (with thanks to Robert Eggleston for pointing it out). I’ve also added coverage about what to do when you find yourself in a mixed DNS environment -- a legacy non-2000 DNS network that you must blend somehow with a 2000-based DNS system. Even if you don’t use 2000-based DNS servers, the built-in dynamic DNS clients on your Windows 2000 systems will give your legacy DNS servers fits when they constantly try to register with those systems. You’ll see in that chapter how to shut the 2000 boxes up and give those old BIND systems a rest!
Two years of post-beta experience has also taught me that the sort of DNS design called “split-brain” DNS or, as I like to think of it, “keeping two sets of books,” isn’t an advanced or optional architecture -- no, I think today’s security environment requires it. So I’ve got a lot more discussion of split-brain architecture. You’ll even build a split-brain DNS system if you follow my step-by-step example of creating a DNS domain called “bigfirm.biz.” The example previously employed only routable addresses, which isn’t a reality for most folks; it’s now built around a more commonly-used IP address range and will “plug and play” better into test network and home-based networks, where you’re likely to have only one routable address and the rest all non-routable. Even better, I have redesigned the example (it used to be “bowsers.com”) to integrate perfectly with the example build-your-own Active Directory in the following chapter; that should make the examples work on a much wider variety of systems.
Speaking of Chapter 8, Active Directory, that too has gotten some major revisions (it is probably the most extensively revised chapter in this edition) as I try to cover more and more AD planning, installation, management and troubleshooting concepts. You’ll see even more DNS in this chapter, as it is AD’s most necessary evil. Chapter 8 sees more practical DNS help in the form of nuts-and-bolts troubleshooting techniques as well as planning issues -- should Acme choose acme.com, acme.local or acme.pri for their AD domain name? The section on migration is considerably larger, with an expanded discussion of the pros and cons of the two main migration approaches.
The AD chapter also includes more AD nuts-and-bolts, with an explanation of the “other” AD objects -- shared folders, printers, and contacts -- as well as Domain Local Groups. I honestly didn’t find them all that useful in my AD work, but found that Microsoft asked about them quite a bit in the MCSE exams, so I figured that it couldn’t hurt to pump up the DLG coverage. I still don’t think they’re useful, but read up on ‘em and you’ll get three or four more questions right on the AD test.
Time and Knowledge Base articles have given us some cool new fixes for seemingly impossible problems: fixes for some annoying domain controller and global catalog discovery problems are now available with service pack 2 and a few Registry zaps. They’re in Chapter 8 as well. I realized that I’d covered how to delegate control of an organizational unit, but I’d neglected to explain how to un-do that -- how to “un-delegate,” but the chapter covers that now. I found that my original explanation of AD replication internals was a bit off-kilter so I deleted most of it and rewrote it, and also added some info on using a tool called “repadmin” to track replication. Working with some very large firms on designing their Active Directories has taught me that the peculiar nature of the schema under Active Directory -- one size fits all -- can pose some problems, and I tell you about it in the chapter. And you’ve already read about the new sections on audits and certificates.
Chapter 9, on user accounts, also got a serious re-working. We’d covered profiles for NT 4 workstations, thinking that profiles were passé. Turns out that they’re not, so I updated the section to cover profiles on 2000 and XP systems. You’ve already heard about the rewrite of the group policies section, and the new sections on SECEDIT, but there are, again, more nuts and bolts on a smaller scale: how to set complex password policies, how to change passwords from the command line, how to read (and write) the LDAP-ese that some tools require, and a rewrite of how user permissions and rights work are all in Chapter 9.
Chapter 10, Storage And Drives, revisits and amplifies upon the problems of making mirrored disks work properly, including creating and using a Windows 2000 boot disk to let you boot from a mirrored disk. Chapter 11, I felt, needed a better and fuller explanation of 2000’s newer way of representing ACLs, so there’s a new section on understanding “allow” versus “deny” permissions, as well as an in-depth explanation of the lowest-level permissions, what I call the 13 “atomic permissions.” And you’ve already read about the new section on auditing file and directory access. I hope that after reading this chapter you’ll never get confused about NTFS permissions again.
Chapter 17, the chapter on IIS/FTP/E-Mail/Telnet, has a number of new sections, as you’ve read -- securing it, reading the logs, and adding Index Services. I’ve also got a section showing you how to build an Active Server Page that sends e-mails automatically. I use it to inform me of system events. The book’s coverage of EMWACS IMS, the free e-mail server for Windows 2000, is updated with new URLs -- as the tool is free, it kind of has to live wherever it’s welcome. Many of you have expressed frustration with setting up multiple Web sites on a single server, so I’ve got a step-by-step example of doing that. That leads to some more in-depth discussion of SSL on Web sites. Finally, Chapter 21, the disaster recovery chapter, includes the new section on RSM that you’ve already read about. On top of all of these changes are many small improvements, error fixes and tweaks.
All in all, I’m quite proud of this new edition. I hope that you choose to pick it up and, more important, I hope that you're pleased with it.