If you have been previously operating a Windows NT Server-based network and make the plunge to Windows Server 2003, you will find that the two network operating systems are very different from each other. These differences are more than just the underlying architecture and the new features in the newer operating system. The entire way you're used to do doing things in Windows NT has changed as well. Here's how you can accomplish some of the more common administrative tasks in Windows 2003, as opposed to the methods used to accomplish the same task in Windows 2000.
User Manager for Domains
In a Windows NT Server environment, one of the most heavily used tools is the User Manager for Domains. While Windows NT uses this tool to create, edit, and delete user accounts, the tool simply does not exist in Windows Server 2003. Remember that Windows Server 2003 is Active Directory based. Since all user information is stored in the Active Directory, you must use a completely different set of tools for working with user accounts.
In Windows Server 2003, the tool that’s used for working with user accounts is called Active Directory Users And Computers. Besides managing user accounts, this tool has other uses that I will discuss later on.
You can access the Active Directory Users And Computers console by clicking the Start button and selecting the All Programs | Administrative Tools | Active Directory Users And Computers commands. When the console opens, expand the container designated by your domain name and, beneath it, you will find a Users container. If you select the Users container, you will see a list of all of the user accounts and security groups for the domain.
The biggest thing to remember when working with user management in Windows Server 2003 is that the right mouse button plays a much more important role than it did in Windows NT. Practically all of the user management functions involve the right mouse button. For example, if you right-click on the Users container, you will see a shortcut menu. One of the commands on this menu is New. You can use this command to create a new user or group.
If you wish to delete a user, select the actual user account or accounts that you want to delete, click the right mouse button and select the Delete command from the resulting shortcut menu.
The shortcut menu for a user account contains many other handy functions. For example, you can use it to enable, disable, or rename the account. If you need to reset a password, you must also right-click on a user account, and select the Reset Password command from the resulting shortcut menu. Another cool shortcut menu command is the Move command. In Windows NT, there was no easy way to move user accounts or groups from one domain to another. However, using the Move command, you can move users and groups between domains or organizational units.
As you can see, most of the Windows NT user account management features are accessible through a simple right click. However, if you want more detailed control over a user or group, right-click on the desired user or group and select the Properties command from the shortcut menu. This will open the user or group’s properties sheet. If you look at the properties sheet for a user, you’ll have access to everything from the user’s personal information (name, phone number, etc.) to the user’s group memberships to the user’s terminal services and remote control settings.
In Windows NT, Server Manager is used primarily for viewing which computers are a part of the domain, seeing which resources within the domain are in use, and promoting BDCs. As you might have already guessed, though, Server Manager doesn’t exist in Windows Server 2003.
First, let’s address the PDC / BDC issue. In a Windows Server 2003 environment, there is no such thing as a PDC or a BDC. While it’s true that one server in each domain functions as a PDC emulator and that server roles make some domain controllers a little more important than others, there is no all powerful PDC.
Instead, Windows Server 2003 simply has domain controllers and member servers. You can use the DCPROMO command to turn a member server into a domain controller or to turn a domain controller into a member server. In Windows NT, if you wanted to make such a switch, you had to reinstall Windows.
Windows Server 2003 uses what’s known as multimaster replication. This means that when someone makes an Active Directory level change, such as creating a user account, the change doesn’t have to be written to the PDC. The change can be written to any domain controller and is then replicated to the other domain controllers at a later time.
Another server function that has changed since Windows NT is setting up computer accounts. In Windows NT, you would either manually create a computer account through Server Manager or you would join the domain when installing Windows NT workstation. In Windows Server 2003, a computer can still join the domain during Windows installation, so long as the workstation is running Windows NT, 2000, or XP.
If you want to manually create a computer account, though, you must return to the Active Directory Users And Computers console. To create a computer account, simply right-click on the Computer container beneath the domain and then select the New | Computer commands. Windows will then prompt you for the name of the computer and will create the computer account in the Computers container. You can also create a computer account within an Organizational Unit (OU) if you so desire.
Still another function of Server Manager is to allow you to see shared resources, sessions, and open files. In Windows Server 2003, this task is accomplished through the Computer Management console. This console is found on the server’s Administrative Tools menu. When the console opens, navigate through the console tree to System Tools | Shared Folders. If you expand the Shared Folders container, you will see sub containers named Shares, Sessions, and Open Files. These containers display the same type of information as the Windows NT Server Manager does. Keep in mind, though, that the information that you are viewing is static. If you want to refresh the information, you must click the Refresh icon or press the [F5] key.
In Windows NT, the Server Manager allowed you to view usage information for any computer in the domain, assuming that you had the appropriate rights. By default though, the Windows Server 2003 Computer Management console displays only the share and usage information for the local machine. If you want to view this information for other computers, you must right-click on the Computer Management (Local) container in the console tree, and then select the Connect To Another Computer command from the resulting shortcut menu.
Another function that has changed greatly since Windows NT is trust relationships. In Windows NT, if you wanted for one domain to trust another, you would have to go into User Manager for Domains and create a trust relationship between the domains.
In Windows NT, the trusts could be confusing because you could have a one-way trust and two-way trust, and there was no such thing as an implicit trust. If you had a hundred domains and you wanted all of them to trust each other, you would have to create thousands of trusts.
In Windows Server 2003, though, this has changed. All Active Directory domains are organized into a forest. All domains within a forest trust every other domain in the forest automatically. The only way that you would ever have to manually create a trust relationship in Windows Server 2003 is if you wanted to create a trust between forests.
Creating a trust between forests is similar to creating a trust between Windows NT domains. You can create either a one-way or a two-way trust and there is no such thing as an implicit trust relationship between multiple forests.
If you wanted to create a trust relationship between forests, you would use a tool called Active Directory Domains And Trusts. However, creating a trust between forests is an involved procedure that requires a lot of planning. The procedure is beyond the scope of this article.
In Windows NT, there are three basic types of system policies. First, there are the user policies. These involve user names and passwords. Second, there are trust relationship policies, which I just discussed. The third type of policy is an audit policy. Audit policies allow you to compile a security log of specific user actions.
Security auditing still exists within Windows Server 2003, and as with Windows NT, you can read the security logs through the Event viewer. However, the method used to create an audit policy differs widely between Windows NT and Windows Server 2003.
Windows Server 2003 makes use of something called group policies. Group policies are a huge collection of security settings, of which audit policies are only a tiny part. Group policies allow you to define events for auditing, but they also allow you to do things like control the minimum password length or which applications that a user is allowed to run.
Group policies are a huge topic, and it would be possible to write an entire book on them. I do want to take a moment and show you basically how they work, though, particularly as they relate to auditing.
The first thing that you need to know about group policies is that they are hierarchical in nature. Group policies can be applied at a variety of levels. The lowest level is the policy that applies to the local machine. From there, additional policies may be applied at various levels of the Active Directory, such as at the site level, OU level, and domain level. Therefore, it’s possible that several policies will apply to a single user or computer. Because of this, the various applicable policies are rolled into a single policy known as the Resultant Set of Policy. This process resolves conflicts between the various policies and establishes the final security policy for the user or the computer. (Policies can be applied to a user, computer, or both).
To access the group policies, you must open the Group Policy Editor. Normally, you would do this by entering the MMC command at the Run prompt. This will open an empty Microsoft Management Console. Next, select the Add / Remove Snap In command from the console’s File menu to reveal the Add / Remove Snap In dialog box. When this dialog box appears, click the Add button and you will see a list of available snap-ins. Select the Group Policy Object Editor, and click Add. Windows will now prompt you as to which group policy object you wish to edit. Make your selection and click Finish, Close, and OK.
You will now see the Group Policy that you have selected. The first thing that you will notice as you navigate through the console is that there are distinct sections for Computer Settings and for User Settings. There are Audit-related policy elements scattered throughout the group policy. If you want to see one, though, navigate through the console tree to Computer Policy | Windows Settings | Security Settings | Local Policies | Audit Policy. This section allows you to audit things like logon events and account management. Keep in mind, though, that these settings apply at the computer level. There is an entirely different group of settings for the user level configuration.
Outside of the Group Policies, you can also audit objects, such as files and folders (assuming that the files exist on an NTFS partition). To do so, right-click on a file and select the Properties command from the resulting shortcut menu. When you see the file’s properties sheet, select the Security tab and click the Advanced button. This will cause Windows to display the Advanced Security Settings properties sheet for the file. You can use this properties sheet’s Auditing tab to configure auditing for the file or printer.
The System Properties sheet has also really evolved since Windows NT. In Windows NT, if you right-click on the My Computer icon and select the Properties command from the resulting shortcut menu, you will see the System Properties sheet. In Windows Server 2003, you still access the System Properties sheet in the same manner, but the sheet has changed considerably.
In Windows NT, the System Properties sheet had six tabs; Startup / Shutdown, Hardware Profiles, User Profiles, General, Performance, and Environment.
In Windows Server 2003, the General tab still exists and is almost identical to its Windows NT counterpart. In Windows NT, the Performance tab contains settings that allow you to adjust application performance and virtual memory. In Windows 2003, though, you must go to the Advanced tab, click the Settings button in the Performance section, and then select the Advanced tab found on the Performance Options properties sheet. As you might have guessed, there have been a lot of other performance modification mechanisms added as well.
The Windows NT Environment tab contains a listing of your environment variables. To access this same information in Windows 2003, you must click the Environment Variables button at the bottom of the Advanced tab.
In Windows NT, there is a Hardware Profiles tab that allows you to view any hardware profiles present on the machine. In Windows Server 2003, there is an entire Hardware tab, of which Hardware Profiles is only a small part. This tab also contains the Device Manager, the Add Hardware Wizard, and a button for driver signing.
The Windows NT User Profiles tab allows you to see any user profiles that are currently available. In Windows Server 2003, these profiles are available through the User Profiles section of the Advanced tab.
Finally, the Startup / Shutdown tab allows you to control the various Windows boot options and what happens when the system crashes. These settings are found in the Startup and Recovery sections of Windows 2003’s Advanced tab.
Service Control Manager
Although not really an administrative tool, I wanted to take a moment and mention the Service Control Manager. In Windows NT Server, the Service Control Manager is used to stop and start system services. If you wanted to access the Service Control Manager, you would simply go into the Control Panel and double-click the Services icon and Windows would launch the Service Control Manager.
The Service Control Manager still exists in Windows Server 2003, but has evolved over time. Now, the Services icon is on the Administrative Tools menu instead of being a part of the Control Panel.
If you open the Service Control Manager, you will find that like just about everything else in Windows 2003, it is console based. The column to the right contains a list of available services and their current status. You can right-click on a service to access a shortcut menu that allows the service to be started or stopped. The menu also contains a Properties command. Selecting the Properties command displays a service properties sheet. This properties sheet displays all of the service’s dependencies—something that would have been nice to have had in Windows NT.
Everything's constant but change
As you can see, Windows NT differs significantly from Windows Server 2003. You can almost forget everything you knew about administering a Windows NT network when administering Windows Server 2003. However, once you figure out what tasks are done with the new tools, you'll quickly become as efficient with Windows Server 2003 as you were with Windows NT.