CertCities.com Mega-Guide to Microsoft's 70-210 Exam, Part I
Emmett Dulaney once again offers a step-by-step, in-depth objective guide, this time for Microsoft's most popular exam.
by Emmett Dulaney
3/12/2003 --
By far, the most popular exam currently offered by Microsoft is the Installing,
Configuring, and Administering Microsoft Windows 2000 Professional exam (number
70-210). This exam can be used as credit on both the MCSA and MCSE tracks, and
consists of seven major objective categories:
- Installing Windows 2000 Professional
- Implementing and Conducting Administration of Resources
- Implementing, Managing, and Troubleshooting Hardware Devices and Drivers
- Monitoring and Optimizing System Performance and Reliability
- Configuring and Troubleshooting the Desktop Environment
- Implementing, Managing, and Troubleshooting Network Protocols and Services
- Configuring, Managing, and Troubleshooting Security
In this article we will look at most of the first two of those seven objectives.
In the next few weeks, we'll finish these up and then address the middle two,
followed by the remaining three, in this three-part series. Each article focuses
on the material you need to know to pass this exam. To view
the official list of objectives for this exam, go to: http://www.microsoft.com/traincert/exams/70-210.asp.
Objective #1: Installing Windows 2000 Professional
Regardless of the type of installation you plan to do, the first step is to
make certain that the system you are using can run Windows 2000 Professional.
In terms of hardware, the following are the minimum requirements:
- Pentium 133MHz or higher (Professional can support two processors.)
- 64MB of RAM (32MB is the minimum supported; the maximum supported is 4GB.)
- 650MB free disk space
- VGA
- Keyboard and mouse (recommended)
The Support folder on the Windows 2000 Professional CD contains an HCL.TXT
file, which is the Hardware Compatibility List of supported hardware. An updated
version of this file is kept on the Microsoft Web site. The latest release notes
can also be found in text files located on the CD under the SETUPTXT folder.
The second step to perform before any installation is to back up your existing
files to removable media. This provides you with an insurance policy in the
event of an unforeseen disaster and, therefore, is highly recommended.
Dual-booting requires that each operating system be stored in its own folder.
The default folder under which Windows 2000 is installed is WINNT but can be
changed to any valid folder name.
1.1: Perform an Attended Installation of Windows 2000 Professional
The simplest installation of the Windows 2000 Professional product is the attended
installation. If you are installing on a blank hard drive, you need to have
a bootable CD-ROM drive, or you must make a set of startup disks. You can create
the startup disks (a set of four) from the CD with the MAKEBOOT.EXE utility
in the Bootdisk folder. For example, if the CD drive is E: and the floppy drive
is A:, you would use the following syntax to make startup disks from the command
prompt:
E:\Bootdisk\MAKEBOOT A:
NOTE: A 32-bit version of the utility (MAKEBT32.EXE) is also stored
in the Bootdisk folder and can be used if you want to make the boot disks
from within Windows 2000 on another machine.
After you make the startup disks, you can proceed with the installation by
booting the system with the first floppy and then following the instructions
as they appear. You can also run the installation across the network. To do
so, you need a path to where the files are stored (on a server). Preferably
the path is created via a client disk. You also need a partition established
on the target machine to install into.
If your hard drive has an operating system capable of interpreting AUTORUN.INF,
you can begin the installation by simply inserting the CD into the drive (with
the OS booted). A splash screen appears. If the startup does not automatically
begin -- and it won't if AUTORUN.INF functionality is not enabled -- you can
call the executable file from the i386 folder of the CD.
Windows 2000 has two executable setup files: Winnt.exe and Winnt32.exe. Winnt32.exe
is used for 32-bit operating systems; Winnt.exe is used for command-prompt installations
and 16-bit installations.
Initial Screens
The first decision you are given is whether you want to upgrade the existing
operating system or do a fresh/clean installation. An upgrade will assume you
intend to keep many existing values and will only ask you for a subset of the
fields needed for a fresh installation. The next dialog box shows the License
Agreement for Windows 2000. You must accept this agreement to be able to continue
the installation. You must then enter a 25-character Product Key. The Product
Key consists of alphanumeric entries and identifies the product's validity.
The next screen -- Select Special Options -- is of extreme importance. Three
settings can be configured here: Language, Advanced and Accessibility. The Language
options allow you to choose the default language for the system and install
other languages as well. The Accessibility options allow you to configure the
workstation for use by disabled users. The Advanced options are the tricky ones.
Here, you can specify where the files are to be copied from (the CD, by default),
whether all files should be copied locally, whether you will have the ability
to choose a partition to install into during setup, and where the installation
folder will be. The installation folder will always default to \WINNT and must
be unique for every installation in a dual-boot environment. By default, all
installations go into the same directory, and you cannot choose the partition
during setup.
If the hard drive is formatted with anything other than the latest version
of NTFS, the next dialog box gives you the opportunity to upgrade the drive
to NTFS. If you will be dual-booting with any operating system other than Windows
NT/2000, you must not upgrade the drive. If you will be using only Windows 2000,
NTFS is the best file system you can choose.
NOTE: In addition to NTFS, Windows 2000 works with the FAT and
FAT32 file systems. FAT is needed for MS-DOS, OS/2, the Windows 3.x operating
systems, and the first release of Windows 95. FAT32 can be used with the second
release of Windows 95 (95b) and Windows 98.
First Reboot
After you choose whether or not to upgrade the drive, the system will reboot
and begin a text-based setup routine. You will be asked whether you want to
repair an existing installation (press R) or set up a new installation. (You
can always exit by pressing F3.) A cursory examination of the hard drive will
be done, and any existing installations of Windows 2000 will be identified.
If there are existing installations, you will be given the choice once more
to repair them (R) or continue with a fresh installation (Esc). A message could
come up after the reboot indicating that a virus has been found. This is caused
by the virus checker running for the previous operating system (Windows 98 or
whatever you are coming from). If this happens, disable the virus checker and
reboot again.
NOTE: Choosing (R) to repair an installation brings up the Repair
Options screen. From here you have the choice of bringing up the Recovery
Console or using the ERD (Emergency Repair Disk).
Next, you must identify a partition into which the installation will go. (You
can also select unpartitioned space.) Choose whether to format the partition
differently than it currently is. (It can be converted to FAT, converted to
NTFS, or left alone; FAT32 does not appear as an option here.) The files are
copied from the CD to the partition. Depending on the speed of your system and
your CD drive, this step can take considerable time. When this is finished,
the system reboots again.
Second Reboot
After the reboot, the setup routine continues in GUI mode with the Setup Wizard.
Setup automatically tries to identify your hardware and attached devices, and
properly configures them.
The Regional Settings dialog box allows you to customize the user location
and keyboard layout. It is followed by a text box asking for your Name and Organization.
These free text entries are written into the Registry and used as default values
during the installation of new applications. A name derived from the value entered
into the Organization field is filled in automatically as the computer name on the
next dialog box (Computer Name and Administrator Password). You can change
this value to anything you want as long as it does not exceed 15 characters
in length and is unique within your network. This is also the NetBIOS name that
can be used for name resolution with WINS and networking with NetBIOS networks,
such as Windows for Workgroups. The value is converted to uppercase, which makes
the uniqueness a bit trickier.
At the bottom of the dialog box, you must choose and confirm a password for
the Administrator account. Two accounts are created during the installation:
Administrator and Guest. The Guest account, because it is so limited, does not
require you to assign a password during installation. The Administrator account,
on the other hand, is very powerful (by virtue of being a member of the Administrators
group), so you are prompted for a password. Said password can be nothing (press
Enter) or can contain up to 14 characters. After the installation is complete,
you can change the password at any time, as you would for a regular account.
The next dialog box -- Date and Time Settings -- enables you to configure the Date
& Time as well as the Time Zone (and to check or uncheck a box to indicate
whether to automatically adjust the clock for daylight savings time, if applicable).
Networking Settings
The networking components are copied over, and a dialog box offers the choice
between using Typical settings or Custom settings. Custom is used to configure
options manually, whereas Typical installs only Client for Microsoft Networks,
File and Printer Sharing for Microsoft Networks, and Internet Protocol (TCP/IP).
NOTE: With Typical installation, TCP/IP looks for a DHCP
server, and the ability to manually enter an IP address is not given. If you
do not have a DHCP server or you must manually enter the address for any reason,
you must choose Custom settings. In addition, if you are a member of a workgroup
running any protocol besides TCP/IP, you must choose Custom settings to enable
those protocols.
The Custom settings allow you to change the properties of the three components
automatically installed (such as add a static entry for TCP/IP), uninstall any
of the three, and add additional components. The additional components can be
client, service, or protocol. The only client choice available with the core
product is Client Service for NetWare.
Two services are available for installation with the core product:
- QoS Packet Scheduler. Quality of Service Packet Scheduler is used
  for network traffic control.
- SAP Agent. Service Advertising Protocol is used to advertise the
  known addresses and servers on the network.
In addition to TCP/IP, five protocols are included with Windows 2000 Professional
and can be included during installation:
- AppleTalk. For communicating with Macintoshes
- DLC. For mainframes and network printers
- NetBEUI. For workgroups and older Microsoft operating systems
- Network Monitor Driver. For capturing packets that the Network Monitor
  utility can analyze
- NWLink IPX/SPX/NetBIOS Compatible Transport. For communicating with
  NetWare servers
The final dialog box -- Workgroup or Computer Domain -- appears next. It contains
only two options:
- The computer is not a member of a domain. (It is either a standalone machine
  or a member of a workgroup.)
- The computer is a member of a domain.
If it is a member of a domain or workgroup, you must enter the name of that
domain or workgroup in the appropriate field. Click Next, and the appropriate
files are copied over for the choices you made, and the networking components
are configured. After that, Start menu items are installed, components are registered,
settings are saved, and temporary files are removed -- all from the Performing
Final Tasks dialog box, which requires no interaction.
When this step is complete, the installation is done. Remove the CD and click
the Finish button to reboot the system.
Network Identification Wizard
After the reboot, the Network Identification Wizard begins. At the first dialog
box, you can specify whether all users must enter a user name and password to
use the computer (not the default) or whether Windows should log on a single
user automatically.
NOTE: When Windows logs on a user automatically, it bypasses fundamental
security. This is the default operation for Windows 2000 Professional; you
must change it if you want a username and password to be required at each
boot.
This is the only dialog box of the wizard. Choosing Finish allows you to get
to the Logon dialog box. A successful installation then brings up the Getting
Started splash screen.
1.2: Perform an Unattended Installation of Windows 2000 Professional
As simple as attended installations may be, they are time-consuming and administrator-intensive
in that they require someone to fill in a fair number of fields to move through
the process. Unattended installations allow you to configure the operating system
with little or no human intervention. Windows 2000 Professional offers three
main methods for performing unattended installations: Remote Installation Service
(RIS), System Preparation Tool, and Setup Manager.
Remote Installation Service
RIS (the Remote Installation Service) is a service that runs on a Windows 2000
Server. Client machines to be converted to Windows 2000 Professional access
the server service and run the installation across the network. RIS is useful
if you need to deploy a number of workstations as quickly as possible and the
deployment can be done across the network. If you want to make a number of applications
available with the image, you can always change the default user profile that
is used by copying in one that has the settings you want.
You must install the service on a server through the Windows Components feature
of the Add/Remove Programs applet. The server in question can be a domain controller
or a member server.
In addition to a server offering Remote Installation Services, for RIS to work,
the network must also be utilizing DHCP (for TCP/IP addresses), have a DNS server,
and be utilizing Active Directory Services. If any of these components is missing
from the network, you cannot use RIS.
Client machines must have a network adapter card with PXE (Pre-Boot Execution
Environment) ROM version .99c or higher and a BIOS set to start from the PXE
boot ROM. You can also use a remote installation boot disk to bypass the BIOS
and PXE requirements. The boot disk is made with the RBFG.EXE utility in the Reminst
folder beneath System32 on the RIS server. The purpose of the RBFG.EXE utility,
pure and simple, is to create a non-PXE startup disk.
NOTE: Clicking the Adapter List button shows a list of supported
PCI network cards. This is not a partial list; this is the full list. If you
attempt to use the disk on a system with an unsupported card, an error message
immediately pops up and prevents you from going any further.
You can use a file named Remboot.sif to feed parameters to the installation.
You create this file with the Setup Manager utility, discussed in a later section.
System Preparation Tool
Whereas RIS took the approach of downloading/installing the operating system
on the client from the server, the System Preparation Tool takes a completely
different approach. Sysprep.exe is used to prepare an ideal Windows 2000 Professional
workstation so that an image can be made of it (requires a third-party utility).
That image, which lacks user/computer-specific information and SIDs, can then
be loaded on other computers.
NOTE: Sysprep is not installed during a normal installation,
but is stored within the Deploy cabinet file on the CD beneath Support\Tools.
A handful of variables must be unique among all computers. After the image
is loaded, those unique values can be filled in with either of two methods:
- By default, the Setup Wizard runs after the computer is first booted and
  asks for only the values that must be changed.
- The Setup Wizard can use a SYSPREP.INF file to fill in the values without
  the need for user interaction. You can create this file with the Setup Manager,
  as discussed later in this article.
You can use the following parameters with Sysprep.exe:
Parameter    What It Means to Sysprep.exe
Nosidgen     Do not fill in Security Identifiers (SIDs) on restart
pnp          Use Plug and Play on next restart
quiet        Show no dialog boxes
reboot       Automatically reboot when finished
After Sysprep runs, the computer is shut down automatically. On startup, the
tool kicks in and gives the appearance that the boot is taking forever. Eventually,
the Windows 2000 Setup Wizard starts, presenting only those dialog boxes that
differ from machine to machine.
Setup Manager
Setup Manager is used to create answer files (known as Uniqueness Database Files,
or UDFs) for automatically providing computer or user information during setup.
Setup Manager, like Sysprep, is not installed on the system by default but is
stored within the Deploy cabinet file on the CD beneath Support\Tools.
NOTE: Setupmgr.exe depends on Setupmgx.dll to run. This file is
also stored within the Deploy cabinet file and must be installed on the system
for Setup Manager to run.
When you run Setup Manager, the Setup Manager Wizard begins. It offers you
three choices:
- Create a New Answer File
- Create an Answer File That Duplicates This Computer's Configuration
- Modify an existing answer file
The first option -- Create a New Answer File -- allows you to create one of three
types of answer files:
- Windows 2000 Unattended Installation -- offering choices for Professional or
  Server
- Sysprep Install -- offering choices for Professional or Server
- Remote Installation Services (RIS)
With both the Unattended Installation and Sysprep Install, you can choose the
amount of user interaction that's required, which can range from none to only
the text portion.
You must provide the following values:
- Name of user.
- Name of organization.
- Name of each destination computer. These values can also be imported
  from a text file. In addition, names can also be automatically generated based
  on the name of the organization.
- Password. You can enter the Administrator password, or (the default)
  you can have a prompt appear for this value during boot. You can also specify
  how many times the Administrator can be auto logged on using the given password.
- The colors, screen area, and refresh rates.
- Whether typical or custom settings should be used for the network settings.
  If you choose Custom settings, you can also choose the number of adapters
  in each computer, the protocols, services, clients, and properties, as well.
- Workgroup or domain information.
- Time Zone.
- Additional settings. These include the country/region you are in,
  area code, outside line number, phone system in use, default and additional
  languages, browser and shell settings, installation folder, printers to install,
  and commands to run on first login.
- Distribution folder. You can choose to create one or only install
  from a CD.
- The Answer File name. By default, this is Unattend.txt.
Unattend.bat is also created in the same folder as the text file. The batch
file points to the text file and the location where the setup files are located.
When the asterisk (*) appears in such places as the computer name, it generally
means that values will be generated automatically.
In addition to using the batch file, you can also call the answer file directly
from the command line. To instruct Windows 2000 setup (WINNT.EXE or WINNT32.EXE)
to use an unattended installation file, you must put /U: on the command line,
followed by the full path and filename of the unattended installation file, like this:
WINNT /U:A:\SPENCER.TXT /B
In this case, the command line will use the unattended installation file in
drive A: (called SPENCER.TXT) and copy the boot files to the drive so that no
floppy swapping will be needed. All files used with the unattended installation
must fit within the 8.3 character limitation of DOS.
Section headings in the unattended installation file are enclosed in brackets,
and several key sections are worth noting. They are covered in the following sections:
[Unattended]
The Unattended section of the unattended installation file must be present
or the file will be ignored. This section determines what, if any, of the rest
of the file will be processed during setup. Some key entries are listed here:
- OEMPreinstall must be Yes or No (default is No). No means that
  the $OEM$ directory will not be copied or used.
- The sections [MassStorageDrivers], [KeyboardDrivers], [PointingDeviceDrivers],
  [OEMBootFiles], and [OEM_Ads] must all be present if OEMPreinstall
  is set to Yes.
- NoWaitAfterTextMode is used to prevent Windows 2000 from prompting
  for a key before rebooting after the text mode portion of setup. The value
  of 1 tells Windows 2000 not to wait for a keypress after text mode.
- NoWaitAfterGuiMode is similar to NoWaitAfterTextMode but is used
  to prevent Windows 2000 from prompting for a keypress at the end of the
  GUI mode setup.
- ConfirmHardware specifies whether the user should confirm hardware.
  (No is the default and should be used for unattended installations.)
- NTUpgrade indicates how the setup program should handle existing
  installations of NT. Generally, this option should be set to No to prevent
  the script from accidentally overwriting an existing version of Windows
  2000.
- TargetPath specifies where Windows 2000 will be installed. If the
  option is *, the setup program will generate a unique directory name.
[UserData]
The UserData section is used to set up the user name, company name, and computer
name. Under a normal installation, the FullName and OrgName are the only values
supplied.
[Identification]
This section is important to getting a fully functional unattended installation
file, because most Windows 2000 workstations -- especially those that would need
an unattended installation file -- are installed on a network. Key options include
the following:
- JoinWorkgroup is mutually exclusive with the JoinDomain option
  and specifies the workgroup that the workstation should join.
- JoinDomain specifies the domain that the workstation should be
  installed in.
The Uniqueness Database (UDB) File
Most of the entries that exist in an unattended installation file can be overwritten
by a uniqueness database. The uniqueness database is simply a standard text
file that, like the unattended installation file, uses INI file-type sections
and entries.
To use a UDB file, you use the command-line switch /UDF:ID,[Filename]. The
ID can be alphanumeric and must match an ID in the uniqueness database. If the
filename is missing, the assumed filename is $unique$.udb, and it is assumed
to be on a floppy that the user will be prompted for.
The first section of a UDB file is the [UniqueIDs] section, which tells the
setup program which IDs are contained in the file and which sections each of
those IDs uses. After you establish the [UniqueIDs] section of a UDB file, you
need to set up the sections themselves. These sections are identical to those
in the unattended installation file. You create the same headings and entries,
understanding that some entries can't be in the UDB file.
Entries in this file will override entries in the unattended installation file
if they are present. If these entries are not present in the installation file,
however, the values from the UDB will be used as if they were in the unattended
installation file.
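The override rule above, together with the [Unattended], [UserData], and [Identification] constraints described earlier, can be checked before a rollout. The following Python is an added example, not part of the original article or of any Microsoft tool: it merges a constructed answer file with a constructed UDB for each ID and flags the settings the article warns about. The [ID:Section] heading form in the sample UDB and the [GuiUnattended] keys AdminPassword, AutoLogon, and AutoLogonCount are assumptions that do not appear in the article.

```python
import configparser

# Constructed sample answer file (Unattend.txt); every value is made up.
ANSWER_FILE = """\
[Unattended]
OEMPreinstall=No
NoWaitAfterTextMode=1
NoWaitAfterGuiMode=1
ConfirmHardware=No
NTUpgrade=No
TargetPath=*
[UserData]
FullName="Lab User"
OrgName="Example Org"
ComputerName=*
[GuiUnattended]
AdminPassword=Constructed-Pw-1
AutoLogon=Yes
AutoLogonCount=3
[Identification]
JoinWorkgroup=WORKGROUP
"""

# Constructed sample UDB; the [ID:Section] heading form is an assumption.
UDB_FILE = """\
[UniqueIDs]
PC01=UserData,Identification
PC02=UserData
[PC01:UserData]
ComputerName=ACCOUNTING-WORKSTATION-01
[PC01:Identification]
JoinDomain=EXAMPLE
[PC02:UserData]
ComputerName=LAB-PC02
"""

# Sections the article says must exist when OEMPreinstall=Yes.
OEM_SECTIONS = ("massstoragedrivers", "keyboarddrivers",
                "pointingdevicedrivers", "oembootfiles", "oem_ads")


def parse(text):
    """Parse INI-style text into {section: {key: value}}, names lowercased."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";",), strict=False)
    cp.read_string(text)
    return {s.lower(): {k: v.strip().strip('"') for k, v in cp[s].items()}
            for s in cp.sections()}


def effective(answer, udb, uid):
    """Settings one machine ends up with: UDB entries for uid win over the file."""
    uid = uid.lower()
    listed = udb.get("uniqueids", {}).get(uid)
    if listed is None:
        raise KeyError(f"ID {uid!r} is not listed in [UniqueIDs]")
    merged = {s: dict(kv) for s, kv in answer.items()}
    for section in (name.strip().lower() for name in listed.split(",")):
        merged.setdefault(section, {}).update(udb.get(f"{uid}:{section}", {}))
    return merged


def audit(cfg):
    """Return finding codes for one machine's effective settings."""
    unattended = cfg.get("unattended")
    if unattended is None:
        return ["NO_UNATTENDED_SECTION"]      # setup ignores the whole file
    findings = []
    if unattended.get("oempreinstall", "no").lower() == "yes":
        if any(s not in cfg for s in OEM_SECTIONS):
            findings.append("OEM_SECTIONS_MISSING")
    # Only an explicit value other than No is flagged.
    if unattended.get("ntupgrade", "no").lower() != "no":
        findings.append("MAY_OVERWRITE_EXISTING_INSTALL")
    ident = cfg.get("identification", {})
    if ident.get("joinworkgroup") and ident.get("joindomain"):
        findings.append("WORKGROUP_AND_DOMAIN_BOTH_SET")
    name = cfg.get("userdata", {}).get("computername", "*")
    if name != "*" and len(name) > 15:
        findings.append("COMPUTERNAME_OVER_15_CHARS")
    gui = cfg.get("guiunattended", {})
    if gui.get("adminpassword"):              # readable by anyone with the file
        findings.append("ADMIN_PASSWORD_IN_FILE")
    if gui.get("autologon", "no").lower() == "yes":
        findings.append("AUTOLOGON_ENABLED")
    return findings


def audit_all(answer_text, udb_text):
    """Audit the effective settings of every ID listed in [UniqueIDs]."""
    answer, udb = parse(answer_text), parse(udb_text)
    return {uid.upper(): audit(effective(answer, udb, uid))
            for uid in udb.get("uniqueids", {})}


if __name__ == "__main__":
    for machine, codes in audit_all(ANSWER_FILE, UDB_FILE).items():
        print(machine, ", ".join(codes) or "no findings")
```

For PC01 the workgroup/domain conflict exists in neither file on its own; it appears only after the UDB entry is merged over the answer file, which is why the audit runs on the effective settings per ID.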
1.3: Upgrade from a Previous Version of Windows to Windows 2000 Professional
You can perform either a clean installation or an upgrade. Upgrades can be done
from the following operating systems:
- Windows 95
- Windows 98
- Windows NT Workstation 4.0
- Windows NT Workstation 3.51
Winnt32.exe is the utility to use to initiate the upgrade. The Setup wizard
automatically creates a report of devices that cannot be upgraded. Keep in mind
that you must uncompress any DoubleSpace or DriveSpace volumes before you start
an upgrade.
1.4: Deploy service packs
Upgrades to Windows 2000 come in the form of service packs. Each service pack
contains patches and fixes for the operating system components that need them, as well
as additional features. A service pack is a self-running program that modifies
your operating system. It isn't uncommon within the lifetime of an operating
system to have two or three service packs.
Successive service packs include all files that have been in previous ones.
Therefore, if you perform a new installation and the latest service pack is
Service Pack Four, you do not need to install Service Packs One, Two, and Three.
You need install only Service Pack Four after the installation to bring the
operating system up to the current feature set.
As they are released, service packs are shipped monthly for all Microsoft Operating
Systems with TechNet. TechNet is a subscription CD service available through
Microsoft. You can use Windows Installer to deploy service packs to all the
machines on the network.
1.5: Troubleshoot Failed Installations
The Windows 2000 Setup program makes installation errors much less common than
they used to be with earlier operating systems. Several categories of errors
might still occur after an installation, but they are also easier to track down
and eliminate.
Installation Disk Errors and Upgrades
In rare cases, there may be a problem with the CD you obtained to perform the
Windows 2000 Professional installation. Typically, a read error is posted; less
frequently, the installation does not complete itself, and you might not be
able to determine why this is so.
To obtain a replacement disk, contact Microsoft at (800) 426-9400. Have your
registration number handy; the sales and support staff must have it to process
your request. New media requests under the warranty generally are sent without
cost. If the upgrade is a slipstream upgrade, you might be charged postage.
Inadequate Disk Space
The Windows 2000 Professional Setup program examines the partition where you
want Windows 2000 Professional installed to determine how much free space it
contains. If it does not have adequate free space, the installation stops and
fails. You must then take corrective action to proceed with the installation.
In certain respects, the Setup program is both intelligent and ignorant. It
protects your files in the Recycle Bin by not deleting them, which is wise.
Unfortunately, it also leaves any number of TEMP files that could be safely
deleted scattered about your disk.
To free up some room on your disk, consider doing any of the following prior
to installation:
- Empty your Recycle Bin.
- Delete any TEMP files that you find in the various locations where they
  are stored (for example, the Print Cache folder).
- Delete any files that you find in your Internet browser's cache folder or
  any other cache folder.
- Uninstall any programs you no longer need.
- Compress any files you use on an infrequent basis.
- Change the size of the system partition you want to use for your installation.
- Create a new partition with adequate room for the installation.
- Compress your NTFS partition to make more room.
Several other methods enable you to reclaim or recover lost disk space. The
aforementioned, however, are often sufficient to help you get over the crunch.
Disk Configuration Errors
The best way to ensure that you are using hardware that is compatible with Windows
2000 Professional is to check the Hardware Compatibility List (HCL) to see whether
the device is approved for use and supported.
If you have inherited a configuration with a non-supported SCSI device adapter,
you might not be able to boot your newly installed operating system. In that
instance, boot to a different operating system and try starting WINNT on the
installation CD. You can also use a network installation to try to rectify the
problem. If none of these solutions work, you may be forced to replace the adapter
with one recommended on the Hardware Compatibility List.
Cannot Connect to a Domain Controller
The error message "Cannot Connect to a Domain Controller" is one of
the more common error messages you might see when you install Windows 2000 Professional,
change your hardware configuration, or change network settings. There are a
number of explanations for this problem.
Carefully verify that you are entering the correct user name and password,
and that the Caps Lock key is not on. The first thing you should check is that
the account name you are using is listed in the User Manager for Domains on
the primary domain controller. An incorrect password generates a different error
message than the lack of the user account.
You should check to see whether the machine account has been added to the User
Manager for the primary domain controller. Next, open the Network Control Panel
and make sure the network bindings are installed properly on the Bindings tab.
Some bindings, such as TCP/IP, require not only computer names but also IP addresses
and subnet masks. If there is a conflict with two machines on the network having
the same IP address, you get an error condition. Failure to enter the subnet
mask (or entering an incorrect subnet mask) also prevents your workstation from
finding and connecting to a domain controller and getting its network identity
properly verified.
The failure to connect to a domain controller is such a common problem that
it is really unfortunate the message isn't more descriptive of the problem.
Domain Name Error
If you accidentally select the wrong domain name, you get an error message when
you attempt to log on. The solution is obvious when you realize what the problem
is. Just go back and select the correct domain name. If you can ping your system
using the loopback address and its own IP address, but not the domain name,
that's a good indication of a domain name error.
Problems that can occur with name resolution and their solutions fit into the
following generalities:
- The entry is misspelled. Examine all relevant tabs and files to verify
  that the host name is spelled correctly.
- Comment characters in some files prevent the entry from being read. Verify
  that a pound sign does not appear at the beginning of the line or anywhere
  on the line prior to the host name.
- The file contains duplicate entries. Because the files are read in
  linear fashion, any time there is a duplication, only the first entry is read
  and all others are ignored. Verify that all host names are unique.
- A host other than the one you want is contacted. Verify that the
  IP address entered in the file(s) is valid and corresponds to the host name.
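The four failure modes above can be checked mechanically. The following Python is an added example, not part of the original article; it assumes the name-resolution file uses the HOSTS layout (an address followed by names, with # starting a comment), and the sample file and the list of expected host names are constructed.

```python
import difflib
import ipaddress

# Constructed sample file in HOSTS layout: address, then one or more names.
HOSTS = """\
127.0.0.1       localhost
192.168.10.5    dc01.example.local dc01
#192.168.10.6   fileserver
192.168.10.8    dc01
192.168.10.300  intranet
192.168.10.9    printsvr
"""


def parse_hosts(text):
    """Return (entries, hidden): active (line, address, names) and commented tokens."""
    entries, hidden = [], {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")   # everything after # is not read
        fields = body.split()
        if fields:
            entries.append((line_no, fields[0], [n.lower() for n in fields[1:]]))
        for token in comment.split():
            hidden.setdefault(token.lower(), line_no)
    return entries, hidden


def resolve(text, name):
    """Linear read: the first entry carrying the name wins, later ones are ignored."""
    for _, address, names in parse_hosts(text)[0]:
        if name.lower() in names:
            return address
    return None


def valid_address(address):
    """True when the address field parses as an IP address."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def lint(text, expected):
    """Return (code, name, line) findings for the four failure modes listed above."""
    entries, hidden = parse_hosts(text)
    findings, first_seen = [], {}
    for line_no, address, names in entries:
        if not valid_address(address):
            findings.append(("BAD_ADDRESS", " ".join(names), line_no))
        for name in names:
            if name in first_seen:
                findings.append(("SHADOWED_DUPLICATE", name, line_no))
            else:
                first_seen[name] = line_no
    for name in (n.lower() for n in expected):
        if name in first_seen:
            continue
        near = difflib.get_close_matches(name, list(first_seen), n=1, cutoff=0.8)
        if name in hidden:
            findings.append(("COMMENTED_OUT", name, hidden[name]))
        elif near:
            findings.append(("POSSIBLE_MISSPELLING", name, first_seen[near[0]]))
        else:
            findings.append(("MISSING", name, 0))
    return findings


if __name__ == "__main__":
    for finding in lint(HOSTS, ["dc01", "fileserver", "intranet", "printsrv"]):
        print(finding)
```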
During the actual installation, Windows 2000 Professional creates six log files
at various stages along the way. All six logs are created within the %SystemRoot%
or %SystemRoot%\Debug folders (C:\WINNT and C:\WINNT\DEBUG, by default). If
you have a puzzling problem, look at these logs and see if you can find error
entries there.
- Comsetup.log. This log file holds information about the COM+ installation
  and any optional components installed. Of key importance are the last lines
  of the file, which should always show that the setup completed. If the last
  lines do not show this, they depict where the errors occurred.
- Mmdet.log. This file is used to hold information relevant to the
  detection of multimedia devices and ports. On most systems used for business,
  this file will be very small in size and contain only a few lines.
- NetSetup.log. This file differs from all the others in that it is
  within the DEBUG folder and not just %SystemRoot%. Entries in it detail the
  workgroup and domain options given during installation.
- Setupact.log. Known as the Action log, this file is a chronological
  record of what took place during the setup. There is a tremendous amount of
  information here; of key importance is whether errors occurred. The last
  lines of the file can show which operation was transpiring when the
  installation failed, or whether the installation ended with errors. Like all the
  log files created during setup, this file is in ASCII text format and can
  be viewed with any viewer (WordPad, Word, etc.).
- Setupapi.log. This file shows every line run from an INF file and
  the results. Not only is this file created during installation, it continues
  to get appended to afterward. Of key importance is whether the commands are
  able to complete without error.
- Setuperr.log. The Error log, as this file is commonly called, is
  written to at the time errors are noted in other log files. For example, an
  entry in Setupact.log may show that an error occurred, and additional information
  on it will be found in Setuperr.log. Not only are the errors here, but also
  the severity of each is given.
Objective #2: Implementing and Conducting Administration of Resources
The permissions, attributes, and characteristics of files and folders depend
greatly on the file system that Windows 2000 is installed on and the location
of the user accessing them. The following sections examine aspects of file and
folder attributes and access on the local machine.
2.1: Monitor, Manage, and Troubleshoot Access to Files and Folders
The permissions, attributes, and characteristics of files and folders depend
greatly on the file system that Windows 2000 is installed on and the location
of the user accessing them. The next two sections examine aspects of file and
folder attributes and access on the local machine.
File and Folder Access and Permissions
Share permissions apply only when a user is accessing a file or folder through
the network. Local permissions and attributes are used to protect the file when
the user is local. With FAT and FAT32, you do not have the ability to assign
"extended" or "extensible" permissions, and the user sitting
at the console effectively is the owner of all resources on the system. As such,
he can add, change, and delete any data or file that he wants.
With NTFS as the file system, however, you are allowed to assign more comprehensive
security to your computer system. NTFS permissions are able to protect you at
the file level. Share permissions (addressed later in this article) can be applied
to the directory level only. NTFS permissions can affect users logged on locally
or across the network to the system where the NTFS permissions are applied.
Share permissions are in effect only when the user connects to the resource
via the network.
The NTFS permissions for a folder are located on the Security tab of its Properties
dialog box. Here you can change the NTFS permissions for the folder.
Permissions can be allowed or denied individually on a per-folder basis. You
can assign any combination of the values shown in the following list of
NTFS Directory permissions and their meanings.
Full Control. Gives the user all the other choices and the ability
to Change Permission. The user also can take ownership of the directory or
any of its contents.
Modify. Combines the Read & Execute permission with the Write
permission and further allows the user to delete everything, including the
folder.
Read & Execute. Combines the permissions of Read with those of
List Folder Contents and adds the ability to run executables.
List Folder Contents. The List Folder Contents permission (known
simply as List in previous versions) allows the user to view the contents
of a directory and to navigate to its subdirectories. It does not grant the
user access to the files in these directories unless that is specified in
file permissions.
Read. Allows the user to navigate the entire directory structure,
view the contents of the directory, view the contents of any files in the
directory, and see ownership and attributes.
Write. Allows the user to create new entities within the folder,
as well as to change ownership, permissions, and attributes.
Clicking the Advanced command button allows you to configure auditing and ownership
properties. When you change the permissions on a folder, by default you are
also changing them for the subfolders and files beneath that folder.
NOTE #1: As with earlier versions of the operating system, in Windows
2000, the default for newly created entities is equal to Everyone - Full Control.
NOTE #2: The No Access permission that was available in all previous
versions of NTFS (meaning, in Windows NT) does not exist in NTFS 5 and Windows
2000.
You can also apply NTFS permissions to individual files. This is done
from the Security tab for the file. The following table lists the NTFS file
permissions.
Full Control. Gives the user all the other permissions as well as
permission to take ownership and change permission.
Modify. Combines the Read & Execute permission with the Write
permission and further allows the user to delete the file.
Read & Execute. Combines the Read permission with the ability
to execute.
Read. Allows the user to view the contents of the file and to see
ownership and attributes.
Write. Allows the user to overwrite the file, as well as to change
attributes and see ownership and permissions.
As with the folder, default permissions on newly created entities are equal
to Everyone - Full Control. Additionally, by default, the determination of NTFS
permissions is based on the cumulative NTFS permissions for a user. Rights can
be assigned to users based on group membership and individually; the only time
permissions do not accumulate is when the Deny permission is invoked.
NOTE: The Deny permission overrides all other permissions. In the
absence of Deny, rights accumulate through individual and group assignments,
as well as through folder and file assignments. (In the case of a conflict,
file permissions override folder permissions.)
The check box at the bottom of the Properties dialog box is checked by default.
This means that inheritance is a natural occurrence in Windows 2000 and that
permissions and rights assigned at one level always filter down, unless the
administrator removes the check from this box.
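The accumulation, Deny and inheritance rules above can be expressed as a small evaluator. This is an added example, not code from the article or from Windows: it is a simplified model in which the five file permissions are reduced to six illustrative rights, and the "file overrides folder" rule is modelled as Windows' ACE ordering (entries set on the file itself are evaluated before entries inherited from the folder, Deny before Allow within each). The `Right` enum, the `effective_rights` function and the user and group names are hypothetical.

```python
from enum import Flag, auto


class Right(Flag):
    """Simplified rights; real NTFS access masks are finer grained."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()
    CHANGE_PERMISSION = auto()
    TAKE_OWNERSHIP = auto()


NONE = Right(0)
R, W, X, D = Right.READ, Right.WRITE, Right.EXECUTE, Right.DELETE

# The article's five file permissions, reduced to the simplified rights above.
NAMED = {
    "Read": R,
    "Write": W,
    "Read & Execute": R | X,
    "Modify": R | X | W | D,
    "Full Control": R | X | W | D | Right.CHANGE_PERMISSION | Right.TAKE_OWNERSHIP,
}


def effective_rights(member_of, file_aces, folder_aces, inherit=True):
    """Compute the rights a user ends up with on one file.

    member_of   -- set holding the user name and every group the user is in
    file_aces   -- entries set on the file: (trustee, "allow"|"deny", name)
    folder_aces -- entries on the parent folder, inherited when inherit=True
                   (the inheritance check box left selected)
    """
    granted = NONE   # rights allowed so far
    decided = NONE   # rights already settled, either way
    for aces in (file_aces, folder_aces if inherit else []):
        for wanted_kind in ("deny", "allow"):
            for trustee, kind, name in aces:
                if kind != wanted_kind or trustee not in member_of:
                    continue
                # Only rights nobody has decided yet can still change.
                fresh = NAMED[name] & ~decided
                if kind == "allow":
                    granted |= fresh
                decided |= fresh
    return granted


if __name__ == "__main__":
    alice = {"alice", "Sales", "Temps", "Everyone"}
    default_acl = [("Everyone", "allow", "Full Control")]
    print("new file, defaults :", effective_rights(alice, [], default_acl))
    print("deny from one group:", effective_rights(
        alice, [("Sales", "allow", "Modify"), ("Temps", "deny", "Write")], []))
```

The first scenario in the demo is the one to keep in mind when auditing: with the default Everyone - Full Control entry left in place, every account receives every right until an administrator tightens the list.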
Effects of Moving and Copying Files
Moving or copying a file to a new directory could change the permissions on
an NTFS file. This depends on whether the file is moved or copied and on whether
the target directory is on the same NTFS volume as the original. As a general
exam study rule, you will never go wrong backing up the data before moving it,
compressing it, etc.
When a file is copied from one directory to another on the same NTFS volume,
the file inherits the directory permissions for new files of the target directory.
When a file is moved from one directory to another on the same NTFS volume,
it retains the NTFS permissions it had from the original directory.
This concept gets confusing when files are moved or copied from one NTFS volume
to another NTFS volume. When you copy a file from one NTFS volume to another,
the file will always inherit the permissions of the target directory. The same
is true when you move a file between NTFS volumes. This is due to the fact that
the file is not actually moved between NTFS volumes. The actual process is outlined
here:
1. The file is copied to the target directory. This causes the file to inherit
the permissions of the target directory.
2. The file in the target directory is compared to the original file, and
it's verified that the two are identical.
3. The original file is deleted from the original directory.
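The copy and move rules, including the three-step cross-volume move, are easier to check as a model. This is an added example, not part of the original article and not Windows code: a toy file system in which each folder carries the permissions it gives to new files. The `Folder` and `File` classes, the function names, the volume letters and the group names are all hypothetical; a FAT target is modelled as dropping permissions entirely, since FAT cannot store them.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class File:
    data: bytes
    acl: Optional[tuple]          # None means "no permissions stored" (FAT)


@dataclass
class Folder:
    volume: str                   # e.g. "C:"
    fs: str                       # "NTFS" or "FAT"
    new_file_acl: Optional[tuple] # permissions a newly created file receives
    files: dict = field(default_factory=dict)


def copy_file(src, name, dst):
    """A copy creates a NEW file in dst, so it takes dst's permissions."""
    original = src.files[name]
    acl = dst.new_file_acl if dst.fs == "NTFS" else None
    dst.files[name] = File(original.data, acl)
    return dst.files[name]


def move_file(src, name, dst):
    """Move within a volume keeps the ACL; across volumes it is copy+delete."""
    if src.volume == dst.volume:
        # Same volume: the file object itself is re-parented, ACL untouched.
        dst.files[name] = src.files.pop(name)
        return dst.files[name]
    # Step 1: copy to the target (the copy inherits the target's permissions).
    copied = copy_file(src, name, dst)
    # Step 2: verify the copy against the original.
    if copied.data != src.files[name].data:
        del dst.files[name]
        raise OSError("verification failed; original left in place")
    # Step 3: delete the original.
    del src.files[name]
    return copied


if __name__ == "__main__":
    restricted = (("Payroll", "allow", "Modify"),)
    wide_open = (("Everyone", "allow", "Full Control"),)
    hr = Folder("C:", "NTFS", restricted, {"pay.xls": File(b"data", restricted)})
    scratch = Folder("D:", "NTFS", wide_open)
    moved = move_file(hr, "pay.xls", scratch)
    print("after cross-volume move:", moved.acl)
```

The demo shows the case worth watching for: a restricted file moved to a folder on another volume silently picks up that folder's wider permissions.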
Setting NTFS Permissions
You set NTFS permissions from the Security tab of an NTFS file or directory
object. To set NTFS permissions, a user must meet one of the following criteria:
Be a member of the Administrators local group.
Be a member of the Power Users local group.
Be assigned the NTFS permission of Change Permission (P) for a directory
or file resource.
Be the Owner of a file or folder object.
The owner of any object can change the permissions of that object at any time.
They then have the permission to Take Ownership so that he or she can become
the owner of the file or folder object and change the permissions of that object.
File Compression
Using the NTFS file system, you can configure files and folders for file-level
compression, if you have Write permissions. To do so, go to the General tab
of the file's Properties dialog box and click the Advanced command button. The
Advanced Attributes dialog box appears.
Compression conserves disk space but does not reduce the estimation of how
much space the user is utilizing when computing disk quotas. Compression can
be enabled for an individual file or set at the folder level.
NOTE: Even though encryption and compression settings appear in
the same frame on the dialog box, the two features are mutually exclusive.
When a file is copied or moved, the compression attribute resembles other NTFS
permissions when deciding whether it will be kept or lost. When the file is
copied, the compression attribute always becomes equal to that of the target
folder (and if going to a non-NTFS partition, it is lost completely).
As a general rule, an uncompressed file will remain uncompressed when moved
about. The only time compression can get squirrelly is when you move a compressed
file around.
2.2: Manage and Troubleshoot Access to Shared Folders
Share permissions differ significantly from NTFS permissions in a number of
ways:
They apply to users accessing the resource remotely and not locally.
They work with Windows- and DOS-based file systems (NTFS, FAT, or FAT32).
They work in conjunction with other permissions.
In the following sections, you'll learn how to set up shares, how to control
access to them, and finally, how to work with Web resources.
Sharing Folders and Controlling Access
Sharing is done at the folder level; it cannot be done individually at the file
level. The only requirement is that you must install the File and Printer Sharing
for Microsoft Networks service. To quickly see what folders are shared on a
machine (and the full path to those shares), go to Administrative Tools, Computer
Management, System Tools, Shared Folders, Shares.
You can share a folder from the command line (difficult) or from within the
graphical interface (simple). To share a folder graphically, highlight it within
your browser and right-click on it. Choose Sharing from the popup menu, and
the Properties dialog box appears.
Click the Share This Folder option button; the name of the shared folder automatically
appears in the Share Name text box. You can keep this value or change it to
any other value. The share name should be 15 characters or fewer (8 or fewer
if you will be servicing DOS clients). The Comment field is completely optional,
but it can be used to display information about the folder's contents to users.
To stop the sharing of a folder, access the same tab and click Do Not Share
This Folder.
NOTE: For users to see the comments, they must use the Details
view.
From this dialog box, you can also set the maximum number of users who can
access the folder concurrently. The default is unlimited, but you can specify
a number if you must limit the access for licensing, design, or other reasons.
Because the permissions apply to the entity only when it is accessed remotely,
they are known as Access Through Share (ATS) permissions. The following table
summarizes the share permissions you can assign and their meanings:
Full Control. Gives the user all the other choices and the ability
to Change Permission and take ownership (if NTFS).
Change. Gives the user Read, Execute, Write and Delete permissions
to the share.
Read. Allows the user Read and Execute permissions to the share.
You can add individual users and groups to or remove them from the permissions
list. Click Add, and the Select Users, Computers, or Groups dialog box appears.
By default, all the Allow check boxes are selected. When you deselect Change
or Read, it automatically unchecks Full Control, because Full Control requires
having those other permissions.
When the permissions are properly configured, click OK to exit. The folder
icon now appears with a hand beneath it, indicating that the folder is shared.
Sharing Again
A folder can be shared more than once, each time having a different share name
associated with it. This is useful if you are combining folders; for example,
if you are placing what accounting used to call REPORTS in with what marketing
used to call DATA. To share the folder under a different name, right-click it,
and then choose Sharing from the popup menu.
On the Sharing tab of the Properties dialog box, note that the text box for
Share Name is now a drop-down box. Notice, as well, that a new command button
appears at the bottom of the box: New Share. By clicking this button, you can
specify another name for the share, as well as comments, permissions, and user
limits.
NOTE: Both Windows NT and Windows 2000 allow for multiple share
names to point to the same folder and have different permissions. As a result,
the sales department can be allowed to access files within a folder DATA by
the share name SALES and automatically have Read-Only rights, while the accounting
department can access the same files under the share name REPORTS and have
Full Control. It sounds simplistic, but it is an often-overlooked means of
adding simple security to data files.
Sharing from the Command Prompt
The NET command used with the SHARE parameter enables you to create shares from
the command prompt, using this syntax:
NET SHARE sharename=drive:path
To share the C:\EVAN directory as SALES, for example, you would use the following
command:
NET SHARE SALES=C:\EVAN
You can use other parameters with NET SHARE to set other options. The following
summarizes the most commonly used parameters:
/DELETE To stop sharing a folder
/REMARK To add a comment for browsers
/UNLIMITED To set the user limit to Maximum Allowed
/USERS To set a specific user limit
Hidden Shares
Whether you create a share with My Computer, with Explorer, or from the command
prompt, you can "hide" it (prevent it from appearing in Network Neighborhood)
by adding a dollar sign ($) to the end of the share name, as shown here:
NET SHARE SALES$=C:\EVAN
This does not prevent a user from connecting to the share. To do so, the user
must explicitly supply the entire path (including the $).
Every Windows 2000-based computer has three hidden shares that are created automatically:
C$. The root of the computer's drive. A similar share (D$, E$, and
so on) will be created for each hard drive partition on a system.
ADMIN$. The root of the partition on which Windows 2000 has been
installed.
IPC$. The remote IPC (InterProcess Connect) share used for networking.
These shares offer Full Control access to administrators and deny access to
regular users. They provide a means by which administrators can easily access
key directories across the network.
Accessing the Share
You can access the shared directory and its contents through either Network
Neighborhood or the Find command. Using the Details view allows you to view
the added comments for each share.
If a user belongs to a group that has access to a resource but still cannot
access that resource, look to see which other groups she belongs to. While she
may be given access through membership in one group, it is fully conceivable
that membership in another group is denying her access.
Working with Web Resources
If, and only if, Web services are installed on the same machine you have created
the share on, an additional tab (Web Sharing) appears under Properties.
By default, Web sharing is not enabled. When you choose to share it, you can
create an alias (which appears as the share name, by default). You then can
specify Read, Execute, and/or Scripts permissions.
2.3: Connect to Local and Network Print Devices
Printing architecture has come a long way from the days of DOS-based applications.
For the exam, you should understand the steps involved in the Windows 2000 printing
process and how to configure all aspects of a printer in Windows 2000 Professional.
All About Printer Drivers
The printer driver is responsible for generating the data stream that forms
a print job. It amounts to the following two DLLs (Dynamic Link Libraries) and
a printer-specific minidriver (akin to a configuration file):
The Printer Graphics Driver DLL consists of the rendering or managing
portion of the driver. It is always called by the Graphics Device Interface.
The Printer Interface Driver DLL consists of the user interface or
configuration management portion of the printer driver. It is used by an administrator
to configure a printer.
The Characterization File contains all the printer-specific information,
such as memory, page protection, soft fonts, graphics resolution, paper orientation
and size, and so on. The two DLLs need this file to gather printer-specific
information.
Because the printer driver is specific to the operating system and hardware
platform, you cannot use a Windows 95 printer driver with Windows 2000, and
you cannot use an Intel printer driver on an Alpha machine.
The automatic updating of the printer driver on the client is a key component
of Windows 2000 printing. When you first configure a Windows 2000 printer for
sharing, you must specify the operating systems and hardware platforms of all
client machines that are going to access the printer. After you specify them,
the appropriate drivers are placed on the server so they are available for downloading
to clients.
NOTE: Windows 2000 includes print drivers for Windows 2000, Windows
98, Windows 95, and Windows NT 4.0. The 2000 CD does not include drivers for
earlier versions of NT and other operating systems.
All About the Spooler
The spooler consists of a series of DLLs that accept, process, and distribute
print jobs. It operates in the background to manage the whole printing process.
All told, the spooler service performs the following functions:
Keeps track of job destinations
Keeps track of ports
Routes print jobs to ports
Manages printer pools
Prioritizes print jobs
To function, the Spooler service has to run on both the client and the print
server machines. A key point to know for the exam is that the spool file folder,
by default, is the winnt\system32\spool\PRINTERS directory. You can change this
by using the Advanced tab of the printer server's Properties dialog box. (You
can also use Registry Editor to set the spool directory, but this method is
much easier.)
If print jobs begin to fail because you are running out of space, the best
solution is to move the spooler to another drive with more space free.
NOTE: To reach the Print Server Properties dialog box, open the
Printers folder, and then choose File, Server Properties.
The next portion of the printing process involves the print router. Little
needs to be said except that the print router receives the print job from the
spooler and routes it to the appropriate print processor.
All About the Print Processor
Rendering is the process of translating print data into a form a printing device
can read. The printer driver starts the process of rendering; the print processor
completes it. However, the tasks performed by the print processor differ depending
on data type.
The primary Windows NT print processor is called WINPRINT.DLL. It works with
the following data types:
RAW data. Already rendered data that's ready for the printer.
Text. RAW text with very minimal formatting (intended for printing
devices that don't directly accept ASCII text).
EMF (Enhanced Metafile). A standard file format in Windows NT and
Windows 95 wherein the Graphical Device Interface generates information before
spooling. Because the processor, memory, and other resources on the machine
typically are beefier than on the printer, the end result is that control
is returned to the user in less time than if he were to wait for the printer
directly.
Windows 2000's WINPRINT.DLL works with several types of RAW and EMF formats.
All About Print Monitors
Print monitors control access to specific devices, monitor the status of devices,
and communicate with the spooler. The print monitor controls the data stream
to printer ports and is responsible for writing a print job to the output destination
and taking care of port access.
To install a print monitor, access the Ports tab of the printer's Properties
dialog box and click Add Port. In the Printer Ports dialog box that appears,
click on the New Port Type button.
Adding a new port can be useful when you need to offload the queue from a printer
that has stopped working. For example, if a printer that an office sends all
jobs to stops working but has a full queue, you can add another port going to
an identical printer and point the port to the second printer.
The print monitor can perform all the following tasks:
Detect unsolicited errors (Out of Paper and Toner Low, for example)
Handle end-of-job notifications
Monitor printer status for printing errors
Managing Printers and Print Jobs
The primary user interface to Windows 2000 Professional printing features is
the Printers folder. This is accessible through the Control Panel or beneath
the Settings item in the Start menu.
From the Printers folder, you can install, configure, administer, and remove
printers; watch print queues; pause, purge and restart print jobs; share printers;
and set printer defaults.
You can install printers on the workstation or through a connection to a remote
printer. The remote connection installation is easy to accomplish, whereas installing
your own printer is much more involved and requires Administrative or Power
User rights.
To start either installation, double-click on the Add Printer icon in the Printers
folder. The Add Printer Wizard appears.
Adding a Printer on Your Own Machine
As mentioned earlier, to add a printer, you must have Administrator or Power
User rights. The wizard begins the process and then either initiates the Add
New Hardware Wizard (if a printer is not already attached) or asks which port
you want to use. You cannot proceed until you have checked one of the available
ports or added a new port.
Next, you must specify the manufacturer and model of the new printer, choosing
from the list displayed. If your printer is not listed, click the Have Disk
button and install the driver from a disk.
Next, you must supply a printer name. The only other choice you make here is
whether you want the printer to become the default printer for Windows-based
programs.
The printer name can contain up to 32 characters; it doesn't have to reflect
the name of the driver in use. As you can with other resources and shares, you
can place a dollar sign ($) at the end of the name to prevent it from being
visible to all other users even though you may choose to share it.
The next choice, coincidentally, is whether you want to share the printer with
other computers on the network. You must provide a share name if you are going
to share it. (The default is the name you entered in the previous screen.)
If you are sharing the printer, you can specify free text (Location and Comment)
to be associated with the printer.
Finally, you are given the choice of printing a test page. (The default is
yes.) When you finish the installation, the wizard shows you all your choices
and allows you one last chance to make changes (which you do by using the Back
command button) before finishing.
Adding a Network or Internet Printer
This is a much simpler operation than installing a printer locally. In the first
screen of the Add Printer Wizard, click the Network Printer option. This opens
the Locate Your Printer dialog box, which asks for the name of the shared printer
you want to connect to.
If the printer is networked and you do not know the path, you can leave the
field blank and click Next to invoke the Browse feature. No such feature is
available for the Internet printer option, however, so you must specify a URL
in order to proceed to the next dialog box.
Prior to completion, the wizard asks if you want the printer to serve as a
default printer. It then completes the installation by placing an icon for the
printer in the Printers folder.
Internet printing is made possible by IPP (Internet Printing Protocol). It
is a low-level protocol that is encapsulated within HTTP. When accessing a printer
through a browser, the system first attempts to connect using RPC.
Configuring Printers
All standard configuration settings for a Windows 2000 Professional printer
are available through three options of the Printers folder File menu:
Printing Preferences
Server Properties
Properties
Printing Preferences
Select the printer, choose File, and select Printing Preferences (or right-click
on the printer icon and choose Printing Preferences from the popup menu). Both
methods open a dialog box that differs significantly based on the type of printer
in question. On a standard black-and-white laser printer, there are often only
two tabs:
Layout
Paper/Quality
When you click the Advanced button on the Layout tab, you are given options
for changing the graphics resolution, color adjustment, print quality, size,
source, and orientation settings.
On a bubble-jet printer, the choices change to the following:
Main (select the print mode)
Paper
Control
In all cases, the purpose of Printing Preferences is to configure the printer
you use most often for proper handling of the print jobs you most often submit.
Server Properties
The Print Server Properties dialog box contains information specific to the
computer's print server activities. The dialog box is independent of any particular
type of printer. To get to it, select the printer, choose File, and click Server
Properties.
The Print Server Properties dialog box contains the following four tabs:
Forms. Defines the print forms available on the computer.
Ports. Maintains a list of available ports. You can add, delete,
or configure a port.
Drivers. Displays information on the installed print drivers (version,
environment, and so on) and lets you update, add, or remove them.
Advanced. Provides the location of the spooler and an assortment
of logging and notification options.
NOTE: The Ports tab in the Server Properties dialog box
is the same as the one in the Add Printer Wizard, with one exception: You
don't have to select a port here because you are viewing the available ports
and are not associating a port with a particular printer.
Properties
Most configuration settings for a printer are located in the printer's Properties
dialog box. To open a particular printer's Properties dialog box, select a printer
in the Printers folder, right-click it, and then choose Properties. The following
sections discuss the tabs of the printer's Properties dialog box.
The Printer Properties General Tab
The General tab lets you install a new driver for the printer. There are two
buttons on this tab:
The Print Test Page button enables you to test a printer connection.
The Printing Preferences button brings up the same printing preferences
discussed earlier in the section "Printing Preferences."
The Printer Properties Sharing Tab
This tab lets you share the printer with other computers on the network. This
option is useful if you did not originally install the printer as a shared
printer but later decide you want to share it.
The Printer Properties Ports Tab
The Ports tab lets you choose a port for the printer and add or delete a port.
The Configure Port button also lets you specify the Transmission Retry time
for all printers that use the same driver. Of particular note are the two
options at the bottom, with which you can enable printer pooling and bidirectional
support. Printer pooling is discussed in detail in a later section of this
article. Bidirectional support allows the printer to send unsolicited messages
(such as out of paper, low on toner, and so on) to the workstation. In order
to send such data, the printer in question must have bidirectional capabilities,
and the cabling used must also support it.
The Printer Properties Advanced Tab
This tab combines the features of the Scheduling tab and the command buttons
from the General tab of Windows NT 4.0. It lets you determine when the printer
will be available and unavailable, and to set the printer priority.
NOTE: The Printer priority is in no way related to the Print job
priority. Although the priority for a printer defaults to 1, it can be any
number between 1 and 99. When more than one printer is printing to the same
printing device, it is useful to change priorities (to allow the one with
the highest priority to print first).
NOTE: In a scenario where GroupA submits large jobs that hold up
everyone else, you can 1) add a new printer and set a very high priority for
it (97, for example), and then 2) deny print permissions to GroupA. This will
allow all others to print to this printer first, going to the original printer
only if it is free.
Note the three command buttons along the bottom of the dialog box:
Printing Defaults takes you back (yet again) to Printing Preferences.
Print Processor allows you to select the processor. By default, this
is WINPRINT.DLL, but it can be updated or replaced. WINPRINT.DLL now supports
the following eight data choices: RAW, RAW (FF appended), RAW (FF auto), NT
EMF 1.003, NT EMF 1.006, NT EMF 1.007, NT EMF 1.008, TEXT
Separator Page lets you choose one of three predefined separator
pages or create one of your own. By default, Windows 2000 does not separate
print jobs or use a separator page. However, the following options are available
with Windows 2000: PCL.SEP (switches Hewlett-Packard printers to PCL mode),
PSCRIPT.SEP (switches Hewlett-Packard printers to PostScript mode), SYSPRINT.SEP
(separator page for PostScript printers), and SYSPRTJ.SEP (the Japanese version
of Sysprint.Sep).
The Printer Properties Security Tab
This tab lets you configure permissions, auditing, and ownership for the printer
(through the Advanced tab). Like all Windows 2000 objects, printers are protected
by the Windows NT security model.
The possible permission levels for printer access/denial are outlined here:
Print. Allows a user or group to submit a print job and to control
the settings and print status for that job.
Manage Printers. Allows a user to submit a print job and to control
the settings and print status for all documents, as well as for the printer
itself. In addition, the user or group may share, stop sharing, change permissions
for, and even delete the printer.
Manage Documents. Allows a user or group to submit a print job and
to control the settings and print status for all print jobs.
A key thing to remember is that these permissions affect both local and remote
users.
To change the permission level for a group, select the group from the Name
list and either enter the new permission level in the Permissions combo boxes
or open the Advanced dialog box. You can add a group or user to the permissions
list by clicking on the Add button and making your changes in the Add Users
and Groups dialog box that appears.
NOTE: The Security tab also enables you to set up auditing for
the printer and to take ownership of the printer through the Advanced button.
The Printer Properties Device Settings Tab
The Device Settings tab contains settings for the printing device, which differ
depending on the printing device.
Setting Up a Printer Pool
A printer pool offers an efficient means of streamlining the printing process
in many environments. By the simplest definition, a printer pool is a single
logical printer that prints to more than one printing device. It prints jobs
sent to it to the first available printing device and provides the throughput
of multiple printing devices with the simplicity of a single printer definition.
Windows 2000 ensures that no single device is ever sent more than one document
at a time if other devices are currently available. This ensures efficient utilization
of all printing devices.
The following criteria must be met before a network can use a printer pool:
A minimum of two printing devices must be capable of using the same printer
driver. Because the pool is seen and treated as a single logical device, it
must be managed by a single printer driver.
Although not required, the printing devices should be located in close proximity
to one another. This is because users have no means of specifying a device
within the pool and are given no notification as to which printer actually
printed the job. Users should not have to walk from floor to floor to find
their documents; instead, they should be able to check all printing devices
quickly.
You create a printer pool by configuring the printer to print to more than
one port. Naturally, you must also attach a printing device to each of the ports.
MS-DOS-Based Applications
DOS-based applications differ from Windows-based applications in that they provide
their own printer drivers. They typically also render data to the RAW data type
or to straight ASCII text. Because of this, an application that prints graphics
and formatted text must have its own printer driver for the printing device,
whereas the application can print ASCII text without a vendor-supplied printer
driver.
NOTE: Most DOS-based applications cannot handle UNC names. Therefore,
when you print to a remote printer, you must often map a physical port to
the remote printer. To do so, use the following command:
NET USE LPTX: \\PSERVER\PRINTER_NAME
2.4: Configure and Manage File Systems
The file system that is appropriate for Windows 2000 depends on the needs of
the specific environment it will be used in. In an environment that requires
dual-booting to another operating system, Microsoft recommends using a FAT-formatted
file system. It recommends NTFS, however, for situations in which security is
a concern.
This section will help you determine which file system is appropriate in a
given situation. First, you should review the characteristics of the three file
systems that Windows 2000 supports.
FAT (File Allocation Table)
FAT was the standard file system in use throughout older operating systems.
Not only does Windows 2000 support it, but so do NT, DOS, Windows 95, and
Windows 98. In the first versions of DOS and the first release of Windows 95,
FAT was your only choice. With the advent of Windows 95b and Windows 98, however,
you were given the choice of using FAT or FAT32. With Windows NT, the choice
has traditionally been between FAT and NTFS. That means most machines today
use FAT as their only filing system, or at least have the choice of using it.
NOTE: Windows 95b (or OSR2) released a new version of FAT called
FAT32. Windows NT 4.0 was not compatible with FAT32 and offered no way to
convert a FAT32 partition to a FAT partition. Windows 2000 supports FAT32
and allows you to install on it as well as convert to it.
The advantages of using FAT in a Windows 2000 environment include the following:
Required file system for floppy disks
Compatible with DOS, Windows 95, and other operating systems
The following are disadvantages of using FAT in a Windows 2000 environment:
No security support
Poor support for volumes larger than 512MB
No support for disks larger than 4GB
Typically unable to format disks larger than 2GB
NOTE: Because FAT is limited to 65,535 clusters, it must
make the cluster sizes larger and larger for large volumes. The result is
that as the cluster sizes get larger, more disk space is wasted, because
FAT allocates a minimum of one full cluster to every file, even if the file
is only 5 bytes in size. The remainder of the cluster is wasted. As a
general rule, any disk larger than 400MB should be formatted with a file
system other than FAT so that the cluster size can be kept small.
The FAT file system is the appropriate choice for Windows 2000 Professional
workstations that need to dual-boot to older operating systems and for formatting
floppy disks.
FAT32
FAT32 was introduced with the release of Windows 95b and is the default file
system there and in Windows 98. It addressed several problems that cropped up
with FAT, namely:
FAT was limited to 512 entries in the root directory. All long filenames
used one entry for every 13 characters. FAT32 has no such limitation.
FAT could not support large hard drives and stopped formatting at 2GB. FAT32
supports large hard drives and goes beyond the 2GB limit.
In Windows 95b and subsequent releases, as well as in Windows 98, when a user
formats a drive, he is asked if he wants to enable large hard drive support.
Although it is not specifically spelled out, choosing Yes means you want to
use FAT32; choosing No means you want to use FAT. FAT32 is a good choice any
time a machine must be able to dual-boot between Windows 98 and Windows 2000
and read files on a drive regardless of the current operating system.
NTFS (NT File System)
Before Windows NT was released, it had become apparent to Microsoft that a new
filing system was needed to handle growing disk sizes, security concerns, and
the need for more stability. NTFS was created to address those issues. The following
sections discuss the major attributes and features of NTFS.
Transaction Tracking -- Although FAT was relatively stable if the systems
that were controlling it kept running, it didn't do so well when the power went
out or the system crashed unexpectedly. One of the benefits designed into NTFS
was a transaction tracking system. This made it possible for Windows NT to back
out of any disk operations that were in progress when Windows NT crashed or
lost power. This feature allows NTFS to be more resilient to problems than its
predecessor, FAT (and FAT32).
NOTE: Even NTFS is not crash proof. It's highly recommended that
you protect your computer with a UPS, if possible. NT even includes UPS monitoring
software as part of the base product.
Built-In Security -- Another feature built into NTFS, and one that FAT
didn't have, is support for security information. When FAT was designed back
in the early 80s, personal computers were just that: personal. The concept
of networking or sharing information between personal computers was unheard
of. Because no resources were shared, security wasn't too important. As the
PC industry evolved, it became necessary to secure files from other people,
both those using the PC directly and those coming in from across the network.
To handle this, layers of sharing security (such as the share-level security
in Windows for Workgroups) were added. In addition, special file encryption
programs were developed to encrypt data while it was stored on the hard disk.
Encryption is the process of taking a readable file and making it unreadable
by means of a process that can be reversed only with a special key. Still,
these were add-ons to an elderly (in PC terms) filing system, and they weren't
integrated. NTFS's security is flexible and built-in. Not only does NTFS track
security in Access Control Lists (ACLs), which can hold permissions for local
users and groups, but each entry in the Access Control List can specify which
type of access is given, from Read-Only to Change to Full Control, or anything
in between.
NOTE: Certain DOS-based programs will read NTFS volumes without
the limitations of security that you might have defined on the disk. However,
this requires physical access to the computer, as well as enough knowledge
to get one of these programs. For testing purposes, you should assume that
NTFS volumes cannot be seen from any other operating system.
Large Disk Support -- In addition to transaction tracking and security,
NTFS also improves support for larger disks. Because FAT was designed so long
ago, its support of large-size partitions (over 512MB) leaves a little to
be desired in terms of speed and efficient use of space. NTFS was designed
to handle volumes larger than 512MB without resorting to larger and larger
cluster sizes, as FAT does. When FAT allocates a file, it must allocate an
entire group of disk sectors, called a cluster. For FAT to support large volumes,
the cluster size must be made larger so that the file allocation table itself
can fit within 64KB. NTFS doesn't have a 64KB limitation for the way that
it tracks files. Although it still uses the concept of clusters, it does so
only to balance the size of the allocation map and the amount of wasted space
at the end of a file. Both FAT and NTFS allocate space for files in cluster
lengths. If a file is 1KB and the cluster size for the volume is 4KB, for
example, 3KB at the end of the file will be wasted because it will have been
marked in the allocation table as having been used.
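The cluster arithmetic from the NOTE on FAT's 65,535-cluster limit and from the Large Disk Support paragraph above, worked through in Python. This is an added example, not part of the original article; the 512-byte sector size, the power-of-two cluster sizes and the sample file sizes are assumptions made for illustration.

```python
FAT_MAX_CLUSTERS = 65_535   # cluster ceiling quoted in the article's NOTE
SECTOR = 512                # assumption: 512-byte sectors
KB, MB = 1024, 1024 * 1024


def fat_cluster_size(volume_bytes, max_clusters=FAT_MAX_CLUSTERS):
    """Smallest power-of-two cluster size that keeps the volume's cluster
    count at or below max_clusters."""
    size = SECTOR
    while volume_bytes > size * max_clusters:
        size *= 2
    return size


def allocated(file_bytes, cluster):
    """Bytes reserved on disk: space is handed out in whole clusters, so a
    non-empty file always occupies at least one."""
    return -(-file_bytes // cluster) * cluster   # ceiling division


def slack_report(file_sizes, cluster):
    """Return (data bytes, allocated bytes, wasted bytes) for a set of files."""
    data = sum(file_sizes)
    alloc = sum(allocated(s, cluster) for s in file_sizes)
    return data, alloc, alloc - data


# Constructed sample: 1,000 small files between 5 and 5,004 bytes (invented).
SAMPLE_FILES = [5 + (i * 37) % 5000 for i in range(1000)]

if __name__ == "__main__":
    # The same files cost more disk space as the FAT volume grows.
    for vol_mb in (100, 400, 1024, 2047):
        cluster = fat_cluster_size(vol_mb * MB)
        data, alloc, waste = slack_report(SAMPLE_FILES, cluster)
        print(f"{vol_mb:>5}MB volume: {cluster // KB:>2}KB clusters, "
              f"{alloc // KB:>6}KB allocated for {data // KB}KB of data "
              f"({waste / alloc:.0%} wasted)")
    # The article's own case: a 1KB file on a volume with 4KB clusters.
    wasted = slack_report([1 * KB], 4 * KB)[2]
    print(f"1KB file, 4KB cluster: {wasted // KB}KB wasted")
```

Under these assumptions a 400MB volume already needs 8KB clusters, and a volume just under 2GB needs 32KB clusters, so the article's 5-byte file reserves 32,768 bytes there.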
File-Level Compression -- One way to get around allocating a complete
cluster for every file with NTFS is to use the file-compression attribute
that was added with NT 3.51. This attribute allows NTFS to manage file compression
on a per-file basis, unlike FAT-based file compression schemes, which must
compress an entire part of the drive.
NOTE: File-based compression is infinitely superior to partition-based
compression, because you can compress files you don't frequently use and
leave those files you do frequently use uncompressed. This allows you to
control how much processor overhead you trade for disk space.
NOTE #2: Not all files can be compressed. In particular, some of
the NT boot files and the paging file cannot be compressed; they must always
remain uncompressed. NT will not allow you to set the Compress attribute
on these files.
NOTE #3: Using compression on files that are served by a file
server can dramatically increase the processor utilization of a server.
If you are running low on disk space, before you turn on compression, consider
the impact it will have on the processor.
To review, the following specific features make it desirable to implement NTFS
on a Windows 2000 workstation:
Transaction tracking
File-level security support
File-level compression support
Large volume support
The following table summarizes the three file systems.
Feature | FAT | FAT32 | NTFS (version 5)
--- | --- | --- | ---
Filename length | 225 | 225 | 225
Characters for disk label | 11 | 11 | 32
8.3 compatibility | Yes | Yes | Yes
Maximum files in root | 512 | No limit | No limit
Non-root directory partition size | 4GB | 2TB | 2EB
Local security | No | No | Yes
Transaction tracking | No | No | Yes
Hotfixing | No | No | Yes
Required for RISC-based | Yes | No | No
Accessible from DOS | Yes | Yes | No
Accessible from OS/2 | Yes | No | No
Case-sensitive | No | No | POSIX only
Case preserving | Yes | Yes | Yes
Compression | No | No | Yes
Convertible to another file system without data loss | To NTFS only | To NTFS only | No
Fragmentation level | High | High | Low
Supports EFS | No | No | Yes
Supports disk quotas | No | No | Yes
Extensible attributes | No | No | Yes
Converting from One File System to Another
During the installation of Windows 2000, you can choose whether to install the
operating system in a FAT, FAT32, NTFS, or unformatted partition. Immediately
after making your selection, you can choose to leave that file system intact
(except, of course, for an unformatted partition) or to change it to any other
format.
Anytime after the installation, the CONVERT.EXE utility allows you to convert
a FAT or FAT32 file system to NTFS without data loss. The syntax for this command
is as follows:
CONVERT {volume} /FS:NTFS [/V]
where the volume is the drive to be converted, and /V is used to invoke verbose
mode. Under all conditions, you must use the /FS parameter to specify the file
system, and the only accepted file system is NTFS.
So, for example, to convert the C drive to NTFS from FAT/FAT32, you would use
the following command:
CONVERT C: /FS:NTFS
Any other conversion you might want to perform requires you to back up your
data, format the volume with the new file system, and then restore the data.
This can be a touchy subject because other operating systems offer a utility
for converting FAT to FAT32 without data loss. Windows 2000 Professional includes
no such utility, however.
Stay Tuned...
Next week, we'll continue with this objective (specifically, configuring file
systems), then move on to objectives three and four. Until then, happy studying!
Emmett Dulaney is the author of several books on Linux, Unix and certification. He can be reached at eadulaney@anderson.edu.