120 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM In addition to providing users with access to multiple versions of their files, volume shadow copy also functions as an open file backup mechanism for the Windows Server 2003 Backup program. By default, Backup uses volume shadow copies of files that are locked open when performing backups. This enables the program to back up files that are in use by an application at the time the backup is performed. You can prevent Backup from using volume shadow copy during a particular backup job by selecting the Disable Volume Shadow Copy check box in the Advanced Backup Options dialog box (as shown in Figure 4-13). Ft04cr13 .bmp Figure 4-13 The Advanced Backup Options dialog box Backing Up and Restoring Active Directory Practice enabling volume shadow copy on your Windows Server 2003 computer by doing Exercise 4-3, “Enabling Volume Shadow Copies,” now. As mentioned earlier in this chapter, you can back up the Active Directory database on a Windows Server 2003 domain controller using the Backup program by select - ing the System State object as one of the backup targets. However, restoring Active Directory to a domain controller is not so simple. Before you can restore the Active Directory database from a System State backup, you must start the computer in Directory Services Restore Mode. You do this by pressing F8 as the system starts and selecting Directory Services Restore Mode from the Windows Advanced Options menu. This starts the computer with the Active Directory database closed, so that it is accessible to the Backup program and can be restored from a tape. NOTE Logging On When you restart the computer in Directory Services Restore Mode, you must log on as an Administrator by using a valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator’s name and password. This is because Active Directory is offline, and account verification cannot occur. The SAM accounts database is used to control access to Active Directory while Active Directory is offline. You specified this password when you set up Active Directory. Once the computer is started in Directory Services Restore Mode, you can run the Backup program and restore the System State object from your tape or other medium. The Windows Server 2003 Backup program supports two types of Active Directory restores: ■ Nonauthoritative restore The objects in the Active Directory database are restored exactly as they appear in the System State object, with their CHAPTER 4: BACKING UP AND RESTORING DATA 121 original update sequence numbers intact. Because these sequence numbers are the same values the objects had when the backup was per - formed, they are outdated, and the Active Directory replication process will overwrite the objects with the newer versions from other domain controllers. You use a nonauthoritative restore when you want to rebuild a domain controller that has been damaged with the latest Active Direc - tory information from your other domain controllers. Windows Server 2003 Backup performs nonauthoritative restores by default. ■ Authoritative restore The objects in the Active Directory database are restored with updated sequence numbers that prevent them from being overwritten during the next replication pass. You use an authoritative restore when you want to use a System State backup to recover Active Directory objects that have been accidentally deleted. To perform a nonauthoritative restore, you simply restore the System State object using the Backup program while in Directory Services Restore Mode. To perform an authoritative restore, you first perform a nonauthoritative restore, and then before restarting the computer, you use a command-line utility called Ndsutil.exe to mark specific Active Directory objects as authoritative. The Ntdsutil.exe utility can be found in the Systemroot\System32 folder. Marking objects as authoritative changes the update sequence number of an object so it is higher than any other update sequence number in the Active Directory replication system. This ensures that any replicated or distributed data that you have restored is properly replicated throughout your organization. When the restored domain controller is online and connected to the network, normal replication brings the restored domain controller up-to-date with any changes from the additional domain controllers that were not overridden by the authoritative restore. Replication also propagates the authoritatively restored object(s) to other domain controllers in the forest. The deleted objects that were marked as authoritative are replicated from the restored domain controller to the additional domain controllers. Because the objects that are restored have the same object properties, security remains intact and object dependencies are maintained. For example, suppose you back up the system on Monday and then create a new user called Jeff Smith on Tuesday, which replicates to other domain controllers in the domain. Then, on Wednesday, you accidentally delete Nancy Anderson’s user object. To authoritatively restore the Nancy Anderson user without reentering information and without losing the Jeff Smith account, you perform a nonauthori - tative restore of the domain controller with the backup created on Monday. Then, using Ntdsutil.exe, you mark Nancy Anderson’s user object as authoritative and restart the domain controller. The result is that Nancy Anderson’s object is restored without any effect on Jeff Smith. NOTE Exam Objectives The objectives for the 70-290 examination state that students should be able to “back up files and System State data to media.” 122 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM SUMMARY ■ A network backup solution consists of backup hardware, backup soft- ware, and a plan for using them. ■ When you evaluate backup hardware, higher speed and greater capacity nearly always mean higher price. ■ Magnetic tape is the most popular storage medium for backups because it is fast, inexpensive, and holds a lot of data. Tape drives are available in a variety of speeds, capacities, and price ranges to suit the needs of dif - ferent installations. ■ The primary function of the backup software is to enable the administra- tor to select the targets for backup and then send them to the tape drive or other device. ■ Incremental and differential backup jobs save tape by backing up only the files that have changed since the last backup, based on the status of each file’s archive bit. ■ A good backup software program enables you to schedule jobs to exe- cute at any time, and it maintains both a tape version and a hard disk ver- sion of a catalog of all of the files that have been backed up. ■ Network backup software enables you to back up data from computers anywhere on the network, and it might also provide optional features such as live database backups. ■ To back up the Windows registry, the Active Directory database, and other system resources, you must back up the System State object. ■ Volume shadow copy is a Window Server 2003 feature that enables users to access multiple copies of files that they have accidentally deleted or damaged. ■ When you restore the System State data in nonauthoritative mode, any component of the System State data that is replicated with another domain controller, such as the Active Directory database, is brought up- to-date by replication after you restore the data. ■ When you restore the System State data in authoritative mode, changes that were made since the last backup operation are not restored; the deleted objects are recovered and replicated. To perform an authoritative restore, you use the Ntdsutil.exe command-line utility. EXERCISES Exercise 4-1: Selecting Backup Targets In this exercise, you practice using the Backup program’s tree display to select backup targets. 1. Log on to Windows Server 2003 as Administrator. CHAPTER 4: BACKING UP AND RESTORING DATA 123 2. Click Start, point to All Programs, point to Accessories, point to System Tools, and click Backup. The Welcome To The Backup Or Restore Wizard page appears. 3. Click the Advanced Mode hyperlink. The Backup Utility window appears. 4. Select the Backup tab. 5. Expand the Local Disk (C:) object and select the check box for the Windows folder. 6. Select the System State check box. 7. From the Job menu, select Exit. Exercise 4-2: Incremental and Differential Backups 1. If you back up your network by performing a full backup every Wednes- day at 6 P.M. and differential backups in the evening on the other six days of the week, how many jobs would be needed to completely restore a computer with a hard drive that failed on a Tuesday at noon? 2. If you back up your network by performing a full backup every Wednes- day at 6 P.M., how many jobs would be needed if you performed incre- mental backups in the evening of the other six days of the week and a hard drive failed on a Tuesday at noon? 3. For a complete restore of a computer that failed at noon on Tuesday, how many jobs would be needed if you performed full backups at 6 A.M. every Wednesday and Saturday and incremental backups at 6 A.M. every other day? Exercise 4-3: Enabling Volume Shadow Copies In this exercise, you enable the volume shadow copy feature for your computer’s C: drive. 1. Log on to Windows Server 2003 as Administrator. 2. Click Start, point to All Programs, point to Accessories, and click Win- dows Explorer. The Windows Explorer window appears. 3. Expand the My Computer object in the scope pane, select Local Disk (C:), and from the File menu, select Properties. The Local Disk (C:) Properties dialog box appears. 4. Select the Shadow Copies tab, and then click Enable. The Enable Shadow Copies message box appears. 5. Read the warning message and click Yes. After a brief delay, the date and time appear in the Shadow Copies Of Selected Volume list, indicating that the system has created the first shadow copy. 124 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM REVIEW QUESTIONS 1. Why is it best to perform backups when the organization is closed? 2. Which of the following backup job types does not reset the archive bits on the files that it copies to the backup medium? (Choose all correct answers.) a. Full b. Incremental c. Differential d. Copy 3. Which of the following tape drive devices has the greatest capacity? a. LTO b. QIC c. DAT d. DLT 4. Which of the following is the criterion most commonly used to filter files for backup jobs? a. Filename b. File extension c. File attributes d. File size 5. How does an autochanger increase the overall storage capacity of a backup solution? 6. What are the three elements of the Grandfather-Father-Son media rotation system? a. Hard disk drives, CD-ROM drives, and magnetic tape drives b. Incremental, differential, and full backup jobs c. Monthly, weekly, and daily backup jobs d. QIC, DAT, and DLT tape drives 7. Network backup devices most commonly use which drive interface? a. IDE b. SCSI c. USB d. Parallel port 8. How does Windows Backup verify the data written to the backup medium? 9. When you restart the computer in Directory Services Restore Mode, what logon must you use? Why? CHAPTER 4: BACKING UP AND RESTORING DATA 125 CASE SCENARIO You are designing a backup solution for your company network. To make it easier to back up valuable company data, you have supplied each of the network’s 125 users with a home folder on a shared server drive and have instructed the users to store all their data files in their home folder. You have also created disk quotas granting each user a maximum of 1 GB of storage space. Because of this arrangement, you will be backing up only the network servers, not user workstations. In addition to the file servers hosting the users’ home folders, there are also six Web servers, each with a 40-GB drive containing the home page files, a database server with an 80-GB drive hosting approximately 10 GB of data - base files, and an e-mail server with 25 GB of mail archives. Based on this information, answer the following questions: 1. What is the approximate total amount of regularly changing data that you might have to back up each day? a. 60 GB b. 160 GB c. 360 GB d. 480 GB 2. Assuming that you decide to perform a weekly full backup and daily incremental backups, approximately how much data from the six Web servers can you expect to find on each incremental backup tape? Explain your answer. 3. Based on the information shown earlier in Table 4-1, which type of mag- netic tape drive would best be suited for this network, assuming that you want to use only a single tape for your daily incremental backups? a. DLT b. 8 mm c. QIC d. DAT CHAPTER 5 MAINTAINING THE OPERATING SYSTEM 127 CHAPTER 5 MAINTAINING THE OPERATING SYSTEM All viable software products are in a constant state of development, and the man- ufacturers periodically release updates and upgrades. Operating systems are no exception, and it is important to keep your Microsoft Windows Server 2003 systems up to date. Updating a single computer is a simple task, but updating a large fleet of computers in a timely and efficient fashion is much more complicated. In this chapter, you learn about the types of operating system updates that Microsoft releases, and about some of the methods you can use to apply those updates. Upon completion of this chapter, you will be able to: ■ Understand the difference between service packs and hotfixes ■ Deploy service packs using Windows Update, Automatic Updates, and group policies ■ Integrate service packs and hotfixes into a Windows Server 2003 operating system installation ■ Use Microsoft Baseline Security Analyzer ■ Install and configure a Microsoft Software Update Services server ■ Understand Per Server and Per Device or Per User licensing modes ■ Configure licenses using the Choose Licensing Mode tool in Control Panel and the Licensing administrative tool ■ Create license groups 128 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM WINDOWS OPERATING SYSTEM UPDATES At one time, updating software was a relatively simple matter. If a problem arose in an application or operating system, the manufacturer released an update in the form of a patch that users applied to their computers. An update is a minor revision to a software product that is usually intended to address specific performance issues rather than add new features. When it came time to produce the next version of the software, the manufacturer incorporated all of the patches into an upgrade release. An upgrade is a major revision that might include new features as well as all of the existing patches for the previous version of the product. NOTE Exam Objectives The objectives for the 70-290 exam require students to be able to “manage [a] software update infrastructure.” As software products grew more complex, the number of programming problems tended to increase as well, and so did the number of patches. Some products, par - ticularly operating systems, could have dozens of patch releases between upgrades. Updating applications and operating systems therefore became increasingly prob - lematic for several reasons, including the following: ■ Number of patches When there are a large number of patches for a software product, it becomes difficult to keep track of which patches have been applied and which versions of the product files are being used in a particular installation. ■ Patching order When patches are applied in different orders, the resulting software configurations can be different, particularly if a product has multiple patches containing different versions of the same files. The result of these problems is a nightmare for technical support people trying to troubleshoot an installation of the software. Determining which patches have been applied and the order in which they were applied is the only way to ascertain what versions of the program files are actually in use. Service Packs When faced with the hundreds of patches required for its modern operating sys- tems, Microsoft eventually chose to use a different method of releasing its updates. Instead of many small patch releases, Microsoft creates larger interim releases called service packs. A service pack is a collection of patches and other updates that are tested and packaged as a single unit. A single installation program applies all of the updates at once, producing a consistent software configuration on every computer to which the service pack is applied. Service packs simplify the update process for everyone involved. For Microsoft, releasing updates in a service pack means that it can test the entire package as a whole rather than having to test many different patch combinations. For system administrators and end users, the installation process is reduced to running a single program rather than performing many separate patch installations. For technical support personnel, the troubleshooting process is simplified because they do not have to deal with large numbers of patch releases that might have been installed in CHAPTER 5: MAINTAINING THE OPERATING SYSTEM 129 any order. It is easy to determine what service packs have been installed on a Win- dows 2000, Windows XP, or Windows Server 2003 computer by looking at the General tab in the System Properties dialog box (as shown in Figure 5-1). FT05cr01 Figure 5-1 The System Properties dialog box Microsoft service pack releases are cumulative, meaning that every service pack for a particular product contains all of the updates since the last major release of the product, including all previous service packs. Therefore, when you perform a new installation of a Windows operating system or other Microsoft product, you only have to apply the most recent service pack. Service Pack Releases Microsoft releases operating system service packs in three forms: ■ CD-ROM Service packs are available on CD-ROM directly from Microsoft for a nominal fee. The CD contains the service pack installation files and an installation program called Update.exe. The disk also con - tains the service pack documentation, deployment tools, and updated support tools, which aren’t included as part of a downloaded installation. ■ Express download The express download consists only of the few files needed to begin the service pack download process. When you run the installation program, the software examines your system, accesses the Microsoft Web site, and downloads the files needed to complete the update. Because the installation program checks to see what service packs are already installed on the computer, it can download only the files it needs, which can significantly reduce the size of the download. To run an express installation, the computer must have access to the Internet. ■ Network download The network download option consists of the entire service pack in the form of a single executable archive file. It is intended for network administrators who have to deploy the service pack on large fleets of computers. Once you perform the initial download, you can launch the executable to install the service pack on any computer running the operating system. No additional Internet access is needed. However, because this version contains all of the service pack files, the download can be extremely large, often 100 MB or more. [...]... Updates Although you can always access the Windows Update Web site manually, using Internet Explorer, it is also possible to configure Windows Server 2003 to automatically download and install software updates as they become available This feature is CHAPTER 5: MAINTAINING THE OPERATING SYSTEM called Automatic Updates, and it is available in Windows Server 2003, Windows XP with Service Pack 1 installed,... ■ File Locations Each Windows Update patch consists of two components: the patch file itself and metadata that specifies the platforms and languages to which the patch applies SUS always downloads the metadata, which you use to approve updates and which clients on your intranet retrieve from the SUS server You can choose whether to download 143 144 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM... displays statistics that reflect the number of updates available for each platform, and the date and time of the most recent update The information is summarized from the Windows Update metadata that is downloaded during each synchronization Metadata information is written to disk and stored in memory to improve performance as systems request platform-appropriate updates You can also monitor SUS and Automatic... folder, and the service pack files will be installed at the same time Using Group Policies Another method of automating service pack installations is to use the combination of Windows Installer and the Software Installation policy in a GPO Windows Installer is a program that installs software that has been saved as a Windows Installer Package file with an msi extension Service pack releases include a Windows. .. Automatic Updates by doing Exercise 5-2, “Configuring Automatic Updates,” now ■ MANAGING AND MAINTAINING THE OPERATING SYSTEM balloon in the taskbar tray The administrator can then select the updates to install from a list of those downloaded Automatically Download The Updates, And Install Them On The Schedule That I Specify The computer downloads updates from the Windows Update site as they become available,... Windows Server 2003 or any of the Windows operating systems, but it is available as a free download from Microsoft s Web site at http:// www .microsoft. com/windowsserversystems/SUS/default.mspx MORE INFO As mentioned earlier in this chapter, having users download and install their own operating system updates using the Windows Update Web site can be a waste of time and bandwidth SUS is essentially an... become available, using BITS, and installs them at a specific time each day or each week If an administrator is logged on at the scheduled time, a countdown message appears prior to the installation, and the administrator has the option to delay the installation until the next scheduled time If a nonadministrator is logged on, a warning dialog box appears, but the user cannot delay the installation If... is available, its date and size, and the setup parameters that the update will use when it is installed on a client computer The Update Details page also contains a link to the Knowledge Base article (on Microsoft s support Web site) associated with the update and a link to the update executable itself so administrators can access the updates for testing purposes Figure 5-11 The SUS Update Details page... Automatic Updates Once the SUS server is installed and operational, the next step is to configure the clients to make use of it Earlier in this chapter, you learned about the Automatic Updates feature available in Windows Server 2003, Windows XP, and Windows 2000 By default, Automatic Updates downloads the update files from the Windows Update Web site, but you can also configure this client to obtain... network traffic) After clients have downloaded the approved updates from the SUS server, they are installed and configured—manually or automatically— at the scheduled time If an approved update is later unapproved by an administrator, that update is not uninstalled, but it will not be installed by any additional clients Updates installed through SUS can be uninstalled manually, however, using Add Or Remove . Exam Objectives The objectives for the 70- 290 examination state that students should be able to “back up files and System State data to media.” 122 PART 1: MANAGING AND MAINTAINING THE OPERATING. configure Windows Server 2003 to automati - cally download and install software updates as they become available. This feature is CHAPTER 5: MAINTAINING THE OPERATING SYSTEM 135 called Automatic Updates,. groups 128 PART 1: MANAGING AND MAINTAINING THE OPERATING SYSTEM WINDOWS OPERATING SYSTEM UPDATES At one time, updating software was a relatively simple matter. If a problem arose in an application