NMA Practicals

The document provides instructions for using common TCP/IP commands like ping, traceroute, ipconfig, arp, tcpdump, host, netstat, and FTP. It explains that ping checks connection status, traceroute shows the network path between computers, ipconfig displays IP configuration, arp resolves IP to MAC addresses, tcpdump captures packet data, host performs DNS lookups, netstat displays network protocol statistics, and FTP transfers files between systems. Basic syntax and examples are provided for each command.

Uploaded by TG Darbar

Practical 1

Execution of Basic TCP/IP utilities and commands.


1.1. Ping Command

Ping is a command which tells you if the connection between your computer and a particular domain is working correctly.

In Windows:

- Select Start > Programs > Accessories > Command Prompt.
- Enter the word ping, followed by a space, then the domain name.

If the results show a series of replies, the connection is working. The time shows you how fast the connection is. If you see a "timed out" error instead of a reply, there is a breakdown somewhere between your computer and the domain. In this case the next step is to perform a traceroute.

1.2. Traceroute Command

Traceroute is a command which can show you the path a packet of information takes from your computer to one you specify. It will list all the routers it passes through until it reaches its destination, or fails to and is discarded. In addition to this, it will tell you how long each 'hop' from router to router takes.

In Windows:

- Select Start > Programs > Accessories > Command Prompt. This will give you a window like the one below.
- Enter the word tracert, followed by a space, then the domain name.

C:\>tracert 11.1.0.1

Tracing route to 11.1.0.1 over a maximum of 30 hops

1 2 ms 3 ms 2 ms 157.54.48.1
2 75 ms 83 ms 88 ms 11.1.0.67
3 73 ms 79 ms 93 ms 11.1.0.1

Trace complete.

1.3. Ipconfig Command

Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays the IP address, subnet mask, and default gateway for all adapters.

ipconfig                                            Show information
ipconfig /all                                       Show detailed information
ipconfig /renew EL*                                 Renew any connection whose name starts with EL
ipconfig /release *Con*                             Release all matching connections, e.g. "Local Area Connection 1" or "Local Area Connection 2"
ipconfig /setclassid "Local Area Connection" TEST   Set the DHCP class ID for the named adapter to TEST
Example

> ipconfig

Ethernet adapter Local Area Connection:


Connection-specific DNS Suffix . : hsd1.ut.comcast.net.
IP Address. . . . . . . . . . . . : 192.168.201.245
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.201.1

1.4. ARP Command

ARP converts an address to its corresponding physical network address. ARP is a low-level network protocol, operating at Layer 2 of the OSI model.

ARP resolves IP addresses used by TCP/IP-based software to media access control addresses used by LAN hardware. ARP provides the following protocol services to hosts located on the same physical network:

- Media access control addresses are obtained by using a network broadcast request in the form of the question "What is the media access control address for a device that is configured with the enclosed IP address?"
- When an ARP request is answered, both the sender of the ARP reply and the original ARP requester record each other's IP address and media access control address as an entry in a local table called the ARP cache for future reference.

To view the Address Resolution Protocol (ARP) cache:

1. Open Command Prompt.
2. At the command prompt, type arp -a.

For example, if you recently used the ping command to test and verify connectivity from this computer to a host computer at IP address 10.0.0.99, the ARP cache displays the following entry:

Interface: 10.0.0.1 on Interface 0x1
  Internet Address      Physical Address      Type
  10.0.0.99             00-e0-98-00-7c-dc     dynamic

In this example, the cache entry indicates that the remote host computer at 10.0.0.99 resolved to a media access control address of 00-e0-98-00-7c-dc assigned in the network adapter hardware of the remote computer. The media access control address is the address that your computer used to physically communicate with this remote TCP/IP host on your network.

This cache contains the following two types of entries:

- Dynamic ARP cache entries

These entries are added and deleted automatically during normal use of TCP/IP sessions with remote computers. Dynamic entries age and expire from the cache if not reused within 2 minutes. If a dynamic entry is reused within 2 minutes, it may remain in the cache and age up to a maximum cache life of 10 minutes before being removed or requiring cache renewal by using the ARP broadcast process.

- Static ARP cache entries

These entries are added manually by using the arp command with the -s option. Static entries remain in the ARP cache until either the computer is restarted or the interface is reinitiated. Examples of some of the events that cause an interface to be reinitiated are:

- The interface is Disabled, and then Enabled.
- The Repair feature is used.
- The commands ipconfig /release and ipconfig /renew are given.
- The computer awakes from a suspend or hibernation state.
- You removed and replugged a network cable or moved a computer out of and back into wireless range.

ARP cache entries can be deleted manually by using the arp command with the -d option.

Example: arp -d 192.168.0.1

Removes ARP mappings for 192.168.0.1 on all interfaces.
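Because dynamic entries are overwritten by whatever reply arrives, the cache is also where a poisoned IP-to-MAC mapping first becomes visible. The following Python script is an added example, not part of the practical: it parses the 'arp -a' layout shown above and compares it with a trusted baseline; the sample output (apart from the 10.0.0.99 entry), the baseline and the extra addresses are constructed for illustration.

```python
"""Parse the Windows 'arp -a' cache layout and flag suspicious entries."""
import re
from collections import defaultdict

# Constructed sample in the layout printed by Windows 'arp -a' (as above).
# The 10.0.0.99 entry is the lab's own; the others are made up so that one
# MAC answers for both the gateway (.254) and an ordinary host (.7).
SAMPLE_ARP_OUTPUT = """\
Interface: 10.0.0.1 on Interface 0x1
  Internet Address      Physical Address      Type
  10.0.0.99             00-e0-98-00-7c-dc     dynamic
  10.0.0.254            00-11-22-33-44-99     dynamic
  10.0.0.7              00-11-22-33-44-99     dynamic
  10.0.0.9              aa-bb-cc-dd-ee-ff     static
"""

# Hypothetical trusted baseline, e.g. recorded with 'arp -a' on a known-good
# day or copied from the switch's MAC address table.
BASELINE = {
    "10.0.0.254": "00-11-22-33-44-55",   # default gateway
    "10.0.0.99": "00-e0-98-00-7c-dc",
}

IFACE_RE = re.compile(r"^Interface:\s*(\S+)")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"          # Internet Address
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"  # Physical Address
    r"(dynamic|static)\s*$"                       # Type
)


def parse_arp_cache(text):
    """Return (interface_ip, ip, mac, type) tuples from 'arp -a' output.

    The column header line does not match ENTRY_RE and is skipped.
    """
    entries = []
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and iface is not None:
            ip, mac, kind = m.groups()
            entries.append((iface, ip, mac.lower(), kind))
    return entries


def find_anomalies(entries, baseline):
    """Return human-readable findings for two classic poisoning symptoms:

    1. a baseline IP (typically the gateway) now resolves to a different MAC;
    2. one MAC is claimed by several IPs, which is what a poisoned cache
       usually looks like from the affected host.
    Dynamic entries age out within minutes (see above), so run this right
    after the ping or traceroute that populated the cache.
    """
    findings = []
    by_mac = defaultdict(set)
    for _iface, ip, mac, _kind in entries:
        by_mac[mac].add(ip)
        expected = baseline.get(ip)
        if expected is not None and expected.lower() != mac:
            findings.append(f"{ip}: MAC changed from {expected} to {mac}")
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} claimed by {len(ips)} IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_arp_cache(SAMPLE_ARP_OUTPUT), BASELINE):
        print("WARNING:", finding)
```

A static entry added with arp -s (see above) is one way to pin the gateway mapping on a single host while the cause is investigated.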

1.5. tcpdump Command

tcpdump is a powerful and widely used command-line packet sniffer and packet analyzer. It captures or filters the TCP/IP packets received or transmitted over a network on a specific interface.

- tcpdump works at the network layer. A network packet header consists of sender, destination, state information and other flag information.
- By default tcpdump only captures the first 96 bytes of data from each packet.
- To print all packets arriving at or departing from sundown:

tcpdump host sundown

- To print all IP packets between ace and any host except helios:

tcpdump ip host ace and not helios

HOST Command

host is a simple utility for performing DNS lookups. It is normally used to convert
names to IP addresses and vice versa. When no arguments or options are given,
host prints a short summary of its command line arguments and options.

Example

host 123456789.co.in

Output

123456789.co.in has address 69.65.102.222

Netstat Command

The netstat command is used to display the TCP/IP network protocol statistics and information.

Example

netstat

Output

Proto  Local Address  Foreign Address               State
TCP    hope:4409      www.computerhope.com:telnet   ESTABLISHED
TCP    hope:3708      multicity.com:80              CLOSE_WAIT
TCP    hope:4750      www.google.com:80             CLOSE_WAIT

FTP

To start an FTP interactive session type "ftp" from a DOS Command window.

C:\> ftp

The DOS prompt should be replaced with the FTP prompt. The FTP program is now running on the local system. A connection (or session) to a remote system has not been established. The help command or ? (question mark) may be executed without being attached to a remote system and will print (usually to the screen) the FTP commands. The following is an example of an FTP command to display the FTP help information.

ftp> help

The following is a typical result of the help command running on a PC with Windows.

Commands may be abbreviated. Commands are:

!        delete      literal     prompt      send
?        debug       ls          put         status
append   dir         mdelete     pwd         trace
ascii    disconnect  mdir        quit        type
bell     get         mget        quote       user
binary   glob        mkdir       recv        verbose
bye      hash        mls         remotehelp
cd       help        mput        rename
close    lcd         open        rmdir
ftp>

The following FTP command will perform the FTP OPEN (make the connection) and display the following messages.

ftp> open domain.name
Connected to domain.name
220 antigonous FTP server ready.
User (domain.name:(none)): User-Name
331 Password required for user-name
Password: password
230 User user-name logged in.
ftp>

The following FTP command will change the directory on the remote system and display the following message.

ftp> cd /web
250 CWD command successful.
ftp>

The following FTP command will find out the pathname of the current directory on the remote system and display the information.

ftp> pwd
257 "/web" is the current directory.
ftp>
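The reply codes in the dialogue above (220, 331, 230, 250, 257) follow the three-digit format of RFC 959. The following Python code is an added example, not from the practical: it parses FTP control-channel replies, including the multi-line "220-" form a real server may send, and replays a constructed server transcript with the same codes as the session shown, flagging any reply that deviates. The user name and password in the transcript are placeholders.

```python
"""Parse FTP control-channel replies and replay the login dialogue above."""
import re

# Constructed server replies, paired with the command that triggered them,
# in the order the lab issues them.  The greeting is written in multi-line
# form ("220-" ... "220 ") to exercise the continuation rule of RFC 959.
SESSION = [
    (None,            "220-antigonous FTP server\r\n220 ready.\r\n"),
    ("USER username", "331 Password required for username\r\n"),
    ("PASS secret",   "230 User username logged in.\r\n"),
    ("CWD /web",      "250 CWD command successful.\r\n"),
    ("PWD",           '257 "/web" is the current directory.\r\n'),
]
EXPECTED_CODES = ["220", "331", "230", "250", "257"]

# First digit of a reply code gives its class (RFC 959 section 4.2).
REPLY_CLASS = {"1": "preliminary", "2": "completion", "3": "intermediate",
               "4": "transient-error", "5": "permanent-error"}

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(raw):
    """Parse one FTP reply (possibly multi-line) into (code, [text lines]).

    Raises ValueError on a malformed reply so a client never acts on junk.
    """
    lines = raw.rstrip("\r\n").split("\r\n")
    m = REPLY_RE.match(lines[0])
    if not m:
        raise ValueError(f"malformed reply: {lines[0]!r}")
    code, sep, text = m.groups()
    texts = [text]
    if sep == "-":                       # multi-line: ends with "<code> <text>"
        for line in lines[1:]:
            texts.append(line)
            if line.startswith(code + " "):
                break
        else:
            raise ValueError(f"unterminated multi-line reply {code}")
    return code, texts


def pwd_path(code, texts):
    """Extract the quoted path from a 257 reply; doubled quotes are unescaped."""
    if code != "257":
        return None
    m = re.match(r'"((?:[^"]|"")*)"', texts[-1])
    return m.group(1).replace('""', '"') if m else None


def run_session(session, expected):
    """Replay the dialogue; return (all_ok, [(command, code, verdict), ...]).

    Stops at the first 4xx/5xx reply, as an interactive client would.
    """
    log, all_ok = [], True
    for (cmd, raw), want in zip(session, expected):
        code, _texts = parse_reply(raw)
        verdict = "ok" if code == want else f"unexpected {code} ({REPLY_CLASS[code[0]]})"
        all_ok = all_ok and code == want
        log.append((cmd, code, verdict))
        if code[0] in "45":
            break
    return all_ok, log


if __name__ == "__main__":
    good, steps = run_session(SESSION, EXPECTED_CODES)
    for cmd, code, verdict in steps:
        print(f"{cmd or '<connect>':16} -> {code} {verdict}")
    print("dialogue", "matched" if good else "did NOT match", "the lab transcript")
```

Note that USER and PASS travel in clear text on the control channel, so a tcpdump capture (section 1.5) of this session contains the password; SFTP or FTPS avoids this.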

An FTP Command List

The following is a summary of the commonly used FTP commands.

Command   Description

!         Preceding a command with the exclamation point will cause the command to execute on the local system instead of the remote system.
?         Request assistance or information about the FTP commands. This command does not require a connection to a remote system.
ascii     Set the file transfer mode to ASCII (Note: this is the default mode for most FTP programs).
bell      Turns bell mode on / off. This command does not require a connection to a remote system.
binary    Set the file transfer mode to binary (Note: the binary mode transfers all eight bits per byte and must be used to transfer non-ASCII files).
bye       Exit the FTP environment (same as quit). This command does not require a connection to a remote system.
cd        Change directory on the remote system.
close     Terminate a session with another system.
debug     Sets debugging on/off. This command does not require a connection to a remote system.
delete    Delete (remove) a file in the current remote directory (same as rm in UNIX).
dir       Lists the contents of the remote directory. The asterisk (*) and the question mark (?) may be used as wild cards.
get       get RemoteName LocalName: copy a file from the remote system to the local system.
help      Request a list of all available FTP commands. This command does not require a connection to a remote system.
lcd       Change directory on your local system (same as CD in UNIX).
ls        List the names of the files in the current remote directory.
mget      Copy multiple files from the remote system to the local system. Note: You will be prompted for a "y/n" response before copying each file.
mkdir     Make a new directory within the current remote directory.
mput      Copy multiple files from the local system to the remote system. (Note: You will be prompted for a "y/n" response before copying each file).
open      Open a connection with another system.
put       Copy a file from the local system to the remote system.
pwd       Find out the pathname of the current directory on the remote system.
quit      Exit the FTP environment (same as "bye"). This command does not require a connection to a remote system.
rmdir     Remove (delete) a directory in the current remote directory.
trace     Toggles packet tracing. This command does not require a connection to a remote system.

Telnet Command

The telnet commands allow you to communicate with a remote computer that is using the Telnet protocol. You can run telnet without parameters in order to enter the telnet context, indicated by the Telnet prompt (telnet>). From the Telnet prompt, use the following commands to manage a computer running Telnet Client.

The tlntadmn commands allow you to remotely manage a computer running Telnet Server. These commands are run from the command prompt. Used without parameters, tlntadmn displays local server settings.

To use telnet commands at the Telnet prompt
To start Telnet Client and to enter the Telnet prompt

How to Install Telnet in Windows

If you would like to use the Telnet command from the DOS (command) prompt, follow these steps to re-enable the Telnet client on your Windows machine:

1. Go to Control Panel -> Programs and Features.
2. Click Turn Windows Features on or off.
3. Enable Telnet Client and click OK.

That's it. Open the command prompt and type telnet to make sure it works; for example, you could try to verify an email address. Alternatively, you may download the PuTTY SSH utility, which can also be used as a Telnet client for Windows.

EXAMPLE

telnet mymail.com
Practical 2
Configure a router
Create a topology as given in following image

Click inside the Router and select CLI and press Enter to get started. Setup mode start automatically if
there is no startup configuration present. The answer inside the square brackets [ ], is the default
answer. If this is the answer you want, just press enter. Pressing CTRL+C at any time will end the setup
process, shut down all interfaces, and take you to user mode (Router>).

You cannot use setup mode to configure an entire router. It does only the basics. For example, you can only
turn on either RIPv1 or Interior Gateway Routing Protocol (IGRP), but not Open Shortest Path First Protocol
(OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP). You cannot create access control lists (ACL)
here or enable Network Address Translation (NAT). You can assign an IP address to an interface, but not to a
subinterface. All in all, setup mode is very limiting.
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]:

Type no and press Enter to get the router prompt.


You are now connected to Router and are in user mode prompt. The prompt is broken down into two parts, the
hostname and the mode. "Router" is the Router0's hostname and ">" means you are in user mode.
Press RETURN to get started
Router>

User mode is indicated by the '>' next to the router name. In this mode you can look at settings but cannot make changes.
Privileged mode is indicated by the '#'; in this mode you can do anything. To get into privileged mode the keyword is enable.
Next, type the command enable to get to the privileged mode prompt.
Router>enable
Router#

To get back to the user mode, simply type disable. From the user mode type logout or exit to leave the
router.
Router#disable
Router>
Router>exit
Router con0 is now available
Press RETURN to get started

Press Enter to get back to the router prompt.


Router>

You are now in User mode. Type ? to view all the available commands at this prompt.
Router>?

From privileged mode you can enter configuration mode by typing configure terminal. To exit configuration mode, type exit or press <CTRL>+Z.
Router>enable
Router#config terminal
Router(config)#exit
Router#
To view all commands available from this mode, type ? and press Enter. This will give you the list of all available commands for the router in your current mode. You can also use the question mark after you have started typing a command. For example, if you want to use a show command but you do not remember which one to use, 'show ?' will output all commands that you can use with the show command.

Router#show ?
  access-expression   List access expression
  access-lists        List access lists
  backup              Backup status
  cdp                 CDP information
  clock               Display the system clock
  cls                 DLC user information
  compress            Show compression statistics
  configuration       Contents of Non-Volatile memory
  --More--
Basic Global Configuration Mode Commands

Configuring a Router Name

This command works on both routers and switches.

Router(config)#hostname Lucknow
Lucknow(config)#

You could choose any descriptive name for your Cisco devices.
Configuring Passwords
This command works on both routers and switches

Router(config)#enable password test          Sets enable password to test
Router(config)#enable secret vinita          Sets enable secret password to vinita
Router(config)#line console 0                Enters console line mode
Router(config-line)#password console         Sets console line mode password to console
Router(config-line)#login                    Enables password checking at login
Router(config)#line vty 0 4                  Enters vty line mode for all five vty lines
Router(config-line)#password telnet          Sets vty password to telnet
Router(config-line)#login                    Enables password checking at login
Router(config)#line aux 0                    Enters auxiliary line mode
Router(config-line)#password aux             Sets auxiliary line mode password to aux
Router(config-line)#login                    Enables password checking at login


CAUTION: The enable secret password is encrypted by default. The enable password is not. For this reason,
recommended practice is that you never use the enable password command. Use only the enable secret
password command in a router or switch configuration.
You cannot set both enable secret password and enable password to the same password. Doing so defeats
the use of encryption.
Configuring a Fast Ethernet Interface
Router(config)#interface fastethernet 0/0 Moves to Fast Ethernet 0/0 interface configuration mode

Router(config-if)#description Student Lab LAN Optional descriptor of the link is locally significant

Router(config-if)#ip address 192.168.20.1 255.255.255.0 Assigns address and subnet mask to interface

Router(config-if)#no shutdown Turns interface on

Creating a Message of the Day Banner

Router(config)#banner motd # Next schedule meeting with manager is postponed #
Router(config)#

The MOTD banner is displayed on all terminals and is useful for sending messages that affect all users. Use the no banner motd command to disable the MOTD banner. The MOTD banner displays before the login prompt and the login banner, if one has been created.

Creating a Login Banner

Router(config)#banner login # Unauthorized access is prohibited !
Please enter your username and password. #
Router(config)#

The login banner displays before the username and password login prompts. Use the no banner login command to disable the login banner. The MOTD banner displays before the login banner.
# is known as a delimiting character. The delimiting character must surround the banner and login message and can be any character so long as it is not a character used within the body of the message.
Assigning a Local Host Name to an IP Address

Router(config)#ip host Lucknow 172.16.1.1

Assigns a host name to the IP address. After this assignment, you can use the host name rather than an IP address when trying to Telnet or ping to that address.

The no ip domain-lookup Command

Router(config)#no ip domain-lookup
Router(config)#

Turns off trying to automatically resolve an unrecognized command to a local host name.
Ever typed in a command incorrectly and been left waiting a minute or two as the router tries to translate your command via a domain server at 255.255.255.255? The router is set by default to try to resolve any word that is not a command to a Domain Name System (DNS) server at address 255.255.255.255. If you are not going to set up DNS, turn off this feature to save time as you type, especially if you are a poor typist.

The logging synchronous Command

Router(config)#line console 0
Router(config-line)#exec-timeout 0 0
Router(config-line)#

Sets the time limit after which the console automatically logs off. Set to 0 0 (minutes seconds), the console never logs off.
The command exec-timeout 0 0 is convenient in a lab environment because the console never logs out, but this is considered bad security and is dangerous in the real world. The default for the exec-timeout command is 10 minutes and zero (0) seconds (exec-timeout 10 0).
Saving and erasing configurations
Router(config)#exit Bring you back in Privilege exec mode

Router#copy running-config startup-config Saves the running configuration to local NVRAM

Router#copy running-config tftp Saves the running configuration remotely to a TFTP server

Router#erase startup-config Deletes the startup configuration file from NVRAM

Configuration Example: Basic Router Configuration


Click inside the Router and select CLI and press Enter to get started.
--- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]: no

Press RETURN to get started!

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#description Student Lab LAN
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#banner motd # Next schedule meeting with manager is postponed #
R1(config)#banner login # Unauthorized access is prohibited !
Enter your user name and password #
R1(config)#ip host Lucknow 172.16.1.1
R1(config)#no ip domain-lookup
R1(config)#line console 0
R1(config-line)#exec-timeout 0 0
R1(config-line)#logging synchronous
R1(config-line)#password console
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password telnet
R1(config-line)#login
R1(config-line)#exit
% Unrecognized command
R1(config)#enable password test
R1(config)#enable secret vinita
R1(config)#exit
%SYS-5-CONFIG_I: Configured from console by console
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#
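The CAUTION on enable password and the note on exec-timeout 0 0 describe settings that should not survive into a production configuration. The following Python script is an added example, not part of the practical and not a Cisco tool: it audits a constructed running-config modelled on the R1 example above for exactly those settings, plus vty lines that still accept Telnet, and checks that a hardened version of the same config passes. The secret hash and type 7 values in it are placeholders.

```python
"""Audit an IOS running-config for the weak settings this practical warns about."""
import re

# Constructed 'show running-config' text mirroring the lab's R1 (IOS prints
# 'line con 0' for 'line console 0').  Hash value is a placeholder.
LAB_CONFIG = """\
hostname R1
enable secret 5 $1$PLACEHOLDER$hashofvinita
enable password test
no ip domain-lookup
ip host Lucknow 172.16.1.1
interface FastEthernet0/0
 description Student Lab LAN
 ip address 192.168.20.1 255.255.255.0
line con 0
 exec-timeout 0 0
 password console
 logging synchronous
 login
line vty 0 4
 password telnet
 login
end
"""

# The same device with the lab's own recommendations applied: no 'enable
# password', default exec-timeout, line passwords obfuscated by 'service
# password-encryption' (type 7, reversible; 'enable secret' stays the real
# barrier) and SSH only on the vty lines (SSH also needs a domain name, an
# RSA key and a local user, which are out of scope here).
HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashofvinita
no ip domain-lookup
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
line con 0
 exec-timeout 10 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 exec-timeout 10 0
 password 7 PLACEHOLDER
 login
 transport input ssh
end
"""


def parse_sections(config):
    """Split IOS config into (global_lines, {section_header: [body lines]}).

    A section is a non-indented line followed by its indented sub-commands.
    """
    globals_, sections, current = [], {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() in ("!", "end"):
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections[current] = []
            globals_.append(current)
    return globals_, sections


def audit_config(config):
    """Return a sorted list of finding strings; an empty list means clean."""
    globals_, sections = parse_sections(config)
    findings = []
    if any(g.startswith("enable password ") for g in globals_):
        findings.append("global: plaintext 'enable password' set; use only 'enable secret'")
    if "service password-encryption" not in globals_:
        findings.append("global: 'service password-encryption' missing; line passwords stored in clear")
    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        if "exec-timeout 0 0" in body:
            findings.append(f"{header}: exec-timeout 0 0 never logs the session out")
        if header.startswith("line vty") and not any(b.startswith("transport input ssh") for b in body):
            findings.append(f"{header}: accepts Telnet (no 'transport input ssh')")
        # 'password <word>' with no type marker is a clear-text line password.
        if any(re.match(r"password \S+$", b) for b in body) and "login" in body:
            findings.append(f"{header}: line password stored unencrypted")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```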
Practical 3
Configure VPN components and Set-up VPN.
VPN creates a tunnel, and all your network and online activity travels through it. From the point of
view of someone else sniffing around on the same network, your activity is hidden because it is
inside that tunnel. Furthermore, all your data is encrypted, giving you another level of security.

Setting up Public VPN access under Windows 7 is simple. The following instructions go step-by-step through the creation process.
There are two types of VPN connections: incoming and outgoing. An outgoing session means the
user is using the computer to remotely connect to some other network or machine, as may happen
when the user is accessing a work computer. If you have a wireless router at home that supports
VPN, you can set up an outgoing connection from your laptop to connect to the router and get access
to your media server, your home computer, and other devices on your home network remotely.
An incoming session means other machines can access your machine. Think carefully before you
grant access to your computer. One scenario where this makes sense is if you have a lot of media
files or documents on the computer that people need to be able to access at any time.
It is straightforward to set up either type of connection using the built-in VPN client in Windows 7.
Outgoing VPN: Connecting to a VPN Server or Router
In the Network and Sharing Center (under Control Panel, Network and Internet), there is an option to
"Set up a new connection or network." The next option is to click on "Connect to a Workplace" in
order to start the connection wizard, and then select "Use my Internet connection (VPN)" option to
begin the process. If you have a 3G card installed, you may first see a prompt to use the 3G card
instead of creating a "new" connection. In this case, you want the "new" connection so that you can
use your existing Internet connection (yes, it's a little confusing).
A far easier way to get to this point is to click on the Start button and type "VPN" in the search box. It will jump straight to the "Set up a virtual private network (VPN) connection" window in the wizard. In the Internet address field, enter the IP address of the VPN server or the network's domain name. This information will usually be provided by the network administrator. If you are connecting to the home router, then you would put in the IP address of that router.
The destination name field displays the name users would see. If you aren't going to connect right
away, select the "Don't connect now; just set it up so I can connect later" checkbox.
Leaving it unchecked means the client will try to make a connection at the end of the wizard. If there
are multiple users on the Windows 7 box, you can either check off "Allow other people to use this
connection" to make the VPN connection available to others, or leave it unchecked to ensure no one
else has the option.

3. This screen asks for a username and password. If you leave it blank, you will be prompted to enter
the information when making the actual connection.
4. The final window, if you selected "Don't connect now," will display a "Connect now" option. You
can close the window now, or connect.
When you are ready to connect, just click on the network icon in systray (the icon could be for the
wireless network or for the wired one) and the connection that was created earlier would show up in
the list under "Dial-up and VPN." You can also get here by clicking on "Connect to a network" under
Network and Sharing Center.
5. In the VPN connection box, enter the username and password to the VPN network, if it isn't
already pre-populated, along with the domain provided by the administrator. This connection should
work for a majority of VPN networks.
6. If the connection fails, click on Properties. The most common issue has to do with the server configuration. Select the "Security" tab in the Properties window. "Type of VPN" should be set to Automatic. Check with the administrator whether it should be set to PPTP, L2TP/IPsec, SSTP, or IKEv2. If it still doesn't work, try unchecking "Include Windows logon domain" under the Options tab.
7. After saving the properties, select Connect to launch the connection. You are now connected to a VPN server and your connection is safe.
Practical 4

Design and implement small network


Packet Tracer – Creating a New Topology
What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team
at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols
used in networking, in either Real Time or Simulation mode. This includes layer 2 protocols such as
Ethernet and PPP, layer 3 protocols such as IP, ICMP, and ARP, and layer 4 protocols such as TCP and
UDP. Routing protocols can also be traced.

Purpose: The purpose of this lab is to become familiar with building topologies in Packet Tracer.

Requisite knowledge: This lab assumes some understanding of the Ethernet protocol. At this point we
have not discussed other protocols, but will use Packet Tracer in later labs to discuss those as well.

Step 1: Start Packet Tracer

Step 2: Choosing Devices and Connections

We will begin building our network topology by selecting devices and the media in which to connect them.
Several types of devices and network connections can be used. For this lab we will keep it simple by
using End Devices, Switches, Hubs, and Connections.
Single click on each group of devices and connections to display the various choices. The devices you
see may differ slightly.
Step 3: Building the Topology – Adding Hosts

Single click on the End Devices.

Single click on the Generic host.

Move the cursor into topology area. You will notice it turns into a plus “+” sign.

Single click in the topology area and it copies the device.


Add three more hosts.

Step 4: Building the Topology – Connecting the Hosts to Hubs and Switches

Adding a Hub

Select a hub, by clicking once on Hubs and once on a Generic hub.

Add the hub by moving the plus sign “+” below PC0 and PC1 and click once.
Connect PC0 to Hub0 by first choosing Connections.

Click once on the Copper Straight-through cable.

Perform the following steps to connect PC0 to Hub0:

1. Click once on PC0


2. Choose FastEthernet
3. Drag the cursor to Hub0
4. Click once on Hub0 and choose Port 0
5. Notice the green link lights on both the PC0 Ethernet NIC and the Hub0 Port 0 showing that the
link is active.

Repeat the steps above for PC1 connecting it to Port 1 on Hub0. (The actual hub port you choose does
not matter.)
Adding a Switch

Select a switch, by clicking once on Switches and once on a 2950-24 switch.

Add the switch by moving the plus sign “+” below PC2 and PC3 and click once.

Connect PC2 to Switch0 by first choosing Connections.


Click once on the Copper Straight-through cable.

Perform the following steps to connect PC2 to Switch0:

1. Click once on PC2


2. Choose FastEthernet
3. Drag the cursor to Switch0
4. Click once on Switch0 and choose FastEthernet0/1
5. Notice the green link lights on PC2 Ethernet NIC and amber light Switch0 FastEthernet0/1 port.
The switch port is temporarily not forwarding frames, while it goes through the stages for the
Spanning Tree Protocol (STP) process.
6. After about 30 seconds the amber light will change to green, indicating that the port has entered the forwarding stage. Frames can now be forwarded out the switch port.

Note: Spanning Tree Protocol (STP) is discussed later.


Repeat the steps above for PC3, connecting it to Switch0 on port FastEthernet0/2. (The actual switch port you choose does not matter.)
Move the cursor over the link light to view the port number. Fa means FastEthernet, 100 Mbps Ethernet.

Step 5: Configuring IP Addresses and Subnet Masks on the Hosts

Before we can communicate between the hosts we need to configure IP Addresses and Subnet Masks on
the devices.

Click once on PC0.


Choose the Config tab and click on Settings. It is here that you can change the name of PC0. It is also
here where you would enter a Gateway IP Address, also known as the default gateway and the DNS
Server IP Address. We will discuss this later, but this would be the IP address of the local router. If you
want, you can enter the Gateway IP Address 172.16.1.1 and DNS Server IP Address 172.16.1.100,
although it will not be used in this lab.
Click on Interface and then FastEthernet. Although we have not yet discussed IP Addresses, add the IP
Address to 172.16.1.10. Click once in the Subnet Mask field to enter the default Subnet Mask. You can
leave this at 255.255.0.0. We will discuss this later.

Also, notice this is where you can change the Bandwidth (speed) and Duplex of the Ethernet NIC
(Network Interface Card). The default is Auto (autonegotiation), which means the NIC will negotiate with
the hub or switch. The bandwidth and/or duplex can be manually set by removing the check from the
Auto box and choosing the specific option.

Bandwidth - Auto

If the host is connected to a hub or switch port which can do 100 Mbps, then the Ethernet NIC on the host
will choose 100 Mbps (Fast Ethernet). Otherwise, if the hub or switch port can only do 10 Mbps, then the
Ethernet NIC on the host will choose 10 Mbps (Ethernet).

Duplex - Auto
Hub: If the host is connected to a hub, then the Ethernet NIC on the host will choose Half Duplex.

Switch: If the host is connected to a switch, and the switch port is configured as Full Duplex (or
Autonegotiation), then the Ethernet NIC on the host will choose Full Duplex. If the switch port is
configured as Half Duplex, then the Ethernet NIC on the host will choose Half Duplex. (Full Duplex is a
much more efficient option.)

The information is automatically saved when entered.

To close this dialog box, click the “X” in the upper right.

Repeat these steps for the other hosts. Use the information below for IP Addresses and Subnet Masks.

Host   IP Address     Subnet Mask
PC0    172.16.1.10    255.255.0.0
PC1    172.16.1.11    255.255.0.0
PC2    172.16.1.12    255.255.0.0
PC3    172.16.1.13    255.255.0.0

Verify the information

To verify the information that you entered, move the Select tool (arrow) over each host.

Deleting a Device or Link

To delete a device or link, choose the Delete tool and click on the item you wish to delete.
Step 6: Connecting Hub0 to Switch0

To connect like devices, such as a Hub and a Switch, we will use a Cross-over cable. Click once on the
Cross-over Cable from the Connections options.

Move the Connections cursor over Hub0 and click once.

Select Port 5 (actual port does not matter).

Move the Connections cursor to Switch0.


Click once on Switch0 and choose FastEthernet0/4 (actual port does not matter).

The link light for switch port FastEthernet0/4 will begin as amber and eventually change to green as the
Spanning Tree Protocol transitions the port to forwarding.

Step 7: Verifying Connectivity in Realtime Mode

Be sure you are in Realtime mode.

Select the Add Simple PDU tool used to ping devices.


Click once on PC0, then once on PC3.

The PDU Last Status should show as Successful.

Resetting the Network

At this point we will want to reset the network. Whenever you want to reset the network and begin the
simulation again, perform the following tasks:

Click Delete in the PDU area.

Now, Power Cycle Devices and confirm the action.


Waiting for Spanning Tree Protocol (STP)

Note: Because Packet Tracer also simulates the Spanning Tree Protocol (later), at times the switch may
show amber lights on its interfaces. You will need to wait for the lights to turn green on the switches
before they will forward any Ethernet frames.

Step 8: Verifying Connectivity in Simulation Mode

Be sure you are in Simulation mode.

Deselect all filters (All/None) and select only ICMP.


Select the Add Simple PDU tool used to ping devices.

Click once on PC0, then once on PC3.


Continue clicking Capture/Forward button until the ICMP ping is completed. You should see the ICMP
messages move between the hosts, hub and switch. The PDU Last Status should show as Successful.
Click on Clear Event List if you do not want to look at the events or click Preview Previous Events if
you do. For this exercise it does not matter.
Practical 5
Configuration of the following
a) Remote Login Service – TELNET/SSH
b) Configuration of FTP server and accessing it via FTP Client.
The ability to telnet to and from your Windows 2008 Server is an important network feature that you can learn to configure in
this article.

While the telnet client and server application has been around, well, forever, it is still very useful and, if you are like me, you
may use it every day for a variety of network configuration tasks. In Windows Server 2008, configuring your server to
respond to telnet requests and even using a Windows 2008 Server to telnet to another system with a telnet server can be
quite different. Now, let’s find out how to configure both!

Why would I want to configure my Windows 2008 Server as a Telnet Server?

There are a number of reasons to configure a Windows 2008 Server as a Telnet server. Here is my list of them:

 To perform remote CLI commands on your Windows 2008 Server, over a LAN or a WAN.

 To be able to configure and troubleshoot all your network devices – whether they are Cisco routers, Linux servers, or
Windows 2008 Servers – from a quick and simple command line, which is what the telnet application gives you.

 To test connectivity to and from the server using a simple & reliable protocol

Let’s talk about an example. Say that I want to check on the status of some files that are supposed to be transmitted to my
IIS server. There are a few quick commands that I can do to check on those files and I could do those commands much
quicker than other alternatives if I could just get to a Windows command prompt. For example, instead of connecting to the
server with Remote Desktop (RDP), with VNC, or another remote control method, why not just telnet to the server and
quickly run the 2 commands that you need to run?

Of course, this is just a simple example but I am sure that there are many examples in your own organization where your
administrative task could get done quicker if you could just telnet to the Windows server and perform the CLI commands that
you need to perform.

How do you install the Windows Server 2008 Telnet Server?

To install the Windows 2008 Server Telnet server, you need to add a new Windows Feature. To do this, open up Server
Manager and click on the Features section on the left. Next, click on Add Features on the right, like this:
Figure 1

On the Select Features window, scroll down to the Telnet Server option and click its checkbox to select it. Now, click Next,
then Install.
Figure 2

This begins the installation of the Telnet Server. After a few minutes, you will get a message that the installation is complete.
That’s it - the installation is really “that” simple!

For more information on the difference between roles & features see my Admin tip: What is the difference between a Role
and a Feature when customizing your Windows 2008 Server?

How do you install the Windows Server 2008 Telnet Client?

At this point, you could test your new Telnet Server from any computer that has the telnet application (like Windows
XP or 2003). However, let’s use a Windows 2008 Server with the telnet client to connect to the Windows 2008 Server that
we just installed the Telnet server on.

So, unlike in most previous Windows operating systems, we need to install the telnet client in Windows 2008 Server. To do
this, we need to go into the same Server Manager application, to Features, then to Add Feature.

This time, we will choose to install the Telnet Client, as you see in Figure 3:
Figure 3

After clicking Next, then Install, my telnet client was installed very quickly, as you see in Figure 4, below.

Figure 4

Also, see my Admin Tip entitled Why is there no CLI Telnet in Windows Server 2008?
Enabling and Allowing Access to the Telnet Server

Before you connect to the new telnet server, hold on. Unlike many other features, just because the telnet server feature is
installed, doesn’t mean that it is working. To actually use the telnet server, you need to, minimally, 1) start the service and 2)
allow access.

To start the service, go into the Services MMC either through the Start menu or by running services.msc. Change the
telnet service to start automatically and then go ahead and Start the service.

When you are done, it should look like it does in Figure 5:

Figure 5

By the way, you can also start and stop your telnet server from a command prompt by using net start telnet and net stop
telnet.

At this point, you can telnet to your server and get a login prompt. You can log in as administrator, but no other non-
administrative users can log in. To allow other users to log in, we need to configure who is authorized to log in via telnet. To
do this, you need to add the non-administrative user to the Local Group called TelnetClients. On my system, this group was
already created for me; however, Microsoft’s official instructions say that it has to be created. So, if the group is not created
on your system, go ahead and create the group.

Next, Add Users to this group. In my case, I added my already created user “ddavis” to the TelnetClients group, as you
see in Figure 6, inside Computer Management.
Figure 6

Once the user was added, it was time to test the telnet server with a non-administrative user.

Testing your new Windows 2008 Telnet Server

To test our new Windows 2008 Telnet Server, I went over to another Windows Vista machine that I had recently installed,
across the LAN. Prior to using telnet on this machine, I had to install the telnet client feature, which was similar to installing
the telnet server feature in Windows 2008 Server.

To test our connection, I went to Start > Command Prompt. At the Windows command prompt, I telnetted to my new Telnet
Server and was able to successfully connect as a non-administrative user (notice the username I logged in with), as you
can see below in Figures 7-10:

Figure 7

Figure 8
Figure 9

Figure 10

I think there are two important things of note that we can learn from Figures 7-10, above:

1. Per the warning message above in Figure 6, Telnet is an insecure protocol. All traffic sent (including your username &
password) is sent in clear text across the network. That means that your username & password could be seen by
someone who is decoding packets on your network. This is a security risk even on a secure internal LAN.

2. However, per the note in Figure 9, Windows Telnet supports NTLM authentication. You can force the telnet server to only
allow NTLM authentication and this would make your telnet server much more secure.

Additionally, if you read the official Microsoft telnet operations guide below, you can learn how to customize the configuration
for telnet and do things such as change the port number used, idle time, max # of simultaneous users, and more.

To see who is connected to your telnet server, you can use the following command:

tlntadmn -s

You can see an example of it in action in Figure 11.


Figure 11

Also, you can do other functions with the tlntadmn command like send messages to users (below, in Figure 12 & 13) and
disconnect users.

Figure 12

Figure 13
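The service, group and hardening steps above, collected into one PowerShell script as an added example (not code from the original article). It assumes an elevated prompt on the Windows Server 2008 host with the Telnet Server feature already installed, uses the sample user "ddavis" from the text, and treats the service name TlntSvr and the tlntadmn option values as assumptions drawn from the tlntadmn help syntax.

```powershell
# Added example, not part of the original practical.
# Assumptions: elevated PowerShell on the Telnet Server host; the Telnet
# Server feature is installed (Figures 1-2); "ddavis" is the sample user.
$user = "ddavis"

# 1) Start the service and make it start automatically. The service name is
#    TlntSvr (display name "Telnet"), so this matches "net start telnet".
Set-Service -Name TlntSvr -StartupType Automatic
Start-Service -Name TlntSvr

# 2) Only members of the local TelnetClients group may log in as
#    non-administrators. "net localgroup" is used because the *-LocalGroup
#    cmdlets do not exist on Server 2008. Create the group if it is missing.
$groupExists = net localgroup | Select-String -Pattern '^\*TelnetClients\s*$'
if (-not $groupExists) {
    net localgroup TelnetClients /add /comment:"Users allowed to log in via Telnet"
}
net localgroup TelnetClients $user /add

# 3) Reduce the clear-text credential risk described in the text: require
#    NTLM authentication and refuse the plain username/password prompt.
tlntadmn config sec=+NTLM -passwd

# 4) Optional tuning mentioned in the text: listening port, idle timeout and
#    maximum simultaneous sessions (sample values, not recommendations).
tlntadmn config port=23 timeout=00:10:00 maxconn=2

# 5) Show the effective configuration and who is connected right now.
tlntadmn
tlntadmn -s
```

With NTLM required, a client that cannot perform NTLM (such as a non-Windows telnet) will be refused, so keep the TelnetClients membership list short and review it with "net localgroup TelnetClients".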

b) Configuration of FTP server and accessing it via FTP Client.

The first thing you’ll need to set up your own FTP server in Windows is to make sure you have Internet Information
Services (IIS) installed. Remember, IIS only comes with Pro, Professional, Ultimate or Enterprise versions of Windows.

In Windows Vista and earlier, click on Start, Control Panel and go to Add/Remove Programs. Then click on Add/Remove
Windows Components. For Windows 7 and higher, click on Programs and Features from Control Panel and then click on
Turn Windows features on or off.


In the components wizard, scroll down until you see IIS in the list and check it off. Before you click Next though, make
sure you click on Details and then check File Transfer Protocol (FTP) Service.

For Windows 7 and up, go ahead and click on the box next to Internet Information Services and FTP Server. You also
need to make sure you check the Web Management Tools box, otherwise you won’t be able to manage IIS from
Administrative Tools later on. For FTP, you need to check the FTP Service box, otherwise you won’t have the option to
create an FTP server.

Click OK and then click Next. Windows will go ahead and install the necessary IIS files along with the FTP service. You
may be asked to insert your Windows XP or Windows Vista disc at this point. You shouldn’t need a disc for Windows 7
or higher.

Setup and configure IIS for FTP


Once IIS has been installed, you may have to restart your computer. Now we want to go ahead and open the IIS
configuration panel to set up the FTP server. So go to Start, then Control Panel and click on Administrative Tools. You
should now see an icon for Internet Information Services.

When you open IIS in Vista or earlier for the first time, you’ll only see your computer name in the left hand menu. Go
ahead and click the + symbol next to the computer name and you’ll see a couple of options like Web Sites, FTP Sites,
etc. We’re interested in FTP Sites, so expand that out also. You should see Default FTP Site; click on it.

You’ll notice after you click on the default FTP site that there are a couple of buttons at the top that look like VCR
buttons: Play, Stop, and Pause. If the Play button is greyed out, that means the FTP server is active. Your FTP server is
now up and running! You can actually connect to it via your FTP client software. I use SmartFTP, but you can use
whatever you like best.

For Windows 7 and higher, you’ll see a different look to IIS. Firstly, there is no play button or anything like that. Also,
you’ll see a bunch of configuration options right on the home screen for authentication, SSL settings, directory browsing,
etc.

To start the FTP server here, you have to right-click on Sites and then choose Add FTP Site. This opens the FTP wizard,
where you start by giving your FTP site a name and choosing the physical location for the files.

Next, you have to configure the bindings and SSL. Bindings are basically what IP addresses you want the FTP site to
use. You can leave it at All Unassigned if you don’t plan on running any other website. Keep the Start FTP site
automatically box checked and choose No SSL unless you understand certificates.
Lastly, you have to set up authentication and authorization. You have to choose whether you want Anonymous or Basic
authentication or both. For authorization, you choose from All Users, Anonymous users or specific users.

You can actually access the FTP server locally by opening Explorer and typing in ftp://localhost. If all worked well, you
should see the folder load with no errors.

If you have an FTP program, you can do the same thing. Open the FTP client software and type in localhost as the host
name and choose Anonymous for the login. Connect and you should now see the folder.

Ok, so now we have the site up and running! Now where do you drop the data you want to share? In IIS, the default
FTP site is actually located in C:\Inetpub\ftproot. You can dump data in there, but what if you already have data located
somewhere else and don’t want to move it to inetpub?

In Windows 7 and higher, you can pick any location you want via the wizard, but it’s still only one folder. If you want to
add more folders to the FTP site, you have to add virtual directories. For now, just open the ftproot directory and dump
some files into it.

Now refresh your FTP client and you should see your files listed! So you now have an up and running FTP server on
your local computer. So how would you connect from another computer on the local network?

In order to do this, you’ll have to open up the Windows Firewall to allow FTP connections to your computer; otherwise
all external computers will be blocked. You can do this by going to Start, Control Panel, clicking on Windows Firewall
and then clicking on the Advanced Tab.

Under the Network Connection Settings section, make sure all of the connections are checked in the left list and then
click on the Settings button. You’ll now be able to open certain ports on your computer based on the service your
computer is providing. Since we are hosting our own FTP server, we want to check off FTP Server. A little popup window
will appear with some settings that you can change; just leave it as it is and click OK. Click OK again at the main
Windows Firewall window.

In Windows 7 and higher, the process is different for opening the firewall port. Open Windows Firewall from the Control
Panel and then click on Advanced Settings on the left hand side. Then click on Inbound Rules and scroll down till you
see FTP Server (FTP Traffic-In), right click on it and choose Enable Rule. Then click on Outbound Rules and do the
same thing for FTP Server (FTP Traffic-Out). You have now opened up the firewall for FTP connections. Now try to
connect to your FTP site from a different computer on your network.

You’ll need to get the IP address of the computer first before you can connect to it from a different computer. Go to
Start, click Run and type in CMD. Type IPCONFIG and jot down the number for IP Address. In your FTP client on the
other computer, type in the IP Address you just wrote down and connect anonymously. You should now be able to see
all of your files just like you did on the FTP client that was on the local computer. Again, you can also go to Explorer and
just type in ftp://ipaddress to connect.

Now that the FTP site is working, you can add as many folders as you like for FTP purposes. In this way, when a user
connects, they specify a path that will connect to one specific folder.

Back in IIS, right click on Default FTP Site and choose New, and then Virtual Directory. In Windows 7, you right-click on
the site name and choose Add Virtual Directory.

When you create a virtual directory in IIS, you’re basically going to create an alias that points to a folder on the local
hard drive. So in the wizard, the first thing you’ll be asked for is an alias name. Make it something simple and useful like
“WordDocs” or “FreeMovies”, etc.

Click Next and now browse to the path where you want the alias to refer to. So if you have a bunch of movies you want
to share, browse to that folder.

Click Next and choose whether you want it as Read access only or Read and Write access. If you simply want to share
files, check Read. If you want people to be able to upload files to your computer, choose Read and Write.

Click Next and then click Finish! Now you’ll see your new virtual directory below the default FTP site. In Windows 7 and
up, the process is reduced to one dialog shown below:

You can connect to it using your FTP client by putting “/Test” or “/NameOfFolder” in the Path field. In Explorer, you
would just type in ftp://ipaddress/aliasname.


Now you’ll only see the files that are in the folder that we created the alias for.

That’s about it! You can create as many folders as you like! The only other thing that you would need to do is to give
out your public IP address to anyone who is connecting from outside of your internal network. If you want users to
connect from anywhere in the world, you’ll have to give them your public IP address.
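The firewall, IPCONFIG and anonymous-connection checks from this section as one PowerShell script, added here as an example and not taken from the original article. It assumes Windows 7 or higher with the IIS FTP site already created, an elevated prompt on the FTP host, and uses "WordDocs" as the sample virtual directory alias from the text; the .NET FtpWebRequest class stands in for the FTP client software.

```powershell
# Added example, not part of the original practical.
# Assumptions: Windows 7 or higher, elevated prompt on the FTP host, the IIS
# FTP site from the text is running, "WordDocs" is the virtual directory alias.
$FtpHost = "localhost"   # replace with the IPCONFIG address on another machine

# 1) Enable the two built-in rules named in the text instead of clicking
#    through Inbound Rules / Outbound Rules.
netsh advfirewall firewall set rule name="FTP Server (FTP Traffic-In)"  new enable=yes
netsh advfirewall firewall set rule name="FTP Server (FTP Traffic-Out)" new enable=yes

# 2) The IPCONFIG step: pick out the address(es) to hand to LAN clients.
#    Windows 7 prints "IPv4 Address", Vista/XP print "IP Address".
$ipv4 = ipconfig | Select-String -Pattern 'IP(v4)? Address' | ForEach-Object {
    ($_.Line -split ':\s*')[-1].Trim()
}
"Other computers connect with: " + (($ipv4 | ForEach-Object { "ftp://$_" }) -join ", ")

# 3) Anonymous directory listing, the same check as ftp://localhost in
#    Explorer. Only the "anonymous" account is used, so nothing secret is
#    sent; with Basic authentication and No SSL, real credentials would
#    cross the network in clear text.
function Get-FtpListing {
    param([string]$Uri)
    $req = [System.Net.FtpWebRequest]::Create($Uri)
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails
    $req.Credentials = New-Object System.Net.NetworkCredential("anonymous", "user@example.com")
    $req.UsePassive  = $true
    $resp = $req.GetResponse()
    try {
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $reader.ReadToEnd()
    } finally {
        $resp.Close()
    }
}

# Listing of the site root (C:\Inetpub\ftproot by default) and of the alias.
Get-FtpListing "ftp://$FtpHost/"
Get-FtpListing "ftp://$FtpHost/WordDocs/"
```

If the listing of the alias works but a normal FTP client cannot connect from another machine, the two firewall rules and the Bindings setting (All Unassigned) are the first things to recheck.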
Practical – 6

Setting up and Configuring Local Print Device and Network Print Device

As an administrator, you need to do two main things so users throughout a network can access print
devices connected to a Microsoft Windows 2000 workstation or server: you need to set up a
workstation or server as a print server, and you need to use the print server to share print devices on
the network.

Using Local and Network Printers

Two types of print devices are used on a network:

 Local print device A print device that's physically attached to the user's computer and
employed only by the user who's logged on to that computer.
 Network print device A print device that is set up for remote access over the network.
This can be a print device attached directly to a print server or a print device attached
directly to the network through a network adapter card.

Installing a Local Print Device

The steps for adding a printer for a local print device or for a network print device are similar. To
install a local print device, use the Add Printer wizard on the print server. When prompted, select
Local Printer rather than Network Printer, as shown in Figure 1.
Figure 1:The Local Or Network Printer screen appearing in the Add Printer wizard

The wizard guides you through the remaining steps necessary to add a printer for a print device
connected to the print server. The number of local print devices you can connect to a print server
through physical ports depends on your hardware configuration.

Installing a Network Print Device

In larger companies, most print devices are network print devices. These print devices offer
several advantages. You do not need to place print devices near the print server. In addition,
network connections transfer data more quickly than printer cable connections.

You add a printer for a network print device by using the Add Printer wizard. The main
difference between adding a printer for a local print device and adding a printer for a network
print device is that for a typical network print device, you provide additional port and network
protocol information.

The default network protocol for Windows 2000 is Transmission Control Protocol/Internet
Protocol (TCP/IP), which many network print devices use. For TCP/IP, you provide additional
port information by using the Add Standard TCP/IP Printer Port wizard, which is accessed
through the Add Printer wizard. See Windows 2000 Server Help for more details about installing
a TCP/IP print device onto your network.

Sharing an Existing Printer

If the printing demands on your network increase and your network has an existing, unshared
printer for a print device, you can share it so that users can print to the print device.
When you share a printer, consider the following guidelines:

 You need to assign the printer a share name, which appears in My Network Places. Use an
intuitive name to help users when they are browsing for a printer.
 You can add printer drivers for Windows 95, Windows 98, all versions of Windows NT, and
Windows 2000.
 You can choose to publish the printer in Active Directory services so that users can search for
the printer.

To share an existing printer, open the Printers window, open the Properties dialog box for that
printer, and then select the Sharing tab. The Sharing tab provides a simple interface for sharing the
printer.

Figure 2: The Sharing tab in the Properties dialog box for a printer

After you have shared the printer, Windows 2000 displays an open hand under the printer icon, indicating that the printer is shared.

Connecting to Printers Created on the Network

Once you create a network printer, remote users can connect to it and use it much like any other
printer. You'll need to set up a connection on a user-by-user basis or have users do this
themselves. To create the connection to the printer on a Windows 2000 system, follow these
steps:

1. With the user logged on, double-click the Printers icon in the Control Panel or in the Start
menu, select Settings, and then choose the Printers option. This opens the Printers folder.
2. Double-click the Add Printer icon to start the Add Printer Wizard.
3. Select the Network Printer option button, and then click Next.
In the Locate Your Printer dialog box, shown in Figure 3, choose a method for finding
the network printer. The available options are

o Find A Printer In The Directory Choose this option if you want to search
Active Directory directory service for the printer. All printers configured for
sharing on Windows 2000 systems are automatically listed in Active Directory.
Printers can be removed from the directory, however.
o Type The Printer Name, Or Click Next To Browse For A Printer Choose this
option if you want to browse the network for shared printers just as you would
browse in My Network Places.
o Connect To A Printer On The Internet Or On Your Intranet Choose this
option if you want to enter the Uniform Resource Locator (URL) of an Internet
printer.

Figure 3: Find the printer on the network or in Active Directory.

4. When the printer is selected, click OK.


5. Determine whether the printer is the default used by Windows applications. Choose Yes
or No, and then click Next.
6. Choose Finish to complete the operation.

The user can now print to the network printer by selecting the printer in an application. The
Printers folder on the user's computer shows the new network printer. You can configure local
property settings using this icon. By default, the printer name is set to Printer on Computer, such
as HP DeskJet on Zeta.

Solving Spooling Problems

Windows 2000 uses a service to control the spooling of print jobs. If this service isn't running,
print jobs can't be spooled. You can check the status of the Print Spooler using the Services
utility in Control Panel. Follow these steps to check and restart the Print Spooler service:

1. Choose Start, then Programs, then Administrative Tools, and then click Computer
Management. Or select Computer Management in the Administrative Tools folder.
2. Right-click the Computer Management entry in the console tree and select Connect To
Another Computer on the shortcut menu. You can now choose the system whose services
you want to manage.

Figure 3: The Print Spooler service handles print spooling.

3. Expand the Services And Applications node by clicking the plus sign (+) next to it, and
then choose Services.
4. Select the Print Spooler service, as shown in Figure 3. The Status should be "Started." If
it isn't, right-click Print Spooler, and then select Start. The Startup Type should be
"Automatic." If it isn't, double-click Print Spooler, and then set Startup Type to
Automatic.

If this doesn't resolve the problem, you may want to check other related services,
including

o TCP/IP Print Server
o Print Server for Macintosh
o Print Server for Unix

Tip: Spoolers can become corrupted. Symptoms include a frozen printer or one that doesn't send
jobs to the print device. Sometimes the print device may print pages of garbled data. In most of
these cases, stopping and starting the Print Spooler service will resolve the problem.

Other spooling problems may be related to permissions. See the section of this chapter entitled
"Setting Printer Access Permissions" for details.


Configuring Printer Properties

Once you install network printing, you can use the Properties dialog box to set its properties.
You access the Properties dialog box by doing the following:
1. Access the Printers folder on the computer you want to configure as a print server. On a
local system, you access this folder by clicking Start, choosing Settings, and then
selecting Printers. On a remote system, you can access this folder through My Network
Places. In My Network Places, access a domain, select a computer whose printer settings
you want to manage, and then double-click Printers.
2. Right-click the icon of the printer you want to configure and then from the pop-up menu,
select Properties.
3. This opens the dialog box shown in Figure 4. You can now set the printer properties.

The sections that follow explain how to set commonly used printer properties.

Adding Comments and Location Information

To make it easier to determine which printer to use when, you can add comments and location
information to printers. Comments provide general information about the printer, such as the
type of print device and who is responsible for it. Location describes the actual site of the print
device. Once set, applications can display these fields. For example, Microsoft Word displays
this information when you select Print from the File menu in the Comment and Where fields,
respectively.

Figure 4: Set printer properties with the dialog box for the printer you want to configure.

You can add comments and location information to a printer by using the fields in the General
tab of the printer's Properties dialog box. Type your comments in the Comment field. Type the
printer location in the Location field.

Changing the Printer Port

You can change the port used by a print device at any time by using the Properties dialog box for
the printer you're configuring. Open the Properties dialog box, and then click the Ports tab. You
can now either add a port for printing by selecting its check box or remove a port by clearing its
check box. To add a new port type, click Add Port and then follow the instructions on what to do
when a print device isn't found, given in the "Installing Print Devices on a Local or Remote Print
Server" section of this chapter. To remove a port permanently, select it and then click Delete
Port.
Scheduling and Prioritizing Print Jobs

You use the Properties dialog box for the printer you're configuring to set default settings for
print job priority and scheduling. Open the dialog box, and then click the Advanced tab. You can
now set the default schedule and priority settings using the fields shown in Figure 5. Each of
these fields is discussed in the sections that follow.

Figure 5: Configure print job scheduling and priority using the Advanced tab.

Scheduling Printer Availability

Printers are either always available or available only during the hours specified. You set printer
availability using the Advanced tab. Access the Advanced tab, and then select Always Available
to make the printer available at all times or select Available From to set specific hours of
operation.

Setting Printer Priority

Use the Priority box of the Advanced tab to set the default priority for print jobs. Print jobs
always print in order of priority. Jobs with higher priority print before jobs with lower priority.

Configuring Print Spooling

For print devices attached to the network, you'll usually want the printer to spool files rather than
print files directly. Print spooling makes it possible to use a printer to manage print jobs.

Enabling spooling To enable spooling, use one of the following options:

 Spool Print Documents So Program Finishes Printing Faster Select this option to
spool print jobs.
 Start Printing After Last Page Is Spooled Select this option if you want the entire
document to be spooled before printing begins. This option ensures that the entire
document makes it into the print queue before printing. If for some reason printing is
canceled or not completed, the job won't be printed.
 Start Printing Immediately Select this option if you want printing to begin immediately
when the print device isn't already in use. This option is preferable when you want print
jobs to be completed faster or when you want to ensure that the application returns
control to users as soon as possible.

Other spooling options You can disable spooling by selecting the Print Directly To The Printer
option button. Additional check boxes let you configure other spooling options. These check
boxes are used as follows:

 Hold Mismatched Documents If selected, the spooler holds print jobs that don't match
the setup for the print device. Selecting this option is a good idea if you frequently have
to change printer form or tray assignments.
 Print Spooled Documents First If selected, jobs that have completed spooling will print
before jobs in the process of spooling—regardless of whether the spooling jobs have
higher priority.
 Keep Printed Documents Normally documents are deleted from the queue after they're
printed. To keep a copy of documents in the printer, select this option. Use this option if
you're printing files that can't easily be recreated. In this way you can reprint the
document without having to recreate it. For details, see the section of this chapter entitled
"Pausing, Resuming, and Restarting Individual Document Printing."
 Enable Advanced Printing Features When this option is enabled, you can use advanced
printing options (if available), such as Page Order and Pages Per Sheet. If you note
compatibility problems when using advanced options, you should disable the advanced
printing features by clearing this checkbox.

Starting and Stopping Printer Sharing

You use the Properties dialog box of the printer you're configuring to set printer sharing. Right-
click the icon of the printer you want to configure, and then select Sharing. You can use this tab
to change the name of a network printer as well as to start sharing or stop sharing a printer.
Printer sharing tasks that you can perform include

 Sharing a local printer (thus making it a network printer) To share a printer, select
Share As and specify a name for the shared resource. If Windows 3.1 or MS-DOS
systems will access the printer, be sure the printer name conforms to the standard 8.3
naming rule, such as SOUTHEAS.PRT rather than SOUTHEAST_PRINTER. Click OK
when you're finished.
 Changing the shared name of a printer To change the shared name, simply type a new
name in the Share As field and click OK.
 Stopping the sharing of a printer To quit sharing a printer, select the Not Shared option
button. Click OK when you're finished.

Auditing Print Jobs

Windows 2000 lets you audit common printer tasks. To do this, follow these steps:
1. Open the printer's Properties dialog box, then click the Security tab. Open the Access
Control Settings dialog box by clicking Advanced.

Note: Actions aren't audited by default. You must first enable auditing by establishing a
group policy to audit the printer.

2. In the Auditing tab, add the names of users or groups you want to audit with the Add
button and remove names of users or groups with the Remove button.
3. Select the events you want to audit by selecting the check boxes under the Successful and
Failed headings, as appropriate.
4. Click OK when you're finished.

Managing Print Jobs on Local and Remote Printers

You manage print jobs and printers using the print management window.

If the printer is configured on your system, you can access the print management window by
completing the following steps:

1. Double-click the Printers icon in the Control Panel, or from the Start menu select Settings
and then choose Printers.
2. Double-click the icon of the printer you want to work with.

If the printer isn't configured on your system, you can manage the printer remotely by doing the
following:

1. Start Windows 2000 Explorer, and then use My Network Places to access the print
server.
2. Access the Printers folder on the print server and then double-click the icon of the printer
you want to work with.

Using the Print Management Window

You can now manage print jobs and printers using the print management window shown in
Figure 6. The print management window shows information about documents in the printers.
This information tells you

• Document Name The document file name, which can include the name of the
application that printed it.
• Status The status of the print job, which can include the status of the document as well as
the status of the printer. Document status entries you'll see include Printing, Spooling,
Paused, Deleting, and Restarting. Document status can be preceded by the printer status,
such as Printer Off-Line.
• Owner The document's owner.
• Pages The number of pages in the document.
• Size The document size in kilobytes or megabytes.
• Submitted The time and date the print job was submitted.
• Port The port used for printing, such as LPT1, COM3, or File (if applicable).

Figure 6: Manage print jobs and printers using the print management window.

Pausing the Printer and Resuming Printing

Sometimes you need to pause a printer. Using the print management window, you do this by
selecting the Pause Printing option on the Printer menu (a check mark indicates that the option is
selected). When you pause printing, the printer completes the current job and then puts all other
jobs on hold.

To resume printing, select the Pause Printing option a second time. This should remove the
check mark next to the option.

Emptying the Print Queue

You can use the print management window to empty the print queue and delete all of its
contents. To do this, on the Printer menu select the Cancel All Documents option.

Pausing, Resuming, and Restarting Individual Document Printing

You set the status of individual documents using the Document menu in the print management
window. To change the status of a document, follow these steps:

1. Select the document in the print management window.
2. Use the Pause, Resume, and Restart options on the Document menu to change the status
of the print job:

o Pause Puts the document on hold and lets other documents print.
o Resume Tells the printer to resume printing the document from where it left off.
o Restart Tells the printer to start printing the document again from the beginning.

Removing a Document and Canceling a Print Job

To remove a document from the printer or cancel a print job, follow these steps:

1. Select the document in the print management window.
2. Select Cancel from the Document menu or press Del.

Note: When you cancel a print job that's currently printing, the print device may continue to
print part or all of the document. This is because most print devices cache documents in an
internal buffer, and the print device may continue to print the contents of this cache.

Checking the Properties of Documents in the Printer

Document properties can tell you many things about documents that are in the printer, such as
the page source, orientation, and size. You can check the properties of a document in the printer
by doing either of the following:

• Select the document in the print management window and then, from the Document
menu, select Properties.
• Double-click the document name in the print management window.

Setting the Priority of Individual Documents

Scheduling priority determines when documents print. Documents with higher priority print
before documents with lower priority. You can set the priority of individual documents in the
printer by doing the following:

1. Select the document in the print management window and then, from the Document
menu, select Properties.
2. In the General tab, use the Priority slider to change the priority of the document. The
lowest priority is 1 and the highest is 99.

Scheduling the Printing of Individual Documents

In a busy printing environment, you may need to schedule the printing of documents in the
printer. For example, you may want large print jobs of low priority to print at night. To set the
printing schedule, follow these steps:

1. Select the document in the print management window and then, from the Document
menu, select Properties.
2. In the General tab, select the Only From option button and then specify a time interval.
The time interval you set determines when the job is allowed to print. For example, you
can specify that the job can print only between the hours of 12:00 midnight and 5:00 a.m.

Summary

The steps for adding a printer for a local print device or for a network print device are similar. In
both cases, use the Add Printer wizard on the print server. The Add Printer wizard starts with the
Welcome To The Add Printer Wizard screen. The wizard guides you through the steps to add a
printer for a print device. The default network protocol for Windows 2000 is TCP/IP, which
many network print devices use. In addition, if the printing demands on your network increase
and your network has an existing, nonshared printer for a print device, you can share it so that
users can print to the print device.

Practical 7
Creating Windows Server Boot Disk.
To create a bootable Windows 2003 CD-ROM, you first need to extract the boot sector of an
existing Windows 2003 installation CD-ROM. (This procedure should also work to create a
Windows XP bootable CD-ROM; simply capture the boot sector of an XP CD-ROM.) To
extract the boot sector, I used the IsoBuster CD-ROM and DVD data-recovery tool, which
you can download here. After you install IsoBuster, perform these steps:

1. Insert the Windows 2003 CD-ROM that you want to integrate with SP1.
2. Open IsoBuster and select Bootable CD from the left pane, right-click the Microsoft Corporation.img
file, and select Extract Microsoft Corporation.img from the context menu, as the figure shows.
3. Enter a name for the boot sector you're extracting and click Save.
4. Exit IsoBuster.

Alternatively, you can use a pre-extracted Windows 2003 boot sector file called
Windows2003StdCDBootSector.img, which you can download here.

Next, you'll create the new structure for the Windows 2003 with integrated SP1 CD-ROM by
performing these steps:

1. Create a new folder on a local file system, and name the folder windows2003sp1.
2. Copy the contents of the existing Windows 2003 CD-ROM to the new folder.
3. Create an extracted version of the service pack that you want to slipstream (in this example, SP1). To
do so, download the service pack, then execute it with the /x switch, as in the following example:
/x

4. Open the extracted service pack, navigate to the "update" subfolder, and run this command:
update /integrate:

as in this example:
update /integrate:D:\temp\windows2003stdsp1
You can also choose to not extract the service pack first and instead simply add the /integrate switch
to the downloaded SP1 file, as in this example:
/integrate: .
The integrate switch tells the update command to integrate the service pack files into an existing
Windows 2003 installation source. You can also update the support tools and deployment tools with
their SP1 versions. (For download information, see the FAQ "Where can I get the updated support
tools and deployment tools for Windows Server 2003 Service Pack 1 (SP1)?" at
http://www.windowsitpro.com/articles/index.cfm?articleid=46056 .) Rename the downloaded
deployment tools .cab file to deploy.cab and place the file in the \support\tools subfolder of the
Windows 2003 CD-ROM folder that has the slipstreamed SP1 (replacing the existing deploy.cab file).
To update the SP1 support tools, extract them to a new folder using the command
/c /t:
as in this example:
D:\temp\windowsserver2003-kb892777-supporttools-x86-enu.exe /c
/t:d:\temp\2003sp1suptools
Copy the four extracted files (sup_pro.cab, sup_srv.cab, support.cab, and suptools.msi) to the
\support\tools folder of the Windows 2003 folder.

You're now ready to burn this new structure and the boot sector you extracted earlier to a
CD-ROM to make a bootable Windows 2003 CD-ROM that has SP1 slipstreamed into it. For
this example, I used the Nero 6.6 CD-ROM burning software, but you can use any CD-ROM
burner software that lets you create a bootable CD-ROM. To create the Windows 2003 CD-
ROM, perform these steps:

1. Start the Nero or other CD-ROM burning application.
2. From the File menu, select New.
3. From the list of CD type options, select CD-ROM (Boot).
4. Select the Boot tab, then select "Image file" and enter the location of your boot sector image file.
Check the "Enable expert settings" and set the emulation to "No Emulation." Set the load segment to
07C0 and the number of sectors to 4, as the figure shows.
5. Select the Label tab and enter the volume label of the original CD-ROM (e.g., NRMSFPP_EN for
Windows 2003 Standard Server).
6. Under Burn CD, select the "Finalize CD (No further writing possible!)" option.
7. Click New.
8. Drag all the files from the Windows 2003 with slipstreamed SP1 folder to the CD project, as
the figure shows.
9. From the Recorder menu, select Burn Compilation.
10. Click Burn.

The application then creates your SP1-integrated bootable Windows 2003 CD-ROM.

Practical – 8

Installing Windows Server 2003

Introduction

This practical covers deploying and installing Microsoft Windows Server 2003 (Standard or Enterprise)
on a new server. This step-by-step document contains screen shots of the installation process of the
Windows operating system and takes you through the complete installation. The installation steps of
the Standard and Enterprise Editions are the same; there is no difference in the installation process of
the two versions of Windows Server 2003, the difference is in the features only.

Hardware Requirements for Windows Server 2003

As a minimum, an Intel processor-based server with at least 128 megabytes (MB) of RAM can run
Windows Server 2003, but as your organization grows and the number of users increases, you should
consider a more powerful server with the latest processor technology (dual core), a large
processor cache (2 MB or 4 MB), and at least 512 MB of memory. Microsoft also recommends
that the server have several gigabytes of disk storage (at least two SCSI disks). In
addition, servers should be equipped with high-speed network interface cards (minimum 100
MBps).

Server Disks and Partitions

The partition on which you are going to deploy the Windows 2003 operating system should be
formatted as NTFS, not FAT. By default the main partition (C drive) hosts the Windows
operating system and files, but if you plan to host the Windows folder and files on another partition
or disk, you must make sure that drive is formatted as NTFS as well.

Windows Server 2003 system requirements.

There are different editions of Server 2003; the requirements depend on which edition you have planned to install.

Edition      Processors   Processor speed                        RAM                                                  Available disk space (for Setup)
Web          1–2          133 MHz minimum; 550 MHz recommended   128 MB minimum; 256 MB recommended; 2 GB maximum     1.5 GB
Standard     1–4          133 MHz minimum; 550 MHz recommended   128 MB minimum; 256 MB recommended; 4 GB maximum     1.5 GB
Enterprise   1–8          133 MHz minimum; 550 MHz recommended   128 MB minimum; 256 MB recommended; 32 GB maximum    1.5 GB
Datacenter   8–32         400 MHz minimum                        512 MB minimum; 64 GB maximum                        1.5 GB

Install MS Windows Server 2003 on your Server

If your server was purchased from a known vender, as I mentioned above, like HP, DELL, IBM,
etc) then this server will come with a complete kit to prepare your server for Microsoft Various
Operating Systems installation, and other operating systems like Linux, Unix, MAC, etc. You
have to use this kit to prepare your server with all the configuration and drivers for the operating
system that you chose. Here I will not discuss these steps, in order to be familiar with these steps,
please consult your hardware vender. In this article, I will list the steps to install Windows Server
2003 directory from the Media you purchased from Microsoft Software Partner.

In order to install Windows Server 2003 on your Server, here are the steps:

1. To begin the installation procedure, boot directly from the Windows Server 2003 CD. Your
CD-ROM drive must support bootable CDs. (When you configure partitions and format drives, all
data on the server hard disk will be destroyed.)

2. Make sure that you have configured your server BIOS so that the first boot device is the CD/DVD-ROM
drive, to be able to boot from the CD/DVD drive.

3. During the boot, if you are prompted to "Press Any Key to boot from CD", press any key
(the Enter key or the Space Bar for simplicity); the Windows installation process then
begins.

Now we are going to see how to install Server 2003 Standard Edition.

Insert the boot disk in the CD/DVD-ROM drive and boot the system from the CD.

Press any key to boot from CD.

Setup will load the minimum drivers from the CD.

Press the Enter key (↵) to run Setup.

Accept the licensing agreement by pressing F8.

Delete the existing partition and create a new partition.

Format the partition.

Setup will format the partition to install Windows.

Now Setup will copy the files required for installation.

After copying, the system will restart automatically.

After restarting, Setup will prepare to install.

At this point your screen might flicker, and your keyboard and mouse may not work for a few
moments.

It will ask for regional settings; leave the defaults and click Next.
Enter the name and organization, then click Next.

Enter the product key provided to you by Microsoft.

This will ask you how clients and servers are connected to your network, so that it can keep track of
the licenses for your clients and servers.

Now it will prompt for the computer name and to set the password; click Next.
Set the date and time zone and click Next.

Select Typical for a standalone server, or Custom for network configuration.
Select Internet Protocol (TCP/IP) and click Properties.

Enter an IP address for your network and click OK.

Click Next to finish the wizard.

If you have a domain controller, enter the domain name to join this server to the domain.
It will prompt for user credentials; type the user name and password, and the server will be joined to
the domain. Click Next and finish the wizard.

Wait for a while; Setup will complete.

After completing, the system will restart.

Conclusion

The above practical went through the detailed steps on how to install Windows Server 2003 on a
new server.
Practical – 9

Installing Linux Server

Abstract

This manual explains how to boot the Red Hat Enterprise Linux 7 installation program (Anaconda) and how to
install Red Hat Enterprise Linux 7 on AMD64 and Intel 64 systems, 64-bit IBM Power Systems servers, and
IBM System z. It also covers advanced installation methods such as Kickstart installations, PXE installations,
and installations over VNC. Finally, it describes common post-installation tasks and explains how to
troubleshoot installation problems.

THE BOOT MENU


Once your system has completed booting from your boot media, the boot menu is displayed. The boot menu
provides several options in addition to launching the installation program. If no key is pressed within 60
seconds, the default boot option (the one highlighted in white) will be run. To choose the default, either wait
for the timer to run out or press Enter.

Figure 1. The Boot Screen


To select a different option than the default, use the arrow keys on your keyboard, and press Enter when the
correct option is highlighted.

INSTALLATION MODE OPTIONS


You can install Red Hat Enterprise Linux 7 in graphical mode or in text mode. While the graphical mode is
recommended and preferable for the installation and contains all options to configure, both modes follow
the layout of a summary menu with various sections you can enter and reenter at your convenience, as
displayed in the screenshots below.

Figure 2. The Installation Summary Screen


Figure 3. The Installation Summary screen in Text Mode

While text mode installations are not explicitly documented, those using the text mode installation program
can easily follow the GUI installation instructions.

Installation in Graphical Mode


If you have used a graphical user interface (GUI) before, you are already familiar with this process; use your
mouse to navigate the screens, click buttons, or type into text fields.

You can also navigate through the installation using the keyboard. Use the Tab and Shift+Tab keys to cycle
through active control elements on the screen, the Up and Down arrow keys to scroll through lists, and the
Left and Right arrow keys to scroll through horizontal toolbars or table entries. Use the Space and Enter keys to
select or remove a highlighted item from selection, or to expand and collapse drop-down lists. You can also
use the Alt+X key command combination as a way of clicking on buttons or making other screen selections,
where X is replaced with any underlined letter appearing within that screen after you press Alt.

WELCOME SCREEN AND LANGUAGE SELECTION


The first screen of the installation program is the Welcome to Red Hat Enterprise Linux 7.1 screen. Here you
select the language that Anaconda will use for the rest of the installation. This selection will also become the
default for the installed system, unless changed later. In the left panel, select your language of choice, for
example English. Then you can select a locale specific to your region in the right panel, for example English
(United States).
Alternatively, type your preferred language into the search box as shown below.

Once you have made your selection, click the Continue button to proceed to the Installation Summary
screen.

Figure 4. Language Configuration

Instead of directing you through consecutive screens, the Red Hat Enterprise Linux installation program
allows you to configure your installation in the order you choose.

Use your mouse to select a menu item to configure a section of the installation. When you have completed
configuring a section, or if you would like to complete that section later, click the Done button located in the
upper left corner of the screen.

Only sections marked with a warning symbol are mandatory. A note at the bottom of the screen warns you
that these sections must be completed before the installation can begin. The remaining sections are optional.
Beneath each section's title, the current configuration is summarized. Using this you can determine whether
you need to visit the section to configure it further.
Once all required sections are complete, click the Begin Installation button.

If you used a Kickstart option or a boot command-line option to specify an installation repository on a
network, but no network is available at the start of the installation, the installation program will display the
configuration screen for you to set up a network connection prior to displaying the Installation Summary
screen.

Figure 5. Network Configuration Screen When No Network Is Detected

You can skip this step if you are installing from an installation DVD or other locally accessible media, and you
are certain you will not need network to finish the installation. However, network connectivity is necessary
for network installations or for setting up advanced storage devices. For more details about configuring a
network in the installation program.

DATE & TIME

To configure time zone, date, and optionally settings for network time, select Date & Time at the Installation
Summary screen.

Specify a time zone even if you plan to use NTP (Network Time Protocol) to maintain the accuracy of the
system clock.

Figure 6. Time zone configuration screen

If you are connected to the network, the Network Time switch will be enabled. To set the date and time
using NTP, leave the Network Time switch in the ON position and click the configuration icon to select which
NTP servers Red Hat Enterprise Linux should use. To set the date and time manually, move the switch to the
OFF position. The system clock should use your time zone selection to display the correct date and time at
the bottom of the screen. If they are still incorrect, adjust them manually.

LANGUAGE SUPPORT

To install support for additional locales and language dialects, select Language Support from the Installation
Summary screen.

Use your mouse to select the language for which you would like to install support. In the left panel, select
your language of choice, for example Español. Then you can select a locale specific to your region in the right
panel, for example Español (Costa Rica). You can select multiple languages and multiple locales. The selected
languages are highlighted in bold in the left panel.

Figure 7. Configuring Language Support

Once you have made your selections, click Done to return to the Installation Summary screen.

KEYBOARD CONFIGURATION
To add multiple keyboard layouts to your system, select Keyboard from the Installation Summary screen.
Upon saving, the keyboard layouts are immediately available in the installation program and you can switch
between them by using the keyboard icon located at all times in the upper right corner of the screen.

Initially, only the language you selected in the welcome screen is listed as the keyboard layout in the left
pane. You can either replace the initial layout or add more layouts. However, if your language does not use
ASCII characters, you might need to add a keyboard layout that does, to be able to properly set a password
for an encrypted disk partition or the root user, among other things.

Figure 8. Keyboard Configuration

To add an additional layout, click the + button, select it from the list, and click Add. To delete a layout, select
it and click the - button. Use the arrow buttons to arrange the layouts in order of preference. For a visual
preview of the keyboard layout, select it and click the keyboard button.

To test a layout, use the mouse to click inside the text box on the right. Type some text to confirm that your
selection functions correctly.

To test additional layouts, you can click the language selector at the top on the screen to switch them.
However, it is recommended to set up a keyboard combination for switching layout. Click the Options button
at the right to open the Layout Switching Options dialog and choose a combination from the list by selecting
its check box. The combination will then be displayed above the Options button. This combination applies
both during the installation and on the installed system, so you must configure a combination here in order
to use one after installation. You can also select more than one combination to switch between layouts.

Once you have configured your keyboard layouts, click Done to return to the Installation Summary screen.

NETWORK & HOSTNAME


To configure essential networking features for your system, select Network & Hostname at the Installation
Summary screen.

Locally accessible interfaces are automatically detected by the installation program and cannot be manually
added or deleted. The detected interfaces are listed in the left-hand pane. Click an interface in the list to
display more details about it on the right. To activate or deactivate a network interface, move the switch in
the top-right corner of the screen to either ON or OFF.

Figure 9. Network & Hostname Configuration Screen

Below the list of connections, enter a host name for this computer in the Hostname input field. The host
name can be either a fully-qualified domain name (FQDN) in the format hostname.domainname or a short
host name in the format hostname. Many networks have a Dynamic Host Configuration Protocol (DHCP)
service that automatically supplies connected systems with a domain name. To allow the DHCP service to
assign the domain name to this machine, only specify the short host name.

Edit Network Connections


This section only details the most important settings for a typical wired connection used during installation.
Many of the available options do not have to be changed in most installation scenarios and are not carried
over to the installed system. Configuration of other types of network is broadly similar, although the specific
configuration parameters are necessarily different.
To configure a network connection manually, click the Configure button in the lower right corner of the
screen. A dialog appears that allows you to configure the selected connection. The configuration options
presented depend on whether the connection is wired, wireless, mobile broadband, VPN, or DSL. A full
description of all configurations possible in the Network section of the system Settings dialog is beyond the
scope of this guide.

The most useful network configuration options to consider during installation are:

Mark the Automatically connect to this network when it is available check box if you want to use the
connection every time the system boots. You can use more than one connection that will connect
automatically. This setting will carry over to the installed system.

Figure 10. Network Auto-Connection Feature

By default, IPv4 parameters are configured automatically by the DHCP service on the network. At the same
time, the IPv6 configuration is set to the Automatic method. This combination is suitable for most installation
scenarios and usually does not require any changes.

Figure 11. IP Protocol Settings

Select the Use this connection only for resources on its network check box to restrict connections only to
the local network. This setting will be transferred to the installed system and applies to the entire connection.
It can be selected even if no additional routes have been configured.

Figure 12. Configuration of IPv4 Routes

When you have finished editing network settings, click Save to save the new configuration. If you
reconfigured a device that was already active during installation, you must restart the device in order to use
the new configuration in the installation environment. Use the ON/OFF switch on the Network & Hostname
screen to restart the device.

Advanced Network Interfaces


Advanced network interfaces are also available for installation. This includes virtual local area networks
(VLANs) and two methods to use aggregated links. To create an advanced network interface, click the +
button in the lower left corner of the Network & Hostname screen.

Figure 13. Network & Hostname Configuration Screen

A dialog appears with a drop-down menu with the following options:

• Bond - represents NIC (Network Interface Controller) Bonding, a method to bind multiple
network interfaces together into a single, bonded, channel.
• Team - represents NIC Teaming, a new implementation to aggregate links, designed to provide a
small kernel driver to implement the fast handling of packet flows, and various applications to do everything
else in user space.
• VLAN - represents a method to create multiple distinct broadcast domains, which are mutually
isolated.

Figure 14. Advanced Network Interface Dialog

Once you have selected an option and clicked the Add button, another dialog appears for you to configure
the new interface. Click the Configure button in the lower right corner of the screen. You can also remove a
manually-added interface by clicking the - button.

SOFTWARE SELECTION
To specify which packages will be installed, select Software Selection at the Installation Summary screen.
The package groups are organized into Base Environments. These environments are pre-defined sets of
packages with a specific purpose; for example, the Virtualization Host environment contains a set of
software packages needed for running virtual machines on the system. Only one software environment can
be selected at installation time.

For each environment, there are additional packages available in the form of Add-ons. Add-ons are presented
in the right part of the screen and the list of them is refreshed when a new environment is selected. You can
select multiple add-ons for your installation environment.

A horizontal line separates the list of add-ons into two areas:

• Add-ons listed above the horizontal line are specific to the environment you selected. If you select any
add-ons in this part of the list and then select a different environment, your selection will be lost.
• Add-ons listed below the horizontal line are available for all environments. Selecting a different
environment will not impact the selections made in this part of the list.

Figure 15. Example of a Software Selection for a Server Installation

The availability of base environments and add-ons depends on the variant of Red Hat Enterprise Linux 7
installation ISO image which you are using as the installation source. For example, the server variant provides
environments designed for servers, while the workstation variant has several choices for deployment as a
developer workstation, etc.

The installation program does not show which packages are contained in the available environments. To see
which packages are contained in a specific environment or add-on, see the
repodata/*-comps-variant.architecture.xml file on the Red Hat Enterprise Linux 7 Installation DVD which you
are using as the installation source. This file contains a structure describing available environments (marked
by the <environment> tag) and add-ons (the <group> tag).

The pre-defined environments and add-ons allow you to customize your system, but in a manual installation,
there is no way to select individual packages to install. To fully customize your installed system, you can
select the Minimal Install environment, which only installs a basic version of Red Hat Enterprise Linux 7 with
only a minimal amount of additional software. Then, after the system finishes installing and you log in for the
first time, you can use the Yum package manager to install any additional software you need.

Once you have selected an environment and add-ons to be installed, click Done to return to the Installation
Summary screen.
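Since the installer does not list the packages behind an environment, the following added example (not from the Red Hat guide) reads a comps file and resolves an environment to the packages it installs and the add-ons it offers. The element names are those comps files use; the sample document, its ids and package names are constructed for illustration, and find_comps_file assumes a mounted DVD root as its argument.

```python
"""Inspect a comps XML file to see which packages an environment installs.

Added example, not part of the Red Hat installation guide. The element names
(<environment>, <group>, <grouplist>, <optionlist>, <packagelist>, <packagereq>)
are the ones comps files use; the sample document and the ids and package
names in it are constructed for illustration.
"""
import glob
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample mirroring the layout of repodata/*-comps-*.xml on the DVD.
SAMPLE_COMPS = """\
<comps>
  <group>
    <id>core</id>
    <name>Core</name>
    <packagelist>
      <packagereq type="mandatory">openssh-server</packagereq>
      <packagereq type="mandatory">rsyslog</packagereq>
      <packagereq type="default">postfix</packagereq>
      <packagereq type="optional">example-extra</packagereq>
    </packagelist>
  </group>
  <group>
    <id>example-tools</id>
    <name>Example Tools</name>
    <packagelist>
      <packagereq type="mandatory">example-tool</packagereq>
    </packagelist>
  </group>
  <environment>
    <id>minimal</id>
    <name>Minimal Install</name>
    <grouplist>
      <groupid>core</groupid>
    </grouplist>
    <optionlist>
      <groupid>example-tools</groupid>
    </optionlist>
  </environment>
</comps>
"""


def load_groups(root: ET.Element) -> Dict[str, List[str]]:
    """Map group id -> packages installed with the group.

    Only 'mandatory' and 'default' packagereq entries are installed when the
    group is selected; 'optional' ones are listed in comps but not pulled in.
    """
    groups: Dict[str, List[str]] = {}
    for group in root.findall("group"):
        groups[group.findtext("id")] = [
            req.text
            for req in group.findall("packagelist/packagereq")
            if req.get("type", "default") in ("mandatory", "default")
        ]
    return groups


def load_environments(root: ET.Element) -> Dict[str, Dict[str, List[str]]]:
    """Map environment id -> its base groups and its environment-specific add-ons."""
    envs: Dict[str, Dict[str, List[str]]] = {}
    for env in root.findall("environment"):
        envs[env.findtext("id")] = {
            "groups": [g.text for g in env.findall("grouplist/groupid")],
            "addons": [g.text for g in env.findall("optionlist/groupid")],
        }
    return envs


def packages_for_environment(comps_xml: str, env_id: str) -> List[str]:
    """Packages installed by choosing `env_id` with no add-ons selected."""
    root = ET.fromstring(comps_xml)
    groups = load_groups(root)
    env = load_environments(root)[env_id]
    packages = set()
    for gid in env["groups"]:
        packages.update(groups.get(gid, []))
    return sorted(packages)


def addons_for_environment(comps_xml: str, env_id: str) -> List[str]:
    """Add-on group ids offered above the horizontal line for `env_id`."""
    root = ET.fromstring(comps_xml)
    return load_environments(root)[env_id]["addons"]


def find_comps_file(dvd_root: str) -> str:
    """Locate the comps file under <dvd_root>/repodata of a mounted DVD."""
    matches = glob.glob(os.path.join(dvd_root, "repodata", "*comps*.xml"))
    if not matches:
        raise FileNotFoundError("no comps file under " + dvd_root)
    return matches[0]


if __name__ == "__main__":
    print("Minimal Install packages:", packages_for_environment(SAMPLE_COMPS, "minimal"))
    print("Add-ons specific to it:", addons_for_environment(SAMPLE_COMPS, "minimal"))
```

To inspect a real DVD, pass the text of find_comps_file("/path/to/dvd") to packages_for_environment with the environment id you are interested in.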

Core Network Services
All Red Hat Enterprise Linux installations include the following network services:

• centralized logging through the syslog utility
• email through SMTP (Simple Mail Transfer Protocol)
• network file sharing through NFS (Network File System)
• remote access through SSH (Secure SHell)
• resource advertising through mDNS (multicast DNS)

Some automated processes on your Red Hat Enterprise Linux system use the email service to send reports
and messages to the system administrator. By default, the email, logging, and printing services do not accept
connections from other systems.

You may configure your Red Hat Enterprise Linux system after installation to offer email, file sharing, logging,
printing, and remote desktop access services. The SSH service is enabled by default. You can also use NFS to
access files on other systems without enabling the NFS sharing service.
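To confirm on an installed system that only SSH accepts connections from other hosts, the following added example (not part of the Red Hat guide) parses the output of `ss -ltn` and classifies the services above as reachable from other systems or loopback only. The port-to-service mapping is an assumption based on the well-known TCP ports, and the sample listing is constructed rather than captured.

```python
"""Classify the default RHEL network services by whether they accept
connections from other systems, based on `ss -ltn` output.

Added example, not part of the Red Hat installation guide. SERVICE_PORTS is
an assumption (well-known TCP ports); SAMPLE_SS_OUTPUT is constructed.
mDNS uses UDP port 5353 and so does not appear in a TCP-only listing.
"""
import subprocess
from typing import Dict, List, Tuple

# Assumed mapping of well-known TCP ports to the services named in the text.
SERVICE_PORTS: Dict[int, str] = {
    22: "ssh",
    25: "smtp",
    514: "syslog",
    631: "cups",
    2049: "nfs",
}

# Constructed sample of `ss -ltn` on a freshly installed system: SSH on all
# addresses, SMTP and printing bound to loopback only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [::1]:25             [::]:*
LISTEN  0       128     [::1]:631            [::]:*
"""


def split_local_address(field: str) -> Tuple[str, int]:
    """Split ss's 'Local Address:Port' column into (address, port).

    Works for IPv4 ('0.0.0.0:22'), bracketed IPv6 ('[::1]:25') and the
    '*:22' wildcard form printed by older ss versions.
    """
    addr, port = field.rsplit(":", 1)
    return addr, int(port)


def is_loopback(addr: str) -> bool:
    """True when the socket is bound to a loopback address only."""
    bare = addr.strip("[]")
    return bare == "::1" or bare.startswith("127.")


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every LISTEN line in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a socket not in LISTEN state
        listeners.append(split_local_address(fields[3]))
    return listeners


def exposed_services(ss_output: str) -> Dict[str, List[str]]:
    """Group known services into 'remote' (some listener is bound to a
    non-loopback address) and 'local' (every listener is loopback only)."""
    remote: Dict[str, bool] = {}
    for addr, port in parse_listeners(ss_output):
        name = SERVICE_PORTS.get(port)
        if name is None:
            continue  # not one of the services the text describes
        remote[name] = remote.get(name, False) or not is_loopback(addr)
    return {
        "remote": sorted(n for n, r in remote.items() if r),
        "local": sorted(n for n, r in remote.items() if not r),
    }


def check_live_system() -> Dict[str, List[str]]:
    """Run `ss -ltn` on this host (Linux with iproute2) and classify."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return exposed_services(out.stdout)


if __name__ == "__main__":
    report = exposed_services(SAMPLE_SS_OUTPUT)
    print("reachable from other systems:", report["remote"])
    print("loopback only:", report["local"])
```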

INSTALLATION DESTINATION
To select the disks and partition the storage space on which you will install Red Hat Enterprise Linux, select
Installation Destination in the Installation Summary screen. If you are unfamiliar with disk partitions

Figure 16. Storage Space Overview

On this screen, you can see storage devices available locally on your computer. You can also add additional
specialized or network devices by clicking the Add a disk button.
Choose the disks to install Red Hat Enterprise Linux on by clicking their icons in the pane at the top of the
screen. Each disk is marked with its label, size, and available space. Disks left unselected on the screen will
not be touched once the installation begins.

Below the panes for storage devices is a form of additional controls labeled Other Storage Options:

In the Partitioning section, you can select how your storage devices will be partitioned. You can configure the
partitions manually or allow the installation program to do it automatically.

Automatic partitioning is recommended if you are doing a clean installation on previously unused storage
or do not need to keep any data that might be present on the storage. To proceed this way, leave the
default selection of the Automatically configure partitioning radio button to let the installation program
create the necessary partitions on the storage space for you.

For automatic partitioning, you can also select the I would like to make additional space available
checkbox to choose how to reassign space from other file systems to this installation. If you selected
automatic partitioning but there is not enough storage space to complete the installation, upon clicking
Done, a dialog will appear:
Figure 17. Installation Options Dialog with Option to Reclaim Space

Click Cancel & add more disks to add more storage space. Click Reclaim space to free some storage
space from existing partitions.

If you select the I will configure partitioning radio button for manual setup, you will be brought to the
Manual Partitioning screen after clicking Done.

In the Encryption section, you can select the Encrypt my data checkbox to encrypt all partitions except
for the /boot partition.

At the bottom of the screen is the Full disk summary and bootloader button for you to configure a disk on
which a boot loader will be installed.

Click the Done button once you have made your selections to either return to the Installation Summary
screen or to proceed to the Manual Partitioning screen.

Boot Loader Installation


Red Hat Enterprise Linux 7 uses GRUB2 (GRand Unified Bootloader version 2) as its boot loader. The boot
loader is the first program that runs when the computer starts and is responsible for loading and transferring
control to an operating system. GRUB2 can boot any compatible operating system and can also use chain
loading to transfer control to other boot loaders for unsupported operating systems.

If you have other operating systems already installed, Red Hat Enterprise Linux attempts to automatically
detect and configure GRUB2 to boot them. You can manually configure any additional operating systems if
they are not detected properly.

To specify which device the boot loader should be installed on, click the Full disk summary and bootloader
link at the bottom of the Installation Destination screen. The Selected Disks dialog will appear. If you are
partitioning the drive manually, this dialog can be reached by clicking Storage device/s selected on the
Manual Partitioning screen.
Figure 18. Summary of Selected Disks

In the Boot column, a green tick icon marks one of the devices as the intended boot device. To change the
boot device, select a device from the list and click the Set as Boot Device button to install the boot loader
there instead.

To decline installation of a new boot loader, select the marked device and click the Do not install bootloader
button. This will remove the tick and ensure GRUB2 is not installed on any device.

Encrypt Partitions
If you selected the Encrypt my data option, when you click to proceed to the next screen the installation
program will prompt you for a passphrase with which to encrypt the partitions on the system.

Partitions are encrypted using the Linux Unified Key.


Figure 19. Enter Passphrase for an Encrypted Partition

Choose a passphrase and type it into each of the two fields in the dialog box. Note that you need to use the
same keyboard layout for setting up this passphrase that you will use to unlock partitions later. Use the
language layout icon to ensure the correct layout is selected. You must provide this passphrase every time
that the system boots. Press Tab while in the Passphrase input field to retype it. If the passphrase is too
weak, a warning icon appears in the field and you will not be allowed to type in the second field. Hover your
mouse cursor over the warning icon to learn how to improve the passphrase.

Reclaim Disk Space


If there is insufficient space to install Red Hat Enterprise Linux on the disks selected in Installation
Destination and you selected Reclaim Space at the Installation Options dialog, the Reclaim Disk Space dialog
appears.
Figure 20. Reclaim Disk Space from Existing File Systems

The existing file systems Red Hat Enterprise Linux has detected are listed in a table as part of their respective
disks. The Reclaimable Space column lists the space that could be reassigned to this installation. The Action
column lists what action will be taken with the file system to reclaim space.

Beneath the table are four buttons:

Preserve - leaves the file system untouched and no data will be deleted. This is the default action.

Delete - removes the file system entirely. All the space it takes up on the disk will be made available for the
installation.
Shrink - recovers free space from the file system and makes it available for this installation. Use the slider to
set a new size for the selected partition. It can only be used on resizable partitions where LVM or RAID is not
used.

Delete all/Preserve all - this button, located on the right, marks all file systems for deletion by default. Upon
clicking, it changes the label and allows you to mark all file systems to be preserved again.
Manual Partitioning
The Manual Partitioning screen is displayed when you click Done from Installation Destination if you
selected the I will configure partitioning option. On this screen you configure your disk partitions
and mount points. This defines the file system that Red Hat Enterprise Linux 7 will be installed on.

Figure 21. The Manual Partitioning Screen


The Manual Partitioning screen initially features a single pane on the left for the mount points. The pane
is either empty except for information about creating mount points, or it displays existing mount points
that the installation program has detected. These mount points are organized by detected operating
system installations. Therefore, some file systems might be displayed multiple times if a partition is shared
among several installations. The total space and available space on selected storage devices are displayed
beneath this pane.
If your system contains existing file systems, ensure that enough space will be available for the
installation. Use the - button to remove unneeded partitions.

Adding File Systems and Configuring Partitions


An installation of Red Hat Enterprise Linux 7 requires a minimum of one partition but Red Hat recommends at
least four: /, /home, /boot, and swap. You may also create additional partitions you require.

Adding a file system is a two-step process. You first create a mount point in a certain partitioning scheme.
The mount point appears in the left pane. Next, you can customize it using the options in the right pane,
where you can change the mount point, capacity, the device type, file system type, label, and whether to
encrypt or reformat the corresponding partition.
If you have no existing file systems and want the installation program to create the required partitions and
their mount points for you, select your preferred partitioning scheme from the drop-down menu in the left
pane (default for Red Hat Enterprise Linux is LVM), then click the link on top of the pane for creating mount
points automatically. This will generate a /boot partition, a / (root) partition, and a swap partition
proportionate to the size of the available storage. These are the recommended partitions for a typical
installation but you can add additional partitions if you need to.

Alternatively, create individual mount points using the + button at the bottom of the pane. The Add a New
Mount Point dialog then opens. Either select one of the preset paths from the Mount Point drop-down menu
or type your own; for example, select / for the root partition or /boot for the boot partition. Then enter the
size of the partition, using common size units such as megabytes, gigabytes, or terabytes, to the Desired
Capacity text field; for example, type 2GB to create a two-gigabyte partition. If you leave the field empty or if
you specify a size bigger than available space, all remaining free space is used instead. After entering these
details, click the Add mount point button to create the partition.

For each new mount point you create manually, you can set its partitioning scheme from the drop-down
menu located in the left pane. The available options are Standard Partition, BTRFS, LVM, and LVM Thin
Provisioning. Note that the /boot partition will always be located on a standard partition, regardless of the
value selected in this menu.

To change on which devices a single non-LVM mount point should be located, select the mount point and
click the Modify... button in the right pane to open the Configure Mount Point dialog. Select one or more
devices and click Select. After the dialog closes, note that you also need to confirm this setting by clicking the
Update Settings button on the right side of the Manual Partitioning screen.

Figure 22. Configuring Mount Points

To refresh information about all local disks and partitions on them, click the rescan button (with the circular
arrow icon on it) in the toolbar. You only need to do this action after performing advanced partition
configuration outside the installation program. Note that if you click the Rescan Disks button, all
configuration changes you previously made in the installation program will be lost.
Figure 23. Rescanning Disks

At the bottom of the screen, a link states how many storage devices have been selected in Installation
Destination. Clicking on this link opens the Selected Disks dialog, where you can review the information about
the disks.

To customize a partition or a volume, select its mount point in the left-hand pane and the following
customizable features then appear to the right:
Figure 24. Customizing Partitions

Mount Point - enter the partition's mount point. For example, if a partition should be the root partition,
enter /; enter /boot for the /boot partition, and so on. For a swap partition, the mount point should not be set
- setting the file system type to swap is sufficient.
Desired Capacity - enter the desired size of the partition. You can use common size units such as kilobytes,
megabytes, gigabytes, or terabytes. Megabytes are the default option if you do not specify any unit.
Device type - choose one of these types: Standard Partition, LVM, RAID, LVM Thin Provisioning, or BTRFS.
Check the adjacent Encrypt box to encrypt the partition. You will be prompted to set a password later. RAID
is only available if two or more disks are selected for partitioning, and if you choose this type, you can also set
the RAID Level. Similarly, if you select LVM, you can specify the Volume Group.
File system - in the drop-down menu, select the appropriate file system type for this partition. Check the
adjacent Reformat box to format an existing partition, or leave it unchecked to retain your data. Note that
newly created partitions must be reformatted, and the checkbox cannot be unchecked in this case.
Label - assign a label to the partition. Labels are used for you to easily recognize and address individual
partitions.
Name - assign a name to an LVM or Btrfs volume. Note that standard partitions are named automatically
when they are created and their name cannot be edited, such as /home being assigned the name sda1.
Click the Update Settings button to save your changes and select another partition to customize. Note that
the changes will not be applied until you actually start the installation from the Installation summary page.
Click the Reset All button to discard all changes to all partitions and start over.
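The Desired Capacity rules scattered through the two passages above (common size units, megabytes when no unit is given, an empty field or an oversized request meaning "all remaining free space") are easy to get wrong when planning a layout by hand. The following Python script is an added example, not part of the Red Hat guide, that applies those rules to a list of mount-point requests against a constructed disk size. Treating the units as binary (1024-based) multiples is this example's assumption, not something the page states.

```python
import re

# Unit multipliers used by this example. The page lists kilobytes, megabytes,
# gigabytes and terabytes as accepted units; 1024-based multiples are an assumption.
UNIT_BYTES = {
    "B": 1,
    "KB": 1024,
    "MB": 1024 ** 2,
    "GB": 1024 ** 3,
    "TB": 1024 ** 4,
}
DEFAULT_UNIT = "MB"  # the page: megabytes are used when no unit is given

CAPACITY_RE = re.compile(r"(?P<number>\d+(?:\.\d+)?)\s*(?P<unit>[A-Za-z]*)")


def requested_capacity(text, available_bytes):
    """Turn a Desired Capacity entry into a byte count.

    Rules from the dialog description: an empty field, or a size larger than
    what is available, means "use all remaining free space"; a bare number is
    read as megabytes.
    """
    text = text.strip()
    if not text:
        return available_bytes
    m = CAPACITY_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"unrecognised capacity: {text!r}")
    unit = (m.group("unit") or DEFAULT_UNIT).upper()
    if unit not in UNIT_BYTES:
        raise ValueError(f"unknown unit in {text!r}")
    size = int(float(m.group("number")) * UNIT_BYTES[unit])
    if size <= 0:
        raise ValueError("capacity must be positive")
    return min(size, available_bytes)


def plan_partitions(disk_bytes, requests):
    """Allocate mount points in order; returns {mount_point: bytes}.

    `requests` is a list of (mount_point, capacity_text) pairs as typed into
    the Add a New Mount Point dialog. An empty entry swallows all remaining
    space, so anything requested after it would get nothing; that is reported
    as an error instead of silently producing a zero-size partition.
    """
    remaining = disk_bytes
    plan = {}
    for mount_point, capacity_text in requests:
        if mount_point in plan:
            raise ValueError(f"duplicate mount point {mount_point!r}")
        if remaining <= 0:
            raise ValueError(f"no space left for {mount_point!r}")
        size = requested_capacity(capacity_text, remaining)
        plan[mount_point] = size
        remaining -= size
    return plan


if __name__ == "__main__":
    GiB = 1024 ** 3
    # The four partitions the page recommends, on a constructed 40 GiB disk.
    layout = plan_partitions(40 * GiB, [
        ("/boot", "1GB"),    # explicit unit
        ("swap", "2048"),    # bare number -> megabytes
        ("/home", "10 GB"),  # whitespace before the unit is accepted
        ("/", ""),           # empty -> everything that is left
    ])
    for mount_point, size in layout.items():
        print(f"{mount_point:6} {size / GiB:6.1f} GiB")
```

Putting the root partition with an empty capacity last reproduces what the automatic "create mount points" link does: fixed-size /boot and swap, with / growing into whatever remains.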

When all file systems and mount points have been created and customized, click the Done button. If you
chose to encrypt any file system, you will now be prompted to create a passphrase. Then, a dialog appears
showing a summary of all storage-related actions the installation program will take. This includes creating,
resizing, or deleting partitions and file systems. You can review all the changes and click Cancel & Return to
Custom Partitioning to go back. To confirm your changes, click Accept Changes to return to the Installation
Summary page. To partition additional devices, select them in the Installation Destination screen, return to
the Manual Partitioning screen, repeat the steps outlined in this section for the additional devices.

Device Types

standard partition - A standard partition can contain a file system or swap space, or it can provide a
container for software RAID or an LVM physical volume.

logical volume (LVM) - Creating an LVM partition automatically generates an LVM logical volume. LVM can
improve performance when using physical disks.

LVM thin provisioning - Using thin provisioning, you can manage a storage pool of free space, known as a
thin pool, which can be allocated to an arbitrary number of devices when needed by applications. The thin
pool can be expanded dynamically when needed for cost-effective allocation of storage space.

BTRFS - Btrfs is a file system with several device-like features. It is capable of addressing and managing more
files, larger files, and larger volumes than the ext2, ext3, and ext4 file systems.

software RAID - Creating two or more software RAID partitions allows you to create a RAID device. One RAID
partition is assigned to each disk on the system.

File Systems

xfs - XFS is a highly scalable, high-performance file system that supports file systems up to 16 exabytes
(approximately 16 million terabytes), files up to 8 exabytes (approximately 8 million terabytes), and directory
structures containing tens of millions of entries. XFS supports metadata journaling, which facilitates quicker
crash recovery. The XFS file system can also be defragmented and resized while mounted and active. This file
system is selected by default and is highly recommended. For information on how to translate common
commands from previously used ext4 file system to XFS, see

The maximum supported size of an XFS partition is 500 TB.

ext4 - The ext4 file system is based on the ext3 file system and features a number of improvements. These
include support for larger file systems and larger files, faster and more efficient allocation of disk space, no
limit on the number of subdirectories within a directory, faster file system checking, and more robust
journaling.

The maximum supported size of an ext4 file system in Red Hat Enterprise Linux 7 is currently 50 TB.

ext3 - The ext3 file system is based on the ext2 file system and has one main advantage - journaling. Using a
journaling file system reduces time spent recovering a file system after a crash as there is no need to check
the file system for metadata consistency by running the fsck utility every time a crash occurs.

ext2 - An ext2 file system supports standard Unix file types, including regular files, directories, or symbolic
links. It provides the ability to assign long file names, up to 255 characters.

vfat - The VFAT file system is a Linux file system that is compatible with Microsoft Windows long file names
on the FAT file system.

swap - Swap partitions are used to support virtual memory. In other words, data is written to a swap
partition when there is not enough RAM to store the data your system is processing.

BIOS Boot - A very small partition required for booting a device with a GUID partition table (GPT) on a BIOS
system.

EFI System Partition - A small partition required for booting a device with a GUID partition table (GPT) on a
UEFI system.

Create Software RAID


Redundant arrays of independent disks (RAIDs) are constructed from multiple storage devices that are
arranged to provide increased performance and, in some configurations, greater fault tolerance. See below
for a description of different kinds of RAIDs.

A RAID device is created in one step and disks are added or removed as necessary. One RAID partition per
physical disk is allowed for each device, so the number of disks available to the installation program
determines which levels of RAID device are available to you. For example, if your system has two hard drives,
the installation program will not allow you to create a RAID10 device, which requires 4 separate partitions.
Figure 25. Creating a Software RAID Partition - the Device Type Menu Expanded

Create LVM Logical Volume


Logical Volume Management (LVM) presents a simple logical view of underlying physical storage space, such
as hard drives or LUNs. Partitions on physical storage are represented as physical volumes that can be
grouped together into volume groups. Each volume group can be divided into multiple logical volumes, each
of which is analogous to a standard disk partition. Therefore, LVM logical volumes function as partitions that
can span multiple physical disks.
Figure 26. Configuring a Logical Volume

BEGIN INSTALLATION
When all required sections of the Installation Summary screen have been completed, the admonition at the
bottom of the menu screen disappears and the Begin Installation button becomes available.
Figure 27. Ready to Install

If you have finished customizing your installation and are certain that you want to proceed, click Begin
Installation.

THE CONFIGURATION MENU AND PROGRESS SCREEN


Once you click Begin Installation at the Installation Summary screen, the progress screen appears. Red Hat
Enterprise Linux reports the installation progress on the screen as it writes the selected packages to your
system.
Figure 28. Installing Packages

For your reference, a complete log of your installation can be found in the
/var/log/anaconda/anaconda.packaging.log file, once you reboot your system.

While the packages are being installed, more configuration is required. Above the installation progress bar
are the Root Password and User Creation menu items.

The Root Password menu item is used to set the password for the root account. The root account is used to
perform critical system management and administration tasks. The password can be configured either while
the packages are being installed or afterwards, but you will not be able to complete the installation process
until it has been configured.

Creating a user account is optional and can be done after installation, but it is recommended to do it on this
screen. A user account is used for normal work and to access the system. Best practice suggests that you
always access the system via a user account, not the root account.

Set the Root Password


Setting up a root account and password is an important step during your installation. The root account (also
known as the superuser) is used to install packages, upgrade RPM packages, and perform most system
maintenance. The root account gives you complete control over your system. For this reason, the root
account is best used only to perform system maintenance or administration. See the Red Hat
Enterprise Linux 7 System Administrator's Guide for more information about becoming root.
Figure 29. Root Password Screen

Click the Root Password menu item and enter your new password into the Root Password field. Red Hat
Enterprise Linux displays the characters as asterisks for security. Type the same password into the Confirm
field to ensure it is set correctly. After you set the root password, click Done to return to the User Settings
screen.

The following are the requirements and recommendations for creating a strong root password:

must be at least eight characters long
may contain numbers, letters (upper and lower case) and symbols
is case-sensitive and should contain a mix of cases
something you can remember but that is not easily guessed
should not be a word, abbreviation, or number associated with you, your organization, or found in a
dictionary (including foreign languages)
should not be written down; if you must write it down keep it secure
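To make the list above concrete, here is an added Python checker (example code, not Red Hat's, and not what the installer itself runs) that tests a candidate password against the rules a program can enforce: minimum length, mixed case, dictionary words, and terms tied to the user or organization. Its wordlist and function names are constructed for the example. The same checks are worth applying to the disk-encryption passphrase chosen under Encrypt Partitions above, since that passphrase also guards the whole system.

```python
import re

# Constructed mini-dictionary standing in for the wordlist a real checker
# (a cracklib dictionary, for instance) would use; it is this example's own list.
DICTIONARY_WORDS = {
    "password", "welcome", "admin", "redhat", "linux", "secret",
    "letmein", "qwerty", "dragon", "monkey", "summer", "winter",
}
MIN_LENGTH = 8


def check_password(candidate, personal_terms=()):
    """Return a list of failed rules (an empty list means the password passes).

    The rules follow the list above: minimum length, a mix of upper and lower
    case, no dictionary word, and nothing associated with the user or the
    organization (passed in via `personal_terms`, e.g. a username, company
    name or birth year).
    """
    failures = []

    if len(candidate) < MIN_LENGTH:
        failures.append("length")  # must be at least eight characters long

    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        failures.append("case")  # should contain a mix of cases

    # Compare only the letters, so "Password1" or "password99" still match the
    # dictionary word they are built from.
    letters = re.sub(r"[^a-z]", "", candidate.lower())
    if letters in DICTIONARY_WORDS or any(
        len(word) >= 4 and word in letters for word in DICTIONARY_WORDS
    ):
        failures.append("dictionary")

    # Anything associated with the user or organization, matched case-insensitively,
    # including numbers such as a birth year or an employee id.
    lowered = candidate.lower()
    if any(term and term.lower() in lowered for term in personal_terms):
        failures.append("personal")

    return failures


def explain(candidate, personal_terms=()):
    """Human-readable verdict, handy when prompting a user to pick again."""
    reasons = {
        "length": f"must be at least {MIN_LENGTH} characters",
        "case": "must mix upper- and lower-case letters",
        "dictionary": "must not be built from a dictionary word",
        "personal": "must not contain a name, id or number associated with you",
    }
    failures = check_password(candidate, personal_terms)
    if not failures:
        return "OK"
    return "; ".join(reasons[f] for f in failures)


if __name__ == "__main__":
    # Constructed candidates; "ACME" and "2019" stand for an organization name and a year.
    for pw in ["Sh0rt", "Password1", "acme2019x", "Tr0ub4dor&3"]:
        print(f"{pw:14} -> {explain(pw, personal_terms=('ACME', '2019'))}")
```

The checker deliberately reports every failed rule rather than stopping at the first, because a user who is told only "too short" will often come back with a longer dictionary word.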

Create a User Account


To create a regular (non-root) user account during the installation, click User Settings on the progress
screen. The Create User screen appears, allowing you to set up the regular user account and configure its
parameters. Though recommended to do during installation, this step is optional and can be performed
after the installation is complete.
To leave the user creation screen after you have entered it, without creating a user, leave all the fields
empty and click Done.
Figure 30. User Account Configuration Screen
Click the Advanced button to open a new dialog with additional settings.

Figure 31. Advanced User Account Configuration


By default, each user gets a home directory corresponding to their user name. In most scenarios, there is
no need to change this setting.

INSTALLATION COMPLETE
Congratulations! Your Red Hat Enterprise Linux installation is now complete!
Click the Reboot button to reboot your system and begin using Red Hat Enterprise Linux. Remember to
remove any installation media if it is not ejected automatically upon reboot.

After your computer's normal power-up sequence has completed, Red Hat Enterprise Linux loads and
starts. By default, the start process is hidden behind a graphical screen that displays a progress bar.
Eventually, a GUI login screen (or if the X Window System is not installed, a login: prompt) appears.
Practical 10
Installing Active Directory & Creating AD Objects
Installation

Open Server Manager and click on Roles. This will bring up the Roles Summary on the right-hand side,
where you can click on the Add Roles link.

This will bring up the Add Roles Wizard, where you can click on Next to see a list of available Roles.
Select Active Directory Domain Services from the list. You will be told that you need to add some
features; click on the Add Required Features button and click Next to move on.
A brief introduction to Active Directory will be displayed, as well as a few links to additional resources.
You can just click Next to skip past here and click Install to start installing the binaries for Active
Directory.
When the installation is finished you will be shown a success message; just click Close.
Configuration

Open up Server Manager, expand Roles and click on Active Directory Domain Services. On the right-hand
side click on the Run the Active Directory Domain Services Installation Wizard (dcpromo.exe)
link.
This will kick off another wizard, this time to configure the settings for your domain; click Next to
continue.
The message that is shown now relates to older clients that do not support the new cryptographic
algorithms supported by Server 2008 R2; these are used by default in Server 2008 R2. Click Next to
move on.
Choose to create a new domain in a new forest.
Now you can name your domain. We will be using a .local domain; the reason why will be explained
in an upcoming article.
Since this is the first DC in our domain we can change our forest functional level to Server 2008 R2.
We want to include DNS in our installation as this will allow us to have an AD Integrated DNS Zone;
when you click Next you will be prompted with a message, just click Yes to continue.
You will need to choose a place to store log files. It is a best practice to store the database and
SYSVOL folder on one drive and the log files on a separate drive, but since this is in a lab
environment I will just leave them all on the same drive.
Choose a STRONG Active Directory Restore Mode Password and click Next twice to kick off the
configuration.
You will be able to see what components are being installed by looking in the following box.
When it's done you will be notified and required to reboot your PC.
Creating objects in active directory

You can create objects in Active Directory by using the Active Directory Users and Computers console.

Start -> Administrative Tools -> Active Directory Users and Computers.

 On the Active Directory Users and Computers console, right-click the container object within which you would like to
create an object.
 A submenu pops out; from it, choose the option New.
 On choosing the option "New", another submenu pops out with a list of objects; from that, choose the object that you intend to
create.
 After you choose an object, the respective dialogue boxes appear in which you can enter the attribute values for the object.
When you complete this, the object is created.


Practical 11
Create Domain Controller
1. If you have set up a domain controller previously with Windows 2000 Server or Windows Server 2003,
then you will be familiar with the dcpromo.exe command; it will also be used to set up a Domain
Controller on Windows Server 2008.

To use the command, click on Start > Run, then type dcpromo and click OK.

2. The system will start checking whether the Active Directory Domain Services (AD DS) binaries are installed, then
will start installing them. The binaries could already be installed if you had run the dcpromo command
previously and then canceled the operation after the binaries were installed.
3. The Active Directory Domain Services Installation Wizard will start. Either enable the checkbox
beside Use Advanced mode installation and click Next, or keep it unselected and click on Next.

The following table lists the additional wizard pages that appear for each deployment
configuration when you select the Use advanced mode installation check box.

Deployment configuration - Advanced mode installation wizard pages

New forest - Domain NetBIOS name. (On the Choose a Deployment Configuration page, the option to
create a new domain tree appears only in advanced mode installation.)

New domain in an existing forest - Domain NetBIOS name; Source Domain Controller

Additional domain controller in an existing domain - Install from Media; Source Domain Controller;
Specify Password Replication Policy (for RODC installation only)

Create an account for a read-only domain controller (RODC) installation - Specify Password
Replication Policy

Attach a server to an account for an RODC installation - Install from Media; Source Domain Controller

4. The Operating System Compatibility page will be displayed; take a moment to read it and click Next.
5. Choose Create a new domain in a new forest, and click Next.
6. Enter the Fully Qualified Domain Name of the forest root domain inside the textbox, and click Next.
7. If you selected Use advanced mode installation on the Welcome page, the Domain NetBIOS
Name page appears. On this page, type the NetBIOS name of the domain if necessary or accept the
default name and then click Next.
8. Select the Forest Functional Level, choose the level you desire and click on Next. Make sure to read
the description of each functional level to understand the difference between each one.
9. In the previous step, if you selected any Forest Functional Level other than Windows Server
2008 and clicked on Next, you will then get a page to select the Domain Functional Level. Select
it and then click on Next.
10. In the Additional Domain Controller Options page, you can select to install the Domain Name
Service on your server. Note that the first domain controller in a forest must be a Global
Catalog; that is why the checkbox beside Global Catalog is selected and cannot be cleared. The
checkbox is also selected by default when you install an additional domain controller in an existing
domain; however, you can clear this checkbox if you do not want the additional domain controller to be
a global catalog server. The first domain controller in a new forest or in a new domain cannot be
a Read Only Domain Controller (RODC); you can later add an RODC, but you must have at least one
Windows Server 2008 Domain Controller.

I want to set my DC as a DNS Server as well, so I will keep the checkbox beside DNS Server selected
and click on Next.
11. If the wizard cannot create a delegation for the DNS server, it displays a message to indicate that you
can create the delegation manually. To continue, click Yes.

12. Now you will choose the location where the domain controller database, log files and SYSVOL are stored
on the server.
The database stores information about the users, computers and other objects on the network. The log
files record activities that are related to AD DS, such as information about an object being updated.
SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system
files in the Windows directory.

Either type or browse to the volume and folder where you want to store each, or accept the defaults
and click on Next.

13. In the Directory Services Restore Mode Administrator Password (DSRM) page, write a
password and confirm it. This password is used when the domain controller is started
in Directory Services Restore Mode, which might be because Active Directory Domain Services
is not running, or for tasks that must be performed offline.
Make sure that you memorize this password; you will need it. I know many administrators who forgot
it when they most needed it!
Make sure the password meets the password complexity requirements of the password policy, that
is, a password that contains a combination of uppercase and lowercase letters, numbers, and
symbols; otherwise you will receive the following message:

14. The Summary page will be displayed showing you all the settings that you have configured. It gives you the option
to export the settings you have set up into an answer file for use with other unattended operations; if you
wish to have such a file, click on the Export settings button and save the file.

15. DNS installation will start.

16. This is followed by installing the Group Policy Management Console; the system will check first whether it is
installed or not.

17. Configuring the local computer to host Active Directory Domain Services and other operations will take
place, setting up this server as a Domain Controller.
18. Active Directory Domain Services installation will be completed. Click Finish, then click on Restart
Now to restart your server for the changes to take effect.
19. Once the server is booted and you log on to it, click on Start > Administrative Tools; you will notice that the
following have been installed:

 Active Directory Domains and Trusts
 Active Directory Sites and Services
 Active Directory Users and Computers
 ADSI Edit
 DNS
 Group Policy Management
Summary

Setting up a Domain Controller in Windows Server 2008 to install Active Directory Domain Services is
performed by running the dcpromo command. It has some new options like using Advanced Mode Installation,
and exporting settings to an answer file. In my next articles, I will show you how to perform an unattended
installation to set up your domain controller, and also how to set up an additional domain controller using
Windows Server 2008.
Practical 12
Practice IOS Management & IOS Commands.
IOS is a package of routing, switching, internetworking and telecommunications functions integrated
into a multitasking operating system.

Cisco IOS (originally Internetwork Operating System) is software used on most Cisco
Systems routers and current Cisco network switches.

Steps to configure a router from scratch


1. Hook up the power cable to the router.

2. Connect the serial console cable from the router's console port (RJ-45) to the back of a PC or
laptop (DB-9 Serial, "COM1 Port").

3. Because HyperTerminal comes with Windows, many people use it to configure Cisco routers. To
open HyperTerminal from Windows, go to Start | Programs | Accessories | Communications |
HyperTerminal.

4. Create a new connection called Cisco, click OK to accept the default of using COM1, change the
baud rate to 9600 baud on the Serial Port settings, and click OK, which should take you to the
router's console.

5. Power-on the router, and watch the boot-up sequence.

6. Following the prompt, press [Enter]. Because it's a new router, you'll automatically go into Setup
Mode. You should see something like this:

--- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]:

7. Setup Mode asks you a series of questions to assist you in configuring the router. For our
purposes, enter n, and press [Enter].

CISCO IOS Commands


The Cisco IOS software provides access to several different command modes. Each command mode
provides a different group of related commands.

For security purposes, the Cisco IOS software provides two levels of access to commands: user and
privileged. The unprivileged user mode is called user EXEC mode. The privileged mode is called
privileged EXEC mode and requires a password. The commands available in user EXEC mode are a subset
of the commands available in privileged EXEC mode.
The following sections describe some of the most commonly used modes, how to enter them, and
the resulting prompts. The prompt helps you identify which mode you are in and, therefore, which
commands are available to you:

User EXEC Mode:

When you are connected to the router, you are started in user EXEC mode. The user EXEC
commands are a subset of the privileged EXEC commands.

Privileged EXEC Mode:

Privileged commands include the following:

• Configure – Changes the software configuration.

• Debug – Displays process and hardware event messages.

• Setup – Enters configuration information at the prompts.

Enter the command disable to exit from the privileged EXEC mode and return to user EXEC mode.

Configuration Mode:

Configuration mode has a set of submodes that you use for modifying interface settings, routing
protocol settings, line settings, and so forth. Use caution with configuration mode because all
changes you enter take effect immediately.
To enter configuration mode, enter the command configure terminal; exit by pressing Ctrl-Z.

Getting Help
In any command mode, you can get a list of available commands by entering a question mark (?).

Router>?

To obtain a list of commands that begin with a particular character sequence, type in those characters
followed immediately by the question mark (?).

Router#co?

configure connect copy

To list keywords or arguments, enter a question mark in place of a keyword or argument. Include a
space before the question mark.

Router#configure ?

memory Configure from NV memory

network Configure from a TFTP network host

terminal Configure from the terminal

You can also abbreviate commands and keywords by entering just enough characters to make the
command unique from other commands. For example, you can abbreviate the show command to sh.
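The unique-prefix matching just described (the co? listing, the sh abbreviation for show), as an added Python example that is not Cisco code: the command table is a constructed subset of privileged EXEC commands, and the error strings only approximate the messages IOS prints.

```python
"""Unique-prefix command resolution, as the Cisco IOS parser does for abbreviations.

Added illustration for the Getting Help section; not Cisco code.
"""

# Constructed subset of privileged EXEC commands (not exhaustive).
PRIVILEGED_EXEC = {
    "configure": "Enter configuration mode",
    "connect": "Open a terminal connection",
    "copy": "Copy from one file to another",
    "debug": "Debugging functions",
    "disable": "Turn off privileged commands",
    "setup": "Run the SETUP command facility",
    "show": "Show running system information",
}


def list_matches(prefix, table=PRIVILEGED_EXEC):
    """What typing 'co?' shows: every command beginning with prefix, sorted."""
    return sorted(name for name in table if name.startswith(prefix))


def resolve(abbrev, table=PRIVILEGED_EXEC):
    """Expand an abbreviation to its full command.

    An exact name or a unique prefix is accepted; anything unknown or
    ambiguous raises ValueError (IOS reports '% Invalid input' or
    '% Ambiguous command' respectively).
    """
    if abbrev in table:  # exact match always wins
        return abbrev
    matches = list_matches(abbrev, table)
    if not matches:
        raise ValueError(f"% Invalid input detected: {abbrev!r}")
    if len(matches) > 1:
        raise ValueError(f"% Ambiguous command: {abbrev!r} matches {', '.join(matches)}")
    return matches[0]


def shortest_unique_prefix(command, table=PRIVILEGED_EXEC):
    """Shortest abbreviation the parser accepts for a command (show -> sh)."""
    for n in range(1, len(command) + 1):
        if len(list_matches(command[:n], table)) == 1:
            return command[:n]
    return command  # a command that is a prefix of another needs its full name


if __name__ == "__main__":
    print("Router#co?  ->", " ".join(list_matches("co")))
    for attempt in ("sh", "cop", "con", "cfg"):
        try:
            print(f"Router#{attempt} -> {resolve(attempt)}")
        except ValueError as err:
            print(f"Router#{attempt} -> {err}")
    print("shortest for configure:", shortest_unique_prefix("configure"))
```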

IP Address Configuration
Take the following steps to configure the IP address of an interface.

Step 1: Enter privileged EXEC mode:

Router>enable password

Step 2: Enter the configure terminal command to enter global configuration mode.

Router#config terminal

Step 3: Enter the interface type slot/port (for Cisco 7000 series) or interface type port (for Cisco 2500
series) command to enter interface configuration mode.

Example:

Router(config)#interface ethernet 0/1


Step 4: Enter the IP address and subnet mask of the interface using the ip address ipaddress subnetmask
command.

Example:

Router(config-if)#ip address 192.168.10.1 255.255.255.0

Step 5: Exit the configuration mode by pressing Ctrl-Z

Router(config-if)#[Ctrl-Z]

Here is a list of some useful IOS commands and their functions:


Practical 13
Create new Users & assign privileges/ Permission.
This is a task we want to do from a Domain Controller, and you should have the Administrative Tools
in your Start menu next to the Control Panel link. We’ll choose the Active Directory Users and
Computers snap-in.

Once we’re inside the Active Directory Users and Computers snap-in, we’ll need to expand the
domain in which we want to create the user, and right-click on the Users folder. We’ll then select
New|User.
The New Object – User box will pop up and require you to put in the user’s name and create the
user logon. You’ll need to use a standard method of creating user logon names, as this will cause
much less confusion in the future. If you have a small network, you may want to just stick to using
the first initial and last name because it’s shorter. If you anticipate that your network will grow quite
large, the standard advice is to use the full first and last name separated by a period, as we’ve done
below.
Next we’ll give the user an initial password, and make sure to have them change it as soon as they
first log on.
When we’re finished, we’ll get a nice summary of our work.

When we go back to the Users folder in the domain, we can see our newly created user.
Once we’ve created a user, there are many things that we’ll need to do with them in order for them
to be useful, like adding permissions and security groups, but at least the operation for spawning
them is simple and straightforward.

Active Directory Object permissions

Permissions in AD are privileges granted to users or groups to perform certain operations on objects. Permissions are usually
granted by object owners or administrators.

Users and groups are assigned permissions (to read, write, create child objects etc.) over objects in AD. These permissions
can be of two types:

 Standard permissions which include common permissions such as full control, read, write etc.

 Special permissions which are more privileged like modify permissions, modify owner etc.

Permissions on objects can be assigned in two ways:

1. By configuring GPOs using the Group Policy Management Console

2. By using the Security tab in the object’s properties dialog box

Permissions on objects can be inherited in two ways:

1. From the parent object class from which the object was created

2. From the groups to which the object has been added

Due to the various inheritances and assignments, conflicting permissions may be assigned to an object. In such scenarios, deny
permissions take precedence over allow permissions. For example:

 Subject A belongs to group B.

 A is granted permission to read C.

 B is denied permission to read C.

 When A tries to read C, it will be denied the privilege.


You can view the permissions on an object in the user interface in the security tab of object’s properties.
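The conflict rule above (deny wins over allow, whether the ACE comes from the object, from an inherited parent, or from a group the subject belongs to), as an added Python example that is not Microsoft's access-check algorithm: it is a simplified model, and subject A, group B and object C are the page's own illustration, here with a constructed parent OU added.

```python
"""Simplified effective-permission check following the text's rule:
when allow and deny ACEs both apply to a subject, deny wins.

Added illustration; not the Windows access-check algorithm.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    principal: str       # user or group the entry applies to
    rights: frozenset    # e.g. {"read", "write", "create_child"}
    allow: bool          # True = allow ACE, False = deny ACE


@dataclass
class AdObject:
    name: str
    acl: list = field(default_factory=list)   # explicit ACEs on this object
    parent: "AdObject | None" = None          # ACEs are also inherited from the parent

    def effective_acl(self):
        """Explicit ACEs plus every ACE inherited up the parent chain."""
        aces, node = [], self
        while node is not None:
            aces.extend(node.acl)
            node = node.parent
        return aces


def principals_for(user, group_membership):
    """The user itself plus every group it belongs to, transitively."""
    result, todo = {user}, [user]
    while todo:
        current = todo.pop()
        for group in group_membership.get(current, ()):
            if group not in result:
                result.add(group)
                todo.append(group)
    return result


def effective_rights(user, obj, group_membership):
    """Rights the user ends up with on obj.

    Collect allows and denies from every ACE that names the user or one of
    its groups; anything denied is removed even if another ACE allows it.
    """
    who = principals_for(user, group_membership)
    allowed, denied = set(), set()
    for ace in obj.effective_acl():
        if ace.principal in who:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied


def can(user, obj, right, group_membership):
    return right in effective_rights(user, obj, group_membership)


# Constructed scenario from the text: A is in group B; A is allowed to read C,
# B is denied read on C. A also inherits write on C from a constructed parent OU.
GROUPS = {"A": {"B"}}
OU = AdObject("OU", acl=[Ace("A", frozenset({"write"}), allow=True)])
C = AdObject("C", parent=OU, acl=[
    Ace("A", frozenset({"read"}), allow=True),
    Ace("B", frozenset({"read"}), allow=False),
])

if __name__ == "__main__":
    print("A on C:", sorted(effective_rights("A", C, GROUPS)))  # ['write']
```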
Practical 14
Modify/ Delete/Deactivate Users and groups
Disable or activate a local user account
To disable or activate a local user account
1. Open Computer Management.
2. In the console tree, click Users.
Where?

o Computer Management\System Tools\Local Users and Groups\Users

3. Right-click the user account that you want to change, and then click Properties.
4. Do one of the following:
o To disable the selected user account, select the Account is disabled check box.

o To activate the selected user account, clear the Account is disabled check box.

Delete a local user account


The Administrator account and the Guest account cannot be deleted.

To delete a local user account


1. Open Computer Management.
2. In the console tree, click Users.
Where?

o Computer Management\System Tools\Local Users and Groups\Users

3. Right-click the user account that you want to delete, and then click Delete.

Delete a local group


To delete a local group
1. Open Computer Management.
2. In the console tree, click Groups.
Where?

o Computer Management\System Tools\Local Users and Groups\Groups

3. Right-click the group that you want to delete, and then click Delete.
Practical 15
Configure Print Server & Backup Server
Configuring Print and Document Services

Step 1:
Click Start and select Control Panel.

Step 2:
Double-click Programs and Features.

Step 3:
Select Turn Windows features on or off from the menu on the left.
NOTE: When the Windows Features window appears, wait until it populates the contents.

Step 4:
Click on the + sign beside Print and Document Services.
Step 5:
Check the box for LPD Print Service and LPR Port Monitor. Then, click OK.
NOTE: Compared to Windows Vista, Windows 7 will automatically generate the programs.

Adding a Printer

Step 1:
Click Start and select Devices and Printers.

Step 2:
Click on Add a printer in the menu bar.
Step 3:
Select Turn Windows features on or off from the menu on the left.

Step 4:
Select Create a new port. Select Standard TCP/IP Port from the Type of Port drop-down menu and
click Next.
Step 5:
Once prompted, enter the IP address of the PrintServer on the IP address and Port name, then click Next.

NOTE: In this example, the PrintServer’s IP address is 192.168.1.78.


NOTE: Wait until Windows finishes detecting the TCP/IP port.
Step 6:
Select Custom then click Settings.
Step 7:
Select LPR under Protocol and enter L1, L2, or L3 (depending on which parallel port the printer is
connected to) in the Queue Name field. Click OK.

• L1 = Parallel Port# 1
• L2 = Parallel Port# 2
• L3 = Parallel Port# 3

NOTE: In the image below, L1 is used as an example.


NOTE: When the Add Printer window reappears, click Next to allow Windows to detect the driver model.

Step 8:
Once it is detected, install the printer driver by selecting your printer’s manufacturer and model. Then,
click Next.

NOTE: In this example, Canon Inkjet iP1300 is selected.


If your printer driver is NOT yet installed, you will be prompted whether to share your printer or not. Follow the
steps below:

Step 1:
Select Do not share this printer if you don’t want to share your printer, then click Next.
NOTE: When you select Share this printer so that others on your network can find and use it,
make sure to configure file and printer sharing.

Step 2:
When your printer has been successfully added, click Print a Test Page to check whether your printer
is working properly, or to see troubleshooting information for the printer. Then, click Finish.

NOTE: Make sure you have paper loaded in your printer.


Step 3:
Go back to Devices and Printers. Your printer’s name should be added under Printers and
Faxes section.

NOTE: Make sure the added printer is on its Default state.


Step 9:
Select Use the driver that is currently installed (recommended). Then, click Next.
NOTE: The next window will tell you that the printer will be installed with the Canon Inkjet iP1300 (as an
example) driver. Then, click Next and it will start to install the printer.
Step 10:
When your printer has been successfully added, click Print a Test Page to check whether your printer is
working properly, or to see troubleshooting information for the printer. Then, click Finish.

NOTE: Make sure you have paper loaded in your printer.


Step 11:
Go back to Devices and Printers. Your printer’s name should be added under Printers and Faxes section.

NOTE: Make sure the added printer is on its Default state.


Installing the Windows backup and recovery utilities

The Windows Server backup and recovery tools are available in all editions of Windows Server 2012 R2.

You can install the Windows backup and recovery tools by following these steps:

1. In Server Manager, select Add Roles And Features on the Manage menu. This starts the Add
Roles And Features Wizard. If the wizard displays the Before You Begin page, read the
introductory text, and then tap or click Next.

2. On the Installation Type page, Role-Based Or Feature-Based Installation is selected by default.


Tap or click Next.

3. On the Server Selection page, you can choose to install roles and features on running servers or
virtual hard disks. Either select a server from the server pool or select a server from the server
pool on which to mount a virtual hard disk (VHD). If you are adding roles and features to a VHD,
tap or click Browse and then use the Browse For Virtual Hard Disks dialog box to locate the VHD.
When you are ready to continue, tap or click Next twice.

4. On the Select Features page, select Windows Server Backup. Tap or click Next.

5. Tap or click Install. When the wizard finishes installing the selected features, tap or click Close.

From now on, Windows Server Backup and the related command-line tools and the Windows Server
Backup module for Windows PowerShell are available for managing backups.
You can start Windows Server Backup by selecting the related option on the Tools menu in Server
Manager.

The first time you use Windows Server Backup, you’ll get a warning that no backup has been
configured for the computer. You clear this warning by creating a backup by using the Backup Once
feature, located on the Action menu, or by scheduling backups to run automatically by using the
Backup Schedule feature.

When you use Windows Server Backup, the first backup of a server is always a full backup. This is
because the full backup process clears the archive bits on files so that Windows Server Backup can track
which files are updated subsequently. You can configure the default performance settings by following
these steps:

1. Start Windows Server Backup. In the Actions pane or on the Action menu, tap or click Configure
Performance Settings. This displays the Optimize Backup Performance dialog box, shown
in figure.

2. Do one of the following, and then tap or click OK:

I. Choose Normal Backup Performance to perform full backups of all attached drives.

II. Choose Faster Backup Performance to perform incremental backups of all attached
drives.

III. Choose Custom. In the option lists provided, specify whether to perform full or
incremental backups for individual attached drives.
Figure: Configure the default backup settings.

After you configure the default performance settings, you can start a full or copy backup by
tapping or clicking Backup Once on the Action menu or in the Actions pane. You can configure a backup
schedule by tapping or clicking Backup Schedule on the Action menu or in the Actions pane.
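The archive-bit behaviour described above (the first run must be full because only a full backup copies files regardless of their archive bit, after which incremental runs copy just the files modified since), as an added Python simulation that is not Microsoft code; the file set, including one file whose archive bit was cleared earlier by another tool, is constructed.

```python
"""Simulation of archive-bit driven backup selection, as Windows Server Backup
uses it: a full backup copies every file and clears the archive bit; an
incremental backup copies only files whose bit is set and clears it again.

Added illustration, not Microsoft code; the file set is constructed.
"""


class File:
    def __init__(self, name, content):
        self.name = name
        self.content = content
        self.archive = True  # Windows sets the bit when a file is created or modified

    def write(self, content):
        self.content = content
        self.archive = True


def backup(files, incremental):
    """Return the sorted names of the files a run copies, clearing their archive bits.

    A full run (incremental=False) copies every file; an incremental run
    copies only files whose archive bit is set.
    """
    copied = []
    for f in files:
        if not incremental or f.archive:
            copied.append(f.name)
            f.archive = False
    return sorted(copied)


def simulate(first_run_incremental):
    """Two-run scenario; returns (run1_copied, run2_copied, never_backed_up).

    old.log starts with its archive bit already cleared (constructed: another
    tool cleared it earlier), which is exactly what an incremental first run
    would silently skip and a full first run would still capture.
    """
    files = [File("boot.ini", "v1"), File("report.docx", "v1"), File("old.log", "v1")]
    files[2].archive = False
    run1 = backup(files, incremental=first_run_incremental)
    files[1].write("v2")  # only report.docx changes between the two runs
    run2 = backup(files, incremental=True)
    missed = sorted(f.name for f in files if f.name not in run1 and f.name not in run2)
    return run1, run2, missed


if __name__ == "__main__":
    print("full first:       ", simulate(first_run_incremental=False))
    print("incremental first:", simulate(first_run_incremental=True))
```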

Backup Software
You cannot back up to tape by using Windows Server Backup. If you want to back up to tape, you need a
third-party backup utility.

Selecting a backup utility

Many backup and recovery solutions are available for use with Windows Server 2012 R2. When
selecting a backup utility, you need to keep in mind the types of backups you want to perform
and the types of data you are backing up.

Third-party products with remote agents can also be used for backup and support, for example BE 2010 R3 + SP3 and
BackupAssist.
Practical 17
Manage Microsoft Windows Internet Security Services (WINS)

WINS (Windows Internet Name Service), like DNS (Domain Name Service) and many
other services in Windows Server 2008, now uses the Microsoft Management Console
(MMC) for configuration and management. To launch the WINS snap-in, go
to Administrative Tools and select the WINS option or (easier) open the Run dialog box
and run the winsmgmt.msc shortcut.

One of the advantages of WINS is that clients register themselves with the service,
and for the most part you do not need to enter mappings manually. The exceptions are
non-WINS clients and static entries.

Static entries

By entering static mappings, you make sure that WINS clients can resolve the IP
addresses of non-WINS clients. Non-WINS clients include machines running under
other operating systems, networks, network devices, domains, and so on. You can
even insert a static IP address for another WINS server, if the connection to that WINS
server is unreliable and you cannot afford to have the server lose a lease and not be
capable of renewing it.

To create a static mapping, open the WINS console as described above and follow
these steps:

1) Right-click the Active Registrations node on the WINS tree. Choose New Static
Mapping from the context menu.

2) In the New Static Mapping dialog box, type the name of the target to be resolved in
the Computer Name field.

3) Although you can add a scope name in the optional NetBIOS Scope field, this field
should not be used because NetBIOS scopes are not recommended. The support is
included for advanced NetBIOS solutions and applications.

4) From the Type drop-down list, select the type of name to be resolved. The following
list explains the static entry types:

a) Unique: This is a unique name that can be mapped to a single IP address. Use this
type if you need to add a static mapping for a server, usually another WINS server.

b) Group: Choose this type for a name that maps to a group. A group is a logical unit
on the intranet. Group members, regardless of their nature, usually have their own IP
addresses, but these do not need to be stored in WINS.
c) Domain Name: Choose this type to map an IP address to a domain name.

d) Internet Group: Choose this type to group resources, such as routers, hubs, and
printers. You can store up to 25 members in an Internet group.

e) Multihomed: Choose this type for the name of a host that has more than one IP
address. (Multi-homed usually refers to a host with more than one network interface
card, but Windows Server 2008 can assign multiple addresses to a single interface.)

5) In the IP Address field, enter the IP address of the client and click OK to store the
entry.

The proxy agent

The WINS proxy agent extends the WINS services to non-WINS clients by listening for
their name-registration requests and broadcast-resolution requests and then
forwarding them to the WINS server. To set up this service, you need to alter the
registry.

Open the Registry Editor and go to the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Under the Parameters key, you will find the EnableProxy entry. Change this value
to 1 (enabled). Unfortunately, you must then restart the server.

After it is enabled, the proxy agent forwards the non-WINS client’s broadcasts,
requesting name registration to the WINS server. The name does not get registered;
the intention of the proxy is to verify that the name is not already registered.

Whenever the agent detects a name-resolution broadcast, it checks its NetBIOS name
cache and attempts to resolve the name to an IP address. If the name is not cached,
the agent forwards the broadcast as a resolve request to the WINS server. The WINS
server responds to the agent, and the agent then responds to the non-WINS client.
Practical 18
Certificate Services is managed using a Microsoft Management Console snap-in called Certification
Authority snap-in, and a Web-based Active Server Page (ASP) application that can be accessed in a
standard Web browser. In the snap-in, you have full control over Certificate Services. The Web-based
application, on the other hand, is primarily used to retrieve certificate revocation lists (CRLs), to request
certificates, and to check on pending certificates.
Figure 6-1 shows the main window of the Certification Authority snap-in. As you can see, there are four
nodes under the root authority. These nodes are used as follows:
 Revoked Certificates Contains all certificates that have been issued and then revoked.
 Issued Certificates Contains all certificates that have been approved and issued by the Certificate
Services administrator.
 Pending Requests Contains all pending certificate requests for this CA. If you are an
administrator on the certificate server, you can approve requests by right-clicking them and
selecting Issue.
 Failed Requests Contains any declined certificate requests for this CA. If you are an administrator
on the certificate server, you can deny requests by right-clicking them and selecting Deny.

Figure 1: Use the Certification Authority snap-in to manage Certificate Services.

Note: The label for the root node of the snap-in is set to the name of the CA. In the example, the CA
name is Corporate Root CA.
Installing Certificate Services
Installing Certificate Services is a multipart process. First, you must create a folder that Certificate Services
can use to store certificates and configuration files. The folder must be stored on the local machine where
Certificate Services will be installed. The folder must also be configured with Read permission for the
implicit group Everyone. This allows users to access the folder and to install certificates from it. Second, if
the server isn't running IIS and you want to be able to retrieve CRLs, request certificates, or check on
pending certificates via a browser, you must install IIS on the certificate server.
After you create the certificate folder and install IIS, if necessary, you need to install Certificate Services. To
do this, complete the following steps:
1. Log on to the certificate server using an account with Administrator privileges, or Domain
Administrator privileges if you're creating an enterprise CA.
2. Click Start, point to Settings, and then click Control Panel.
3. Double-click Add/Remove Programs. This displays the Add/Remove Programs dialog box.
4. Start the Windows Components Wizard by clicking Add/Remove Windows Components.
5. Select the Certificate Services check box. When prompted to confirm the action, click Yes, and
then click Next.
As shown in Figure 6-2, select the CA type. The options are as follows:
o Enterprise Root CA Establishes the root CA in an Active Directory domain. This option is
only available if your server participates in a domain.
o Enterprise Subordinate CA Establishes a subordinate CA that will be a member of an
existing hierarchy. This option also requires connectivity to Active Directory service.
o Stand-Alone Root CA Establishes a stand-alone root CA that doesn't require connectivity
to Active Directory service.
o Stand-Alone Subordinate CA Establishes a subordinate CA that will be a member of an
existing hierarchy. The server doesn't require connectivity to Active Directory service.

Figure 2: Choose the type of CA that you want to install.

o Note: Select Advanced Options if you want to choose the cryptographic service provider
and hashing algorithms used to generate keys. In most cases, however, the default values
are acceptable.
Next, as shown in Figure 6-3, enter information to identify the CA and to set the expiration date
of the root CA certificate. Provide complete entries for the following fields:
o CA Name Sets the name of the CA, such as Microsoft Corporation Root CA.
Figure 3: Identify the certification authority and set an expiration date for the root
CA certificate.

o Organization Sets the legal name of your company, such as Microsoft Corporation.
o Organizational Unit Sets the division in your company responsible for the CA, such as
Technology Department.
o City Sets the city or locality in which your company is located.
o State Or Province Sets the name of the state or province in which your company is
located.
o Country/Region Sets the country or region for your company.
o E-Mail Sets the e-mail address for the certificate administrator.
o CA Description Sets a description for the CA.
o Valid For Sets the root CA's certificate expiration date and time. This certificate is
generated when you install the CA.
6. Next, specify the storage location for the configuration data, database, and log. By default, the
certificate database and log are stored in the \%SystemRoot%\System32\CertLog folder. Also, use
the Shared Folder field to specify the location of the certificate folder you created earlier, or click
Browse to find this folder.
7. Click Next. If IIS is running on the certificate server, Windows will need to shut down the related
services before continuing. Click OK when prompted to do this. The Windows Components
Wizard will begin installing and configuring Certificate Services.
8. Click Finish to complete the process. If you installed Certificate Services on a computer running
IIS, you can configure these services for Web access (see the section of this chapter titled,
"Accessing Certificate Services in a Browser").
Accessing Certificate Services in a Browser
When you install Certificate Services on a computer running IIS, the default (or primary) Web site is
updated so that you can perform key certificate tasks via a Web browser. These tasks include
 Retrieving CRLs
 Requesting certificates
 Checking on pending certificates
The structures that make Web-based requests possible are files configured for use in three virtual
directories:
 CertSrv Contains files necessary for Web-based access to Certificate Services and is located in
\%SystemRoot%\System32\CertSrv by default. This directory is set up as an in-process Internet
Server Application Programming Interface (ISAPI) application called CertSrv.
 CertControl Contains files necessary for controlling Certificate Services and is located in
\%SystemRoot%\System32\CertSrv\CertControl by default.
 CertEnroll Contains files necessary for controlling Certificate Services and is located in
\%SystemRoot%\System32\CertSrv\CertEnroll by default.
If these directories are not available for some reason, you can create virtual directories that map aliases to
their physical locations. You do this by completing the following steps:
1. Start the Internet Information Services snap-in and then, in the left panel (Console Root), click the
plus sign (+) next to the computer you want to work with. If the computer isn't shown, connect to
it as discussed in the "Connecting To Other Servers" section of Chapter 2, "Core IIS
Administration."
2. Right-click the Web site on which you want to link the system directory, point to New, and then
select Virtual Directory. This starts the Virtual Directory Creation Wizard. Click Next.
3. In the Alias field, type the name you want to use to access the system directory, such as CertSrv.
4. The next dialog box lets you set the path to the physical directory where your content is stored.
Click Browse to search for the system directory you want to use.
5. Click Next and then set access and execute permissions. For CertSrv, CertControl, and CertEnroll,
select Read, and then select Scripts Only.
6. Click Next and then click Finish. The virtual directory is created and mapped to the system
directory you referenced. The CertSrv directory should be configured as an ISAPI application with
a starting point that points to its base directory. CertControl and CertEnroll should be a part of an
application as well, but these don't need to be configured as separate applications.
Once you've configured Web-based access to Certificate Services, you can access these services by typing
the following URL:
http://hostname/certsrv/
where hostname is the DNS or NetBIOS name of the host server, such as ca.microsoft.com or CASrv.
Figure 6-4 shows the main page for Certificate Services.

Figure 4: Use the Web-based interface to retrieve CA certificates or revocation lists, to request
certificates, or to check on pending certificates.

Starting and Stopping Certificate Services


Microsoft Certificate Services runs as a Windows service on the certificate server. You can stop and start
this service on a local system by completing the following steps:
1. Start the Certification Authority snap-in, then right-click the root node for the CA (Root CA) and
point to All Tasks.
2. Select Stop Service to stop Certificate Services.
3. Select Start Service to start Certificate Services.
You can stop and start services on a remote system by completing the following steps:
1. Start the Certification Authority snap-in and then right-click the CA node.
2. To display the Certification Authority dialog box, from the shortcut menu, select Retarget
Certification Authority.
3. As shown in Figure 6-5, select Another Computer, type the name of the computer to which you
want to connect, and then click Finish. You can also type the server's Internet Protocol (IP) address
or fully qualified domain name (FQDN).

Figure 5: You can connect to both local and remote certification authorities.

4. In the Certification Authority snap-in, right-click the root node for the CA (Root CA), then point to
All Tasks.
5. Select Stop Service to stop Certificate Services.
6. Select Start Service to start Certificate Services.
Backing Up and Restoring the CA
If your organization publishes its own CA, you should routinely back up the CA information. Backing up
the CA information ensures that you can recover critical CA data, including
 CA private key and certificate
 CA configuration information
 CA log and pending request queue
You can perform two types of backups:
 Standard Creates a full copy of certificate logs and pending request queues.
 Incremental Creates a partial copy of certificate logs and pending request queues. This copy
contains only the changes since the last standard backup.
In a very large CA implementation, you can perform incremental backups of logs and queues by selecting
Perform Incremental Backups. To use incremental backups, you must do the following:
1. First perform a standard backup.
2. Perform successive incremental backups at later dates.
When you use incremental backups, you must also incrementally restore. To do this, complete the
following steps:
1. Stop Certificate Services.
2. Restore the last standard backup.
3. Restore each incremental backup in order.
4. Start Certificate Services.
Creating CA Backups
To back up the CA information on your certificate server, complete the following steps:
1. Create a folder that Certificate Services can use to store the backup information. This directory
must be empty and it should be created on the local machine where Certificate Services is installed.
2. Start the Certification Authority snap-in, right-click the root node for the CA (Root CA), point to
All Tasks, and then select Backup CA. This starts the Certification Authority Backup Wizard.
Note: Certificate Services must be running when you back up the CA. If the service isn't running,
you'll see a prompt asking you if you want to start the service. Click OK.
Click Next and then select the items you want to back up, as shown in Figure 6-6. The options are
o Private Key And CA Certificate
o Configuration Information
o Issued Certificate Log And Pending Certificate Request Queue

Figure 6: Specify the certification items that you want to back up.

3. If this is an incremental backup, select Perform Incremental Backup.


4. Type the file path to the backup folder in the Back Up To This Location field, or click Browse to
search for this folder. If you specify a folder that does not already exist, you will be given the
option of having it created.
5. Click Next. Type and then confirm a password that will be used to protect the private key and CA
certificate files.
6. Click Next and then click Finish. The wizard creates a backup of the selected data.
Recovering CA Information
If you ever need to recover the CA information, you can do this by completing the following steps:
1. Certificate Services cannot be running when you restore the CA. In the Certification Authority
snap-in, right-click the root node for the CA (Root CA), point to All Tasks, and then select Stop
Service.
2. Right-click the root node a second time, point to All Tasks, and then select Restore CA. This starts
the Certification Authority Restore Wizard.
3. Click Next and then select the items you want to restore, as shown in Figure 6-7. The options are
o Private Key And CA Certificate
o Configuration Information
o Issued Certificate Log And Pending Certificate Request Queue
Figure 7: Specify the certification items that you want to restore from a backup.

4. Type the file path to the backup folder in the Restore From This Location field, or click Browse to
search for this folder. You should always restore the last complete backup before restoring any
incremental backups.
5. Click Next. Type the password used to protect the CA files and then click Next again.
6. Click Finish. The wizard restores the selected data. When the operation is complete, you are
asked whether to start Certificate Services. Click Yes if this was the only backup to restore.
Otherwise, click No, and repeat this process for each incremental backup, oldest first, starting
the service only after the last one has been applied.
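The two wizards above can also be driven from the command line, which is how you would schedule backups or rebuild a CA unattended. The following PowerShell script is an added example and is not part of the original practical; it wraps certutil.exe, which ships with Certificate Services, and assumes it runs elevated on the CA with the default service name CertSvc. The backup paths and the password in the usage lines are invented. On Windows Server 2012 and later the Backup-CARoleService and Restore-CARoleService cmdlets perform the same operations and take the password as a SecureString.

```powershell
# Added example, not part of the original practical: the Backup CA and
# Restore CA wizards scripted with certutil.exe. Assumptions: the script runs
# elevated on the CA itself and the service uses the default name CertSvc.

function Backup-Ca {
    param(
        [Parameter(Mandatory)][string]$Path,   # must not exist yet, or must be empty
        [string]$Password,                     # protects the exported .p12 (full backup only)
        [switch]$Incremental                   # database changes since the last backup, no key
    )
    if (-not $Incremental -and -not $Password) { throw 'A full backup needs a password for the key file' }
    if (Test-Path $Path) {
        if (Get-ChildItem -Path $Path -Force | Select-Object -First 1) {
            throw "certutil -backup needs an empty directory: $Path"
        }
    } else {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # Lock the folder down before the private key lands in it: explicit ACEs
    # for Administrators and SYSTEM only, nothing inherited from the parent.
    & icacls.exe $Path /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

    if ($Incremental) {
        # Database only; an incremental backup is only meaningful after a full one.
        & certutil.exe -backupdb $Path Incremental
    } else {
        # -p puts the password on the command line, where process auditing can
        # record it; Backup-CARoleService -Password (Server 2012+) avoids that.
        & certutil.exe -p $Password -backup $Path
    }
    if ($LASTEXITCODE -ne 0) { throw "certutil backup failed with exit code $LASTEXITCODE" }

    # A full backup yields <CA name>.p12 (private key + CA certificate) plus a
    # DataBase folder with the .edb and its log files; incrementals have no .p12.
    if (-not $Incremental -and -not (Get-ChildItem -Path $Path -Filter '*.p12')) {
        throw 'Full backup completed but no .p12 key file was written'
    }
    if (-not (Test-Path (Join-Path $Path 'DataBase'))) { throw 'Backup is missing the DataBase folder' }
    Get-ChildItem -Path $Path -Recurse -File | Select-Object FullName, Length
}

function Restore-Ca {
    param(
        [Parameter(Mandatory)][string]$FullBackupPath,
        [Parameter(Mandatory)][string]$Password,
        [string[]]$IncrementalPaths = @()      # in the order they were taken
    )
    # Certificate Services must be stopped during a restore, as with the wizard.
    Stop-Service -Name CertSvc -Force
    # -f overwrites the current database and key with the full backup.
    & certutil.exe -f -p $Password -restore $FullBackupPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with exit code $LASTEXITCODE" }
    foreach ($inc in $IncrementalPaths) {
        # Full backup first, then every incremental, oldest first, before the
        # service is started again (the order the wizard steps above require).
        & certutil.exe -f -restoredb $inc
        if ($LASTEXITCODE -ne 0) { throw "certutil -restoredb failed for $inc with exit code $LASTEXITCODE" }
    }
    Start-Service -Name CertSvc
    Get-Service -Name CertSvc | Select-Object Name, Status
}

# Usage with assumed paths and password:
# $pw = Read-Host -Prompt 'Backup password'
# Backup-Ca -Path 'D:\CABackup\full' -Password $pw
# Backup-Ca -Path 'D:\CABackup\inc1' -Incremental
# Restore-Ca -FullBackupPath 'D:\CABackup\full' -Password $pw -IncrementalPaths 'D:\CABackup\inc1'
```

The .p12 written by a full backup is the CA's signing key protected only by the password you supply, so the folder ACL and the password strength matter as much as the backup itself; treat the backup location as you would the CA.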
Generating Certificates Manually in the Certification Authority Snap-In
Once you've issued a certificate, you can manually create the certificate file that you need to install on the
Web site. To do this, complete the following steps:
1. Start the Certification Authority snap-in and then select the Issued Certificates node. You should
see a list of certificates issued by this root CA.
2. Right-click the certificate that you want to generate and select Open. This displays the Certificates
dialog box.
3. Select the Details tab and then select Copy To File. This starts the Certificate Export Wizard. Click
Next.
4. Select the Base-64 Encoded X.509 export file format, and then click Next.
5. Specify the name of the file you want to export. Be sure to use .cer as the file extension. Click
Browse if you want to use the Save As dialog box to set the file location and name.
6. Click Next and then click Finish. Click OK after the Certificate Export Wizard confirms that the
certificate was successfully exported. You can now install the certificate file on the Web site as
described in the section of this chapter titled "Processing Pending Requests and Installing Site
Certificates."
Revoking Certificates
Server certificates are valid for one year and can be revoked if necessary. Typically, you revoke a certificate
when there is a change in the status of the site or when the customer for whom you issued the certificate
cancels the service subscription. To revoke a certificate, complete the following steps:
1. Start the Certification Authority snap-in and then select the Issued Certificates node. You should
see a list of issued certificates.
2. Right-click the certificate that you want to revoke, point to All Tasks, and then select Revoke
Certificate. The Certificate Revocation dialog box is displayed.
3. As shown in Figure 6-8, use the Reason Code to specify a reason for the revocation, and then click
Yes.
4. The CA marks the certificate as revoked and moves it to the Revoked Certificates node.

Figure 8: Specify the reason you are revoking the certificate.

By default, CAs publish CRLs weekly. You can change this setting through the Revoked Certificates
Properties dialog box by completing the following steps:
1. Start the Certification Authority snap-in and then right-click the Revoked Certificates node.
2. Select Properties and then use the Publication Interval fields to set a new interval for publishing
the CRL, as shown in Figure 6-9.
3. Click OK.

Figure 9: Set the schedule for publishing the CRL. By default, the publication interval is one
week.
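Revocation and CRL publication are usually scripted rather than clicked through, for example when a key compromise is reported out of hours. The following PowerShell script is an added example, not part of the original practical; it uses certutil.exe, assumes it runs on the CA with the default service name CertSvc, and the host name, serial number, certificate file and interval in the usage lines are invented.

```powershell
# Added example, not part of the original practical: the Revoke Certificate
# dialog and the CRL publication interval handled with certutil.exe.

# Reason codes from RFC 5280 CRLReason; certutil -revoke accepts either the
# number or the name. CertificateHold is the only reason that can be undone
# (certutil -revoke <serial> 8, RemoveFromCRL).
$RevocationReasons = [ordered]@{
    Unspecified          = 0
    KeyCompromise        = 1
    CACompromise         = 2
    AffiliationChanged   = 3
    Superseded           = 4
    CessationOfOperation = 5
    CertificateHold      = 6
}

function Find-IssuedCertificate {
    param([Parameter(Mandatory)][string]$CommonName)
    # Query the CA database for issued (disposition 20) certificates with this
    # subject CN; revoked rows carry disposition 21 and are not listed.
    & certutil.exe -view -restrict "CommonName=$CommonName,Disposition=20" -out 'RequestID,SerialNumber,NotAfter'
}

function Revoke-IssuedCertificate {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,   # hex string as shown under Issued Certificates
        [ValidateSet('Unspecified','KeyCompromise','CACompromise','AffiliationChanged',
                     'Superseded','CessationOfOperation','CertificateHold')]
        [string]$Reason = 'CessationOfOperation'        # the "subscription cancelled" case in the text
    )
    $code = $RevocationReasons[$Reason]
    & certutil.exe -revoke $SerialNumber $code
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed with exit code $LASTEXITCODE" }
    # Relying parties do not see the revocation until a CRL that lists it is
    # published, so publish one now rather than waiting for the weekly schedule.
    & certutil.exe -CRL
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }
}

function Set-CrlPublicationInterval {
    param(
        [Parameter(Mandatory)][int]$Units,
        [Parameter(Mandatory)][ValidateSet('Hours','Days','Weeks','Months','Years')][string]$Period
    )
    # The same registry values the Revoked Certificates Properties dialog
    # writes; Certificate Services reads them at start-up, hence the restart.
    & certutil.exe -setreg CA\CRLPeriodUnits $Units
    & certutil.exe -setreg CA\CRLPeriod $Period
    Restart-Service -Name CertSvc
    & certutil.exe -getreg CA\CRLPeriod
    & certutil.exe -getreg CA\CRLPeriodUnits
}

function Test-CertificateRevoked {
    param([Parameter(Mandatory)][string]$CertFile)
    # Fetches the CRL named in the certificate's CDP extension and checks the
    # serial against it; certutil reports a hit as CRYPT_E_REVOKED.
    $out = & certutil.exe -verify -urlfetch $CertFile
    return [bool]($out -match 'CRYPT_E_REVOKED|Certificate is REVOKED')
}

# Usage with assumed values:
# Find-IssuedCertificate -CommonName 'www.domain.com'
# Revoke-IssuedCertificate -SerialNumber '1a2b3c4d00000000000f' -Reason KeyCompromise
# Set-CrlPublicationInterval -Units 1 -Period Days
# Test-CertificateRevoked -CertFile 'C:\www.domain.com.cer'
```

The immediate certutil -CRL after a revocation is the part the snap-in procedure leaves implicit: a revoked entry that sits in the database until the next scheduled publication is still accepted by every client that holds the previous CRL.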

Reviewing and Renewing the Root CA Certificate


The root CA certificate is valid for the period specified when the certificate was created. To view the
expiration date or to review the certificate properties, complete the following steps:
1. Start the Certification Authority snap-in. Right-click the root node for the CA (Root CA) and then
select Properties. This displays the Root CA Properties dialog box.
2. Click View Certificate on the General tab.
3. As shown in Figure 6-10, use the Certificate dialog box to review the properties of the root CA
certificate, including the valid from and to dates.
Figure 10: The Certificate dialog box shows the properties of the root CA certificate,
including the valid from and to dates.

Usually, the root CA certificate is valid for two years. If you are approaching the end of the two-year
period, you should renew the certificate. You should also renew the root CA certificate if one of the
following situations exists:
 The signing key is compromised
 A program requires a new signing key to be used with a new certificate
 The current CRL is too big and you want to move some of the information to a new CRL
To renew the root CA certificate, complete the following steps:
1. Certificate Services cannot be running when you renew the CA. In the Certification Authority
snap-in, right-click the root node for the CA (Root CA), point to All Tasks, and then select Stop
Service.
2. Right-click the root node for the CA (Root CA) again, point to All Tasks, and then select Renew CA
Certificate. This displays the Renew CA Certificate dialog box shown in Figure 6-11.
Figure 11: When you renew the root CA certificate, you can generate new public and
private keys. Do this if the key has been compromised or a new key is required.

3. In the Renew CA Certificate dialog box, select Yes to generate a new public and private key pair,
or No to reuse the existing key. Always select Yes if the signing key has been compromised:
renewing the certificate on the compromised key leaves the attacker able to sign with it.
4. Click OK. Certificate Services is restarted automatically and a new certificate is issued.
Creating and Installing Certificates
You have two options for creating and installing certificates. You can use your own Certificate Services to
generate your certificates or you can use a trusted third-party authority. When you use Certificate
Services, you manage the certificate creation, expiration, and revocation process. When you create
certificates through trusted third-party authorities, you let the trusted authority manage the certificate
creation, expiration, and revocation process. Either way, the basic tasks you need to perform to create
and install a certificate are as follows:
1. Create a certificate request.
2. Submit the request to the authority of your choice or to your own root authority.
3. When you receive the response from the authority, process the pending request and install the
certificate.
4. Ensure that SSL is enabled and that secure communications are configured properly.
Creating Certificate Requests
Each Web site hosted on your Web server needs a separate certificate if you want SSL to work properly.
The first step in the certificate creation process is to generate a certificate request. You can generate a
certificate request by completing the following steps:
1. In the Internet Information Services snap-in, right-click the site for which you want to generate
the certificate and select Properties.
2. From the Directory Security tab, select Server Certificate. This starts the Web Server Certificate
Wizard. Click Next.
Note: If you or someone else has already generated a certificate request for the site, you'll see the
Pending Certificate Request dialog box, shown in Figure 6-17. You must either process the
request or delete the request to continue. See the sections of this chapter titled "Processing
Pending Requests and Installing Site Certificates" and "Approving and Declining Pending
Certificate Requests" for more information.
3. As shown in Figure 6-12, select Create A New Certificate, and then click Next.

Figure 12: To create a certificate, select Create A New Certificate.

4. Select Prepare The Request Now to prepare a request and manually submit it to an authority, and
then click Next.
5. Next, as shown in Figure 6-13, you must assign the certificate a name and select a bit length. The
name should be descriptive and easy to refer to. The bit length is the size of the RSA key pair and
sets the strength of your public and private keys. Choose the highest bit length you are allowed to
use, and never less than 2048 bits: 512- and 1024-bit keys are considered weak today and are
rejected by public CAs and current browsers.

Figure 13: Specify a descriptive name and bit length for the certificate.

6. Click Next. You have now created a public and private key pair. These keys are stored locally on
the Web server. The final steps are used to create a certificate-signing request (CSR). The
information in the request identifies the owner of the key and is displayed on your certificate. The
CSR is used only to request the certificate. Certain characters must be excluded from your CSR
fields, or your certificate may not work. Do not use any of the following characters:
! @ # $ % ^ * ( ) ~ ? > < & / \
7. Enter your organization information in the fields provided:
o Organization Sets the legal name of your company, such as Microsoft Corporation
o Organizational Unit Sets the division in your company responsible for the certificate,
such as Technology Department
8. Click Next, and enter your Web site's common name. When the certificate will be used on an
intranet (or internal network), the common name may be one word, and it can also be the
NetBIOS name of the server, such as CorpIntranet. When the certificate will be used on the
Internet, the common name must be a valid DNS name, such as www.domain.com. Click Next.
Real World The common name is typically composed of Host + Domain Name, such as
www.domain.com or products.domain.com. A certificate is bound to the exact host name it was
issued to, so the common name must be the same as the Web address users type when
connecting to the secure site. For example, a certificate issued to domain.com produces a
browser warning on www.domain.com or services.domain.com, because those are different names
from domain.com; you would need to request a certificate for the correct common name. Current
browsers go further and ignore the common name altogether, matching only the Subject
Alternative Name (SAN) extension, so a request for a public site must also carry the host name as
a DNS SAN.
9. As shown in Figure 6-14, enter the geographic information for your company in the fields
provided, and then click Next:
o Country/Region Type the country or region for your company.
o State/Province Type the full name of the state or province in which your company is
located.
o City/Locality Type the city or locality in which your company is located.

Figure 14: Type complete entries for geographic information. Don't use abbreviations for
state, province, city, or locality.

10. Next, you need to specify the filename and path for the certificate request file. By default, the
filename and path are set to C:\CERTREQ.TXT. Type a new path, or click Browse to select a path
and filename using the Save As dialog box.
11. Click Next twice and then click Finish to complete the request generation process.
Submitting Certificate Requests to Certificate Services
After you create a certificate-signing request, you can submit it to Certificate Services using the Web-
based interface. To do this, complete the following steps:
1. The certificate-signing request is stored as ASCII text in the file you specified in Step 10 under
"Creating Certificate Requests." Open this file in Notepad and copy the entire text of the request,
including the BEGIN and END statements, to the clipboard (press Ctrl+A and then press Ctrl+C).
2. You are now ready to submit the request to Certificate Services. Start your Web browser and type
in the Certificate Services URL, such as http://ca.microsoft.com/certsrv/. You should see the main
page for Certificate Services, as shown in Figure 6-15.
Figure 15: When you access the Certificate Services URL, you should see the main page for
the Web-based interface. If you don't, you may not have configured Web access correctly.

3. Select Request A Certificate and then click Next.


4. On the Choose Request Type page, select Advanced Request, and then click Next.
5. As shown in Figure 6-16, select the second option on the Advanced Certificate Requests page and
then click Next. This option tells Certificate Services that you are going to submit a request that is
base64-encoded.
6. Paste the request into the Saved Request text box and then click Submit.
7. If you've completed this process correctly, the final page shows you that your request has been
received and is pending approval by the CA. If there is a problem with the request, you'll see an
error page telling you to contact your administrator for further assistance. On the error page, you
can click Details to get more information on the error. You may need to re-create the certificate
request or go back to ensure that you haven't accidentally inserted additional spacing or
characters in the request submission.

Figure 16: Use the Advanced Certificate Requests page to choose the type of request you
are submitting.

8. If you are also the CA, you can use the Certification Authority snap-in to handle the request. See
the "Approving and Declining Pending Certificate Requests" section of this chapter.
Once the request has been approved, use the Web-based interface to retrieve the signed certificate. To
do this, complete the following steps:
1. Start your Web browser and type in the Certificate Services URL, such
as http://ca.microsoft.com/certsrv/.
2. Under Select A Task, select Check On Pending Certificate, and then click Next.
3. You should see a list of pending requests. Requests are listed with a description and a date/time
stamp. Select the request for the site you want to work with and then click Next.
4. If a certificate has been issued for the request, you should see a page stating that the certificate
you requested was issued to you. On this page, select Base 64 Encoded, and then click Download
CA Certificate.
5. You should see a File Download dialog box. Select Save This File To Disk and then click OK.
6. Use the Save As dialog box to select a save location for the certificate file and then click Save. You
should use .cer as the file extension. Then process and install the certificate as described in the
"Processing Pending Requests and Installing Site Certificates" section of this chapter.
Processing Pending Requests and Installing Site Certificates
Once you receive the certificate back from the authority, you can install it by completing the following
steps:
1. In the Internet Information Services snap-in, right-click the site for which you want to generate
the certificate and select Properties.
2. From the Directory Security tab, select Server Certificate. This starts the Web Server Certificate
Wizard. Click Next.
3. As shown in Figure 6-17, select Process The Pending Request And Install The Certificate, and then
click Next.
4. Type the path and filename to the certificate file returned by the authority, or click Browse to
search for the file. Click Next to continue.

Figure 17: Process the pending request and install the certificate file.

5. The next page provides summary information on the certificate. If this is the correct certificate,
click Next, and then click Finish to complete the installation process. Otherwise, click Back to
choose a different certificate file, and then repeat Steps 4 and 5.
6. Configure SSL and manage the certificate as described in the "Working with SSL" and "Managing
Site Certificates in the Internet Information Services Snap-In" sections of this chapter.
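The whole request, submit, retrieve and install sequence described in the preceding sections has a command-line counterpart in certreq.exe, useful when many sites must be provisioned or when the certsrv Web pages are not enabled. The following PowerShell script is an added example and is not part of the original practical. It enforces the forbidden-character list and the common-name rule given above, writes the same subject fields the wizard asks for into a certreq .inf file, and then performs the submit, retrieve and accept steps; the CA configuration string 'ca.microsoft.com\Root CA', the host names and the file paths are invented. Binding the installed certificate to the Web site is still done in the IIS snap-in as described under "Working with SSL".

```powershell
# Added example, not part of the original practical: certreq.exe equivalents of
# the Web Server Certificate Wizard and the certsrv Web pages. The CA
# configuration string, host names and file paths are assumptions.

# Characters the wizard forbids in subject fields (the list in Step 6 above).
# The comma is added here because it separates RDNs in the INF Subject line.
$ForbiddenChars = [char[]]'!@#$%^*()~?><&/\,'

function Test-SubjectField {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value)
    foreach ($c in $ForbiddenChars) {
        if ($Value.IndexOf($c) -ge 0) { throw "$Name contains the forbidden character '$c'" }
    }
    return $Value
}

function New-SiteCertificateRequest {
    param(
        [Parameter(Mandatory)][string]$CommonName,         # the DNS name users will type
        [Parameter(Mandatory)][string]$Organization,
        [Parameter(Mandatory)][string]$OrganizationalUnit,
        [Parameter(Mandatory)][string]$Locality,
        [Parameter(Mandatory)][string]$State,              # full name, not an abbreviation
        [Parameter(Mandatory)][ValidatePattern('^[A-Z]{2}$')][string]$Country,
        [ValidateScript({ $_ -ge 2048 })][int]$KeyLength = 2048,
        [string]$RequestFile = 'C:\CERTREQ.TXT'            # the wizard's default path
    )
    if ($CommonName -notmatch '^([a-z0-9-]+\.)*[a-z0-9-]+$') {
        throw 'Common name must be a host name such as www.domain.com or CorpIntranet'
    }
    $subject = @(
        "CN=$(Test-SubjectField 'Common name' $CommonName)"
        "O=$(Test-SubjectField 'Organization' $Organization)"
        "OU=$(Test-SubjectField 'Organizational unit' $OrganizationalUnit)"
        "L=$(Test-SubjectField 'City/Locality' $Locality)"
        "S=$(Test-SubjectField 'State/Province' $State)"
        "C=$Country"
    ) -join ', '
    # KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU = TLS server auth.
    # The host name is repeated as a DNS SAN because browsers ignore the CN.
    $inf = @"
[NewRequest]
Subject = "$subject"
KeyLength = $KeyLength
HashAlgorithm = sha256
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$CommonName&"
"@
    $infFile = [IO.Path]::ChangeExtension($RequestFile, '.inf')
    Set-Content -Path $infFile -Value $inf -Encoding Ascii
    # Creates the key pair in the machine store and writes the Base-64 CSR.
    & certreq.exe -new $infFile $RequestFile
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $RequestFile
}

function Submit-CertificateRequest {
    param([Parameter(Mandatory)][string]$RequestFile, [Parameter(Mandatory)][string]$CaConfig,
          [Parameter(Mandatory)][string]$CertFile)           # $CaConfig is "CA host\CA name"
    # Same as pasting the CSR into the Saved Request box on the certsrv pages.
    $out = (& certreq.exe -submit -config $CaConfig $RequestFile $CertFile) -join "`n"
    if ($out -match 'RequestId:\s*(\d+)') { $id = [int]$Matches[1] } else { throw "No RequestId in certreq output:`n$out" }
    # A CA that holds requests for an administrator answers "Taken Under Submission".
    return [pscustomobject]@{ RequestId = $id; Pending = ($out -match 'Taken Under Submission') }
}

function Complete-CertificateRequest {
    param([Parameter(Mandatory)][int]$RequestId, [Parameter(Mandatory)][string]$CaConfig,
          [Parameter(Mandatory)][string]$CertFile)           # use .cer, as the text advises
    # "Check On Pending Certificate": output is Base-64 unless -binary is given.
    & certreq.exe -retrieve -config $CaConfig $RequestId $CertFile
    if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed with exit code $LASTEXITCODE" }
    # "Process The Pending Request And Install The Certificate": pairs the issued
    # certificate with the private key that certreq -new created.
    & certreq.exe -accept $CertFile
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | Select-Object Subject, Thumbprint, NotAfter
}

# Usage with assumed values (certutil -resubmit runs on the CA; it is the snap-in's Issue action):
# $req = New-SiteCertificateRequest -CommonName 'www.domain.com' -Organization 'Domain Ltd' `
#          -OrganizationalUnit 'Technology Department' -Locality 'Redmond' -State 'Washington' -Country 'US'
# $r = Submit-CertificateRequest -RequestFile $req -CaConfig 'ca.microsoft.com\Root CA' -CertFile 'C:\www.domain.com.cer'
# if ($r.Pending) { certutil.exe -resubmit $r.RequestId }
# Complete-CertificateRequest -RequestId $r.RequestId -CaConfig 'ca.microsoft.com\Root CA' -CertFile 'C:\www.domain.com.cer'
```

Exportable = FALSE and MachineKeySet = TRUE keep the private key in the machine store and prevent it from being exported later, which is the property the wizard's locally stored key pair is meant to have; if the same certificate must be installed on several servers, generate one request per server rather than making the key exportable.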
Deleting Pending Certificate Requests
If you made a mistake in a certificate request that has already been generated, the only way to fix it is to
delete the request and then create a new one. You can delete pending certificate requests by completing
the following steps:
1. In the Internet Information Services snap-in, right-click the site for which you want to generate
the certificate and select Properties.
2. From the Directory Security tab, select Server Certificate. This starts the Web Server Certificate
Wizard. Click Next.
3. As shown in Figure 6-18, select Delete The Pending Request, and then click Next.

Figure 18: If you or someone else instructs IIS to delete a pending request, you'll need to
re-create the certificate request before you can try to install a certificate.

4. Click Next and then click Finish. This deletes the request association in IIS but does not remove
the actual request file. That file holds only your site's public key and subject information, so it is
not secret, but delete it anyway so that a stale request cannot be submitted to a CA by mistake.
