Windows 2000 Server Configuration

Please note: If you are setting up a Windows 2000 system for personal use, or for occasional sharing, please refer to the Windows 2000 Professional setup page instead. Windows 2000 Server is optimized for enhanced network operation at the cost of desktop performance. Unless you truly need the resource sharing capabilities of Server, your needs will be better served by Professional.

It is assumed that the reader is interested in running a Windows 2000 Server at Stanford University and does not already have an operating Windows NT 4.0 domain. 

Windows NT 4.0 to Windows 2000 domain migration will be covered elsewhere.

Setup Requirements:

Hardware Requirements:

If at all possible, choose hardware listed on Microsoft's hardware compatibility list (HCL), available from Microsoft Windows 2000 Compatibility List or Microsoft Hardware Labs. If you do use hardware that is not on this list, chances are still good that installation is possible, but you may need to download drivers from the hardware vendor. Also, Microsoft will only support approved hardware in the event of a driver problem.

Networking Requirements:

Obtain a unique machine name for your Windows 2000 Server. Machine names are registered in the Stanford NetDB database. At the same time, you will register a unique TCP/IP address for your machine.

Protocol Choices:

There are three protocols widely used by Windows 2000: TCP/IP, IPX/SPX compatible transport, and NetBEUI.

TCP/IP is the only generally routable protocol at Stanford. You must use TCP/IP to traverse subnets! When registering for a machine name, you should receive an IP address. If you do not want any access to resources outside your subnet, you may elect to use a different protocol.

IPX/SPX compatible transport is used mainly for communication between Novell servers and Windows NT Servers or clients.

NetBEUI is a proprietary protocol of Microsoft LAN Manager. It can be used for communication between members of the "Windows" family of products only. It does have the advantage of being the fastest protocol for small workgroup networking.

Authentication Models:

Windows can operate in one of two different authentication modes, Workgroup or Domain.

Workgroup is mainly for very small account databases and/or machine groups. Every machine in a workgroup handles its own authentication and its own controls over access to local resources. Because of this, every machine must have a local account for every user that will use the machine. This model is very quick to set up and everyone can maintain their own machine. The drawbacks are that whenever a change needs to be made to an account, it must be performed on every machine that account uses, and that whenever a machine is added, all accounts that need to use that machine must be created again on that machine.

Domain is for larger groups. In a domain, special servers, called Domain Controllers or DCs, hold the authentication database and verify permissions when resources are accessed. This model is easier to manage since a change has to be made just once to a domain to have effect everywhere. Authentication can be maintained in case of a problem by implementing more than one DC. DCs can also be arranged geographically to minimize the number of network hops an authentication request must make. This can improve network performance in larger implementations. Contact the Windows 2000 Infrastructure group to have your server participate in a domain.

File System Choices:

Windows 2000 supports three file systems: FAT, FAT32, and NTFS. NTFS is highly recommended for any server installation.

FAT, or File Allocation Table, is the file system that has been supported by all Microsoft operating systems. It has been improved in Windows 2000, NT, and Windows 9x to support long file names. It is NOT compatible with FAT32. Files and folders on FAT partitions cannot have permissions applied to them.

FAT32 has been modified for 32-bit addressing of blocks. This allows for larger files and smaller block sizes. It has support for long file names. Files and folders on FAT32 partitions cannot have permissions applied to them.

NTFS, or New Technology File System, is a more robust, transaction-based file system. Since it is transaction based, it can recover from some media and software errors. This also means that some disk area is lost for the transaction log. Files can be larger on NTFS partitions than FAT or FAT32. NTFS partitions can be "grown" by adding more disks. Windows 2000 only supports compression on NTFS partitions. NTFS is required for Services for Macintosh. Files and Folders on NTFS partitions can be protected by permission lists. Windows 2000 NTFS partitions are accessible only to Windows 2000 and Windows NT 4.0 with Service Pack 4.

Setup:

You do not have to format or create any partitions on a new machine before starting. You will need your four setup disks, your CD-ROM, a blank disk for an Emergency Repair Disk, and hardware support disks for any hardware not supported by Microsoft.

It is recommended that you make the system partition 4GB during setup. Windows 2000 takes up a lot of space and the system disk is the only disk that you cannot enlarge later.

After Windows 2000 setup completes:

If you are NOT joining a Windows 2000 domain, set up the Windows Time Service:

  1. Open a command prompt.
  2. Run "Net Time /setsntp:time.stanford.edu".
  3. Restart the Windows Time Service.

If you are joining a Windows 2000 domain, then you will need to configure your machine for the campus tree.

1) Configure Kerberos interoperability:

Run Ksetup from the command prompt. It is in Program Files\Support Tools if you installed the Support Tools.

OR

Open regedt32 and add the value KdcNames (type REG_MULTI_SZ) under HKLM\CCS\Control\LSA\Kerberos\Domains\stanford.edu (CCS is CurrentControlSet, i.e. HKLM\SYSTEM\CurrentControlSet), with the entries Krb5auth1, Krb5auth2, and Krb5auth3.
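The same KdcNames setting can be prepared as a .reg file for import on several servers. The following is an added example, not code from the original page: it writes the page's registry key (with CCS expanded to SYSTEM\CurrentControlSet) and the three KDC names as a REG_MULTI_SZ, which a .reg file stores as hex(7), UTF-16LE with a NUL after each string and a second NUL closing the list; the decoder lets you check a file before importing it.

```python
"""Write the page's Kerberos KdcNames setting as an importable .reg file.

Added example; not code from the original page. A REG_MULTI_SZ value
appears in a .reg file as hex(7): the strings in UTF-16LE, each ended
by a NUL, with one more NUL closing the list. The key below is the
page's HKLM\\CCS\\... with CCS written out as SYSTEM\\CurrentControlSet.
"""

KDC_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
           r"\Control\Lsa\Kerberos\Domains\stanford.edu")
KDC_NAMES = ["Krb5auth1", "Krb5auth2", "Krb5auth3"]  # KDC names as listed on the page


def encode_multi_sz(strings):
    """Return the hex(7) body for a REG_MULTI_SZ holding `strings`."""
    # An empty entry would look like the list terminator, so reject it up front.
    if not strings or any(s == "" or "\x00" in s for s in strings):
        raise ValueError("REG_MULTI_SZ entries must be non-empty and NUL-free")
    raw = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    raw += b"\x00\x00"  # list terminator: the stream always ends in four zero bytes
    return ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(hex_body):
    """Inverse of encode_multi_sz, to check a .reg file before importing it."""
    raw = bytes(int(h, 16) for h in hex_body.split(","))
    if len(raw) < 4 or len(raw) % 2 or raw[-4:] != b"\x00" * 4:
        raise ValueError("not a well-formed REG_MULTI_SZ byte stream")
    # Drop the list terminator, decode, then split on each string's own NUL.
    return raw[:-2].decode("utf-16-le").split("\x00")[:-1]


def kdc_reg_file(key=KDC_KEY, names=KDC_NAMES):
    """Build the .reg text; REGEDIT4 is the ANSI format Windows 2000's regedit imports."""
    return f'REGEDIT4\n\n[{key}]\n"KdcNames"=hex(7):{encode_multi_sz(names)}\n'


if __name__ == "__main__":
    print(kdc_reg_file(), end="")
```

Import the resulting file with regedit on the server, then confirm the value with regedt32 as described above.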

2) Set up DNS and WINS

DNS Settings:

  DNS server addresses (enter in any order): 171.64.7.55, 171.64.7.77, 171.64.7.99
  Append these DNS suffixes (in order): stanford.edu
  DNS suffix for this connection (inherits from Computer Properties): <Empty> or stanford.edu
  Register this connection's addresses in DNS: clear the checkbox

WINS Settings:

  WINS addresses (enter in either order): 171.64.7.155, 171.64.7.177
  NetBIOS over TCP/IP: Enabled

3) Connect to your existing domain

Security:

When you set up your server, it will contain built-in accounts for initial access to the system. Use the Administrator account to create other users or to attach to a domain. Grant users permissions by adding them to groups; there are built-in groups for various administrative tasks. Do not use an account with administrator rights for day-to-day use. To assign custom permissions or resource permissions, create groups and add the appropriate users.

Note about groups in Domains: There are three kinds of groups in a Windows 2000 domain tree: Domain Local, Global, and Universal. Domain Local groups can contain accounts and groups from anywhere in the tree, but can only be applied to resources inside that domain. Global groups can contain only users and groups from inside the domain, but can be applied anywhere in the tree. Universal groups are any to any, but also create a performance hit on the domain. A Domain Local group should work for most cases, such as granting domain local and SSO accounts from WIN.STANFORD.EDU access to log on to machines and connect to resources in the domain.

Other security measures are available. For a more complete discussion, see the Microsoft TechNet Security web site or Securing Windows 2000 Server.

Clients:

Supported clients for Windows 2000 Server are Windows 9x, Windows NT, and Windows 2000. Windows 95 and Windows NT require the installation of a Directory Services client. The client for Win9x is available on the Windows 2000 Server CD. The client for Windows NT is in Service Pack 7.

"Samba" and other client software for Unix is available depending on the flavor of Unix you are using. (Note: Some versions of Samba can only authenticate with clear text. This setting can be turned on using Windows 2000 Policies or the Registry. This is not supported for SUNet-integrated accounts.)

Macintosh clients are supported by File/Print services for Macintosh. Macintosh clients must install the Microsoft UAM included on the Windows 2000 server to make full use of Windows 2000.

Windows for Workgroups and MS-DOS clients can be supported only by machine local accounts. Windows Networking (LANMAN) clients can be found on a Windows NT 4.0 Server CD.

When configuring clients, make sure that "Use DNS for Windows resolution" is selected in the TCP/IP properties. Remove "Register this connection's address in DNS" on Windows 2000.

If you intend to access your server from another subnet for authentication, you will need to set up LMHOSTS files for each client or configure a WINS server. A sample LMHOSTS file can be found in %systemroot%\system32\drivers\etc\lmhosts.sam

If you do not need to authenticate across subnets, then clients can access the resources on a server on another subnet simply by specifying the UNC path to the resource, e.g. "\\Server\Resource". This succeeds via a DNS lookup, so the server's DNS name must match its computer name and "Use DNS for Windows resolution" must be enabled.

File Sharing:

To create a file share,

Share permissions only control who can access the share. File and folder access permissions, if any, are also in effect when the user attempts to access a resource. To set file and folder permissions, use the "Security" tab of the file's or folder's properties. The user's effective access will be the more restrictive of the two sets of permissions.

Clients can then connect to the share by browsing their Network Neighborhood or by mapping a drive to the UNC path of the file share.

Setting up Network Printers

You can attach to a print device by USB/Serial/Parallel or one of the network printing protocols.

  1. Built-in TCP/IP Printing to access a TCP/IP LPR port (HP JetDirect cards accept LPR).
  2. AppleTalk Protocol to access an AppleTalk printer
  3. DLC Protocol to access an HP network port.

If you connect to an AppleTalk printing device, do NOT capture the port. This is not necessary and will prevent anyone else from finding the device on the AppleTalk network.

Clients can connect to the printer by browsing the network or by selecting "Add Printer" and "Network Server" and entering the UNC path of your shared printer.

Services for Macintosh

If you wish to share files and printers for use by a Macintosh network, you will need to install File Services for Macintosh or Print Services for Macintosh from the Windows Components' "Other Network File and Print Services" tab. This will also install the AppleTalk protocol on your machine if it is not already installed. You will be prompted to select an AppleTalk zone if more than one is present.

After installing File Services for Macintosh, open "Computer Management", then "System Tools", then "Shared Folders". Right-clicking allows you to set up properties for the Mac Services. Right-clicking on "Shares" allows you to add a new file share. Any folder on an NTFS partition can be shared as a Macintosh volume. A subdirectory of a volume cannot be shared as a volume. The same folder can be shared as a regular share and as a volume, with different names, if desired.

Shared printers are automatically shared on the Macintosh network after installing Print Services for Macintosh.

Last modified 10/12/00 by Ross Wilper
©2000 Trustees of the Leland Stanford Junior University