Реферат: Windows 2000 Essay Research Paper Microsoft Windows
The CA service stops running after a file system upgrade from FAT to the NTFS file system. The following message appears in the application log:
“Certificate Services did not start: Unable to initialize the database connection for *Your CA Name here*. Class not registered 0×80040154.”
As a workaround, uninstall the CA service and then re-install it using the same CA name, key pair, and database as the previous installation.
Upgrade of Subordinate CA from Windows NT 4.0 Certificate Server
After you upgrade a subordinate CA that is running Windows NT 4.0 Option Pack Certificate Server 1.0 to Windows 2000, you must perform a CA renewal operation and create a new CA certificate with the Basic Constraints field set to TRUE for the CA value. Before the SP6 release of Windows NT 4.0, the Certificate Server 1.0 product did not set the CA value to TRUE in the Basic Constraints field in the CA certificate. In SP6, if you are installing the CA for the first time, the CA value is set to TRUE in the CA certificate. In Windows 2000, if you are installing the CA for the first time or if you are performing a CA renewal operation on an existing CA, the CA value is set to TRUE in the CA certificate.
Default Security Settings
This section describes issues related to the default security settings in Windows 2000.
File and Registry Permissions Are Changed During Upgrade
The default security settings for a clean installation are also applied when you upgrade to Windows 2000. Applying the same default security settings ensures that access permissions for the registry and for Windows 2000 system directories and files are set consistently. However, if the default security settings are not sufficient after you upgrade to Windows 2000, you should reapply any custom settings that you applied before the upgrade.
Windows NT 4.0 Users May Need Power User Capabilities After Upgrade
The default security settings for a clean installation are also applied when you upgrade to Windows 2000. For more information about how these default security settings are applied, see “File and Registry Permissions Are Changed During Upgrade,” earlier in this document.
In Windows 2000, the permissions for users who do not have administrator or power user privileges are substantially more secure than in Windows NT 4.0. As a result, most non-certified legacy applications do not run successfully for typical users of Windows 2000. Therefore, after you upgrade to Windows 2000 and default security settings are applied, you may need to give power user capabilities to Windows NT 4.0 users.
When you upgrade from Windows NT 4.0 Workstation, you can provide power user capabilities automatically by adding the Interactive group to the Power Users group. Then, when Windows NT 4.0 users log on locally, they become power users on Windows 2000. Because Windows 2000 power users have the same access control permissions as Windows NT 4.0 users, these users can continue to run non-certified legacy applications after they upgrade to Windows 2000.
Notes
When you upgrade from previous versions of Windows 2000 or install Windows 2000 Server, the Interactive group is not added to the Power Users group.
Certified Windows 2000 applications run successfully for a typical user on Windows 2000. Therefore, certified applications offer the highest level of security without sacrificing application functionality.
Service Account Must Be Manually Added to the Power Users Group After Upgrade
The default security settings for a clean installation are also applied when you upgrade to Windows 2000. For more information about how these default security settings are applied, see “File and Registry Permissions Are Changed During Upgrade,” earlier in this document.
After the default security settings are applied in Windows 2000, services that previously ran under a non-administrative or non-system context on Windows NT 4.0 may no longer work properly. This occurs because Windows 2000 users have fewer permissions than Windows NT 4.0 users. Therefore, after you upgrade to Windows 2000, you must manually add the service account to the Power Users group.
High Encryption Pack—Upgrading from 128-bit Encryption on Down-Level Platforms
When you upgrade the 128-bit version of Windows 95 with Microsoft Internet Explorer 3.02 to Windows 2000, the encryption is reduced to 40-bit. As a workaround, you can install the Windows 2000 High Encryption Pack, which enables you to upgrade to 128-bit encryption.
EFS Recovery and Private Key Issues When Joining a New Windows 2000 Domain
When you upgrade a computer from Windows 95 or Windows 98 to Windows 2000, you may experience problems after joining the new domain because of issues with Encrypting File System (EFS) recovery and migrating private cryptographic keys. After you upgrade the computer, you should not use EFS until the computer actually joins the new domain. If you use EFS before your computer joins the domain, any files that you encrypt with EFS are inaccessible to your domain logon account. In addition, you should not run applications that use private cryptographic keys until the computer actually joins the new domain. If you generate and use private cryptographic keys before your computer joins the domain, these keys are unavailable to your domain logon account.
Directory Services
The following sections describe issues related to Windows 2000 directory services features.
Active Directory Domain Name Length Restriction
The fully-qualified DNS name of an Active Directory domain, for example example.microsoft.com, is restricted to 64 USC Transformation Format 8 (UTF-8) bytes in length. This limit does not apply to computer names.
One ASCII character is equal to one UTF-8 byte in length. Non-ASCII characters, such as other Unicode characters, have a variable length encoding that can be up to three bytes in length. To estimate the size of a name in bytes, count each ASCII character as one byte and each non-ASCII character as three bytes.
Before you deploy Active Directory, verify that all of your planned domain names do not exceed 64 UTF-8 bytes in length.