Kerberos authentication begins, literally, from the time a user tries to log on to the domain. When Kerberos receives an authentication request, it follows this series of steps:

1. Kerberos looks the user up and loads the key it shares with the user to decrypt the authentication message.
2. It then looks at the information in the message. The first item it checks is the time field, which is the time on the clock of the user's workstation or the machine from which the user requested logon authentication. If the time on the sender's clock is out of sync by five minutes, Kerberos rejects the message without further ado (Kerberos compensates for different time zones and daylight saving time). However, if the time is within the allowable offset of five minutes, Kerberos accepts the message pending one more item.
3. Kerberos determines whether the time is identical to or older than previous authenticators received from the sender. If the timestamp is later than, and not the same as, previous authenticators, Kerberos allows the user to authenticate to the domain.

However, it is also important to know that the authentication is mutual. Kerberos sends back a message demonstrating that it was able to decrypt the user's message. Kerberos returns only select information, the most important being the timestamp that it obtained from the original authentication from the client. If that timestamp matches the client's information, then the client is sure that Kerberos, and not an imposter, decrypted the message.
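The three checks and the mutual-authentication reply described above, as an added Python example that is not from the original text. HMAC-SHA256 stands in for Kerberos encryption of the authenticator (an assumption made so the example runs on the standard library), and `KDCModel`, `seal`, `client_request` and `client_verifies_kdc` are hypothetical names.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # allowable offset stated in the text

def seal(key, role, ts_iso):
    # Assumption: HMAC-SHA256 stands in for Kerberos encryption under the shared key.
    return hmac.new(key, role + b"|" + ts_iso.encode(), hashlib.sha256).digest()

def client_request(key, when):
    ts_iso = when.isoformat()
    return ts_iso, seal(key, b"client", ts_iso)

def client_verifies_kdc(key, ts_iso, reply):
    # Mutual authentication: only a holder of the key can return our timestamp.
    return reply is not None and hmac.compare_digest(reply, seal(key, b"kdc", ts_iso))

class KDCModel:
    def __init__(self, keys):
        self.keys = keys       # principal -> shared key (bytes)
        self.last_seen = {}    # principal -> newest accepted timestamp (UTC)

    def authenticate(self, principal, ts_iso, tag, now):
        key = self.keys.get(principal)
        if key is None:
            return None, "unknown principal"
        # Step 1: the message must verify under the key shared with this user.
        if not hmac.compare_digest(tag, seal(key, b"client", ts_iso)):
            return None, "bad key"
        # Step 2: compare in UTC so time zones and DST do not affect the skew.
        ts = datetime.fromisoformat(ts_iso).astimezone(timezone.utc)
        if abs(now - ts) > MAX_SKEW:
            return None, "clock skew"
        # Step 3: an identical or older timestamp is rejected as a replay.
        prev = self.last_seen.get(principal)
        if prev is not None and ts <= prev:
            return None, "replay"
        self.last_seen[principal] = ts
        return seal(key, b"kdc", ts_iso), "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"                      # constructed sample value
    kdc = KDCModel({"alice": key})
    now = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)
    est = timezone(timedelta(hours=-5))                # client in another time zone
    ts_iso, tag = client_request(key, datetime(2024, 1, 1, 7, 0, tzinfo=est))
    reply, status = kdc.authenticate("alice", ts_iso, tag, now)
    print(status, client_verifies_kdc(key, ts_iso, reply))
    print(kdc.authenticate("alice", ts_iso, tag, now)[1])
```

Because the replay check keeps only the newest accepted timestamp per principal, a captured authenticator is refused even while it is still inside the five-minute window.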
Select the operating system you wish to use at this time and press Enter. This instructs your computer to run the desired operating system. As mentioned earlier, this feature can be quite useful if you wish to prolong the process of completely upgrading your PC to Vista. This allows you to still run programs that are not yet compatible with Vista on your current PC and provides you with more time to accustom yourself to the new user interface and features of Microsoft's visually enhanced operating system.
As mentioned briefly earlier in this chapter, DFS can provide a level of redundancy to ensure that shares within a given DFS namespace are available even when a server or share becomes unavailable for some reason. DFS does this through replication, which copies the root or link (and underlying data) to one or more other servers. Because DFS returns the complete list of root replicas or share replicas in response to a query, a client can try each one in the list to find one that functions when a particular server or share is offline. Though DFS by default does not provide replication of a DFS root or any replicas associated with a given DFS link, you can configure DFS to replicate entire DFS namespaces or individual shared folders (DFS links). DFS relies on the File Replication Service (FRS) included with Windows Server 2008 to perform automatic replication. After you create a namespace replica or a share replica, you can configure the replication policy for that object, which defines how the object is replicated. Automatic replication is only available for domain-based DFS namespaces, and only data stored on NTFS volumes can be replicated. By default, FRS replicates the data every 15 minutes. Automatic replication is not available for data stored on FAT volumes or for standalone DFS roots or replicas. In these situations, you need to use manual replication. Manual replication is just what its name implies. You replicate the data by copying the data periodically through drag-and-drop or a similar method as you would manually copy any file from one place to another. Although you could automate the manual replication through the use of
