Introduction to Active Directory

Certainly the biggest single change between Windows NT 4 and Windows 2000 is the inclusion in Windows 2000 of an important new service – Active Directory. Active Directory is the native directory service in Windows 2000. Unlike Windows NT 4, where domains were pretty much stand-alone islands that we connected with trust relationships as necessary, Active Directory is a full-featured directory service. But what is a directory service? Well, a directory service is actually a combination of two things – a directory, and services that make the directory useful. Simply, a directory is a store of information, similar to other directories, such as a telephone book. A directory can store a variety of useful information relating to users, groups, computers, printers, shared folders, and so forth – we call these objects. A directory also stores information about objects, or properties of objects – we call these attributes. For example, attributes stored in a directory for a particular user object would be the user’s manager, phone numbers, address information, logon name, password, the groups they are a part of, and more.

To make a directory useful, we have services interact with the directory. For example, we can use the directory as a store of information against which users are authenticated, or as the place we query to find information about an object. For example, I could query a directory to show me all the color printers in the Frankfurt office, the phone number of Bob in the Delhi office, or a list of all the user accounts whose first name starts with the letter ‘G’. In Windows 2000, Active Directory is responsible for creating and organizing not only these smaller objects, but also larger objects – like domains, organizational units, and sites. In order to fully comprehend what Active Directory is all about, we need to take an initial look at a number of concepts. A deeper discussion on Active Directory will be covered once we get to the AD Implementation and Administration portion of the series.

Introduction to Windows 2000 Server

Windows 2000 Server and Professional are fundamentally quite similar, both in terms of interface and architecture. As such, they often get lumped together when discussed, and for the purpose of the exams, this is very much the case. However, there are a number of fundamental differences between the two. The two main differences between Server and Pro are in terms of optimization as well as services offered. Professional is optimized as a desktop operating system where one runs user applications, while Server is optimized to service a variety of requests from client systems. In terms of services offered, Server provides many more than Professional, providing the ability to run WINS, DNS, Active Directory, and so forth. Since we’ve already covered the Professional materials, let’s begin taking a look at what the Server product itself is all about.

First off, we can’t just talk about the Server product, because there are actually three: Windows 2000 Server, Advanced Server, and Datacenter Server. There seems to be some debate over the differences between these three, when in fact the only differences are in terms of scalability and availability.

Be aware that the minimum supported CPU for Server is a Pentium 133, and the recommended minimum for RAM is 256 MB, although 128 MB is the minimum supported. The scalability elements outlined in the table above are obvious – Advanced and Datacenter Server can utilize more RAM and CPUs than the basic Server version. However, both of these versions also support two types of clustering, which are availability technologies. When servers are clustered, more than one server (called a node) is connected to a common storage device, and the nodes work together as a single system to ensure availability of mission-critical applications. Should one of the nodes in a cluster fail, the services are still available, since the other nodes continue to handle requests. In a Network Load Balancing (NLB) cluster, client requests are distributed amongst a number of systems that provide access to a single application. For example, you could have up to 32 servers configured with identical copies of your website, and NLB will distribute requests across the NLB cluster, increasing performance, availability and reliability. Just a note, but any suggestion that Windows 2000 Server cannot act as a domain controller is absolutely false.

Subnetting IP Networks

It sometimes amazes me that people get so worked up about subnetting, because it really is quite simple. First of all, you need to recognize that in order to really understand subnetting (at least starting off), looking at the numbers in decimal notation makes very little sense. You need to be looking at numbers in binary to really understand what is happening. The beauty of binary numbering is its simplicity – each value can only be a 1 or a 0. Note that each section (octet) of an IP address can be represented by a series of eight bits. There are 4 octets, so 32 bits altogether. That means any IP address can also be looked at as a 32-bit binary number. The table below outlines the decimal value that each bit position in an octet represents.

Decimal  128   64   32   16    8    4    2    1
Binary     1    1    1    1    1    1    1    1

What this means is simple. If I were to ask for the value of 11001100 in decimal, it would be 128+64+0+0+8+4+0+0, which equals 204. Each bit corresponds to the decimal value above it – add the values for each ‘1’ value and you have the answer. 11111111 would be 128+64+32+16+8+4+2+1, which equals 255 (which is also the highest possible decimal value in an 8-bit binary number).

But what about converting decimal numbers to binary? Well, it’s different, but no more difficult. Start at the left on the chart above, and add the decimal values together until you reach your total. Every number you use is a ‘1’ and every number you leave out is a ‘0’. For example, let’s take the number 77. This would be 01001101. Say what? Well, I just started adding numbers left to right, leaving out numbers that put me over 77. In this example, I have 0+64+0+0+8+4+0+1. Simple.

You can also do this using a calculator program with a scientific mode. Just type in a number in decimal and hit the BIN button. The number will then be displayed in binary. However, the calculator has no idea that you’re dealing in 8-bit numbers, so you’ll have to be careful. For example, my calculator will tell me that 77 in binary is 1001101. That is, it leaves off any leading zeros. As such, you’ll need to remember to ‘pad out’ your binary numbers to 8 bits if you use the calculator. For example, the calculator will show decimal 8 as binary 1000. For an IP address, we need to add the 4 other zeros, making it 00001000. You’ll have access to the calculator on the exam, so know how to use it.

After you understand binary numbering, subnetting is easy. First of all, we need to discuss what subnetting is. Quite simply, it is taking a big network ID and breaking it down into a number of smaller networks, or subnets. Routers are what usually separate subnets. Reasons for subnetting include connecting different topologies (such as Ethernet and Token Ring), as well as making networks smaller and more manageable. Subnets are also sometimes referred to as broadcast domains, since a broadcast sent on a subnet goes to all hosts on that subnet.

For the purpose of any exam, you will need to recognize and understand how subnetting works. This includes being able to view system configurations and determine why clients are having trouble communicating. As such, you’ll need to be able to recognize valid IP addresses, subnet mask values, and what range of IP addresses are valid on a given subnet. Let’s start with a look at valid subnet mask values.

A subnet mask means little in decimal. In binary, however, it tells a story. The subnet mask is what tells us which of the 32 bits in an IP address represent the network identification, and which represent the host identification. In the example below, the host IP address is and the subnet mask is /21, or In decimal, it is difficult to determine which portion represents the network and which the host. However, in binary the mask value is:

11111111 11111111 11111000 00000000

So what does that tell me? That the first 21 bits are used to represent the network, and the last 11 bits are used to represent a host on the network. Actually, it tells me more than that. It also tells me how many hosts I can have per network. How? Well, if eleven bits are used to represent a host, then this subnet can have 2046 hosts. How did I get that? Simple: 2 to the power of 11, minus 2. That equals 2048 minus 2, or 2046. Why minus 2? You subtract 2 because a host value of all binary 0’s represents the subnet, and a value of all binary 1’s is the broadcast address for this subnet.

If the subnet mask in the example above had been /17, or, that would leave 15 bits for host addresses. That would mean 2 to the power of 15 minus 2 hosts, or 32766 total.

Figuring that stuff out should now be easy enough as well. The big question, and the key thing you need to be able to do, is to be able to determine if a host ID is valid on a subnet. Every subnet has a range of addresses that are valid on it. In my last example, there were 32766 valid host addresses. You need to be able to determine which ones are valid for the subnet. It isn’t that hard, but you need to know what you’re looking for.

Let’s say that we’ve been given an address of, and we’re trying to determine the range of valid host IDs on this subnet. The first step is to determine the actual network ID on which this host falls. The process we use to determine this is called ANDing. When we want to AND an IP address and subnet mask, we first convert them to binary and line the subnet mask below the IP address. Then, calculate the AND value. In an AND operation, values are calculated as follows:

1 and 1 = 1
1 and 0 = 0
0 and 1 = 0
0 and 0 = 0

In our example, this would give us:

IP   10011100 00010001 00101010 00000110
SM   11111111 11111111 11110000 00000000
AND  10011100 00010001 00100000 00000000

After we convert our ANDed address back to decimal we get This is the network ID that our host falls onto.

Stay with me here. We know that our mask is (or /20). So, we know that the last 12 bits represent the hosts on this network. In each line below, the first 20 bits are the network bits and the last 12 bits are the host bits. We already know that a host ID cannot be all zeros or all ones in binary. So, when I’m calculating the range of valid IPs on this subnet/network, I can’t have either of these values. This leaves me with:

Network ID           10011100 00010001 00100000 00000000
First Valid Host ID  10011100 00010001 00100000 00000001
Last Valid Host ID   10011100 00010001 00101111 11111110

Note that the first valid host ID sets all host bits to zero except the last (called the least-significant bit), and the last valid host ID sets all host bits to one, except the last. What did I lose? Two addresses – the host ID being all zeros (which defines the network) and the host ID being all ones (the broadcast address, which is not valid for a host). These are the same 2 addresses that I subtract when trying to find how many hosts I can have per subnet. If I convert my ranges above to decimal, I end up with a range of: to

The truth of the matter is that you won’t necessarily have time to ‘do the math’ for every question that comes at you during the exam, so you’ll need a way to quickly determine what ranges of hosts are valid on a subnet given a certain mask. For this purpose, I am providing the chart below. You can use this chart to quickly determine the valid ranges of IP addresses on a subnet based on the mask value, and where the next range starts. Please do not use this chart as a crutch if you don’t understand how to determine valid ranges as we went through above. This is meant as a shortcut for those who already understand.

Mask        128  192  224  240  248  252  254  255
Network ID  128   64   32   16    8    4    2    1

How the chart works is simple. Let’s say I’ve been given a host ID of with a mask of, and I want to quickly determine the range of host IP addresses valid on the same subnet as this host. This address is subnetted into the third octet based on the mask, so we take the third octet value (248) and plug it into the chart above. The Network ID value that corresponds to 248 is 8. As such, every new subnet starts at a multiple of 8 in the third octet. For example:

subnet0 range = to *
subnet1 range = to
subnet2 range = to
subnet3 range = to
subnet4 range = to
subnet10 range = to
subnet30 range = to
subnet31 range = to *

* Although these ranges were usually omitted in a classful IP addressing system, they are totally valid under CIDR. Often these ranges are still omitted, however, due to the fact that some older equipment may not reference the ranges properly.

Note that our host is on subnet10 in the list above. The same rules as always still apply, so be careful. The host ID cannot be all 0’s or 1’s. As another example, if the address had been, the subnet mask would be, making the range of addresses on the same subnet as this host everything on subnet, since new ranges start in multiples of 4. That would make the valid range: to

If you go back to the ANDing process, and calculate the first and last host IDs in binary, you’ll see that we’ve come up with the same answer, only much more quickly!

As I mentioned from the outset, this section was not meant to be a complete explanation of designing a subnetting scheme for a network. Instead, we learned how to define valid ranges of addresses based on a host ID and mask value, both in binary and using the shortcut method. You will need to be able to troubleshoot IP addressing, and that’s what I’ve focused on above. Once you can calculate valid ranges, you can then determine which host IDs are local and remote, and which hosts are capable of communicating properly. Only hosts that fall into the same range should be on the same subnet. You also now know that the problem may be the address or the subnet mask values of the hosts in question.

Configuring Remote Access Connections

Remote access connections in Windows 2000 Professional are configured using the Make New Connection Wizard in the Network and Dial-Up Connections program window. The wizard provides 5 choices.

The first two choices involve creating dial-up connections. You should note that if you choose Dial-up to the Internet, the Internet Connection Wizard would start. The third option allows you to create a VPN connection over the Internet, by providing the fully qualified domain name or IP address of the server you wish to connect to. If your system is not directly connected to the Internet and uses a dial-up connection, you can specify the existing dial-up connection to be connected prior to establishing the VPN connection. This avoids having to initiate the two connections individually.

The fourth option in the wizard allows a Windows 2000 Professional machine to accept incoming dial-in, VPN, and direct cable connections. The last option creates a connection to another machine using a direct connection. This function works off the Guest/Host principle.

After the wizard defines the connection, a corresponding connection object will appear in Network and Dial-up Connections. Note that the wizard itself only handles the input of the most basic properties of the connection. However, you can get at the advanced settings of the connection by accessing its properties.

The security option of the connection can also be configured via the security tab. This includes settings such as which authentication mechanism is used, whether encryption is required, and so forth.

Finally, note the options tab. This allows you to control a number of elements including dialing options and associated parameters.

Note that the Make New Connection wizard only allows you to create and configure remote access connections. Local area connections are set up automatically based on the number of network adapters installed.

Remote Access Protocols

Windows 2000 Professional supports the ability to create both outgoing and incoming remote access connections. Types of connections supported include dialup, VPN, and direct cable connection (including infrared). The list below outlines the protocols supported and their associated features and limitations under Windows 2000.

Point-to-Point Protocol – PPP is the de facto standard for dialup connections, and supports numerous transport protocols including TCP/IP, NetBEUI, IPX/SPX, AppleTalk and a range of others. PPP also supports the assignment of client IP addresses via DHCP. Windows 2000 can act as both a PPP client and server.

Serial Line Internet Protocol – SLIP is an older dialup standard that can only be used with IP and does not allow for dynamic allocation of IP addresses. Windows 2000 can only function as a SLIP client and not as a SLIP server.

Point-to-Point Tunneling Protocol – PPTP is a virtual private networking (VPN) protocol used to create a secure connection over an untrusted network (such as the Internet) by encrypting all data sent between a PPTP client and PPTP server. PPTP is supported by a variety of operating systems, including Windows NT 4.0, Windows 95, 98, etc.

Layer 2 Tunneling Protocol – L2TP is another VPN protocol that provides a similar function to PPTP. However, L2TP’s responsibility is tunnel creation and tunnel management. L2TP does not actually encrypt data. Instead, it works in conjunction with the IPSec protocol, which is actually responsible for the encryption. L2TP is an open standard developed jointly by Microsoft and Cisco to ultimately replace PPTP and Cisco’s Layer 2 Forwarding (L2F) protocol.

IPSec – In a VPN environment, IPSec is responsible for encrypting the data sent between the VPN client and server, as well as negotiating encryption-related parameters such as encryption level (56-bit, 128-bit, etc) and so forth.

Note that so far, the only Microsoft OS to natively support L2TP / IPSec is Windows 2000. As such, protocol choice is often based on client systems making the connection.

Windows 2000 Professional also supports a few new authentication protocols for the purposes of remote access connections. These include EAP and BAP, which are looked at below.

EAP – The Extensible Authentication Protocol is an extension to PPP that allows for a greater degree of choice in terms of the authentication mechanism used. Support is built into Windows 2000 for the use of generic token cards, the MD5-CHAP protocol, and Transport Layer Security (TLS), which is used for authentication via smart card. EAP also allows vendors to create additional authentication modules that can be used in Windows 2000, such as biometric hardware like a thumbprint reader or retinal scanner, for example.

BAP – The Bandwidth Allocation Protocol is a protocol that enhances the capabilities of multilink in Windows 2000. Multilink is the ability to aggregate the bandwidth from multiple dialup connections (modem or ISDN) for a single user. BAP works to manage bandwidth usage more efficiently. For example, you can use BAP to automatically drop one line of a multilink connection should utilization fall below a certain level.

Windows 2000 also continues to support a variety of authentication protocols that were included in NT 4.0. These include:

PAP – Password Authentication Protocol. Uses plaintext passwords.

SPAP – Shiva Password Authentication Protocol. Authentication protocol that allows Windows 2000 clients to be authenticated by Shiva servers, or Shiva clients to be authenticated by Windows 2000 Servers.

CHAP – Challenge Handshake Authentication Protocol. An MD5-based authentication protocol that is supported in a variety of OSes.

MS-CHAP – Microsoft’s version of CHAP. When this option is chosen, you can choose to encrypt all data using MPPE (Microsoft point-to-point encryption).

MS-CHAP version 2 – supports many of the same features as MS-CHAP, but is a stronger version. For example, while MS-CHAP uses a single cryptographic key for all data sent and received, MS-CHAP v2 uses separate keys for each function. Also supports password changes during the authentication process.

TCP/IP Utilities

Windows 2000 provides a wide range of utilities for use in managing, configuring, and troubleshooting the TCP/IP environment. I have listed the TCP/IP-related utilities below, along with an outline of their uses and some important switches.

Ping – A simple diagnostic utility that verifies connectivity with a remote computer.

Pathping – An advanced ping utility, it also does a traceroute and provides stats of packet loss at intermediary routers.

Arp – displays and allows modification of the Address Resolution Protocol cache, where IP to MAC address mappings for local hosts are stored.

Route – displays and allows modification of the locally configured routing table.

Tracert – traces the route that a packet takes in reaching its final destination.

Nslookup – a command-line resolver for querying a DNS server.

Netstat – displays current TCP/IP session information. For example, information on connected hosts and port numbers used.

Nbtstat – displays the local Netbios name cache. When used with the –RR switch, causes the client to re-register itself with its configured WINS server.

Ipconfig – displays the current TCP/IP configuration of the local machine.
/release – releases a DHCP-obtained IP address
/renew – obtains a new DHCP IP address
/all – displays all TCP/IP configuration information
/flushdns – purges the local DNS resolver cache
/registerdns – refreshes DHCP leases and re-registers with DNS.
/displaydns – shows the contents of the DNS resolver cache.

Hostname – displays the locally configured TCP/IP hostname (note that this may be different from the locally configured computer name, also referred to as the NetBIOS name).

LPQ – checks print queue status on an LPD-based printer.

LPR – sends a print job to a remote UNIX printer running the LPD service

Ftp – a client program to transfer files between the client and a system configured as an FTP server via TCP.

Rcp – used to copy files between a client and a server running an RCP service.

Rexec – used to execute a command or process on a remote computer

Rsh – used to execute a command or process on a remote computer running the remote shell (RSH) service.

Telnet – a client program used to log on and execute commands remotely on a system running a telnet service.

Tftp – a client program to transfer small files between the client and a system configured as a TFTP server via UDP.

IP Addressing

Understanding IP addressing is central to making sense of how TCP/IP works. First off, every single TCP/IP-based host needs a unique IP address to communicate properly on a network. This address is made up of two main parts, a network (or subnet) address and a host address. Determining which portion is which is actually the function of the subnet mask.

One thing you should be aware of is a marked shift in how we look at IP addresses in Windows 2000. Most of you are probably familiar with the idea of classful IP addressing, or IP addressing based on the class of address. As a review, in a classful system, we had three main classes of address:

Class A – The first octet of addresses in this class always started between 1-126. Only the first octet designated the network. For example, with default mask

Class B – The first octet of addresses in this class always started between 128-191. The first two octets designated the network. For example, with default mask

Class C – The first octet of addresses in this class always started between 192-223. The first three octets designated the network. For example, with default mask

Note: Use of the default mask means you are not subnetting the network (all hosts are logically part of the same big network)

The classful system of addressing really isn’t used any more, mostly because it is terribly inefficient and wastes addresses. In its place, CIDR, or Classless Inter-Domain Routing took over. In CIDR, addresses don’t really have a class (it is often referred to as classless addressing). Instead, addresses are looked at in conjunction with their associated mask value as a way of distinguishing between different networks. For example, your company might be provided with the address The notation used in the previous example is referred to as CIDR notation. What it actually represents is a network ID, followed by the number of bits used in the subnet mask. In this case, it means that you have a network ID of, with a mask using 20 bits, or If you still don’t see it, try looking at this: = 11111111 11111111 11110000 00000000

Essentially, the /20 means that the first 20 bits in the subnet mask are set to the binary value of 1. Note that in our example, it means that this company has a range of IP addresses available to them that starts at and goes to That means they have 4094 addresses at their disposal, instead of an entire Class B range, which would be 65534. So who manages giving you these ranges? Usually your ISP. The reason is that most companies actually don’t need that many addresses, since they can use private address ranges internally. Only hosts that need to be accessible by systems on the public Internet need a ‘real’ IP address. By the way, if you have no idea how I came up with the numbers above, don’t worry, it is all going to be covered in the subnetting portion of the article.
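The following Python is an added example (not code from the original article) that carries out the procedure from the subnetting section and the CIDR paragraph above: pad each octet to 8 bits, AND the address with the mask, derive the first and last valid host and the host count (2 to the power of the host bits, minus 2), and apply the chart shortcut, checking that both methods land on the same block. The decimal values 156.17.42.6 and 255.255.240.0 are simply the binary strings from the ANDing example converted back to decimal; the second address is a constructed sample.

```python
"""Subnet arithmetic done the way the article describes: pad each octet
to 8 bits, AND the address with the mask, then derive the valid host
range. Also implements the chart shortcut and cross-checks the two.
Added example; not code from the original article."""


def to_bits(dotted):
    """Dotted decimal -> 32 binary digits. Each octet is padded to 8 bits,
    the step a scientific calculator leaves out (77 -> 01001101)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("invalid IPv4 dotted-decimal value: " + dotted)
    return "".join(format(o, "08b") for o in octets)


def from_bits(bits):
    """32 binary digits -> dotted decimal (128+64+... per octet)."""
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def prefix_to_mask(prefix):
    """CIDR prefix length -> mask: /20 is twenty 1s followed by twelve 0s."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return from_bits("1" * prefix + "0" * (32 - prefix))


def mask_to_prefix(mask):
    """Mask -> prefix length, rejecting masks whose 1s are not contiguous."""
    bits = to_bits(mask)
    prefix = bits.count("1")
    if bits != "1" * prefix + "0" * (32 - prefix):
        raise ValueError("non-contiguous subnet mask: " + mask)
    return prefix


def subnet_info(ip, mask):
    """Network ID, broadcast, first/last valid host and host count via ANDing."""
    prefix = mask_to_prefix(mask)
    host_bits = 32 - prefix
    if host_bits < 2:
        # With one host bit or none, the all-0s/all-1s rule leaves no hosts.
        raise ValueError("/%d leaves no usable host addresses" % prefix)
    ip_bits, mask_bits = to_bits(ip), to_bits(mask)
    # ANDing: a result bit is 1 only where both input bits are 1.
    net_bits = "".join("1" if a == m == "1" else "0"
                       for a, m in zip(ip_bits, mask_bits))
    network = net_bits[:prefix]
    return {
        "prefix": prefix,
        "network_id": from_bits(net_bits),                  # host bits all 0
        "first_host": from_bits(network + "0" * (host_bits - 1) + "1"),
        "last_host": from_bits(network + "1" * (host_bits - 1) + "0"),
        "broadcast": from_bits(network + "1" * host_bits),  # host bits all 1
        "usable_hosts": 2 ** host_bits - 2,  # minus network ID and broadcast
    }


def shortcut_range(ip, mask):
    """The chart method: in the first mask octet that is not 255, subnets start
    at multiples of (256 - mask octet), e.g. 248 -> 8, 252 -> 4, 240 -> 16.
    Returns the whole block, network ID through broadcast address."""
    ip_oct = [int(o) for o in ip.split(".")]
    mask_oct = [int(o) for o in mask.split(".")]
    for i, m in enumerate(mask_oct):
        if m != 255:
            block = 256 - m
            start = (ip_oct[i] // block) * block
            low = ip_oct[:i] + [start] + [0] * (3 - i)
            high = ip_oct[:i] + [start + block - 1] + [255] * (3 - i)
            return ".".join(map(str, low)), ".".join(map(str, high))
    return ip, ip  # /32: the address is its own block


def methods_agree(ip, mask):
    """True when the chart shortcut reproduces the ANDed network ID and broadcast."""
    info = subnet_info(ip, mask)
    return shortcut_range(ip, mask) == (info["network_id"], info["broadcast"])


if __name__ == "__main__":
    # 156.17.42.6 / 255.255.240.0 is the article's binary ANDing example in decimal;
    # 10.1.83.7 / 255.255.248.0 is a constructed sample (lands on "subnet10").
    for ip, mask in (("156.17.42.6", "255.255.240.0"),
                     ("10.1.83.7", "255.255.248.0")):
        info = subnet_info(ip, mask)
        print("%s /%d -> network %s, hosts %s to %s (%d usable), chart agrees: %s" % (
            ip, info["prefix"], info["network_id"], info["first_host"],
            info["last_host"], info["usable_hosts"], methods_agree(ip, mask)))
```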

TCP/IP Configuration

TCP/IP has become the de facto protocol used in networking today, in conjunction with the growth and proliferation of the Internet as a communication tool. For all intents and purposes, TCP/IP is the primary networking protocol of Windows 2000, since Active Directory necessitates a TCP/IP-based network. However, you should still be aware that Windows 2000 supports a variety of other transport protocols including NetBEUI, NWLink (the IPX/SPX compatible transport), AppleTalk, and DLC (although this is a primarily used for special purposes, such as connecting to a non-TCP/IP network-connected printer). These other protocols will be looked at in more detail in the Server portion of the series.

TCP/IP configuration in Windows 2000 can be done both for LAN and remote access connections, as a function of configuring the associated connection object. Each connection object is configured independently, whether for file and printer sharing, or its TCP/IP properties.

At a minimum, the TCP/IP configuration must include an IP address and subnet mask. The IP address uniquely identifies a TCP/IP host, while the subnet mask allows us to determine which portion of an IP address designates the network, and which portion designates a host on that network (more on that later). Unless the host is connected to a small isolated LAN, a default gateway address should also be provided. This is the IP address of the router to which this computer will forward all packets destined for hosts on other networks (except ones for which the host has an explicit routing table entry). The DNS entries in the lower portion of the screen shot above designate the IP addresses of a preferred and alternate DNS server to use to resolve host name and service-lookup queries. The elements behind the Advanced button allow configuration of alternate IP addresses, gateways, DNS client properties, WINS client configuration, packet filtering settings, and so forth (again, this is covered in detail in the server portion of the series). Remember that for a system with three network cards, you would configure the properties (TCP/IP, etc) of each separately.

Logon and Authentication

In order for a user to use a Windows 2000 Professional system, they must be authenticated. Authentication occurs when a user provides a valid username and password combination for the system or domain they are logging into. If logging into a Windows 2000 system locally, the user must provide a username and password from the local SAM database on that system. When logging on to a domain, a valid domain username, password and domain name (from the drop-down list) must be provided. Alternatively, you can also log in with something called a User Principal Name (UPN), which looks like an email address in the format If a UPN is provided, the user does not need to choose a domain name from the drop-down box (this will actually be disabled automatically when a UPN is used). When a user is logging on by sitting in front of a system, this is referred to as an interactive logon. In the same manner as NT 4, if you want a system to lock automatically after being idle for a period of time, set up a screensaver – the system will lock automatically after the interval you specify.

One last possibility that you should be aware of in Windows 2000 is the ability to automate the logon process. That is, you can set Windows 2000 up such that it does not require that a user provide a username and password to log in. Instead, the system will log in automatically using the credentials you supply. You can control this behavior (which is obviously not recommended on systems that require security, but may be useful on, say, a kiosk system) by using the Users and Passwords applet in Control Panel. You must specify the user account that the automated logon should use. Note that authentication is still taking place, but everyone is automatically being authenticated as the same user.

Managing Domain Users and Groups

Local users and groups exist only in the SAM of a local Windows 2000 system, and can only be used for access on the system on which they exist. As such, local accounts are not practical for use in a large environment, due to their distributed administrative nature. As such, most companies have a domain, which of course centralizes user and group administration, as well as the authentication function, on Windows 2000 Servers acting as domain controllers. Domain controllers do not have a local SAM, but instead share and replicate the Active Directory database, where user and group objects (amongst other things) exist. In this section we’ll take a look at a number of account features, some of which are unchanged from NT 4 and some of which are different.

First of all, every account in Active Directory is an object, and objects can have properties. Examples of properties include things like a first name, last name, password, phone number, and so forth. There are many more properties associated with a domain user account than a local user account.

In very basic terms, local accounts are still very much like accounts in NT 4, while Windows 2000 domain accounts potentially have many more properties associated with them. Domain accounts (users, groups, computers, etc) are set up using the Active Directory Users and Computers tool.

Some basic things you should know about user and group accounts in a domain environment in Windows 2000:

  • User accounts and security group accounts still have a SID (security identifier) associated with them. Renaming an account retains the SID, and may be a good idea if one person in the company replaces another, for the purpose of resource access.
  • If you delete a user account, you also delete the associated SID. Creating another account with the same name will produce a new SID, and therefore an entirely new account.
  • If a person is going on a leave of absence, you can still disable an account.
  • The domain administrator and guest accounts cannot be deleted, but can (and probably should) be renamed. The Guest account is disabled by default.
  • You can still copy domain user accounts, as in NT 4. Note that only generic items will be copied, such as group membership and so forth. More specific properties, such as a user’s home address, will not be copied. Copying accounts is most useful if you create a template account for different types of users. (Note that if you create a template account and disable it, all accounts copied from this template will also be disabled until you specifically enable them). Note also that if you copy an account called Mike, for example, and the copy is called Bob, access permissions to resources associated directly with the Mike account are NOT copied to Bob.
  • When dealing with group accounts, you can easily find out what other groups this group is a part of by checking the Member Of property tab. The Members tab shows other users and groups who are part of this group.

Note that Windows 2000 supports three different types of groups: Domain Local, Global, and Universal. Groups can also be nested in Windows 2000, meaning a group can be part of another group (potentially – there are rules). Note that group nesting and Universal groups are only supported in Native mode (a mode where all domain controllers are running Windows 2000), and not in Mixed mode (where you might still have NT 4.0 BDCs present).