Source: www.computerperformance.co.uk/w2k3/

Windows Server 2003 Active Directory and Group Policy


Active Directory in Windows 2003 - Introduction

Active Directory in Windows Server 2003

This page is designed to help those who are new to Microsoft's Active Directory.   My goal is to get you started with the key terms and concepts.   For those with some experience already, I want to help plug gaps in your knowledge.

Just as you might get the perspective of a diamond by looking at its different facets, so I want you to build up a picture of Active Directory by examining its many aspects.

Seven aspects of Active Directory

  1. Active Directory as the Successor to NT 4.0’s SAM database
  2. An object based system, e.g. Object (User), Attribute (Logon name), Value (GuyT)
  3. A Search mechanism to retrieve those resources from its database
  4. The Physical side of Active Directory, sites, subnets and site links
  5. Logical Structure - Forest, Tree, Domain and Organisational Units
  6. The Schema and how it defines the Active Directory objects and attributes
  7. Group Policy - Thanks to Active Directory we can lock down the desktop and assign software

1) Active Directory as the Successor to NT 4.0's SAM database

Every successful operating system needs an authentication mechanism.  Novell developed the marvellous NDS tree, while UNIX has powerful directory services to manage its users.  By the year 2000, NT 4.0's SAM had become an embarrassment, and Microsoft developed the directory service we know as Active Directory.  As a matter of interest, the physical file corresponding to NT 4.0's SAM is called NTDS.DIT (Directory Information Tree).

2) Active Directory as an object based system

The NT 4.0 SAM database was very thin, both in respect of the number of users it could hold and their range of properties.  The only information SAM stored was usernames and their passwords.  Active Directory, on the other hand, can store many more attributes of the user object.  To examine and configure these attributes, launch Active Directory Users and Computers and browse through a user's Properties tabs.  There you will discover a whole range of attributes, for example, telephone number, manager, email address, certificates, dial-in properties.

3) Active Directory's search mechanism

Microsoft do not change menu names without good reason; if you go to the Start Menu in Windows Server 2003 you will see that Find (NT 4.0) has been replaced by Search.  Once you launch Search, you will see the file system in the upper window; however, it is the lower section that I am interested in, because this is where you can search for Computers, Printers or People.  Using this part of Search, you are actually querying Active Directory to retrieve the objects you are interested in.

Technically you are using a protocol, or query language called LDAP (Lightweight Directory Access Protocol).  What LDAP does is to provide directions and so find objects in the Active Directory database.  LDAP is an important language particularly useful for advanced troubleshooting and making changes suggested by TechNet articles.

TIP: To learn more about LDAP, install the Support Tools from the Server CD and experiment with ADSI Edit.
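To make the LDAP "directions" idea concrete, here is an added example (not code from the original page) that evaluates LDAP search filters of the kind you type into ADSI Edit or LDP against a small in-memory directory.  The directory entries, attribute values and the filter strings are constructed for the illustration; it handles &, |, !, equality, presence (attr=*) and trailing-wildcard matches, which covers most of the filters TechNet articles ask you to run.

```python
"""Evaluate LDAP search filters (a subset of RFC 4515) over an in-memory
directory. Added illustration, not part of the original page; the entries
below are constructed sample data."""
from fnmatch import fnmatchcase

# Constructed directory: each entry maps attribute names to lists of values,
# the way an LDAP server returns them.
DIRECTORY = [
    {"objectClass": ["user"], "sAMAccountName": ["guyt"],
     "userPrincipalName": ["guyt@cp.com"], "l": ["Worcester"], "department": ["IT"]},
    {"objectClass": ["user"], "sAMAccountName": ["psycho"],
     "userPrincipalName": ["psycho@cp.com"], "l": ["London"]},
    {"objectClass": ["computer"], "sAMAccountName": ["LOGONSERVER$"], "l": ["Worcester"]},
]


def parse_filter(text):
    """Parse a filter such as (&(objectClass=user)(l=Worcester)) into a tree.
    Values containing ')' or escapes are not supported in this small parser."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """True if the entry satisfies the parsed filter."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    # Attribute names are case-insensitive in LDAP; most AD values match case-insensitively too.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":
        return bool(values)          # presence test: attribute has any value
    return any(fnmatchcase(v.lower(), value.lower()) for v in values)


def search(filter_text, directory=DIRECTORY, attr="sAMAccountName"):
    """Run a filter and return the chosen attribute of each matching entry, sorted."""
    tree = parse_filter(filter_text)
    return sorted(e[attr][0] for e in directory if matches(tree, e))


if __name__ == "__main__":
    print(search("(&(objectClass=user)(l=Worcester))"))
    print(search("(&(objectClass=user)(!(department=*)))"))
```

The presence filter (department=*) is the one to remember: it is how you find users with a missing attribute, for example accounts that were created without a department or manager being set.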

4) The physical side of Active Directory

The physical side of Active Directory means your sites and subnets.  If you are familiar with Exchange then the site concept is the same in Server 2003.  SUB NET = split the network, so you split your network into subnets.   The network routers join these subnets to form sites.   Your practical task is to tell Active Directory about the physical sites; Microsoft provide a snap-in to help you define the sites.  Once the sites are created, you configure the Active Directory replication through Site Links.  Lastly, double check that the domain controller objects are in the correct subnet of the correct site.

There are two main reasons for creating a site: slow network connections and the need to control Active Directory replication traffic.  What confuses beginners is that there is no relationship between sites and domains.  Amateurs think there is a one to one relationship between a site and a domain - wrong.  You can have one domain with many sites.  Multi-nationals may need one site to hold domain controllers from three different domains.

Plan your sites with a TCP/IP and router expert; thereafter you will only need an occasional change to the configuration.  Users and computers, on the other hand, always seem to need their Active Directory settings changing.

5) The logical structure of Active Directory

How you view the logical side of Active Directory depends on your company background.  Small companies will start with just one Domain and focus their efforts on how many Organizational Units they need.  A network architect at a large company will be primarily concerned with how to link DNS names with Domain names, whether to have a blank root domain, and whether a subsidiary would be best in its own tree.

Logical Components

 

6) The Active Directory Schema

At its heart, Active Directory is an object based system.  The main objects are Users, Computers, Sites and Printers.  Microsoft have built these objects using attributes, for example Common name (CN), Location, Department and many more.  Our role as administrators is to set the values, for example Common name = guyt, Location = Worcester.  At this stage in our education, all we need to know is: we just configure the values through Active Directory Users and Computers, we do not mess with the Schema itself - that is a job for a developer.

The only other practical point we need to be aware of is that when you install Exchange 2000 or 2003, you have to be a member of the Schema Admins and Enterprise Admins.  Also, once Exchange is installed the User objects will have more tabs with attributes like Mailbox, email address and instant messaging.

7) Group Policy and Active Directory

My first point is that without Active Directory, there would be no Group Policies.  Group policies encourage central control of the desktop.  Your mantra should be 'prevention is better than cure'.  My vision of a group policy is to pamper users with all the software they need, yet deny them access to any part of the computer where they have no business to roam.

The best kept secret of group policy is the chance to assign software to users.  Many administrators get so carried away locking down the desktop that they overlook the chance to deploy software.  The advantage of this method of rolling out software is the ease with which you can service pack or update the .MSI installer files.

Do you remember the Organizational Units?  Well, part of the reason for creating them was so that you could apply group policies.  I mention this as a justification for studying all the facets of Active Directory before you start configuring.  The one group policy that you need to apply at the domain level is the security policy.  Reluctantly, I will leave further discussion to the Group Policy 2003 section.


Active Directory in Windows 2003 - Advanced

Windows Server 2003 Active Directory - Advanced

This section assumes a working knowledge of Active Directory.  If you are not familiar with Forests, Trees and OUs then check out the Active Directory - Intro; if you are up to speed on the basics then read on.

My twin goals are to give you configuration tips and provide background information before you deploy Active Directory.  My greatest wish is that you will be able to make informed decisions for yourself.

Topics

Forest

The Forest is the highest level in Active Directory.   Logically, a forest is a collection of domains all joined by parent child trusts.  Another way is to think of a forest as a group of trees branching from a root domain.  From a technical standpoint, all objects in the forest share the same schema definitions.

What is new in Server 2003 is that you can have trusts between different forests; this was not possible in Windows 2000.  Microsoft are making it easy for companies who merge or take over smaller organizations.

Domains

The domain remains the basic unit of Active Directory.  From a technical point of view, domains are the security boundary of Active Directory.  From a practical point of view this means that security policies set at the domain level cannot be changed at the OU level.

Users do not need to know which tree, forest or even OU they belong to, but they should know which domain to select at logon.  The modern way for a user to logon is to enter their User Principal Name (UPN) in the domain logon box.  The UPN looks like an email address; for example guyt@CP.com.

Domain controllers need to replicate directory information with all other domain controllers in their own domain.  If this replication is slow or chokes a slow link, then first try separate sites; if that solution does not work then consider separate domains in each geographic location.

Organizational Units

When planning your Active Directory, divide and rule is a good maxim.  Learn from the mistakes of NT 4.0 where there were too many domains.  With Active Directory keep to a few domains, but create lots of OU's which you then delegate.  The trick is to keep overall control, harness the benefits of belonging to a domain, while allowing local administrators to create users, and reset passwords.

Installing Active Directory

With installations, 7 minutes of planning will save an hour for rework. The secret of troubleshooting Active Directory installs is mastering DNS.  I find NSLookup invaluable, also Ipconfig's new switches /registerdns and /flushdns are handy.

Procedure for creating a Domain Controller

The key to success is preparation.  Decide your DNS and enter the name in the Computer Name Tab in the System Icon (Windows Key + Pause).  Whilst this section deals with the nuts and bolts of an installation, take care to design your Active Directory forest, for example, account naming strategy, top level OUs, group policies.

Now you are ready to run DCPROMO.

DCPROMO decisions

To call for the Active Directory Installation Wizard, Start, Run DCPROMO and answer these questions:

  1. New Domain - or Replica (another DC in the same domain)
  2. Domain Tree in existing forest - or New Domain Tree
  3. Domain in New Forest

Active Directory Physical Site Topology

The physical structure of Active Directory is much like sites in Exchange.  Firstly sites are completely independent of the Domain and Tree logical structure.  Secondly sites are defined by the subnet that the servers are on.  Thirdly you need to create and configure a site connector to join and synchronise Active Directory between different sites.

Windows 2003 uses a change notification system to keep all the domain controllers synchronised.  When you have more than one domain controller there will be a delay of 15 seconds in changes reaching the other partners at the same site. (Reduced from 5 minutes in Windows 2000)

The reasons for creating a second site would include, slow network links and the desire to control directory replication.  The site connectors allow you to control the intervals between replication, the default is 3 hours.  Do remember to create subnet objects and to associate them with the appropriate sites.  While Windows 2003 clients automatically work out which subnet they are in, you have to manually assign the server the correct IP and use the Active Directory Sites and Subnets snap-in to configure the server object.
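The subnet-to-site association described here and in the introduction's "physical side" section is what the domain controller locator relies on, so here is an added example (not code from the original page) that reproduces the lookup: a client IP is matched against subnet objects by longest prefix, the result names the site, and the site decides which domain controllers the client prefers.  The sites, subnets and server names are constructed; the fallback when no subnet object matches is simplified (the real locator also tries the next-closest site), but it shows the failure mode the text warns about: a client with no matching subnet gets no site and may authenticate across a slow link.

```python
"""Map client IP addresses to Active Directory sites through subnet objects,
the way the DC locator does, and show what happens when a subnet object is
missing. Added example, not from the original page; the sites, subnets and
domain controllers are constructed."""
import ipaddress

# Constructed subnet objects (Active Directory Sites and Services -> Subnets),
# each associated with a site.
SUBNETS = {
    "10.209.12.0/24": "Worcester",
    "10.209.0.0/16": "UK-Hub",        # wider subnet: the more specific one wins
    "192.168.50.0/24": "Paris",
}

# Constructed domain controllers and the site each server object sits in.
DCS = {
    "LogonServer": "Worcester",
    "dc2": "UK-Hub",
    "dc-paris": "Paris",
}


def site_for(ip, subnets=SUBNETS):
    """Longest-prefix match of ip against the subnet objects; None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def preferred_dcs(ip, subnets=SUBNETS, dcs=DCS):
    """Domain controllers in the client's own site. With no site match the client
    has no preference and may end up on any DC, possibly across the WAN
    (simplified: the real locator also tries the next-closest site first)."""
    site = site_for(ip, subnets)
    local = sorted(dc for dc, s in dcs.items() if s == site)
    return local if local else sorted(dcs)


def unmapped_clients(ips, subnets=SUBNETS):
    """Clients whose address matches no subnet object: the usual cause of
    logons crossing slow links. Feed this the address ranges at each office."""
    return [ip for ip in ips if site_for(ip, subnets) is None]


if __name__ == "__main__":
    for ip in ("10.209.12.20", "10.209.40.7", "192.168.50.9", "172.16.1.1"):
        print(ip, "->", site_for(ip), preferred_dcs(ip))
```

Running unmapped_clients over a list of each office's addresses before you switch on a new site is a cheap way to catch the missing subnet object that the text tells you to double check.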


Active Directory Tools

Note that you can install the tools below and run from an XP machine.  What you need is Adminpak.msi from the Server CD.  If your adminpak does not work on your client machine, check Microsoft's web site.  There are a number of permutations of W2K3, W2K, XP, and W2K Professional, fortunately Microsoft have a tool for each combination.  If all else fails, then Remote Desktop into the server from the client.

Three basic Active Directory Tools

Three advanced utilities

Check list for further investigation


Active Directory in Windows 2003 - DNS

Introduction to DNS in Windows Server 2003

This page concentrates on configuring DNS for Active Directory.  DNS plays a vital part in planning Active Directory names, and once Server 2003 is up and running, DNS settings are the first place to check when there are slow connection problems.

My goals are to give you configuration tips and provide background information about Active Directory.  My greatest wish is that you will be able to make informed decisions for yourself.

Topics

The Primary Purpose of DNS

Sometimes, particularly in troubleshooting, you have to go back to basics.  Keep in mind that the primary point of DNS is to map a server's name to an IP address.  Example:  LogonServer  -  10.209.12.20.

Users need a range of resources, from printers and home directories to global catalog servers and Kerberos authentication for logon.  The role of DNS is to respond to users' requests for a resource by providing the IP address of the servers.

The extra dimension of DNS with Active Directory is the _SRV records.  These service records tell you not only the server's IP address but also the services that it offers.  Here is a Kerberos example: _kerberos 88 (Port) LogonServer.TopBanana.com.

User's perspective - "I want to logon."

DNS with Active Directory - "I will look in the _SRV records for a server which offers Kerberos authentication."

DNS host record - "Here is the IP address of that server you need".
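The three-line conversation above is exactly what a client's resolver does.  As an added example (not code from the original page), here is a small Python script that walks through it: it reads SRV records, orders the answers the way RFC 2782 requires (lowest priority first, weighted random among equal priorities), and then maps each target host to its A record.  The zone data, host names and addresses are constructed, though they follow the LogonServer.TopBanana.com example in the text.

```python
"""Resolve a service the way an Active Directory client does: look up the
_SRV record for the service, order the answers per RFC 2782 (lowest
priority first, weighted random within a priority), then map each target
host to its A record. Added example, not code from the original page; the
zone data below is constructed."""
import random

# Constructed zone-file records for TopBanana.com.
# SRV fields after the type: priority  weight  port  target
ZONE = """
_kerberos._tcp.TopBanana.com.  600 IN SRV 0  100 88  LogonServer.TopBanana.com.
_kerberos._tcp.TopBanana.com.  600 IN SRV 0  100 88  dc2.TopBanana.com.
_kerberos._tcp.TopBanana.com.  600 IN SRV 10 0   88  dc-dr.TopBanana.com.
_ldap._tcp.TopBanana.com.      600 IN SRV 0  100 389 LogonServer.TopBanana.com.
LogonServer.TopBanana.com.     600 IN A 10.209.12.20
dc2.TopBanana.com.             600 IN A 10.209.12.21
dc-dr.TopBanana.com.           600 IN A 10.209.99.5
"""


def parse_zone(text):
    """Split zone text into SRV records (by owner name) and A records (by host)."""
    srv, a = {}, {}
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        name, rtype = f[0].lower(), f[3]
        if rtype == "SRV":
            prio, weight, port, target = int(f[4]), int(f[5]), int(f[6]), f[7].lower()
            srv.setdefault(name, []).append((prio, weight, port, target))
        elif rtype == "A":
            a[name] = f[4]
    return srv, a


def order_srv(records, rng):
    """Order SRV tuples (prio, weight, port, target) per RFC 2782."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = pool[0]
            if total > 0:
                # weighted random: a record's chance is proportional to its weight
                n = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r[1]
                    if acc > n:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def locate(service, domain, zone_text=ZONE, seed=None):
    """Return [(host, port, ip), ...] in the order a client should try them.
    An empty list means no server advertises the service (missing SRV records)."""
    srv, a = parse_zone(zone_text)
    owner = "%s._tcp.%s." % (service.lower(), domain.lower().rstrip("."))
    rng = random.Random(seed)
    return [(target.rstrip("."), port, a.get(target))
            for _, _, port, target in order_srv(srv.get(owner, []), rng)]


if __name__ == "__main__":
    for host, port, ip in locate("_kerberos", "TopBanana.com"):
        print("%s:%d -> %s" % (host, port, ip))
```

The priority-10 record for dc-dr shows how a disaster-recovery domain controller can be published in DNS yet only be chosen when every priority-0 server has failed; an empty result from locate is the symptom you see when DCPROMO has not registered the records at all.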

Integrating DNS and Active Directory

The key reason for integrating DNS and AD is efficiency.  This is particularly true where you have lots of replication traffic.  Even if you have a fast network, it makes sense for DNS changes to be replicated alongside Active Directory changes, rather than having their own separate system.

Windows 2000 (and later) DNS systems use IXFR (Incremental Zone Transfer), which means that only changes are replicated, not the whole database.  The disgraceful situation in NT 4.0 was that if you added one DNS record then all records were transferred during the update, thus creating unwanted extra network traffic.

Importance of Naming and DNS

DNS names and Active Directory names.

The confusion arises because both DNS and Microsoft's Active Directory use the word domain.  It may be better if you think of, and refer to, DNS zones and Active Directory domains.  It is often a very good idea to have the DNS zone and the Active Directory name the same.  For example DNS zone TopBanana.com, Active Directory root domain TopBanana.com.  However, this arrangement can add to the confusion unless you are clear about the distinction between DNS and Active Directory.

Naming your Active Directory Forest

It is crucial to understand all the implications of your naming conventions, especially the relationship between domain name and DNS name.  Learn from the mistakes of others.  One urban myth circulating has it that all the first 10 companies who installed Windows 2000 Active Directory, had to go back to the drawing board and start again.  What was their problem?  In each case they got their naming strategy wrong.  (or they did not have a strategy).

The first question is: are you going to use an existing DNS name?  If you are using an existing domain name, will you use the same name for your first domain?  A supplementary question: will the Root domain be blank, or will it be your HQ domain?  There are no right or wrong answers to these questions; what I am saying is that once you make your decisions you need detailed plans to ensure it works and that you do not have to rip it all up and start again.

How many domains do you need?  I do have a view here: as few as possible.  Good reasons for having more than one domain: multi-national company, incompatible security needs, different language versions of Windows 2003.  Bad reasons for having a new domain: there is a new manager in a division, a region wants complete control of its IT.

If you do find this planning too much, then either make a single domain work for you, or else employ a network architect who is used to sorting out these naming dilemmas.

Practical configuration of DNS and DCPROMO

The scenario: you are about to install your first Active Directory domain controller.  Remember that whenever you install Windows Server 2003 it begins life as a member server.  To install Active Directory go to the Start Menu, then Run, DCPROMO and so create a domain controller.  But before you do that, check out DNS.

Begin in the System Icon, Computer Name (Tab), Change, More.. Primary DNS Suffix of this Computer.  Make sure the settings are as per plan.

Double check the Network Connections, Local Area Network, TCP/IP properties, Use the following DNS server address: does this point to itself, or to the correct DNS server?  I would fill in both DNS server boxes if you have two DNS servers.

Install DNS through Add or Remove Programs, Windows Components, Networking Components, Details, DNS.  If this is your first server I would run DCPROMO without any more configuration at this stage.  My tactic is to let the Wizard add and populate the Forward Lookup Zone.

Seven post installation Active Directory and DNS checks

  1. Once DCPROMO creates Active Directory records in DNS, then I would create the reverse lookup zone and test it with NSLOOKUP.
  2. Check the Event Viewer which is now just under the DNS server object.  Look up any suspicious error messages in TechNet.
  3. Right click the DNS server, Properties, Monitor (Tab), Test Now.  Should the Recursive query fail investigate the Root Hints. (I have never seen the Simple Query fail.)
  4. If you are not connected to the internet, you may wish to create a '.' (dot, period, full stop) root domain and point the Root '.' to your domain.
  5. Many of us believe that you have not proved Active Directory is working properly until you have installed a second domain controller and seen replication of users.
  6. Set a date to switch to 'Raise Domain Functional Level'.  I used to call this switching to Native Mode, but now it is more complex.  When you have no more NT 4.0 BDCs, raising the domain level turns on features like Universal Groups, group nesting, RAS Policies as well as extra Exchange functionality.
  7. Once DCPROMO installs Active Directory, then I would check that at least 4 _msdcs records are created; if not I would stop and start the Netlogon service and check again.  Still no _msdcs records?  I would reboot, take a 10 minute break and look again in DNS.

    Experience tells me that either DCPROMO works and there is no problem, or else it is very stubborn.  If there is still no sign of Active Directory records in DNS, I would run DCPROMO, demote and start again at the beginning.  In the case of a test installation, I would change the Computer name and the domain suffix before trying again.
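Check 7 above says to look for the _msdcs records but not which ones, so here is an added example (not code from the original page) that names the four SRV records Netlogon registers for every domain controller (the DC, KDC, global catalog and PDC emulator entries under _msdcs) and checks a zone listing for them.  The listing is constructed; in practice you would paste in the output of a zone dump or of ls -t SRV from nslookup.

```python
"""Check that the _msdcs SRV records Netlogon should register after DCPROMO
are present in a zone listing. Added example, not from the original page;
the record names are the standard ones Netlogon registers and the zone
listing is constructed."""

# Constructed listing in the "name TTL class type data" form a zone dump uses.
ZONE_LISTING = """
_ldap._tcp.dc._msdcs.topbanana.com.     600 IN SRV 0 100 389  logonserver.topbanana.com.
_kerberos._tcp.dc._msdcs.topbanana.com. 600 IN SRV 0 100 88   logonserver.topbanana.com.
_ldap._tcp.gc._msdcs.topbanana.com.     600 IN SRV 0 100 3268 logonserver.topbanana.com.
_ldap._tcp.pdc._msdcs.topbanana.com.    600 IN SRV 0 100 389  logonserver.topbanana.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.topbanana.com. 600 IN SRV 0 100 389 logonserver.topbanana.com.
logonserver.topbanana.com.              600 IN A 10.209.12.20
"""


def required_msdcs_names(domain):
    """The SRV owner names every DC in the domain must have (gc is registered
    under the forest root, which is the same name in a single-domain forest)."""
    d = domain.lower().rstrip(".")
    return [
        "_ldap._tcp.dc._msdcs.%s." % d,       # domain controllers (LDAP)
        "_kerberos._tcp.dc._msdcs.%s." % d,   # KDCs for Kerberos logon
        "_ldap._tcp.gc._msdcs.%s." % d,       # global catalog servers
        "_ldap._tcp.pdc._msdcs.%s." % d,      # the PDC emulator
    ]


def msdcs_srv_records(listing):
    """Return {owner name: [(port, target), ...]} for SRV records under _msdcs."""
    found = {}
    for line in listing.strip().splitlines():
        f = line.split()
        if len(f) == 8 and f[3] == "SRV" and "._msdcs." in f[0].lower():
            found.setdefault(f[0].lower(), []).append((int(f[6]), f[7].lower()))
    return found


def check_dc_registration(listing, domain):
    """Report the _msdcs SRV count and which required names are missing.
    'ok' mirrors the rule of thumb in the text: at least 4 records, none missing."""
    found = msdcs_srv_records(listing)
    missing = [n for n in required_msdcs_names(domain) if n not in found]
    total = sum(len(v) for v in found.values())
    return {"srv_count": total, "missing": missing, "ok": not missing and total >= 4}


if __name__ == "__main__":
    print(check_dc_registration(ZONE_LISTING, "TopBanana.com"))
```

A missing _ldap._tcp.gc._msdcs entry with the other three present usually means the server is not a global catalog rather than a DNS fault; the Global Catalog section later on this page covers that setting.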

Windows Server 2003 - Global Catalog Server

Windows Server 2003 - Global Catalog

Mastering Global Catalog will not only give your users a better network experience, but also teach you about Windows Server 2003's Active Directory.  Global Catalogs are deceptive.  The bigger your Active Directory forest the more important it is to configure Global Catalogs.  If you have Exchange 2003, then there are extra reasons to position Global Catalogs close to the users.

Topics for Windows Server 2003 Global Catalog

Global Catalog - From a Users Perspective

Your average user wants answers to questions such as 'Where are you, Domain Controller?' or 'Find this email address in the GAL'.  Naturally people don't normally vocalise these requests; however, they logon to the domain and they attempt to send email with Outlook.  The role of the Global Catalog Server is to answer requests for network resources, for example, LDAP queries to find a Domain Controller, or an Exchange 2003 Server.

Global Catalog - Key Concepts

Now we come to the key Global Catalog concepts.  Surprisingly, not every domain controller is a global catalog server.  The reason is that by default there is only one global catalog server.  Microsoft's thinking is that you may not want the extra overhead of being a global catalog server, and the more global catalog servers the more replication traffic on your network.

Every Domain Controller knows about its own domain, after all, managing directory services is what a Domain Controller does.  However, Domain Controllers that are also Global Catalog Servers know about other domains (key point).  Microsoft's paranoia is that there may be restrictions on a Universal Group in another domain, therefore, before a user logs on the Domain Controller must be able to enumerate Universal Group membership, just in case a Universal Group and hence a user, has been denied access.  Incidentally, you may have seen Universal Group Caching which neatly solves this latency.   Universal Group Caching is one of the new features of Windows Server 2003.

Configuring Global Catalog

Configuring a Domain Controller as a Global Catalog is a knack.  Once you have drilled down and checked the Global Catalog box, you always remember that tortuous path.

Let us begin at the Active Directory Sites and Services snap-in.  Expand Sites, Default-First-Site-Name, Servers.  Select your server and seek the NTDS Settings, right click and choose Properties.  All that remains is to tick the Global Catalog box. (See Diagrams Opposite)

With Windows 2000 Server you have to reboot; eccentrically, the interface does not tell you to reboot.  All this nonsense is cured in Windows Server 2003: you do not have to reboot when you enable or disable Global Catalog.

The only variation on these instructions is that your servers may be in different sites and not in the strangely named, Default-First-Site-Name. 

If you have firewall restrictions, LDAP uses port 389 for read and write operations and port 3268 for global catalog search operations.

No worries if you only have one Domain.

To be honest, if you have only one domain then nothing bad will happen if you don't have a local Global Catalog server.  However, if you have a forest then delays can be a problem - unless you place Global Catalog servers judiciously.  The root of the problem is enumerating Universal Group membership.  In a single domain it's pointless using Universal Groups, and even if you did, they will only be users in your domain.  There are no other domains to check.

Global Catalog Servers Summary

The key point with Active Directory is that Domain Controllers which are not also Global Catalog Servers cannot deduce Universal Groups in other domains.  For security, until they contact a Global Catalog server, Domain Controllers cannot proceed with the logon request.  With this knowledge you can plan extra Global Catalog servers.  However, if you only have one domain, there is no need for any more Global Catalog servers.


Group Policy for Windows 2003 Server - Home

Who is this Group Policy Section for?

What are Windows 2003 Group Policies?

With planning, Group Policies can control every aspect of a computer desktop.  Whilst the plan is to control the configuration of both the user and the computer settings, the technique is to define each setting once in an Active Directory Group Policy.  For example, if you need to change everyone's proxy server, then add the IP addresses to a Group Policy rather than edit every Internet Explorer manually.

It may help to remember that Group Policies manipulate registry values, so if the item that you want to control is in the registry, then it can be set by a policy.  Where registry keys do not have ready-made policies, it is possible to create your own policy templates.  However, designing your own templates would be a specialist job for your developers.

Some say there are 700+ built-in policies for XP, while others tell me that there are over 850.  Whatever the exact total, the point is that Group Policies are here to stay, and that each new version of Windows will bring yet more settings to organize the desktop.  Here are the commonest policy categories for XP / Windows Server 2003.  Incidentally, Windows Server 2003 SP1 added hundreds more Group Policies, particularly to the Inetres (Internet Explorer) section.

Guy's Group Policy Mission

My mission is to bring each Group Policy category or folder to life.  I want to save you time by concentrating on what I consider are the best settings in each Group Policy folder.  Look out for 'Guy's top selections' on each page.  Occasionally, I express an opinion that a policy is of limited use - no sitting on the fence!  However, even if a policy is only needed for specialist configurations, I still point out its purpose, just in case it applies to your situation.

Before you begin evaluating policies, I urge you to decide on the security rating of your organization.  It is important to have a reference point, otherwise it will be difficult to gain a perspective of what makes sense for your users.  My advice is aimed at those who need medium security settings for their domains; therefore, if you are a high or low security company then make the necessary adjustments when assessing my selections.

Remember that the more security you enforce, the more work there will be for you.  For instance, do not insist on 14 letter, complex passwords just because they are the highest settings.  However, if there is a good business case for this level of security, then fair enough, but do take on extra help desk staff to cope with the resultant password lockouts.

Pre-requisites for creating policies

Next step

If you are itching to start configuring Group Policies, the best place to begin is here at User Configuration, Administrative Templates.


Windows 2003 - GPMC (Group Policy Management Console)

GPMC (Group Policy Management Console)

The GPMC is one of THE best new features in all of Windows Server 2003.  Within the GPMC is a rich variety of tools for creating, editing, observing, modeling and reporting on all aspects of Group Policy.  As an example, my old friend 'Barking Eddie' spent two weeks documenting all the Group Policies for one company; when I showed him the GPMC, he was crestfallen and said he could have done that same job in half an hour with GPMC.

GPMC (Group Policy Management Console) Introduction

Getting started with GPMC

Once I installed the GPMC.msi, at first I carried on in my old ways.  When I wanted to check a group policy I launched Active Directory Users and Computers and right clicked the domain, Properties, and thence to the Group Policy tab.  (See Diagram.)

However I soon found that you could add a GPMC snap-in to the MMC, and this is now my preferred method of accessing the GPMC. 

Right from the outset, the GPMC gives you the big picture.  You can see the range of places to look for Group Policies, from the Forest at the top, through to the Domain and down to the Sites.  The OU Group Policies are hidden under the domain; note that OUs have a little book symbol that is absent from the Users, Builtin and Computers containers.  If you see the book symbol then you can create a Group Policy, whereas if all you see is a blank yellow folder, then you cannot create a Group Policy.  The GPMC also lists any Models or Policy Results.

RSoP Snap-in (Resultant Set of Policy)

Microsoft provide a snap-in called RSoP for showing a given combination of policy settings.  I find that if you install the GPMC, then you do not really need this RSoP.  However, if you have Windows 2000 and no GPMC then the RSoP is intuitive to use and comes in two modes:

Gpupdate

I am so pleased that Windows 2000's Secedit has been superseded by Gpupdate on XP, the old Secedit syntax was horrendous.   Mostly, I just run plain Gpupdate in a 'Dos Box',  occasionally, I append the following switches:

/target:computer  or /target:user applies only the user or computer section of your policy.  Normally I would use plain Gpupdate without the optional target switch.

/logoff   Useful for settings that do not apply until the user logs on again.

/boot   Handy for configurations which need the computer to restart. 
          N.B. /boot does not mean apply the settings every time the computer reboots.

/force reapplies all settings

Gpresult

While I prefer the GPMC console above, Gpresult is a handy command line utility to display the results of Group Policy.  What I particularly like is the /user switch.  Take the example where you are logged on as the administrator, but wish to test the settings of a user called Psycho.  Rather than logoff then logon as that user, just type: gpresult /USER psycho.  Do remember the /USER; gpresult /psycho would be a mistake.


Dcgpofix

This handy command line utility restores the default Group Policy objects to their original state.  You find this 'get out of jail card' = Dcgpofix in the \windows\repair folder.  However, because the \windows folder is in the 'Path' you can just run Dcgpofix in a 'Dos Box'.

Syntax and Switches

dcgpofix [/ignoreschema][/target: {domain | dc | both}]

Example: dcgpofix /target: domain

Caution

This tool will restore the default domain policy and also the default domain controllers policy to their state just after installation.  Naturally, when you run dcgpofix, you lose all changes made to these Group Policies.

By specifying the /ignoreschema parameter, you can enable Dcgpofix.exe to work with different versions of Active Directory. However, default policy objects might not be restored to their original state. To ensure compatibility, use the version of Dcgpofix.exe that is installed with the operating system.

Remember that the GPMC is designed for Windows Server 2003 rather than W2K.  Get your copy of GPMC.msi as a download from Microsoft's site.  While I am assured that the GPMC will work on Windows 2000 Domains, I have not got it to run yet!  (However I have not tried that hard as I now prefer Server 2003.)

The GPMC unifies Group Policy management across your Active Directory forest.  Before the GPMC, administrators needed multiple tools to manage Group Policy; the Microsoft Active Directory Users and Computers, the Delegation Wizard, and the ACL Editor.  Not only does the GPMC integrate the existing Group Policy tools, but also it brings these exciting new capabilities:


Installing Windows Server 2003

The purpose of this section is to help you with the practicalities of a physical installation of Windows Server 2003.  However, I strongly recommend detailed planning of Active Directory before you roll out Windows 2003 Server on a production network.

Part 1 - Installing Windows Server 2003 - Member Server

A straightforward section on building your member server.  Remember to plan which 'flavour' of Windows Server 2003 you need.

Check where Windows Server 2003 comes in Guy's index for installing Microsoft products.

Part 2 - Installing Active Directory

This is the trickiest section; you really do need to practise running DCPROMO on a test network.  Pay close attention to your DNS settings.  Spend time designing the whole Active Directory forest, not just one domain controller.

What's new with Installs for Server 2003

New command line tool ADPREP, also extra switches for DCPROMO.  Perhaps the easiest way to install is from a backup of an existing domain controller.

Installing XP or Windows 2000 Professional

Ghost is still a popular method for installing clients, but I prefer to use RIS (Remote Installation Service).  The time spent in configuring RIS pays back handsomely when you want Group Policies to apply from day one.  RIS is more tolerant of variations in hardware than ghost images.


Windows Server 2003 - Installing Active Directory

Part 2 - Installing Active Directory

With installations, 7 minutes of planning will save an hour of rework.  The secret of troubleshooting Active Directory installs is mastering DNS.  I find NSLookup invaluable; also Ipconfig's new switches /registerdns and /flushdns are handy.

Topics for Installing Active Directory

What's new in Windows Server 2003?

ADPREP

Here is a built-in command line tool that will prepare the schema.  It does not actually install the NTDS.dit files, but it does prepare the forest or the individual domain for Active Directory.

ADPREP /forestprep

ADPREP /domainprep

DCPROMO /adv

If you already have a working domain controller, back up the system state, go to a member server, run DCPROMO /adv and then point the wizard to the backup files.

Procedure for creating a Domain Controller

The key to success is preparation: 

Decide on your DNS name and enter it in the Computer Name tab of the System icon (Windows Key + Pause).  Whilst this section deals with the nuts and bolts of an installation, take care to design your Active Directory forest, for example the account naming strategy, top level OUs and group policies.

Now you are ready to run DCPROMO.

DCPROMO decisions

To call for the Active Directory Installation Wizard, Start, Run DCPROMO and answer these questions:

  1. New Domain - or Replica (another DC in the same domain)
  2. Domain Tree in existing forest - or New Domain Tree
  3. Domain in New Forest

Crucial Install DNS Stage

There are many ways of installing DNS, but I favour doing as little as possible myself and letting the DCPROMO Wizard do as much as possible.  For example, here is a crucial stage where DCPROMO needs DNS; I always select the middle option, 'Install and Configure DNS on this computer...'.  To be crystal clear, I do NOT configure DNS myself, I let the Wizard create all those _msdcs records.

Best practice

Remember that the Active Directory can grow so make sure the partition has at least 300 MB of free space for NTDS.dit itself, and 100 MB for the log files.  Talking of the logs, install the edbxxx.log files on a separate disk.

Post installation considerations

To verify that installation has run smoothly check the following:

  1. DNS _SRV record: _msdcs, _sites, _tcp, _udp.  Also the GC, DC records are essential for users to find the global catalog and domain controller in order to logon.  If these records do not appear, try stopping and starting the Netlogon service.
  2. Run %systemroot%\sysvol and look for domain folders.
  3. Check the System and Directory Service Event logs for error messages.
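To see what those _msdcs records actually do for a client, here is an added example (not part of the original page) that builds the SRV query a workstation sends to locate a domain controller and parses the reply, including DNS name compression; the domain guydom.local, the host names and the hand-built reply are all constructed for the example.

```python
import os
import socket
import struct

SRV_TYPE = 33      # RFC 2782 SRV record
IN_CLASS = 1


def encode_name(name):
    """Encode a dotted DNS name as length-prefixed labels (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name, qid):
    """A single-question query packet, recursion desired, for an SRV record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def read_name(data, offset):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:               # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_srv_response(data, qid):
    """Return the SRV answers as dicts, best candidate first (RFC 2782 order)."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch: possible spoofed or stale reply")
    rcode = flags & 0x0F
    if rcode != 0:
        raise ValueError("DNS error, rcode=%d (3 = no such record)" % rcode)
    offset = 12
    for _ in range(qdcount):                    # skip the echoed question
        _, offset = read_name(data, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", data[offset:offset + 6])
            target, _ = read_name(data, offset + 6)   # SRV targets are never compressed
            records.append({"name": name, "priority": prio, "weight": weight,
                            "port": port, "target": target, "ttl": ttl})
        offset += rdlen
    records.sort(key=lambda r: (r["priority"], -r["weight"]))
    return records


def find_domain_controllers(domain, nameserver, gc=False, timeout=3.0):
    """Live lookup: ask nameserver for the DC (LDAP 389) or GC (3268) locator records."""
    name = ("_gc._tcp.%s" if gc else "_ldap._tcp.dc._msdcs.%s") % domain
    qid = int.from_bytes(os.urandom(2), "big")   # unpredictable id, as a resolver should use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name, qid), (nameserver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data, qid)


def constructed_response(qid=0x1234):
    """A hand-built reply for guydom.local, constructed for this example (not a capture)."""
    qname = "_ldap._tcp.dc._msdcs.guydom.local"
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 2, 0, 0)     # response, RD, RA, rcode 0
    question = encode_name(qname) + struct.pack("!HH", SRV_TYPE, IN_CLASS)

    def answer(weight, target):
        rdata = struct.pack("!HHH", 0, weight, 389) + encode_name(target)
        # 0xC00C is a pointer back to the question name at offset 12
        return b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata

    return header + question + answer(100, "dc1.guydom.local") + answer(50, "dc2.guydom.local")


if __name__ == "__main__":
    for rec in parse_srv_response(constructed_response(), 0x1234):
        print("%-35s -> %s:%d (priority %d, weight %d)" % (
            rec["name"], rec["target"], rec["port"], rec["priority"], rec["weight"]))
```

Against a real DC, find_domain_controllers("guydom.local", "<dns server ip>") returning an rcode 3 error is the same symptom as the missing _msdcs records described above, and restarting Netlogon is the first thing to try.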

Demotion back to member server

If the worst comes to the worst, run DCPROMO to demote, then try again making different decisions.


Windows Server 2003 - Install Member Server

Part 1 - Installing Windows Server 2003 - Member Server

The purpose of this page is to help you with the practicalities of a physical installation of Windows Server 2003.  In fact this phase is easy, if you have ever installed a Microsoft product before then the procedure will be familiar.

Quick, slow, quick quick slow, that is how the install seemed.  The menus were very like XP with excellent PnP and comprehensive driver support.

All the questions that the wizard asked were straightforward and easy to answer.

I particularly liked the timer screen telling me how long there was to go.  My criticism is that there could be a second clock to tell me how long until the next user intervention.  What happened to me was that I left with 34 minutes remaining, only to return half an hour later to a screen asking me to choose a time zone, and still 29 minutes to go.

As I am nearly always online, the product activation was easy, slick and asked for no personal information.

TIPS)  For many years my cry has been: 'You never have a big enough C:\ drive',  this time I went for 10GB. (After 3 days I had used 6.5GB)

Windows Server 2003 Family - Check out the 'flavours' of W2K3

Here is the range of Windows 2003 products that are available.

When you upgrade, you must upgrade like for like; Enterprise W2K to Enterprise W2K3 works.  You cannot mix and match, unfortunately this is not a chance to upgrade Standard to Enterprise server.

Note: The Datacenter version is only available from selected manufacturers; it comes as a package of processors, RAM and the whole machine with the Windows Server 2003 operating system.  You cannot buy Datacenter on CD.  Rumour has it that fewer than 100 Datacenters have been sold worldwide.

Post installation considerations

Check the system logs in the event viewer.  Then plan the role for your member server.

A long time ago I started with Windows v2.0, and each Microsoft product since has had its own personality.  What struck me first with Windows Server 2003 was that it wanted me to tune it for a particular role: File and Print, Application or Domain Controller.  This was the first time that I had seen this up-front tuning, and I liked it.


How to Install Clients with RIS

Remote Installation Service (RIS) in Windows Server 2003

My prediction is that RIS will have a rosy future.  Like its rival Ghost, RIS installs images of XP Professional.  The 'killer' feature of RIS is that right from the moment of conception, before they are even born, the XP machines are under the control of Group Policies.

Topics for RIS

Introduction to RIS

Installing RIS will be difficult; therefore, if you are only concerned with speed and ease of installation, stay with Ghost.  I will go further and say that RIS is by far the most difficult service in Windows Server 2003's Add or Remove Programs.  If you are up for a satisfying challenge, I will guide you through installing and configuring Microsoft's RIS.

Principle behind RIS

RIS is a modern alternative to using imaging software like 'Ghost'.  What you do is create an image of the XP Professional on the RIS Windows 2003 Server.  Then you boot a brand new machine and press F12, the clever part is that the machine's PXE* network card finds DHCP.   What happens next is that Active Directory, DHCP and RIS work together and produce a menu at the client, at this point you select the desired image and then the installation completes automatically.

The way RIS deploys its images reminds me of SysPrep, in particular the way that both technologies use .sif files to hold the setup information.  As we will see, RIS is more complex than SysPrep, but RIS provides far more control of the final XP Professional installation.

RIS Pre-requisites and Dependencies

Active Directory in general and DNS in particular.

DHCP - to enable the PXE network cards to find the RIS Server.

2GB (+) NTFS partition.  Store the image away from the system files.

Virgin client machines with PXE network cards.

One reason that so many people give up with Windows Server 2003's RIS is that there are so many steps to a successful setup.  Moreover some of the configuration tabs are hidden away.  Paradoxically, once you realize that an installation is difficult it becomes easy, my explanation for this paradox is that you take more time and care when the project is challenging.

  1. Logon to the Windows 2003 Server.
  2. Install the RIS Service through the Add or Remove Programs, then reboot.
  3. Go back to the Add or Remove Programs and complete part two of the install where you will be asked for the XP CD and a 2GB NTFS partition to install the 'vanilla' image.
  4. To add more images, create the perfect XP Client, then run RiPrep on the client, I repeat, on the client not the RIS Server.  RiPrep will copy another, more complete image of this client to the RIS server.
  5. A final point, to configure RIS on the server, you need to select the computer object in Active Directory User and Computers, properties, then select the Remote Installation tab.
  6. RIS servers, like DHCP, have to be Authorized before they start servicing clients.
  7. My advice is to investigate Group Policies for RIS, decide on whether to allow the installer to choose setup options, or whether to make the setup silent with no screens and no choices.

* PXE - Pre-execution boot.  A network card that boots and then requests an IP address from a DHCP server.

Limitations of RIS

RIS delivers only clean installs of XP Professional; you cannot use this technology to upgrade clients such as Windows 98 to XP.  While you cannot use RIS to install domain controllers, you can install Windows Server 2003 stand-alone servers, which can then join the domain and be promoted to domain controllers.  Wireless networks do not support PXE network cards, so you cannot use the wireless medium to install XP Professional via RIS.

Summary of RIS

RIS reminds me of DHCP in that DHCP was slow to take off and old timers used to say, 'I would not trust this new fangled DHCP technology'.  Well, if you appreciate the advantages of DHCP, then investigate RIS.

RIS is Windows Server 2003's new way of installing XP (and Windows 2000 Professional) clients.  Unfortunately setting up the RIS server is tricky, but it is worth the effort because RIS will reduce your total cost of ownership.  The final reason for mastering the RIS technology is that this will be the way of the future; it's going to take time, but eventually techies will be weaned off Ghost.


Windows Server 2003 - ADMT and USMT

ADMT (Active Directory Migration Tool) and USMT (User State Migration Tool)

Microsoft offer three utilities to assist with migrating to Windows Server 2003.

Introduction

ADMT v 2.0 (Active Directory Migration Tool)

This is a great tool for copying user account information from an NT 4.0 domain into a different domain in Windows 2003.  The crucial attribute is the sIDHistory, this enables the user object to be identified in the old and new domain.  The prerequisite for using ADMT is that the Windows 2003 domain has to be in Native mode.

You will also need to create a trust so that the NT 4.0 accounts domain trusts the Windows 2003 domain.  As a result the old accounts can be copied across to their new domain.  Let me just clarify that ADMT copies, not moves, the accounts, and that it is a one-time operation without any synchronization.  Should you need account synchronization then deploy the ADC (Active Directory Connector).

Note: You will find ADMT in the \i386 folder on the server CD.

User State Migration Tool

The User State Migration Tool (USMT) copies user settings, files, and documents.  Then you restore these settings on the new machine so users do not have to reconfigure their desktop settings.   It works best for XP and Windows 2000 Professional clients and you do need the client machine to be connected to a domain controller.

There are two command line utilities, scanstate and loadstate, that control the procedure.

Files and Settings Transfer Wizard (XP)

This wizard found on the XP CD includes the same functionality as USMT but does not allow for the fine tuning of the settings that you get with scanstate and loadstate.


Windows Server 2003 - SP1 Service Pack 1

Windows Server 2003 - SP1 (Service Pack)


Service packs have personalities, and the main character of Windows Server 2003 SP1 is security.  There is a similarity between this SP1 for W2K3 and SP2 for XP; for instance, they both have a new firewall.

Microsoft are shifting into proactive mode.  With SP1 they are removing attack points and battening down the hatches; Microsoft seem determined to make it as difficult as possible for malicious code to get a handle on the operating system.  Some say, 'about time too'; others say, 'Microsoft are delivering on their promise to make security a priority'.

Topics for Windows Server 2003 - SP1

What SP1 can do for your Windows 2003 Server?

  1. Fix problems.  For example, 'No Execute Hardware' prevents malicious code from manipulating memory.  SP1 forces RPC and DCOM services to authenticate.
  2. Apply all hot fixes in one go, for example numerous security enhancements to Internet Explorer.
  3. Introduce new features.  As well as a built-in Firewall, there is a Security Configuration Wizard to turn off un-needed services.  It is possible that Microsoft will trial features that will emerge in Longhorn in W2K3 Service packs.
  4. SP1 refines existing features for example, WebDAV redirection.

New Features in SP1

One characteristic of Microsoft's service packs is that they introduce new features.  If you were in the developer's shoes, I guess you would want to try out components that were going to be released in the next generation, Longhorn.

Data Execution Protection (DEP)

I have to say that Microsoft are at their best when they have a vision.  Data Execution Protection (DEP) may have an unfamiliar acronym but it has a worthy goal: to prevent malicious code from disturbing the operating system.  People laughed at PnP (Plug and Pray, Plug and Prey?) but now we take for granted the idea of installing software without user intervention.  One day DEP will be accepted as the norm.

Security Configuration Wizard (SCW)

Here is another concept that Microsoft have been gently pushing, namely that you should identify a role for a server, such as DC, Application or Web, then tune the server to its particular role.  Perhaps de-tuning would be a better word, as the idea is to turn off services that are not required.  In fact, Microsoft led the way by turning off IIS by default.  SCW takes the concept a stage further by providing an interface where you can control security and services all in one place.  Think of SCW as a halfway house between Security Configuration Manager and MOM (Microsoft Operations Manager).

SCW is an optional component of SP1, and as well as a GUI,  SCW has a command line version scwcmd.exe.  You may have noticed the march of XML to format output, as expected the SCW configurations are controlled by XML files.

Problems with service packs

The reason why service packs occasionally cripple servers, is that some machines have a combination of hardware and software that have not been validated for a particular service pack.

I estimate that 95% of all service packs which have ever been applied to any machine, worked perfectly.  However, if you suffer from one of the service packs that cause problems, it's like being mugged.  While your belief is that this misfortune only befalls someone else, when it does happen to you, there is a terrible feeling of shock and betrayal.

Problem with Dell and HP Bios

Dell and HP servers require a BIOS upgrade before you can install SP1.  So, I was wrong when I thought that there should be no problem on mainstream servers.  Perhaps you see what I mean about each service pack having its own personality.

Problem with Exchange 2003

Does your Windows Server 2003 run Exchange 2003?  If so, Windows Hosting recommend waiting for Exchange 2003 Server SP2, before applying Windows Server 2003 SP1.  As far as Microsoft themselves are concerned, there is but one issue with SP1 and Exchange 2003, namely that OWA won't work properly on a clustered Exchange 2003 server.

Problem with Server 2003 SP1 and restoring a complete back up.

We had one of our DCs go down after a failed RAID rebuild.  Fortunately, we had a full backup of the C:, D: and system state.  So we formatted the RAID and reinstalled the new Windows 2003 machine as a standalone server but with the same name as it had before.

On reboot after the restore I got a 'cannot load DDL from kernel'.  It appears that there is an issue with SP1 and a rebuild from a restored backup.  When you rebuild the server with the new OS you must put SP1 back on before restoring your data; apparently some of the files needed from SP1 are not present when doing a full backup (not sure which ones).  However, I can tell you that it worked fine after I rebuilt and got SP1 installed.

Acknowledgement to Daz

Problem with SUS

Another report from Daz.  Apparently SP1 has tightened up on service permissions; the problem went away after giving read access rights to the "Network Service" group on WUSyncSvc.exe and the folder tree SUS\vroot\autoupdate\administration.

Minor Problem with extra security

If there is a problem on Windows Server 2003, then it is most likely the feature has been blocked thanks to tighter security.  The solution is easy, just find the setting and adjust it, for example, remote administration now needs to open port 445 on the firewall.

Other Microsoft applications that failed the compatibility test
Application Center 2000 Service Pack 2
Internet Security and Acceleration Server 2004 Standard Edition
Microsoft Baseline Security Analyzer (MBSA) 1.2.1
Systems Management Server 2003

Third-party applications
Citrix Metaframe XPe FR3
Computer Associates BrightStor ARCserve Backup 11.0
HP Insight Manager 4.0 and Compaq Insight Manager
Kerio Server Firewall 1.0
NetIQ AppManager 5.0.1 and 6.0
NetIQ Group Policy Administrator 2.0
Trend Micro ServerProtect

Test your particular server

The only way to discover the truth is by testing SP1 on one of your Windows 2003 Servers.  One philosophy is to always keep one service pack behind.  However, I don't buy that idea.  Time alone will not magically cure a flaw; you have to test the service pack on a real machine.  If waiting means time spent researching, then fair enough: check your favourite forum or bulletin board for information on hardware / software combinations that give problems.  If you haven't got a spare server, try a parallel installation on an existing machine.

Service Pack Superstitions

An enduring superstition for all service packs is that even numbers are good but odd numbers are bad.  I will leave you to make up your own mind.  Another urban myth is that applying SP1 will transform 120-day evaluation copies into fully blown versions of Windows Server 2003 - wrong.

Incidentally, 'Mad Mick' was telling me that he tried to apply SP1 to one of his 'clients' servers and it would not install.  It turned out to be a pirate copy of Windows Server 2003, and you cannot apply SP 1 to such machines.  Mick started to blame Microsoft, but eventually even Mick had to concede that preventing SP1 running on pirate software, was fair enough.  This really is a case of 'feature by design'.

A 'killer' reason to install SP1 (after testing)

A security guru told me what happens after Microsoft release a security fix.  He claims that hackers reverse engineer the fix and discover the underlying vulnerability.  Then these hackers design a nasty virus which attacks those who did NOT apply the service pack.  So you have to be smart and install SP1 before a new wave of viruses attack your Windows Server 2003.

Some good news, once again SP 1 will 'slipstream' like Windows 2000.  This means that you will NOT have to keep re-applying the service pack as you did with NT 4.0.  How this slipstreaming works is that all the new file versions are stored in the %systemroot%\system32\dllcache folder.  This reminds me, to remind you, to make sure that the %systemroot% partition is plenty big enough to take all these extra files.

How to obtain SP1 for Windows Server 2003

In general SP1 works in just the same way as previous Microsoft service packs.  Keep in mind that all you need is one SP1 file, which can be applied to all your Windows Server 2003 editions, Standard, Enterprise, Web, even the SBS edition.  Talking of the SBS version, Microsoft released a special SP1 for SBS about a month after the regular version of SP1.

Kevin kindly tells me that Microsoft are going to bring out a new edition especially for SBS.  Furthermore, Kevin says while you can apply SP1 to SBS, it's better to wait for the specially designed service pack.

Watch out for another new twist from Microsoft; there are now multiple versions of SP1: one version designed for single server application, one version for deploying to multiple servers, and also a 64-bit Itanium version.  (There are also 2 developer versions with checked code.)  Just to recap, whichever SP1 file you download, it works for all editions of Windows Server 2003.

When I downloaded the SP1 file from Microsoft, the size was about 337 MB.  To then go ahead and install SP1, your server needs a minimum of 700 MB free disk space, 2 GB recommended.

Here is where you can download SP1

Summary SP1 for Windows Server 2003

Test SP1 on your machine now.  Microsoft's worthy goals for this service pack are improved security and reliability.  Watch out for new Windows Server 2003 features, for example the firewall and the Security Configuration Wizard.


Windows Server 2003 - Migrate or Upgrade?

Windows Server 2003 Migration Strategy

There are three possible strategies for a successful transfer from NT 4.0 to Windows Server 2003; my goal is to help you decide which strategy will be right for you.

  1. Migrate to a 'Brand New' Windows Server 2003 domain.
  2. 'In Place' upgrade from NT 4.0 to 2003.
  3. Co-existence of NT 4.0 with Windows Server 2003.

Migration and Upgrade Choices

1. Brand New Domain

Faced with moving to Windows Server 2003, my first choice would be to create a 'Brand New' domain.  There are many advantages of a clean start.  For instance, you may want to change your NT 4.0 domain name to match your DNS name.  Also, you probably want to ditch all that baggage from your old domain.

The hardest part of this strategy is to deal with the user accounts.  Two common solutions are to:

a) Export the old accounts in NT 4.0, then use CSVDE to bulk import into Active Directory.

b) Get ADMT and move the accounts from NT 4.0 into the new domain.

2. 'In Place' upgrade from NT 4.0.

The simplest strategy is to make an 'In Place' upgrade of NT 4.0.  Just insert the CD for Windows Server 2003 into the NT4.0 PDC and the wizard will guide you through the upgrade.  Then repeat this procedure for each of your BDCs.  In my opinion, this 'In Place' method is only suitable for small networks with 10-150 users.  In its purest form, this strategy means finishing on Friday as NT 4.0 and coming in on Monday upgraded to a Windows Server 2003 domain.

One worry with the 'In Place' migration is that there is no easy rollback should things go wrong.  One tactic is to keep a BDC available but off the main network.  If there is a problem with the migration, bring this BDC back and promote it.  Meanwhile, rebuild the previous PDC offline and then try the migration once again.  Alternatively, you could restore from that backup you made before attempting the upgrade.

3. Co-existence of NT 4.0 with Windows Server 2003.

Co-existence would be my last choice.  While it is true that co-existence is the most versatile strategy, it does mean extra work running both NT 4.0 and Windows Server 2003.  If you are not careful, the users become confused, and this would make them hostile to the upgrade - which would be a shame.

I accept that for large organizations, co-existence may be the only practical solution.  At its simplest, it could mean an extension of the 'In Place' strategy by upgrading a few NT 4.0 BDCs each month until the whole organization is native Windows Server 2003.

You could also use Co-existence in conjunction with my first strategy 'Brand New Domain'.  Create a new Windows Server 2003 forest, and then configure trust relationships to the old domain.  Where you need to preserve settings, Microsoft provide good tools to help you move users and their settings across to the new domain, e.g. ADMT and USMT.

At this stage, it is important to reach a preliminary conclusion.  Decide which strategy you are going to deploy, then read these pages to test and refine your Windows 2003 plans.

Where are you now?

My first suggestion is to take stock and ask, 'Where are we now?  Exactly what are our servers running?'  The answers should be easy, we are running NT 4.0 or W2K.  But digging a little deeper, do you know which service packs are installed, the amount of RAM each server has, and the size of the system partitions?  All this is leading up to my key question, 'Will the old machines run the new Server 2003 operating system?'   Also check the HCL (Hardware Compatibility List) on Microsoft's website.  If you are still in doubt, I would download Microsoft's free compatibility testing software and prove that your system will upgrade successfully.

What is your Vision?

Now it is time to clarify, 'Where do you want to get to?'  This is a deceptive question. The answer may not be as simple as migrating to Windows Server 2003.  Perhaps you could use the migration as an opportunity to restructure your domains and consolidate on fewer, bigger servers? (Revise that budget figure and add extra money for new kit).

What I am driving at is that you should develop a vision for IT in your organization.  Imagine the best desktop for your users and think what services they need.  Use migration as an opportunity to reduce costs and increase productivity.  Windows Server 2003 is a good choice to turn your vision into reality.  But wait a minute, which 'flavour' of Server 2003 do you want?  Enterprise, Web or Standard Windows 2003 server?

Finally, which of these routes will you take?

  1. Migration path NT 4.0 --> Windows Server 2003 (Recommended)
  2. Migration path NT 4.0 --> Windows Server 2000 (Consider the option above)
  3. Migration path W2K --> Windows Server 2003 (Easy, but would it be cost effective?)


Windows Server 2003 - OUs and Delegation

Delegation and OUs (Organization Units)

Introduction

In my view, modern domains have lots of OUs, whereas old-fashioned thinking means that all the accounts are created in the one USERS folder.

There is a new breed of people called Network Architects; their role is to help with designing OUs and assist with delegating permissions.  Delegation is versatile; for instance, at the DOMAIN level you could grant the HelpDesk Global group the permission to reset any password in the entire domain.

Another use of delegation would be to give managers complete control of the users in their own department.  With this arrangement managers can create new users, groups and computer objects, but only in their own OU.  Now put on your Network Architect hat and plan those organizational units.

Topics

One problem with NT 4.0 domains was that often there were too many of them.  This came about partly because of the SAM limit of 40 MB, but more likely because each manager wanted total control of their own department.  You can solve this problem in Windows Server 2003 by creating OUs and then allowing departments control over their own users and OUs.  Only create more domains when there is a good business case, for example a multinational company with different languages and vastly different security settings.

Three aspects to planning your OUs

  1. Organize your users by 'filing' them into OUs named after their departments.
  2. Delegate mundane tasks like resetting passwords to local administrators.
  3. Plan desktops through group policies.  Realize that different OUs and departments can have different group policy settings.

1. Organize users by 'filing' them into OUs

By default all users are created in the Users folder.  Much better to distribute users into OUs so that you can manage them more easily.  Once you have organized the user accounts you can apply the same techniques to computers and groups.

2. Delegate mundane tasks like resetting passwords

Take the time-consuming job of account lockouts.  Once you establish OUs and delegation, a local administrator or power user can reset the password and leave you to get on with more interesting work.  You decide which administrators have control over which tasks.  For the more experienced, you could allow them to create user accounts for new joiners and disable accounts for those who have left.

Delegation Tactics

Firstly create groups with delegation in mind. 
Example: Global Group = HelpDesk to allow password changes.
Global Group = HR Deputy to add more users. 

Secondly consider the tactical question: "Do you delegate at the Domain level or at the OU level?"
Example: At the Domain level, delegate HelpDesk, to Reset Passwords.
Example: At the OU HeadQuarters, delegate HR Deputy to create accounts for new staff. 

Active Directory is flexible so you can do both, or change your mind if the strategy changes.
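As an added illustration of the domain-versus-OU question (example code, not from this page or from Microsoft), here is a small Python model of how Active Directory scopes a delegated permission: the access-mask bits and the Reset Password and user/group class GUIDs are the real values from Microsoft's documentation, while the group names, OU names and ACL layout are constructed, and the evaluator ignores deny ACEs and the finer inheritance flags that real AD also honours.

```python
from dataclasses import dataclass
from typing import Optional

# Access-mask bits and GUIDs below are the real values from Microsoft's
# Active Directory documentation; everything else here is a constructed model.
ADS_RIGHT_DS_CREATE_CHILD = 0x0001
ADS_RIGHT_DS_CONTROL_ACCESS = 0x0100          # needed for "extended rights"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"      # schemaIDGUID of class user
GROUP_CLASS = "bf967a9c-0de6-11d0-a285-00aa003049e2"     # schemaIDGUID of class group
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password


@dataclass(frozen=True)
class Ace:
    trustee: str                  # group that was granted the right
    mask: int                     # access-mask bits
    object_type: Optional[str]    # GUID the grant is limited to (None = any)
    inherit: bool                 # CONTAINER_INHERIT_ACE: flows down to children


def parent_dn(dn, domain_dn):
    """Parent container of dn, or None once the domain root is reached."""
    if dn == domain_dn or "," not in dn:
        return None
    return dn.split(",", 1)[1]


def effective_aces(acls, dn, domain_dn):
    """ACEs in force at dn: its own, plus inheritable ones from every ancestor."""
    result, current, own = [], dn, True
    while current is not None:
        for ace in acls.get(current, ()):
            if own or ace.inherit:
                result.append((ace, current))
        current, own = parent_dn(current, domain_dn), False
    return result


def allowed(acls, groups, dn, mask, object_type, domain_dn):
    """True if a principal in `groups` holds `mask` for `object_type` at dn."""
    for ace, _ in effective_aces(acls, dn, domain_dn):
        if (ace.trustee in groups and ace.mask & mask == mask
                and ace.object_type in (None, object_type)):
            return True
    return False


def delegation_report(acls, dn, domain_dn):
    """Audit view: where does each right in force at dn actually come from?"""
    return [(ace.trustee, hex(ace.mask), ace.object_type, source)
            for ace, source in effective_aces(acls, dn, domain_dn)]


# Constructed ACLs following the two tactics above:
#  - HelpDesk: Reset Password at the DOMAIN level, so it reaches every OU
#  - HR Deputy: create user objects, but only in the HeadQuarters OU
DOMAIN = "DC=guydom,DC=local"
HQ = "OU=HeadQuarters," + DOMAIN
SALES = "OU=Sales," + DOMAIN
ACLS = {
    DOMAIN: [Ace("HelpDesk", ADS_RIGHT_DS_CONTROL_ACCESS, RESET_PASSWORD, True)],
    HQ: [Ace("HR Deputy", ADS_RIGHT_DS_CREATE_CHILD, USER_CLASS, True)],
}


if __name__ == "__main__":
    psycho = "CN=Psycho," + SALES
    print("HelpDesk resets Psycho's password:",
          allowed(ACLS, {"HelpDesk"}, psycho, ADS_RIGHT_DS_CONTROL_ACCESS, RESET_PASSWORD, DOMAIN))
    print("HR Deputy creates a user in Sales:",
          allowed(ACLS, {"HR Deputy"}, SALES, ADS_RIGHT_DS_CREATE_CHILD, USER_CLASS, DOMAIN))
    for row in delegation_report(ACLS, psycho, DOMAIN):
        print(row)
```

The report function is the part to keep in mind when auditing: a right that shows up on every OU with the domain DN as its source was delegated at the top, which is exactly the reach the HelpDesk example intends and the HR Deputy example does not.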

3.  Plan desktops through group policies

Incidentally, the default Users container is not an OU and so you cannot set group policies there.  Group policies are the best way to control the user's desktop and to assign the software they need.  Organizational units are the best place to apply most of the policy settings.  The exceptions are security policies, which must be set at the domain level.  By creating OUs you can fine tune which software is assigned to which users.  Customer facing users will need stricter controls over their wallpaper and desktop icons than the back-room team in tech support.

Changes compared with Windows 2000

OUs and delegation are virtually identical in Windows Server 2003 and Windows 2000.  The only relevant new features are improvements to group policies, and they are covered on a separate page.

One minor change is that you can now drag and drop objects between OUs, however take care, you do not want to lose your users!

Creating OUs - Getting Started

Go to the Active Directory Users and Computers, select 'Domain', Right Click, New OU.  Then to delegate Right Click the OU and Delegate is the first item on the shortcut menu.

TIPS)  Firstly, make sure that the Security Tab is available on the OU Properties.  On the above diagram you would go to the View (menu) and select Advanced Features.  Now go back and check the OU, Properties, Security (tab), Advanced should now be there.

When you create OUs balance geographic sites with departmental structure. 
Example: Create a top level of OUs reflecting the branch offices, then nest departments inside each branch OU. 

Delegation - Getting Started

When you right click an OU or the Domain, Delegate control is the first item on the menu.  Once activated, the wizard will lead you through the steps to select the group then choose the tasks to delegate.  It pays to run the wizard a number of times, just to see all the options available.

Recommendations


Windows Server 2003 - Schema

Introduction to Windows 2003's Schema

The Windows Server 2003 Schema Snap-in is not available by default.  There lies a clue that ordinary administrators are not meant to change the Schema.  However, to complete your understanding of Active Directory take time to appreciate the object model that underpins Windows Server 2003.

Topics for Windows Server 2003 Schema

What you need to know about the Schema.

Object based Nature

It is useful to understand the nature of the Schema.  Active Directory is an object based system.  The schema keeps a list of the definitions for each object, such as Computer or User.  The list is divided into Classes and Attributes, and the Schema recycles attributes like location, applying an instance to the site, printer or computer object.

Flexible Master

The Schema is one of the five single master operations; this means that only one domain controller has a read / write copy of the schema.  Take the time to find out which machine holds the Schema Master role: right click the Schema Snap-in and select Operations Master from the shortcut menu.

Modification by Exchange 2003 and Schema Admins

Exchange 2003 relies on Active Directory for definitions of the users' mailboxes.  When you install Exchange 2003, firstly you have to be a member of the Schema Admins global group; secondly, Exchange extends the schema to include extra attributes like mailbox server.  While it is possible to add attributes and classes yourself - resist.  Modifying the schema affects the entire forest and in my opinion should only be done by a developer when there is a clear business need.

Role of the Global Catalog

The Global Catalog server keeps track of a subset of the most important attributes, and the Global Catalog replicates this information to other Global Catalog servers.  Be aware that you can add extra attributes to the list; for example, information on department could be replicated.  The benefit is that you could then search on department or any other attribute that you added.

Major changes compared with Windows 2000

Deactivating attributes

Active Directory will not allow you to delete classes or attributes but you can deactivate them if you are sure they will not be needed.

Improved replication

In Windows Server 2003, only changes in attributes are replicated; the benefit is less replication traffic and less chance of a conflict.

ADPREP

Active Directory preparation (ADPREP) extends the existing schema ready for a Windows Server 2003 domain controller and its NTDS.dit database.  ADPREP uses /forestprep and /domainprep switches, rather like Exchange 2000/2003 setup.

Getting Started

To make the Schema Snap-in appear, first you need to register a DLL: Start, Run, regsvr32 schmmgmt.dll.   Next I add the Schema snap-in to my MMC.   Run, MMC if you need to create a blank shell for the snap-ins, then it's File (menu), Add/Remove Snap-in.

The schema shows all the Objects that exist in Active Directory.  Examples of Active Directory Schema Classes include: computer, printer and user.

Each object has attributes, e.g. CN = Common Name, Department, HomeDrive and USN.  From a design point of view, Microsoft implement 'mix and match'.  Once an attribute like Location is created it can be matched with several objects, e.g. the Printer Object or the Computer Object.  Finally, attributes have values, which you set through interfaces like Active Directory Users and Computers.

While knowledge of the object based system builds a picture of Active Directory, there is practical value in understanding the role of the schema in Active Directory.  For instance, when you install Exchange 2000 you need to be a member of the Schema Admins, otherwise your install will fail.  You should also be aware that Exchange 2000 alters the schema so that 4 new Email tabs are added to users' property tabs.

Inspecting the Schema Snap-in

Once you have registered the Active Directory Schema you can check out the Classes and Attributes; this will give you an idea of how objects like users are built up of attributes.  Do not worry about the X.500 OID, but do inspect the Attribute Properties to see which are published in the Global Catalog.  The Global Catalog is a subset of the Schema containing the most useful attributes, which are used in the Search menus.
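As an added example, not from the original page, here is a PowerShell script that reads the same information the snap-in shows through the .NET System.DirectoryServices.ActiveDirectory classes: the Schema Master, which attributes are published in the Global Catalog, whether department is among them, which classes reuse the location attribute, and which attributes have been deactivated.  It assumes a domain-joined machine; department, location, computer and printQueue are the standard Active Directory names for those attributes and classes.

```powershell
# Added example (not the page's own code): inspect the Active Directory schema
# with System.DirectoryServices.ActiveDirectory instead of the MMC snap-in.
# Assumes a domain-joined machine; reading the schema needs no Schema Admins
# membership, only the ability to bind to a domain controller.
Add-Type -AssemblyName System.DirectoryServices

$schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
"Schema Master (the only DC with a read / write schema): $($schema.SchemaRoleOwner.Name)"

# Attributes flagged for the Global Catalog: the subset that every GC
# replicates and that the Search menus rely on.
$gcAttributes = $schema.FindAllProperties([System.DirectoryServices.ActiveDirectory.PropertyTypes]::InGlobalCatalog)
"$($gcAttributes.Count) attributes are published in the Global Catalog"

# Is 'department' one of them?  The text suggests it as a candidate to add.
$department = $schema.FindProperty('department')
"department: syntax=$($department.Syntax) inGlobalCatalog=$($department.IsInGlobalCatalog)"

# 'Mix and match': one attribute definition (location) reused by several
# classes.  GetAllProperties() includes attributes inherited from superclasses.
foreach ($className in 'computer', 'printQueue') {
    $class = $schema.FindClass($className)
    $hasLocation = [bool]($class.GetAllProperties() | Where-Object { $_.Name -eq 'location' })
    "$className carries the location attribute: $hasLocation"
}

# Deactivated (defunct) attributes: the Windows Server 2003 alternative to
# deleting them.  An empty list is the normal state in an untouched forest.
$defunct = $schema.FindAllDefunctProperties()
"$($defunct.Count) defunct attributes"
$defunct | ForEach-Object { "  $($_.Name)" }
```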

In my opinion you should only create new Classes or even new Attributes if you are a developer.  One extra Class I have heard suggested is Laptop.  Personally I think that there are enough user attributes, but someone suggested adding a Car with an Expense attribute.


Windows Server 2003 - Function Levels
(Mixed v Native Modes)

Raise Function Levels in Windows Server 2003

The purpose of this page is to explain how the terms 'Mixed and Native mode' apply in Windows Server 2003.  Actually, the terms mixed and native have been superseded by 'Raise Function Level'.  I will also point out some of the benefits of switching to the higher levels.

There are two separate aspects of Raise Function Level to be aware of.  One aspect is the domain and the other is the forest.  The key to understanding the concepts is to pay careful attention to these four words, domain, forest, 2000 and 2003.

Firstly, a Windows Server 2003 domain can have a mixture of domain controllers:  NT 4.0 BDCs, Windows 2000 DCs and naturally, Windows Server 2003 DCs.  (DC = Domain Controller)

Secondly, the forest may have all domains at the pure Windows Server 2003 level.  Alternatively, a forest can have domains running at the Windows 2000 mixed or Windows 2000 native level.

Domain Function Levels - (Mixed and Native)

There are now four domain 'Levels' that a Windows Server 2003 domain can operate in.  Whilst it is easy to understand what each level means, it takes time to learn Microsoft's terminology.

  1. Windows Server 2003.  All Server 2003, no other domain controllers.  However, even in this level, the whole range of clients and member servers can still join the domain.

  2. Windows Server 2003 Interim.  NT 4.0 servers and Windows Server 2003 (no Windows 2000).  This level arises when you upgrade an NT 4.0 PDC to Server 2003.  Interim mode is important where you have NT 4.0 groups with more than 5000 members.  Windows 2000 does not allow you to create groups with more than 5000 users.

  3. Windows 2000 Native. (Yes Windows 2000 native) allows Windows 2000 and 2003 servers (no NT 4.0).

  4. Windows 2000 Mixed. (Yes Windows 2000 mixed) allows NT 4.0 BDCs and Windows 2000.  Naturally Windows 2000 mixed is the default function level because it supports all types of domain controllers.

Key term - Raise Domain Functional Level

Windows 2000 mixed mode means that there is at least one NT 4.0 BDC somewhere in the Forest.  To make the switch, right click the Domain object in Active Directory Users and Computers and select: Raise Domain Functional Level.  Here is the menu you see:

5 Features Available in Windows 2000 native Level

While Windows Server 2003 mode is the ultimate goal, there are new benefits of deploying Windows Server 2003 in mixed mode (Windows 2000 native).

  1. Select multiple user objects.  Modify attributes of lots of users all in one go.  This feature actually works like NT 4.0's User Manager.  For a variety of reasons, multiple selection was not available in W2K, which made it tedious to change several users' home directories in one operation.
  2. Drag-and-drop ability.  One irritation of W2K is that you cannot drag and drop users and computers between OUs.  This has been corrected in the latest Active Directory.
  3. Save your queries.   Tip save search queries that you use often in Active Directory Users and Computers, it saves time when you have to repeat the query later.
  4. Application directory partitions. Useful for controlling the replication scope for DNS (Domain Name System) data stored in Active Directory so that only specific domain controllers in the forest replicate DNS zone information.
  5. Universal group membership cached.  Avoid the need to locate a global catalog across a WAN link during logons by storing user universal group memberships on an authenticating domain controller.

6 Features Available in Windows Server 2003 Level

A reminder that this highest level means all domain controllers are running Windows Server 2003 (No NT 4.0 BDCs or Windows 2000 DCs). 

  1. Domain rename. Rename any domain in the Windows Server 2003  forest. Now you can change the DNS name or NetBIOS name of any child domain or even the forest root domain.
  2. Domain controller rename tool. Rename domain controllers without having to run DCPROMO and demote them.
  3. Forest trusts. Create a two way transitive trust to join two forests.  Very useful for amalgamating companies.
  4. Replication enhancements. Unnecessary traffic was created in W2K when you added one member to a group; it resulted in the whole group membership being replicated.  Linked value replication allows individual users to be replicated instead of replicating the entire group membership.
  5. Global catalog replication.  Similar to the above, less traffic is replicated when changes are made to the Global Catalog.
  6. Defunct schema objects. Deactivate classes or attributes from the schema which you know you will never use.

Three Forest Levels

  1. All domains at Windows Server 2003 level

  2. At least one domain at Windows Server 2003 Interim, meaning some NT 4.0 domain controllers

  3. Windows 2000 level (default) mixture of NT 4.0, Windows 2000 levels


Windows Server 2003 - FSMO

FSMO (Flexible Single Master Operations)

There are times when you may need to change the Domain Controller which holds one of the 5 FSMO roles.  Either you could be facing a disaster recovery where you have lost the first Windows 2003 Domain Controller, or you are organized and want to get the most out of your Active Directory Forest.  Although you rarely need to deal with FSMO, there is the feeling that knowledge of these Operations Masters is power over your Windows 2003 Servers.

Background of Operations Masters

For most Active Directory operations, Windows 2003 uses the multiple master model.  The benefit is you can add a computer, or change a user's password on any domain controller.  For example, if you have three domain controllers, you can physically create a new computer account in the NTDS.dit database on any of the three.  Within five minutes (15 seconds in Windows 2003), the new computer object will be replicated to the other two domain controllers.

Technically, the Microsoft multiple master model uses a change notification mechanism.  Occasionally problems arise if two administrators perform conflicting operations before the next replication cycle.  For example, you created an OU called Accounts last week; today, at the same instant that you create new users in that OU, another administrator on another DC deletes that OU.  Active Directory does its best to obey both administrators.  It deletes the OU and creates the Users, but as it cannot create the Users in the OU because it was deleted, the result is that the users are added to the orphaned objects in the 'LostAndFound' folder.  You can troubleshoot what has happened by locating the 'LostAndFound' folder in Active Directory Users and Computers.

TIPS) From the View menu in Active Directory Users and Computers,
click: Advanced Features.

It was worth investigating how Active Directory handles orphaned objects because the point of FSMO is that a few operations are so critical that only one domain controller can carry out that process.  Imagine what would happen if two administrators tried to make different changes to the same schema object - chaos.  That is why administrators can only change the schema on one Domain Controller.  Emulating a PDC is the most famous example of such a Single Master Operation; creating a new child domain would be another example.

The Five FSMO Roles

There are just five operations where the usual multiple master model breaks down, and the Active Directory task must only be carried out on one Domain Controller.

  1. PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDCs.  However, there are two other roles which operate even in Windows 2003 Native Domains: synchronizing the W32Time service and creating group policies.  I admit that it is confusing that these two jobs have little to do with PDCs and BDCs.
  2. RID Master - Each object must have a globally unique number (GUID).  The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers.  For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 - 9999. 
  3. Infrastructure Master - Responsible for checking objects in other domains.  Universal group membership is the most important example.  To me, it seems as though the operating system is paranoid that, a) You are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions.  So if the Infrastructure Master could not check your Universal Groups there could be a security breach.
  4. Domain Naming Master - Ensures that each child domain has a unique name.  How often do child domains get added to the forest?  Not very often I suggest, so the fact that this is a FSMO does not impact on normal domain activity.  My point is it's worth the price to confine joining and leaving the domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned domains. 
  5. Schema Master - Operations that involve expanding user properties, e.g. Exchange 2003 /forestprep which adds mailbox properties to users.  Rather like the Domain Naming Master, changing the schema is a rare event.  However if you have a team of Schema Administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest.  So it's a case of Microsoft know best: the Schema Master should be a Single Master Operation.

(There is also an important Global Catalog role; however, it's not a FSMO as you can have more than one Global Catalog.  See more on Global Catalog Server.)

How many FSMO Domain controllers in your Forest?

Three of the FSMO roles (1. 2. and 3.) are held in each domain, whilst two (4. 5.) are unique to the entire forest.  So, if you have three domains there will be 3 PDC emulators, but only 1 Schema Master.

Checking which DC holds which FSMO role

RID, PDC, Infrastructure (1. 2. and 3.)

You can discover which server holds the Operation Master by opening Active Directory Users and Computers, Right click your Domain and select Properties, Operations Masters.

Domain Naming Master (4.)

To see the Domain Naming Master (4.), navigate to the little used, Active Directory Domains and Trusts, Right click your Domain and select Properties, Operations Masters.

Schema Master (5.)

The Schema Master (5.) is the most difficult FSMO to find.  The reason is that the Schema snap-in is hidden by default.  Perhaps this is Microsoft saying - don't mess with the object definitions.  However, you can reveal the Schema and its FSMO settings thus:

1) Register the Schema Snap-in with this command: Run, regsvr32 schmmgmt.dll

2) Run MMC, File menu, Add/Remove Snap-in, click the Add button and select Active Directory Schema

3) Select Active Directory Schema, Right Click, Operations Master.

Footnote

I have to confess a hidden agenda with FSMO.  If I want to instantly know how well someone knows Active Directory, I introduce FSMO into the conversation and watch their reaction.  Professionals will know what FSMO means and its significance, amateurs just frown.


Windows Server 2003 - FSMO - Advice

FSMO (Flexible Single Master Operations)

This page will advise you what to do if you lose the Domain Controller holding one of the FSMO roles.  I will also cover the implications of having more than one FSMO master for the same role.  If you have lost your FSMO master then I have a troubleshooting section, and a separate page on transferring FSMO roles. Incidentally, the modern tendency is to use the term Operation Masters, whereas in Windows 2000, FSMO was the term of choice.

PDC Emulator

Of the 5 roles, this is the role that you will miss the soonest.  Not only will NT 4.0 BDCs complain, but also there will be no time synchronization.  Another problem is that you probably will not be able to change or troubleshoot group policies, as the default setting is for the PDC emulator also to be the group policy master.

Implications for Duplicates

If the old PDC emulator returns, it is not as serious as duplicates with some of the other roles.  Quickly seize the PDC role on another machine.

RID Master

One Domain Controller is responsible for giving all the rest of the Domain Controllers a pack of unique numbers so that no two new objects have the same GUID (Globally Unique Identifier). 

If you lose the RID master, the chances are good that the existing Domain Controllers will have enough unused RIDs to last a week or so, so do not be in a hurry to seize.

Implications for Duplicates

You must not allow two RID masters, as the possibility of two objects with the same RID would be disastrous.   So if the original is found it must be reformatted and reinstalled before re-joining the forest.

Infrastructure Master

The consequence of a missing Infrastructure Master is that group memberships may be incomplete.  If you only have one domain, then there will be no impact, as the Infrastructure Master is responsible for updating your users' membership in other domains in the forest.

Implications for Duplicates

No damage occurs if the old Infrastructure master returns, just check out the Roles and decide which machine should hold the role.

Forest Wide Roles

Schema Master

If you lose the Schema Master, then long term it is serious because you cannot install Exchange 2003 or extend the schema.  However, short term no-one will notice a missing Schema Master, so try and repair the old one rather than seize the role.

Implications for Duplicates

You must not allow two Schema Masters, so if the original is found or repaired, it must be completely rebuilt rather than allowed into the forest.

Domain Naming Master

This is a forest wide role that is responsible for adding child domains and new trees.   Unless you are going to run DCPROMO, then you will not miss this FSMO role, so wait rather than seize the role.

Implications for Duplicates

You must not allow the original Domain Naming Master to return, rebuild before you let the machine back in the forest.

Troubleshooting FSMO

Symptoms of FSMO Problems

I find that the first sign of a problem with an FSMO is that Active Directory Users and Computers is slow to initialize.  Moreover, if you try to even view Group Policies, you get an error such as:

Inaccessible GPO - Access Denied.  or
Failed to open the Group Policy Object. You may not have appropriate rights.

The cause of these symptoms is that the FSMO master holding the PDC emulator is unavailable.  Fingers crossed it's a temporary problem; however, if the problem persists then you need to investigate which Domain Controller holds, or held, the PDC emulator role.

Troubleshooting Toolkit

DCDiag - Not only does DCDiag have a routine to check the FSMOs, but it also provides information on Active Directory replication.  As ever with troubleshooting, you want to get to the root cause, not merely treat one of the symptoms.

NetDOM - It's a close call whether to run NetDOM before or after DCDiag, the answer partly depends on whether NetDom is already installed or if you need to get it from the Windows Server 2003 Support tools.

From the command line type netdom query fsmo.  You should see a list of the 5 roles with the corresponding Domain Controller.

DNS - Excuse what may seem like a digression, but it never ceases to amaze me how often faulty DNS configuration is the source of an Active Directory problem.  Therefore, head for the DNS snap-in and observe that all settings are as expected.  Remember the Monitoring tab.  Make sure that each DNS server is registering itself and registering with other DNS servers.

DCPROMO - Rather drastic, but sometimes just running this program to demote a Domain Controller creates error messages, which are handy additional sources of information.  If there are no error messages, you may just choose to cancel.  However, if you go ahead and run DCPROMO to demote a domain controller, watch out for a check box that says 'This is the last domain controller in the domain'.  If that box is UNchecked the wizard will automatically move any FSMO roles to another domain controller.

NTDSUTIL - Powerful command line tool; note the Seize verb.  See here for more about transferring FSMO roles with NTDSUTIL.


Windows Server 2003 - How to Transfer FSMO Roles

FSMO (Flexible Single Master Operations)

Remember that in the acronym FSMO, the word Flexible means that you can move the role to a more suitable domain controller.  There are two scenarios for transferring the FSMO roles: the first is a planned transfer where the original FSMO Operations Master is up and running.  Alternatively, if the original FSMO master has been stolen, corrupted or is otherwise unavailable, then you need NTDSUTIL.

Planning the FSMO Transfer

As a matter of planning strategy, decide if this move is a short term fix or part of a long term transfer of the role.  Another consideration is whether you want all the roles on the same Domain Controller.  The answer is probably not; for example, best practice suggests that the Infrastructure Master should not be on a Global Catalog.

If the Global Catalog server and Infrastructure Master are on the same server, the Global Catalog no longer updates information.  You can either just accept this peculiarity, or research why it thinks it knows best and does not need to replicate.  This is only a problem in a multi-domain forest.

Your planning should also take into account the fact that each domain has its own RID, PDC and Infrastructure Master, while there is only one Schema and one Domain Naming Master for the entire Active Directory Forest.

Finally, a minor consideration: have you the correct rights?  For example, do you have access to an account which is an Enterprise Administrator and Schema Administrator?

Where to Find the 5 FSMO Masters

Three of the FSMO Operational Masters are found under the domain in Active Directory Users and Computers.  The FSMO roles found here are: RID, PDC and Infrastructure masters.  Right click on the domain name (cp.com in diagram) then select Operations Masters.

The Domain Naming Master is tucked away under Active Directory Domains and Trusts.  The hardest FSMO master to find is the Schema Master, the reason being that you first have to register the schema snap-in with the command: Start, Run, regsvr32 schmmgmt.dll.

Now that you have located the 5 Operations Masters, the technique to transfer ownership is the same in each case.
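As an added example, not from the original page, the following PowerShell script does the locating job above programmatically for every domain in the forest, reports whether each holder can be contacted, and applies the planning rule from the previous section by warning when an Infrastructure Master sits on a Global Catalog in a multi-domain forest.  It assumes a domain-joined machine and a user who can read Active Directory; the helper names Test-RoleOwner and Show-Role are my own.

```powershell
# Added example (not the page's own code): enumerate the five Operations
# Masters with the .NET System.DirectoryServices.ActiveDirectory classes,
# check that each holder answers, and flag an Infrastructure Master that is
# also a Global Catalog.  Assumes a domain-joined machine with read access.
Add-Type -AssemblyName System.DirectoryServices

# Hypothetical helper: $true when the role holder can be contacted.  Reading
# CurrentTime forces a bind to that specific domain controller.
function Test-RoleOwner($dc) {
    try { $null = $dc.CurrentTime; return $true } catch { return $false }
}

# Hypothetical helper: one formatted line per role.
function Show-Role([string] $role, $dc) {
    $state = if (Test-RoleOwner $dc) { 'online' } else { 'UNREACHABLE - see Troubleshooting FSMO' }
    "  {0,-22}: {1} ({2})" -f $role, $dc.Name, $state
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Roles 4 and 5 exist exactly once per forest.
"Forest $($forest.Name)"
Show-Role 'Domain Naming Master' $forest.NamingRoleOwner
Show-Role 'Schema Master'        $forest.SchemaRoleOwner

# Roles 1, 2 and 3 exist once in every domain, so three domains give three
# PDC Emulators but still only one Schema Master.
foreach ($domain in $forest.Domains) {
    "Domain $($domain.Name)"
    Show-Role 'PDC Emulator'          $domain.PdcRoleOwner
    Show-Role 'RID Master'            $domain.RidRoleOwner
    Show-Role 'Infrastructure Master' $domain.InfrastructureRoleOwner

    # Planning rule from the text: in a multi-domain forest the Infrastructure
    # Master should not be a Global Catalog, or it stops updating cross-domain
    # references.  In a single-domain forest the combination is harmless.
    $infra = $domain.InfrastructureRoleOwner
    if ($forest.Domains.Count -gt 1 -and $infra.IsGlobalCatalog()) {
        Write-Warning "Infrastructure Master $($infra.Name) in $($domain.Name) is also a Global Catalog; transfer the role to a DC that is not a GC."
    }
}
```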

Pull those Operations Masters

The key concept is Pull.  Make sure that you are connected to the destination server.  This is really such a simple point, but once you have grasped the concept, the knack of transferring FSMO roles will be easy.  Sorry to harp on, but unless you make the new FSMO domain controller the focus for the MMC snap-in, trust me, you will be frustrated.

At Last - We get to Press the Change Button

Now that you have the 'focus' on the new Operations Master, your transfer will proceed smoothly.  After double checking that the server names are the correct way around, just click on the Change Button.

Now it's on to the next Operations Master, remember that there are 5 roles.  Although some Forests may have more than one RID, PDC and Infrastructure master, usually you only need to take one server out of commission at a time.  However if you are taking the opportunity to restructure your FSMO roles then you may have to make more than 5 changes.

NTDSutil

NT directory service utility (NTDSutil) reminds me of UNIX or mainframes.  What you get with NTDSutil is a command line program with powerful verbs that can dramatically affect the operating system.  Rather like ESEutil, you should take every opportunity to practice with NTDSutil, so that when you have to use it in anger you will know what you are doing.  Even so, back up first, because there are no safety checks and the wrong command can wreak havoc.

When you are configuring FSMO with NTDSutil, the key command is
Seize PDC  (or Seize RID etc).  However, as soon as you execute NTDSutil you realize how many different jobs this utility has.

TIPS)  Make use of help at every NTDSutil prompt.

Sample NTDSutil command session

ntdsutil, roles  -  help
connections - help
connect to server yourserver (change yourserver but include the word 'to')
seize pdc (or other FSMO Role)

C:\>ntdsutil
ntdsutil: roles
fsmo maintenance: help

? - Show this help information
Connections - Connect to a specific domain controller
Help - Show this help information
Quit - Return to the prior menu
Seize domain naming master - Overwrite domain role on connected server
Seize infrastructure master - Overwrite infrastructure role on connected server
Seize PDC - Overwrite PDC role on connected server
Seize RID master - Overwrite RID role on connected server
Seize schema master - Overwrite schema role on connected server
Select operation target - Select sites, servers, domains, roles and
naming contexts
Transfer domain naming master - Make connected server the domain naming master
Transfer infrastructure master - Make connected server the infrastructure master
Transfer PDC - Make connected server the PDC
Transfer RID master - Make connected server the RID master
Transfer schema master - Make connected server the schema master

fsmo maintenance: connections
server connections: help

? - Show this help information
Clear creds - Clear prior connection credentials
Connect to domain %s - Connect to DNS domain name
Connect to server %s - Connect to server, DNS name or IP address
Help - Show this help information
Info - Show connection information
Quit - Return to the prior menu
Set creds %s %s %s - Set connection creds as domain, user, pwd.
Use "NULL" for null password,
* to enter password from the console.

server connections: connect to server william
Binding to william ...
Connected to william using credentials of locally logged on user.
server connections: seize pdc 

Summary - FSMO transfer

Before you learn the knack of transferring the FSMO or Operations Master, take a minute to plan which Domain Controllers should hold which roles.  It is possible that existing servers have inappropriate roles; for example, if your forest has grown, the Schema Master is best in the root domain.

(There is also an important Global Catalog role; however, it's not a FSMO as you can have more than one Global Catalog.  See more on Global Catalog Server.)


Windows Server 2003 - An Example of How to Decommission FSMO Roles

Real Life Example of Decommissioning FSMO Servers
by Crispin Horsfield

If you're about to decommission a server then you need to be aware of FSMO (Flexible Single Master Operation).  Although Windows Server 2003 no longer employs PDCs and BDCs in their original roles, there are still echoes of their existence around.  Therefore, it's vital to transfer the FSMO role to another server if the server you are decommissioning holds any of the five FSMO roles.

Basic FSMO Server Clean-up

1. Applications, move off all files and applications that you want to keep onto another computer. Obvious, but there may be DLLs lurking in the following places that may also need moving:
C:\Program files\Common files
C:\<windows directory>\system32

Also, check through Add/Remove programs in the Control Panel to make sure that you've covered all the bases. There may also be configuration files and registry settings that are associated with applications that you want to keep.

2. IIS, examine the websites and delete or move as appropriate.

3. DNS, take a close look at the DNS service (mine was a bit flaky so I removed dodgy entries). DO NOT stop this service.

4. DHCP, make sure that no computers are using any of the scopes and then delete them. I then stopped the DHCP service.

Collect info

If you're going to tape and re-install, then check the name and type of all significant drivers e.g. network cards, RAID systems, etc.

With RAID drivers go to Windows-key/Pause-Break --> System Icon, Hardware, Device manager and select your RAID driver.  Go through to Properties, then the Driver tab. Note down the name of the device, the Driver Provider and version. There's probably a new driver available from the manufacturer's website. You may also need a floppy disk (remember them) to store the precious driver.  Make sure that your licence key is available for that server (it's stuck to the side on Dell servers).

Transfer FSMO Roles

http://support.microsoft.com/default.aspx/kb/255504 

From the above I selected:

To transfer the FSMO roles by using the ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.

2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.

3. Type roles, and then press ENTER.

Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.

4. Type connections, and then press ENTER.

5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.

6. At the server connections prompt, type q, and then press ENTER.

7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.

8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the ntdsutil utility.

This can take time to filter through, so depending on the size of your system, have a cup of tea, a large meal, or leave it overnight.

DNS

I'm not a DNS guru, so I probably did this the hard way.

Start > Programs > Administrative Tools > DNS

For each Forward Lookup Zone change the Start of Authority to the new primary DNS server.
1. Right-click on the zone.
2. Select Properties
3. Select Start of Authority tab.
4. Change the Primary Server to the new value.

This can also take time to filter through depending on your TTL settings, caches, etc. More tea, cake and sleep.

One gotcha can be if (for some reason or other, perhaps even a group policy) the DNSClient setting* in the registry of client machines is set to the old DNS server. Mine was set manually before I learned the joys of Active Directory Sites and Services. I used to point the DNSClient towards the nearest DNS server when I moved computers between locations. I use DHCP now to achieve the same thing and the DNSClient setting has been deleted.
Clearly if it's a Group Policy setting (and I don't know where that would be set), it needs changing.

*I just open up regedit and search for DNSClient.

You can stop and/or remove DNS should you wish at this point.

Active Directory

Run dcpromo on the server to be decommissioned. This can take a while. 

TIPS)  Once your server has been 'decommissioned', turn it off and leave it for a week or so before attempting to re-install Windows Server 2003 (or any other operating system). This means that you should be able to recover should you have missed something vital, by the simple expedient of turning it back on.

Finally, this seems to have worked for me, but others may be running services that also need to be gracefully decommissioned.


Windows Server 2003 - Function Levels
(Mixed v Native Modes)

Raise Function Levels in Windows Server 2003

The purpose of this page is to explain how the terms 'Mixed and Native mode' apply in Windows Server 2003.  Actually the terms mixed and native have been superseded by 'Raise Function Level'.  I will also point out some of the benefits to switching the the higher levels.

There are two separate aspects of Raise Function Level to be aware of.  One aspect is the domain and the other is the forest.  The key to understanding the concepts is to pay careful attention to these four words, domain, forest, 2000 and 2003.

Firstly, a Windows Server 2003 domain can have a mixture of domain controllers:  NT 4.0 BDCs, Windows 2000 DCs and naturally, Windows Server 2003 DCs.  (DC = Domain Controller)

Secondly, the forest may have all domains at the pure Windows Server 2003 level.  Alternatively, a forest can have domains running at the Windows 2000 mixed or Windows 2000 native level.

Domain Function Levels - (Mixed and Native)

There are now four domain 'levels' that a Windows Server 2003 domain can operate in.  Whilst it is easy to understand what each level means, it takes time to learn Microsoft's terminology.

  1. Windows Server 2003.  All Server 2003, no other domain controllers.  However, even in this level, the whole range of clients and member servers can still join the domain.

  2. Windows Server 2003 Interim.  NT 4.0 servers and Windows Server 2003 (no Windows 2000).  This level arises when you upgrade an NT 4.0 PDC to Server 2003.  Interim mode is important where you have NT 4.0 groups with more than 5000 members.  Windows 2000 does not allow you to create groups with more than 5000 users.

  3. Windows 2000 Native. (Yes Windows 2000 native) allows Windows 2000 and 2003 servers (no NT 4.0).

  4. Windows 2000 Mixed. (Yes Windows 2000 mixed) allows NT 4.0 BDCs and Windows 2000.  Naturally Windows 2000 mixed is the default function level because it supports all types of domain controllers.

Key term - Raise Domain Functional Level

Windows 2000 mixed mode means that there is at least one NT 4.0 BDC somewhere in the Forest.  To make the switch right click the Domain object in Active Directory Users and Computers and select: Raise Domain Functional Level.  Here is the menu you see:

5 Features Available in Windows 2000 native Level

While Windows Server 2003 mode is the ultimate goal, there are new benefits of deploying Windows Server 2003 in mixed mode (Windows 2000 native).

  1. Select multiple user objects.  Modify attributes of lots of users all in one go.  This feature actually works like NT 4.0's User Manager.  For a variety of reasons, multiple selection was not available in W2K, which made it tedious to change several users' home directories in one operation.
  2. Drag-and-drop ability.  One irritation of W2K is that you cannot drag and drop users and computers between OUs.  This has been corrected in the latest Active Directory.
  3. Save your queries.   Tip: save search queries that you use often in Active Directory Users and Computers; it saves time when you have to repeat the query later.
  4. Application directory partitions. Useful for controlling the replication scope for DNS (Domain Name System) data stored in Active Directory so that only specific domain controllers in the forest replicate DNS zone information.
  5. Universal group membership cached.  Avoid the need to locate a global catalog across a WAN link during logons by storing user universal group memberships on an authenticating domain controller.

6 Features Available in Windows Server 2003 Level

A reminder that this highest level means all domain controllers are running Windows Server 2003 (No NT 4.0 BDCs or Windows 2000 DCs). 

  1. Domain rename. Rename any domain in the Windows Server 2003  forest. Now you can change the DNS name or NetBIOS name of any child domain or even the forest root domain.
  2. Domain controller rename tool. Rename domain controllers without having to run DCPROMO and demote them.
  3. Forest trusts. Create a two way transitive trust to join two forests.  Very useful for amalgamating companies.
  4. Replication enhancements. Unnecessary traffic was created in W2K when you added one member to a group; it resulted in the whole group membership being replicated.  Linked value replication allows individual users to be replicated instead of replicating the entire group membership.
  5. Global catalog replication.  Similar to the above, less traffic is replicated when changes are made to the Global Catalog.
  6. Defunct schema objects. Deactivate classes or attributes from the schema which you know you will never use.

Three Forest Levels

  1. All domains at Windows Server 2003 level

  2. At least one domain at Windows Server 2003 Interim, meaning some NT 4.0 domain controllers

  3. Windows 2000 level (default) mixture of NT 4.0, Windows 2000 levels
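The four domain levels and three forest levels above are stored in Active Directory as the msDS-Behavior-Version attribute (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003), with the domain's ntMixedDomain attribute telling Windows 2000 mixed (1) apart from Windows 2000 native (0). The added example below, which is not from the original page, reads both with ADSI so you can confirm the levels from a script; it assumes the machine is joined to the domain and can reach a domain controller.

```powershell
# Added example: report the domain and forest functional levels via ADSI.
function Get-ADFunctionalLevel {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $parts   = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"

    # A missing attribute (schema not yet at Windows Server 2003) counts as 0.
    $dv = $domain.psbase.Properties['msDS-Behavior-Version'].Value
    $fv = $parts.psbase.Properties['msDS-Behavior-Version'].Value
    $domainVersion = if ($dv -eq $null) { 0 } else { [int]$dv }
    $forestVersion = if ($fv -eq $null) { 0 } else { [int]$fv }
    # ntMixedDomain = 1 means NT 4.0 BDCs are still permitted (Windows 2000 mixed).
    $mixed = [int]$domain.psbase.Properties['ntMixedDomain'].Value

    $domainLevel = switch ($domainVersion) {
        0 { if ($mixed -eq 1) { 'Windows 2000 mixed' } else { 'Windows 2000 native' } }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        default { "newer than Windows Server 2003 (value $domainVersion)" }
    }
    $forestLevel = switch ($forestVersion) {
        0 { 'Windows 2000' }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        default { "newer than Windows Server 2003 (value $forestVersion)" }
    }

    New-Object PSObject -Property @{
        Domain      = "$($rootDse.defaultNamingContext)"
        DomainLevel = $domainLevel
        ForestLevel = $forestLevel
    }
}

Get-ADFunctionalLevel | Format-List
```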

Key extra features of a forest at Windows Server 2003 level


Windows Server 2003 - Run As Secondary Logon

Windows Server 2003 - Run as.  The Secondary Logon Service

The Administrator's Dilemma

The idea behind the Run as command is to encourage administrators to apply 'best practice' to their own actions.  Here is the dilemma: if the network administrator logs on with an ordinary account then he will be unable to configure any of the vital server components.  If that network administrator logs on as a local administrator or domain admin, then that console becomes a security risk.

Guy's Secret

Many people that I train dislike the Run as command.  Furthermore, when I visit companies as a consultant, Techies avoid the Run as at all costs.  I was interested therefore, that in Longhorn and Vista, Microsoft have developed UAP (User Account Protection).  What UAP does is minimise the risk of administrators inadvertently running rogue programs. 

Risk from Virus

The security threat comes from several sources.  Some of the most virulent viruses need administrative rights to do their dastardly deeds.  If the network guru was logged on as an ordinary user and triggered a virus, it may not be able to access the services it needs to perform its evil tasks.  The answer is to use the Run As secondary logon just to perform disk administration or to create new users, then revert to the ordinary account to send your email.

Risk from 'Psycho' users

Another source of risk is if the expert slips out for a break and leaves the console with the all powerful administrator logged on.  Think what havoc the company 'psycho' could cause if they dropped by the keyboard?  Unfortunately these nutters do not have 'psycho' stamped on their forehead so you cannot always spot them.  Moreover ordinary sane people change their personality if they taste the power of the network administrator.

The challenge

Using Run As is easy.  All you do is right click the executable, and select Run As from the short cut menu.  Next you supply the real administrator's name and password.  To make the switch even easier, create shortcuts to your favourite tools and check the Run with Different Credential box.

The difficulty is psychological.  Windows Server experts need to break the old habit of always logging on with an administrator account. 

Note: The Run As service is available on Windows 2000 and Server 2003

Technical information.

For those of us who are fascinated by Windows Services, Run As is another example of a program that runs as a service.  To be precise, the service is actually called Secondary Logon.  It is lucky that 'Secondary Logon' is so near 'Run As' in an alphabetical list - otherwise I would never find it!

Summary

Any administrator is perfectly capable of mastering the Run As command, technically it's dead easy.  The hard part is making the psychological change from always logging on as an administrator to logging on with an ordinary account and then using the Run As command to configure the server.


Windows Server 2003 - Server Roles

Windows 2003 - Server Roles

Microsoft's slogan of - 'Easy to deploy, use, and manage' - does have a ring of truth.  However, it does rely on you having the knowledge and skill to make your Windows Server 2003 fulfil its potential.  I must confess that even though I am familiar with the different types of server, every time I checked with the 'Configure Your Server Wizard', I found at least one feature that I would otherwise have missed, so my mantra became - 'Give the wizard a chance'.

Roles for your Windows 2003 Server

Some server roles are best combined, for example domain controller, DNS, and DHCP, whilst others are better on their own server, for example I would separate email (Exchange) from Terminal Services.

Domain Controller

Active Directory is a huge topic in itself.  While DCPROMO is easy to run, planning of both the physical and the logical structure is the key to a trouble-free network.  Good news: in Server 2003 you can rename both the domain itself and the domain controller (renaming was greyed out in Windows 2000).

Domain controllers do not have to be your most powerful machines; however they must be reliable and always available to answer logon requests.  Decide which DCs will hold which FSMO (Flexible Single Master Operations) roles.  By default only the first server is a GC (Global Catalog).  Having at least one GC on each site will improve any service which makes an LDAP request for Active Directory names.

TIPS) Install the Replication Monitor from the Support folder of the Server CD

DNS (Domain Name System)

Active Directory absolutely relies on DNS, which is why you must become an expert at configuring DNS.  Once DNS is set up, it runs itself thanks to the new dynamic component, hence DDNS.  TCP/IP knowledge plus an understanding of how DNS works is essential when troubleshooting connectivity problems.

What DNS does is enable client machines to resolve servers' IP addresses.  Once the client finds the server, Active Directory uses LDAP to locate the services, like Kerberos and the Global Catalog, that clients request.

Your first domain controller can be tricky to set up.  To begin with, plan, then check the Computer Name found in the System icon.  Before you run DCPROMO make sure you have the correct Primary DNS Suffix; drill down through the More.. button.

My tactic is to do as little configuring of the forward lookup zone as possible and leave it all to the DCPROMO wizard.  Once Active Directory creates the forward lookup zone, I configure Active Directory integration to replicate DNS records to the other servers.  Then I manually create the reverse lookup zone, add PTR records and check with NSLOOKUP.

TIPS) If you are troubleshooting DNS _SRV records, try stopping and starting the Netlogon service.

Make it your reflex to install DNS on domain controllers.
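The _SRV records mentioned in the tip are what clients use to find LDAP, Kerberos and Global Catalog servers, so a quick way to see whether Netlogon has registered them is to query each one. The added example below is not from the original page; it wraps nslookup.exe and parses its SRV output, and the domain name and DNS server address are constructed samples to replace with your own.

```powershell
# Added example: check the SRV records Active Directory clients depend on.
function Test-ADSrvRecords {
    param(
        [string]$Domain    = 'corp.example.com',   # constructed sample
        [string]$DnsServer = '10.10.56.10'         # constructed sample
    )
    $records = @(
        "_ldap._tcp.dc._msdcs.$Domain",   # domain controllers offering LDAP
        "_kerberos._tcp.$Domain",         # Kerberos KDCs
        "_gc._tcp.$Domain"                # Global Catalog servers (forest root name)
    )
    foreach ($name in $records) {
        # nslookup prints one "svr hostname = <dc>" line per SRV answer
        $out   = & nslookup.exe -type=SRV $name $DnsServer 2>&1 | Out-String
        $hosts = @([regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') |
                   ForEach-Object { $_.Groups[1].Value })
        New-Object PSObject -Property @{
            Record = $name
            Found  = ($hosts.Count -gt 0)
            Hosts  = ($hosts -join ', ')
        }
    }
}

Test-ADSrvRecords | Format-Table Record, Found, Hosts -AutoSize
```

A record reported as not found on a healthy domain is the cue for the tip above: restart the Netlogon service on the domain controller and query again.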

(All I want to say about WINS is plan to phase it out, you only need it for Windows 9x clients.)

DHCP (Dynamic Host Configuration Protocol)

I used to think you needed a DHCP server on every Subnet, but now I recommend just two DHCP servers to share each scope, with a DHCP relay agent on each subnet.  DHCP fits in well with DNS and domain controllers, so I would install DHCP on selected domain controllers.

Once you have installed DHCP, there is much configuration work. But before you do anything else, you must Authorize the DHCP servers in Active Directory.  I believe this authorization is a device to make you stop and think 'do I need another DHCP server?'  Officially the authorization is to prevent rogue techies installing an extra DHCP server whenever it takes their fancy.

Now you are ready to decide which of the numerous Scope Options to configure, e.g. 003 Router, 006 DNS Servers.

File Server

Unlike the above roles, file servers should be member servers; installing Active Directory here would be a disadvantage.  Here is your checklist of features for a file server that you might wish to deploy.

File servers have always combined well with print servers.

Print Server

Print servers probably show the greatest variation of machine: dedicated print servers, printers hanging off domain controllers, and 'Jet Direct' printers with their own network cards.  In my experience there is a contrast between the software settings, which are easy to configure, and the hardware, which constantly cries for attention, e.g. paper jam, 'out of toner'.  Here is a checklist for the software components of your print server:


Application Server

The sort of applications that I mean are database, e.g. SQL or web e.g. IIS.

There is rarely any advantage in installing Active Directory on Application servers, and often this combination creates problems as Active Directory and application services fight for resources or control of components.  So install Application servers on their own member server.

Authentication is important for all server roles, but fail to tie down permissions on an application server and you could get sensitive company information being made available to everyone.  Failure to control security could also invite hackers to attack your data.  So, delve into all aspects of security on your database servers.

 

There are extra hardware considerations for your application server.  Pamper your database 'crown jewels' with hardware RAID.  Get a trial of clustering.  Clustering is technically interesting, is the way of the future and it will take reliability to another level.  Convince whoever holds the purse strings that the greater availability and less downtime will pay for clustering.

 

Mail Server

Mail servers benefit from being on their own server, separate from domain controllers and separate from database servers like SQL.  Your checklist should include:

 TIPS)  Install WinRoute from the Exchange 2000 CD to check mail routing

 Streaming Media

Rather exotic perhaps, but if you do need to support clients who need audio or video services, then there is a separate Windows Media Service to install through Add Remove Programs, Windows Settings.

 Terminal Services

Terminal Services is Microsoft's thin client solution.  The Windows 2003 server does all the processing, and the clients connect from a machine which essentially becomes a dumb terminal.  Terminal Services is built into Windows Server 2003; it is not a separate product as it was in NT 4.0.  However it lies dormant and you need to install it through Add or Remove Programs / Windows Components.  You will also need to install Terminal Server Licensing on one of your servers.  Check out the special group for Terminal Server Licensing in the Builtin folder of Active Directory Users and Computers.

The main question is which mode you will run Terminal Services in: Remote Desktop for Administration or Application mode.

When you install programs for Terminal Services, check out the special 'Transforms' method.  32-bit programs should be OK.  Also search websites for scripts to make any non-Microsoft applications operate in multi-session mode.

Group Policy.  There are Group Policies just for Terminal services,  e.g. Do not let users accidentally Shut Down the terminal server when they think they are shutting down their own machine!

Permissions.  By default every user can access a terminal server, perhaps you wish to change this.

RAS and VPN server

RAS, or Routing and RAS, has come a long way from its NT 4.0 days.  The fact that it is now built in and installed by default is an indication of its more robust nature and greater importance.  There are lots of components and technologies to understand and configure to make a successful RAS server:


Windows Server 2003 - Tips


Here is a selection of my favourite Windows Server 2003 tips.  My aim is to provide variety, so I hope you will discover at least one valuable tip.

1) Disable the original Administrator account

In Windows Server 2003, for the first time, you CAN disable the Administrator account.   My point is that every hacker knows that Windows has a username called Administrator, so defend it by disabling the account (right click the Administrator account, Disable).  Obviously you must create another account with administrative privileges first.

There are two variations of this tip.

a) You could disable the account from logging on across the network

b) You could rename the account and create a dummy administrator to confuse would-be hackers

2) View Advanced Features

As you are an expert, display all those hidden menus and folders.

a) Go to Active Directory Users and Computers, select View (menu) then check Advanced Features.  Now you should see the 'LostAndFound' folder and so be able to check for any orphaned users.

b) Select the DNS Icon, View (Menu), Advanced. 
This brings the DNS 'Cached Lookups' folder into view.

c) Device Manager, Show Hidden Devices.
This is useful for troubleshooting non Plug and Play devices.

3) The easiest way to bring up the System Icon

Here is my favourite keyboard short cut: 
 (Windows Key) + Pause/Break (Key)

4) Remote Desktop

The idea is to connect to the Windows Server 2003 from your XP Desktop.  Configure Remote Desktop from the System Icon, Remote (tab), Remote Desktop.  This will save you that long walk to the server room. 

When you are logged on to your XP machine go to Accessories, Communication, Remote Desktop connection.  Incidentally, remote desktop was voted the top reason to migrate to XP and here it is on Server 2003.

5) Troubleshooting Error Messages.

a) Start, Help and Support, Troubleshooting Strategies (Bullet point 5)  Here is a wonderful selection of tools to lead you methodically through a problem.  Each hardware device will have its own troubleshooters.  They are excellent for making sure you have not overlooked something obvious.

b) Start, Help and Support, Error and Event Log Messages.  Just type in the error message which you find in the Event Viewer, make sure you are online, and Microsoft will help diagnose the cause and a solution.

c) Help in general, is so much better than NT 4.0. - I plead with you to give it another chance!

6) To display your Username and Computer Name on the 'My Computer' icon

Here is a tip for those who like to hack the registry.

Preliminary step, show the 'My Computer' icon, go to Control Panel, Display, Desktop (Tab), Customize Desktop, Check My Computer.

Principle: Find the setting for the My Computer object in HKEY_CLASSES_ROOT and substitute two variables for the original setting.   Warning: This is a particularly difficult registry change to make, so export the registry FIRST: Regedit, File (menu), Export.

Getting Started

a) Use regedit to locate HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} and rename LocalizedString to LocalizedString.Old.  I advise this step in case anything goes wrong and you want to revert to how it was.
b) Create a new value of type Expand_SZ, name it LocalizedString and set its value to %Username% at %Computername%

TIPS)  Press F5 to refresh the 'My Computer', there is no need to logoff and certainly do not reboot.
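The same change, with the export taken first and the old value preserved, can be scripted. This is an added example, not from the original page; it assumes you run it with rights to write to HKEY_CLASSES_ROOT, and the backup file location is a choice of your own.

```powershell
# Added example: script tip 6 (registry backup, keep the old value, add the new one).
$clsid  = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}'        # My Computer, as on the page
$key    = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
$backup = "$env:TEMP\MyComputer-CLSID.reg"                # assumed backup location

# 1. Export the key before touching it; stop if the export fails.
if (Test-Path $backup) { Remove-Item $backup }
& reg.exe export "HKCR\CLSID\$clsid" $backup | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Registry export failed; nothing has been changed."
}

# 2. Keep the original value under a new name so the change can be reverted.
$current = Get-ItemProperty -Path $key
if ($current.PSObject.Properties['LocalizedString']) {
    Rename-ItemProperty -Path $key -Name 'LocalizedString' -NewName 'LocalizedString.Old'
}

# 3. Create the expandable string; the shell expands the variables when it draws the icon.
New-ItemProperty -Path $key -Name 'LocalizedString' -PropertyType ExpandString `
    -Value '%USERNAME% at %COMPUTERNAME%' | Out-Null

"Done. Press F5 on the desktop to redraw 'My Computer'. Backup: $backup"
```

To revert, delete LocalizedString, rename LocalizedString.Old back, or double-click the exported .reg file.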

7) Configure a short cut to 'Run As' a different user.

This tip only works on short cuts.  So create a short cut to one of your key programs, for example Active Directory Users and Computers.  Right click the short cut, Properties, Advanced (button), Run with Different Credentials.  The idea behind 'Run As' is to encourage you to log on as an ordinary user, and then use 'elevated rights' when you need to run the administrative tools.  What it does is save you having to log off and then log on again as the administrator.

8) Taskbar appearance

Right Click the Grey Bar at the bottom of the screen, Properties - check out all the settings.

Assorted interesting new features in Server 2003


DNS in Windows Server 2003 - Home

DNS (Domain Name System) in Windows 2003 Server

The purpose of the tutorials in this section is to help you get started with DNS's terms and concepts.  Mastering DNS is not easy.  The secret of having a fast and secure Active Directory network is planning, then configuring, your DNS Server.  When it comes to troubleshooting connectivity, DNS is one of THE most difficult tasks in Windows 2003, so take the time to learn the principles behind Microsoft's dynamic DNS.

The purpose of this page is to act as a mini site map and provide pointers to DNS topics of interest.

Introduction to DNS in Windows Server 2003

There are three scenarios in which your network needs DNS.  Firstly, to find Active Directory resources such as Global Catalog Servers and also Domain Controllers that authenticate Logon or Kerberos requests.  Secondly, to locate pages on the internet, and thirdly, mundane tasks, for example connecting to a printer share.

DNS makes it possible for clients to access network resources using alphanumeric names rather than pure IP addresses.  Unlike WINS, DNS is hierarchical, and with the advent of Windows 2000, DNS became dynamic DNS.  In practical terms, it means that clients can update their own DNS Server records automatically, thus reducing the administrative load.  The killer reason for implementing DNS is that Active Directory relies on DNS for finding Global Catalog, Kerberos and Logon Servers.

Before you install DNS on a production network you need to answer a whole series of questions.  For example: Will your DNS name match your email domain?  Who will be in charge of DNS, you, or must you rely on a Unix department?

One 'Litmus Test' for a difficult topic is the number of specialist terms a component uses.  My rule is the more unusual words and acronyms, the more difficult the subject is to master.  DNS passes this 'difficulty' test with flying colours.  For instance you need to understand Namespace, Authoritative, Recursive, and Incremental, to name just a few of the DNS keywords.  As you learn about DNS Server, watch out for ways to increase your computing vocabulary.

DNS Summary

DNS is the most difficult topic in the whole of Active Directory in general and TCP/IP in particular.  However, to be a 'top techie' forget those exams, if you can troubleshoot DNS then you can not only talk the talk but you can walk the walk and rule that server room.  Make a start by listing the DNS terms and understanding how they fit together.  My tutorials will give you step-by-step guidance on how to get the most out of Microsoft's Dynamic DNS.


Routing and RAS in Windows Server 2003 - What's New?

Routing and RAS (Remote Access Service) in Windows 2003 Server

Routing and RAS is like a sleeping giant.  What I mean by that is, while in Windows Server 2003, you no longer need to install RAS, it remains inactive until you configure the Icon.  I have a special bet for you.  My bet is that Microsoft's RRAS will have at least one feature that will surprise you.

Introduction to RRAS in Windows Server 2003

It's hard to be rude about Windows Server 2003's RAS especially when you remember how flaky RAS was in NT 4.0.  What has happened in Windows 2003 is that the new version of the RAS service is much more robust, but equally the RAS icon is tricky to configure because there are so many more options.  The advertising blurb says that RRAS has zillions of wonderful new features.  This is true, but finding them can be frustrating and that is why I have prepared a series of mini-tutorials.

Routing and RAS Topics

Router

Windows Server can act as a Router; what a novel idea.  My guess is that most people will buy a dedicated hardware router.  However, if you are stuck, don't have the money, or just want to practise some routing ideas, then Windows Server 2003 provides genuine but slow software routing capabilities.  (Unlike specialist routers, which provide much faster hardware inter-network connections.)

RAS (Remote Access Server)

Surely no surprise in the RAS core?  Well not really; the only brain teaser is in the very first decision: do you need a dedicated Windows RAS server at all?  What I am thinking is that there are viable alternatives to a Windows 2003 RAS server with digiboards of modems, for example VPN, RPC over HTTP and internet email.  In my mind RAS was a good solution for roaming users in the 1990's, but in the 21st century other technologies have improved while RAS has stayed where it is.

DHCP Relay Agent

There is an initial shock in that you no longer install the DHCP Relay Agent from Add or Remove Programs.  As soon as you navigate to the RRAS interface, it hits you that this is the obvious place for the DHCP Relay Agent.  It makes sense to link the Routing component of Windows Server 2003 with the listening and forwarding component of DHCP.  If there is a frustration it is how well Microsoft hides the DHCP Relay Agent interface among the Routing Interfaces.

RIP and OSPF

Not so much a surprise, more a bonus to find two Routing Protocols under the IP Routing folder.  The trick to installing many of these extra features is to right click the General Folder.  In this instance, select the 'New Routing Protocol'.  On the diagram you can see that RIP is already installed, so we assume that the screen shot was taken from an OSPF installation.

Remote Access Policies

No surprise that Microsoft provide Policies to control RAS users.  However it is confusing that the Remote Access Policies are not in Active Directory.  Microsoft's justification for this arrangement is that, for security reasons, RAS servers may be positioned in a DMZ without connectivity to Active Directory.  Just to be clear, RRAS can operate happily in a Domain; it's just that you have the option of making it a complete stand-alone server.

If you have the time to investigate the RAS Policies, you will be rewarded, as there is a rich variety of settings for any eventuality that you could dream up.  For example, you can filter on phone number, group membership or Vendor properties.  The bombshell in RAS Policies is that by default, no one can dial in.  The stated reason for this setting is security.  My view is that finding the Deny / Grant radio buttons is a hidden test for you.  If you don't know what you're doing then nobody can dial in.  However if you are skilful then you find the setting and switch the radio button from Deny to Grant.

NAT/Basic Firewall

NAT (Network Address Translation) solved an intellectual puzzle for me.  10 years ago, when I first saw multiple workstations browse the internet through one connection, it bamboozled me how the proxy server knew which web page to return to which workstation, given they only had one IP address on the Internet connection.  The answer of course is assigning a unique port number to each client.  In effect NAT keeps a database of which internet requests map to which local machine.  Incidentally, you may have seen NAT's baby brother called ICS, (Internet Connection Sharing) on XP.  In fact, you have to make sure that you disable the Windows Firewall / ICS service before you configure Windows Server 2003.

To configure NAT, navigate in the RRAS interface to the IP Routing folder.  Unlike ICS where you must use 192.168.0.1, with NAT you can use any valid IP address on the internal network, for example 10.0.100.1.  The key decision with NAT tabs is what to do about DNS?  I would recommend keeping DNS resolution in house (don't tick the box). 

RRAS in Windows Server 2003 Summary

I stand by my challenge, which is, if you investigate the RRAS menus, you will find at least one surprise.  It could be in the Remote Access Policies, or possibly in the Routing Interfaces, if not there, then certainly in the NAT configuration.


DHCP in Windows Server 2003

DHCP in Windows Server 2003

Dynamic       - Means that a client's IP address may change
Host          - Indicates that this is a system for clients, e.g. XP machines
Configuration - A clue that you are in charge of the options, e.g. DNS Server
Protocol      - The rules controlling the flow of packets between client and server

Tutorial for DHCP in Windows 2003

Benefits of DHCP

All clients and servers need an IP address on a TCP/IP network.  How will you configure those dotty dot numbers on your TCP/IP property tabs?  Manually, or automatically via DHCP?  Let us investigate what advantages an automatic DHCP service has over the manual alternative.

DHCP Strategies for the clients and servers

10 years ago, when I first saw DHCP, I thought that you would need one DHCP server on each subnet - wrong.  What I now recommend as a default, is two DHCP servers for the whole company.  For those subnets without a DHCP you configure a DHCP Relay Agent.

If you have two DHCP servers, then provide redundancy by splitting each scope so that each DHCP server gets a non-overlapping range.  For example:

Server A: 10.10.56.1 to 10.10.56.120
Server B: 10.10.56.121 to 10.10.56.254.

Each scope has a class C Subnet Mask /24 (255.255.255.0)
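A split scope only gives redundancy if the two ranges stay inside the subnet, never overlap (otherwise both servers can lease the same address) and leave no unassigned gap. The added example below, which is not from the original page, checks a plan like the one above for any mask, not just /24; the only inputs are the page's own sample addresses.

```powershell
# Added example: validate a split-scope plan (inside subnet, no overlap, no gap).
function ConvertTo-IPNumber ([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                       # BitConverter is little-endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-SplitScope {
    param([string]$Network, [string]$Mask, [hashtable[]]$Ranges)
    $net      = ConvertTo-IPNumber $Network
    $maskNum  = ConvertTo-IPNumber $Mask
    $first    = ($net -band $maskNum) + 1                 # skip the network address
    $last     = ($net -bor (4294967295 - $maskNum)) - 1   # skip the broadcast address
    $problems = @()

    $sorted = @($Ranges | ForEach-Object {
        New-Object PSObject -Property @{
            Name  = $_.Name
            Start = ConvertTo-IPNumber $_.Start
            End   = ConvertTo-IPNumber $_.End
        }
    } | Sort-Object Start)

    foreach ($r in $sorted) {
        if ($r.Start -gt $r.End) { $problems += "$($r.Name): start is after end" }
        if ($r.Start -lt $first -or $r.End -gt $last) {
            $problems += "$($r.Name): range lies outside $Network/$Mask"
        }
    }
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $prev = $sorted[$i - 1]; $cur = $sorted[$i]
        if ($cur.Start -le $prev.End) {
            $problems += "$($prev.Name) and $($cur.Name) overlap: duplicate leases possible"
        } elseif ($cur.Start -ne $prev.End + 1) {
            $problems += "gap between $($prev.Name) and $($cur.Name): addresses never leased"
        }
    }
    if ($sorted[0].Start -ne $first -or $sorted[-1].End -ne $last) {
        $problems += "ranges do not cover every usable address in $Network/$Mask"
    }
    New-Object PSObject -Property @{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# The plan from the page: two servers sharing 10.10.56.0/24.
Test-SplitScope -Network '10.10.56.0' -Mask '255.255.255.0' -Ranges @(
    @{ Name = 'Server A'; Start = '10.10.56.1';   End = '10.10.56.120' },
    @{ Name = 'Server B'; Start = '10.10.56.121'; End = '10.10.56.254' }
)
```

For the page's two ranges the result is Ok = True with no problems; move Server B's start to 10.10.56.120 and the overlap is reported.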

DHCP Strategies for the servers

What are you going to do about the IP addresses for the servers themselves?

If you try the strategy of DHCP addresses for file and print servers, consider a RESERVATION for each server.  Slowly I am warming to this DHCP idea; the killer advantage is that you can set DNS and Router options even for the servers.  Let me elaborate: if you set server IP addresses manually, but then you change the default gateway, you may forget to change the servers' default gateway.  The result would be a loss of whatever service the servers were providing.  However, if the servers have a reserved IP address then they come under the umbrella of your scope options, and so there would be no extra work and no loss of service.

Summary

DHCP is now a well established strategy for providing computers with IP addresses.  However, it is full of surprises and hidden treasures, take the time to develop your DHCP tactics, then explore the properties of both the DHCP server icon and the scopes.  I have a series of tutorials to help you.


Install and Configure DHCP in Windows Server 2003

Install and Configure DHCP in Windows Server 2003

As services go, DHCP is easy to both install and configure.  However, because there are so many settings in so many places, I am willing to bet that my tutorial will unearth at least one new option that will improve your DHCP performance.

Tutorial to Install and Configure DHCP Servers

DHCP Install

This tutorial will guide you through the steps needed to get your DHCP server installed and configured correctly.  Let us begin with a straightforward job to install DHCP.  Get your Windows Server CD ready, then navigate to: Add Remove Programs, Windows Components, Networking Services.

Whilst adding the DHCP service is easy, configuring the scope options needs thought.  For instance, if you make a mistake with the subnet mask, you cannot amend that scope, you would have to delete and start afresh.  However, you can add and change the options such as Type 006 DNS server, or Type 015 Domain name.

DHCP Address Leases

Lease is a good name for a DHCP IP property.  Take for example the 8 day default lease; if the client is shut down for 2 days, when it restarts it will continue to have the same IP address.  Halfway through their lease clients attempt to renew their lease.  IPCONFIG /all will show you the lease, while IPCONFIG /renew will do what it says, top up the lease.

Only reduce the duration if you are short of IP addresses.  For example, if you only have 250 IP addresses but 300 possible clients.  It also makes sense to set short leases if you are likely to discontinue a scope in the near future.

Here is a table summarising how a DHCP service results in clients getting an IP address.  If you are interested in seeing these packets, use Network Monitor to capture DHCP in action.  Here are the classic 4 packets that clients exchange during a lease negotiation.

Client              Server
DHCPDiscover  -->
              <--   DHCPOffer
DHCPRequest   -->
              <--   DHCPAck

DHCPInform          Server checks that it is Authorized in Active Directory

Note 1: DHCPRequest may seem strange, but it comes into play if there are two DHCP servers and both make an offer to a potential client.

Note 2: DHCPAck.  Once in a blue moon you see DHCPNack; this is a negative acknowledgement which means 'I do not know you'.  The most likely cause of a Nack is the client trying to renew an IP address from the wrong DHCP server.

Scope Options.

Take the time to investigate Scope Options; this is the most likely place that I will win my bet that you will find a new setting which will improve your network performance.  These options can be set at the Scope Level, Server Level, Reservation Level or at the Class Level (tricky).  So find all four places and make up your mind which would be the best level for your network.

Examples of DHCP Scope Options:

Classes (Advanced Tab)

Address Reservation

Reserving IP addresses is useful in two situations: for file and print servers, and for important machines where leases are in short supply.  How does DHCP know which machine to lease a particular IP to?  The answer is by its MAC address (also called the NIC or physical address).  In Windows 2003, when you enter the MAC address, DHCP strips out the hyphens if you absentmindedly include them amongst the hex digits.  To find the MAC address, ping the machine and then type arp -a.

Remember that you can set DHCP Options for the reservations; after all, that may have been the very reason why you decided to make reservations in the first place.

Authorize - DHCP Server

In a Windows Server 2003 (or 2000) domain all DHCP servers need to be authorized in Active Directory.  This is an example of Microsoft's new security initiative, and an attempt to eliminate rogue DHCP servers set up by junior administrators in a large company.  So, you need to log on (or use RunAs) as a member of the Enterprise Admins group.  Then right click the DHCP server icon and select Authorize.

Incidentally, the RIS service also needs to be Authorized before it becomes active.

Activate - DHCP Scope

Even after you Authorize a server, each scope must be activated individually.  So, right click the scope to activate (or deactivate) it.  Keep your eye on the red or green arrows to judge your success.  Note you may have to Refresh from the server icon; often pressing F5 is not enough.

Summary of Configuring DHCP

Installing DHCP is easy.  Authorizing and Activating are straightforward.  The toughest part is investigating all the Scope Options and deciding whether to implement them at the Server or Scope level.  This page provides a step-by-step tutorial on getting the most from your DHCP Server.
Here is a major strategic decision: what use will you make of DHCP reservations?


DHCP Relay Agent - Windows Server 2003

DHCP - Relay Agent for Windows Server 2003

Instead of deploying a DHCP server on every subnet, discover how to install and configure a DHCP relay agent.  By far the hardest part of mastering the DHCP relay agent is installing it.  Once you have found the relay agent, configuring it to listen for DHCPDiscover packets is the proverbial piece of cake.

Tutorial for DHCP Relay Agent

DHCP Relay Agent - Concept

DHCPDiscover packets, like all broadcasts, cannot pass across routers.  In fact that was a lie: if you have a modern router which is RFC 1542 compliant, then it can forward the DHCPDiscover packets to a DHCP server in a different subnet.  In this instance, the router acts as a Relay Agent.

Relay Agent - Installation

It is rare for Microsoft to remove functionality, but while NT 4.0 Workstations could act as DHCP Relay agents, XP and W2K Pro cannot.  So you need to install the relay agent on a Windows Server 2003. 

What is not obvious is where you find the relay agent, the answer is in Routing and Remote Access.  When you think about it, the relay agent is a type of router, hence the RRAS location to install and configure the DHCP Relay agent makes sense.

As I say, once you find and install the Relay Agent, configuring it is easy: all you need to do is tell the router or DHCP relay agent the IP address of the real DHCP servers.  Just right click the DHCP Relay Agent, and then select Properties from the shortcut menu.

Trap: forgetting to add an interface.  See that the 'ISP' interface in the screen shot is Enabled.

Relay Agent - In action

Let us now see how the Relay Agent works in practice.  What happens is that the Relay Agent intercepts DHCPDiscover packets from clients and then unicasts them to the DHCP server on their behalf.  The secret of successful relaying is to create the appropriate scope on the DHCP server.  The first time it worked I thought that it was a miracle that the client got the correct IP address.  On reflection, I realized that the Relay Agent adds the Source IP address when it contacts DHCP.  So now I understand how the server knows, from its list of scopes, which subnet to offer an IP address from.

Hop Count

How many routers lie between your client and its DHCP server?  Each router would represent 1 hop, so calculate the maximum hop count that you need and configure the Relay Agent accordingly.  From the Routing and Remote Access interface, navigate to the IP Routing, DHCP Relay Agent, right click the Interface, not the server, and check the  Hop Count threshold.

Boot Threshold

The boot threshold setting is for the cautious (or paranoid).  Such people would have a DHCP server AND a Relay Agent on the SAME subnet.  In these circumstances, you should consider how long the Relay Agent should wait for the main DHCP server to respond.  To do this adjust the Boot threshold.
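The four-packet exchange, the relay agent's job, and the hop count and boot threshold settings above, modelled as an added Python example (not code from the page or from Microsoft, and a model rather than the Windows relay agent itself). The packets, scopes, MAC and addresses are constructed for the example, and it assumes the boot threshold is compared against the client's secs field.

```python
"""Minimal DHCP (RFC 2131) message builder and parser, a model relay agent with
hop count and boot thresholds, and the server's scope choice from giaddr.
Constructed packets for illustration; not code from the original page.
Assumption (not stated on the page): the relay agent compares the boot
threshold against the client's 'secs' field, and drops packets whose hop
count would exceed the threshold.
"""
import ipaddress
import struct

MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 5: "DHCPACK", 6: "DHCPNAK", 8: "DHCPINFORM"}   # option 53 values
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp(mtype, xid, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0",
               secs=0, hops=0, extra_options=()):
    """Serialise one DHCP message; op is 1 for client messages, 2 for replies."""
    op = 1 if mtype in (1, 3, 8) else 2
    header = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, secs, 0)
    for addr in ("0.0.0.0", yiaddr, "0.0.0.0", giaddr):   # ciaddr, yiaddr, siaddr, giaddr
        header += ipaddress.IPv4Address(addr).packed
    header += chaddr.ljust(16, b"\x00") + b"\x00" * 192 + MAGIC_COOKIE
    options = bytes([53, 1, mtype])                         # option 53: message type
    for code, value in extra_options:
        options += bytes([code, len(value)]) + value
    return header + options + b"\xff"                       # 255 ends the options


def parse_dhcp(packet):
    """Decode the fixed header and the TLV options of one DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops, xid, secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    addrs = [str(ipaddress.IPv4Address(packet[o:o + 4])) for o in (12, 16, 20, 24)]
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:                                  # pad byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "secs": secs,
            "ciaddr": addrs[0], "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3],
            "chaddr": packet[28:28 + hlen].hex(":"),
            "type": MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
            "options": options}


def relay(packet, agent_ip, hop_threshold=4, boot_threshold=0):
    """Model relay agent: return the copy to unicast to the DHCP server, or None.

    A client broadcast carries giaddr 0.0.0.0; the agent writes its own address
    on the client's subnet into giaddr and bumps hops. Packets that have crossed
    too many routers, or that arrive before the client has been trying for
    boot_threshold seconds, are dropped (a local DHCP server gets first go).
    """
    msg = parse_dhcp(packet)
    if msg["hops"] + 1 > hop_threshold or msg["secs"] < boot_threshold:
        return None
    giaddr = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else agent_ip
    out = bytearray(packet)
    out[3] = msg["hops"] + 1                                # hops byte
    out[24:28] = ipaddress.IPv4Address(giaddr).packed       # giaddr field
    return bytes(out)


def choose_scope(packet, receiving_interface_ip, scopes):
    """giaddr (when a relay set it) or else the receiving interface picks the scope."""
    msg = parse_dhcp(packet)
    locator = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else receiving_interface_ip
    for scope in scopes:
        if ipaddress.IPv4Address(locator) in ipaddress.IPv4Network(scope):
            return scope
    return None                      # no matching scope: the server stays silent


SCOPES = ["192.168.0.0/24", "10.10.56.0/24"]    # constructed scopes on the server
CLIENT_MAC = bytes.fromhex("000c29aabbcc")      # constructed client MAC


def classic_exchange():
    """Discover, Offer, Request, Ack as the parser labels them."""
    xid = 0x1234
    packets = [build_dhcp(1, xid, CLIENT_MAC),
               build_dhcp(2, xid, CLIENT_MAC, yiaddr="192.168.0.50"),
               build_dhcp(3, xid, CLIENT_MAC, extra_options=[(50, bytes([192, 168, 0, 50]))]),
               build_dhcp(5, xid, CLIENT_MAC, yiaddr="192.168.0.50")]
    return [parse_dhcp(p)["type"] for p in packets]


def relayed_discover_scope(secs=0, boot_threshold=0):
    """A client on 10.10.56.0/24 broadcasts; the relay at 10.10.56.1 forwards to a
    server whose own interface is 192.168.0.10."""
    forwarded = relay(build_dhcp(1, 0x5678, CLIENT_MAC, secs=secs), "10.10.56.1",
                      boot_threshold=boot_threshold)
    return None if forwarded is None else choose_scope(forwarded, "192.168.0.10", SCOPES)
```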

Conflict Detection 

Where you have relay agents, especially if you configure more than one, there is a possibility of duplicate IP addresses.  The conflict detection feature means that the DHCP server checks by pinging the proposed address lease before actually issuing it.  Naturally, if the server receives a reply that IP address is not offered.

Conflict Detection is a property of the DHCP server as a whole and not of individual scopes.  To set the threshold, right click the server icon, properties, then Advanced (Tab).

APIPA

If all else fails, then clients give themselves an Automatic IP address in the range 169.254.x.y where x and y are two random numbers between 1 and 254.

Whilst APIPA is a sign of failure, the fact that the client has a valid IP address means that it can keep on polling to see if a DHCP server has come back online.  In NT 4.0 days, a client would end up with a 0.0.0.0 address if there were no DHCP server, and then you needed to reboot to obtain a valid IP address.

Summary and Challenges.

When you set up a relay agent there are a number of other factors to consider: check your Hop Count, Boot Threshold, and Conflict Detection.  My tutorial compares the difficulty of installation with the ease of configuring.


DHCP User Classes

Topics for DHCP Configuration

Creating your own User Class - A tough challenge

User Classes - Concept

The idea is that you may wish a sub-set of computers to have a different default gateway.  Take the scenario where  you have 6 directors who need internet access and would like those machines to have different DHCP scope options. 

Now actually making your own User Class work is one of the most difficult jobs in the whole of computing.  So go slowly, and pay attention to detail, in particular watch out for what needs configuring on the server, and when to run IPCONFIG on the clients.

User Classes - Configuration

1) Create your User Class.  Right click the DHCP server option, select Define User Classes from the short cut menu.

2) Add your chosen User Class.  The trick is to get rid of the dot under ASCII and add a name that you will use for this special User Class, for example Director.

3) Remember to create the special options, for example a new Default Gateway.  To do this choose the Advanced tab on the Options.

4) Now we switch our attention to the clients.  The key is to tell the clients which User Class they belong to. 

IPCONFIG /setclassid director would be the answer for our example.

In 'real life' I would use a logon script to issue this command; your average user would not be able to remember it.

5) Test your /setclassid with IPCONFIG /all or IPCONFIG /showclassid.

Set your own DHCP Predefined Options.

I have one 'killer use' for Predefined options, to set the WPAD (Web Proxy Auto Detect)  for XP clients.  However, I am sure that there will be more uses for Predefined options in the next few years.

Now you could set the ISA server Proxy with a group policy, but it may be easier to control via a DHCP option.

From the DHCP server icon, select: Set Predefined Options. (See Diagram 1)
The crucial button is: Add.  Next, in the Name box, enter WPAD.
Change the Data Type box to: String.
In the Code box, type: 252.
Crucial point: press Enter.

Important: In the Predefined Option and Values dialog box, type
http://ISA-yourServer:80/wpad.dat in the box.

Note: 80 is the default port of the ISA AutoDiscovery service.
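An added example (not code from the page) modelling how the User Class from the steps above and the WPAD predefined option combine with the other option levels into one client's option set, recording which level supplied each value so you can tell where a gateway or proxy setting is coming from. The tables, addresses and MAC are constructed, and it assumes later levels override earlier ones in the order server, scope, class, reservation.

```python
"""Toy model of how a DHCP server assembles one client's option set from the
four levels the tutorial names (server, scope, class, reservation), recording
which level supplied each value. Constructed tables; not code from the
original page. Assumption (not stated on the page): later levels override
earlier ones in the order server < scope < class < reservation, and the class
set on the client with ipconfig /setclassid arrives in option 77 as raw bytes.
"""
import ipaddress

ROUTER, DNS_SERVERS, DOMAIN_NAME, WPAD = 3, 6, 15, 252   # DHCP option codes
OPTION_NAMES = {ROUTER: "003 Router", DNS_SERVERS: "006 DNS Servers",
                DOMAIN_NAME: "015 DNS Domain Name", WPAD: "252 WPAD"}

# "ISA-yourServer" is the page's own placeholder for the proxy host.
SERVER_OPTIONS = {DNS_SERVERS: "192.168.0.5", DOMAIN_NAME: "cp.com",
                  WPAD: "http://ISA-yourServer:80/wpad.dat"}
SCOPE_OPTIONS = {"192.168.0.0/24": {ROUTER: "192.168.0.1"},
                 "10.10.56.0/24": {ROUTER: "10.10.56.200"}}
CLASS_OPTIONS = {b"Director": {ROUTER: "192.168.0.254"}}   # the directors' gateway
RESERVATION_OPTIONS = {"00:0c:29:aa:bb:cc": {DNS_SERVERS: "192.168.0.6"}}


def scope_for(client_ip):
    """Find the scope whose range contains the address being leased."""
    for scope in SCOPE_OPTIONS:
        if ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(scope):
            return scope
    raise LookupError(f"no scope contains {client_ip}")


def effective_options(client_ip, user_class=b"", mac=None):
    """Return {option code: (value, level that supplied it)} for one client.

    user_class is the raw option 77 payload; this model matches it byte for
    byte, so a class defined as Director is not found by b"director".
    """
    scope = scope_for(client_ip)
    layers = [("server", SERVER_OPTIONS),
              (f"scope {scope}", SCOPE_OPTIONS[scope]),
              (f"class {user_class.decode(errors='replace')}", CLASS_OPTIONS.get(user_class, {})),
              (f"reservation {mac}", RESERVATION_OPTIONS.get(mac, {}))]
    result = {}
    for level, table in layers:
        for code, value in table.items():
            result[code] = (value, level)         # later layers win
    return result


def option_origin(client_ip, code, user_class=b"", mac=None):
    """Answer 'where is this gateway coming from?' for one client and option."""
    value, level = effective_options(client_ip, user_class, mac)[code]
    return f"{OPTION_NAMES.get(code, code)} = {value} (from {level})"


if __name__ == "__main__":
    print(option_origin("10.10.56.21", ROUTER))                 # scope level
    print(option_origin("192.168.0.77", ROUTER, b"Director"))   # class level
    print(option_origin("192.168.0.50", DNS_SERVERS, mac="00:0c:29:aa:bb:cc"))
    print(option_origin("192.168.0.50", WPAD))                  # server level
```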

Summary and DHCP Challenge

Creating the server and client sides of DHCP User Classes is one of the most challenging and satisfying configuration tasks.  Keep your eye out for Predefined Options like WPAD 252, with which you can automatically set the ISA proxy server for your DHCP clients.


DHCP Database in Windows Server 2003

DHCP Database Topics

Perhaps you have never given the DHCP database a thought.  Well, the time may come when you need to back up, reconcile or compact the DHCP database.  At the very least, I expect you will want to check your lease statistics.

Tutorial Topics for DHCP Database

DHCP - Display Statistics

Bizarrely, I find 'Display Statistics' the most difficult tab to find on the DHCP server.  This is because it's the first item on the menu, and is often masked by the very highlight that should attract me.  I just hope that you are not afflicted by this blind spot. In any event, Display Statistics is one of the most interesting and rewarding items on the DHCP menu.

Display Statistics is available at both the server and the scope level.  My first thought is, 'How many leases are left?'  Next, I look to see if there have been any NACKS or lease declines.  See the screen shot to find the Display Statistics... menu.

DHCP Database  

DHCP has its own database.  Stored in this DHCP.mdb are the addresses, scopes and leases of the clients.  Understanding this database will help you back up and restore a DHCP server.

Check out this folder: %systemroot%\system32\dhcp\dhcp.mdb

As time goes by the database will grow, and best practice dictates that you should consolidate the database by freeing up space taken up by old leases.

The procedure for compacting the dhcp.mdb database is this.

1) Stop the DHCP service.  Either right click the DHCP Server icon, select All tasks then Stop.  Alternatively, go to the command line and type: NET Stop DHCPServer.  (For once the command really is DHCPserver, NOT DHCPyourservername.)

2) At the command line, navigate to the folder that holds dhcp.mdb: %systemroot%\system32\dhcp.

3) Jetpack dhcp.mdb temp.mdb.  What this does is copy the existing database, compact it, then copy it back to the original location - clever.

4) Remember to restart DHCP.  Either use the GUI, or if you are at the command line, NET Start DHCPServer

Warning: Do not 'mess' with any of the files that you find in the %systemroot%\system32\dhcp folder, if you do, then DHCP will stop working and you will either have to restore, or else re-install DHCP.

Backing up the DHCP Database

The first surprise is that this dhcp.mdb database is backed up every hour.

The second surprise is that the old jetpack database engine controls the database.

The third surprise is that you can only automatically backup to a local folder.  Should you need a 'real' backup, then just backup the files in the %systemroot%\system32\dhcp\Backup\ directory.

Finally, and unsurprisingly, there is a GUI to backup the DHCP database.

Reconcile

Reconcile is a technical term for making sure that DHCP information is consistent.  What can happen is that when you restore a database, there is a mismatch between lease information in the database and the same information in the DHCP server's registry.  Specifically, the registry just stores basic or summary information, and the detailed information from a recent restore may be different, so a 'Reconcile' will ensure that the database and registry data are consistent once more.

Bear in mind that you can either reconcile individual scopes or choose all scopes.  It all depends on the 'focus' of what you select.  If you select an individual scope then that is the limit of what you can reconcile; however, when you select the server icon, you can: Reconcile All Scopes - see diagram above.  (not below)

DHCP Audit Log

Once you set up DHCP auditing, you get a separate log for each day of the week.  The logs are a wealth of information, not just about the health of the server, but also about which machine gets which IP address and for how long.

To set up auditing, right click the DHCP server, then select Properties.

Auditing removes the last reason for having static IP addresses, accountability.  Die-hards, Luddites who resist DHCP often justify static IP addresses on the grounds that you can always account for which machine had which IP address on a particular day.  With DHCP Auditing you can achieve the same result and have all the benefits of central administration, instant control over default gateways and a raft of other options.
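As an added example (not from the page), a small parser for the comma-separated lines of the DHCP audit log, answering the accountability question just raised: which machine held a given address at a given time, plus the NACK and conflict counts. The sample log lines are constructed; the column order and event IDs follow those printed in the header of a real Windows Server 2003 audit log.

```python
"""Parser for the comma-separated event lines of a Windows Server 2003 DHCP
audit log (DhcpSrvLog-<Day>.log). It answers the accountability question from
the text (which machine held a given IP address at a given moment) and tallies
the NACKs and conflicts that Display Statistics also reports. The log lines are
constructed for this example, not from the page; the field order follows the
real log's "ID,Date,Time,Description,IP Address,Host Name,MAC Address" header
and the event IDs are the ones listed in that header.
"""
import csv
from collections import Counter
from datetime import datetime

TIME_FORMAT = "%m/%d/%y %H:%M:%S"          # the log writes MM/DD/YY and HH:MM:SS
EVENT_MEANING = {"00": "log started", "10": "new lease", "11": "lease renewed",
                 "12": "lease released", "13": "address already in use (conflict)",
                 "14": "scope out of addresses", "15": "lease denied (NACK)",
                 "16": "lease deleted", "17": "lease expired"}
LEASE_OPEN = {"10", "11"}                   # events that give a host an address
LEASE_CLOSE = {"12", "13", "16", "17"}      # events that take it away again

SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/05,07:59:01,Started,,,
10,03/14/05,08:01:12,Assign,10.10.56.21,pc021.cp.com,000C29AABBCC
10,03/14/05,08:01:40,Assign,10.10.56.22,pc022.cp.com,000C29DDEEFF
15,03/14/05,08:02:05,NACK,10.10.40.9,,000C29123456
12,03/14/05,12:30:00,Release,10.10.56.21,pc021.cp.com,000C29AABBCC
10,03/14/05,12:31:15,Assign,10.10.56.21,laptop07.cp.com,000C29777777
13,03/14/05,13:05:44,Conflict,10.10.56.30,,
"""


def parse_audit_log(text):
    """Yield one dict per event line, skipping the banner and column header."""
    for row in csv.reader(line for line in text.splitlines() if line.strip()):
        if len(row) < 7 or not row[0].isdigit():
            continue
        event_id, date, time, desc, ip, host, mac = row[:7]
        yield {"id": event_id,
               "when": datetime.strptime(f"{date} {time}", TIME_FORMAT),
               "desc": desc, "ip": ip, "host": host, "mac": mac.lower(),
               "meaning": EVENT_MEANING.get(event_id, "other")}


def holder_of(text, ip, at):
    """Return (host, mac) holding `ip` at time `at` ("MM/DD/YY HH:MM:SS"), or None."""
    moment = datetime.strptime(at, TIME_FORMAT)
    holder = None
    for ev in parse_audit_log(text):      # lines are written in time order
        if ev["ip"] != ip or ev["when"] > moment:
            continue
        if ev["id"] in LEASE_OPEN:
            holder = (ev["host"], ev["mac"])
        elif ev["id"] in LEASE_CLOSE:
            holder = None
    return holder


def health_counters(text):
    """The counters worth a glance: NACKs, conflicts and exhausted scopes."""
    counts = Counter(ev["id"] for ev in parse_audit_log(text))
    return {"nack": counts["15"], "conflict": counts["13"],
            "out_of_addresses": counts["14"]}
```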

Summary - DHCP Challenges

The DHCP database is full of surprises.  Discover how many leases you have issued with 'Display Statistics'.  Next discover where the database is situated, and master how to compact the dhcp.mdb.  Also, understand where you can Reconcile the scopes.  Finally, check whether or not auditing is set up on your DHCP server.


Troubleshooting DHCP

DHCP Troubleshooting

It may be famous last words, but DHCP does not give many problems.  However, if you are suffering from an APIPA address or a mis-configuration, then check out these symptoms and their associated cures.

IPCONFIG will be your number one troubleshooting tool.  Take the time to learn all its switches, for example IPCONFIG /all, /release and /renew.

Topics for DHCP Troubleshooting

APIPA (Automatic Private IP Address)

When you run IPCONFIG, if you see an address beginning 169.254.x.y, this is known as APIPA.  There may be nothing wrong; on a small network this could be 'by design'.  However, on a business network, more than likely it means that the DHCP server is down, or the Relay Agent is not doing its job.

DHCP Server has stopped

If the DHCP server is newly installed then check that it has been Authorized in Active Directory by an Enterprise Admin.  If it is Authorized (Green down arrow on server Icon), then check that the scope is activated.

DHCP Database is corrupted

When you suspect that the DHCP database is corrupt, first check through the system and application event logs.  If your worst fears are confirmed, then you have two choices: either just ruthlessly delete the affected scopes and start again, or attempt to restore the database from backup.

Trap - Orientation, finding a Scope Option

Are you looking for a property of an individual scope, or a property of the DHCP server options?  For example, the clients have a default gateway address of 10.10.56.200, but you do not know where this IP address is coming from.  As a rule of thumb, if you cannot find what you are looking for on the server, try the scope, and vice versa!

Trap - Subnet mask

You cannot change the subnet mask once you have configured a scope.  All that you can do is delete that scope and then start again.

Trap - Static address

It goes without saying that the very DHCP server itself, must have a fixed IP address.  The DHCP server cannot be its own client.

Trap - DHCP Relay Agent, Interface

Make sure that you add the interface to the Relay Agent.  The Relay Agent is found under the Routing and RAS server icon.  You add the interface itself by right clicking the Relay Agent object and selecting New Interface from the shortcut menu.

DHCP Bottlenecks

If you suspect that there is more DHCP activity than necessary, then set up a performance log and monitor the key counters, for example Requests/sec.

Summary

DHCP servers are normally well behaved; however, here is a selection of tips and traps for when you are stuck.


WINS Servers in Windows 2003 - The Basics

WINS (Windows Internet Name Service) in Windows 2003

My mission in this section is to explain the purpose of WINS in a Windows Server 2003 network.  In particular, I have tutorials to show you where and why you need to configure WINS.

The first point to remember about WINS is that only Microsoft clients use WINS servers for name resolution, whereas Linux, Unix and everyone else on the internet, use DNS exclusively.  To keep matters in perspective, Active Directory, Exchange and IIS also require DNS.  95% of the time modern Microsoft products prefer DNS, but just occasionally they need to find a NetBIOS resource name - come in WINS.  The 'killer' reason for implementing WINS is that Exchange, even Exchange 2003, needs NetBIOS name resolution.

Topics for WINS Servers in Windows 2003

WINS - The Basics of Name Resolution

It goes without saying that you have to implement DNS, but that's another story.  In this section I want to concentrate on WINS for those few occasions where NetBIOS name resolution is vital.  While both WINS and DNS deal with mapping ComputerName to IP addresses, there are two important differences; DNS is hierarchical and can support up to 254 characters, WINS, on the other hand, is a flat-field database limited to 15 letters.  One of the few advantages that WINS formerly had over DNS was that WINS is dynamic.  Well, starting with Windows 2000, DNS is also dynamic, so the only point of WINS in the 21st century is specifically for NetBIOS name resolution.

Keep in mind, especially when troubleshooting, the reason why we need databases such as WINS or DNS. The answer is name resolution.  We humans prefer to remember friendly names like BigServer, whereas computers prefer IP addresses in dot decimal notation for example, 192.168.0.23.

Name resolution started with two files called 'hosts' and LMHosts files.  The hosts file evolved into DNS and WINS took over the name resolution provided by LMHosts.  Every Microsoft machine is born with these files in the folder: %systemroot%\system32\drivers\etc\. Here is a typical entry for LMHosts.

10.54.94.13   bigserver

Installing a WINS Server on Windows Server 2003

WINS is a service and as with DNS and DHCP, you install WINS via the Control Panel,  Add or Remove Programs, Windows Components, Networking Services, Details --> WINS.  The wizard will now prompt you for the Windows Server 2003 CD. 

Once installation completes, you can find the WINS snap-in in the Administrative Tools folder.  What you are looking for is to make sure that the WINS Status is 'Responding'.

Trap.  In order for the clients to find their WINS server, you need to check to see that the very WINS server is registered in its own database.

A Goofy NetBIOS Problem

The key technical difference is that WINS servers use NetBIOS names whereas DNS relies on hostname.  For years I thought that NetBIOS and hostname were one and the same.  Then one day I had a bizarre naming problem.  A mystery machine called 'goofy' appeared on the network.  You could see it when you typed 'net view' at the command prompt.  I identified its IP address with ping, and traced its hostname in DNS.  For the solution, I launched regedit and found two different name settings, hostname and computername.  (Computername is an alias for NetBIOS name.)  Well, on this particular machine, the 'user from hell' had managed to set hostname = machinebythewall and computername = goofy.  Just to emphasise, I have never seen different names for computername and hostname before or since.

WINS Summary

WINS is an alternative to DNS for name resolution.   You only need WINS if you have old clients such as Windows 98, or servers that use NetBIOS name services.  DNS is a superior system, and is required by Active Directory.


WINS and Exchange 2003 Dependencies

Exchange 2003's Dependency on WINS

If you want to investigate the relationship between WINS and Exchange 2003 you have 3 choices:

  1. Just install WINS and get on with life.  Configure records for ALL the Exchange servers and Domain controllers.
  2. Ignore WINS, everything IS working fine on MY small network.
  3. The thinking man's approach.  Try to make sense of Exchange's dependency on WINS.  If you go down this route, you may find that the waters get muddier before you see clear bottom.

Clarifying Exchange 2003's Dependency on WINS

I had been labouring under the delusion that Windows and Exchange 2003 servers no longer need WINS; it seems that I was wrong.   However, what I now believe is that Exchange 2003 does not absolutely need WINS.  What various Exchange 2003 processes absolutely need is NetBIOS name resolution.  On simple networks, like mine, Exchange 2003 can resolve NetBIOS names simply by broadcasting.  Now I expect that you are ahead of me on why big networks still need WINS: because broadcasts are limited to the local subnet.

Let us consider a quote: 'Microsoft tries to make sure all programs work without NetBIOS, but this may only apply to future products.' From the Microsoft source knowledgebase article: PSS ID Number: 837391.

The above article points out problems with these configurations:

Solutions to Exchange's need for NetBIOS Name Resolution.

  1. WINS (Best).
  2. LMHosts - Troubleshooting.
  3. Broadcast - Local Subnet only.

Associated programs - DNS, DHCP, Outlook and possibly SMS.

Exchange 2003's Dependency on WINS - Summary

Exchange 2003 still makes NetBIOS calls.  So either configure resource records in WINS, or else rely on broadcasts to resolve the NetBIOS requests.


WINS Registrations in Windows 2003

WINS (Windows Internet Name Service) Registration

Always remember that there are two processes with WINS, registration and query.  In the case of registering, your mission is to enter the client's IP address into the WINS server database.  When querying, you need to find the WINS server with the resources you are looking for.  This page examines how DHCP helps clients add records to the WINS database.

Topics for WINS Registration in Windows Server 2003

WINS Records

WINS clients can register more than one type of resource record in the WINS server database, for example File Server [20h], or Messenger [03h].  Another famous WINS service is [00h] Workgroup, or some call it the redirector.

TIPS) So that clients can find their WINS server, remember to add a record for each server to its own WINS database.  Either add a static record, or simply add the server's own IP address to the network connection, TCP/IP properties, Advanced tab.

When I first investigated the new WINS server interface in Windows Server 200x, I could not find any records even though I knew that clients had registered.  What could be the problem?  Well it seems that unlike NT 4.0, the later WINS servers do not display any records unless you specifically ask for them.  So, from the WINS server, right click the Active Registrations folder and select Display Records.  The secret is to click: Find now, (and not bother with the filter).

WINS DHCP Registrations

Clients either register in the WINS database via the TCP/IP properties, or better still through their DHCP scope options.  The idea is that DHCP gives the client not only its IP address, but also the IP of the Router and the WINS server.

The first DHCP Scope option is type 044, which tells the client the name of its WINS server(s).  The second option is type 046; this is more complicated, and deals with the client's query behaviour.  If in doubt choose type 0x8 H-node.  Let me explain a little more about option 046:

H-node tells the client to try WINS first, if that fails broadcast for the IP address.

M-node which means Broadcast first then ask a WINS server.

P-node means only use WINS.

B-node, simply means broadcast, do not use WINS.

Why would you want M-node?

WINS gave me a tricky moment on one of my training courses.  I was explaining the merits of H-node name resolution.  I told the delegates that the client uses WINS first, then broadcasts if there is no reply from the WINS server.  H-node should stand for heads-up, because it's a great play.

Then I went on to say that M-node is limited.  The reason is because M-node broadcasts first, and only when that fails do M-node clients query WINS.  So far, so good, but then I overplayed my hand and said no sane person would use H-node.  You've probably guessed what happened next: a delegate put up their hand and said, 'er.. Guy, we use M-node and it's great'.

The delegate went on to explain that they only have 5-10 computers in their regional offices and the WINS server is only accessible by a 56K link to HQ. (This is an old story.)  After I removed the proverbial egg from my face, I got the point: mostly these clients wanted to connect to a printer in the same room; if the name resolution went all the way to HQ and back, merely to find a machine only metres away, it made no sense.  Much better in that case to broadcast.

WINS Registration Summary

When you integrate WINS, DHCP and DNS, they are better than the sum of the individual parts.  What DHCP can do for WINS is give out the IP address of the WINS server.

Basically, WINS in Server 2003 is much like NT 4.0.  However there are neat improvements and new ways of displaying the resource records.


WINS and DNS Integration in Windows 2003

WINS and DNS Integration in Windows 2003

If you must have a WINS server, then at least achieve the best configuration possible.  Take the situation where the WINS database contains records for computers that DNS does not know about.  It costs very little to configure DNS to query WINS for such NetBIOS names.

Topics for WINS and DNS Integration

Configuring DNS for WINS Integration

WINS and DNS are full of surprises.  For instance, to integrate WINS and DNS go to the zone folder, not the server icon.  It was a long time before I realized the significance of going to the WINS tab in DNS and checking the box: 'Use WINS forward lookup'.  In fact, I was adding a special WINS record to the DNS forward lookup zone.  However, once I had configured this tab, it was less of a shock to realize that I could carry out a similar procedure in the Reverse Lookup zone.   The result was that I had integrated WINS and DNS for both zones.

How the Integration Works

When a DNS client sends a name resolution query to the DNS server, the first thing the server does is look in its DNS zones to try to resolve the request.  If it fails to find a name match, DNS strips down the fully qualified domain name to just the hostname, and passes a request for that name to the WINS server.  If WINS finds such a name amongst its records, it sends the name and IP address back to DNS.  Finally, DNS replies with the answer to the client's query.

Guy's WINS / DNS challenge

Here is a fun challenge to test WINS / DNS integration.  I assume that you already have DNS and WINS installed, and crucially, that you have configured the WINS tab on the DNS server to 'Use WINS forward lookup'.  OK, here is the challenge: add a fictitious computer as a static entry in your WINS database.  Ping that NetBIOS name.  You should get a timed out reply, but interestingly, you should see the fictitious IP address that ping is attempting to connect to.  So this proves that ping, at least, is using WINS.

Example 1. At the WINS server, add a static entry for PeterComputer 192.168.0.89.

At the command prompt: ping PeterComputer
Result: Pinging petercomputer.cp.com [192.168.0.89]

The second half of the challenge is to add another record, but this time in DNS.

Example 2: In the DNS Forward Lookup Zone, add PeterComputer 192.168.0.71
Result: Pinging petercomputer.cp.com [192.168.0.89] - hmmm, still 89.

Humour me, run ipconfig /flushdns and try once more.
Result: Pinging petercomputer.cp.com [192.168.0.71] - hooray! 71.

What does this experiment prove?  Well, it shows that DNS clients can use their DNS server to retrieve information from the WINS database.  My challenge also showed that DNS queries its own database before forwarding the request on to WINS.  Incidentally, the challenge reminds us of ipconfig /flushdns.
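Guy's challenge replayed as an added Python model (not code from the page or from Windows DNS): a DNS server that checks its zone first and then strips the FQDN to a hostname for WINS, plus a client cache that explains why the answer stayed at .89 until ipconfig /flushdns. The zone name cp.com and the two addresses come from the examples above; the caching is a simplification of what the real client does.

```python
"""Model of the WINS forward lookup path described above plus the client's DNS
cache, reproducing the 89-then-71 result of the challenge. Added example with
constructed records (the page's PeterComputer addresses); not code from the
original page, and only a model of the behaviour, not the Windows DNS server.
"""


class DnsServer:
    def __init__(self, zone, records, wins_db, use_wins_forward_lookup=True):
        self.zone = zone.lower()
        self.records = {k.lower(): v for k, v in records.items()}   # A records in the zone
        self.wins_db = {k.upper(): v for k, v in wins_db.items()}   # flat NetBIOS names
        self.use_wins = use_wins_forward_lookup                     # the 'WINS' tab tick box

    def query(self, fqdn):
        """Zone data first; on a miss, with WINS lookup enabled, strip the FQDN
        down to the hostname and ask WINS for that flat name."""
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in self.records:
            return self.records[fqdn], "dns"
        if self.use_wins and fqdn.endswith("." + self.zone):
            host = fqdn[: -len(self.zone) - 1]
            if "." not in host and host.upper() in self.wins_db:
                return self.wins_db[host.upper()], "wins"
        return None


class DnsClient:
    """A resolver with a positive cache; 'ipconfig /flushdns' empties it."""

    def __init__(self, server, search_suffix):
        self.server, self.suffix, self.cache = server, search_suffix.lower(), {}

    def fqdn(self, name):
        return name.lower() if "." in name else f"{name.lower()}.{self.suffix}"

    def ping_target(self, name):
        """What ping would print as its target: 'fqdn [ip]' and where it came from."""
        fqdn = self.fqdn(name)
        if fqdn not in self.cache:
            answer = self.server.query(fqdn)
            if answer is None:
                return None
            self.cache[fqdn] = answer
        ip, source = self.cache[fqdn]
        return f"{fqdn} [{ip}]", source

    def flushdns(self):
        self.cache.clear()


def guys_challenge():
    """Replay the two examples: WINS static entry .89, then a DNS record .71."""
    server = DnsServer("cp.com", records={}, wins_db={"PeterComputer": "192.168.0.89"})
    client = DnsClient(server, "cp.com")
    first = client.ping_target("PeterComputer")                 # answered via WINS: .89
    server.records["petercomputer.cp.com"] = "192.168.0.71"     # Example 2: add the A record
    second = client.ping_target("PeterComputer")                # still .89: client cache
    client.flushdns()
    third = client.ping_target("PeterComputer")                 # now .71 from DNS
    return first, second, third
```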

WINS and DNS Integration Summary

If you are going to use a WINS server, you may as well take advantage of the wonderful DNS system and just integrate WINS.  The idea is that if DNS knows the answer to a client's query then it will reply immediately.  However, if it cannot resolve the NetBIOS name, it passes the query on to the WINS server.  Any reply is then relayed to the original client.


Troubleshooting a WINS Server in Windows 2003

Troubleshooting a WINS Server in Windows 2003

In the early days of NT 4.0, WINS was plagued with problems, in fact it seemed to me that half the fixes in NT services packs were for WINS Jet database errors.  Thankfully all those problems have been ironed out.  In fact it seems a shame that now that WINS is working perfectly, it has become obsolete.

Topics for Troubleshooting WINS Servers

Basic ping problems

A common problem is that you can ping a server by IP address, but not by NetBIOS name.  The first place to check is the WINS database.  If the record is there, and you can ping correctly from the server itself, then blame the client's WINS settings.  Either DHCP has an error in Option 044 or 046, or there is a fault in the client's TCP/IP properties.  In the latter case check the Network Connection properties.

TIPS)  Add the WINS server's own IP address to its database.

Cannot see any Resource Records

This can be embarrassing.  You know that clients have registered in the WINS server, but when you go to the WINS Server icon, you cannot see any records in the Active Registrations folder.  The solution is simply to right click Active Registrations and select Display Records.  The crucial step is just to click on the button: Find Now.


NBTStat and WINS Records

NBTStat is a handy command line utility to interrogate a WINS server.  You can discover which resource records the WINS server holds for which host.

To save the long walk to the WINS server, you could either use Remote Desktop, or go to the command line and try NBTStat.  (Careful with the spelling, as there is also a netstat.)  Collect information about WINS records by going to the cmd prompt and typing NBTStat -A (capital A), for example:
nbtstat -A 192.168.0.23

Beware: NBTStat is a rare utility in that its switches are case sensitive, e.g. NBTStat -a and -A give different results.  Here are two examples:

Lower case '-a' will only be effective with the ServerName, for example:
nbtstat -a ServerName   (do not use the IP address with -a)

Upper case '-A' requires an IP address, for example:
nbtstat -A 192.168.0.23   (-A ServerName fails)

Another point is that -a and -A are designed for remote machines; to see your very own WINS records type nbtstat -n (no IP address or NetBIOS name required).

NetBIOS Name Resolution Sequence

When you are troubleshooting it saves time if you know the default sequence that a client uses to resolve a NetBIOS name request.

  1. Looks in its own NetBIOS cache.  You can check this cache with nbtstat -n (also -c for any remote machines cached).
  2. Queries WINS.
  3. Broadcast.  To tell the truth, the reason that I have taken my eye off the NetBIOS ball is that in testing all my machines have been on the same network.  So, as broadcast is a valid method for NetBIOS name resolution, I had not needed the WINS server.  But in the real world, servers will be on other networks, so we will need WINS.  (Broadcasts, by definition, are limited to the subnet where they originate.)
  4. Looks in LMHosts.  The LMHosts and Hosts files are a life saver when troubleshooting.
    Incidentally, there used to be the trick question that LMHosts reduced broadcasts; well, you can see from this sequence that LMHosts has no effect on broadcasting (more's the pity).
  5. Here is the slightly strange part: if the client has not yet received an answer to its NetBIOS query, it now checks the hosts file and then DNS.

Backup WINS Database

The notorious WINS backup problem occurs when you try to back up WINS, not locally, but across the network.  All that you can do is change the Database path back to a local folder.

To alter the path, launch the WINS manager and navigate to the Server icon, right click and select the advanced tab of the properties.  Traditionally, the path is %windir%\system32\wins.

In fact, one reason for backing up the WINS database is that you wish to protect wins.mdb against a compact error.

Compacting the WINS Database

If you have a large number of WINS clients then every six months or so you should reclaim disk space by compacting the WINS server database.  WINS compacts its database online as it runs, but only an offline compaction with jetpack.exe actually gives the space back to the disk.

Instructions to Compact wins.mdb

  1. Stop the WINS service  - net stop wins
  2. Navigate to the %windir%\system32\wins folder
  3. Type - dir.  (You should see wins.mdb; take a copy of the folder before going further.)
  4. Type - jetpack wins.mdb tmp.mdb  (jetpack writes a compacted copy to tmp.mdb and then replaces the original; it reports the sizes before and after.)
  5. Start the WINS service  - net start wins

A word of warning: the Windows compact command (compact /c wins.mdb) is NTFS file compression, not database compaction.  It will show you impressive compression ratios, but it does not reclaim space inside the Jet database, and compressing a live Jet database file is not something Microsoft recommend.  jetpack.exe, which ships in %windir%\system32, is the tool for WINS (and DHCP) databases.
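Here is the same procedure as a script, added to this page as an example rather than taken from it.  It takes a copy of the WINS folder first, runs jetpack from the right directory, and always restarts the service, even if compaction fails.  It assumes PowerShell 2.0 or later, jetpack.exe in %windir%\system32, and that you run it elevated on the WINS server itself.

```powershell
# Added example, not from the original page: offline compaction of wins.mdb with
# jetpack.exe, with a copy taken first so a compaction failure cannot cost you the
# database. Assumes PowerShell 2.0+, jetpack.exe in %windir%\system32 (it ships with
# the OS), and administrator rights on the WINS server itself.

function Invoke-WinsCompaction {
    param(
        [string]$WinsDir    = (Join-Path $env:windir 'system32\wins'),
        [string]$BackupRoot = (Join-Path $env:windir 'system32\wins-backup')
    )
    $db  = Join-Path $WinsDir 'wins.mdb'
    $tmp = Join-Path $WinsDir 'tmp.mdb'
    if (-not (Test-Path $db)) { throw "No database at $db" }

    # 1. Stop WINS; jetpack will not touch a database that is open.
    Stop-Service -Name WINS
    (Get-Service -Name WINS).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    try {
        # 2. Copy the whole folder (wins.mdb plus the j50*.log transaction logs) before touching it.
        $backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
        New-Item -ItemType Directory -Path $backup -Force | Out-Null
        Copy-Item -Path (Join-Path $WinsDir '*') -Destination $backup -Force
        $before = (Get-Item $db).Length

        # 3. jetpack <database> <temp database>: writes a compacted copy to tmp.mdb,
        #    then renames it over the original. It must be run from the WINS folder.
        Push-Location $WinsDir
        try {
            if (Test-Path $tmp) { Remove-Item $tmp -Force }
            & "$env:windir\system32\jetpack.exe" wins.mdb tmp.mdb
            if ($LASTEXITCODE -ne 0) {
                throw "jetpack failed with exit code $LASTEXITCODE; your copy is in $backup"
            }
        }
        finally { Pop-Location }

        $after = (Get-Item $db).Length
        'wins.mdb: {0:N0} bytes -> {1:N0} bytes (copy kept in {2})' -f $before, $after, $backup
    }
    finally {
        # 4. Always bring WINS back, whether or not compaction succeeded.
        Start-Service -Name WINS
    }
}

Invoke-WinsCompaction
```

Keep the copy until WINS has run cleanly for a day or two; the server writes an Application log event if it cannot open the database on start-up, and restoring the copied folder over %windir%\system32\wins with the service stopped puts you back where you started.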

NetSH is on my list of 'could do better with this program'.  My point is that if you like NetSH then WINS would be one reason to practise with this command-line utility: the netsh wins context covers most of what the WINS snap-in does, and it is scriptable.

Burst  handling

It puzzled me how switching on 'burst handling' would speed up the WINS service.  Then all became clear when I realized that what happens is that WINS receives requests for registration, but defers adding or updating the records.  The client sends a registration request and expects a reply; with burst handling the server replies immediately with a positive answer carrying a short time-to-live, but actually puts the request in a queue to be processed when the server is less busy, and the short time-to-live brings the client back to register properly once the rush is over.  Without burst handling the client's request would time out, so it would send another request, increasing the load on the server and exacerbating the problem.

A likely scenario is that all the users turn on their machines at the same time on a Monday morning, and swamp the WINS server with registration requests.  My friend 'Mad Mick' said one of his clients suffered from frequent power cuts, and burst mode helped to reduce the load when all the computers restarted at the same time.

The indication that burst handling is active is event ID 4338 - WINS_EVT_SPOOFING_STARTED in the Application event log.  In fact the message is telling you that the registration queue has passed its threshold; if you see it every morning, adjust the setting on the Advanced tab of the WINS server.

To configure burst mode, launch the WINS snap-in, right click the Server icon, Properties, Advanced tab.  The higher the burst handling setting, the bigger the queue or buffer on the server: Low allows 300 pending registration requests, Medium (the default) 500, High 1000, and Custom lets you choose a figure of your own between 50 and 5000.
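To size the setting from evidence rather than guesswork, here is an added example (not from the original page) that reads the server's current burst configuration and counts event 4338 over the last week, bucketed by weekday and hour, which is exactly where the Monday-morning pattern shows up.  It assumes PowerShell 2.0 or later, that the events are logged under the source name 'Wins' with ID 4338 as the text states, and that WINS keeps the Advanced tab setting in the registry values BurstHandling and BurstQueSize under its Parameters key.

```powershell
# Added example, not from the original page: report a WINS server's burst handling
# setting and how often it has actually gone into burst mode. Assumptions: PowerShell
# 2.0+, event source name 'Wins' / event ID 4338, and the registry value names
# BurstHandling and BurstQueSize under HKLM\SYSTEM\CurrentControlSet\Services\WINS\Parameters.

function Get-WinsBurstStatus {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)

    # Current setting: BurstHandling 1/0, BurstQueSize = the queue depth (300/500/1000 or custom)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $p = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\WINS\Parameters')
        $enabled = $p.GetValue('BurstHandling')
        $queue   = $p.GetValue('BurstQueSize')
    }
    finally { $hklm.Close() }

    # Event 4338 (WINS_EVT_SPOOFING_STARTED) in the Application log, grouped by weekday and hour
    $events = Get-EventLog -LogName Application -ComputerName $ComputerName -Source Wins `
                           -After (Get-Date).AddDays(-$Days) |
              Where-Object { $_.EventID -eq 4338 }
    $byHour = $events | Group-Object { $_.TimeGenerated.ToString('ddd HH:00') } |
              Sort-Object Count -Descending | Select-Object Count, Name

    New-Object PSObject -Property @{
        ComputerName  = $ComputerName
        BurstHandling = $enabled
        BurstQueSize  = $queue
        BurstEvents   = @($events).Count
        BusiestHours  = $byHour
    }
}

$status = Get-WinsBurstStatus
$status | Format-List ComputerName, BurstHandling, BurstQueSize, BurstEvents
$status.BusiestHours | Format-Table Count, Name -AutoSize
```

If BurstEvents is zero the setting is not doing anything and you can leave it alone; if the busiest hour is always the same one, raising the queue a step is cheaper than buying a second WINS server.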

Troubleshooting WINS Server -  Summary

There is a troubleshooting tool for every WINS problem, from nbtstat at the command line to burst handling at the WINS server.


Windows Server 2003 - IIS 6.0

Internet Information Services version 6.0

Introduction

IIS 6.0 is bigger, faster and definitely more secure.  Is it easier to configure?  Judging by the extra menus, new features, new acronyms and backwards compatibility, no.  But then if everything was easy you would not need the likes of you and I!

Microsoft's philosophy on security is changing and the proof is here in IIS.  Microsoft's defaults used to favour ease of use; now they are committed to locking down settings, and their strategy is to disable services that are not required, for example FTP and NNTP are disabled on pure web servers.  On a clean Windows Server 2003 install IIS is not installed at all, and once installed it serves only static content until you enable the Web Service Extensions (ASP, ASP.NET and so on) that you actually need.  The IIS Lockdown tool that you may remember downloading for IIS 5.0 is not needed on 6.0; its settings are now the defaults.

Does IIS 6.0 have major differences compared with Windows 2000's IIS 5.0?  Yes: application pools (worker process isolation) and the Web Service Extensions area are new.  An indication of all the development work lies in the version number: while other Windows Server 2003 components report version 5.x, IIS is version 6.0.

Where is the IIS Install gone? Check out Add Remove Programs / Windows Components - Application Server/IIS Details

Which components use IIS?  - More than you think!

Firstly, a reminder that the main purpose of IIS is to respond to HTTP GET requests for pages.  Now think of all the applications that rely on web components: Outlook Web Access, SUS, Certificate Services web enrollment, SharePoint and Remote Desktop Web Connection all need IIS on the box.

Technical Information

HTTP.SYS is well named, as its job is to listen for HTTP requests and route them to applications.  Think of HTTP.SYS as a good listener that manages the TCP/IP connections and sends each request to the queue of the correct application pool.  The application code itself runs in user-mode worker processes (w3wp.exe), so there are no worries about user-mode code executing in the kernel, and a crashing application takes down one pool rather than the web server.  In addition, kernel-mode caching of responses is where the big improvement for HTTP GET requests comes from (the figure quoted is 70%, and it applies to cacheable, mostly static, content).

INETINFO.EXE is still there, but now hosts only the FTP, SMTP and NNTP services (and the metabase); web requests no longer pass through it.

The Metabase, that strange registry for IIS, is now stored as plain XML: Metabase.xml in the %windir%\system32\inetsrv folder, with its schema in MBSchema.xml.  Being text, it can be backed up and compared like any other file, but keep its NTFS permissions tight (Administrators and SYSTEM only, as shipped) because it holds the entire configuration of the web server.

N.B. the default %windir% would be Windows, not WINNT.

Mega Technical

.NET Framework

  1. ASP.NET supersedes classic ASP (Active Server Pages, where server-side script builds the HTML).
  2. A common language runtime.
  3. Unified class libraries.

Windows Server 2003 - SUS

Software Update Services - SUS

My goal is to persuade you to download SUS (Software Update Services) for your Windows 2003 domain.  The SUS program is free from Microsoft; the concept is sound, so what have you got to lose?

Introduction to SUS

The principle behind SUS is that your Windows 2003 server contacts Microsoft's update service and downloads the patches, security updates and hotfixes.  If you have the time you can test, then 'Approve', the patches for your XP clients.  When time is short you can omit the approval stage or just give the patches a quick look.

What SUS does is remove the need for clients to individually connect to Microsoft's site every time there is a new hotfix, thus saving Internet bandwidth and reducing user error.

As a bonus you can create a Group Policy to control who gets what and when.  For example, apply patches to the XP computers in the Accounts OU at 02:00hrs.

3 Elements of SUS

  1. SUS itself, the service which runs on the Windows 2003 (member) server, on top of IIS.
  2. AU (Automatic Updates), the client component.
  3. Group Policy, which points the clients at your SUS server and sets the download and install schedule.

What SUS does is work with Group Policy to support XP and Windows 2000 clients.  The Group Policy template wuau.adm carries the Automatic Updates settings (server URL, download and install behaviour, schedule); it comes with Windows Server 2003.  The settings land in each client's registry under HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate, which is the first place to look when a client is not picking up patches.
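Here is an added example (not from the original page) that reads back the Automatic Updates policy wuau.adm has written on a client, locally or over the Remote Registry service, and checks it against what you meant to deploy, e.g. 'the Accounts OU at 02:00'.  The registry value names (WUServer, WUStatusServer, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime) are the ones the wuau.adm settings set; the server URL http://susserver is a placeholder for your own.  It assumes PowerShell 2.0 or later and administrator rights on the client.

```powershell
# Added example, not from the original page: audit the Automatic Updates policy on a client
# against the intended SUS server and schedule. Value names are those written by wuau.adm;
# 'http://susserver' is a placeholder. Assumes PowerShell 2.0+ and admin rights on the client.

$AUOptionsText = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule the install'
    5 = 'Local administrator chooses'
}

function Get-AutoUpdatePolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $wu = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate')
        $au = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU')
        if (-not $wu -or -not $au) { throw "$ComputerName has no Windows Update policy (wuau.adm settings absent)" }
        New-Object PSObject -Property @{
            ComputerName         = $ComputerName
            WUServer             = $wu.GetValue('WUServer')           # where AU fetches patches
            WUStatusServer       = $wu.GetValue('WUStatusServer')     # where AU reports status
            UseWUServer          = $au.GetValue('UseWUServer')        # 1 = use the intranet server above
            AUOptions            = $au.GetValue('AUOptions')          # see $AUOptionsText
            ScheduledInstallDay  = $au.GetValue('ScheduledInstallDay')   # 0 = every day, 1..7 = Sunday..Saturday
            ScheduledInstallTime = $au.GetValue('ScheduledInstallTime')  # hour of the day, 0..23
        }
    }
    finally { $hklm.Close() }
}

function Test-AutoUpdatePolicy {
    param(
        [Parameter(Mandatory = $true)]$Policy,
        [string]$ExpectedServer = 'http://susserver',   # placeholder for your SUS server
        [int]$ExpectedHour = 2,                         # 02:00, as in the text
        [int]$ExpectedDay = 0                           # every day
    )
    $problems = @()
    if ($Policy.UseWUServer -ne 1) {
        $problems += 'UseWUServer is not 1: clients fetch from Microsoft directly and ignore your approvals'
    }
    # A wrong (or hijacked) WUServer is the server that hands code to every client, so compare both URLs
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $actual = [string]$Policy.$name
        if ($actual.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
            $problems += "$name is '$actual', expected '$ExpectedServer'"
        }
    }
    if ($Policy.AUOptions -ne 4) {
        $problems += "AUOptions is $($Policy.AUOptions) ($($AUOptionsText[[int]$Policy.AUOptions])): installs will not run unattended"
    }
    elseif ($Policy.ScheduledInstallTime -ne $ExpectedHour -or $Policy.ScheduledInstallDay -ne $ExpectedDay) {
        $problems += "Schedule is day $($Policy.ScheduledInstallDay) at $($Policy.ScheduledInstallTime):00, expected day $ExpectedDay at $($ExpectedHour):00"
    }
    if ($problems.Count -eq 0) { "$($Policy.ComputerName): policy matches" } else { $problems }
}

$policy = Get-AutoUpdatePolicy
$policy | Format-List
Test-AutoUpdatePolicy -Policy $policy -ExpectedServer 'http://susserver'
```

Run it against a handful of machines in each OU after a Group Policy change; a client whose UseWUServer is 0, or whose WUServer is not the one you built, is exactly the client that will be patched by somebody else's server or not at all.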

Installing SUS

Server Side
1) Download the SUS installer (.msi) from Microsoft (no worries, it's free)
2) Make sure that your server is running at least IIS 5.0
3) Run the installation wizard
4) On the server, allow at least 500MB of disk space per locale

How to Install AU clients
Apply SP1 to XP or SP3 to Windows 2000 Professional; that is all you need to do on the client side, because those service packs include the Automatic Updates client.  The rest of the configuration is handled by Group Policy.

Configuring SUS

As I mentioned earlier, SUS needs IIS 5.0, so here is the clue that you configure it through a browser, by typing:
http://ServerName/SUSAdmin in the browser.  Once installed, you need to 'Set Options' to align the configuration with your network.  Keep that admin page restricted to administrators: whoever can approve updates can push code to every client.

When you have downloaded and checked the updates, you can select the patches or hotfixes that are needed and then 'Approve' the update.  After that Group Policy takes over and the clients collect the approved updates from the SUS server.  Alternatively, you can bypass approval and let the patches roll out just as they come from Microsoft's site.  Network administrators that I have talked to prefer the 'Approve' method because they like to control which SUS patches to let out onto their network.

Microsoft have always been good at providing logs, and SUS is no different: you can easily check which patches have been approved and when your server synchronized with Microsoft's servers on the web.

WSUS

WSUS (Windows Server Update Services), the successor to SUS, will enable you to update Office, SQL Server and other Microsoft products.  SUS, on the other hand, supports neither Windows 9x nor Microsoft Office.  WSUS was known as WUS while it was in beta testing.

Summary

What are you waiting for?  I challenge you to download SUS from Microsoft's site, install, test and then approve the updates.  Finally, do not neglect to control SUS via Group Policy. 


Terminal Services in Windows Server 2003 - Home

Terminal Services and Remote Desktop Connections

The purpose of this section is to introduce you to Microsoft's Terminal Services terms and concepts.  I don't often beg, but if you haven't tried Terminal Services yet, I beg you to give the remote desktop a chance.  If you take up my challenge, I hope that you will have fun experimenting with the RDC (Remote Desktop Connection) settings for the client.  You will find most of the key configurations for Windows Server 2003 under the RDP-Tcp connection in Terminal Services Configuration.

The purpose of this page is to act as a mini sitemap and provide pointers to Terminal Services topics of interest.

Topics for Microsoft's Terminal Services

New Client Features for RDC

  1. Display Remote Desktop in True 24 bit Color.
  2. Automatic Reconnects - Useful for wireless and dial-up connections.
  3. Redirect and Control - Printers and especially, file systems.
  4. Low Bandwidth Options - Conserve the bandwidth by disabling bitmaps.
  5. Security - The client can authenticate the server, and the connection can use TLS.
  6. Remote Desktop Web Connection.

New Features for Server

Better Remote Desktop Connection client.  Tools that did not work in previous Terminal Services now work with Windows Server 2003.

More Group Policy options, especially for Terminal Services: better control of profile paths; the much-requested single session setting, so that a user can only log on once; control over which servers can obtain a Terminal Services license; and improved control of Terminal Services settings generally via Group Policy.

Printer drivers.  Better support, with improved substitution of drivers for printers that are almost the same.

Session Directory.  A way to create 'farms' of Terminal Servers; it helps you build clusters of load-balanced servers and reconnects a user to the server that holds their disconnected session.

Summary of Microsoft's Terminal Services

Terminal Services is easy to install, deploy and configure on Windows Server 2003.  The toughest part is understanding Microsoft's licensing system.  Trust me, one day you will find situations where remote desktop comes into its own.


Terminal Services in Windows Server 2003

Introduction to Terminal Services in Windows Server 2003

Even if you do nothing else with Microsoft's Terminal Services, set up a remote connection so that administrators can connect to your Windows 2003 servers as if they were console users.  Trust me, one day this remote connection will save your bacon.  Naturally, remote connections bring security concerns, but remember that you have control over the (few) accounts that can log on remotely, through the Remote Desktop Users group.

Remote Desktop Connection (RDC) provides each client with a private session on the Windows Server 2003.  Perhaps you have already used this RDC technology to access one XP workstation from another XP Professional machine.

Thin XP Client Concept

The key concept with Terminal Services is thin client.  Rather than rolling out XP Professional on every desktop, deploy Terminal Services and provide the same client experience, but with most of the processing done on the Windows 2003 Server.

You may hear people mutter that terminal services is like going back to the main-frame.  To digress, students of nature say that no large organism has ever existed without a central nervous system.  As science tends to mimic nature, I do believe that eventually everyone will be using thin clients.  Perhaps the greatest appeal of terminal services is the rapid deployment of software, just install and configure once on the server, rather than repeating hundreds or thousands of times for each client.

Another use of thin client is for roaming users to collect their email from a web client.  By their nature such connections are flaky, so if the session was held on the company Windows 2003 Server it would matter less if the connection was intermittent, the session on the server would hold up and be ready when the user reconnected.

History and New Features of Terminal Services 2003

One joy of studying history is to admire progress.  Let us see how far Terminal Services has come since it started life as an add-on for Microsoft's NT 4.0 (Terminal Server Edition).  In Windows 2000, Terminal Services became just another component to install through Add or Remove Programs, and those Windows 2000 terminal servers had two modes, Application and Remote Administration.  The situation in Windows Server 2003 is that Remote Administration mode becomes Remote Desktop, and Terminal Services is installed automatically on every Server 2003; you merely enable it.  (In Windows 2000 you had to visit Add / Remove Programs.)

Application mode is what the dozens of clients need to run their Remote Desktop sessions.  Application mode is what you still need to install through Add or Remove Programs.  In my opinion, the most difficult decisions are licensing rather than configuration.

With the arrival of Windows Server 2003 many of the previous Terminal Services niggles have been ironed out.  For instance, rather than being limited to 256 colors, we now have true color.  I really like the fact that I can now use keyboard combinations like Alt + Tab in the terminal server window.  Local resources like files and COM ports have been added to local printers, so that you benefit from all the server resources as well as having the local resources available when wanted.

The key Terminal Services technology is delivered by RDP (Remote Desktop Protocol), which just passes keystrokes and screen refreshes across the network.  Another improvement in Windows 2003 is a more efficient network connection; quite frankly, I have never found network bandwidth to be a problem with Terminal Services, the bottleneck is more often memory on the server.

Three Configuration Interfaces

If I have one tiny criticism of Terminal Services it is that you need to check three different interfaces to configure the settings: Terminal Services Licensing, Terminal Services Configuration and Terminal Services Manager.  Worse, only Terminal Services Configuration is available as a snap-in for my MMC; the others I have to access the long way around via All Programs, Administrative Tools.

Terminal Services Configuration

8 tabs combine to provide the RDP-Tcp (Remote Desktop Protocol) connection settings.  You can either control the settings via these menus or you can limit the users' freedom via Group Policies if you prefer; where a Group Policy setting exists, it overrides the tab.

Useful settings include, idle timeouts, client settings - drive mapping and remote control for your help desk. 

Terminal Services Manager

This is the interface where you can inspect which users are connected to the Terminal Server.  If necessary you can send those users messages and even take control of their machines.  Sometimes users do not logoff, and so you may wish to delete old sessions to free up resources.

Terminal Services Licensing

All I want to do here is point out that each client needs a Microsoft license (a Terminal Server CAL, per device or per user).  Users who connect from an old Windows 9x machine cannot expect to get the XP experience for nothing, so they must have a license.  The one exception, which does not require a license, is Remote Desktop for Administration, i.e. the two administrative connections.  Note that Windows Server 2003 dropped the free built-in license that Windows 2000 Terminal Services gave to Windows 2000 and XP Professional clients, so budget for your XP machines too, and install a licensing server before the 120-day grace period runs out.

The precise cost of the licenses will vary.  When I last looked they were in the region of $65 and dropping.  I wish that I could be more definite, but there are so many deals and rule changes that it is impossible to give an accurate up-to-date figure.

Terminal Services Clients

The Terminal Service client is now called Remote Desktop Connection (RDC).  It is virtually identical to the remote desktop of XP.

Note the option button where you can set the password and user account for the connection.

You can also allow the user to tune the performance and the resources.  Perhaps most of these settings are best controlled by a Group Policy.

Group Policies for Terminal Services

What I particularly like about Windows 2003 are the increased Group Policies to control almost every aspect of the client server connection.  For example, I recommend 'Remove Disconnect option from Shut Down dialog'.  However, not all policies are negative; I particularly like 'Automatic reconnection' and 'Keep-Alive connections'.


Terminal Services Configuration in Windows Server 2003

Introduction to Terminal Services Configuration

Terminal Services is Microsoft's thin client.  The Remote Desktop Protocol gives an XP Professional experience to users who, for a variety of reasons, cannot use a real XP desktop.  Even if you have no intention of deploying Terminal Services for users, it is well worth checking the Windows Server 2003 settings so that you can take advantage of the two free administrative connections.

Terminal Services has its own RDP (Remote Desktop Protocol).  Most of the user's settings are configured at the Terminal Services Configuration snap-in, through the 8 tabs under the RDP-Tcp connection.

In terms of overall Remote Desktop strategy, there are three places to check: here at the RDP-Tcp properties on the server, at the client's Options button, and through Group Policy. (Typical Microsoft to provide 3 ways of configuring Terminal Services.)  When they disagree, Group Policy beats the server tabs, and the server tabs beat whatever the client asked for.

8 Settings for RDP-Tcp

To start with, I assume that you are logged on at the Windows Server 2003 console.  From the Administrative Tools, launch Terminal Services Configuration. (Beware, there are 3 Terminal Services tools: Configuration, Manager and Licensing.)

Now you should see the 8 tabs, which you see under the Connections folder of the RDP-Tcp icon.

  1. General
  2. Logon Settings
  3. Sessions
  4. Environment
  5. Remote Control
  6. Client Settings
  7. Network Adapter
  8. Permissions

General

Microsoft have not left much to configure on the General tab.  The two settings that matter are the Encryption level (set it to High or FIPS Compliant rather than Client Compatible, which lets old clients negotiate weaker keys) and, once SP1 is on, the Security layer, where you can choose TLS if you have installed a certificate.  Otherwise the only configuration you need is if you have a third-party logon / authentication package for the XP client.

Logon Settings

Again, in most instances, Microsoft's defaults will suffice.  The one exception is testing: when I am testing new Group Policies it is annoying to have to keep entering the password, so under these circumstances I disable the prompt for a password.  A real-life application could be if you only use Terminal Services as a kiosk / internet café.  Put it back afterwards; with 'Always prompt for password' off, a password saved in an .rdp file on a lost laptop logs straight in.

Sessions

The sessions tab is useful for setting timeouts.  I like to control what happens if a Remote Desktop user is idle for hours on end.  There are two potential problems, firstly that idle user could be hogging a Terminal Service license, which someone else could use.  Secondly, if you have dozens of idle users then the Windows 2003 server's performance would degrade slightly because it still has to allocate resources to those sessions.

Environment

Most of the time the defaults will suffice; however, if necessary you could start a special program for each session.  I know of one company that created special shells and messages, but equally, I know that many users found them annoying because they were not relevant to how they used Remote Desktop.

Remote Control

Here is where you can have fun.  The best configuration is to set up remote control whereby the users allow administrators to interact, i.e. leave 'Require user's permission' ticked.  In fact, the most fun is where you not only view the session but interact with the desktop whether or not the user invites you.  I am duty bound to point out that administrators should act responsibly and not abuse their privileges and rights.  Managers reading these notes should ask for a detailed report on remote control, because even in view mode, techies could see what the financial manager or other sensitive staff were doing, and with 'Require user's permission' cleared nobody is told that it is happening.

On a more general point, managers should always remember that techies are all powerful and could read their email and see their files.  Even with certificates and encryption, if I were an employee, I would always assume that the network manager could see everything that was happening on the network.  That pre-supposes that the network manager had the time and found my email and files worth the effort of looking at!

To drive my point home, a great many security breaches come from insiders, not external hackers.

Client Settings

Definitely a tab to check.  Here is where you control local resources.  It is all too easy to forget that with Terminal Services it is as though the user is logged on at the actual server.  To digress, the classic 'gotcha' is where users shut down the server when they think they are shutting down their own XP machines.  Naturally you control shutdown via Group Policies (and, on the server, the 'Shut down the system' user right).

Meanwhile, back with the Client Settings tab, these menus redirect resources like printers, drives and the clipboard between the session on the server and the true local client machine, and it is here that you can disable drive mapping for everyone regardless of what the client asked for.

Network Adapter

Incidentally, here is where you can tell whether Terminal Services has been installed in Application mode, or whether the server is just in the default Remote Desktop for Administration mode.  The key setting is the Maximum number of connections: in Remote Desktop mode Microsoft allow only 2 connections (plus the console session, reached with mstsc /console), whereas the full Terminal Services configuration permits unlimited connections.  One reason that you may wish to reduce this number is the performance of the server, the other would be the number of licenses.

Permissions

The main reason for looking at the classic Permissions tab is to remind yourself that there is such a built-in group as Remote Desktop Users.  It is empty by default; Microsoft's best practice is to populate this group rather than edit the tab, because the group already holds the 'Allow log on through Terminal Services' user right (Administrators can connect regardless).  Resist granting Full Control here: it includes remote control of, and the right to log off, other people's sessions.

Server Settings

The Server Settings folder keeps a record of choices that you made when you installed Terminal Services, and the interface makes it easy to go back and adjust a particular attribute.

For example, one setting worth changing is 'Restrict each user to one session' from No to Yes, so that a user who simply closes the client reconnects to the same session instead of starting a second one.

Terminal Services Summary

Even though configuring Microsoft's Terminal Services is easy, there are still 8 tabs that you should know inside out.  Particularly when troubleshooting, you need to be able to find remote control settings or session timeouts.
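Rather than clicking through the 8 tabs on every server, here is an added example (not part of the original page) that reads the RDP-Tcp listener settings straight from the registry, which is where the tabs store them, and flags the ones a security review usually trips over: encryption level, password prompt, session limits, remote control without permission, drive mapping, unlimited connections and the one-session-per-user setting.  It works locally or, with the Remote Registry service running, against a remote Windows Server 2003; it assumes PowerShell 2.0 or later and administrator rights on the target.

```powershell
# Added example, not from the original page: audit the RDP-Tcp connection settings
# (the values behind the 8 tabs) from the registry. Assumes PowerShell 2.0+, admin rights
# on the target and, for a remote target, the Remote Registry service running there.

$ShadowText = @{
    0 = 'Remote control disabled'
    1 = 'Full control, user must give permission'
    2 = 'Full control WITHOUT asking the user'
    3 = 'View only, user must give permission'
    4 = 'View only WITHOUT asking the user'
}

function Get-RdpTcpSettings {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $ts  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
        $rdp = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp')
        if (-not $rdp) { throw "No RDP-Tcp listener key on $ComputerName" }
        New-Object PSObject -Property @{
            ComputerName          = $ComputerName
            fDenyTSConnections    = $ts.GetValue('fDenyTSConnections')     # System, Remote tab: 1 = deny
            fSingleSessionPerUser = $ts.GetValue('fSingleSessionPerUser')  # Server Settings
            MinEncryptionLevel    = $rdp.GetValue('MinEncryptionLevel')    # General: 1 Low, 2 Client Compatible, 3 High, 4 FIPS
            fPromptForPassword    = $rdp.GetValue('fPromptForPassword')    # Logon Settings: 1 = always prompt
            MaxIdleTime           = $rdp.GetValue('MaxIdleTime')           # Sessions, milliseconds, 0 = never
            MaxDisconnectionTime  = $rdp.GetValue('MaxDisconnectionTime')  # Sessions, milliseconds, 0 = never
            Shadow                = $rdp.GetValue('Shadow')                # Remote Control, see $ShadowText
            fDisableCdm           = $rdp.GetValue('fDisableCdm')           # Client Settings: 1 = drive mapping disabled
            fDisableCpm           = $rdp.GetValue('fDisableCpm')           # Client Settings: 1 = printer mapping disabled
            fDisableClip          = $rdp.GetValue('fDisableClip')          # Client Settings: 1 = clipboard disabled
            MaxInstanceCount      = $rdp.GetValue('MaxInstanceCount')      # Network Adapter: 0xFFFFFFFF = unlimited
        }
    }
    finally { $hklm.Close() }
}

function Test-RdpTcpSettings {
    param([Parameter(Mandatory = $true)]$Settings)
    $findings = @()
    if ($Settings.MinEncryptionLevel -lt 3) {
        $findings += "Encryption level is $($Settings.MinEncryptionLevel): set High (3) or FIPS (4) so old clients cannot negotiate weak keys"
    }
    if ($Settings.fPromptForPassword -ne 1) { $findings += 'Always prompt for password is off: a saved client password logs straight in' }
    if (-not $Settings.MaxIdleTime)          { $findings += 'Idle session limit is Never: abandoned sessions hold licences and memory' }
    if (-not $Settings.MaxDisconnectionTime) { $findings += 'Disconnected session limit is Never' }
    if ($Settings.Shadow -eq 2 -or $Settings.Shadow -eq 4) {
        $findings += "Remote control: $($ShadowText[[int]$Settings.Shadow]); users are never told a techie is watching"
    }
    if ($Settings.fDisableCdm -ne 1) { $findings += 'Client drive mapping is allowed: every client disk is reachable from the session' }
    # A DWORD of 0xFFFFFFFF reads back as -1 through .NET
    if ($Settings.MaxInstanceCount -eq -1 -or $Settings.MaxInstanceCount -eq 4294967295) { $findings += 'Maximum connections is unlimited' }
    if ($Settings.fSingleSessionPerUser -ne 1) { $findings += "'Restrict each user to one session' is No" }
    if ($findings.Count -eq 0) { "$($Settings.ComputerName): no findings" } else { $findings }
}

$settings = Get-RdpTcpSettings
$settings | Format-List
Test-RdpTcpSettings -Settings $settings
```

Pass -ComputerName to Get-RdpTcpSettings to audit a server across the network.  Treat the output as a prompt to open the tab in question, not as a verdict: a kiosk deliberately runs with the password prompt off, and a help desk may need Shadow set to 1, but each of those should be a decision you can point to.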


Terminal Services in Windows Server 2003 - Client Connections

Introduction to Terminal Services - Client Connections

If you have already used XP's Remote Desktop then you will have an appreciation of the style and power of the Terminal Services interface.  Windows Server 2003 has a service called Terminal Services, which provides the XP experience to Windows 95 and even web clients.  Just to be clear on Microsoft's terminology, the Terminal Services Client is called Remote Desktop Connection (RDC). Furthermore, under the covers, the RDC client connects to its server using RDP (Remote Desktop Protocol).

Topics for Terminal Services Client Connections

Remote Desktop Connection Options

To configure the Terminal Services session on the local machine, you need to launch the Remote Desktop client.  On an XP machine click Start, All Programs, Accessories, Communications, Remote Desktop Connection.

Note 1: If you want to be flashy, click Start then Run, type mstsc.

Note 2: I also recommend you try Remote Desktop Web Connection

For other host operating systems, locate the folder where the administrator installed the RDC client.  If you are that administrator, then you can install the client from Microsoft's XP CD.  Note you don't need to install the whole XP operating system, just seek out the 'Additional Tasks' menu.  Still stuck for a client?  Go to Microsoft's site and search for 'download remote desktop'.

You will enjoy configuring the client by pressing the aptly named Options button, which you find on the Remote Desktop Connection logon interface.

If you are going to connect to the Terminal Server regularly, click on the General tab and type in the username and password.  I love the box which enables Windows to remember my password.  (On a shared machine leave it clear: the saved password lets anyone at that keyboard open your session on the server.)  The only slight difficulty is the 'Browse for server' button; however, if you remember to type the name of the computer in the first dialog box, there is no problem finding the Windows 2003 Server.

Color Display

Microsoft have corrected the biggest problem in previous editions of Terminal Services, namely colour depth.  The Colors menu shows how easy it is to choose the highest depth that your client's monitor supports.  The range now goes from 256 colors right up to True Color (24 bit).

Microsoft provide a slider to adjust the remote desktop size, however I find it just as easy to use the normal windows controls once I have connected to the server.

Programs Tab

Remote Desktop Connection also has a Programs tab.  While I have not found a 'killer' use for this button, if you can think of an application that would help users, then Microsoft have provided the interface for you to start it: the program runs in the session on the server instead of a full desktop, and the session ends when the program is closed.

In some ways this Programs tab is a substitute for the Startup folder found on normal XP clients.

Local Resources

On the Remote Desktop Options, the Local Resources tab reveals many of the most useful new features.  In previous generations of Terminal Services it frustrated me that I could not Alt + Tab; well now I can execute this trusty keyboard combination.

Local Devices give users a choice of server or local machine for disk drives, printers and COM ports.  However, there will always be an element of confusion as to whether a disk, COM port or printer is on the server or on the client.  Users need no invitation to 'lose data'.  The danger is that they may think they are saving files locally, whereas the files are actually saved on the server.  There is a security angle too: with disk drives redirected, every drive on the client is reachable from the session (as \\tsclient\C and so on), and therefore from anything running on the server, and data can leave the server by the same route.  To conclude, you may wish to control local devices via Terminal Services Group Policies, or disable drive mapping on the server's Client Settings tab.

There are enough Terminal Services options to warrant producing a short training document / web page or even a short course.  If you decide to go down this user training route then looking after files would be a central element in your best practice documents.

There is one more decision with local resources, and that concerns sound.  If it were me, then I would want to control the audio setting, 'Bring to this computer' setting.  However, if you were setting up a Terminal server kiosk, then the option to 'Leave sound on the server' would be preferable.

Customizing the Remote Desktop Experience.

The Experience tab gives you a sense of power and control.  Your first decision is to select the most appropriate connection speed.  If you need low bandwidth connections, then you can remove the ticks next to Bitmap caching and Themes.

Try experimenting with ticking 'Show contents of window while dragging' and 'Menu and window animation'.  If you are going to spend time with a Terminal Server connection, then it's worth spending a few minutes investigating the variety of settings available.

Security Tab

Here is a surprise.  For once Microsoft's Security tab is not about permissions, but about authenticating the server to the client.  The idea is twofold.  Firstly, to ensure that the users on the client are connecting to a known server and not a spoofed or fake server (without it, anything that answers on port 3389 can collect the credentials the client sends).  Secondly, to ensure that the connection, once established, is secure.

Technically, security relies on Transport Layer Security (TLS) 1.0 and a certificate on the server; therefore, to provide this level of authentication you must apply SP1 to the Windows 2003 Server and select the SSL (TLS 1.0) security layer on the RDP-Tcp General tab.  High security companies rave about the new security, whereas the rest say, 'One more setting to go wrong, we will leave this tab alone'.  Guy says, 'The more security you have, the more work for you the administrator.'

Summary of Remote Desktop Client

The Remote Desktop Options button opens the door to 6 more tabs where you can control every aspect of the client's Terminal Services (XP) experience.  If I could single out two settings to check, make sure you get high 24 bit color, and decide when you save files, if its to the local machine or the server.
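Every setting on those tabs is stored as a line in an .rdp file, so instead of asking each administrator to click through them, you can hand out a file with the decisions already made.  Here is an added example (not from the original page) that writes such a file: 24-bit color, Alt + Tab sent to the session, drive and COM port redirection off unless asked for, the low-bandwidth Experience settings as an option, a Programs-tab start program if wanted, and the Security tab set to refuse a server that cannot authenticate itself.  It assumes the RDC 5.2 client or later (Windows XP SP2 / Server 2003 SP1), which understands the 'authentication level' key; the server and user names in the usage line are placeholders.

```powershell
# Added example, not from the original page: generate a Remote Desktop Connection .rdp
# file with hardened Options tab settings. Assumes the RDC 5.2+ client; names are placeholders.

function New-RdpFile {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$UserName = '',
        [ValidateSet(8, 15, 16, 24)][int]$ColorDepth = 24,     # Display tab; 24 = True Color
        [ValidateSet(0, 1, 2)][int]$AudioMode = 2,            # Local Resources: 0 bring here, 1 leave on server, 2 none
        [switch]$RedirectDrives,                              # off by default: otherwise client disks appear in the session
        [switch]$RedirectPrinters,
        [string]$StartProgram = '',                           # Programs tab: run one program instead of a desktop
        [switch]$LowBandwidth,                                # Experience tab: drop themes, wallpaper, animations
        [ValidateSet(0, 1, 2)][int]$AuthenticationLevel = 2  # Security tab: 0 connect anyway, 1 warn, 2 refuse
    )
    $lines = @(
        "full address:s:$Server",
        "username:s:$UserName",
        'screen mode id:i:2',                                 # 2 = full screen
        "session bpp:i:$ColorDepth",
        'keyboardhook:i:2',                                   # Alt+Tab and friends go to the session in full screen
        "audiomode:i:$AudioMode",
        "redirectdrives:i:$([int][bool]$RedirectDrives)",
        "redirectprinters:i:$([int][bool]$RedirectPrinters)",
        'redirectcomports:i:0',
        'autoreconnection enabled:i:1',
        "alternate shell:s:$StartProgram",
        "authentication level:i:$AuthenticationLevel"
        # deliberately no 'password 51:b:' line: a saved password belongs in no file you hand around
    )
    if ($LowBandwidth) {
        $lines += 'disable themes:i:1', 'disable wallpaper:i:1', 'disable menu anims:i:1',
                  'disable full window drag:i:1', 'bitmapcachepersistenable:i:1'
    }
    else {
        $lines += 'disable themes:i:0', 'disable wallpaper:i:0', 'bitmapcachepersistenable:i:1'
    }
    # mstsc expects Windows line endings
    [System.IO.File]::WriteAllText($Path, (($lines -join "`r`n") + "`r`n"))
    Get-Item $Path
}

# Usage (placeholder names): a low-bandwidth session, no drive redirection, server must authenticate
New-RdpFile -Server 'server1.example.local' -UserName 'EXAMPLE\guyt' `
            -Path "$env:USERPROFILE\server1.rdp" -LowBandwidth
# then:  mstsc "$env:USERPROFILE\server1.rdp"
```

Because the file is plain text you can diff it against what a user is actually running when they say 'it used to work', and a quick search for 'password 51:b:' across a file share will tell you who has been saving passwords despite the advice above.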


How to Configure Windows Server 2003 Remote Desktop - Remotely

Introduction to How to Configure Remote Desktop - Remotely

One of the most annoying situations is when you know that the Windows 2003 Server is up and running, but you cannot connect because Remote Desktop has not been set up.  However, if you have administrator rights on that server, there is a registry value called fDenyTSConnections which will turn the key for you.

Of all the services on Windows Server 2003, Remote Desktop is the one service where you most need to plan ahead.  The reason I say this is not because configuring Remote Desktop is difficult, quite the reverse; no my reason is to save you frustration.

Topics for Remotely Editing, Remote Desktop

Enabling Remote Desktop Mission

Our goal is to enable Remote Desktop on Windows Server 2003 with a remote registry change.  Fortunately, Microsoft's Windows Server 2003 has Terminal Services installed and built-in, so our mission is merely to put the tick in the Remote Desktop box, which you find in the System icon, Remote tab, from the other side of the network.  This is not a backdoor: it needs an administrator account on the target and the Remote Registry service, which is exactly what the tick box itself needs.

Let us pretend that you wish to add another service such as RRAS or Certificate Server to a Windows Server 2003 machine.  Inconveniently, this machine is the other side of town, or the other side of the world.  The answer is regedit and fDenyTSConnections.

How to find fDenyTSConnections in the Registry

The technique of how I found the 'fDenyTSConnections' setting is instructive in its own right.

  1. Launch Regedit.
  2. Export the registry on the test machine.
  3. Next manually place the tick in the box
  4. Export the registry again.
  5. Run WinDiff to find the single change in the registry.
  6. What I found was that fDenyTSConnections had changed from 1, meaning deny Remote Desktop, to 0 meaning enable, permit that remote desktop connection.
  7. To be quite certain of the double negative logic, find fDenyTSConnections and experiment with adding and removing the tick in the Remote Desktop box.

Note: see the Windiff page for more instructions on using Windiff.

Registry Setting fDenyTSConnections

Now our mission is clear: on the Terminal Services machine, change fDenyTSConnections from 1 to 0.  In order to achieve our mission we need to connect to the registry of the target machine, with an account that is an administrator there.  My first choice would be Remote Registry.  Open regedit, File menu, Connect Network Registry.  Naturally, you have to navigate to the correct key:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.  Now find the REG_DWORD called fDenyTSConnections and set the value to 0 (zero).  If the value is being set by Group Policy (Computer Configuration, Administrative Templates, Windows Components, Terminal Services, 'Allow users to connect remotely using Terminal Services'), the policy wins, so change it there instead.

Note: You may have to Start the Remote Registry Service on the target machine. 

Unfortunately, you have to restart the Windows Server 2003 before the fDenyTSConnections setting takes effect.  There must be a service that you could start and stop, but I have not found which one that is.  Instead I use the shutdown command with the restart switch.  One more catch on SP1 servers with Windows Firewall turned on: ticking the box in System Properties also enables the firewall's Remote Desktop exception, whereas the registry change on its own does not, so if the server is listening but you still cannot connect, that exception (TCP 3389) is the next thing to check.

Shutdown Command - Remote switch

Shutdown /m \\targetserver /r

The /r means restart.  Mr Angry wrote in saying it should not be /m and /r but -m and -r.  Personally, I find that either a minus or slash works equally well.  With shutdown, beware shooting yourself in the foot and shutting down your own machine instead of the target Windows Server 2003; it sounds hilarious, but actually it's embarrassing.  Again knowledge is power: there is a switch to abort a shutdown, shutdown /a (add /m \\targetserver for a remote one), and /t gives you a countdown in which to use it.

Another clever idea I have is using a .reg file.  One reason for adding fDenyTSConnections to the registry from a file is that the Remote Registry service is disabled on the target machine.  So you have a choice of strategies: start the Remote Registry service remotely (sc \\targetserver start RemoteRegistry does it from the command line, because the Service Control Manager answers even when Remote Registry does not), or remotely execute the .reg file with a remote shell tool.
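Here is the whole mission as a script, added to this page as an example rather than taken from it: start Remote Registry on the target, read the current value, flip it to 0 only if needed, test whether port 3389 answers, and restart the server only when you ask for it.  It assumes PowerShell 2.0 or later on your workstation, administrator rights on the target, and that the target's Remote Registry service can be started; the computer name is a placeholder.

```powershell
# Added example, not from the original page: the fDenyTSConnections change done from
# PowerShell instead of regedit, with the checks you want before and after.
# Assumes PowerShell 2.0+, admin rights on the target, and that sc.exe can reach the target's
# Service Control Manager (RPC) to start Remote Registry. $ComputerName is a placeholder.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Enable-RemoteDesktopRemotely {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [switch]$Restart    # only if the change does not take effect on its own
    )
    $keyPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Remote Registry is often disabled on a hardened server; start it first.
    & sc.exe "\\$ComputerName" start RemoteRegistry | Out-Null
    Start-Sleep -Seconds 3

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hklm.OpenSubKey($keyPath, $true)    # $true = open for writing
        $before = $key.GetValue('fDenyTSConnections')
        "{0}: fDenyTSConnections was {1}" -f $ComputerName, $before
        if ($before -ne 0) {
            # Double-negative logic: 1 = deny Remote Desktop, 0 = allow it.
            $key.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $after = $key.GetValue('fDenyTSConnections')
        $key.Close()
    }
    finally { $hklm.Close() }

    # Ticking the box in System Properties also opens the Windows Firewall exception on SP1
    # servers; the registry value on its own does not, so test whether 3389 actually answers.
    if (Test-TcpPort -ComputerName $ComputerName -Port 3389) {
        "$ComputerName is listening on 3389; connect with: mstsc /v:$ComputerName"
    }
    elseif ($Restart) {
        # /t gives a grace period in which 'shutdown /a /m \\server' aborts it if you picked the wrong box
        & shutdown.exe /m "\\$ComputerName" /r /t 60 /c 'Enabling Remote Desktop (fDenyTSConnections)'
        "$ComputerName restarting in 60 s; abort with: shutdown /a /m \\$ComputerName"
    }
    else {
        "fDenyTSConnections is now $after but 3389 is not reachable: check the firewall exception, or rerun with -Restart"
    }
}

# Enable-RemoteDesktopRemotely -ComputerName targetserver
# Enable-RemoteDesktopRemotely -ComputerName targetserver -Restart
```

If the value reads 0 before you change anything and 3389 still does not answer, stop and look elsewhere: a Group Policy 'Allow users to connect remotely using Terminal Services' set to Disabled, or the firewall exception, is the usual reason, and a restart will not fix either.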

Summary of Terminal Services and fDenyTSConnections

Here we have a precise, but tricky task.  We want to enable Remote Desktop on a distant Terminal Server even though Remote Desktop is specifically denied on that distant server.  Even if you have no need to configure fDenyTSConnections yet, you may like the challenge of testing the technique.  You never know that you may need the combination of Windiff and remote registry editing to solve a similar Microsoft problem.


Benefits of Thin Clients

Benefits and Savings of Using Thin Clients

This whitepaper describes the advantages of using thin clients as opposed to PCs (fat clients), and demonstrates how thin clients can produce significant cost savings both initially and over time. A formula is explained that allows you to quickly calculate the savings that your enterprise could make using thin client computing.

Topics for Thin Client Benefits

Introduction

Thin client computing is booming and not without reason: it is solving the growing management problem of PCs (fat clients), and is introducing huge savings on support, hardware and upgrade costs. Furthermore, it is allowing employees to telework/roam more easily. Various enterprises which have made the switch are reaping the benefits, reporting huge cost savings, as well as increases in reliability and productivity.

Thin clients are proven to be more reliable and easier to manage than PCs (fat clients). They rely on the principles of server-based computing (SBC) - a technology whereby applications are deployed, managed, supported and executed on the server and not on the client - solving the many fundamental problems associated with managing the applications on the client itself.

What are thin clients?

A thin client is a general term for a device that relies on a server to operate. It provides a display device, keyboard and mouse and basic processing power in order to interact with the server. A thin client device contains no moving parts such as fans or hard drives (in the case of a dedicated thin client device). It does not store any of the data locally – it is very thin in features and functionality – hence the term 'thin client'.

A thin client often does not contain local storage and requires little processing resources. Thin client hardware can be a converted old PC, a new dedicated thin client device or simply a new low cost PC with a thin client OS installed.

Thin clients present a user with the same look and feel as a traditional desktop and can run any software – Windows, Linux, UNIX, Mainframe, Java, etc. – allowing for easy integration with the existing IT solution.


What are the benefits of using thin clients?

The most compelling advantage of using thin clients is cost cutting. A study conducted by Bloor Research (http://www.bloor-research.com/) shows that “Deploying thin client technology across enterprises can cut costs by up to 70%” (http://www.2x.com/whitepapers/Thin_Client_Benefits_in_Practice_English_Version.pdf).

In a study entitled “Thin-Client vs. Fat-Client TCO” Gartner concluded that "Thin client deployment also offers a quick return on investment (ROI) with a payback period of three months for thin clients."

However, Server Based Computing offers many other benefits beyond simply saving costs:

Worldwide access to work files and enterprise applications - Thin client computing enables increased productivity by allowing workers to work from anywhere in the world. This is crucial as in 2007 more than 60 million people will be telecommuting while 5 million office jobs will be assigned to branch locations, according to the IT analyst group, Gartner Inc. Employees can access their personal desktop from a fat client or notebook, making it easy to telework from home or while on the road. With this system, supporting a mobile workforce simply involves updating the application software on the servers. Workers are guaranteed secure and instant access to enterprise applications and personal data, from any device and over any network speed.

Reduced administration and end user support - Thin clients are far simpler to manage since the thin client OS is deployed centrally and only includes a remote terminal client. Having a single point of administration reduces overall administration costs and saves on maintenance time. Administrators can perform upgrades, deploy patches, applications and virus updates solely on the terminal servers for thousands of users, without having to visit the individual workstations.

Adding or replacing thin clients is far easier - In a server based computing environment, adding desktops for new recruits can be done in a matter of minutes. Also, should a thin client device fail, the desktop can be restored in minutes simply by replacing the thin client device (they are so cheap you can keep a number of them in your store for emergencies).

Increased reliability: Longer MTBF - Thin client devices don’t have moving parts or fans, and therefore have an MTBF (mean time between failures) which is far longer than a normal PC. Gartner, Inc., reports the average thin client MTBF is about 175,000 hours, compared to 25,000 hours for PCs.

Increased security: Less risk of viruses - A server operating system is proven to be more secure than a desktop OS. Thin clients do away with hard drives and floppy drives, and administrators can restrict access to USB sticks and CD-ROMs. This in turn prevents users from loading foreign applications onto the devices, thus increasing security levels and virtually eliminating viruses. It is also a secure approach for home working, as no corporate data is downloaded to virus prone home computers.

Lessens the risk of data theft - Having all data stored on central servers eliminates the risk of important company data falling into the wrong hands should a fat client or notebook be lost or stolen. When working from home, there is also no need for corporate data to be transported between office and home on disks or memory cards.

Disaster recovery: Data is more secure and easier to backup - If a terminal fails, important data isn’t lost since it is stored on the server. Having a centralized storage system allows for faster and easier backups as well as efficient disaster recovery.

Lower power consumption: Save on electricity and heat generation - A thin client device uses only a third of the power a PC uses and generates far less heat and noise, resulting in substantial savings.

Smaller footprint: Save on space - Thin client devices are usually smaller than PCs - the size of an external modem or small VCR. Their compact size allows thin clients to be hidden under desktops or even mounted on walls or under desks.

Easy licensing management and conformance to legal requirements - Due to the centralization, software licensing becomes far easier to monitor and manage. Only the servers need to be audited, not the thin client itself. Legal conformance with data protection laws such as the UK’s Data Protection Act and America’s HIPAA is also made easier due to the data being centralized. Protecting personal records and privacy becomes much simpler than with distributed client/server data. It is also easier and cheaper to respond to any legal questions or cases since potential evidence is centralized.

Reduce capital expense on computer hardware - Thin client devices are cheaper to purchase than PCs. You don't need much processing power and you can use the hardware for a longer period of time (on average, 6 years instead of 3 years). You can also choose to extend the lifespan of your current computers by converting them to thin clients (even a Pentium II could make an acceptable thin client!).

Environments that could benefit from thin client computing

2X fat2thin savings calculator – How much can you save?

Switching to thin client devices presents considerable cost savings. The fashion retailer Armani Exchange reported a 60% reduction in cost when it deployed thin clients in 2005. You can easily find out how much you could save with the 2X Fat2Thin calculator available on http://www.2x.com/calculator/fat2thin.htm.

Simply fill in the number of PCs that you will convert to thin clients (or replace with dedicated thin client devices). The number of PCs that you will replace by thin clients is represented as X and the following formula is applied:

The result shows how much lower the Total Cost of Ownership is of thin client desktops compared to fat client desktops. Following is an explanation as to how these amounts were reached:

*1 Explanation of savings on administration

These were calculated at $1000 per PC. Many research studies indicate that the amount is between $800 and $1,700 per year (for example, see http://h18004.www1.hp.com/products/thinclients/target_market.html, http://www.1st-computer-networks.co.uk/t_c_computing.html and http://www.thinplanet.com/opinion/matrix.asp). Beyond day-to-day maintenance such as installation of patches, software upgrades, etc, there is also the 3 year upgrade cycle which requires an administrator to move all the data and profiles to the new PC. On average this will cost $300 per PC, making for an additional cost of $50 per year (over a 6 year period). Since administration is simplified, an enterprise will require fewer IT staff to perform the same number of functions. This means lower training costs and fewer salaries to pay. Bloor Research estimates that the number of helpdesk staff needed can be reduced typically by 50% and often by 75%.

*2 Explanation of savings on client hardware

These were calculated to be $208 per PC per year. You can get an adequate thin client for $250, in contrast with the average price for a PC of about $750 – this results in a saving of $500. However, because PC hardware has to be upgraded approximately every 3 years as opposed to a thin client which only needs to be replaced every 6 years, the savings increase to $1250 over a span of 6 years ($1500 spent on 2 PCs as opposed to $250 on 1 thin client device). This amount is then divided by 6 to calculate a yearly saving. If you are using existing PCs instead of thin clients, the hardware savings can still be applied because you would be extending the life span of the converted computers. Furthermore, the MTBF of a thin client device is higher and it uses far less energy.

*3 Explanation of extra server hardware costs

These were calculated at $50 per user. Because all processing is done on the server, when using thin clients you will need to buy additional servers to act as terminal servers. On average 30 users will need a dual processor server with 4 gigs of RAM and SCSI hard disks. A brand name server should cost around $4,500 and will depreciate on average in 3 years (in reality you can use them for longer than that).

Conclusion

This paper discussed a number of benefits when using thin clients as opposed to PCs (fat clients) and aimed to give an idea of the cost savings attained by making the switch. In a nutshell, thin clients:

About 2X ThinClientServer

2X ThinClientServer is a complete solution for the central deployment, configuration and management of thin clients and users' connection settings. Both PCs (converted to thin clients) and thin client devices from any vendor are supported via 2X ThinClientOS. Thin client settings (RDP / ICA / NX), screen size, terminal server type (Windows/Citrix/Linux etc) and name can be controlled centrally by user, group or department (Active Directory/LDAP).

About 2X TerminalServer

2X TerminalServer for Linux is a server-based computing solution that provides users with a secure, personal Linux desktop, from anywhere in the world and over any connection speed. With it you can reduce PC administration and make big savings on Microsoft server, client access (CALs) and application (Office) licenses.

About 2X

2X Software Ltd - 2X - is a new company developing software for the booming server-based computing market. The thin client market is forecasted to grow at 22.8% each year until 2008 (IDC). The yearly number of thin clients sold will increase from 1.5 million to 3.4 million in 2007.

The company’s product line includes a thin client server for Windows and Linux, a terminal server for Linux, application tunneling of Windows and Linux apps and a suite of add-on products for Microsoft Terminal Services. Both products leverage the open source Linux operating system.

2X is a privately held company. Its management team is backed by years of experience in developing and selling network infrastructure software. 2X is a Novell, RedHat and IBM ISV partner. More information on: http://www.2x.com.


Choosing the Right Thin Client Device and Software

This white paper focuses on the choice of thin client devices, their operating system, and the thin client management software.

Topics for Choosing Client Device and Software

Introduction

Thin client / server-based computing is booming. Companies are realizing it’s the only way to solve the rapidly escalating problem of fat client management. Thin clients eliminate the tremendous effort required by fat clients for hardware upgrades, software updates, application deployment, security, and backup of data stored on fat clients.  

In a server-based computing environment, only the servers need to be managed. Data and applications reside on a few servers rather than on hundreds or thousands of clients. PCs become terminals and can be replaced by simpler, less expensive - and most importantly - easier to manage devices called "thin clients". 

An additional advantage of server-based computing is that employees can telework/roam more easily.

In short, thin client computing is a “must” for any company that wants to control spiraling PC management costs. However, how can a company best jump onto the thin client computing bandwagon? The following issues must be considered:

Choice of back-end terminal server - Windows or Linux?

What to look out for when buying thin client software and hardware 

Server Based Computing is a must for any company wanting to control spiraling fat client management costs. However, a company should carefully consider the following issues when deciding what devices to use as thin clients and what software to select for managing them.

What type of thin client device?

Almost any computer or device can serve as a thin client. After all, it only needs to run the client software to access the terminal server. You can choose to:

  1. Convert existing PCs into thin clients (free)

  2. Buy new low cost PCs and convert them to thin clients

  3. Buy brand name thin client devices, such as Wyse or HP (generally $300 and up)

  4. Buy low cost client devices, such as MaxSpeed, DevonIT, Expert (generally $150 and up).

Let’s take a closer look at each of these options:

1  Converting PCs into thin clients. This option is very attractive because you can continue to use your existing computers, therefore requiring no further investment. An additional advantage of using existing PCs as thin clients is that the user can continue to use the hard disk for data that has been stored there. Furthermore, if the thin client OS of choice can be installed as a dual boot option, the computer can also boot into its former OS for transition purposes. On the flip side though, existing computers use more power than thin client devices and have a shorter MTBF (mean time between failures), because they have more moving parts.

2  Buy new low cost PCs and convert them to thin clients. PCs are so cheap nowadays that sometimes they are hardly more expensive than a thin client device. In fact many branded thin client devices are more expensive than normal PCs! Therefore, buying a PC and installing a thin client OS can be an attractive option. It also buys you the flexibility to use the PC as a fat client later on if required. We recommend buying a PC that has PXE booting capability, which allows you to manage the thin client OS more easily because you can configure it to download the latest OS at boot.

3  Buy branded thin client devices. Buying a dedicated thin client device is attractive because of its smaller footprint, reduced electricity consumption, low noise level and less heat generation. However, some thin clients are very expensive, up to $1000. Be careful when buying thin client devices from a mainstream company. They often charge extra for essential software options (RDP etc.) and for the management software to manage the thin client devices. In addition they often can only manage thin client devices from that manufacturer itself!

4  Buy low cost thin client devices. There are a large number of low cost thin client device manufacturers (Expert electronics, DevonIT/NTAVO, Maxspeed) that can provide thin clients from as little as $149 each. There is often nothing wrong with the hardware, it’s just that the management software that comes with them is limited. In many situations, these thin client devices can suffice.

 If you decide to buy a dedicated thin client device, you should look for the following specs:

Should Thin Client OS be Windows or Linux?

A further choice to consider is whether the OS on the actual device should be Windows CE, Windows XP embedded, or Linux. Note that this option is completely independent of the choice of desktop (Windows or Linux) that you will present to the user. If you use Linux, the user may never know that his thin client device is actually running Linux.

Many thin clients nowadays actually run Linux. The reason for this is that there is excellent support for all terminal servers (RDP for Windows, ICA for Citrix, and X/NX for Linux). Also Linux can easily be customized by the manufacturer. Software and management options are less flexible on Windows CE, because Windows CE requires software specifically developed for it. A Windows XP embedded client license costs $90 and requires 250 Mb just for the OS. This drives up the cost of the actual thin client device.

Advantages of running Linux on the thin client:

· Windows XP embedded has a much larger footprint (up to 256 Mb) and therefore requires much more storage and cannot be booted via PXE. This means that it requires more effort to update the thin client software. Windows CE has limited software support because it requires software to be developed specifically for the CE platform.

· Embedded Windows operating systems require a license fee which drives up the thin client device costs ($3 for CE basic, $16 for CE professional, and $90 for XP Embedded).

· The Linux thin client gives you the option of a Linux desktop, which for some organizations can be a way to save substantial Microsoft licensing fees.

Disadvantages of running Linux on the thin client:

· A Windows XP or CE client comes bundled with Internet Explorer. If the user will only use a browser on his/her thin client, and the web applications that you want them to connect to support Internet Explorer only, then you will need to use a Windows XP or CE client.

· Windows-only companies will have to learn some Linux skills to manage and support the Linux thin client devices.

Software for management of thin clients

An important consideration should be how you plan to manage the thin clients. The central aim of server-based computing is reduced administration, so your thin client management tool should focus on this. Important considerations include:

· In order to have the flexibility to choose thin client devices from different vendors, or even convert PCs to thin clients, consider thin client management software that supports different types of thin client devices. This allows you to add different types of thin clients or to change thin client vendors.

· The actual thin client OS must be very easy to update, allowing for easy deployment of updates to the terminal server client software (RDP, ICA & NX clients) and possible addition of new features/software.

· Connection profiles (the settings that a user / terminal client software will use to connect, including terminal server name, resolution and so on) and other configuration settings should ideally be managed and stored at the server level and not on the local storage of the thin client. It should not be necessary to push out the connection settings to the thin client. It is more complex and takes more time to have the management software push out the settings to the thin clients.

· User or department-based connection settings (not just thin client-based): Most thin client management software associates a connection setting with a thin client device. It can be useful for thin client management software to have the ability to link a connection profile to a user, group of users or a department (OU). This reduces administration because you can make group or department wide profiles, and it allows a user to roam more easily.

Conclusion

This paper discussed a number of key issues for your thin client strategy: Thin client hardware options, OS of the thin client and considerations for the management software.

· There are several good options for thin clients. You should choose a strategy that allows you to use PCs, low cost and higher cost thin client devices.

· Choose management software that is vendor independent and allows you to manage different types of thin client devices.

· Management software should allow for easy, centralized updating of the thin client OS and control of the connection settings.

About 2X ThinClientServer

Thin client OS for existing PCs and thin clients

2X ThinClientServer provides a complete solution for the central deployment, configuration and management of thin clients.

Manage thin client settings centrally

A small footprint Linux distribution is deployed to thin clients (all popular thin clients are supported) or to normal PCs, allowing you to convert existing PCs to thin clients. Thin client settings (screen size, which terminal servers to log into, etc) can be controlled centrally.

2X ThinClientServer makes centrally managed, load balanced, and fault-tolerant server based computing easy and inexpensive.

2X ThinClientServer Features:

Convert old PCs to powerful thin clients

Use low cost thin clients

Thin client vendor independent

Manage connections settings based on user name or device

Connection settings can be linked to Active Directory users, OUs or groups

Web-based management interface

Connect to either Windows, Citrix, or Linux terminal services

Built-in load balancing and redundancy of terminal servers

Easy updates of thin client operating system & software

Thin clients can boot via PXE, CD ROM, USB, floppy or hard disk

Thin clients can be configured to log to Syslog for easy troubleshooting

Thin clients can be discovered via SNMP, allowing you to use other network management software

Supports the Microsoft RDP, Citrix ICA, and 2X & NoMachine NX thin client computing protocols.

About 2X

2X Software Ltd (“2X”) is a new company that develops software for the booming server-based computing market. The thin client market is forecasted to grow at 22.8% each year until 2008 (IDC). The yearly number of thin clients sold will increase from 1.5 million to 3.4 million in 2007.

The company’s product line includes a terminal server and a thin client server. Both products leverage the open source Linux operating system.

2X is a privately held company. Its management team is backed by years of experience in developing and selling network infrastructure software. 2X is a Novell & IBM ISV partner.

This paper has received the ‘No Bull’ certification from Brian Madden. This certification ensures that this vendor’s paper is realistic, accurate, and not full of hype. As a reader with limited time, you can trust papers with the ‘Certified No Bull’ logo from Brian Madden. More information is available at www.brianmadden.com/certified.



Terminal Services - Remote Desktop Web Connection

Introduction to Remote Desktop Web Connection

If you are familiar with Microsoft's Outlook Web Access (OWA), then Remote Desktop Web Connection is a logical extension of those thin client principles.  From the Remote Desktop client's point of view, you simply open a browser window and receive the XP Desktop.  From the Windows 2003 Server point of view, it's Terminal Service business as usual thanks to IIS and the TSWEB virtual directory.

Topics for Remote Desktop Web Connection

Web Connection Scenario

Let us assume that your users' machines do not have XP.  If they had XP then they wouldn't need Remote Desktop very often.  However, you would like to provide these old machines with the XP desktop experience, so you deploy the Web Connection version of Remote Desktop.  As luck would have it, you have already installed Terminal Services on your Windows 2003 Server.

These days every computer operation is web based, OWA, RPC over http, OMA, and http printing.  So a Web Connection for terminal services is just a logical continuation of this trend to do everything in a browser.  Your mind may be racing ahead thinking of benefits such as easy rollout, support for roaming users and no need to buy new workstations.

One company that I know supplies logon accounts for its partners and allows them to view its products via a Remote Desktop Web Connection.  The partners are impressed with the technology (and the merchandise).

Install Remote Desktop ActiveX Control

Do you trust Microsoft?  Providing you trust the Microsoft Windows Publisher, installing the Web Connection is easy.

In the browser address bar type http://yourserver/tsweb/.  Substitute yourserver with the name of your real Windows 2003 Terminal Services machine.  Tsweb is the name of the virtual directory created automatically under the default website.

Click on Install and the Remote Desktop ActiveX Control will automatically decompress the file and install the necessary controls to enable your Web Connection.

Web Connection Logon Screen

Once you allow Microsoft's ActiveX Control to install its .cab files, then all you need to do is type the name of the Windows 2003 Terminal Server in the dialog box.

I prefer to tick the box which says 'Send logon information for this connection'.  My reasoning is that I like to type my name and password before clicking connect.  However this is not compulsory for getting your Remote Desktop Web Connection.

About the only obstruction to a smooth connection would be firewall problems.  So make sure that your firewall opens both port 80 for the web and 3389 for Remote Desktop.

Windows Server 2003 IIS and TSWeb

If you check the Terminal Services machine, you should find that Windows Server 2003 automatically added a virtual directory called TSWeb.  Apart from making sure that the World Wide Web Publishing Service has not been disabled and has started, there is no extra configuration at the server end.

While you are checking the Windows 2003 WWW service, take the opportunity to find and examine the Terminal Services group of services.  What you should find is that Terminal Services and Terminal Services Licensing are started, but Terminal Services Session Directory is disabled.  Do not be alarmed that the latter service is disabled, as it is only needed if you have clustering.

Summary of Remote Desktop Web Connection

What appeals most about Remote Desktop Web Connection is its simplicity.  The only trick to setup is accepting Microsoft's ActiveX Control.  Only the most hardened user will fail to be impressed when they receive the full XP desktop in a browser window.  For you, maybe the Web Connection is an extension of a system like OWA that you know already.


Windows Server 2003 - Terminal Services Group Policies

Introduction to Terminal Services - Group Policies

If you intend to be serious about Microsoft's Terminal Services then invest the time it takes to configure Group Policies.  In fact, choosing your Terminal Server settings will be fun and a labour of love.  Perhaps you already use Windows Server 2003's Group Policy to control the XP experience, if so then configuring the remote desktop will follow on naturally.

Topics for Terminal Services - Group Policies

Getting Started with GPMC
Guy's top 5 Terminal Service Group Policies
\(Root) - 15 Policies
\Client Server Data Redirection
\Encryption and Security
\Licensing
\Temporary Folders
\Client
\Session Directory
\Sessions

Getting Started with GPMC

Assumption: that you have Windows Server 2003 and have downloaded the marvellous Group Policy Management Console (GPMC) from Microsoft's site.

Most of the Terminal Services Group Policies are found under the Computer Configuration.  Whilst some settings are also available under User Configuration, my first piece of advice is to use just the Computer Configuration Group Policies for Terminal Services.  My reasoning is keep it simple, and keep all the settings in one place.

Many of these Group Policies can also be controlled via the Terminal Services Configuration Snap-in, a classic case of Microsoft providing two (three) ways of doing everything.  So, my suggestion is to have both the GPMC and the Terminal Services Configuration menus available.

Guy's top 5 Terminal Service Group Policies

About half of the Group Policies are only needed for special situations, such as Microsoft clustering or running Remote Desktop from PDAs.  I have indicated where settings would not be needed if you have a standard configuration of Terminal Services.  However, I have selected 5 Group Policies which you should consider for any Windows Server 2003 configuration.

Assumption:

You have access to the Windows 2003 Server, and you have opened the GPMC (Group Policy Management Console).  From there you edit the Group Policy.  See screen shot above showing Terminal Services Group Policy.

\(Root) - 15 Policies

Keep Alive Connections - Specifies whether persistent connections are allowed. By default, keep-alive connections are disabled. The idea is to ensure that the session state on the server is consistent with the client state.
Automatic Reconnection - By default, the Terminal Server tries twenty reconnections at five second intervals.  This setting is also available at the Experience tab in Remote Desktop Connection. Users can choose 'Reconnect if connection is dropped'.
Restrict Terminal Services users to a single remote session - This setting is nailed down by default.  It is a good idea to keep it Not Configured, in which case the default on the Terminal Server takes over.  You need a really good reason to Disable this setting.
Enforce Removal of Remote Desktop Wallpaper - Useful for slow connections.
Deny log off of an administrator logged in to the console session - There is a concept of session 0.  If one administrator has control of the terminal server console they may not want another administrator to log them off session 0.  Tentatively suggest Enable.  Make sure you check the double negative logic.
Limit number of connections - Self evident group policy.
Limit maximum color depth - Only useful for slow connections or primitive devices.
Allow users to connect remotely using Terminal Services - I suggest that this is a maintenance setting to stop users logging on during a time when you are servicing the terminal server.
Do not allow local administrators to customize permissions - Guy says you don't need this policy.  Control permissions with the Remote Desktop Users group.
Remove Windows Security item from Start menu - Policy to make it difficult for users to end a remote desktop session.  A setting for a kiosk.
Remove Disconnect option from Shut Down dialog - Makes it difficult for users to end a remote desktop session.  Useful for an internet café?
Always show Desktop on Connection - Group Policy to prevent people choosing other programs to run.  Guy cannot see much call for this setting.
Set path for TS Roaming Profiles * - Type the UNC path to the network share in the form \\Computername\Sharename. Note, there is no need to specify %username% for the user alias, because Terminal Services automatically appends this at logon.
TS User Home Directory - Type the UNC path to the network share in the form \\Computername\Sharename. Note, there is no need to specify %username% for the user alias, because Terminal Services automatically appends this at logon.
Start a Program on Connection - Optional.

\Client Server Data Redirection  - 10 Policies

Allow Time Zone Redirection By default the session takes its time from the server.  You can alter the behaviour to display local time on the remote desktop.
Do not allow clipboard redirection By default, copy and paste between the session and local applications is allowed.
Do not allow smart card device redirection Normally smart cards are detected on connection.
Allow audio redirection Users can use the "Remote computer sound" option on the Local Resources tab of Remote Desktop Connection to choose whether to play the server's sound on the remote computer or on the local computer.
Do not allow COM port redirection Can also be controlled by the Terminal Services Configuration menu.
Do not allow client printer redirection Normally, you would want clients to be able to redirect jobs to a local printer.
Do not allow LPT port redirection Similar Group Policy to the printer settings above.
Do not allow drive redirection Normally drives are mapped when the initial session is connected.
Do not set default client printer to be default printer in a session Suppose a client already has a default printer.  When the terminal server session is created, the normal behavior is to retain this default printer.
Terminal Server Fallback printer driver behavior* If there is no matching printer driver on the client, then Terminal Services finds the nearest match.  Good idea.

\Encryption and Security - 3 Policies

Secure Server (Require Security) This is a Group Policy for RPC authentication. If you enable then make sure the Terminal Services clients are capable of secure RPC communication.
Always prompt client for password upon connection Enabling this setting means that users cannot tick the remember my password box.  A classic case of: the more security you have, the more work there is.  If enabled, it could annoy users.
Set client connection encryption level If you enable this setting, choose client compatible.

\Licensing - 2 Policies

License Server Security Group* You need to enable this setting to control which computers can contact the Terminal Services Licensing server.  (SP1 cures a bug which prevents the licensing server itself from obtaining a license.)
Prevent License Upgrade You need to investigate this setting only if you have both Windows 2000 and Windows Server 2003 Terminal services.

\Temporary Folders - 2 Policies

Do not use temp folders per session If you enable this, Terminal Server heaps all the users' temporary files in one directory.  Guy says specialist use only.
Do not delete temp folder upon exit Enabling this setting may give slightly better performance the next time a user reconnects.  I would not be in a hurry to enable this setting.

\Client - 1 Policy

Do not allow passwords to be saved Enabling this would be considered high security, but balance security with annoying the users.  Not a policy for me.

\Session Directory - 4 Policies for Clusters of Terminal Server Farms

Terminal Server IP Address Redirection Microsoft's Cluster settings
Join Session Directory Policy for Cluster settings
Session Directory Server More Cluster settings
Session Directory Cluster Name Cluster settings

\Sessions - 5 Policies

Set time limit for disconnected sessions* This setting overcomes the problem of users disconnecting without logging off from their terminal server session.
Sets a time limit for active Terminal Services sessions Not often needed.  Why would you want to stop them working!
Sets a time limit for active but idle Terminal Services sessions* Worth setting.  The only decision is how long a reasonable idle time-out is: 20 minutes?  1 hour?  You decide.
Allow reconnection from original client only If the status is set to Enabled, users can reconnect to disconnected sessions only from the original client computer. If a user attempts to connect to the disconnected session from another computer, a new session is created instead.
Terminate session when time limits are reached This Group Policy controls whether you are disconnecting or deleting remote desktop sessions that reach their time limits.
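To turn the settings above into a quick audit of a Terminal Server, here is an added PowerShell example (not from the original page) that reads the registry values the Computer Configuration policies write and flags weak or Not Configured entries. It assumes the value names used by the Terminal Services ADM template (MinEncryptionLevel, fPromptForPassword, DisablePasswordSaving, MaxIdleTime, MaxDisconnectionTime); check them against your own template before relying on the output.

```powershell
# Added example, not the page's own code: audit Terminal Services policy
# settings on this server. Value names are an assumption taken from the
# Terminal Services ADM template; confirm them against your template.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-TsPolicyValue {
    param([string]$Name)
    # Returns $null when the policy is Not Configured (value absent),
    # which is how Group Policy represents "let the server default apply".
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# A high-security baseline drawn from the policies discussed above:
# encryption at Client Compatible (2) or higher, prompt for password on,
# saved passwords disabled, idle and disconnected limits set (milliseconds).
$Checks = @(
    @{ Name = 'MinEncryptionLevel';    Test = { param($v) $v -ge 2 }
       Advice = 'Set client connection encryption level: Client Compatible (2) or higher' }
    @{ Name = 'fPromptForPassword';    Test = { param($v) $v -eq 1 }
       Advice = 'Always prompt client for password upon connection: Enabled' }
    @{ Name = 'DisablePasswordSaving'; Test = { param($v) $v -eq 1 }
       Advice = 'Do not allow passwords to be saved: Enabled' }
    @{ Name = 'MaxIdleTime';           Test = { param($v) $v -gt 0 }
       Advice = 'Set time limit for active but idle sessions, e.g. 20 minutes = 1200000 ms' }
    @{ Name = 'MaxDisconnectionTime';  Test = { param($v) $v -gt 0 }
       Advice = 'Set time limit for disconnected sessions' }
)

foreach ($c in $Checks) {
    $value = Get-TsPolicyValue -Name $c.Name
    if ($null -eq $value) {
        '{0,-22} Not Configured  -> {1}' -f $c.Name, $c.Advice
    } elseif (& $c.Test $value) {
        '{0,-22} {1,-15} OK' -f $c.Name, $value
    } else {
        '{0,-22} {1,-15} WEAK -> {2}' -f $c.Name, $value, $c.Advice
    }
}
```

A Not Configured line is not necessarily wrong (the author deliberately leaves several of these alone); it tells you the server default, not the policy, is in force.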

Summary of Terminal Services Group Policies

Most of the Terminal Services Group Policies are found under the Computer Configuration.  Whilst some settings are also available under User Configuration, my advice is to just use the Computer Configuration Group Policies for Terminal Services.  My reasoning is keep it simple, and keep all the settings in one place.

Many of these Group Policies can also be controlled via the Terminal Services Configuration Snap-in, a classic case of Microsoft providing three ways of configuring.


Windows Server 2003 - Terminal Services Licensing

Introduction to Terminal Services Licensing

Licensing reminds me of the old saying, tell me the rules (Microsoft) and I will play your game.  Every aspect of Terminal Services Licensing has its share of shocks.  If at least one aspect of licensing does not surprise you, then I will eat my hat.

Topics for Terminal Services Licensing

Terminal Services License 120 day Grace

Does it slightly surprise you that Microsoft give us 120 days to sort out the Per User licensing?  Within the grace period you need to iron out your strategy and then contact your supplier to buy the required number of licenses.

Terminal Server Licensing - An Outline Plan

Here is the outline plan.  Count the users (or devices) then buy that number of licenses.  Go to Windows Server 2003, install the Terminal Services and also the Terminal Services Licensing.  Add the licenses to the Terminal Server Licensing interface.  Install the Remote Desktop software on the clients.  (or use Web Connection.)

Terminal Server Licensing Strategy - User or Device

Have a think about who and what will use Remote Desktops.  Count the number of users, and then count the number of devices.  If the number of users is less than the number of devices, then buy what Microsoft calls 'per User licenses', else buy per Device licenses.  These licenses are often referred to as CALs (Client Access Licenses).

If the decision is close then a per User license is cheaper.  For example, suppose you have geeks with a laptop, a hand held device and a palm top, and occasionally the geek even uses Remote Desktop from their workstation.  The answer is buy one per User license rather than 4 per Device licenses, one for each of their 'toys'.  Where the per Device option is more economical is if you have kiosks or communal machines.  I do believe that you can combine both per User and per Device licenses.   Incidentally, the per Device licenses are held by the local operating system.

Time for my warning.  Microsoft have a habit of changing the licensing rules so do get confirmation of anything that I say from your trusty Microsoft supplier.  You really should pick the sales people's brains when it comes to Terminal Services Licensing.

My mate 'Mad' Mick bought a 5 CAL User pack for $80 on ebay, however I understand the normal price is $400+ for a 5 CAL Terminal Server User pack.  I understand that per Device Licenses are considerably more, c. $800.  Microsoft's justification is that you are getting an XP Professional desktop which is normally $200+.

Time for another shock, not only do you need a Terminal Services CAL, but also you need a regular Windows Server 2003 CAL.  Yes that's two licenses for one connection. 

I am going to get all the bad news over in one section.  In Windows 2000 Terminal Service, all XP Machines had a built-in Terminal Service License.  The bad news is that XP's built-in license is not valid on a Windows 2003 Terminal Server.  While this change may seem outrageous, in practical terms how much does it really matter?  How often would an XP Machine need a Terminal Server session?  If it were you or me then we could take advantage of the 2 free Administrator's connections.

Another surprise, there is yet another license scheme called ECL - External Connection Licenses.  I had a friend who ran a training company from a tiny island; he gave his worldwide customers an XP Desktop experience with his special External License.  The idea is rather like a per server license; it cost him tens of thousands of dollars and the paperwork was a nightmare before Microsoft would license his operation.

Windows Server 2003 - Terminal Services

Let us switch to the Windows Server 2003 domain controller.  I have already hinted at this surprise: just installing Terminal Services is not enough, you must also install a separate component called Terminal Services Licensing. (See Diagram)

In fact with Windows Server 2003, the Terminal Server Licensing server does not need to be a domain controller.  This is a rare example of Microsoft making licensing easier.  At least it's easier if you configure the Terminal Server Licensing servers via Group Policy.

Group Policy Method

  1. Expand the Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double click:  'Use the specified Terminal Server license servers.' 
  2. Select: Enabled. 
  3. Next, type in the names of the license servers that you want this Terminal Server to contact when attempting to obtain CALs.
  4. See more on Group Policies for Terminal Services here.

Regedit Method

If you prefer to hack the registry this is the alternative method.  Scenario, your Terminal Services License server is called Tslicsvr. 

  1. On server OurTerm launch regedit and navigate to: HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters
  2. From regedit's Edit menu, choose New, Key and call it LicenseServers (surprise, it's a Key, not a Dword or String).
  3. Finally add a subkey with the NetBIOS name of the server (in our example Tslicsvr; in real life substitute the name of your server).
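The same three registry steps as an added PowerShell example (not the page's own code), including a check for the classic mistake of creating LicenseServers as a value rather than a key. It assumes the licensing server is named Tslicsvr, as in the scenario above, and that you run it elevated on the Terminal Server.

```powershell
# Added example, not from the original page: register licence server
# Tslicsvr under TermService\Parameters\LicenseServers on this Terminal Server.
$LicenseServer = 'Tslicsvr'   # assumption: NetBIOS name from the scenario above
$ParentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$ListKey   = Join-Path $ParentKey 'LicenseServers'
$ServerKey = Join-Path $ListKey $LicenseServer

# Common mistake: a REG_SZ or REG_DWORD *value* called LicenseServers.
# The Terminal Server ignores it, because it expects a KEY of that name.
$stray = Get-ItemProperty -Path $ParentKey -Name 'LicenseServers' -ErrorAction SilentlyContinue
if ($null -ne $stray) {
    Write-Warning 'LicenseServers exists as a value, not a key; remove the value first.'
}

# Step 2: LicenseServers is a key, not a Dword or String.
if (-not (Test-Path $ListKey)) {
    New-Item -Path $ListKey | Out-Null
}

# Step 3: each licence server is a subkey named after its NetBIOS name.
if (-not (Test-Path $ServerKey)) {
    New-Item -Path $ServerKey | Out-Null
}

# Verify: these are the servers this Terminal Server will contact for CALs.
'Configured licence servers:'
Get-ChildItem -Path $ListKey | Select-Object -ExpandProperty PSChildName
```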

In many ways you have little to lose by installing a second licence server for fault tolerance.  The license database may take 10MB but Windows Server 2003 should be able to afford that space.

Domain License v Enterprise License Server

Domain and Enterprise Licensing are two options for the Windows Server 2003.  Make it your reflex to choose the Domain option.  The Enterprise License is designed for different domains, provided they are at the same site.

Installing CALS with the Licensing Wizard

The key point is that Terminal Services requires a two stage authentication with Microsoft Clearinghouse.  Firstly, activate your Windows Server 2003 to be a certified Terminal Services machine.  Secondly, install the CALs that you buy.

Remember that Terminal Services provides 3 interfaces; in this instance we need the Terminal Server Licensing.  Once the snap-in launches, right click the Server (GUIDO in the screen shot) and select Properties.  From here you are on your own, however the method is similar to other Microsoft activation procedures.  Just remember to have the Terminal Services License Pak numbers that you purchased.

Terminal Server Groups

Take as example, the situation where you have one licensing server and 4 Windows 2003 Servers with Terminal Services, then the license server will issue licences to each server that requests a license.  If you want to control aspects of Terminal Servers then you should invest time and create groups.

If you have more than one Terminal Services Server it is best to manage Terminal Server computer accounts through groups.  Add these computer accounts to the local Terminal Services Computers group.  Alternatively add an extra step: create a global group for the Terminal Servers and add that to the domain local Terminal Services Computers group. This method allows a domain administrator to manage a single container of computer accounts.

Summary of Terminal Server Licensing

The secret of Terminal Server Licensing is to plan your mode, per user or per device; then install the Terminal Service Licensing on the Windows 2003 domain controller.  Good luck with negotiating a rock bottom price for your CALs.


Windows Server 2003 Utilities

Windows Server 2003 Utilities

Whenever I find the right tool for the right job, I always get a satisfying glow.  I particularly enjoy discovering a new utility that saves me time; ADSI for interrogating LDAP properties springs to mind.  Others of my toolkit come into their own in an emergency: NTDSutil and ESEutil are powerful life savers in disaster recovery situations.  There again I love old friends like Ipconfig for checking IP configuration.  However, in Windows 2003 they have new twists, such as Ipconfig /flushdns.

The most common fault when evaluating new tools is forgetting where they came from; take DCDIAG for an example, is it built-in?  Or does it come in the resource kit?  Actually it's neither, you install it from the Server Support Tools.

One curiosity with these Windows utilities is that even amongst top techies, it's a case of one man's meat is another man's poison.  Few others rate cmdhere as highly as I do, whereas I have never really got on with diskpart or dsmod.

Sources of Windows Server 2003 Utilities

Support Tools

Built-in Tools - Executables that come with the operating system.

Microsoft's Site

Third party

Resource Kit(s)


Windows Server 2003 - ADSI Edit

Windows Server 2003 - ADSI Edit

ADSI Edit (Active Directory Services Interface) is the best Windows 2003 Server tool for combining learning with troubleshooting.  The number of configuration tasks that require ADSI Edit is on the increase; therefore take the time to install ADSI Edit from the Support Tools.  Once you have a copy, waste no opportunity to launch ADSI Edit and explore Active Directory.

In your Windows Active Directory career you will find dozens of occasions where the only cure is editing the Domain or Configuration partition with ADSI Edit.  I chose the examples on this page to give you a good grounding in the utility, rather than to cure a specific Windows Server 2003 problem.

Tutorial Topics for ADSI Edit

Scenarios for ADSI Edit

  1. VBScript - Researching the LDAP properties of user objects.  If you have to bulk import users into Active Directory, then you need to know the LDAP names corresponding to Last Name (sn) and First Name (givenName).
  2. Active Directory Users and Computers - Display Names.  The default display in both Exchange GAL and ADUC is First Name then Last Name.  Larger companies may wish to reverse the display because they find it easier to search on Last Name.
  3. Security - Editing security permissions for object that have no other interface. For example, Exchange 2003 Anonymous access to the Address Lists.
  4. Restoring old Backups - Learning how to extend the useful life of a backup tape by increasing the tombstoneLifetime attribute.
  5. TechNet - Following through on TechNet's suggested solutions.  For example, Raise Forest Level with msDS-Behavior-Version.
  6. Replication - Active Directory theory talks of Topology, KCC, Domain replication and Forest replication, with ADSI Edit you can see these different containers and imagine how they could be replicated separately.

Installing ADSI Edit

ADSI Edit is one of Windows Server 2003's Support Tools.  My advice is to install the whole Support Tools package from the Server CD:  \support\tools\supptools.msi.  Once the two program files adsiedit.dll and adsiedit.msc are installed, you also get a shortcut on the Start, Programs menu, however I prefer to add ADSI Edit as a snap-in to my MMC.

Getting Started - Launch ADSI Edit

Once ADSI Edit launches, the secret is connecting to the correct naming context.  If you are following a TechNet instruction then pay close attention to whether it says connect to the Domain or connect to the Configuration Container.  In the diagram opposite you will also see Schema and RootDSE; they are only rarely used for ADSI Editing.  Sorry to harp on, but the classic beginner's mistake is connecting to the wrong Naming Context and as a result, being unable to find the required objects and properties.

Once you get started with ADSI Edit notice how the layout is similar to Active Directory Users and Computers, especially the Domain container.  Also the Configuration and the Schema containers are like the Sites and Services, and Schema snap-ins respectively.  The big difference is that with ADSI Edit you see many more properties, and each property has dozens of attributes.  In fact there are so many obscure attributes that I often tick the box: Show only attributes that have values.

Unlike DCDiag, NTDSutil and most of the other tools, ADSI Edit is a GUI, which means it's easier to appreciate the scale of Active Directory and easier to navigate the various branches of the configuration containers.

ADSI Edit Example - To change the Display Name

This example has all the ingredients for learning about ADSI Edit: planning, attention to detail and a real life scenario where there is no other way of configuring the settings.  Our objective is to change the display from First Name Last Name to Last Name, First Name.  From the outset, let us be clear which field we are changing.

Our mission is to change the first field in Active Directory Users and Computers, the column called Name and not the Display Name or Description column.  (Although you could change those too, but that would be a separate project.)  The above diagram shows the final result, let us see how we achieve this goal.

  1. Launch ADSI Edit and make sure you start at the Configuration container. 
  2. Next it's CN=Configuration, CN=DisplaySpecifiers.  CN=409 means English sort order (not Spanish or Arabic).
  3. What we want is the user-Display Properties, the crucial attribute is createDialog (not description).
  4. Now it took me four tries before I perfected the string value:
    %<sn>, %<givenName>

Here are my mistakes:

 %<sn>, %   <givenName>.  I exaggerated the gap, but please note that there should be no space between the % and the bracket.  My most infuriating mistake was <givenname>.  At first, I had no idea that Active Directory required the case sensitive <givenName>.
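The same createDialog change scripted with ADSI, as an added PowerShell example (not the page's own code). It validates the template against exactly the two mistakes described above (a space after the % and a wrongly cased attribute name) before writing, and assumes you run it as an Enterprise Admin, since CN=DisplaySpecifiers lives in the Configuration partition.

```powershell
# Added example, not from the original page: set createDialog on the English
# (CN=409) user-Display specifier so new users appear as "Last Name, First Name".
$Template = '%<sn>, %<givenName>'

# The names inside <...> are case sensitive LDAP attribute names; a token that
# is not in this list (for example <givenname>) is the mistake described above.
# The list is an assumption: extend it if you use other attributes.
$KnownAttributes = @('sn', 'givenName', 'initials', 'displayName', 'cn')
$Tokens = [regex]::Matches($Template, '%<([^>]+)>') | ForEach-Object { $_.Groups[1].Value }
foreach ($t in $Tokens) {
    if ($KnownAttributes -cnotcontains $t) {     # -cnotcontains is case sensitive
        throw "createDialog token <$t> is not a known attribute name (check the case)"
    }
}
if ($Template -match '%\s+<') {
    throw 'createDialog: no space is allowed between the % and the <'
}

# Find the Configuration naming context from RootDSE rather than typing the DN.
$RootDse   = [ADSI]'LDAP://RootDSE'
$ConfigNc  = $RootDse.Get('configurationNamingContext')
$Specifier = [ADSI]"LDAP://CN=user-Display,CN=409,CN=DisplaySpecifiers,$ConfigNc"

'Current createDialog: {0}' -f $Specifier.createDialog
$Specifier.Put('createDialog', $Template)
$Specifier.SetInfo()     # raw write: like ADSI Edit, nothing checks the value for you
'New createDialog:     {0}' -f $Specifier.createDialog
```

As the learning points say, the effect shows only when you next create a user in Active Directory Users and Computers; existing objects are untouched.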

Learning Points

1) Do remember what I said about attention to detail: as ADSI Edit uses 'raw' mode, there is no error checking.

2) The good news is that if you go back to Active Directory Users and Computers and create another user, you will see immediately the effect of editing createDialog.

3) Do experiment with other settings, for example, user-display properties, description attribute.

Good News

If you are upset that existing users are not affected by this change, then get a copy of ADModify and with a few clicks you can display the 'Name' column as LastName, Firstname.

Download ADSI Edit

Summary of ADSI Edit

No-one wins their Active Directory spurs without knowing where to find ADSI Edit.  No-one gets to be a top Windows Server 2003 techie without configuring the Domain and Configuration partitions with ADSI Edit.  Without ADSI Edit experience, many TechNet articles will be beyond your skill level.  While this is not a difficult tool, you have to be careful as there is no error checking.

More Examples of ADSI Edit

Windows Server 2003 - ADSI Edit

You can never get too much of a good thing.  Well ADSI Edit is that 'good thing'.  Thus, never waste a chance to try out a new idea from TechNet, or a new tip on how to configure Active Directory with ADSI Edit.  What you are preparing for is that day when the only way to solve a desperate problem is to change an attribute with ADSI Edit, because there is no other GUI that displays the low level objects.

Topics for ADSI Edit

Example 1: ADSI Edit and TechNet

There is only a chance in a million that you actually need this ADSI Edit fix.  It is most unlikely that you will have a problem Raising Forest Function Level, despite this, msDS-Behavior-Version is a most instructive example of ADSI Edit in action.

The real life scenario is that you cannot raise the Forest Level to Windows 2003.  We assume that a bug has struck, Mr Nobody fouled up or that the GUI controlling Raise Forest Function Level has jammed.  The scene is set for ADSI Edit to ride to the rescue.  Researching TechNet reveals that we need to edit an attribute called:
msDS-Behavior-Version.

Here are your instructions:

  1. Launch ADSI Edit, navigate to the Configuration partition
  2. Expand: CN=Configuration,DC=<forestname>
  3. Right-click on the CN=Partitions node, select Properties
  4. On the properties sheet, scroll down to the
    msDS-Behavior-Version attribute, and then click Edit
  5. Set the Value to numeric 1, and then click OK.

Learning Points

1) Get a good reference source, for example TechNet.

2) Pay close attention to the correct top level container.  Is it Domain, or Schema?  No, in this instance you need to start at the Configuration Container.  If you fail to start at the right place you are doomed to frustration.

3) Once you get off to a good start, it's just a matter of following the TechNet instructions.

4) The point is that you could not configure msDS-Behavior-Version through Active Directory Users and Computers.

5) Remember that all changes are live and instant; unlike other GUIs, the operating system does not perform any safety checks.

Example 2: ADSI Edit and DCDiag

Symptoms of a bizarre connection problem.

When you try to connect to network resources from an affected domain controller with a command such as \\server\share, you get the following error message:
No logon servers available (c000005e = "STATUS_NO_LOGON_SERVERS")

DCDiag SYMPTOMS

[DC1] LDAP bind failed with error 31
When you run the REPADMIN /SHOWREPS utility locally on a domain controller, you may receive an error message such as:
[C:\Windows\private\ds\src\util\repadmin\repinfo.c, 389] LDAP error 82 (Local Error).

Confirmation from NetDiag

The Netdiag tool may display the following error messages:
DC list test . . . . . . . . . . . : Failed
[WARNING] Cannot call DsBind to <servername>.<fqdn> (<ip address>). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for krbtgt/<fqdn>.
[FATAL] Kerberos does not have a ticket for <hostname>.
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC <hostname>\<fqdn>

ADSI Edit Solution

Launch Adsiedit

  1. Navigate to the Domain NC, expand DC=domain, and then expand OU=Domain Controllers.
  2. Right-click the affected domain controller, and then click Properties.
  3. Click userAccountControl in the Attributes box.  If the value is not 532480, type 532480 in the Edit Attribute box, click Set, click Apply, and then click OK.

Learning Points

1) This is a job for the Domain partition of Active Directory.

2) While normal values for userAccountControl are 512 or 514, Domain Controllers need a value of decimal 532480.

3) Note how you need to be a minor expert in three areas: ADSI Edit, DCDiag and TechNet.
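To see why 532480 is the right number, and to check every domain controller for it without opening ADSI Edit, here is an added PowerShell example (not the page's own code). It decodes userAccountControl into its documented flag bits, shows the 512, 514 and 532480 values from learning point 2, then queries OU=Domain Controllers; it assumes a domain-joined machine with the [ADSI] and [ADSISearcher] accelerators.

```powershell
# Added example, not from the original page: decode userAccountControl and
# audit the Domain Controllers OU for the expected value of 532480.
# Flag values are the documented ADS_USER_FLAG bits.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    # Returns the names of the bits set in a userAccountControl value.
    param([int]$Value)
    $names = foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
    return ($names -join ' | ')
}

# The three values from learning point 2:
# 512    = NORMAL_ACCOUNT
# 514    = ACCOUNTDISABLE | NORMAL_ACCOUNT
# 532480 = SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION  (0x2000 + 0x80000)
foreach ($v in 512, 514, 532480) {
    '{0,7} = {1}' -f $v, (ConvertFrom-UserAccountControl $v)
}

# Audit: every computer object under OU=Domain Controllers should carry 532480.
$ExpectedDcUac = 532480
$RootDse  = [ADSI]'LDAP://RootDSE'
$DomainNc = $RootDse.Get('defaultNamingContext')
$Searcher = [ADSISearcher]'(objectCategory=computer)'
$Searcher.SearchRoot = [ADSI]"LDAP://OU=Domain Controllers,$DomainNc"
$Searcher.PropertiesToLoad.Add('name') | Out-Null
$Searcher.PropertiesToLoad.Add('userAccountControl') | Out-Null

foreach ($result in $Searcher.FindAll()) {
    $name = $result.Properties['name'][0]
    $uac  = [int]$result.Properties['useraccountcontrol'][0]   # keys are lower case
    if ($uac -eq $ExpectedDcUac) {
        '{0,-20} {1,8} OK' -f $name, $uac
    } else {
        '{0,-20} {1,8} UNEXPECTED: {2}' -f $name, $uac, (ConvertFrom-UserAccountControl $uac)
    }
}
```

A domain controller showing anything other than SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION is the condition the DCDiag and NetDiag symptoms above point to.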

Example 3 - Installing Exchange 2003. An invalid ADSI pathname was passed

When you run Microsoft Exchange 2003 (2000) Server Setup with the /forestprep switch, the installation fails and you may receive the above error message.

The Cause of error 80005000 in Exchange

You run setup /forestprep, but it does not complete properly.  Active Directory 'flags' that it has been run, but in reality it did not finish.

Check the server progress log for entries like.

(G:\admin\src\udog\setupbase\basecomp\baseatom.cxx:775)
Error code 0X80005000 (20480): An invalid ADSI pathname was passed.

The Solution for Exchange error code 80005000

Open ADSI Edit.
Navigate to this location under the Configuration container:
CN=Configuration; CN=Services; select CN=Microsoft Exchange

Right-click CN=Microsoft Exchange, and then click Properties. From the Attributes tab, under Select which properties to view, click Both.
From the Select what property to view pull-down menu, select Heuristics.
If the value is set to 2, then you have already run ForestPrep.

Solution: reset the Heuristics property, click Clear, and then click Apply. The Value(s) field will change to 'not set'.

Example 4 - Changing Forest and Domain Function Level

Set Functional Levels Manually
It is possible, as a last resort, to modify the current domain and forest functional level settings with ADSI Edit. When you modify the attributes manually, it is best to target the FSMO authoritative for the increase, as the change is actually written to the authoritative FSMO and then replicated.

Forest Level Setting

The attribute that you want is: msDS-Behavior-Version on the CN=Partitions, CN=Configuration, DC=ForestRootDom, DC=tld object.
Value of 0 or not set=mixed level forest
Value of 1=Windows Server 2003 interim forest level
Value of 2=Windows Server 2003 forest level

Note When you increase the msDS-Behavior-Version attribute from 0 to 1, you receive the following error message, just ignore it!
Illegal modify operation. Some aspect of the modification is not permitted. Click OK to continue.

To check that your change has worked, refresh the attribute list and check the current setting.

Domain Functional Level Setting
The attribute is msDS-Behavior-Version on the NC head root of each domain, the DC=Mydomain, DC=ForestRootDom, DC=tld object.
Value of 0 or not set=mixed level domain
Value of 1=Windows Server 2003 interim domain level
Value of 2=Windows Server 2003 domain level

Summary of ADSI Edit

Nobody wins their Active Directory spurs without knowing where to find ADSI Edit.  No-one gets to be a top Windows Server 2003 techie without configuring the Domain and Configuration partitions with ADSI Edit.  Without ADSI Edit experience, many TechNet articles will be beyond your skill level.  While this is not a difficult tool, you have to be careful as there is no error checking.


Windows Server 2003 - NetDiag Tutorial

Windows Server 2003 - NetDiag Tutorial

NetDiag provides a master class in testing Network Availability.  When you run NetDiag from the command line it carries out a battery of tests which check network availability.  As usual, my goal in this NetDiag tutorial is to show you how to master the basics of the utility.

Even if there is no problem with your Active Directory, it is still worth running NetDiag to learn about a healthy operating system; for example, NetDiag shows the existence of the KCC, the Knowledge Consistency Checker.  Get a free copy of NetDiag at the end of this page.

Tutorial Topics for NetDiag

Possible Scenarios for NetDiag

  1. Installing Exchange and you wish to check that you can connect to other servers.
  2. Checking VPN network tunnels
  3. DNS problems.  Computers cannot 'see' their domain controller.
  4. A quick check on hotfixes.
  5. Check the Network Card Bindings from the command prompt.
  6. You are having problems with IPSEC.
  7. Winsock corruption, wrong version incompatibilities.
  8. Check that Domain Controllers are all able to 'speak' LDAP.

Installing NetDiag

NetDiag magically appears after you install the Support Tools from the Windows Server 2003 CD.  Once NetDiag.exe (and the Support Tools) is in the path then you can run it from any command prompt.

NetDiag switches

/v  If you need the full report on your network availability, then append this verbose switch to the command.  Unlike the /v of other utilities, NetDiag /v really does produce chapter and verse on your network cards and their binding.

/Debug  This debug switch was disappointing in that it did not produce any more details than those supplied by the /v.  Perhaps I would have received extra information if my Windows Server 2003 really had a network connectivity problem.

/q  When you just need to know if there are any errors, this is the switch for troubleshooting.  The /q is the antithesis of the /v and /debug.

/test:  Unlike DCDiag, NetDiag's test switch worked perfectly.  What is more, the command:
netdiag /test produced the following list of possible tests:

Ndis - Netcard queries Test
IpConfig - IP config Test
Member - Domain membership Test
NetBTTransports - NetBT transports Test
Autonet - Autonet address Test
IpLoopBk - IP loopback ping Test
DefGw - Default gateway Test
NbtNm - NetBT name Test
WINS - WINS service Test
Winsock - Winsock Test
DNS - DNS Test
DsGetDc - DC discovery Test
DcList - DC list Test
Trust - Trust relationship Test
Kerberos - Kerberos Test
Ldap - LDAP Test
Route - Routing table Test
Netstat - Netstat information Test
Bindings - Bindings Test
WAN - WAN configuration Test
Modem - Modem diagnostics Test

Example - NetDiag using my favourite /v

Owner of the binding path : Remote Access NDIS WAN Driver
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiswanasync
Upper Component: Remote Access NDIS WAN Driver
Lower Component: RAS Async Adapter

Component Name : Message-oriented TCP/IP Protocol (SMB session)
Bind Name: NetbiosSmb
Binding Paths:

Component Name : WINS Client(TCP/IP) Protocol
Bind Name: NetBT
Binding Paths:
Owner of the binding path : WINS Client(TCP/IP) Protocol
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : WINS Client(TCP/IP) Protocol
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)


Component Name : Internet Protocol (TCP/IP)
Bind Name: Tcpip
Binding Paths:
Owner of the binding path : Internet Protocol (TCP/IP)
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : Internet Protocol (TCP/IP)
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)


Component Name : Client for Microsoft Networks
Bind Name: LanmanWorkstation
Binding Paths:
Owner of the binding path : Client for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios_smb
Upper Component: Client for Microsoft Networks
Lower Component: Message-oriented TCP/IP Protocol (SMB session)

Owner of the binding path : Client for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: Client for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : Client for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: Client for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)

Component Name : WebClient
Bind Name: WebClient
Binding Paths:

Component Name : Virtual Machine Network Services
Bind Name: VPCNetS2
Binding Paths:
Owner of the binding path : Virtual Machine Network Services
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndis5
Upper Component: Virtual Machine Network Services
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : Virtual Machine Network Services
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndiswanasync
Upper Component: Virtual Machine Network Services
Lower Component: RAS Async Adapter

Owner of the binding path : Virtual Machine Network Services
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndiscowan
Upper Component: Virtual Machine Network Services
Lower Component: WAN Miniport (L2TP)

Owner of the binding path : Virtual Machine Network Services
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndiswan
Upper Component: Virtual Machine Network Services
Lower Component: WAN Miniport (PPTP)

Owner of the binding path : Virtual Machine Network Services
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndiswan
Upper Component: Virtual Machine Network Services
Lower Component: WAN Miniport (PPPOE)

Owner of the binding path : Virtual Machine Network Services
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndiscowan
Upper Component: Virtual Machine Network Services
Lower Component: Direct Parallel


Component Name : DHCP Server
Bind Name: DHCPServer
Binding Paths:

Component Name : Wireless Configuration
Bind Name: wzcsvc
Binding Paths:

Component Name : Network Load Balancing
Bind Name: Wlbs
Binding Paths:
Owner of the binding path : Network Load Balancing
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndis5
Upper Component: Network Load Balancing
Lower Component: VIA Rhine II Fast Ethernet Adapter


Component Name : Steelhead
Bind Name: RemoteAccess
Binding Paths:

Component Name : Dial-Up Server
Bind Name: msrassrv
Binding Paths:

Component Name : Remote Access Connection Manager
Bind Name: RasMan
Binding Paths:

Component Name : Dial-Up Client
Bind Name: msrascli
Binding Paths:

Component Name : File and Printer Sharing for Microsoft Networks
Bind Name: LanmanServer
Binding Paths:
Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios_smb
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: Message-oriented TCP/IP Protocol (SMB session)

Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)

Component Name : NetBIOS Interface
Bind Name: NetBIOS
Binding Paths:
Owner of the binding path : NetBIOS Interface
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: NetBIOS Interface
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : NetBIOS Interface
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: NetBIOS Interface
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)

Component Name : Generic Packet Classifier
Bind Name: Gpc
Binding Paths:

Component Name : Application Layer Gateway
Bind Name: ALG
Binding Paths:

Component Name : WAN Miniport (Network Monitor)
Bind Name: NdisWanBh
Binding Paths:

Component Name : WAN Miniport (IP)
Bind Name: NdisWanIp
Binding Paths:

Component Name : Direct Parallel
Bind Name: {008B21D9-D54E-4E48-89D4-6AFE56D46BD9}
Binding Paths:

Component Name : WAN Miniport (PPPOE)
Bind Name: {64B56A43-AB5C-4651-BA33-C2FD789C4FB9}
Binding Paths:

Component Name : WAN Miniport (PPTP)
Bind Name: {DC610D9D-0B7F-44A6-896A-385E053E25FD}
Binding Paths:

Component Name : WAN Miniport (L2TP)
Bind Name: {3169BFB1-4CA5-4B6E-B6C1-3F97DA23E954}
Binding Paths:

Component Name : RAS Async Adapter
Bind Name: {8F35788C-3CFD-41A6-B23B-720020295CF7}
Binding Paths:

Component Name : VIA Rhine II Fast Ethernet Adapter
Bind Name: {C5C19000-0322-4FC1-9566-A647EF0EB900}
Binding Paths:

WAN configuration test . . . . . . : Skipped
No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

C:\Documents and Settings\guyt>

Tutorial Learning Points

1)  The comprehensive NetDiag will check WAN connections if they exist on your server.

2)  I can recommend the /test switch.  Try netdiag /test.

Download DCDiag


Windows Server 2003 - LDP Support Tool Utility Tutorial

Windows Server 2003 - LDP Support Tool Utility

LDP is the forgotten Microsoft tool in the Windows Server 2003 toolkit.  Here on this page is a step-by-step tutorial for getting started with LDP.  Really it should be called LDAP as that's what it configures.  Perhaps LDP is overlooked because it's so hard to get going; I will reveal the secrets of how to search for Active Directory information with this Microsoft utility.

Topics for LDP

Getting Started with Microsoft's LDP

Installing LDP is easy.  From the CD, open \support\tools and double click suptools.msi.  Alternatively, here is a free download of Microsoft's LDP.  There are a number of ways of executing ldp.exe; to begin with, let us call for the Run dialog box and type ldp.

The more choices a program gives, the more difficult it is for a beginner to get started.  In the case of LDP, you have to perform three operations in sequence before you can start.

Assumption: We wish to view our domain and check on users whose first name begins with 'a'.

1) Click on the Connection menu, then Connect, and select your server name.  Being an LDAP program, leave the port on 389.  You don't want a connectionless session, so leave the default with no tick in the Connectionless box.  No need for SSL either.

2) Next we need to Bind, which is rather like logging on.  Even though you would think that LDP would use the credentials of the logged on user, it does not always work that way.  So just Bind with an Administrator's name and password.  One caveat: if you choose a simple bind rather than Windows authentication, that password crosses the wire in clear text on port 389 unless SSL is enabled.

3) Click View and select Tree; what you see is a box waiting for baseDN (Distinguished Name).

Now we come to the crucial step.  The text books say type, DC=yourdomain,DC=com.  The problem comes if you are unsure of your domain name.  Does it have an extension of .com?  Guy says just try pressing OK without entering anything in the box.

If it truly is your intention to connect to your domain, then do not use the drop-down menu to select DC=ForestDnsZones,DC=domain,DC=com; that just does not work for me.

4) What I hope you will see in the left hand LDP panel is a structure that reminds you of Active Directory Users and Computers.

5) Now you have done the hard work, and it's time for the first LDAP query.  Click on the Browse menu, and select Search.  Leave the Base Dn dialog entry as it is, and in the Filter box type (givenName=a*).  If you remember, our brief was to find all users whose first name begins with A.  If that produces no results, try (cn=a*).  CN means common name, and surely there will be an Administrator account in the domain.

6) The fruits of all your LDP efforts should now appear in the right hand panel.  It takes a little getting used to the fact that the latest entries are at the bottom rather than the top, so be prepared to scroll.

Here is an example of an LDP printout.

 ***Searching...
ldap_search_s(ld, "DC=cp,DC=com", 2, "(cn=a*)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 24 entries:
>> Dn: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com
2> objectClass: top; container;
1> cn: a86fe12a-0f62-4e2a-b271-d27f601f8182;
1> distinguishedName: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com;
1> name: a86fe12a-0f62-4e2a-b271-d27f601f8182;
1> canonicalName: cp.com/System/DomainUpdates/Operations/a86fe12a-0f62-4e2a-b271-d27f601f8182;
>> Dn: CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com
2> objectClass: top; container;
1> cn: ab402345-d3c3-455d-9ff7-40268a1099b6;
1> distinguishedName: CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com;
1> name: ab402345-d3c3-455d-9ff7-40268a1099b6;
1> canonicalName: cp.com/System/DomainUpdates/Operations/ab402345-d3c3-455d-9ff7-40268a1099b6;
>> Dn: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={4627307D-103B-4A81-99D0-B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=com
2> objectClass: top; packageRegistration;
1> cn: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
1> distinguishedName: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={4627307D-103B-4A81-99D0-B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=com;
1> name: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
1> canonicalName: cp.com/System/Policies/{4627307D-103B-4A81-99D0-B5B06B8AD999}/Machine/Class Store/Packages/ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
>> Dn: CN=abab2104-5729-4bed-ac94-a65c89516e84,CN=AppCategories,CN=Default Domain Policy,CN=System,DC=cp,DC=com
3> objectClass: top; leaf; categoryRegistration;
1> cn: abab2104-5729-4bed-ac94-a65c89516e84;
1> distinguishedName: CN=abab2104-5729-4bed-ac94-a65c89516e84,CN=AppCategories,CN=Default Domain Policy,CN=System,DC=cp,DC=com;
1> name: abab2104-5729-4bed-ac94-a65c89516e84;
1> canonicalName: cp.com/System/Default Domain Policy/AppCategories/abab2104-5729-4bed-ac94-a65c89516e84;
>> Dn: CN=Account Operators,CN=Builtin,DC=cp,DC=com
2> objectClass: top; group;
1> cn: Account Operators;
1> description: Members can administer domain user and group accounts;
1> distinguishedName: CN=Account Operators,CN=Builtin,DC=cp,DC=com;
1> name: Account Operators;
1> canonicalName: cp.com/Builtin/Account Operators;
>> Dn: CN=Administrator,CN=Users,DC=cp,DC=com
4> objectClass: top; person; organizationalPerson; user;
1> cn: Administrator;
1> description: Built-in account for administering the computer/domain;
1> distinguishedName: CN=Administrator,CN=Users,DC=cp,DC=com;
1> name: Administrator;
1> canonicalName: cp.com/Users/Administrator;
>> Dn: CN=Administrators,CN=Builtin,DC=cp,DC=com
2> objectClass: top; group;
1> cn: Administrators;
1> description: Administrators have complete and unrestricted access to the computer/domain;
1> distinguishedName: CN=Administrators,CN=Builtin,DC=cp,DC=com;
1> name: Administrators;
1> canonicalName: cp.com/Builtin/Administrators;
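The printout above is plain text, so it can be parsed and filtered offline rather than scrolled through by eye.  The Python below is an added example, not part of the original tutorial and not LDP's own code: it turns the ">> Dn:" headers and "N> attribute: value;" lines into records, then keeps only the entries whose objectClass is user, since the brief was users and (cn=a*) also matched containers and groups.  The sample input is constructed in the same layout, and parse_ldp and user_dns are names chosen here.

```python
"""Parse an LDP search printout into Python records (added example)."""
import re

# Constructed sample in the LDP printout layout (not a live query result).
# The last attribute line deliberately contains a ';' inside a single value.
LDP_SAMPLE = """\
***Searching...
ldap_search_s(ld, "DC=cp,DC=com", 2, "(cn=a*)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 3 entries:
>> Dn: CN=Account Operators,CN=Builtin,DC=cp,DC=com
2> objectClass: top; group;
1> cn: Account Operators;
>> Dn: CN=Administrator,CN=Users,DC=cp,DC=com
4> objectClass: top; person; organizationalPerson; user;
1> cn: Administrator;
1> description: Built-in account for administering the computer/domain;
>> Dn: CN=alice,CN=Users,DC=cp,DC=com
4> objectClass: top; person; organizationalPerson; user;
1> cn: alice;
1> info: Shared account; review quarterly;
"""

RESULT_RE = re.compile(r"^Result <(\d+)>:")       # LDAP result code line
ENTRY_RE = re.compile(r"^>> Dn: (.+)$")           # start of one directory entry
ATTR_RE = re.compile(r"^(\d+)> ([^:]+): (.*)$")   # "<count>> <name>: v1; v2;"


def _split_values(count, rest):
    """Split 'v1; v2;' into values; a ';' inside a single value is kept whole."""
    values = [v.strip() for v in rest.split(";") if v.strip()]
    if len(values) == count:
        return values
    if count == 1:
        # LDP reported one value, so the ';' is part of it, not a separator.
        return [rest.strip().rstrip(";").strip()]
    raise ValueError(f"expected {count} values, could not split: {rest!r}")


def parse_ldp(text):
    """Return (result_code, entries); each entry is {'dn': str, 'attrs': {name: [values]}}."""
    result_code = None
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line)
        if m:
            result_code = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {"dn": m.group(1), "attrs": {}}
            entries.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            count, name, rest = int(m.group(1)), m.group(2).strip(), m.group(3)
            current["attrs"][name] = _split_values(count, rest)
    return result_code, entries


def user_dns(entries):
    """DNs of entries whose objectClass includes 'user'.

    The brief was users, but (cn=a*) also matches containers and groups,
    as the printout above shows; this is the filtering step done offline."""
    return [e["dn"] for e in entries if "user" in e["attrs"].get("objectClass", [])]


if __name__ == "__main__":
    code, found = parse_ldp(LDP_SAMPLE)
    print(f"result {code}, {len(found)} entries, users: {user_dns(found)}")
```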

Download LDP

Summary of LDP

Microsoft's LDP is a tricky program to get started with.  This page gives you step-by-step instructions for creating LDAP queries against a Windows Server 2003 Active Directory.


Windows Server 2003 - DCDiag Tutorial

Windows Server 2003 - DCDiag Tutorial

DCDiag is one of those command line utilities that you turn to when you have a Windows Server 2003 problem.  The DC in DCDiag means Domain Controller, so as a source of Active Directory clues, DCDiag comes second only to the Event Logs.

Even if there is no problem with your Active Directory, it is still worth running DCDiag to learn about a healthy operating system; for example, DCDiag shows the existence of the KCC (Knowledge Consistency Checker).

Tutorial Topics for DCDiag

Scenarios for DCDiag

  1. Preparing to install or migrate to Exchange 2003.
  2. Check FSMO roles.
  3. Troubleshooting Group Policy.
  4. Active Directory not replicating between Domain Controllers.
  5. Running down Kerberos authentication problems.
  6. Resetting the Directory Service Administrator's password.
  7. Fixing a server's Service Principal Name (SPN) error.

Installing DCDiag

With DCDiag it's not so much installing as getting a copy from the Windows Server 2003 Support Tools.  I could not help noticing that after I installed Windows Server 2003 SP1, there was a new DCDiag with twice the file size.  It reported itself to be version 5.2.3790.1830.  Intrigued, I checked the old version and found it was 5.2.3790.0 (no 1830).  Further research revealed that indeed, the new version has more tests; as DNS is always a worry whenever there is an Active Directory problem, I was pleased to see extra DNS health checks in the latest version of DCDiag.  (See bottom of this page for a free copy of DCDiag.)

DCDiag switches

/v  I have to admit that at first I had no idea that DCDiag had switches.  Whilst I should have known that Microsoft would provide switches, I had no idea that there were so many.  I will let you into another secret: I have never before known the /v (verbose) switch to be of any use.  My point is that many utilities have this switch and normally I avoid it, but in the case of DCDiag the /v is a little gem.

/q  From the sublime /v you could go to the ridiculous /q, which only reports errors.

/s  As always, /s specifies the server, or in this case, the Domain Controller.

/fix Fixes Service Principal Names (SPN)  problems.

/f:logfile.txt Slightly confusing given that there is also a /fix switch.  Personally, I copy and paste from the command prompt, but if you are more organized, then use /f:filename to output to a file.

/test: Confession time.  I gave up with the /test switch; I just could not get it to filter the DNS tests as advertised.  I consoled myself that you can always get the information by running the full test and just reading the parts that are of interest.  However, I got the /test switch working perfectly with NetDiag, so is it me or have Microsoft made a documentation error?

DCDiag Example using my favourite /v


Tutorial Learning Points

1) DCDiag has several useful switches, which represent horses for courses; for example, if you only want a report on errors then substitute /q for /v.

2) Use the output as an opportunity to investigate services, for example 'The File Replication Service SYSVOL'.  Any problem with frssysvol could alert you to Group Policy problems.

Free Download of DCDiag


Windows Server 2003 - Replmon Support Tool Utility Tutorial

Windows Server 2003 - Replmon Support Tool Utility

Replmon is one of Microsoft's most exciting tools in the Windows Server 2003 toolkit.  I have a tutorial to get you started with Replmon.  What I like about Replmon is the way that it combines business with pleasure and practical with theory.  Before I explored Replmon I could not picture how Directory Replication works; with Replmon I can see precisely what data is replicated in which partition.  The theory of Domain, Forest and Schema partitions comes to life when you can actually see the topology and the links.

Topics for Replmon

Introduction to Directory Replication

Replmon displays information about Active Directory Replication.  In Windows Server 2003, Microsoft have improved on Windows 2000 in two ways: reduced latency, and replicating only the attributes that change rather than the whole object.  Both Windows 2000 and 2003 use the multi-master model, change notification and pull replication.

Reasons for Using Replmon

I declare a bias.  I just love using Replmon for its own sake.  What I enjoy is the thrill of making replication happen, and the sense of importance when examining those USN numbers.  In case you are wondering, there are also sound business and troubleshooting benefits to getting comfortable with Replmon.

  1. Replmon will give you clues why replication is not happening.  Sift through Active Directory replication messages and find the last successful synchronization.

  2. See what happens when you try and force replication.  Does Replmon magically synchronize, or do you get a new meaningful error message?

  3. If you do get replication errors, say with DCDiag, then force the KCC (Knowledge Consistency Checker) to recreate the topology.

  4. Should you have the luxury of a large forest, Replmon will give you an understanding of how the domain controllers are joined by three separate rings.  Would it help if you manually created extra shortcut links?

  5. Are there any complications with Trust?  Examine the trust relationships, within or between forests.

  6. Discover more about the metadata, in particular the attributes of objects.  Again I confess a bias: as I need LDAP attributes for my VBScripts, Replmon displays the objects and their correct LDAP syntax.

  7. Group Policies can be troublesome because there are two separate replication paths, Active Directory and FRS.  Replmon also matches those files with strange hex names which you find under sysvol with the corresponding names of the policies as seen in the GPMC (or Active Directory Users and Computers).

Getting Started with Replmon

Installing Replmon is straightforward.  Load the Windows 2003 CD into the caddy, navigate to \support\tools and double click suptools.msi.  However, a word of warning: because there are so many .dlls and associated Replmon files, it is best to keep the files in their original locations.  Of all of the support tools, Replmon is the fussiest about being run from its default location.  A bonus of keeping all the support files in their default folder is that you can type the name of the executable in the Run dialog box and it will execute, because the operating system has learnt the 'Path'.  So, in this instance type: replmon in the Run box.

First look at the Replication Monitor

Once Replication Monitor executes click the Edit Menu and Add Monitored Server.  Now follow your nose, and connect to the desired Domain Controller.  You cannot help noticing that the interface is reminiscent of the Active Directory Sites and Services snap-in.  For example, you may have already used Active Directory Sites and Services to manually replicate Active Directory or to check on which servers hold Global Catalogs.  Note in passing, that while we get started we just focus on one site, however in a big organization there are likely to be several sites each with their own ring of linked servers.

Here in Replication Monitor, explore the 4 or 5 Configuration containers, keep looking for more detail by right clicking on any object that you see.  Below is an example of right clicking the Domain Controller object.

Appreciating the Scope of Replmon

Unlike other Windows Server 2003 tools where you can practice on just one Domain Controller, with Replmon you need two Domain Controllers to see any action.  In fact the more Domain Controllers, the more you appreciate the clever ways in which replication functions.  Best of all, if you have a multi domain forest, then you can trace the differences between domain and forest topologies.  Theory says that all domain controllers in the forest share the same schema, with Replmon you can actually see the one Schema ring that includes all domain controllers.  Whereas in the case of domains, there are separate ring topologies for each domain.

My advice is to begin by right clicking the ServerName object, and from the resulting drop down menu select 'Show Replication Topologies'.  As well as viewing how all the domain controllers are linked, this example shows the value of clicking on any object that you meet.  At first it seems as though there is nothing to see, but if you click on the View menu, Connection Objects Only, then all Domain Controllers appear.

Hmm.... still no sign of the replication links.  Let us try another right click, and select 'Show Intra-Site Connections'.  At this point I pay attention to detail, and remember that Intra means within, whereas Inter is like Inter-City and means between.  What you should now see is the topology links between all the Domain Controllers.  Incidentally, the word 'Site' reminds us that to begin with we are just investigating the Default-First-Site; in a production network there may be multiple sites.

If you have 5 or more servers in the ring, you may consider right clicking and adding extra links to speed up replication; this is particularly true for Windows 2000 networks, where latency is much longer than in Windows Server 2003.

Summary of Replmon

Active Directory Replication is a clever but complicated system.  Microsoft's Replmon enables you to see what is happening and, where necessary, force replication or add extra links.  Other benefits of running Replmon include troubleshooting Group Policy replication and examining trust relationships.


Compare Files with Windiff

Windiff - To Compare Files

Don't you just love utilities with expressive names such as Windiff?  The concept behind Microsoft's Windiff is simple: to compare files and display their differences.  Again, like other tools, the power of Windiff comes from imagining scenarios in which it would solve your problems.

Either extract Windiff from the Windows Server 2003 Support folder, or download a free copy at the bottom of this page.

Topics for Windiff

Guy's killer use of Windiff - To find settings in the registry

Judging by my postbag, not many people realize the benefits of comparing files with Windiff.  However, like all the best ideas, once you understand it, it becomes blindingly obvious.

Take the situation where you want to find a particular setting in the registry, for example, a setting on the Winlogon message box that you wish to control.

  1. Before you make any changes, export the registry with Regedit.
  2. Make the change, for example, reverse the tick in the checkbox.
  3. Export the registry after the change.
  4. Compare the two .reg files with Windiff.

Incidentally, if you have other killer uses for Windiff, do let me know and I will publish them.
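The four steps above can also be scripted, which is handy when you want to repeat the check or keep a record of exactly which value a GUI change touched.  The Python below is an added example, not Windiff and not from this page: it parses two Regedit 5.00 exports and lists every value that was added, removed or changed.  The two exports are constructed samples modelled on the Winlogon key mentioned above, and parse_reg and diff_reg are names chosen here.

```python
"""Diff two Regedit exports to find the value a GUI change altered (added example)."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed 'before' export.  Regedit writes real exports as UTF-16LE text,
# so read those with open(path, encoding="utf-16") before passing them in.
# The hex value is constructed to exercise Regedit's backslash line wrapping.
REG_BEFORE = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Notice"
"LegalNoticeText"="Authorised users only"
"DontDisplayLastUserName"=dword:00000000
"SampleBinary"=hex:30,20,30,20,30,00,\
  00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unchanged]
@="default value"
"""

# Constructed 'after' export: the GUI change toggled one dword and edited one string.
REG_AFTER = (REG_BEFORE
             .replace('"DontDisplayLastUserName"=dword:00000000',
                      '"DontDisplayLastUserName"=dword:00000001')
             .replace('"Authorised users only"',
                      '"Authorised users only. Activity is monitored."'))

# "name"=value or @=value (the key's default value); quotes in names may be escaped.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _logical_lines(text):
    """Join lines that Regedit wrapped with a trailing backslash (long hex values)."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}}; the default value is named '@'."""
    keys = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            keys[current][name] = m.group(2).strip()
    return keys


def diff_reg(before, after):
    """List (key, value_name, old, new) for every value that differs between exports.

    old or new is None when the value exists in only one export."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old_vals, new_vals = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            if old_vals.get(name) != new_vals.get(name):
                changes.append((key, name, old_vals.get(name), new_vals.get(name)))
    return changes


if __name__ == "__main__":
    for key, name, old, new in diff_reg(parse_reg(REG_BEFORE), parse_reg(REG_AFTER)):
        print(f"[{key}]\n  {name}: {old} -> {new}")
```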

Getting Started with Windiff

I find that while Windiff is easy to get working, it leaves me with that lingering feeling that I never quite reach the bottom of its possibilities.  For example, I rarely use Windiff for copying files.

Windiff has two main modes:

  1. Compare files
  2. Compare directories

Let us start with Windiff's number one job, comparing files.  When you first launch Windiff, beware of a pair of tricky menus.  Go slowly.  Be ready for Windiff to ask for the name of the two files in quick succession.  I emphasise this sequence because when I was a greenhorn, I thought either I was going mad, or Windiff had a bug.  My salvation was reading the screen, Select First File, then Select Second File - phew it's that easy to get started.

The First Windiff Trick

Once you have loaded the two files, I expect you want Windiff to identify the differences.  The trick is to click on 1 .\file and then click on Expand.

As ever Microsoft provide two ways of doing everything, and you could click on the Expand Menu and then select, 'Both files'.

Down to Business - File Comparison

At the business end, Windiff homes in on every tiny difference between the two files, moreover for easy reading it highlights each difference with a different color.  The color coding extends into the margin so you can see which file corresponds to the red highlight and which to the yellow highlight.

If a line is the same in both files it only has one entry, which you see in normal black text.  Where there are differences, not only do you have the exceptions highlighted, but it gives you the line number.

The screen shot is taken from a regedit export.  As I mentioned earlier, one of my classic uses of Windiff is finding where in the registry Microsoft store particular settings.

Zebra Stripes

After doing its best to match the files line-by-line, Windiff looks at the remaining parts.  Where there are sections which are different, but which correspond, in the sense that the part before and the part after match between the files, Windiff has a choice between displaying the lines as blocks or as interleaved.

Windiff uses a heuristic intelligence to decide whether the lines from the two files are similar.  If it judges that they are similar it displays them interleaved, otherwise it displays them as blocks.

Compare Folders with Windiff

A secondary job for Windiff is to compare whole folders or directories.  Just click on the File menu and select 'Select Directories'.  This time you see both directories one under the other so there is no chance of confusion.

TIPS) Press F8 to see the next change / difference.

Windiff Options

Although there is nothing really exciting in the Options menu, it is worth checking.  For example, if you remove the tick next to 'Show Identical Lines', it will help you track single changes in large files.  In addition to the options, check out the Expand menu and decide if you need to add or remove any of those options.

Windiff's Mark Menu

It is easy to overlook the Mark menu. The job of this menu is to hide or exclude files in your search.

Windiff Command Line Options

My old friend 'Barking' Eddie insisted that I added this command line section.  As I may have mentioned previously, Eddie is an ex-UNIX man and a founder of 'Dos Diehards'.

Windiff Command Line Options:

-D Compare one directory only.
-F[flags] savefile Save composite file to 'savefile'. The 'flags' may consist of one or more of I (identical), L (left), R (right), F (moved leFt), G (moved riGht), S (Similar left), A (similiAr right), X (exit after saving list).
(e.g. -FLF saves list of Left or moved-leFt lines).
-I file Reads list of files to compare, from the specified input file. Each line can contain one or two filenames, space delimited (with quoting, if filenames contain spaces). Use "-" as the filename to read from stdin. If a line contains only one filename, the file is compared to itself.
-N name NET SEND notification to 'name' at end of comparison.
-O Outline view (no automatic expansion).
-P Perverse comparison: breaks lines on punctuation.
-S[flags] savefile Save list of files to 'savefile'. The 'flags' may consist of one or more of S (same), L (left), R (right), D (different), X (exit after saving list).
(e.g. -SLD saves list of Left or Different files).
-T Compare whole subtree.
 

Download Windiff


Windows Server 2003 Task Manager - The poor man's performance monitor

Introduction to Windows Server 2003 Task Manager

Do not neglect Windows Server 2003's Task Manager.  There will be occasions when you just need a quick piece of system information, calling for your task manager can be just as effective as the performance logs but much faster.

TIPS)  Execute the Task Manager with CTRL+SHIFT+ESC; if you have long fingers, try launching it with just your left hand.  (As ever Microsoft provide 3 ways of doing everything, so you can right click the grey bar at the bottom of your screen and select Task Manager.)

Each of the five tabs has its own personality; I recommend that you get to know the capabilities of each one: an Applications tab for zapping programs, a Processes tab for checking for viruses, a Performance tab to calculate pagefile, and now a network utilization tab to see how much activity there is on the LAN or WAN.

Topics for Task Manager in Windows Server 2003

Applications Tab

No doubt you have already used task manager's Application Tab to end process for programs that hang or do not respond.  Assuming that your group policy allows users access to this tab, why not send out an email reminding users of how to use this Applications tab when their machine hangs and programs are 'Not Responding'.

Another use of the Applications Tab is to discover the underlying Image Name of a program, simply right click and then select: Go to Process.

Tip: One of the joys of using any new program is setting the preferences.  With Task Manager I like to remove the tick which says 'Always on top' (Options menu).

Processes Tab

Here is a tab for the support professional, in fact the more 'Image Names' that you can identify the better techie you are.

The more of these Image Names that you can match to programs or processes, the easier it is to detect impostors such as viruses.  Moreover, by identifying the 'good guys' you will learn how applications such as Exchange and SQL interact with the operating system.

At first svchost seems suspicious.  Could you have been infected 7 times by a strange virus?  No, svchost is the generic name for an image shared by the operating system's services, for example Alerter, Net Logon, Print Spooler.  The interesting fact about all these svchosts is that some services would fight if put together in the same Image Name process, so the operating system separates incompatible services and puts them in separate svchosts.

Returning to the theme of identifying rogue programs: what would you think if you saw Avgserv and Agvcc32 amongst the image names?  When I saw these processes, I must admit my heart missed a beat.  At first I thought my machine had been infected by a virus, but no, it was actually my virus checker which had installed itself as a process.  Naturally I left that running!

How about msblast.exe?  Was this a game that my nephew had installed?  Well, I tried a search in Google and up came the W32/Blaster.A virus.  Here was a case where I needed to check the registry, as the Blaster virus cunningly re-infects those who are not diligent.  Other viruses have more innocuous names like Tlntsvr.exe and Wina.exe, which is why I urge you to learn the Image Names on the Processes tab.
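One way to make the 'know your Image Names' advice systematic.  This is an added example, not a Microsoft tool and not code from this page: a small Python script that parses output laid out like tasklist /svc (the sample below is constructed to match the processes discussed above) and compares it with an allow-list you build from a clean machine.  Anything not on the list is reported for a lookup, and the several svchost.exe entries are summarised with the services each one hosts rather than reported seven times.

```python
"""Triage a Task Manager / tasklist-style process list against an allow-list of
image names. Added example with constructed input; it is not a Microsoft tool."""
import re
from collections import Counter

# Constructed sample laid out like `tasklist /svc` output (Image Name, PID, Services).
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    812 RpcSs
svchost.exe                    884 Dnscache
svchost.exe                    936 Alerter, Browser, lanmanserver, Schedule
svchost.exe                   1004 LmHosts, RemoteRegistry, SSDPSRV
spoolsv.exe                   1100 Spooler
avgserv.exe                   1180 AVG7Alrt
msblast.exe                   1412 N/A
explorer.exe                  1500 N/A
"""

# Image names already identified as legitimate on this machine. Build your own
# allow-list from a clean baseline; this one is constructed for the sample above.
KNOWN_GOOD = {
    "system idle process", "system", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "avgserv.exe", "avgcc32.exe",   # the antivirus processes the text mentions
}

# image name, then PID, then the comma-separated service list (or N/A)
LINE_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")

def parse_tasklist(text):
    """Return [(image, pid, [services]), ...] from tasklist /svc style output."""
    rows = []
    for line in text.splitlines()[2:]:       # skip the header and the ==== rule
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        svc_field = m["services"].strip()
        services = [] if svc_field == "N/A" else [s.strip() for s in svc_field.split(",")]
        rows.append((m["image"].strip(), int(m["pid"]), services))
    return rows

def triage(rows, known_good=KNOWN_GOOD):
    """Return (unknown, counts, svchost_groups):
    unknown        - (image, pid) pairs not on the allow-list, worth looking up
    counts         - how many times each image appears (several svchost.exe is normal)
    svchost_groups - the service list hosted by each svchost.exe instance, so you can
                     see why the operating system split them into separate processes
    """
    unknown = [(img, pid) for img, pid, _ in rows if img.lower() not in known_good]
    counts = Counter(img.lower() for img, _, _ in rows)
    svchost_groups = [svcs for img, _, svcs in rows if img.lower() == "svchost.exe"]
    return unknown, counts, svchost_groups

if __name__ == "__main__":
    unknown, counts, groups = triage(parse_tasklist(SAMPLE_TASKLIST))
    for image, pid in unknown:
        print(f"look up: {image} (PID {pid})")
    print(f"svchost.exe instances: {counts['svchost.exe']}, hosting {groups}")
```

On the constructed sample the only report is msblast.exe; the four svchost.exe entries are expected and are listed once with their service groups.  Replace SAMPLE_TASKLIST with the real output of tasklist /svc redirected to a file, and grow KNOWN_GOOD only after you have identified an image yourself.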

View Menu, Select Columns

When using the Processes tab to troubleshoot, be aware that you can add extra columns, for example Virtual Memory Size, I/O Reads and I/O Writes.  Again, my idea is to use Task Manager to display information quickly without resorting to setting up System Monitor and log counters.

Adjust Priority, Set Affinity

If you right-click any process you can adjust its Priority; typically you have a spreadsheet calculating in the background while you want to give a foreground application like Outlook more CPU time slices.  Note: never set programs to Realtime; it will cripple your machine and require a reboot - you have been warned.

Affinity means that one program can be associated exclusively with one processor; naturally you need a multi-processor machine for this setting even to appear.  In truth, Affinity is a case of 'Mother knows best'.  Guy says leave it alone and let the operating system decide, unless someone has got in before you and set affinity incorrectly.

Performance Tab

My main use of this tab is to check memory, in particular the pagefile.  Now, I have read many articles about how big to set the pagefile.  Some experts say RAM x 1.5, whilst others say RAM x 2.  Guy says suck it and see.  By that I mean compare two figures: Commit Charge (K) Limit with Peak.  You may have already guessed that the Commit Charge (K) Limit is the sum of RAM + pagefile.

In Diagram 2 the Limit is 1280032 (I wish it put in commas!) whilst the Peak is 617564.  My interpretation is that this machine has a big enough pagefile.  However, if the Peak were 1MB (1000000), then I would declare that the pagefile was not big enough and take action in the System icon.  If the Peak were below 400000 and I were desperate for the disk space, then I would even reduce the pagefile.

Leaky Memory

Keep your eye on Kernel Memory, Nonpaged.  These days servers need rebooting less frequently, so if you have a 'leaky app' then Nonpaged memory will creep up over time.  Confirm any suspicions with View, Select Columns, Non-Paged Pool.

Networking Tab

This is a great utility for viewing network utilization.  It is a new Task Manager tab in XP and Server 2003.  In fact, it is difficult if not impossible to create performance logs that measure % Network Utilization.

Users Tab

Call me a 'Luddite', but I have never had much use for this tab on my Windows Server 2003.  When I want to check on users connected to the server, I prefer the Shared Folders snap-in.

Another reason that I do not use the Users tab is that with XP you only see it if the machine is part of a workgroup and you are using 'Fast User Switching'.

Task Manager Trap

When I was a 'greenhorn' (many, many years ago) I fell into the trap of carelessly double-clicking inside Task Manager; as a result the top menu with File, Options, Help disappeared.  I could not understand what had happened until I double-clicked near the top, and lo and behold the menu reappeared.  It was a beginner's mistake; I mention it because there are about 3 or 4 other Microsoft programs that display the same menu behaviour.


Windows Server 2003 - Remote Shutdown Commands

Remote Shutdown Command in Windows Server 2003

Shutdown is an exciting new command-line program available in Windows Server 2003 and XP.  I say exciting both in the sense that everyone loves this command, and also in the sense that it has a dramatic effect - it downs the remote server.  So take care when experimenting with this command.

Twenty dollars gets you fifty that sooner or later you shoot yourself in the foot and accidentally shut down your own machine instead of the remote machine.  So pay close attention to the shutdown syntax.  This mistake is so common and so irritating that I have put the abort command first.

TIPS) Shutdown /a - remember this is your get-out-of-jail card; it aborts a pending shutdown.

Example: shutdown /a /m \\computername


Shutdown - The basics

Shutdown is a built-in executable in XP and Windows Server 2003.  Your first decision is: do you want a simple shutdown?  If so, just type shutdown /s at the command prompt.  Alternatively, should you want the machine to restart, type shutdown /r.

After you issue the /s or /r, a dialog box appears with a 30-second countdown; remember to issue shutdown /a if you are just testing or have made a mistake.  Watch for the dialog box disappearing as you issue the shutdown /a instruction.

Remote Shutdown - Select your victim!

Now for the 'remote' shutdown switch: /m \\victim.  The full command would be:
shutdown /r /m \\victim.  The slashes look slightly strange, but that's how it works; in this example, 'victim' is the remote machine name.

Examples of the Shutdown switch in action

shutdown /s /m \\victim    - Shuts down a remote machine called 'victim'

shutdown /r /m \\exchange - Reboots a remote machine called 'Exchange'

Note 1: For once, the sequence of Microsoft's switches is important: shutdown /m /s \\machine does not work.

Note 2: None of this is case sensitive, so sHUTDOWN /R /m \\ViCTim would work.

Note 3: You can use the minus sign in the switches instead of the slash, for example shutdown -s -m \\victim.

Shutdown - Add the extras

/t for time.  Is 30 seconds too short (or too long) a time?  You can adjust it with /t 60 to display the dialog box for one minute.  The maximum is 600 seconds.

/f for force.  'Mr Nasty' is coming - ready or not!  shutdown /r /f, as you may have guessed, restarts the machine and closes any programs without warning.

/c for comment.  Would you like to put your stamp on the shutdown?  Let people know who is in charge, who is shutting them down?  /c "Guy is shutting you down"

/d p:4:1 for reason.  Personally, I would avoid this switch: the syntax is tricky, the numbers obscure, and worst of all it does nothing exciting.  That said, the idea is sound; it enters a reason for the shutdown in the event log.  If you activate shutdown's help, you will get a whole list of major and minor reasons that you could employ with this switch.  For me, this switch is an option, an option that I do not take.

Note 1: Shutdown's switches work equally well with a dash, for example -d, -r or -a (instead of /d, /r or /a).


How to Turn off the Shutdown Event Tracker

If what you seek is to disable the Shutdown Event Tracker, then here is how to set the Group Policy so that you are not forced to type a comment every time you restart the server.

See Also  (There is also tsshutdn for Terminal Servers)


Windows Server 2003 - NTDSutil Tutorial


NTDSutil is a wonderful Windows utility for configuring the heart of Active Directory.  In fact, typing the powerful NTDSutil verbs reminds me of a Unix command line.

With NTDSutil you get instant access to the Active Directory database.  Unlike GUIs, which drive me mad with their 27 OK buttons, NTDSutil just does what I say - instantly.   However, because these NTDSutil commands act without the usual Windows operating system checks, I exhort you to practice the commands in my examples before you need them in a disaster recovery.  If you follow my tutorials, you may discover settings that you did not know existed, for example, choose a new password for DSRM (Directory Service Restore Mode).


Preparation for NTDSutil

Begin by logging on at a Windows server (2003 is best).  I suggest that you create a new folder to hold any logs that NTDSutil creates, for example D:\ntdsutil.  Open a CMD prompt, change directory to D:\ntdsutil and at the prompt type: ntdsutil.  Unsurprisingly, the actual executable is called ntdsutil.exe and is found in the %systemroot%\system32 folder.  With this knowledge, you could copy that ntdsutil.exe file onto another operating system if necessary.

Key NTDSutil command

When you are experimenting with NTDSutil, if you get stuck remember these four little words; they will make the difference between success and frustration:
connect to server BigServer (substitute your server for BigServer)
Don't shorten the command to: connect BigServer (remember the words 'to' and 'server').

TIPS)  If ever you are stuck in NTDSutil, simply type help.

Variety of NTDSutil tasks

Authoritative Restore - Major project, needs careful planning

Configurable Settings - Not very interesting

Domain Management - Specialist area. Create Naming Contexts and add replicas to the Application Directory Partition of DNS.

Files - Available only if you boot the server into Directory Services Restore Mode.  Checks the integrity of NTDS.DIT and moves the associated database files.

Roles = FSMO Maintenance.  Which Domain Controller holds which Operations Master role?  Seize roles such as PDC Emulator.  Good news: for once you do get a message detailing the transfer you are about to make.  My advice is to use Roles in conjunction with netdom or the Active Directory snap-ins.  My point is that I could not find a way of displaying who holds which FSMO role with NTDSutil.

Reset DSRM password.  If you don't know the server's Directory Services Restore Mode password, then here is your chance to reset it to a password that you will remember.

Security Account Management. Check for duplicate SIDs

Example 1: Security Account Management (Maintenance)

Let us start gently and check for duplicate SIDs.  This experiment is more for gaining experience of the NTDSutil interface than for the probability of finding any duplicate SIDs.  This is what I typed at the command prompt (my commands are the text following each prompt):

E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server BigServer
Security Account Maintenance: check duplicate sid
...
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:

Tutorial Learning Points

1) In the above session I typed the full command security account management.  However, you can shorten commands thus: 'sec acc man'.
Incidentally, I am inventing these shorthand commands, in the sense that NTDSutil also understands
sec ac ma or even 'secu a m'.  NTDSutil's brain works by analysing your letters and, if there is only one possible interpretation, it fills in the gaps and returns the service that you asked for.  For example, plain 'se' will not work because there is another command which begins with se: Semantic...

2) When the command prompt shows Security Account Maintenance:
here is where you must type 'connect to server BigServer'.  Be aware that even though I am sitting at BigServer's console, I must still remember this command: connect to server xyz.

3) When I type the instruction 'check duplicate sid', don't ask me why, but you cannot shorten the command to 'chk dup sd'.  Please just accept that you need the full words here.

4) As ever, read the screen and take note of dupsid.log.  However, you have to quit NTDSutil, or use Explorer, before you can read dupsid.log.  My point is that you cannot issue a command such as 'notepad dupsid.log' from within NTDSutil.
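The abbreviation rule in learning point 1, modelled in Python.  This is an added example and my own model of the rule, not Microsoft's parser: every word you type must be a prefix of the corresponding word of exactly one menu entry, otherwise the command is rejected.  The menu list is NTDSutil's top-level menu on Windows Server 2003 as I know it, and the resolver covers only that menu; as learning point 3 says, some deeper commands such as check duplicate sid do not abbreviate at all.

```python
"""Resolve abbreviated NTDSutil-style commands the way the text describes: every
word you type must be a prefix of exactly one menu entry, word by word.
Added example; the menu is the NTDSutil 2003 top-level menu as I know it, and
the resolver is my model of the rule, not Microsoft's parser."""

NTDSUTIL_MENU = [
    "authoritative restore",
    "configurable settings",
    "domain management",
    "files",
    "help",
    "ldap policies",
    "metadata cleanup",
    "popups off",
    "popups on",
    "quit",
    "roles",
    "security account management",
    "semantic database analysis",
    "set dsrm password",
]

def matches(typed, menu=NTDSUTIL_MENU):
    """All menu entries that `typed` abbreviates word by word (in menu order)."""
    words = typed.lower().split()
    found = []
    for entry in menu:
        parts = entry.split()
        if all(len(parts) > i and parts[i].startswith(w) for i, w in enumerate(words)):
            found.append(entry)
    return found

def resolve(typed, menu=NTDSUTIL_MENU):
    """Return the single menu entry that `typed` abbreviates, or None when it
    matches nothing or more than one entry (NTDSutil rejects both cases)."""
    if not typed.split():
        return None
    found = matches(typed, menu)
    return found[0] if len(found) == 1 else None

def explain(typed, menu=NTDSUTIL_MENU):
    """Human-readable verdict, listing the clashing entries when ambiguous."""
    found = matches(typed, menu)
    if len(found) == 1:
        return f"'{typed}' -> {found[0]}"
    if not found:
        return f"'{typed}' matches nothing"
    return f"'{typed}' is ambiguous: " + ", ".join(found)

if __name__ == "__main__":
    for attempt in ("sec acc man", "secu a m", "se", "set d p", "auth rest", "pop"):
        print(explain(attempt))
```

Running it shows why 'se' fails (security, semantic and set all qualify) while 'secu a m' and even 'set d p' are unambiguous.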

Example 2: Reset password for DSRM (Directory Services Restore Mode)

Here is where I challenge you to perform a real task.  Once upon a time, when your Windows Server 2003 was first installed, Setup asked for the Directory Services Restore Mode password.  90% of administrators ignored the box or forgot the password.  Here is your chance to reset the password that will be required if ever you need to restart the server in Directory Services Restore Mode.  In many ways this is an insignificant job; in other ways it saves the frustration of being thwarted by not having the administrative password.

E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server BigServer
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
Reset DSRM Administrator Password: quit
ntdsutil: quit
E:\ntdsutil>

Tutorial Learning Points

1) The key command to type: 'reset password on server BigServer'.
If NTDSutil replies with 'Please type password for DS Restore Mode Administrator Account', then you know you are in the correct place.

2) To escape from NTDSutil you need just type quit, possibly two or three times, to get back to the command prompt.

Summary of NTDSutil

NTDSutil is a powerful command line tool.  Take every opportunity to practice its Unix-like commands.  If you practice with NTDSutil then you will be prepared for that day when you need to employ NTDSutil for disaster recovery tasks such as an Authoritative Restore.


CACLS - Modify Discretionary Access Control Lists

Introduction to CACLS - Modify Discretionary Access Control Lists

CACLS is a command-line program for changing a folder's permissions.  It is my view that CACLS is made for scripting, but first a reminder of the manual, GUI method for adjusting a folder's Access Control List (ACL): if you right-click a folder and select the Security tab you can examine and modify the permissions (ACL).

On this page I will answer the other questions that you may be asking about CACLS.  For example, where does it come from?  How do you use the CACLS switches?


Where does CACLS come from?

You can trace the history of CACLS right back to Windows NT 3.5.  These days CACLS is built-in to Windows 2003, XP and similar modern operating systems.  Just create a cmd session and type: cacls.

When would you need CACLS?

When would you call for CACLS?  When you have lots of folder permissions to change and the normal Explorer GUI would be tedious, for example to reset permissions on users' home folders to:
username: full control
administrators: full control
users: no entries.
If you think it through, Deny Everyone may not be smart; it is a bit like shooting yourself in the foot.

How do the CACLS Switches work?

Here is a purely personal view of how to understand the CACLS syntax.  Divide the CACLS command into three parts thus:

CACLS  1) folder name   2) replace, edit or revoke entries   3) grant user permission

Example: cacls c:\home /t /g guyt:F

1) cacls c:\home - this is the path to the folder whose permissions you wish to change

2) /t - replace (with guyt's permissions).  Note: /t wipes out everyone else's permissions.  An alternative would be /e, meaning edit or append permissions.

3) /g guyt:F - think of /g as standing for Grant.  In this instance the command grants guyt full control.  An alternative would be :R (read).  Note the colon; incidentally, there isn't a comma in sight.

What is the full list of CACLS switches?

/t  Think of the 't' as meaning trash the original Security permissions.

/e  Think of the 'e' as CACLS inviting you to edit, append or correct one that went wrong.

/g  This is the main switch, 'g' as in: grant me the permissions.  Requires a user, a colon and letter for the permission. /g guyt:f  full control for guyt.  /g freddy:r   read only for freddy.

/p  Almost the same as /g.  CACLS /p replaces, whereas /g appends.

/r  Revokes, removes a named user from the Access Control List.  Classic usage would be /r users.

/d  'd' stands for deny.  Remember that denying Users results in nobody being able to see the files, so use /d sparingly.

/c 'c' is for continue.  It works for CACLS like, 'on error resume next' works in VBScript.  Adding /c says to CACLS, 'Carry on despite an error'.

Setting CACLS for Multiple Users

It took me 30 minutes to work out how to configure CACLS to set multiple users or groups; when I finally cracked the code it was so simple.

/g user1:F user2:R admin6:C.  The pattern is one /g and then each user followed by a colon and the permission.  My mistakes were multiple /g and multiple /t - wrong.

If you have problems, you could try domain\user instead of user1. Full example:  /g domx\user:c

What gave me even more grief were groups with spaces, such as "Domain Admins".  You really need to pay attention to detail with names containing spaces.  Firstly, believe that CACLS can handle "Domain Admins".

From the command line it's moderately tricky:
cacls c:\home /t /g "Domain Admins":C guyt:R

In a VBScript it seemed impossible, until I hit upon the double, double quotes. ""Domain Admins""

' Constructed setup so the fragment runs on its own; point strUser at a real account.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
strUser = "guyt"
strHomeFolder = "D:\home\" & strUser
If objFSO.FolderExists(strHomeFolder) Then
    ' Assign user permission to home folder.  Echo Y answers the "Are you sure (Y/N)?"
    ' prompt CACLS raises when replacing an ACL; "" inside a VBScript string is one literal quote.
    intRunError = objShell.Run("%COMSPEC% /c Echo Y| cacls " & strHomeFolder _
        & " /t /g ""Domain Admins"":c guyt:r", 2, True)
    If intRunError <> 0 Then
        Wscript.Echo "Error assigning permissions for user " _
            & strUser & " to home folder " & strHomeFolder
    End If
End If

Killer use of CACLS

A classic use of CACLS is in conjunction with VBScript to set permissions on users' home directory.  For those who like to provide file shares for their users there is a need to set permissions.  This gets tedious where there are numerous subdirectories, each with different permissions.

Summary of Cacls

CACLS has a versatile set of command-line switches, which allow you to automate setting folder permissions.  Launch Explorer to check a folder's Security tab, decide on the changes, then run CACLS from a cmd window.  I find it useful to break down the CACLS command into three parts:
folder to change; edit or replace; permissions to grant.
Example: cacls c:\home /t /g administrators:F


Windows Server 2003 - Authoritative Restore


An Authoritative Restore of Active Directory is one of the hardest tasks in Windows Server 2003.  You need Active Directory Replication understanding, NTDSutil skill, backup tapes and above all, a sound plan.

Because you can only test an Authoritative Restore in Directory Services Restore Mode (F8 on the boot menu), I exhort you to try my other NTDSutil commands just to get the hang of the utility.


Typical Authoritative Restore Scenario

You instruct a junior administrator to delete a user account in the Bosses OU.  They open Active Directory Users and Computers and select the OU.  Now, instead of selecting the individual user, they select the OU container object and press Delete.  Even though they get two warning messages, they ignore them and press OK.  In this scenario we have to assume that this deletion is replicated to all the other domain controllers before the senior administrator realizes what has happened.  There is no Recycle Bin to restore the users from, and the LostAndFound folder is no good in this situation.  What we need is a laborious Authoritative Restore.

Why do you need an Authoritative Restore?

Let us take stock of why you need an Authoritative Restore as opposed to a non-authoritative restore.  The heart of the problem is that Active Directory is too clever for its own good.  If you delete an ordinary file and restore it from backup, then great, you have the old file back just as it was.  However, when you restore Active Directory, the other domain controllers try to be smart and replicate the later transactions, so a non-authoritative restore is no good for recovering an OU.  What happens is that another Domain Controller simply replicates the transactions that deleted the OU, because they are newer than the restored version.  As we will see, an Authoritative Restore tricks the other Domain Controllers into accepting the old object by artificially increasing its version number by 100000.

Authoritative Restore Plan

Knowledge is power.  Now that we understand the problem, we can make a plan and then put it into action.  NTDSutil will play the star role.  To recap, the problem is that deleted OU called Bosses.

1) The plan is to start with a normal restore.  This is a non-authoritative restore, nothing fancy - yet.  Once you have verified the initial restore, reboot pressing F8 and select Directory Services Restore Mode.  Now it's over to NTDSutil and ADSI Edit.  (Incidentally, if you have trouble with the DSRM password, see Example 2 in the NTDSutil tutorial above.)

2) While NTDSutil will carry out the actual Authoritative Restore, ADSI Edit will help identify the LDAP name of the deleted OU.  As a matter of tactics we only want to restore one branch or subtree of Active Directory.  If, for example, 20 users had been created since the initial disaster, we would not want to wipe them out with the Authoritative Restore.  Fortunately, from the normal restore, ADSI Edit will reveal the whereabouts of the OU.  Let us assume that the deleted object was OU=bosses,DC=ourdom,DC=com.  The point is we only want to restore this one part of Active Directory; all the other objects must be left as they are.

3) Remember, we are in Directory Services Restore Mode, so we are all set to run NTDSutil, here are the commands:

Authoritative Restore Example

E:\ntdsutil>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore object OU=bosses,DC=ourdom,DC=com

Opening DIT database... Done.

The current time is 06-17-05 12:34.12.
Most recent database update occurred at 06-16-05 00:41.25.
Increasing attribute version numbers by 100000.

Counting records that need updating...
Records found: 0000000012  

Learning Points for Authoritative Restore

1) NTDSutil has about 8 modes; we want specifically Authoritative Restore.

2) Success or failure depends on employing ADSI Edit to get the correct path; for me this is the most nerve-wracking part of the exercise.

3) Notice how NTDSutil increases the version number by 100000.  This makes sure that the restored objects have a later version number than any equivalent object on the other domain controllers.  As a result, when you reboot this machine it will replicate the restored OU=bosses to the other domain controllers.
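The version-number trick in learning point 3, worked through in Python.  This is an added example with constructed objects and stamps, not NTDSutil's or Active Directory's code; it keeps only the part of the replication conflict rule that the text relies on (the highest attribute version wins, and a later write wins a tie) and marks as authoritative only the DNs under the restored subtree, so that objects created since the backup survive, which is the reason for restoring one branch rather than the whole directory.

```python
"""Why a plain restore loses to replication and an authoritative one wins.
Added example with constructed objects; it models only the part of the AD
replication rule the text relies on (higher attribute version wins, later write
wins a tie) and is not NTDSutil's or AD's code."""
from dataclasses import dataclass

AUTH_RESTORE_BUMP = 100000     # the increment NTDSutil reports in the session above

@dataclass(frozen=True)
class Stamp:
    version: int      # attribute version number carried with each replicated write
    written: int      # originating write order (constructed; AD uses a timestamp)
    deleted: bool     # True for the tombstone a deletion leaves behind

def winner(a, b):
    """Replication conflict rule in outline: highest version, then latest write."""
    return max((a, b), key=lambda s: (s.version, s.written))

def restore(backup, live, authoritative):
    """Stamp the other domain controllers converge on after `backup` is restored
    onto one DC while its peers still hold `live`."""
    restored = backup
    if authoritative:
        restored = Stamp(backup.version + AUTH_RESTORE_BUMP, backup.written, backup.deleted)
    return winner(restored, live)

def in_subtree(dn, subtree):
    """True when dn is the subtree root or sits anywhere beneath it."""
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)

def apply_restore(backup, live, subtree, authoritative):
    """backup and live map DN -> Stamp. Only DNs inside `subtree` are treated as
    restored; everything else keeps the live value, so users created after the
    backup are left alone, which is the point of restoring one branch."""
    result = {}
    for dn in set(backup) | set(live):
        if dn not in backup:                       # created since the backup
            result[dn] = live[dn]
        elif not in_subtree(dn, subtree):          # outside the branch: untouched
            result[dn] = live.get(dn, backup[dn])
        elif dn in live:
            result[dn] = restore(backup[dn], live[dn], authoritative)
        else:
            result[dn] = backup[dn]
    return result

def demo():
    """Constructed scenario: two users under OU=bosses deleted after the backup,
    one user elsewhere edited since, one created since."""
    subtree = "OU=bosses,DC=ourdom,DC=com"
    backup = {   # state on the tape
        "CN=Alice,OU=bosses,DC=ourdom,DC=com": Stamp(3, 100, False),
        "CN=Bob,OU=bosses,DC=ourdom,DC=com": Stamp(2, 90, False),
        "CN=Carol,OU=staff,DC=ourdom,DC=com": Stamp(1, 50, False),
    }
    live = {     # state on the other domain controllers after the deletion
        "CN=Alice,OU=bosses,DC=ourdom,DC=com": Stamp(4, 200, True),
        "CN=Bob,OU=bosses,DC=ourdom,DC=com": Stamp(3, 200, True),
        "CN=Carol,OU=staff,DC=ourdom,DC=com": Stamp(2, 150, False),   # edited since
        "CN=Dave,OU=staff,DC=ourdom,DC=com": Stamp(1, 180, False),    # created since
    }
    return (apply_restore(backup, live, subtree, authoritative=False),
            apply_restore(backup, live, subtree, authoritative=True))

if __name__ == "__main__":
    non_auth, auth = demo()
    for dn in sorted(auth):
        print(f"{dn}: non-authoritative deleted={non_auth[dn].deleted}, "
              f"authoritative deleted={auth[dn].deleted} (version {auth[dn].version})")
```

With the non-authoritative restore both deleted users stay deleted, because the tombstone's version 4 beats the tape's version 3; with the authoritative restore the tape's copy becomes version 100003 and wins, while Carol keeps her newer live value and Dave, who was created after the backup, is untouched.  One practical note: NTDSutil's authoritative restore menu has both restore object and restore subtree; for an OU whose contents you want back, restore subtree marks the children as well.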

Summary of Authoritative Restore

'Self heal' works against you when you try to restore Active Directory objects.  The trick, which NTDSutil performs, is to fool AD into thinking that the restored object has a higher version number than any existing Active Directory record.  Mastering Authoritative Restore is like passing your final NTDSutil exam.  Take the time to understand the role played by ADSI Edit in identifying the object to restore, for example OU=bosses,DC=ourdom,DC=com.


Windows Server 2003 - ADModify

Windows Server 2003 - ADModify Support Tool Utility

ADModify is one of the most exciting tools in the Windows Server 2003 toolkit.  Here is a step-by-step tutorial for getting started with Microsoft's ADModify.  What I particularly enjoy about this utility is the way that it combines the business of changing Active Directory settings with the pleasure of navigating a friendly interface.


Introduction to ADModify

With any new utility I always ask, where does this tool originate?  In the case of ADModify the answer is Microsoft's lesser-known arm, PSS (Product Support Services).  These PSS utilities come with a disclaimer that says, beware, use them at your own risk.  Far from putting me off, the disclaimer just makes me realize how much testing has to go into an official Microsoft tool.

Reasons for Using ADModify

I want to guide you through one 'killer' example of ADModify in action.  Both the Exchange 2003 address book (GAL) and Active Directory Users and Computers display the 'Name' column as First Name Last Name.  I actually like that sequence because it's friendly and translates to Tom Cruise, Britney Spears or Guy Thomas.  However, most big businesses, and many of my customers, want to display Last Name, First Name, so they wish to see Cruise, Tom or Spears, Britney.

As an alternative to ADModify, you can use ADSI Edit to alter the createDialog attribute in Active Directory, but unfortunately this change only affects future user accounts, and as a result you could get confusion where half the users display First Name Last Name and the other half the reverse (Last Name First Name).

So, here is the 'killer' application of ADModify, to change the display of all existing users (in ADUC and the GAL) to Last Name First Name. Perhaps you are wondering, 'What about new users?  Will their names display with the new settings?'  Good news.  The answer is, 'yes' with ADModify.  On reflection, it would be silly if it did NOT change new names, but there again you never know what happens until you test.

Example of ADModify to Change 'Name' Order

Stage 0

  1. Before you launch the ADModify wizard, check Active Directory Users and Computers and note how user names are displayed in the first column.

 Stage 1

  1. Launch ADModify.

  2. Select 'Modify Attributes'.

  3. Click on the drop down menus to select your domain.  See diagram on the right.

  4. Optionally, Select a Domain Controller.

  5. Decide if you want to show all objects, or just Users.  If in doubt, go for consistency and leave all objects ticked.

  6. Click on the large green arrow.

 Stage 2

  1. It is important to maximise the ADModify Window.

  2. For your first try, select a test OU, just in case something goes wrong.

  3. You need the correct sequence here, click Add to List.

  4. Now you are ready to Select All.

  5. Click on the small Next>>> button.

Stage 3

  1. Scroll down to the bottom of the page.

  2. Tick the box: Change CN (RDN).

  3. Remember your goal and click LastName, FirstName.

  4. Note the syntax, especially the percentage signs and the comma.

  5. Decide if you want to keep the comma.  (Most people prefer the comma)

Stage 4

If the test OU worked as expected, and the 'Name' column is now sorted by LastName and not FirstName, then you could run ADModify again, but this time leave the focus at the domain level when you Select All.

Where next with ADModify?

If you run ADModify again, then select other LDAP attributes that you see on the Active Directory Users and Computer Properties sheets.  For example you could add a digit to the telephone number, change the manager or place the users in a different department.

More good news: ADModify can easily undo previous changes; all you need is to preserve the XML files that ADModify creates automatically on each run.


Summary of ADModify

It is a real pleasure to run ADModify through its paces.  On this page we had a real challenge: to change the GAL 'Name' display from FirstName LastName to LastName, FirstName.  I hope that on the journey you picked up other ideas for ADModify.  My greatest joy would be if you ran ADModify again, but this time made different decisions.


Additional Account Info - Acctinfo.dll

Introduction to Additional Account Info - Acctinfo.dll

What Acctinfo.dll does is expose more properties in Active Directory Users and Computers, for example lastLogon and Password Expires.  Specifically, with this add-on you get an extra tab called Additional Account Info.

What led me to discover this treasure called acctinfo.dll was research into an LDAP property called lastLogon.  The reason that I have not used acctinfo.dll before is that I usually call for ADSI Edit whenever I need to investigate such hidden Active Directory attributes and values.


How to add the Additional Account Info property tab

What I want to do is add an extra tab to Active Directory Users and Computers.  Amongst the extra information on this tab are the lastLogon time, the UserAccountControl value and the Bad Password Count.

All we need to display this extra information is a dynamic-link library file called acctinfo.dll.

Download and Install Additional Account Info

  1. Download acctinfo.dll or acctinfo in zip format
  2. Copy acctinfo.dll to the %systemroot%\system32 folder
  3. Register the service and dll with this command:
    regsvr32 acctinfo (similar to registering the Schema snap-in)
  4. Close, then open Active Directory Users and Computers.
  5. Look for an extra tab called Additional Account Info.

Learning Points

Note 1: My information is that you need to install acctinfo on the machine where you execute the Active Directory Users and Computers snap-in.

Note 2: In line with modern best practice, once you have registered acctinfo, there is no need to reboot your server.

Note 3: If you wish to remove the Additional Account Info tab, open a run command and type:
regsvr32 /u acctinfo

Note 4: Acctinfo is supplied free by Microsoft.
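What the Additional Account Info tab is doing for you is decoding raw attribute values.  This is an added example, not part of acctinfo.dll or of this page: Python that converts lastLogon and pwdLastSet from FILETIME (100-nanosecond ticks since 1 January 1601, UTC) into dates, works out when a password expires from the domain's maxPwdAge (stored as a negative interval), and names the bits set in userAccountControl.  The sample account values are constructed; the epoch and the flag constants are the documented Windows ones.  The review function flags two things worth catching when you walk through accounts: a password set never to expire, and an account that has never logged on.

```python
"""Decode the raw Active Directory values behind the Additional Account Info tab:
lastLogon and pwdLastSet (FILETIME: 100-nanosecond ticks since 1601-01-01 UTC),
the password expiry derived from the domain's maxPwdAge, and the
userAccountControl bit flags. Added example with constructed sample values; the
epoch and flag constants are the documented Windows ones."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = -(2 ** 63)          # maxPwdAge value meaning passwords never expire

# userAccountControl bits (ADS_USER_FLAG_ENUM values)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime, used to build the constructed sample values."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """FILETIME integer -> aware UTC datetime; 0 means 'never' (e.g. never logged on)."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Exact inverse of filetime_to_datetime (integer arithmetic only, so no drift)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def decode_uac(value):
    """Names of the set userAccountControl bits, e.g. 0x10202 -> disabled,
    normal account, password never expires."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)

def password_expires(pwd_last_set, max_pwd_age, uac):
    """Date the password expires, or None when it cannot: DONT_EXPIRE_PASSWORD set,
    the domain's maxPwdAge is 'never', or the password has never been set.
    maxPwdAge is stored as a *negative* 100ns interval."""
    if uac & 0x10000 or pwd_last_set == 0 or max_pwd_age >= 0 or max_pwd_age == NEVER:
        return None
    max_age = timedelta(microseconds=-max_pwd_age // 10)
    return filetime_to_datetime(pwd_last_set) + max_age

def review_account(sam, last_logon, pwd_last_set, uac, max_pwd_age):
    """Summarise one account the way the tab does, plus the items worth flagging
    in a review: a password that never expires, and an account never logged on."""
    flags = decode_uac(uac)
    flagged = [f for f in ("DONT_EXPIRE_PASSWORD", "PASSWD_NOTREQD") if f in flags]
    if last_logon == 0:
        flagged.append("NEVER_LOGGED_ON")
    return {
        "account": sam,
        "lastLogon": filetime_to_datetime(last_logon),
        "passwordExpires": password_expires(pwd_last_set, max_pwd_age, uac),
        "flags": flags,
        "flagged": flagged,
    }

if __name__ == "__main__":
    forty_two_days = -42 * 86400 * 10_000_000          # constructed domain maxPwdAge
    print(review_account("guyt", datetime_to_filetime(utc(2005, 6, 17, 12, 34, 12)),
                         datetime_to_filetime(utc(2005, 6, 1)), 0x200, forty_two_days))
    print(review_account("svc_old", 0, datetime_to_filetime(utc(2005, 6, 1)),
                         0x10200, forty_two_days))
```

Note that lastLogon is not replicated between domain controllers, so to find a user's most recent logon you must read it on every DC and take the largest value; lastLogonTimestamp, which Server 2003 does replicate, is only updated roughly every two weeks.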

Extra properties displayed under Additional Account Info

Summary of Acctinfo

Download and try this cost-nothing add-on for Active Directory Users and Computers.  Acctinfo gives extra information about the last time a user logged on, plus the Bad Password Count and the UserAccountControl value.  Download and install acctinfo.dll and get the Additional Account Info tab for your users.


Windows Server 2003 - Authoritative Restore

Windows Server 2003 - Authoritative Restore

An Authoritative Restore of Active Directory is one of the hardest tasks in Windows Server 2003.  You need Active Directory Replication understanding, NTDSutil skill, backup tapes and above all, a sound plan.

Because you can only test an Authoritative Restore in Directory Services Restore Mode (F8 on the boot menu), I exhort you to try my other NTDSutil commands just to get the hang of the utility.

Tutorial Topics for Authoritative Restore

Typical Authoritative Restore Scenario

You instruct a junior administrator to delete a user account in the Bosses OU.  They open up Active Directory Users and Computers, select the OU.  Now instead of selecting the individual user, they select the OU container object and press delete.  Even though they get two warning messages they ignore them and press OK.  In this scenario we have to assume that this deletion is replicated to all other domain controllers before the senior administrator realizes what has happened.  There is no recycle bin to restore the users, the LostAndFound folder is no good in this situation.  What we need is a laborious Authoritative Restore.

Why do you need an Authoritative Restore?

Let us take stock of why you need an Authoritative Active Restore as opposed to a non-Authoritative restore.  The heart of the problem is that Active Directory is too clever for its own good.  If you delete an ordinary file and restore it from backup, then great, you have the old file back just as it was.  However, when you restore Active Directory, the other domain controllers try and be smart and replicate later transactions so a non-authoritative restore is no good for recovering an OU.  What happens is another Domain Controller just replicates the transactions that deleted the OU because they are newer than the restored version.  As we will see, an Authoritative Restore tricks the other Domain Controllers into accepting the old object by artificially increasing its version number by 100000.

Authoritative Restore Plan

Knowledge is power.  Now that we understand the problem, we can make a plan and then put it into action.  NTDSutil will play the star role.  To recap the problem is that deleted OU called Bosses.

1) The plan is to start with a normal restore.  This is a non-authoritative restore, nothing fancy - yet.  Once you have verified the initial restore, reboot pressing F8, and select Directory Services Restore Mode.  Now its over to NTDSutil and ADSI Edit. (Incidentally if you have trouble with the DSRM password)

2) While NTDSutil will carryout the actual Authoritative Restore, ADSI Edit will help identify the LDAP name of the deleted OU.  As a matter of tactics we only want to restore one branch or SubTree of active directory.  If for example, 20 users had been created since the initial disaster, we would not want to wipe them out by the Authoritative Restore.  Fortunately, from the normal restore ADSI Edit will reveal the whereabouts of the OU.  Let us assume that the deleted object was: OU=bosses,DC=ourdom,DC=com.  The point is we only want to restore this one part of Active Directory, all the other objects must be left as they are.

3) Remember, we are in Directory Services Restore Mode, so we are all set to run NTDSutil, here are the commands:

Authoritative Restore Example

E:\ntdsutil>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore object OU=bosses,DC=ourdom,DC=com

Opening DIT database... Done.

The current time is 06-17-05 12:34.12.
Most recent database update occurred at 06-16-05 00:41.25.
Increasing attribute version numbers by 100000.

Counting records that need updating...
Records found: 0000000012  

Learning Points for Authoritative Restore

1) NTDSutil has about 8 modes; the one we want here is Authoritative Restore.

2) Success or failure depends on employing ADSI Edit to get the correct path; for me this is the most nerve-wracking part of the exercise.

3) Notice how NTDSutil increases the version number by 100000.  This makes sure that the restored objects have a later version number than any equivalent object on the other domain controllers.  As a result, when you reboot this machine it will replicate the restored OU=bosses to the other domain controllers.
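As an added illustration (not code from the original page), here is a small Python model of the version-number rule in point 3: when two replicas merge, the higher version number wins for each object, so an ordinary restore loses to the deletion tombstones while an authoritative restore of the OU=bosses subtree wins. The second domain controller, the user objects under the OU and the version numbers are constructed for the example.

```python
"""Model of why an authoritative restore wins replication.

Added example, not from the original page.  Active Directory resolves a
conflict between two domain controllers by keeping the attribute with the
higher version number.  An ordinary restore brings the OU back with its OLD
version number, so the tombstone created by the deletion (newer, higher
version) replicates back and deletes it again.  NTDSutil's authoritative
restore adds 100000 to the version numbers of the restored subtree, so the
restored copy wins instead.  The DN OU=bosses,DC=ourdom,DC=com follows the
page; the other objects and version numbers are constructed sample data.
"""
from dataclasses import dataclass, replace

VERSION_BUMP = 100000  # the increment NTDSutil reports, as shown on the page


@dataclass(frozen=True)
class Replica:
    """One object as stored on one domain controller (one version per object,
    a simplification of AD's per-attribute version numbers)."""
    dn: str
    version: int
    deleted: bool  # True means the object is a tombstone


def in_subtree(dn: str, subtree_dn: str) -> bool:
    """True if dn is subtree_dn itself or lies underneath it (case-insensitive)."""
    dn, subtree_dn = dn.lower(), subtree_dn.lower()
    return dn == subtree_dn or dn.endswith("," + subtree_dn)


def replicate(a: dict, b: dict) -> dict:
    """Merge two replicas: for each DN the higher version number wins."""
    merged = {}
    for dn in set(a) | set(b):
        ra, rb = a.get(dn), b.get(dn)
        if ra is None or rb is None:
            merged[dn] = ra if ra is not None else rb
        else:
            merged[dn] = ra if ra.version >= rb.version else rb
    return merged


def authoritative_restore(restored: dict, subtree_dn: str) -> dict:
    """NTDSutil 'restore subtree': bump versions only inside the named subtree."""
    return {
        dn: replace(obj, version=obj.version + VERSION_BUMP)
        if in_subtree(dn, subtree_dn) else obj
        for dn, obj in restored.items()
    }


def live_objects(replica: dict) -> set:
    """DNs that are not tombstones."""
    return {dn for dn, obj in replica.items() if not obj.deleted}


def scenario(authoritative: bool) -> set:
    """DNs that survive on DC1 after the restore and one replication cycle."""
    ou = "OU=bosses,DC=ourdom,DC=com"
    boss = "CN=GuyT,OU=bosses,DC=ourdom,DC=com"
    staff = "OU=staff,DC=ourdom,DC=com"
    newhire = "CN=NewHire,OU=staff,DC=ourdom,DC=com"
    # Constructed: DC1's replica as it was on the backup tape.
    backup = {ou: Replica(ou, 3, False), boss: Replica(boss, 5, False),
              staff: Replica(staff, 2, False)}
    # Constructed: DC2 today.  The OU and its user were deleted (tombstones
    # with higher versions) and a user was created after the backup; that
    # new user must survive the restore.
    dc2 = {ou: replace(backup[ou], version=4, deleted=True),
           boss: replace(backup[boss], version=6, deleted=True),
           staff: backup[staff],
           newhire: Replica(newhire, 1, False)}
    dc1 = dict(backup)  # step 1 on the page: the ordinary restore
    if authoritative:
        dc1 = authoritative_restore(dc1, ou)  # step 3: NTDSutil restore subtree
    return live_objects(replicate(dc1, dc2))
```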

Summary of Authoritative Restore

'Self heal' works against you when you try to restore Active Directory objects.  The trick, which NTDSutil performs, is to fool AD into believing the restored data has a higher version number than any existing Active Directory records.  Mastering Authoritative Restore is like passing your final NTDSutil exam.  Take the time to understand the role played by ADSI Edit in obtaining the LDAP name of the restored object, for example, OU=bosses,DC=ourdom,DC=com.


Disaster Recovery - Backup in Windows 2003 Server

Introduction to the Role of Backup in Disaster Recovery

Despite seductive technical innovations such as clustering, backup remains your number one protector against a Windows Server 2003 disaster.


35% of backup tapes do not work

Gartner research points out that 35% of backup tapes will not restore in the way that you expect.

At first I did not believe the above statistics.  However, because I have read other articles which give even worse figures, I now accept the truth - many backup tapes are fatally flawed.  If you study Gartner's statement carefully, it says not so much that backup itself does not work, more that something goes awry when you attempt to restore the tapes.

The salutary message is that your backup strategy will never be complete until you find the time to test a full restore under realistic disaster conditions.

Backup Strategies for Windows Server 2003

Reasons why you need to back up data

  1. Day-to-day retrieval of lost files or deleted mailboxes.
  2. Disaster Recovery - as a precaution against server failure.
  3. Archiving - documents that tax inspectors or government officials may need 5 years in the future.

Best Practice - Backup tactics

  1. Back up to a second hard disk or, better still, control backup at your SAN.
  2. Back up to tape; that way you have protection against a physical disaster at the site.
  3. Keep father and grandfather copies of your tapes.
  4. Keep at least some of your tapes offsite.  (On the internet?)

For an in-depth appreciation of backup, check out this article:
Kick the Tape! By Eric B. Rux, MVP


Types of Windows Server 2003 Backup

1. Normal - Wherever possible, take a normal backup.  The reason is that this is the only method that backs up ALL the files.  Another benefit of Normal Backup comes when you restore: you only need the last tape.  With the other types of backup you need to restore multiple tapes, which increases the time, the frustration and the chance of something going wrong.  Make a normal backup your reflex.

Customer: 'But Guy, a normal backup takes 22 hours'.

Guy: 'O.K., let us use a normal backup at the weekend and differential each night.'

To understand the other types you need to consider what is happening to the archive bit during backup.  As you may know, a normal backup resets the archive bit (no tick), but when the user updates the file a tick appears in the archive bit.   Incidentally, you can check the archive bit status by looking at the advanced properties of any file or folder.

2. Differential - Backs up only files that have changed since the last full backup.  How does it know which files to choose?  It selects only files with the archive bit checked.  Unlike the next type, differential does NOT reset the archive bit, so each day the backups get larger and larger.

3. Incremental - Backs up only files with archive bit set.  Incremental then clears the tick.  Incremental backups are quicker to run than the other types, but are a nightmare to restore.  Some databases only allow Normal or Differential types of backup.  Make this method your last resort.

4. Copy - Backs up files that you manually select; suppose you want all documents that relate to a topic, no matter when they last changed.  Copy leaves the archive bit as it was.

Another scenario where you could use a copy backup is that you want to backup an entire website, no matter when the last files were backed up.  However, you do not want to reset the archive bit.

5. Daily - Backs up files with today's date stamp, that is, modified since midnight (00:00) today.  (Not within the last 24 hrs.)

Note: Whichever of the above 5 types you use, you can, and should, back up the System State.
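The five rules above as a Python model (an added example, not from the original page): each backup type's selection rule and its effect on the archive bit, run over the page's own schedule of a normal backup at the weekend and a differential or incremental each night, to show how differential tapes grow while an incremental restore needs every tape since the last normal. The file names, sizes and dates are constructed.

```python
"""Archive-bit model of the five backup types listed above.

Added example, not from the original page.  Each function applies one
backup type's selection rule and states whether that type clears the
archive bit (the 'tick').  simulate() then runs the page's own schedule,
a normal backup at the weekend and a differential or incremental each
night, and works out which tapes a restore would need.  Files, sizes and
dates are constructed sample data.
"""
from datetime import date, datetime, time, timedelta


class File:
    def __init__(self, name, size, modified):
        self.name, self.size, self.modified = name, size, modified
        self.archive = True  # a new or changed file gets the tick


def _run(files, select, clear_bit):
    chosen = [f for f in files if select(f)]
    if clear_bit:
        for f in chosen:
            f.archive = False
    return chosen


def normal(files, today):        # every file, then clear the tick
    return _run(files, lambda f: True, clear_bit=True)


def differential(files, today):  # ticked files only, tick left as it was
    return _run(files, lambda f: f.archive, clear_bit=False)


def incremental(files, today):   # ticked files only, then clear the tick
    return _run(files, lambda f: f.archive, clear_bit=True)


def copy_backup(files, today, names):  # manual selection, tick untouched
    return _run(files, lambda f: f.name in names, clear_bit=False)


def daily(files, today):         # modified since 00:00 today, tick untouched
    midnight = datetime.combine(today, time.min)
    return _run(files, lambda f: f.modified >= midnight, clear_bit=False)


def tapes_needed(schedule):
    """schedule: [(label, kind), ...] in date order, with one kind of nightly
    backup between normals as on the page.  Returns the tapes a full restore
    needs, oldest first."""
    needed = []
    for label, kind in reversed(schedule):
        if kind == "normal":
            needed.insert(0, label)   # the base: nothing earlier is needed
            break
        if kind == "incremental":
            needed.insert(0, label)   # every incremental since the normal
        elif kind == "differential" and not needed:
            needed.insert(0, label)   # only the most recent differential
        # copy and daily backups are outside the restore chain
    return needed


def simulate(nightly):
    """Normal on Saturday, `nightly` Mon-Thu, one file changed each day.

    Returns ({tape label: bytes written}, tapes a Friday restore needs)."""
    t0 = datetime(2005, 6, 10, 9, 0)
    files = [File("payroll.xls", 300, t0), File("report.doc", 50, t0),
             File("notes.txt", 5, t0)]
    saturday = date(2005, 6, 11)
    sizes = {"Sat normal": sum(f.size for f in normal(files, saturday))}
    schedule = [("Sat normal", "normal")]
    edits = ["payroll.xls", "payroll.xls", "report.doc", "notes.txt"]
    for i, weekday in enumerate(["Mon", "Tue", "Wed", "Thu"]):
        day = saturday + timedelta(days=2 + i)
        for f in files:
            if f.name == edits[i]:
                f.modified = datetime.combine(day, time(14, 0))
                f.archive = True  # the user updated the file: tick appears
        label = f"{weekday} {nightly.__name__}"
        sizes[label] = sum(f.size for f in nightly(files, day))
        schedule.append((label, nightly.__name__))
    return sizes, tapes_needed(schedule)
```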

Backup Tips for Windows Server 2003

1. Keep a spreadsheet - Update records, make a calendar, or utilize the built-in scheduler.

2. Use Volume Shadow Copy - The new Shadow Copy feature in Server 2003 provides point-in-time copies of files on network shares.  This enables you to back up open files; however, Volume Shadow Copy is not a substitute for a proper normal backup.

3. Consider Security - What would happen if someone stole the tape?  Would you notice?  What information could they gain?  How easy would it be for them to restore?  What could you do to prevent all of the above?

Answer: Protect by selecting the option: 'Restrict restore to owner or administrator'.  Another security measure is to use your Domain Group Policy and restrict the Restore privilege to Administrators.

Select the option to verify the backup; the process will take a little longer, but it's worth the wait.

4. Planning - Create a backup baseline.  The idea is to create a reference point where you know everything is working properly.  Then it will be quicker to restore the changes from tape.  Note the 'Restore Point' feature of XP is not available on Server 2003.

Make a written plan of who will do what in the case of an emergency incident.  Create a flow chart of the sequence to retrieve data: if the server is running, then get the data; if the server is not running, repair the Windows 2003 operating system.

5. Getting Started - You access the Backup GUI via Accessories, System Tools.  There is also a command line version suitable for scripting called ntbackup.


Disaster Recovery - Boot Options for Windows 2003 Server

Introduction to Boot Options for Windows Server 2003

Windows Server 2003 has inherited from Windows 95 and XP the ability to interrupt the boot sequence by pressing F8.  This is a handy boot option for disaster recovery, for example, when you need to disable a driver or perform an Authoritative Restore.


F8 Startup options for Windows Server 2003

Suppose the Windows server will not boot up.  You may get a stop error message; alternatively, you may get a black screen which says it cannot find the xyz.com file.  Under these dire circumstances, your best bet is to reboot and press F8.  I urge you to run through these options when you are calm and can make rational decisions, because when disaster strikes the heart races and you need the comfort of familiar menus and procedures.  Therefore, practice boot options with F8.

  1. Safe Mode (Safe Mode with Networking, Safe Mode Command Prompt)
  2. VGA Mode
  3. Last Known good (LKG)
  4. Directory Services Restore

1. Safe mode

Those coming to Windows Server 2003 from NT 4.0 will be impressed with all the options revealed by pressing F8 on boot up; those who know Windows 98 will find old friends on the menu.  There are variations like Safe Mode with Networking, however I find plain Safe Mode is the best option when you begin troubleshooting.  The main use of Safe Mode is to correct configuration errors so that you can try another normal boot.  Remember the first question to ask in troubleshooting is 'What was the last setting to change?'.  Incidentally, never waste time asking who made that fatal change because I can tell you the answer from here - it's always Mr Nobody.

A good point about safe mode is that you still preserve the option to try the Last Known Good.

2. VGA Mode

This is useful in two scenarios:
a) You inadvertently install an incompatible monitor driver 
b) Some nutter (Mr Nobody?) tries a variation of black writing on a black background.

3. Last Known Good (LKG)

This option is used in one specialist situation, you have just installed a rogue driver which you are pretty sure is preventing the Windows Server 2003 machine from booting.  If you did something that changed the registry, then you can revert to a spare control set.  Beware, the moment you logon, Windows creates a new Last Known Good, as a result you would lose the previous LKG.  The time to consider the LKG option is if you have just installed a new device and you see an error message 'One or more services failed to start'.  In this situation DO NOT LOGON, power off, restart, press F8 and select Last Known Good from the menu.

4. Directory Services Restore - NTDSUTIL

The scenario: someone has just deleted a complete OU from your Windows Server 2003 Active Directory.  The problem is that a normal restore will not work under these circumstances.  What will happen is that the other Windows 2003 domain controllers will have a later Update Sequence Number (USN) and will overwrite the restore, deleting the OU again, so you are back where you started.  What you need in this situation is the Directory Services Restore option from the F8 menu.

To prepare for a Directory Service Restore, first complete a normal restore and take the Windows Server 2003 offline.  Then reboot, select the special Directory Service Restore mode at the F8 menu.  Next run NTDSUTIL to tell Active Directory not to over-write the OU that you wish to recover. 

That last paragraph is easy for me to write, but in reality NTDSUTIL is a difficult utility to use.  Time spent practicing with NTDSUTIL will repay many times when you have to make a disaster recovery.  In addition you need to understand LDAP because you need to issue a command to only restore the faulty part of Active Directory, in this case the OU that was deleted.

System Recovery Console - CMDCONS

When you are trying to boot a reluctant Windows 2003 server, CMDCONS is another string to your bow.

Highly organized administrators run Winnt32 /cmdcons, which installs about 8MB of files that make up the System Recovery Console.  Fortunately, should you forget to run CMDCONS ahead of the boot problem, you can still boot from the Windows Server 2003 CD and access the Recovery Console from that Server CD.

If the system will not start due to a corrupted file, CMDCONS gives you tools to copy replacement files from CD.  When you select System Recovery, it drops you into a DOS like shell where you can also issue commands to enable or disable services that are preventing a clean boot.

Trap: The password for this account is stored in the local SAM database.  This is sometimes called the DSRM (Directory Services Restore Mode) account.  My point is that this administrator account will almost certainly have a different password from the regular domain administrator account.

Challenge: Install and test CMDCONS.  My point is that time spent practicing with CMDCONS will repay handsomely when it comes to using the Recovery Console in anger.  In particular you may be surprised how difficult it is to logon as administrator.

Tools to troubleshoot Windows Server 2003 crashes

  1. Event Viewer.  If you are able to start in safe mode, then the first program to open is the Event Viewer to check the logs.  There is also a little-known script called EventQuery.vbs /auxsource which you run from the command prompt.
  2. System Configuration Utility - Msconfig.exe, Sys.ini etc.
  3. System Information.  Programs, Accessories, System Tools
  4. Missing or corrupt file - System File Checker - sfc
  5. System Icon, Hardware, Device Manager, Device, Properties, Roll Back
  6. System Icon, Advanced, Startup and Recovery options
  7. Services (Administrative Tools)
  8. NTBTLog.txt
  9. Resource kit tools like Tasklist and Taskkill

Disaster Recovery in Windows 2003 - Clustering

Introduction to Windows Server 2003 Clustering

Clustering is one of those computing concepts that is - simply great.  Also in my 'simply great' category are: client server, DHCP, and VPN.  These are technologies that just make sense and should be implemented wherever possible.  The twin benefits of clustering are load balancing and fault tolerance.  One day soon SAN (Storage Area Network) and wireless networks will join clustering in that 'simply great' category.

There are at least two distinct clustering strategies: Stateful and Stateless.  Stateful is proper fault tolerance clustering, whereas Stateless is just load balancing.  The key points to check are: what application is the clustering designed for, and does it need special hardware?

Stateless NLB Clusters (Network Load Balancing)

Examples: VPN, IIS or Terminal Server

This is the clustering that you configure through the Network Adapter Properties.

It supports up to 32 nodes, is Stateless and automatically balances the load when more hosts come on line. To further administer NLB there is a little known utility nlbmgr which you can launch from the run command.

A feature of all clustering types is that each server needs a second network adapter (dedicated IP address) which is just used to communicate with the other cluster servers.

From the host point of view they connect to a cluster, so each cluster needs a DNS name and a corresponding cluster IP address.

Whichever method of clustering you use, make sure you purchase the Enterprise or Datacenter edition of Windows 2003.  The Standard edition does not support clustering.

Stateful Server Clusters

Examples:  SQL or Exchange

This method of clustering is controlled by a service that you install through Add or Remove Programs.  Note: Cluster Service requires an account much like Exchange 5.5.

Server clusters support up to 8 nodes and are Stateful.  This type of clustering supports failover and is designed primarily for fault tolerance. 

The second network card maintains a 'heartbeat' with other members of the cluster.  The virtual cluster name needs to be registered in DNS.

To administer your cluster, Start (menu) Run, CluAdmin.exe.  The concept is that one node owns the resource, and the other nodes are aware and take over in the event of failure.

Applications such as SQL and Exchange have their own administration programs to configure Active / Active or Active / Passive clustering.  Where possible favour Active / Passive clustering, this means that in the event of failure all the functions are taken over by a 'hot spare' server.

Limitations of Disk configuration on server clusters.

Remember that the disks are likely to be the area where you need specialist cluster aware hardware.  At the top of the range, the storage will be handled by NAS and SAN systems.

Disks to be used for cluster storage must be configured as basic disks and must be formatted as NTFS.  You cannot configure cluster storage devices as dynamic disks or spanned volumes (volume sets) if they will be used as cluster resources.  You can, however, use the DiskPart.exe utility to extend the volume of a basic cluster disk.  For more information, see DiskPart.

It is highly recommended that you do not enable write caching on cluster disks.
Failover - In server clusters, this is the process of taking resource groups offline on one node and bringing them online on another node.  When failover occurs, all resources within a resource group fail over in a predefined order; resources that depend on other resources are taken offline before, and brought back online after, the resources on which they depend.


Windows Server 2003 Disaster Recovery - Make a plan

Planning a Windows Server 2003 Disaster Recovery

One of my clients asked me to look over their disaster recovery plan.  This prompted me to do some research and I was just amazed how many facets there are to the disaster recovery business.

Disaster Recovery Conclusions

Make a particular study of case histories: 'Those who do not learn from the mistakes of the past are destined to repeat them' - Santayana.

Identify the skills and technologies you need to: a) Prevent, b) Recover from a disaster.  Make sure that the network specialists understand what your business needs.

Few people cover all aspects of Disaster Recovery.  Remember that your maximum benefit comes from identifying your weakest link.

Types of disaster - do you have them all covered?

What would you do in the event of each of the following?  Which order would you put them in?  Most likely =1 least likely = 6.

  1. Power failure
  2. Hackers and security breaches
  3. Stolen Kit, crime and vandalism.
  4. Fire, storm, flooding, earthquake, which is most likely in your area?
  5. Terrorist attacks, chemical attack.
  6. Beware staff leaving - I was called in to help one company because no-one knew how the system worked or even where the servers were!  A disaster caused by an outsourcing deal that went bad.

Identify the most likely cause for your situation.  Eliminate two areas as extremely unlikely.  Are your resources deployed according to your priorities?

Disaster Recovery - Planning

Plan to identify, then eliminate, single points of failures.  Make sure you have duplicate systems for both hardware and software.  Will you need replica servers or even a whole mirror site in another location?  At the very least store copies of your backup tapes offsite.

Define a strategy for each system.  Windows Server 2003 has its own recovery tools, for example, system state.  Exchange and SQL have their own specialist database recovery utilities.  Failover clustering is a great preventative measure.

When it comes to a restore, list the service dependencies and then sequence your recovery process.  For example: operating system first, then the SQL program, and finally the database store.

I find targets are both measurable and motivating.  Set targets for availability: 99.9% or 99.99%.  Set timings for recovery: 2 hrs for a server, 24 hrs for a site.

Consider the effect on your users and the effect on your customers.  If your database goes down customers cannot order, but internal users can still use their workstations.  If a virus cripples the email server users may grind to a halt but customers can still keep ordering.

Get executive enthusiasm.  Lobby for a champion, particularly when it comes to financing your disaster recovery plans.


Disaster Recovery in Windows Server 2003 - RAID

Introduction to RAID in Windows Server 2003

Let us recall the overall disaster recovery goals a) Protect your data. b) Recover quickly from an incident.  In the overall scheme, remember that prevention of data loss is so much better than disaster recovery.

One urban myth had it that a network manager had a knock on the door, and there stood a Compaq engineer.  'I have come to replace your disk' he said.  'What disk?  I did not order a disk' - demanded the manager.  'No worries,' replied the engineer, 'our remote monitoring system has spotted that the 4th disk in your array has failed and I have come to fit a new one.'


Types of RAID

RAID 1 Disk Mirroring  - Protect the Windows Server 2003 operating system with a mirrored disk.

RAID 5 Striping with Parity - If one disk fails the program carries on thanks to your hardware RAID with a hot swappable disk.

RAID 0+1 Striping (No parity) for speed, combined with mirroring the whole stripe set for fault tolerance.

Note: You can only create RAID 5 on Dynamic disk. (So upgrade Basic Disk)

Guidelines for disk configurations.

With hardware RAID, the onboard controller handles the RAID system, not the operating system.  Windows Server 2003 'sees' the physical disk array as a single hard drive.  If one hard disk fails in a RAID-1 or RAID-5 implementation, you can rebuild the RAID system and recover all data from the failed disk: press CTRL M during boot and then select 'Rebuild'.  This recovers the data to its state immediately before the failure occurred.
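To show why a single failed disk in a RAID-5 set can be rebuilt (an added example, not code from the page or from any controller vendor), this Python model stripes data across the disks with rotating XOR parity and recomputes any one lost disk from the survivors, which is the operation the controller's 'Rebuild' performs; the payload bytes are constructed.

```python
"""RAID-5 striping with rotating parity, and rebuilding one failed disk.

Added example, not from the original page.  Each stripe is cut into
(ndisks - 1) data blocks plus one XOR parity block, and the parity block
moves to a different disk on each stripe.  Because any block is the XOR of
the other blocks in its stripe, a single failed disk can be recomputed from
the survivors.  Two failed disks cannot be recovered, which is why the hot
swappable spare the page mentions matters.  The payload is a constructed
byte string.
"""
from functools import reduce

BLOCK = 4  # bytes per block; tiny so the stripes are easy to inspect


def xor_blocks(blocks):
    """XOR a list of equal-length byte blocks together."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def parity_disk_for(stripe: int, ndisks: int) -> int:
    """Rotate parity so no single disk becomes the parity bottleneck."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data: bytes, ndisks: int):
    """Stripe data over ndisks; returns one list of blocks per disk."""
    per_stripe = BLOCK * (ndisks - 1)
    nstripes = -(-len(data) // per_stripe)            # ceiling division
    data = data.ljust(nstripes * per_stripe, b"\0")   # pad the last stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(nstripes):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i:i + BLOCK] for i in range(0, per_stripe, BLOCK)]
        parity, pd = xor_blocks(blocks), parity_disk_for(s, ndisks)
        it = iter(blocks)
        for d in range(ndisks):
            disks[d].append(parity if d == pd else next(it))
    return disks


def raid5_read(disks, length: int) -> bytes:
    """Reassemble the data, skipping each stripe's parity block."""
    ndisks, out = len(disks), bytearray()
    for s in range(len(disks[0])):
        pd = parity_disk_for(s, ndisks)
        out += b"".join(disks[d][s] for d in range(ndisks) if d != pd)
    return bytes(out[:length])


def raid5_rebuild(disks, failed: int):
    """Recompute the failed disk's blocks; disks[failed] may be None."""
    survivors = [d for d in range(len(disks)) if d != failed]
    nstripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(nstripes)]


def recover_after_failure(data: bytes, ndisks: int, failed: int) -> bytes:
    """Write, lose one disk, rebuild it, and read the array back."""
    disks = raid5_write(data, ndisks)
    disks[failed] = None                              # the disk has died
    disks[failed] = raid5_rebuild(disks, failed)      # controller 'Rebuild'
    return raid5_read(disks, len(data))
```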

Creating RAID volumes in Windows Server 2003

You only really need to do this if you are using software RAID.  Hardware RAID has its own utilities which are often placed in the Control Panel.

  1. Click Start (menu), All Programs, Administrative Tools, Computer Management.
  2. Open 'Storage' and click Disk Management.
  3. Right-click the unallocated space on one of the dynamic disks where the RAID-0, RAID-1, or RAID-5 volume should be created, and then click 'Create Volume.'
  4. In the Create Volume wizard, click 'Next,' and then click on the desired volume type: 'Striped volume,' 'Mirrored volume,' or 'RAID-5 volume.'

Upgrading basic disks to dynamic disks

In my opinion, favour dynamic disks on servers, but stick with basic disks on XP and other clients.  Converting to dynamic disk is irreversible, or at least you cannot return to basic disk and preserve the data.

Some of the limitations of dynamic disk are not serious, for example you cannot dual boot into another operating system.  However, even this reduces your options, for instance, you could not install a parallel operating system for recovering a machine that will not boot.  More seriously, your hardware RAID may not work on dynamic disk, so check with the manufacturers.

  1. Navigate to the Disk Management console.
  2. Right-click the grey 'Disk Description' pane that is located to the left of the Color-coded volume panes.
  3. Select 'Upgrade to Dynamic Disk.'  Note you will have to reboot not once, but twice.

Diskpart - a handy command line utility.

Microsoft provides a disk-partitioning utility called Diskpart which is particularly useful for scripting disk tasks during unattended setup of Windows Server 2003.  With diskpart you can configure most of the settings found in the Disk Management GUI.  Writing diskpart into a script is a particularly easy way of upgrading lots of machines from basic to dynamic disk.


Disaster Recovery in Windows Server 2003  - Restore

Introduction to Windows Server 2003 Restore

Restore often plays the role of the forgotten little sister compared with big brother who plays the part of Backup.

The mechanical details of a restore are easy, the software provides menu driven prompts.  However, remember that horrifying statistic, 35% of restores are not going to work as you anticipated.  The problems come in unforeseen outside factors.  The best way that I can illustrate what can go wrong with restore is through horror stories from cases that I have been involved with.

Lightning Strikes

Here is the unluckiest case I have come across.  The company did everything right: tapes were taken offsite, and a restore was scheduled one weekend every 6 months.  Each practice worked perfectly.  One day came a bolt from the blue.  Literally, lightning struck their building and the computer building was burned out.

Insurance took care of the recovery costs, and in 6 hours the new servers arrived along with a mobile building and generator.  A courier was despatched with backup tapes, exactly what happened on that flooded road nobody knows, but the upshot was the courier slid under a lorry.  Fortunately the motorcyclist survived, but the tapes were crushed under the truck's wheels.  Naturally, they had other tapes but they were two days old, and they never did recover all the data.

Bishopsgate Backup Tapes

September 11th was a terrible disaster.  However, by all accounts recovering the computer systems went off without a hitch.  I would like to contrast the Twin Towers disaster with an IRA terrorist bomb which was exploded on April 24 1993 in Bishopsgate, London.  In this English disaster only one person was killed, but it devastated the financial computer community.

I was in London at that time and the rumours circulated that the banks had no backups.  Word was that customer services had to phone their clients and ask 'Ah hmm, exactly how much money have you got in your account?'  People smirked and said, if only they had asked me, 'I would have told them 1 million'.  The story was believable because the banks' second question was, 'Can you prove it with the last bank statement!'

Well, I repeated this story to quite a few clients.  Then one day I spoke to a chap from Digital.  He listened politely then said 'I was on that case, and you were not far from the truth'.  'Yes of course they had backups, the assistant manager had a garage full of tapes.  However, the problem was that there was no machine in the world that could restore the tapes, the VAX machines were so ancient there was not a compatible machine anywhere.'

Classic Mistake

Often people get in a groove with backup: the job runs, the event log reports success, the tape looks good, you tick the calendar.  But then you get a new system and you save the data to a new folder on a different partition, F:\data.  However, Mr Nobody changed the backup to reflect the new path.  As a result, one day when you try a restore, there is nothing on the tape from F:\.  It goes without saying that it's not the backup's fault; once again it is a human logic error.

The Boss from Hell

My last story is amusing in the telling, but was far from funny at the time.  The boss bought a box of tapes and showed the timid assistant how to insert the first tape into the DAT drive.  On the Monday the backup worked perfectly.  However, on Tuesday the operator could not remove the cassette.  So, being timid but resourceful, they unscrewed the Tippex bottle, painted out Monday's date and over-wrote it with Tuesday's date.  Guess what happened when the boss needed to restore last week's data?  All that was on the tape was yesterday's incremental backup.  When he looked in the box, 23 tapes were still in their cellophane wrappers.  The restore did a perfect job on the incremental tape, but it was a management problem that was responsible for the lack of a normal backup tape.


Disaster Recovery in Windows Server 2003 - SAN and NAS

Introduction to SAN and NAS Disaster recovery strategies

Imagine this scenario, the disk is the bottleneck on your database server.  At this time you are also investigating disaster recovery options.  Storage Area Network (SAN) would solve both problems by delivering fibre optic speed and a separate secure storage for your data.  Incidentally, you often need 2 or 3 reasons before you embrace any new technology.

SAN and NAS could be deployed separately, but working together, SAN provides fast scalable storage while NAS provides clustering and gives file-level access to the data.  More and more, SAN and NAS will be thought of as an inseparable pair, like 'TCP/IP'.


Direct Attached Storage (DAS)

DAS is an acronym that has been invented to describe a hard drive.  I just mention this way of thinking of your discs because it provides a baseline for performance when you look at alternative storage devices like NAS and SAN.

Storage Area Network (SAN)

Because departments are better at collecting information, there is increasing pressure on the administrator to maintain a fast network, while keeping the data secure.  SAN is a great answer to data management overload.

The SAN disk storage subsystem connects to the server through Fibre Channel.  This channel has an HBA (Host Bus Adapter) on the server connecting fibre-optic cables to the switching device, and finally on to the storage array.

Conceptually, a SAN is a separate array of storage devices.  Think of a SAN as a separate back-end network which is dedicated to data storage.

One advantage of SAN is that you can make server-less backups.  This not only removes the load from the server, but also eliminates network traffic during backup.

Tip: I once asked a professor of Botany the best way of growing tomato seeds.  He said, 'Guy, read the packet; it's in the gardener's interest to give you the very best information on growing their seeds right there on the packet'.  The relevance here is, if you want to know the technical specification for SAN, then who better to contact than the manufacturers.

I have long since given up posting links to manufactures because they get out of date so soon, however a search in Google.com for SAN and HP, or Intersan or Veritas or Monosphere will help you.

Network Attached Storage (NAS)

Think of NAS as your gateway to the SAN.  The NAS devices bring an extra level of fault tolerance to the network.  With hard disks, if the server is down then data cannot be accessed by the clients, but with NAS, the data is still available on the network and accessible by clients. You can also use RAID tactics with NAS and so ensure that the NAS device is not a single point of failure.

NAS (Network Attached Storage) is a data storage mechanism that uses devices connected directly to the network media.  Each device has its own IP address and is connected to the server which acts as a gateway to the data.

The advantage of the NAS structure is that you can have different operating systems connected to a centralised storage area.  Another plus is the improved management, backup and physical security of your data.  One simple example of NAS is a CD-ROM 'jukebox' that is connected directly to the network.

SCSI and Fibre Channel

These are the two mechanisms for connecting the server to the data stores.  Fibre Channel as expected uses Fibre optic and is serial in nature.  SCSI uses ethernet and is parallel in operation.  The situation is that Fibre Channel is expected to replace SCSI because of its speed and scalability.  Fibre Channel has its own switches and protocol and uses the HBA (Host Bus Adapter) as a replacement for the SCSI adapter.  SCSI is not giving up the battle and you may see iSCSI a faster internet version.

Logical Unit Numbers (LUNs)

Storage subsystems have an IP address on their I/O bus (SCSI ID or HBA).  Inside the storage system will be arrays of disks.  Areas on these disks are accessed by their LUN (Logical Unit Number).  LUN security is a feature of the storage subsystem which limits access to HBAs.  Access to a given LUN is granted based on the World Wide Name (WWN) of the Host Bus Adapter (HBA).

A server device name is bound to a LUN through a specific HBA and eight-byte storage port WWN.  Each server HBA is explicitly bound to a storage volume or LUN and access is explicitly authorized.

[Table: suggested Exchange disk layout by number of users (500 - 1000, 1500 - 2000, and 3000) across Disks 1 to 14, with two alternatives per user band: EDB and public folder stores on RAID 5 or RAID 1+0; log files on RAID 1+0; NAS LUNs on RAID 5, 1+0, or ADG.]

 Windows Storage Server is designed to 'house' your NAS,


Windows Storage Server 2003

Introduction to Windows Storage Server

'Increase efficiency and reduce complexity' is Microsoft's catch phrase for their Storage Server 2003.  This server is dedicated to looking after your data files and replaces NAS 2.0 on Windows 2000.  Windows Storage Server is a separate product dedicated to NAS (Network Attached Storage).  Naturally, it integrates with Active Directory for the file permissions on the stored data.

Windows Storage Server 2003 (NAS Gateway)

This Microsoft product is designed to solve the following problems with data that could have built up over a number of years in your organization.

For too long you have been adding an assortment of disks and servers to patch up the users' insatiable demands for data storage.  Now you want a unified, state-of-the-art solution.

You narrowly avoided a disaster when your database server was offline for a day.  So you want an opportunity to improve your disaster recovery options.  Backup has been a nightmare and people are openly questioning whether a restore will actually work. 

Managing your data has become too complex.  There are too many servers, each playing a different role in data access.  You want a front-end application server and a back-end storage area with easy backup and restore.

Improved features you get with Storage Server 2003

NAS 2.0 ran on Windows 2000, this has been superseded by Storage Server 2003 which runs on Windows Server 2003.

Downside of Windows Storage Server:

Storage Server cannot double up as a SQL or Exchange application server.  However it does integrate fully with Active Directory, in the sense that it can be a member server in the domain and will apply Group Policies.  It does work with MOM (Microsoft Operations Manager) and SMS (Systems Management Server).


Disaster Recovery - System State in Windows 2003 Server

Introduction to the System State in Windows 2003 Server

In disaster recovery, planning, prevention and preparation are your watchwords.  Whichever backup software you use for Windows Server 2003, take a minute to tick the System State box.  This page also features ASR and creating a bootable system disk.

Windows Server 2003 System State

System State - Components

Here is a list of all the components contained in the Windows 2003 System State.

The System State has a specialist job, namely to restore the operating configuration files.  Before you install a new application, driver or hotfix, think: 'what will be my fall-back position if the server crashes?'  Microsoft's best practice would say: create a System State backup for the Windows 2003 operating system, then you can roll back if there is a problem.  In reality, once you take these protective measures the application, driver or hotfix never gives any problem.  However, the one time you forget to back up the System State, 'Murphy's law' says disaster will strike your server.

Driver Roll Back

Another alternative for a sickly machine is to repair a dodgy driver by rolling back to, 'one that I saved earlier'.  If you suspect that your latest driver is faulty, then navigate to the Device Manager and check for a red X next to the device.  To attempt a cure, select Properties, Driver (Tab), Roll Back.

Note: Driver Roll Back is a different option from Restore Point.  Moreover, unlike XP, there is no Restore Point option in Windows Server 2003.

ASR (Automated System Recovery)

ASR (Automated System Recovery) is Windows Server 2003's replacement for NT4.0's RDISK.  I have to say that I have never had any success with ASR.  The idea is worthy, all the registry configuration settings can be saved and later restored.  The fatal flaw is that the ASR disk has to be updated manually every time you make a change, and for ordinary mortals that just does not happen.  If there is one thing worse than not having an ASR it is having an out-of-date disk which corrupts the system.

If you wish to create an ASR disk then click Start, Programs, Accessories, System Tools, then click Backup.  Amateurs believe that the ASR is bootable - wrong.  However, you CAN create a bootable System Disk as explained in the next section.

Bootable System Disk

The floppy disk that I have in mind here has many names: system disk, boot disk, startup disk.  Whatever the name, the purpose of this simple floppy is to boot a broken machine.  This 'get out of jail' disk will help when you boot a machine and see a message saying: 'Cannot find NTOSKRNL.EXE.'   The error sounds vicious, even terminal, but there is a simple solution - a system disk.

If you are Mr Organized then you will have your system floppy disk at the ready.  However if you need to create a disk then take a blank floppy to another Windows Server.  Remember to start by formatting the floppy within Windows 2003, next, copy NTLDR, NTDETECT.COM and Boot.ini to the floppy.  The secret of getting this floppy to boot the server is understanding Boot.ini.

Sample Boot.ini

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect

In most instances changing the partition number will cure the problem.  Partition(1) corresponds to the C:\ drive and Partition(2) to the D:\ drive.  Thus, you can make an educated guess as to which number to try on your server.

If you have time you could add other lines, each with a different partition number.  With a little care and trouble, you could make a boot.ini with a dozen lines that would start Windows 2003 on a large variety of disks and partition numbers.

If you have mirrored RAID disks then edit the boot.ini to reflect the pair of disks (same partition number):

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Server 2003 (D0)" /fastdetect

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Server 2003 (D1)" /fastdetect
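Here is an added example, not from the original page, that writes the 'dozen lines' Boot.ini suggested above for a range of rdisk and partition numbers, and then checks the finished file for the defect that most often stops such a floppy working: a default= path with no matching [operating systems] entry. The function names and the menu labels are hypothetical.

```python
"""Build and sanity-check a rescue Boot.ini for a Windows Server 2003 boot floppy.

Hypothetical helper, not from the original page. It emits one [operating systems]
entry per rdisk/partition pair so the NTLDR menu covers many disks and partitions,
and it checks that the default= line points at one of those entries.
"""
import re
from typing import Dict, List

# ARC path syntax used by NTLDR: multi(0)disk(0)rdisk(N)partition(M)\WINDOWS
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<a>\d+)\)disk\((?P<d>\d+)\)"
    r"rdisk\((?P<r>\d+)\)partition\((?P<p>\d+)\)(?P<dir>\\\S*)$"
)


def parse_arc_path(path: str) -> Dict[str, object]:
    """Split an ARC path into its parts; raise ValueError on bad syntax."""
    m = ARC_RE.match(path)
    if not m:
        raise ValueError(f"not an ARC path: {path!r}")
    return {"adapter": m["adapter"], "adapter_no": int(m["a"]), "disk": int(m["d"]),
            "rdisk": int(m["r"]), "partition": int(m["p"]), "dir": m["dir"]}


def build_rescue_boot_ini(rdisks: range, partitions: range,
                          windir: str = r"\WINDOWS", timeout: int = 30) -> str:
    """Return Boot.ini text with one menu entry per rdisk/partition pair.

    The first pair (normally rdisk(0)partition(1), the C: drive) becomes the
    default; the rest appear in the NTLDR menu so the operator can pick the
    disk and partition that really holds Windows.
    """
    entries = [(f"multi(0)disk(0)rdisk({r})partition({p}){windir}",
                f'"Windows Server 2003 (rdisk {r}, partition {p})" /fastdetect')
               for r in rdisks for p in partitions]
    lines = ["[boot loader]", f"timeout={timeout}", f"default={entries[0][0]}",
             "[operating systems]"]
    lines += [f"{arc}={label}" for arc, label in entries]
    return "\n".join(lines) + "\n"


def check_boot_ini(text: str) -> List[str]:
    """Return the problems found; an empty list means the file should boot."""
    problems: List[str] = []
    section, default, os_paths = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line without '=': {line!r}")
        elif section == "[boot loader]":
            if key.strip().lower() == "default":
                default = value.strip()
        elif section == "[operating systems]":
            arc = key.strip()
            try:
                parsed = parse_arc_path(arc)
            except ValueError as exc:
                problems.append(str(exc))
                continue
            if parsed["partition"] == 0:
                problems.append(f"partition(0) is never valid: {arc}")
            os_paths.append(arc)
    if default is None:
        problems.append("no default= line in [boot loader]")
    elif default not in os_paths:
        problems.append(f"default {default!r} has no [operating systems] entry")
    if not os_paths:
        problems.append("no [operating systems] entries")
    return problems


if __name__ == "__main__":
    ini = build_rescue_boot_ini(rdisks=range(0, 2), partitions=range(1, 4))
    print(ini)
    print("problems:", check_boot_ini(ini) or "none")
```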


Disaster Recovery in Windows 2003 - UPS

The Role of the UPS in Disaster Recovery

Those great big batteries at the side of the server are designed to prevent disaster striking should your site suffer a power failure.

I once stopped by at the UPS stand in a trade fair - they had great coffee and I needed a rest.  Now I thought I knew about UPS devices, but the salesmen showed me some extra capabilities for disaster protection.

  1. The most important job of the UPS is to cut in when the power fails.
  2. UPS also protects against 'brown outs' when the light dims but the power stays on.
  3. UPS will also smooth voltage preventing power surges during electric storms.

Additional UPS Features

The system I saw at the trade fair had 'bells and whistles' like short term capacitors and diesel engines that would deliver conventional AC power.  It also had microprocessor sensors and switch over.

A cautionary tale of an UPS disaster

I sometimes take on work on the basis of 'no fix - no fee'.  So I went to a company advertising for a consultant to find the bottleneck on their network.  To my delight I got a contract.  However, when I turned up, there were long faces all round: the server room had been burnt down.

Before I abandoned the job, I thought at least they could tell me what had happened.  After a long pause, the junior techie blurted out that the UPS spilt neat acid onto a pile of paper; the acid burnt the paper, starting a fire.  Cardboard boxes in the room also caught fire and that in turn burnt down the server.  Well, no work for me, but a moral to one and all: add 'I must service the UPS' to your disaster recovery plan.


Disaster Recovery - Volume Shadow Copy (VSS)

Volume Shadow Copy in Windows 2003 (VSS)

Suppose a user wishes to recover yesterday's version of their Word document.  How much would it cost to restore that one file for a user?  If you implement Volume Shadow Copy Services (VSS), then the user can recover the file themselves at no cost to you.

Volume Shadow Copy is one of the least known features of Windows Server 2003.  There are several names for this new service: Shadow Copy, Previous Version, Shadow Copy of Shared folders, Volume Shadow Copy.  Let me help you get started with this wonderful service.

Topics for Volume Shadow Copy

Introduction to Shadow Copy (VSS)

As it is not easy to define this service in one phrase, here is a selection of definitions of Volume Shadow Copy given by the IT press:

Simple way to configure Shadow Copy on a Volume

In Windows Server 2003, each NTFS volume or partition has its own Shadow Copy tab.  Click on the root of any drive, select a volume, then press the Settings button.  Note that the diagram opposite displays the number of shares for each volume.

This is a key point, Volume Shadow Copy will only operate on shared folders.  If you need to make an instant Shadow Copy of your shares, just press the 'Create Now' button.

The next step is to select the Settings button for the drive you want to configure, remember to change the shadow drive by using the Details button.

When it comes to configuring Shadow Copy for file shares, always use a separate volume for the shadow.  Where possible, use a different disk for performance and fault tolerance.

The default timing for creating a Shadow Copy is twice a day, at 7:00 and 12:00.  If you are keen to get the most out of Shadow Copy, then analyze your users' work habits and devise a better schedule.  I would advise against going mad and creating too many copies.  Bear in mind that there is a limit of 64 shadow copies before the first one gets overwritten.  Therefore part of your plan should be to calculate how long it would be before a copy is erased.

How to Manage Volume Shadow Copy in Windows 2003

I do like to work from my MMC or 'Mission Control', therefore when I need to configure Volume Shadow Copy, I go to the Shared Folder snap-in.  The alternative route is to launch Computer Management and select Shared Folders.

Like so many Windows 2003 features, Volume Shadow Copy operates as a service.  You can check the settings through Administrative Tools, Services and verify that Volume Shadow Copy is set to Start Automatically.

Volume Shadow Copy Clients

As I mentioned earlier, the key point to remember with Shadow Copy is that it operates on shares and not all folders.  It also follows that the XP machines need a TWClient (Shadow Copy Client), so to deploy the client, firstly, share out this folder:
%SystemRoot%\system32\clients\twclient

Next send a memo to your users explaining how to install the client.  You could give step-by-step instructions on how to connect to the \\server\twclient share and install the client.  Perhaps an even better idea would be to cut out the user and install twclient via a Software Group Policy.  (Incidentally, if anyone knows what TW in Twclient means, please email me.)

Finally, when your users at these XP clients wish to retrieve a previous version of a file, explain how to connect to the share on the server, and then select the 'Previous Version' tab from the file in question.

Note: when testing, make sure that you make a change in the file, otherwise File Versions will be blank.  In extreme cases this oversight can mean that you erroneously undo all the Volume Shadow Copy configuration.

Best Practices for Backup and Volume Shadow Copy

If you use Windows 2003's backup (much improved over Windows 2000), always make sure Volume Shadow Copy is enabled.  That way you can be sure that any open files will be included in the backup.  Fortunately, by default, Volume Shadow Copy is selected, my advice is to leave the setting enabled.

Summary of Volume Shadow Copy (VSS)

Shadow Copy, or Volume Shadow Copy Service (VSS), is one of the hidden jewels of Windows Server 2003.  Take the time to set up shadows on your file servers, and roll out the twclient via Group Policy.


Security in Windows Server 2003

Introduction to Security in Windows Server 2003

Good news, at last Microsoft are serious about security in Server 2003.  With NT 4.0 and even Windows 2000, ease of use has been the watchword, but now in Server 2003, security is top of the agenda.

My goal in this section is to give you an insight into the range of improvements to security in Server 2003.  The pages are full of tips and explanations of how to configure the settings.

Security Topics in Windows Server 2003

Indications that Microsoft are serious about security

The list below is not meant to be exhaustive, I selected the topics to show the variety of ways that Microsoft are implementing security in Server 2003.

CRL - (Common Runtime Language)

I have chosen CRL first not because it's the best security feature, but because it encapsulates the spirit of security in Windows Server 2003.  CRL makes a dry run before the code actually executes.  It checks that a program can run without errors before actually executing it.

Kerberos Security

Kerberos security deals with all aspects of authenticating users.  In practical terms I could break NT 4.0 passwords with a freely available program called L0phtCrack, but thanks to Kerberos, Windows 2000 and Server 2003 passwords are immune from such attacks.  I have a whole page on the concept and configuration of Kerberos Security.

Microsoft claim to have examined every line of code

Just in case you always think I take Microsoft's side, my view is it would be better if Microsoft allowed open access to the code rather like the Linux model.  Nevertheless it is reassuring that they have re-checked the code to look for security flaws.

Internet Explorer

In IE 6.0 for Windows Server 2003, the Security Level is set to High by default.  This is an example of more security making it more difficult to use.  In fact I found I had to add a server on my network to the Trusted Zone before I could open an Access database across the network.

Default Permissions

The default NTFS permissions in Server 2003 are: Users Read and Execute, Administrators Full Control.  This is much better than the old system where the group Everyone had Full Control.


Accounts Security in Windows 2003

Introduction to Accounts Security in Windows Server 2003

There is a great deal that you can do to enforce account security, but before you get too carried away, ask yourself these two questions:

  1. Who are our enemies?  Internal meddlers,  external hackers or both?
  2. What is our security level? Low, Medium, or High. (High would be banks, MI5 or CIA)

My point is that too much security could alienate your work force, especially if the reasons for your measures are not properly explained.  So integrate your security with your company culture and give horror stories to explain why account security is necessary.

Topics for Account Security

Security concerns

The fear is that non authorized people will misuse your network resources.

What are these people like?  Malicious, opportunistic or just curious.

What might they do?  Steal data, read information or just alter settings.

How do they gain access?  Guess passwords, sit down at unattended machines or just read post-it notes with passwords.

How do you stop these intruders? 

Methods include:

Develop a vision

Make it your goal to allow the good guys to work unhindered whilst keeping out the bad guys.

Involve someone who knows the users and understands how they work and what they think.  Commit to developing and evolving your account security policy.  If it proves too draconian, slacken off; if it is breached, tighten up in the light of experience.

Where do you apply the security? 

Through Group Policy, at the Domain level (not the OU or Site level).

The picture opposite shows what Windows Server 2003 offers.  If you choose 'Password must meet complexity requirements', it means upper case, lower case, numbers and non-alphanumeric characters (@ #).

Make users change their passwords every x days, and remember the last y passwords.  Note: set a minimum password age, or else they will just cycle through y passwords in their tea break and come back to the original password!

What other settings can you apply through Group Policy?  Check out the Account Lockout, this is where you can stop malicious people endlessly guessing someone else's password.  The downside with setting the values too low is that people may forget their own password and lock themselves out, thereby causing resentment and extra work for the help desk.

Technology to the rescue - smartcards

User authentication is a fundamental property of all computer systems.  Passwords have always been the Achilles heel of computer security.  Smart cards in some shape or form, have been 'around the corner' for about ten years.

I predict that within 5 years password logons will be obsolete.  What will replace them?  Smart cards, fingerprint logon, retina scanning or some other technology.  In fact if there were one clear market leader then the solution might be more obvious.

My advice is to consider what $25 will get you in the way of smart card keyboard attachments.  The costs of doing away with passwords will pay back handsomely when you consider support calls and user frustration.  Let us not forget the overall goal, a secure and friendly system.

Once you have the hardware, the software is easy, just check out the User Properties, Account tab.

Understanding the technology will help you secure your system.  Guy's rule of thumb is that the more security you have the more difficult it is to understand and the more work there is configuring it.  Nevertheless you must secure your system and to do that you have to understand the components and procedures involved in Windows Server 2003.


Security and Active Directory 2003

Introduction to Active Directory Security

When you plan your Active Directory Forest, take the time to consider security.  A few minutes planning could save you hours of rework and the cost of unnecessary domain controllers.

Topics for Active Directory Security

Criteria for a second domain

Back in the 1990's when NT 4.0 ruled the roost, the big problem was too many domains.  The cause was partly the size limitation of the SAM database and partly the culture of each manager wanting their own domain.  Active Directory removes the size limitations, so you now need to apply fresh criteria when deciding how many domains you need.  Here are some possible reasons:

Security - The need for different security policies

International incompatibility - Different languages, different encryption standards

Pure 'ring fence' security - Concept of a blank root domain

Directory synchronization traffic - A valid reason for a second domain, but the reason is lack of bandwidth rather than a security limitation

My point is that security considerations are the prime reason for creating more domains.  More domains mean greater costs on domain controllers and increased complexity for configuration.  So have a good reason to create that second or third domain.

Group Policy

Prevention is better than cure, and good group policy will prevent security breaches, for example:

Special Accounts and Groups

THE Administrator

The number one job that you can do to improve security is to rename the original Administrator.  Why is this?  Every hacker knows: if it's UNIX, go for the root user; if it's Windows, go for Administrator.  You could even create a spoof Administrator account with no privileges and monitor whether anyone tries to log on with that account.

Enterprise Admins

Only in the root domain do you find Enterprise Admins.  Members of this group can create accounts in any of the other domains, so they are more powerful than the Domain Admins or local Administrators.  Best practice is to limit members of this group, or even leave it empty, only adding users when needed and then removing them.

Schema Admins

This group is needed when you extend the Schema, as when you install Exchange.  Members of this group could cause havoc if they carelessly or recklessly experimented with the schema for no good business reason.


Auditing in Windows Server 2003

Introduction to Auditing in Windows Server 2003

If you are serious about security, then you must schedule time to examine your security logs.  If this means that you are swamped with data, then either filter the events, or change your policy to collect less data.  This section concentrates on configuring and interpreting account logon entries in the event viewer.

Topics for Auditing

Where do you find the audit settings?

You can configure Windows Server 2003 audit settings in several places.  Please check BOTH these locations:

  1. Active Directory Users and Computers \domain\properties\group policy. 
  2. All Programs, Administrative Tools, Domain Controller Security Policy. 

Once you open the policy, navigate to this path: (See Diagram Below)
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

If all else fails then call for the built in help and it will give you a link to the correct path.

Audit Traps

1) Check which policy you are configuring:

Policy for Domain Controllers or the Default Domain Policy

2) Distinguish between these two settings:

3) The default auditing is for success only, so check the Failure box if you want to see Events 675 and 680.

Logon Events to look out for:

Now we switch to the Event Viewer (All Programs, Administrative Tools).  Amongst the numerous events in the Security Log, here are ID numbers to look out for.  To refine your search, select View (menu), Filter.

672 An authentication service (AS) ticket was successfully issued and validated.
673 A ticket granting service (TGS) ticket was granted.
674 A security principal renewed an AS ticket or TGS ticket.
675 Pre-authentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
678 An account was successfully mapped to a domain account.
680 Successful or Failed logon attempt - see Description
682 A user has reconnected to a disconnected terminal server session.
683 A user disconnected a terminal server session without logging off.

The following events are not generated in Windows XP or in the Windows Server 2003 family, so they must come from NT 4.0 or Windows 9x machines.

677 A TGS ticket was not granted.
676 Authentication ticket request failed.
681 Logon failure. A domain account logon was attempted.

Failure Codes for Event 675 - see diagram.

Use the View (Menu) filter and enter 675 in the Event ID.  If you do not get any of these events, then deliberately logon to the domain controller with the wrong password or account.

Once you double click an event, check the extra information in the Description.

Here are some useful codes.

0x6 The username does not exist

0x17 The account has expired

0x18 Username exists, but password is wrong

0x25 Workstation's clock is out of synch

Troubleshooting: if you do not get any 675 events when you log on with the wrong password, check the Audit Traps section above.

Failure codes that you see with event ID 680 

3221225572 User logon with misspelled user account
3221225578 User logon with misspelled password
3221225584 User logon from unauthorized workstation
3221225585 User logon with expired password
3221225586 User logon to account disabled
3221225875 User logon with expired account
3221226036 User logon with account locked
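The two code tables above are easier to use when a script does the lookup, so here is an added example, not from the original page. It decodes 675 and 680 events into the reasons listed above, shows that the 680 codes are NTSTATUS values printed as unsigned decimal (3221225578 is 0xC000006A), and flags accounts that collect a burst of wrong-password failures, which is what password guessing looks like in the Security Log. The records are constructed samples in a flat key=value form standing in for the Description text; the user names other than GuyT, the field layout and the threshold are assumptions.

```python
"""Decode and triage the 675 and 680 logon-failure events listed above.

Added example, not from the original page. SAMPLE_LOG is a constructed stand-in
for the Description text of real Security Log entries; a collector would feed
those in instead. The threshold and window for "guessing" are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Event 675 (Kerberos pre-authentication failed) codes, as listed on the page
KDC_ERRORS = {
    0x6: "username does not exist",
    0x17: "account has expired",
    0x18: "username exists, but password is wrong",
    0x25: "workstation clock is out of sync",
}

# Event 680 failure codes exactly as the Event Viewer prints them (decimal)
STATUS_ERRORS = {
    3221225572: "misspelled user account",
    3221225578: "misspelled password",
    3221225584: "unauthorized workstation",
    3221225585: "expired password",
    3221225586: "account disabled",
    3221225875: "expired account",
    3221226036: "account locked",
}

# (event id, code) pairs that mean "right account, wrong secret"
GUESS_CODES = {(675, 0x18), (680, 3221225578)}


def ntstatus_hex(decimal_code: int) -> str:
    """3221225578 -> '0xC000006A', the form used in NTSTATUS documentation."""
    return f"0x{decimal_code & 0xFFFFFFFF:08X}"


def parse_event(line: str) -> Dict[str, object]:
    """Parse one constructed 'time=... id=... user=... code=...' record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    event_id = int(fields["id"])
    code = int(fields["code"], 0)  # base 0 accepts both '0x18' and '3221225578'
    if event_id == 675:
        reason = KDC_ERRORS.get(code, f"unknown KDC code {code:#x}")
    elif event_id == 680:
        reason = STATUS_ERRORS.get(code, f"unknown status {ntstatus_hex(code)}")
    else:
        reason = "not a logon failure event"
    return {"time": datetime.fromisoformat(fields["time"]), "id": event_id,
            "user": fields["user"], "code": code, "reason": reason}


def find_guessing(events: List[Dict[str, object]], threshold: int = 5,
                  window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {user: total wrong-password failures} for every account that has
    at least `threshold` such failures inside one sliding `window`."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if (ev["id"], ev["code"]) in GUESS_CODES:
            by_user[ev["user"]].append(ev["time"])
    flagged: Dict[str, int] = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = len(times)
                break
    return flagged


# Constructed sample: a guessing burst on GuyT, a typo by Nuala, clock skew on Billy
SAMPLE_LOG = """\
time=2005-03-01T08:00:05 id=675 user=GuyT code=0x18
time=2005-03-01T08:00:20 id=675 user=GuyT code=0x18
time=2005-03-01T08:00:37 id=680 user=GuyT code=3221225578
time=2005-03-01T08:01:02 id=675 user=GuyT code=0x18
time=2005-03-01T08:01:30 id=675 user=GuyT code=0x18
time=2005-03-01T08:05:00 id=675 user=Nuala code=0x6
time=2005-03-01T08:06:00 id=675 user=Billy code=0x25
time=2005-03-01T09:40:00 id=680 user=Billy code=3221225578
"""


def triage(log_text: str) -> Dict[str, object]:
    """Summarise a log: how often each reason appears, and who is being guessed."""
    events = [parse_event(ln) for ln in log_text.splitlines() if ln.strip()]
    return {"reasons": Counter(ev["reason"] for ev in events),
            "guessing": find_guessing(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for reason, n in report["reasons"].most_common():
        print(f"{n:3d}  {reason}")
    print("accounts under guessing:", report["guessing"])
```

A flagged account is one to investigate (and to look up the source workstation for) before Account Lockout turns the guessing into a help desk call.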


Certificate Server in Windows  2003

Introduction to Certificate Server

Certificates feature in more and more Server 2003 locations: smart card login, EFS, and IPSec, to name but three.  In fact certificates are just part of a larger PKI (Public Key Infrastructure) topic.

Topics for Windows Server 2003 Certificates

Certificate Principles

When you receive data you want to be sure that the sender is who they say they are.  You also want to be reassured that the packets have not been read or tampered with en route.  Certificate Services are designed for this scenario where you need secure authentication and encryption.

The principle of encryption is to change plain text into cipher text during transport and then decode back to readable text at the other end.  Unlike Kerberos, where only one key is involved, Certificate Services encrypt and decrypt using a public and private key pair.

Viewing your certificates

The private key is kept with your user profile, but you can easily check the certificate corresponding to your public key by:

1) Viewing your Active Directory certificates by adding a snap-in to your MMC.  Start, Run MMC, File (Menu) Add Snap-in, Add, Certificates.

2) Alternatively you can check your Internet Explorer, Tools, Internet Options, Content, Certificates.

Also, once you have installed Certificate Services on the Windows Server 2003, clients can apply for certificates through their browsers, for example http://dealer/certsrv; substitute your server name for dealer, but type certsrv as shown.  Troubleshooting: check IIS has started.  I once found the port had been set to port 90 instead of 80.

Certificate Models

Think of certificate authorities as you would driving licence authorities.  You can get a government driving licence with a picture and issue number, or you can go to the fairground and get a 'Mickey Mouse' licence.

To decide which model is best for you, consider these two questions,

  1. Will you authorize your own root server, or will you be a subordinate of a respected certificate authority like Verisign?
  2. Will you use Active Directory, or is your certificate server so important that it should be secured offline in a locked office?

Here are the four certificate models:

Certificate Configuration

Certificate Services is installed through Add or Remove Programs \ Windows Components; and just like other services such as DHCP or IAS, you configure Certificate Services through the Administrative Tools.

Personally, I prefer to add a snap-in to the MMC; using this technique you can also add a snap-in to examine the User and Computer Certificates.

Check out the Templates to gauge the breadth of purposes for which you can deploy certificates.

Types of Certificates


IPSec in Windows Server 2003

Introduction to IPSec in Windows Server 2003

IPSec deals with encrypting data over the network.  What IPSec does is protect data against those bad people with their protocol analysers.  Encryption prevents these network monitors capturing packets and reading sensitive information inside.  In my mind's eye, using IPSec is like putting one of those clear cellophane envelopes in a sealed parcel.

Topics for IPSec

Attacks that you are protecting against

IPSec Options

The best way to set IPSec is through Group Policies, alternatively, you can check through TCP/IP properties, Advanced.

IPSec is disabled by default; here are the other three settings:

  1. Client (Respond only) Means 'I will speak IPSec if you wish'.
  2. Server (Request Security) Means 'I would like to speak IPSec, but if you cannot comprehend IPSec then I will speak normally'.
  3. Secure Server (Require Security) Means 'I will only speak with clients who understand IPSec'.

IPSec Modes

Transport Mode is designed to ensure that traffic between two machines is secure, for example the Financial Director and the CEO.

Tunnel Mode is to secure traffic between two networks and is particularly useful for VPN traffic where you need encryption over the internet.

The diagram on the right gives a hint that there are a surprising number of settings and properties for IPSec.  In particular I recommend that you check out the filtering tabs.  (If necessary click and enlarge the thumb-nailed picture.)

Encryption Schemes

Remembering that the whole purpose is to encrypt the data leads me to check out the encryption settings.

Authentication

Packet Encryption


Kerberos Security in Windows Server 2003

Introduction to Kerberos Security in Windows Server 2003

My goal on this page is to introduce you to the basics of Kerberos.  Rather like subnet mask and DNS, Kerberos is a complex topic where you need to read three separate accounts, or have three different people explain the concepts, before you truly appreciate all its security ramifications.

My aim is to help you understand what Kerberos will do for your security and to show you where to check or configure the settings.

Topics for Kerberos Security

Where Kerberos came from

In Greek mythology, Kerberos was a three headed dog that guarded Hell.  Fast forward to 1981 and MIT (Massachusetts Institute of Technology), where a researcher coined the name Kerberos to describe a security system he was developing.  Microsoft's involvement with Kerberos came much later when they decided it was time to replace NT 4.0's NTLM security.  So Windows 2000 was Microsoft's first system to implement this Kerberos security standard.

How Kerberos works

The principle behind Kerberos authentication is this: the domain controller's Active Directory knows the user's password and naturally the user knows their password.  So at logon a hashed version of their password is sent to the domain controller; if it matches the stored password in Active Directory, authentication is successful and the desktop appears.

The point is that the domain controller must store an encrypted version of the password - plain text is taboo for storing passwords.  The level of encryption is 56bit by default and can be increased to 128bit at least in the US.

Terms you need to know

Kerberos uses a single key to encrypt and decrypt the password. Other terms for this process are private key, single key, or shared secret. When the server stores the password it is said to be hashed and one way encrypted.

User accounts and computer accounts are referred to as security principals, indeed, everything that has a password is known as a security principal.

When it comes to configuring Kerberos you will see that it has two aliases.  On domain controllers, when you check the Services, you see not Kerberos but the alias Key Distribution Center (KDC).  Technically Kerberos is implemented as SSP and SSPI (Security Service Provider Interface).  In addition to logon authentication, SSP ensures that data is not read or modified during transit.  (SSP has no easy configuration interfaces.)

Kerberos Tickets

Once the user has been authenticated by the server, they are given a ticket.  I think of the ticket as being attached to the Explorer, so wherever you explore your ticket gains (or denies) entry.

Just as a theatre ticket is printed for a particular seat \ show and time, so a Kerberos ticket is 'printed' with the user's Domain UserName and the time that the ticket is valid.

Your logon password gets you a ticket; when the user wants resources they present this ticket rather than risk sending a password.  This method allows for stronger encryption on the ticket than a password allows.  For instance the ticket encryption includes time-based elements which make it difficult to intercept.

In the literature you may see reference to Ticket Granting Ticket and Session Tickets.  The idea is that once the user logs on they get a master ticket or Ticket Granting Ticket. 

If users want resources from a different server they get a second Session Ticket which is only valid for a limited time for a particular purpose.

Provided the user remains logged on the tickets are renewed automatically.  All of this underlying technology is hidden from the user and indeed from the administrator.

The default ticket lifetimes are controlled at the domain level by using domain policy. The defaults are:
MaxServiceTicketAge: 10 hours
MaxTicketAge: 10 hours
MaxRenewAge: 7 days
MaxClockSkew: 5 minutes

Kerbtray

If you need to see more details of the tickets, get Kerbtray from the resource kit.

Troubleshooting Kerberos and DNS records

At login, clients need to contact their domain controllers.  DNS provides the IP address of the domain controllers.  When troubleshooting connection problems, I would first check the client's TCP/IP settings.  In particular I would use IPCONFIG /all to make sure the client can query the DNS server.

The next place I would examine is the SRV records on the DNS server.  Windows 2003 clients use DNS's SRV records to locate domain controllers, in particular they attempt to resolve the _ldap._tcp.dc._msdcs SRV records.  Windows 2000/3 domain controllers also publish SRV records for _kerberos and _kpasswd services. The list of published SRV records can be found on a domain controller in the following file:
%Windir%\System32\Config\Netlogon.dns
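As an added example that is not part of the original page, here is a small Python check that parses lines in the layout of Netlogon.dns (a constructed sample for the hypothetical domain example.local) and reports whether the _ldap._tcp.dc._msdcs, _kerberos and _kpasswd SRV records a client needs are present and on the expected ports:

```python
import re

# Constructed sample in the layout of Netlogon.dns; not taken from a real domain controller.
SAMPLE_NETLOGON_DNS = """\
example.local. 600 IN A 10.0.0.5
_ldap._tcp.example.local. 600 IN SRV 0 100 389 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc1.example.local.
_kerberos._tcp.example.local. 600 IN SRV 0 100 88 dc1.example.local.
_kerberos._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 88 dc1.example.local.
_kpasswd._tcp.example.local. 600 IN SRV 0 100 464 dc1.example.local.
"""

# name TTL IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_srv_records(text):
    """Return {name: [(priority, weight, port, target), ...]} for the SRV lines only."""
    records = {}
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue          # A records, blank lines and anything else are skipped
        name, _ttl, prio, weight, port, target = m.groups()
        records.setdefault(name.lower(), []).append((int(prio), int(weight), int(port), target))
    return records

# The records a Windows 2000/2003 client looks for at logon, with the port each should advertise.
REQUIRED = {
    "_ldap._tcp.dc._msdcs.{d}.": 389,   # domain controller locator
    "_kerberos._tcp.{d}.": 88,          # KDC
    "_kpasswd._tcp.{d}.": 464,          # Kerberos password change
}

def missing_logon_records(text, domain):
    """List the required SRV names that are absent or advertise the wrong port."""
    records = parse_srv_records(text)
    problems = []
    for pattern, port in REQUIRED.items():
        name = pattern.format(d=domain).lower()
        entries = records.get(name, [])
        if not entries:
            problems.append(f"missing {name}")
        elif all(entry[2] != port for entry in entries):
            problems.append(f"{name} not on port {port}")
    return problems
```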

Time Configuration

Time synchronization is crucially important for Kerberos.  Fortunately the built-in Windows Time Service on XP and Windows 2000 Professional synchronises automatically with the PDC Emulator (a special domain controller; see FSMO), so there is no need to create a special logon script for XP and W2K Pro clients.

KDC Service (Key Distribution Center)

Check that the KDC service has started on the domain controllers: Administrative Tools, Services.

Note: Telnet and FTP do not use Kerberos.


L2TP Certificates in Windows Server 2003

Introduction to L2TP Certificates

L2TP (Layer 2 Tunneling Protocol) is the preferred method to secure data over a VPN.  The other alternative, PPTP (Point to Point Tunnelling Protocol), is less secure and slower.  For instance, only L2TP allows IPSec data encryption.

L2TP Mission

To make an L2TP VPN connection between a client and server.  This turned out to be one of my most difficult configuration tasks in the whole of Windows 2003; it took two of us three days to get it to work.  (We did have other jobs during the three days.)

Getting to first base

The goal here is to get a default VPN working over the LAN.

At the Server

The first stage was easy: configuring RAS on the Windows Server 2003.  Right click the server object and select the third radio button, Virtual Private Network (VPN) and NAT.  Then select the network connection and configure a DHCP scope.

Trap One

The default Remote Access Policy denies anyone logging in.  The fix is easy: change the radio button to Grant remote access.

Trap Two

Check the test user who will dial in: Properties, Dial-in (tab), set to Allow access or Control access through group policy.  If necessary, raise the domain level to Windows 2000 native or Windows Server 2003.

At the client

Network Connections, New Connection.

Trap Three

Select 'Do not dial an initial connection' - remember this is a LAN experiment.

You should now have succeeded in connecting using a VPN over your LAN; the proof will be a new computer icon in the notification area (Systray).

Home run - connect your VPN using L2TP

The problem is - you get error messages when you select L2TP.

From the client you select the VPN, Properties, Networking, Type of VPN and change Automatic to L2TP.  You get error 789, 769 or 800.

The solution is - install a certificate.

Note: we were using a Windows Active Directory (enterprise) CA; if you are using a stand-alone certificate server the procedure is slightly different.

Trap Four

Do use a client on a different machine.  Whilst you can normally test RAS clients on the server itself, that does not work for L2TP.

Instructions

  1. From the client request a certificate from the server http://serverIP/certsrv (not certSVR).
  2. Select Advanced Request, Submit a certificate request to this CA using a form
  3. Select Administrator (User is the default).  Leave all the other settings as default.
  4. Scroll down and press - Submit
  5. The Install this certificate screen should appear.

Now try to connect using an L2TP VPN.  At the client: Network Connections, select the VPN, Properties, Networking, Type of VPN, and change Automatic to L2TP.

Troubleshooting

Restart the RRAS service rather than rebooting the server.


Security Analysis Snap-in for Windows Server 2003

Introduction to Security Analysis Snap-in Windows Server 2003

Two features I particularly like about the Security Configuration and Analysis snap-in are, firstly it provides a record of the changes you make and secondly it allows you to experiment with templates before actually applying the security settings.

Security Templates

Before you use the Security Configuration and Analysis tool, familiarise yourself with the Security Templates.

Establish a roll-back position by selecting the template nearest to your situation, then use Save As and choose a different file name.  Work on your copy and keep the original, should you need to roll back.

Security Analysis

When you right click the Security Configuration and Analysis snap-in, you have options to Analyse or Configure - be very careful with Configure Computer Now.  The idea is to master test configurations by comparing templates with the current configuration.  Only when you are happy should you move on to the next stage.  My suggestion is to alter the template, then right click the snap-in and Import Template.

The legend in the diagram is clear: a tick means no change, and a red X highlights settings that will be changed if you apply the template.
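To make the tick/X comparison concrete, here is an added Python example (not the snap-in's own code) that reads the [System Access] section of a constructed template fragment in .inf layout, compares it with a constructed set of current machine settings, and lists exactly what Configure Computer Now would change, which doubles as the roll-back record:

```python
import configparser

# Constructed fragment in the layout of a security template (.inf); not a real template.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordHistorySize = 24
LockoutBadCount = 5
MaximumPasswordAge = 42
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed 'current configuration', as Analyse would read it from the machine.
CURRENT_SETTINGS = {
    "MinimumPasswordLength": "6",
    "PasswordHistorySize": "24",
    "LockoutBadCount": "0",
    "MaximumPasswordAge": "42",
}

def load_system_access(template_text):
    """Return the [System Access] entries of a template as {name: value}."""
    cp = configparser.ConfigParser(interpolation=None)   # '$' in signature is literal
    cp.optionxform = str          # keep the INF's CamelCase key names
    cp.read_string(template_text)
    return dict(cp["System Access"])

def analyse(template_text, current):
    """Mimic Analyse: 'tick' where the machine already matches, 'X' where applying changes it."""
    report = {}
    for name, wanted in load_system_access(template_text).items():
        have = current.get(name)
        report[name] = "tick" if have == wanted else f"X ({have} -> {wanted})"
    return report

def changes_if_applied(template_text, current):
    """Only the settings Configure Computer Now would alter: keep this as your roll-back record."""
    return {k: v for k, v in analyse(template_text, current).items() if v != "tick"}
```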

Security Configuration

When you have perfected your template, the time has come to select Configure Computer Now (right click Security Configuration and Analysis).  If you have selected an unexpectedly severe setting, just apply the built-in template called Security Setup and revert to the defaults.


Sundry Security Topics in Windows Server 2003

Introduction to Sundry Security Topics in Windows Server 2003

Here are some examples of other security features that Windows Server 2003 provides.

Authenticate in Active Directory

DHCP, RIS and IAS all have to be authorized in Active Directory before they work.  Microsoft's point is that ordinary administrators may start adding more services than are needed.  I can see the point: there are often too many DHCP servers in an organization, so control is useful.

Delegation of Administrative rights

The old dictum of giving the job to the lowest level that has the skill to do it applies to Windows Server 2003 administration: it makes sense to create lots of OUs, then delegate responsibility for routine user tasks like resetting passwords or modifying accounts for joiners and leavers.

Authorization Manager

Authorization Manager integrates role-based access control into applications.  You can provide access through assigned user roles that relate to job functions.  The policy stores are kept in Active Directory or in XML files, and the authorization policy is applied at runtime.

To launch Authorization Manager: Start, Run, azman.msc.

IIS - no longer installed by default

In previous versions of Windows IIS has seemed like a hacker's delight; in Server 2003 it is not installed by default.  Another indication of improved security is that IIS has been radically overhauled and reports version 6.0, while almost all other services report version 5.1xx.  Finally, there is a separate version of Server 2003 dedicated to IIS.

Stored User Names and Passwords

Stored User Names and Passwords is a feature of Microsoft Windows 2000/3 and XP that allows a user to connect to servers using user names and passwords different from those used to log on to the network.

Access is controlled through the Control Panel, Stored User Names and Passwords.

Anonymous User - Everyone

The Anonymous user is no longer a member of the group Everyone.  Moreover the default NTFS permissions have been tightened up, so users only have read permission by default.  Administrators, however, retain full control.

EFS - No longer needs a recovery agent

In a change from Windows 2000, EFS can now be configured even if there is no assigned recovery agent.  As a cosmetic change, encrypted files are now displayed in green.


Top Ten Tips for Security in Windows Server 2003

Guy's top ten tips for Windows Server 2003 Security

Take as your mantra: 'Prevention is better than cure'.  It is more fun configuring the system to prevent security breaches than implementing disaster recovery plans.

1) Administrators Account - needs renaming

If hackers do not know the name, then they cannot start guessing the password.  Choose a name which blends in with the other users.  You could even create a dummy Administrator account with no rights.  Audit the account and see what happens.

Master the Security Configuration and Analysis Snap-in

Use the Templates to check the available security settings for different levels of security e.g. HISECDC - High security settings for a domain controller.

2) Certificates

Take the time to check out the variety of roles where certificates can improve security, examples: EFS, L2TP, and email.  Develop a policy and a strategy for certificates, for example set up your Active Directory certificate authority to be a subordinate of Verisign.

3) Check the Security Logs

It is no use having a marvellous security system if you do not check to see what is happening.  Get to know the significant Security events, such as IDs 675 and 680.
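As an added example that is not part of the original page, the Python below runs over constructed log lines (a simplified comma-separated layout, not the real Event Viewer export format) and counts 675 and 680 failures per account and per source host, which is the sort of check to run when reviewing the Security log:

```python
from collections import Counter

# Constructed, simplified export of Security log entries: date time,event ID,account,source host.
# Not the real Event Viewer export layout.  The IDs are the ones named on this page:
# 675 = Kerberos pre-authentication failed (typically a wrong password),
# 680 = NTLM logon attempt failed.  528 (successful logon) is included as noise.
SAMPLE_LOG = """\
2004-01-05 08:01:12,675,GuyT,10.0.0.21
2004-01-05 08:01:15,675,GuyT,10.0.0.21
2004-01-05 08:03:40,680,Bob,10.0.0.33
2004-01-05 08:10:02,675,guyt,10.0.0.21
2004-01-05 08:10:05,675,guyt,10.0.0.21
2004-01-05 08:10:09,675,guyt,10.0.0.21
2004-01-05 09:15:00,528,Alice,10.0.0.40
"""

WATCH_IDS = {675: "Kerberos pre-auth failure", 680: "NTLM logon failure"}

def parse_log(text):
    """Yield (timestamp, event_id, account, host) for each non-blank line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, host = line.split(",")
        yield ts, int(eid), account.lower(), host   # account names are case-insensitive

def failures_per_account(text):
    """Count 675/680 events per account; other IDs such as 528 are ignored."""
    counts = Counter()
    for _ts, eid, account, _host in parse_log(text):
        if eid in WATCH_IDS:
            counts[account] += 1
    return counts

def hosts_per_account(text):
    """Source addresses behind the failures: one host suggests a mistyped password,
    several hosts for one account is worth investigating."""
    hosts = {}
    for _ts, eid, account, host in parse_log(text):
        if eid in WATCH_IDS:
            hosts.setdefault(account, set()).add(host)
    return hosts

def accounts_to_review(text, threshold=5):
    """Accounts whose failure count reached 'threshold' within the exported window."""
    return sorted(a for a, n in failures_per_account(text).items() if n >= threshold)
```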

4) EFS on Laptops

Equip your laptops with EFS; this will prevent people stealing the files through a parallel installation.  However, it will not provide protection if the thief can guess the user's password.  If you do use EFS, take the time to practise with the recovery agent.  You will find that you have to back up the data and restore it on the server with the recovery agent's certificate.

5) Make the Run As command your friend

Always log on with your ordinary, humble account, and when you want administrative privileges, instead of logging off - which is a pain - use Run As.  You can even modify shortcuts to Run As another user.

6) L2TP for your VPNs, not PPTP.

It seems that PPTP is a favourite choice for hackers, so configure the clients to use L2TP.  However the certificates are awkward to set up, so take care with the instructions.

7) Lock up your Root Servers

Do not neglect physical security, particularly for the servers in your root domain.  Think of the disaster if there was only one root server and it was stolen.

8) Services that you do not use?

If there are any services that you are not using, then make sure they are disabled.  Do you need IIS, FTP or Telnet on the server?  Should clients run VB or java scripting engines or macros?

9) User education

User support and acceptance for your security initiatives will be your unseen friend.  Foster goodwill by explaining why account security is so important.  Reinforce the message with horror stories from other companies.

10) Which service packs do you have?

Back to basics, remember to check for the latest security hot-fixes.  Several of these hot-fixes have prevented virus attacks which have crippled competitors.

Do you have a security tip?  If so let me know and I will include it.


Windows Server 2003 - Command line tools

Here is a collection of my favourite Windows Server 2003 command line tools.  My aim is to offer variety, and I hope you will unearth at least one utility you had not considered.

Ten tools to run from the command line

1) GPupdate - Refreshes Group Policy

The number one question I get asked about Group Policies is 'Why won't they work when I set them up perfectly?'  My answer is, run GPupdate.  Result: Bingo, now they work - very satisfying.

2) WHERE - a command line tool.

When you are at the command prompt you may need to find files.  Try Where, for example, Where /r e:\ *.log

Notes: The /r means 'keep on looking'.  Observe the space between /r and e:\ and also the space between e:\ and *.log.  Where is flexible, and will search for any file pattern that you can think of, for example, *.ini or W*.inf.

3) Systeminfo - pipe O/S details to a text file.

This command gives you a hard copy of the information displayed in System Information (Accessories).  From the command prompt type: Systeminfo > server.txt  Then Notepad server.txt lets you read the data captured.   The > 'greater than' is an old trick to redirect information from the screen into a file.

4) CSVDE - Scripting tool

Ideal for importing and exporting user accounts to and from Active Directory. 

5) LDIFDE - Another scripting tool.

Similar to CSVDE, but also allows passwords to be imported using the unicodePwd attribute. 

6) CMDCons - Winnt32 /cmdcons (Needs server CD)

Take a minute to install this command line program.  It will be a life saver should your system fail to boot.  Install CMDCons and practise copying files, just in case you get a server that will not start because of a corrupted file.

7) IPCONFIG /flushdns

This switch solved a thorny connectivity problem I had with DNS and Exchange 2000.  Discover more new useful switches with Ipconfig /?

8) Robocopy - another gem from the resource kit.

Robust copy is the last word in command line copying.  The syntax can be demanding so store the commands in a batch file. 

9) CMDHere - from the resource kit.

Imagine you are using Explorer.  Suddenly, you need to open a folder in a 'DOS Box'.  It is frustrating to run CMD and change directory about 7 times before you navigate to the right folder.  Install CMDHere and make it one click to your 'DOS Box'.  See Diagram 1.

The CMD.INF installed by the PowerToy (it adds a "CMD Prompt Here" entry to the right-click menu of every folder and drive):

;
; "CMD Prompt Here" PowerToy
;
; Copyright 1996 Microsoft Corporation
;
[version]
signature="$CHICAGO$"
[CmdHereInstall]
CopyFiles = CmdHere.Files.Inf
AddReg = CmdHere.Reg
[DefaultInstall]
CopyFiles = CmdHere.Files.Inf
AddReg = CmdHere.Reg
[DefaultUnInstall]
DelFiles = CmdHere.Files.Inf
DelReg = CmdHere.Reg
[SourceDisksNames]
55="CMD Prompt Here","",1
[SourceDisksFiles]
CmdHere.INF=55
[DestinationDirs]
CmdHere.Files.Inf = 17
[CmdHere.Files.Inf]
CmdHere.INF
[CmdHere.Reg]
HKLM,%UDHERE%,DisplayName,,"%CmdHereName%"
HKLM,%UDHERE%,UninstallString,,"rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultUninstall 132 %17%\CmdHere.inf"
HKCR,Directory\Shell\CmdHere,,,"%CmdHereAccel%"
HKCR,Directory\Shell\CmdHere\command,,,"%11%\cmd.exe /k cd ""%1"""
HKCR,Drive\Shell\CmdHere,,,"%CmdHereAccel%"
HKCR,Drive\Shell\CmdHere\command,,,"%11%\cmd.exe /k cd ""%1"""
[Strings]
CmdHereName="CMD Prompt Here PowerToy"
CmdHereAccel="CMD &Prompt Here"
UDHERE="Software\Microsoft\Windows\CurrentVersion\Uninstall\CmdHere"

10) PathPing - Ping's big brother.

Handy for testing intermittent connections.  PathPing works like ping, except that it probes for 25 seconds and reports the percentage of lost packets.  As a bonus, PathPing shows you the hops, rather like a tracert printout.