RTFM Education - Beyond the Manual

Tips for Windows 2000
Active Directory and General Admin

How to reset the Directory Service Restore Mode Administrator password

In Windows 2000 Server, you used to have to boot the computer whose password you wanted to change in Directory Restore mode, then use either the Microsoft Management Console (MMC) Local User and Groups snap-in or the command

To change the Administrator password. Win2K Server Service Pack 2 (SP2) introduced the Setpwd utility, which lets you reset the Directory Service Restore Mode password without having to reboot the computer. (Microsoft refreshed Setpwd in SP4 to improve the utility's scripting options.) In Windows Server 2003, you use the Ntdsutil utility to modify the Directory Service Restore Mode Administrator password. To do so, follow these steps:

1. Start Ntdsutil (click Start, Run; enter cmd.exe; then enter ntdsutil.exe).
2. Start the Directory Service Restore Mode Administrator password-reset utility by entering the argument "set dsrm password" at the ntdsutil prompt:

ntdsutil: set dsrm password

3. Run the Reset Password command, passing the name of the server on which to change the password, or use the null argument to specify the local machine. For example, to reset the password on server thanos, enter the following argument at the Reset DSRM Administrator Password prompt:

Reset DSRM Administrator Password: reset password on server thanos

To reset the password on the local machine, specify null as the server name:

Reset DSRM Administrator Password: reset password on server null

4. You'll be prompted twice to enter the new password. You'll see the following messages:

Please type password for DS Restore Mode Administrator Account:
Please confirm new password:
Password has been set successfully.

5. Exit the password-reset utility by typing "quit" at the following prompts:

Reset DSRM Administrator Password: quit
ntdsutil: quit
 

How to allow users to log on to the domain when they can't contact the Global Catalog (GC)

When a native-mode user logs on to the domain, a GC checks for Universal group memberships. If the user can't contact a GC, the logon will fail. To let users log on even though they can't contact the GC, perform the following steps on the servers that service the client logons:

1. Start a registry editor (e.g., regedit.exe) on each domain controller (DC).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry subkey.
3. From the Edit menu, select New, Key.
4. Enter the name IgnoreGCFailures, then press Enter.
5. Close the registry editor.
6. Restart the DC.

Be aware that performing these steps can cause security problems. For example, imagine that you're a member of the Universal group that's denied access to a particular network resource. If your system can't contact the GC when you log on, your user token won't have the SID of the Universal group. In that case, you might be able to access the denied resource just as if you weren't a member of the Universal group.

Free Win2K DNS Training Course

A training course titled "Understanding and Troubleshooting DNS in Windows 2000" is available for download from the Microsoft Download Center.

This course provides in-depth discussion of Domain Name Service (DNS) as implemented in Windows 2000, with emphasis on best practices for installing, maintaining, and troubleshooting the DNS Client service and DNS Server service in Windows 2000 networking and Active Directory directory service environments. Detailed discussion of DNS name resolution methods and namespace planning is included. Screen-capture demonstrations illustrate key administrative, configuration, and troubleshooting tasks.

More Info: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q330511

How to configure the amount of time the DNS cache stores positive and negative responses

By default, Windows stores positive responses in the DNS cache for 86,400 seconds (i.e., 24 hours) and stores negative responses for 300 seconds (i.e., 5 minutes). To modify these values, perform the following steps:

1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters registry subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter the name MaxCacheEntryTtlLimit to change the positive cache period or the name NegativeCacheTime to change the negative cache period, then press Enter.
5. Double-click the new value, set it to the desired number of seconds (e.g., if you entered the name NegativeCacheTime, you could set the value to 0 to stop Windows from caching any negative responses), then click OK.
6. Repeat Step 5 for the other value, if required.
7. Close the registry editor.
8. Reboot the computer for the changes to take effect.

CHANGING REPLICATION TIMES BETWEEN DOMAIN CONTROLLERS

If you have more than two Windows 2000 Server domain controllers, you can set Active Directory replication to occur faster than the default 15 minutes. The default for intra-site replication is 5 minutes; to alter this, you must edit the registry (for information on editing the registry, see the KB article: http://news.microsoft.co.uk/technet1209023757).

To change the inter-site replication frequency from its default of 3 hours, right-click the site link, which is under Inter-Site Transports and is by default called "defaultipsitelink." Then select Properties and change the "Replicate every" field.

Q. Why can't I create a DNS zone name that contains certain reserved words?

A. Non-Active Directory (AD)-integrated zones (i.e., zones that don't store content in AD) use a file to store zone content. Zone names that contain reserved words will violate certain OS rules and result in an error.

Reserved words that you can't use as part of a DNS zone name are:
- AUX
- COM1
- COM2
- COM3
- COM4
- CON
- LPT1
- LPT2
- LPT3
- NUL
- PRN

Sample invalid zone names include nul.savilltech.com and con.windows2000faq.com. To create a valid DNS zone name, you must either select other words or use the Dnscmd utility to create the zone. Dnscmd lets you use a /file switch to specify the physical filename you want to use. For example, type

DNSCMD /zoneadd con.windows2000faq.com /primary /file conzone.com.dns

to specify conzone.com.dns as the filename.

MICROSOFT POSTS RTM VERSION OF THE AD MIGRATION TOOL

Microsoft recently posted the release to manufacturing (RTM) version of the Active Directory (AD) Migration Tool for download to the general public. The AD Migration Tool provides an easy, secure, and fast way to migrate your users from Windows NT 4.0 to the Windows 2000 Server (Win2K Server) AD service. You can also use the AD Migration Tool to restructure your Win2K Server AD domains. This tool can help a systems administrator diagnose any possible problems before beginning migration operations. Task-based wizards then let you migrate users, groups, and computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes. The tool's reporting feature lets you assess the impact of the migration, both before and after move operations. The AD Migration Tool is invaluable for any business considering a migration from NT to Win2K.

You can find more information about and download the AD Migration Tool at:

http://www.microsoft.com/WINDOWS2000/downloads/deployment/admt/default.asp

History of LDAP

X.500, the OSI directory standard, defines a comprehensive Directory Service, including an information model, namespace, functional model, and authentication framework. X.500 also defines the Directory Access Protocol (DAP) used by clients to access the directory. DAP is a full OSI protocol that contains extensive functionality, much of which is not used by most applications.

DAP is significantly more complicated than the more prevalent TCP/IP stack implementations and requires more code and computing horsepower to run. The size and complexity of DAP make it difficult to run on thin clients, such as the PC and Macintosh, where TCP/IP functionality often comes with the machine. DAP stack implementations are cumbersome to administer, thus limiting the acceptance of X.500. Hence in 1993, the folks at the University of Michigan, with help from the ISODE Consortium, designed and developed a protocol that would work over TCP/IP and was small enough when implemented to run on a thin client like PCs running the Windows® operating system or the Macintosh.

The LDAP version 1 Specification was published in March of 1994. The LDAP version 2 Specification was published as RFC 1777 by the Access, Searching and Indexing of Directories (ASID) working group in the IETF in March of 1995. In April of 1996, 40 companies including Microsoft, Netscape, and Novell separately announced support for the LDAP protocol in their Directory Services products so that they could interoperate with each other and integrate with the Internet. LDAP version 3.0 has gone through several drafts but at this time is not finished.

More Info: http://www.microsoft.com/TechNet/prodtechnol/winntas/evaluate/featfunc/ldapcmr.asp

How to force a user to use a machine-specific Group Policy rather than a user-specific Group Policy

Typically, the settings that the OS applies when a user logs on are based on the user's account container (e.g., a domain, a site, an organizational unit--OU), regardless of which container the user's machine belongs to. In some instances, you might want to forgo using this default behavior and instead associate a user's settings with the location of the user's computer within Active Directory (AD). For example, you might want to set a strict, defined set of policies for a publicly accessible computer, regardless of who logs on to that computer.

To establish machine-specific settings, use Group Policy to set the computer's container to "loopback" mode--so that the computer's client settings take precedence--by performing the following steps:

1. Start Group Policy Editor (GPE) and load the policy that affects the computer whose behavior you want to modify (alternatively, you can start the Microsoft Management Console--MMC--Active Directory Users and Computers snap-in, right-click the container, select Properties, then select the Group Policy tab).

2. Expand the Computer Configuration, Administrative Templates, System, Group Policy branches.

3. Double-click the "Loopback Policy" option (or "User Group Policy loopback processing mode" in Windows .NET Server--Win.NET Server).

4. Select the Enabled option, then select the Mode:

- Merge Mode--loads a user's usual settings first, then loads any settings based on the computer's location, thus overwriting any conflicting user settings

- Replace Mode--loads only settings based on the computer's location

5. Click OK.
 

The Active Directory Client - Update on Microsoft's Website

Thanks to everyone who wrote with the news that Microsoft has finally released its Active Directory (AD) client for Windows NT 4.0. I hate to say this, but what took so long? Win2K shipped 7 months ago. Anyway, if you want to run NT 4.0 clients in an AD domain, head over to Microsoft's Web site and download the client.

http://download.microsoft.com/download/winntwks40/Install/1.0/NT4/EN-US/Dsclient.exe

Extending Active Directory's GUI

Manage organizational units, user accounts, computer accounts, groups, and volumes, and create more object classes to meet your business needs.

http://www.win2000mag.com/Articles/Content/7883_01.html

Active Directory Script to Change User Password Via a Webpage (ASP)

<%
' This script lets you reset a user's password through a
' Web-based form by entering the user's CN and the new
' password to save.
' The script performs no authorization of its own: protect changepass.asp
' with IIS authentication and restrict it to the administrators who are
' allowed to reset passwords.

On Error Resume Next   ' lets err.number / err.description report ADSI failures

'BEGIN CALLOUT A
strUserCN = request.form("cn")
strNewPassword = request.form("newpass")
strPassVerify = request.form("passverify")
'END CALLOUT A

if strUserCN = "" then
    response.write "<html><head><title>Change Password</title></head><body>"
    response.write "<center><h1>Web Password Reset</h1></center>"
    response.write "<hr><br><br><form method=post action=changepass.asp><table>"
    response.write "<tr><td>CN: </td><td><input type=text name=cn></td></tr>"
    response.write "<tr><td>New Password: </td><td><input type=password name=newpass></td></tr>"
    response.write "<tr><td>Verify Password: </td><td><input type=password name=passverify></td></tr>"
    response.write "<tr><td colspan=2 align=center><input type=submit value='Reset Password'></td></tr>"
    response.write "</table></form></body></html>"
    response.end
else
    if strNewPassword = strPassVerify then
        ' Bind to the user object (adjust the container and domain DN for your directory)
        set obj = GetObject("LDAP://CN=" & strUserCN & ",CN=Users,DC=accenture,DC=com")
        if err.number <> 0 then
            response.write "Bind failed: " & Server.HTMLEncode(err.description)
            response.end
        end if

        'BEGIN CALLOUT B
        obj.SetPassword strNewPassword
        if err.number <> 0 then
            response.write "SetPassword failed: " & Server.HTMLEncode(err.description)
            response.end
        end if
        'END CALLOUT B

        response.write "<html><head><title>Results</title></head><body><center><h1>Update Results</h1></center><hr><br><br>"
        ' HTMLEncode the echoed CN so form input is never rendered as markup
        response.write Server.HTMLEncode(strUserCN) & ": password was successfully updated"
        response.write "</body></html>"
        response.end
    else
        response.write "<html><head><title>Error!</title></head><body>"
        response.write "<center><h1>An Error Has Occurred!</h1></center>"
        response.write "<hr><br><br>"
        response.write "The password and confirmation do not match. Please go back and try again."
        response.write "</body></html>"
        response.end
    end if
end if
%>

Change User Attributes via a Webpage (ASP)

<%
' This script lets you set any user attribute stored in
' an LDAP directory through a Web-based form by entering
' a user's CN, the attribute's name, and the attribute's value.
' It writes whatever attribute the form names, so protect putscript.asp
' with IIS authentication and restrict it to administrators.

On Error Resume Next   ' lets err.number / err.description report ADSI failures

strUserCN = request.form("cn")
strUserProp = request.form("property")
strPropNewValue = request.form("newvalue")

if strUserCN = "" then
    response.write "<html><head><title>Update Form</title></head><body>"
    response.write "<center><h1>Web Update Form</h1></center>"
    response.write "<hr><br><br><form method=post action=putscript.asp><table>"
    response.write "<tr><td>CN: </td><td><input type=text name=cn></td></tr>"
    response.write "<tr><td>Property Name: </td><td><input type=text name=property value='wwwHomePage'></td></tr>"
    response.write "<tr><td>New Value: </td><td><input type=text name=newvalue></td></tr>"
    response.write "<tr><td colspan=2 align=center><input type=submit value='Change Value'></td></tr>"
    response.write "</table></form></body></html>"
    response.end
else
    ' Bind to the user object before calling Put/SetInfo
    ' (adjust the container and domain DN for your directory)
    set obj = GetObject("LDAP://CN=" & strUserCN & ",CN=Users,DC=accenture,DC=com")
    if err.number <> 0 then
        response.write "Bind failed: " & Server.HTMLEncode(err.description)
        response.end
    end if

    'BEGIN CALLOUT A
    obj.Put strUserProp, strPropNewValue   ' stage the new value in the local property cache
    'END CALLOUT A

    'BEGIN CALLOUT B
    obj.SetInfo                            ' commit the property cache to the directory
    'END CALLOUT B
    if err.number <> 0 then
        response.write "Update failed: " & Server.HTMLEncode(err.description)
        response.end
    end if

    response.write "<html><head><title>Results</title></head><body><center><h1>Update Results</h1></center><hr><br><br>"
    ' HTMLEncode everything echoed back from the form
    response.write Server.HTMLEncode(strUserProp) & " for user " & Server.HTMLEncode(strUserCN) & _
        " was successfully updated with the new value: " & Server.HTMLEncode(strPropNewValue)
    response.write "</body></html>"
    response.end
end if
%>

Microsoft Scripting Center

Perhaps you want to do more with these VBS files you can use to manipulate the directory service; stop by the Script Center, which might be a good place to start...

For More Info: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/default.asp

Reports on Settings in Active Directory

Q. I need to run a utility or script to compile a list of users and their permissions, preferably sorted by user. Is there a tool in the NT Resource Kit for this?

A. Use srvcheck and redirect its output to a file:

srvcheck \\yourserver > c:\yourtextfile.txt

How to install specific applications from the Windows .NET Server (Win.NET Server) and Windows 2000 Administration Tools pack

Microsoft supplies the Win.NET Server and Win2K Administration Tools pack as one Windows Installer file (i.e., adminpak.msi). Executing the Windows Installer file installs the whole toolset to your machine. To install individual tools, perform the following steps:

1. Open the command prompt by going to Start, Run and typing

cmd.exe

2. Navigate to the folder that contains adminpak.msi.
3. Type

msiexec /i adminpak.msi ADDLOCAL=<Short code for the tool> /qb

For example, type

msiexec /i adminpak.msi ADDLOCAL=FeADTools /qb

for the Active Directory (AD) tools.

4. Close the command-prompt session.

The full list of short codes is

Abbreviation       Tool
************       **********************
FeADTools          Active Directory Tools
FeCERTConsole      Certification Authority
FeClusterConsole   Cluster Administrator
FeCMAKConsole      Connection Manager Administration Kit
FeDHCPConsole      DHCP
FeDFSConsole       Distributed File System
FeDNSConsole       DNS
FeIASConsole       Internet Authentication Service
FeIISConsole       Internet Services Manager
FeACSConsole       QoS Admission Control
FeRSConsole        Remote Storage
FeRRASConsole      RRAS
FeTAPIConsole      Telephony
FeTSClientConsole  Terminal Services Client
FeTSMgrConsole     Terminal Services Tools
FeWINSConsole      WINS

DIRECTORY SERVICES CANNOT START

When you start Windows 2000, the screen might be blank, and you might receive the message "LSASS.EXE - System Error, security accounts manager initialization failed because of the following error: Directory Service cannot start. Error status 0xc00002e1. Please click OK to shutdown this system and reboot into directory services restore mode; check the event log for more detailed information." The event log might contain any of the following messages:

  • Event ID 700 "NTDS (260) online defragmentation is beginning a pass on database NTDS.DIT."
  • Event ID 701 stating that the initialization completed successfully.
  • Event ID 101 "NTDS (260) the database engine stopped."
  • Event ID 1004 "The directory was shut down successfully."
  • Event ID 1168 "Error: 1032 (fffffbf8) has occurred (internal ID 4042b). Please contact Microsoft product support services for assistance."
  • Event ID 1103 "The Windows directory services database could not be initialized and returned error 1032. Unrecoverable error, the directory can't continue."

The problem is that you've set permissions on the drive root, NTDS folder, or Active Directory (AD) log files to be too restrictive. To resolve the problem, restart your domain controller and press F8 to select the Directory Services Restore Mode. Make sure that the Administrator and System accounts have Full Control of the NTDS folder and AD log files and that the System account has Full Control of the drive root and of the %SystemRoot% folder. If you changed the location of the AD or its log files during installation, use the new paths instead.

MICROSOFT RELEASES METADIRECTORY SERVICES 2.2

Microsoft has released Microsoft Metadirectory Services (MMS) 2.2. MMS is a powerful tool that makes it easier for enterprise customers to manage multiple directories in a heterogeneous directory environment. The service has the added benefit of simplifying the deployment of Active Directory (AD). MMS extends the network-management capabilities of AD across multiple kinds of directories. "If you have an AD infrastructure and you want to get email addresses or phone numbers from your Lotus Notes directory into AD, [MMS] does that for you," says Jackson Shaw, MMS product manager. Thanks to a new feature that enables real-time synchronization of directory information into AD, MMS 2.2 also makes AD deployment much simpler for customers who have information about employees, customers, and partners in multiple directories. Another advantage of MMS 2.2 for enterprise customers is improved directory-enabled provisioning, whereby administrators can set up rules to govern synchronization and trigger sets of events. For example, an administrator might create a record in the Human Resources (HR) directory for a new employee. MMS can then "notice" that a new person has been hired and perform automatic services provisioning for that person, assigning him or her an email address and other resources that until now administrators had been providing manually. For more details about MMS 2.2, visit

http://www.microsoft.com/windows2000/guide/server/features/mms.asp

WHAT THE ACTIVE DIRECTORY, SCHEMA & GLOBAL CATALOG ARE IN A NUTSHELL

The Global Catalog (GC) in Windows 2000 Active Directory (AD) is widely misunderstood and it's no wonder why: The catalog serves multiple purposes, has tons of features, and houses dissimilar forms of data. To understand the GC, you must first understand the concept of a "forest." A forest is a collection of one or more AD trees organized as peers and connected by two-way transitive trust relationships between the root domains of each tree. All trees in a forest share a common schema, configuration, and GC. Every domain controller in a forest stores three full, writable directory partitions:

  • Domain directory partition--You might be familiar with the AD Users and Computers Tool. This Microsoft Management Console (MMC) snap-in manages the domain directory partition, which mainly contains the computers, groups, and other objects for a specific Win2K domain.
  • Schema directory partition--This partition contains the Schema container, which stores class and attribute definitions for all existing and possible AD objects. You can view the contents of the Schema container in the AD Schema Editor. (If you're an "IIS Administrator" subscriber, you can learn how to install this tool from my article "Extending the User Class in the AD Schema," September 2000.)
  • Configuration directory partition--This partition stores configuration objects for the entire forest, such as information about sites, services, and directory partitions. To view the contents of the Configuration container, use Active Directory Services Interfaces (ADSI) Edit, which is part of the Win2K Support Tools.

A GC server is a Win2K domain controller that stores these three writable directory partitions, as well as a partial, read-only copy of all other domain directory partitions in the forest. The additional directory partitions are "partial" because although they collectively contain every object in the directory, they have a limited set of specific attributes for each object. The AD replication system automatically builds the GC. AD automatically designates the first domain controller in a forest as a GC server, although any domain controller can be a GC server. (You can configure this controller in the NTDS Settings Properties dialog box in the AD Sites and Services tool.) All three directory partitions exist on a GC server, whether they are full or partial partitions, in one directory database (Ntds.dit) on that server. No separate storage area is necessary for GC attributes: The Global Catalog Server treats them as additional information in the domain controller directory database.

When you add a new domain to a forest, AD automatically stores the information about the new domain in the configuration directory partition, which the GC server (and all domain controllers) automatically touches through replication of forest-wide information. Because the GC stores every object in the forest, software developers can use the catalog to locate objects in any domain without a referral to a different server. When a search request is sent to port 389 (the default Lightweight Directory Access Protocol--LDAP--port for AD) on a specific domain, computer, or IP address, the search is performed on one domain directory partition. If the object isn't found in that directory partition (and isn't in the schema or configuration directory partitions), the request is referred to a domain controller in a different domain that might contain the requested object (on the basis of the distinguished name--DN--you present in the search request).

Such a referral is called an LDAP referral and can be very expensive in terms of the time it takes the search to find what it's looking for. When a search request is sent to port 3268 (the default GC port), the search includes all directory partitions in the forest. In other words, a GC server processes the search. A GC search can return results for objects in any domain without generating a referral to a domain controller in a different domain. This tool is extremely powerful for software developers in a huge company with AD forests residing in different locations all over the world.
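As an added example (not from the original page) of the port 389 versus port 3268 behaviour described above, this PowerShell function searches for one account twice with System.DirectoryServices: once rooted at a single domain partition over LDAP://, and once at the Global Catalog via GC://. It assumes a domain-joined host; the DomainDN value and the account name in the usage lines are placeholders.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Find-UserByName {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [Parameter(Mandatory)] [string]$DomainDN,      # e.g. 'DC=example,DC=com' (placeholder)
        [switch]$UseGlobalCatalog
    )

    # LDAP://<domain DN> binds to port 389 and covers that one domain partition.
    # GC:// with no DN binds to port 3268 and covers every partition the GC holds,
    # i.e. the whole forest, but only the partial attribute set.
    $path = if ($UseGlobalCatalog) { 'GC://' } else { "LDAP://$DomainDN" }
    $root = New-Object System.DirectoryServices.DirectoryEntry($path)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # Escape the RFC 4515 filter metacharacters so caller input cannot rewrite the filter.
    $escaped = $SamAccountName
    foreach ($pair in @(@('\\', '\5c'), @('\*', '\2a'), @('\(', '\28'), @('\)', '\29'), @("`0", '\00'))) {
        $escaped = $escaped -replace $pair[0], $pair[1]
    }
    $searcher.Filter      = "(&(objectCategory=person)(sAMAccountName=$escaped))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    # With referral chasing off, the LDAP:// search shows its true scope: an account in
    # another domain is simply absent instead of being fetched through a slow referral.
    $searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::None

    foreach ($hit in $searcher.FindAll()) {
        [string]$hit.Properties['distinguishedname'][0]
    }
}

# Usage (placeholders): an account that lives in a child domain is returned
# only by the second call.
# Find-UserByName -SamAccountName 'jdoe' -DomainDN 'DC=example,DC=com'
# Find-UserByName -SamAccountName 'jdoe' -DomainDN 'DC=example,DC=com' -UseGlobalCatalog
```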

WIN2K PROFESSIONAL DOMAIN-CONTROLLER SELECTION

The domain-controller selection process decides which domain controller a client will use to handle Windows 2000 or Windows NT authentication. Connection-based problems can occur in NT 4.0 because the NT 4.0 client/server architecture can't account for a physical network's complexities. To address the shortcomings of NT 4.0's domain-controller selection process, Microsoft made Win2K Professional's process more sophisticated than NT 4.0's process. Understanding Win2K Pro's domain-controller selection process can help you predict your Win2K domain design's consequences at every network location and troubleshoot client logon problems. To gain that understanding, read Sean Deuby's article on our Web site.

 http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9180

HOW CAN I RESTRICT ACTIVE DIRECTORY REPLICATION TRAFFIC TO A SPECIFIC PORT?

By default, Active Directory (AD) replication via remote procedure calls (RPCs) takes place dynamically over an available port via the RPC Endpoint Mapper using port 135 (the same port as Microsoft Exchange). An administrator can override this functionality and specify the port that all replication traffic passes through. To set a specific port, perform the following steps:

  1. Start a Registry Editor (e.g., regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
  3. From the Edit menu, select New, then DWORD Value.
  4. Enter the name as "TCP/IP Port" without the quotes and press Enter.
  5. Double-click TCP/IP Port, set the value to the desired port, and click OK.
  6. Close the Registry Editor and reboot.
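As an added example (not from the original page) covering the three registry settings this page describes, the IgnoreGCFailures subkey, the Dnscache MaxCacheEntryTtlLimit and NegativeCacheTime values, and the NTDS "TCP/IP Port" value, this PowerShell function reads them from one or more domain controllers and flags the ones with security or availability consequences. It assumes PowerShell remoting is enabled for remote names; the dc01/dc02 names in the usage line are placeholders.

```powershell
function Get-AdRegistryTipSettings {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on each target; read-only, never writes to the registry.
    $probe = {
        $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $dns  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

        # IgnoreGCFailures is a subkey, not a value: its presence alone enables the behaviour.
        $ignoreGc = Test-Path -Path (Join-Path $ntds 'IgnoreGCFailures')

        # DWORD values; $null means "not set, so the default applies" (86,400 s / 300 s).
        $dnsProps  = Get-ItemProperty -Path $dns  -ErrorAction SilentlyContinue
        $ntdsProps = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Computer              = $env:COMPUTERNAME
            IgnoreGCFailures      = $ignoreGc
            MaxCacheEntryTtlLimit = $dnsProps.MaxCacheEntryTtlLimit
            NegativeCacheTime     = $dnsProps.NegativeCacheTime
            ReplicationTcpPort    = $ntdsProps.'TCP/IP Port'
        }
    }

    foreach ($name in $ComputerName) {
        $result = if ($name -ieq $env:COMPUTERNAME) {
            & $probe
        } else {
            Invoke-Command -ComputerName $name -ScriptBlock $probe
        }

        $findings = @()
        if ($result.IgnoreGCFailures) {
            # Without a GC the logon token lacks Universal group SIDs, so a Universal
            # group used to deny access is not enforced for that session.
            $findings += 'IgnoreGCFailures present: Universal-group deny entries are not enforced when the GC is unreachable'
        }
        if ($null -ne $result.NegativeCacheTime -and $result.NegativeCacheTime -eq 0) {
            $findings += 'NegativeCacheTime=0: negative DNS answers are never cached'
        }
        if ($null -ne $result.ReplicationTcpPort) {
            $findings += "Replication pinned to TCP port $($result.ReplicationTcpPort): firewalls must allow it as well as 135"
        }

        $result | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join '; ') -PassThru
    }
}

# Usage (dc01/dc02 are placeholders):
# Get-AdRegistryTipSettings -ComputerName dc01, dc02 | Format-Table -AutoSize
```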

ON WIN2K-NT 4.0 COEXISTENCE

Several issues can crop up when you run a mixed environment of Windows 2000 and Windows NT 4.0 systems in an NT 4.0 domain. After writing about some of these issues last week, I received a great deal of reader feedback. This week, I clarify a few issues and happily pass on tips that readers sent my way. Thanks to all of you for your feedback--keep it coming.

  • Password Problem Follow-up. Last week, I wrote about a problem I experienced when changing an expired password on a Win2K workstation that was a member of an NT 4.0 domain. Thanks to the readers who responded, we now have a solution. To ensure that Win2K users can successfully change expired passwords for NT 4.0 accounts, you must disable the “User must logon to change password” option (User Manager displays this check box when you select the Account option on the Policies menu). Disabling this feature affects all accounts in the domain, so I'm not very comfortable with this solution's security implications. However, I tested the solution, and it works as advertised.
  • Running NT 4.0's User and Server Manager on Win2K. Last week, I discussed creating a shortcut to User Manager on my Win2K Advanced Server machine so that I could manage the NT 4.0 domain account database without walking downstairs. In response, one reader pointed out that the Windows 2000 Server Resource Kit contains several utilities you can use to manage NT 4.0 systems from a Win2K desktop. After installing the resource kit, you'll find a plethora of tools in the Network Management Tools folder. Although most of the tools run only from the command line and have unusually cryptic and poorly documented argument lists, the Win2K versions of User Manager for Domains and Server Manager have the same GUI that NT 4.0's native applets employ. I tried both utilities and was pleasantly surprised by how well they work. If you prefer to add or modify Win2K or NT 4.0 user accounts from the command line, check out the Console User Manager utility (cusrmgr.exe). And while we're on the subject of user accounts, you might want to try the user status utility usrstat.exe, which displays the full name and last logon time for each user in a domain. If you maintain a large NT 4.0 account database, you should pipe this utility's output to a file.
  • Win2K-NT 4.0 Time Synchronization. One reader wrote to say that he tried to set up an NT 4.0 time server that his Win2K systems could use for synchronization, but he discovered that the timesrv.exe utility from the original Windows NT 4.0 Server Resource Kit doesn't support the Network Time Protocol (NTP) that Win2K systems need. After some exploration, I discovered that Microsoft has released updates for w32time and timesrv, the tools you need to successfully set up an NT 4.0 system that operates as an official time server. However, the updates are hidden in a most unlikely spot: a folder called Y2kfix at Microsoft's FTP site. You can download the tools and documentation from ftp.microsoft.com/reskit/y2kfix/x86. Microsoft article Q258059 contains all the information you need to create an NT 4.0 NTP server. http://support.microsoft.com/support/kb/articles/q258/0/59.asp
  • Win2K Logon Problems in an NT 4.0 Domain. To ensure that your Windows 2000 systems can successfully log on to a Windows NT 4.0 domain, you must first perform several setup and configuration steps. Start by creating a computer account for each new Win2K system in NT 4.0's Server Manager. You can create the accounts before installing Win2K or, if you have an administrator account, during setup. Next, configure Win2K systems with valid addresses for DNS and WINS servers; otherwise, Win2K systems won't be able to locate an NT 4.0 domain controller. If you install standalone Win2K servers in your NT 4.0 domain, be sure that each server has a valid DNS suffix (Setup doesn't automatically define this field when you install a standalone Win2K server). Finally, if your Win2K clients also log on to a Win2K domain, be sure that you check the box that lets Win2K change the DNS suffix when the domain name changes. To avoid continuous NT 4.0 DNS Event Log messages, disable Win2K's dynamic DNS (DDNS) update option. Win2K enables this option during setup. Your Win2K systems might have trouble logging on to an NT 4.0 domain if you unbind or remove Client for Microsoft Networks or if you run a third-party DNS server. As with an improper or incomplete TCP/IP configuration, either or both of these problems can prevent a Win2K system from locating an NT 4.0 BDC. Symptoms of both these problems include the following:
    • Win2K might display the message, "The specified domain either does not exist or could not be contacted."
    • Pinging the domain controller by name fails, but pinging the domain controller by IP address succeeds.
    • If you issue the command net view \\<domain-controller-name>, you get your least favorite and most generic error message: "System error 53 has occurred. The network path was not found."

    If by some remote chance you have Server Message Block (SMB) signing (also known as Common Internet File Sharing--CIFS--protocol) enabled on any of your NT 4.0 domain controllers, Win2K users might have trouble logging on. If a Win2K user enters an invalid password when SMB signing is turned on, Win2K responds with the error message "Network name is no longer available" instead of prompting for the correct password. One obvious workaround is to have your users enter the correct password the first time; you can also disable SMB signing on the NT 4.0 domain controllers. To resolve the problem, call Microsoft Support and ask for the new version of the NT 4.0 redirector.

  • Managing Win2K and NT 4.0 User Profiles. User profile management is a broad subject with a million possible complications. However, before you get started, you should know a few things about user profiles and system policies. First, NT 4.0 caches local profiles in the Profiles directory of the system root. If you upgrade an NT 4.0 system to Win2K, Win2K maintains this location. However, if you perform a clean Win2K installation, Win2K stores local user profiles under their respective usernames in the Documents and Settings folders on the boot drive. Second, NT 4.0 and Win2K manage duplicate profiles differently. http://support.microsoft.com/support/kb/articles/q236/6/21.asp
  • File-Sharing Issues. The default permission on all my Win2K volumes is Everyone:Full Control, and, by default, each top-level directory on the drive inherits this permission from the volume. Win2K further sets the default permission for all file shares to Everyone:Full Control. To ensure a modicum of security, be sure that you set NTFS file permissions appropriately for any directory you want to share, whether it hosts a user profile, an application, or data. http://support.microsoft.com/support/kb/articles/q263/0/06.asp

NT4 & Win2K Prof TOGETHER - AND THE PROBLEMS YOU HAVE

Be aware that if you have a system policy that sets "do not display last username", it will not work on Win2K Pro. You will need to go into the local security settings and enable that setting on each machine, until you can get Group Policy going. The other gotcha is in the roaming policy area. Since Win2K Pro places profiles in C:\Documents and Settings, and NT4 places profiles in C:\winnt\profiles, we have found that users jumping from an NT4 workstation to a Win2K Pro workstation can have some interesting issues, mostly that all settings may not migrate, or none at all.

I have 9 Win2K machines in one NT4 Server domain. The group policy NTconfig.pol on the server works, but I have tried to restrict the local C: visibility for 8 of them and not for the other. What you get is either all visible or all not visible. I have tried different combinations of groups and their priority to no avail.

When a user logs on to the Win2K computer everything is fine. If he then goes to an NT machine and logs in, he can't use his e-mail anymore; NT asks for a password that doesn't exist. The only solution is to disable the Protected Storage service or delete the whole profile and recreate it.

We recently added over 50 W2K Pro machines into an existing NT4 domain and came across several problems. An NT4 standard user's privileges differ greatly from a W2K standard user's. One main area is that a W2K standard user cannot install software that will be available to other users; you need to be at least a W2K Power User (which is too powerful for a normal user). This caught us out when trying to use a web application that required the user to install an ActiveX control: a standard user was not allowed to install it, so the application failed. Microsoft provides security templates that can be applied by the "secedit" command line or the relevant MMC snap-in. These templates include a compatibility template (compatws.inf) which makes a W2K Pro machine align its security settings with those on NT4. (TechNet Article Q234926 is a starting point.) This is one of the many quirks of running W2K in an NT4 domain.

DCPromo Install Errors

DCPromo Fix. If you run dcpromo.exe and it fails, check the Dcpromo log file for the error message, "The replication system encountered an internal error." http://support.microsoft.com/support/kb/articles/q267/8/87.asp

When you run Dcpromo.exe, it may not run successfully, and the following error message may be recorded in the Dcpromo log file: The replication system encountered an internal error.  Dcpromo.exe replication does not succeed and generates an internal error when it replicates a tombstone with a phantom parent. The replication process tries to read the globally unique identifier (GUID) of the parent tombstone to send to the destination, but does not succeed when it finds that the parent is a phantom rather than a live object or tombstone. A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to computers that are experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this fix. To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp

CHANGING PASSWORDS IN WINDOWS 2000

When Windows 2000 users try to change their passwords, they might see the error message, "The Password Cannot Be Changed At This Time." This problem occurs when the Group Policy that applies to the users has no minimum password age defined at all. To resolve the matter, explicitly configure a minimum password age of 0 days rather than leaving the setting undefined. For step-by-step instructions, including screen shots, be sure to visit our Windows 2000 FAQ site.

http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=15757

Synchronize Time On All Servers

Q. Does anyone know a procedure for synchronizing the time on all my servers? Can the synchronization be configured to flow down to clients (Windows 2000 Professional and Windows 9x)?

A. Try TimeServ in the ResKit or net time, or if you'd like a professional solution, try 'Domain Time II' (http://www.greyware.com), especially if you also have UNIX boxes in your environment. Thread continues at

 http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=69&Thread_ID=47337&mc=5

NT File Replication System (NTFRS) stopped responding

A typical cause for this problem is that NTFRS's intermediate storage area, the staging area, is full. The staging area holds copies of changed files while they are being sent to and received from replication partners. Because files can be written locally much faster than they can be moved across the network, this area fills quickly when you replicate large amounts of data. By default, the system allocates 660MB for the staging area, but you can increase this value if the volume that holds the staging area has sufficient free space. Before you make the change in regedit, you must determine the hexadecimal value of the required size in kilobytes. For example, if you need a staging area of roughly 1GB (1,000,000KB for this example), you would perform the following steps to calculate the hex value:

  1. Start calc.exe.
  2. From the View menu select Scientific.
  3. Set the type to Dec.
  4. Enter the number in kilobytes (in this example, 1000000).
  5. Set the type to Hex. The number will change to the hex equivalent (in this example, F4240).
  6. Note the hex value.

To increase the staging area's size, perform the following steps:

  1. Start regedit.exe.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters.
  3. Double-click the "Staging Space Limit in KB" value.
  4. Change the base to Hex, and enter the value (in this example, F4240).
  5. Click OK.
  6. Close regedit.
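The same change, done from PowerShell rather than regedit, as an added example that is not part of the original article. Set-ItemProperty takes the limit in decimal, so the hex conversion above becomes unnecessary, and the function refuses to set a limit the staging volume cannot hold. The staging path under SYSVOL is the assumed default; change $StagingPath if yours lives elsewhere.

```powershell
# Added example, not from the original page: raise the FRS staging space limit
# to the 1,000,000 KB worked through above, after checking that the staging
# volume has room for it. $StagingPath is the assumed default location.

$ParamsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$ValueName   = 'Staging Space Limit in KB'
$StagingPath = Join-Path $env:SystemRoot 'sysvol\staging areas'   # assumed default
$NewLimitKB  = 1000000                                           # decimal; regedit shows hex F4240

function Set-FrsStagingLimit {
    param([int]$LimitKB, [string]$Path, [string]$Key, [string]$Name)

    # Show both forms so the value can be cross-checked against regedit's Hex view.
    Write-Host ('Requested limit: {0} KB (hex {1:X})' -f $LimitKB, $LimitKB)

    # Refuse to raise the limit beyond what the staging volume can actually hold.
    $root      = [System.IO.Path]::GetPathRoot($Path)        # e.g. C:\
    $driveName = $root.TrimEnd(':', '\')                      # e.g. C
    $freeKB    = [math]::Floor((Get-PSDrive -Name $driveName).Free / 1KB)
    if ($freeKB -lt $LimitKB) {
        throw "Only $freeKB KB free on $root; a $LimitKB KB staging area would not fit."
    }

    $old = (Get-ItemProperty -Path $Key -Name $Name).$Name
    Write-Host "Current limit: $old KB"

    # REG_DWORD, same type as the existing value; the 'Hex' base in regedit is only display.
    Set-ItemProperty -Path $Key -Name $Name -Value $LimitKB -Type DWord

    # FRS reads its Parameters key when the service starts, so restart it to apply the change.
    Restart-Service -Name NtFrs

    return (Get-ItemProperty -Path $Key -Name $Name).$Name
}

Set-FrsStagingLimit -LimitKB $NewLimitKB -Path $StagingPath -Key $ParamsKey -Name $ValueName
```

Run it in an elevated session on the DC; the function returns the value it read back from the registry so you can confirm the write took.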

NT 4.0 AND WIN2K SYSTEM POLICY MODE SETTINGS IN THE REGISTRY

Have you ever defined a system policy, logged on to a system where the policy should apply, and wondered where the policy settings went? Apparently, some OEMs are shipping Win2K and NT 4.0 systems with a registry setting that disables the application of system policy. http://support.microsoft.com/support/kb/articles/Q168/2/31.asp

IMPORTING AND EXPORTING AD INFORMATION

You can use one of three approaches to Active Directory (AD) data manipulation. First and most common is using the limited set of Microsoft Management Console (MMC) tools that Windows 2000 provides. No Web-based tools ship with Win2K to manipulate AD, but you can download a Web-based tool called Active Directory Web Administrator, which I wrote and presented at Microsoft TechEd 2000, from my company's Web site. Go to 

http://www.interknowlogy.com/resources/support.asp 

and scroll down to "TechEd (6-411) Windows DNA with Middle Tier Active Directory COM+ Objects." This tool lets you modify user data in AD in a spreadsheet-like view. Second, you can write code to manipulate data in AD. Active Directory Service Interfaces (ADSI) is the most common programming interface, but it's not for the beginner or faint of heart. Because of the lack of a sufficient AD toolset in Win2K, many administrators with large AD installations are using ADSI to write their own tools or are commissioning companies to do it for them. Third, you can use a Win2K utility program called ldifde.exe (LDIF Data Exchange) to perform batch updates to AD. To help facilitate exchanging data, ldifde.exe uses LDAP Data Interchange Format (LDIF), a file format standard used for exchanging data with Directory Services (DSs) such as the Win2K AD. You can use ldifde.exe to

  • Export and import data to and from AD (e.g., exporting all the users of one domain to another domain)
  • Add, create, and modify data in AD (e.g., adding new users in batch format without having to depend on an administrative console)
  • Create schema additions in AD (e.g., adding a new attribute such as favoriteColor to AD schema)

A command-line utility such as ldifde.exe gives you the power to make potentially massive data updates to AD without having to depend on a cumbersome tool such as the MMC Active Directory Users and Computers snap-in, which lets you affect one attribute on one user at a time in a form-based GUI. Of course, ldifde.exe is much easier to deploy than a custom solution because you don't have to write code. Ldifde.exe has a companion called csvde.exe, which uses a Comma Separated Values (CSV) format instead of the LDIF data format. The power here is that you can use Microsoft Excel or some other program that reads .csv files to prepare your data before using the tool to import it. Both tools use the same command-line parameter formats. Unfortunately, you can use csvde.exe only for additions to AD, not for modifications. Both ldifde.exe and csvde.exe reside in the \winnt\system32 directory; because that directory is on the search path, you can run the tools from any folder on your Win2K server. (See Win2K Online Help for a summary of the command-line parameters.) As you might guess, the command-line Help isn't enough to get you started using the ldifde.exe tool. The best reference I've found for ldifde.exe is the Microsoft article "Using LDIFDE to Import/Export Directory Objects to the Active Directory" at the following link.

http://support.microsoft.com/support/kb/articles/Q237/6/77.asp
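An added example, written for this page and not taken from the article or from Microsoft, of preparing an ldifde.exe import file from a CSV of new users in PowerShell. It covers two things the summary above leaves out: LDIF is an ASCII format, so any value with non-ASCII characters (or a leading space, colon or '<') has to be base64-encoded and written with "::", and ldifde cannot set a password over a plain LDAP connection, so the accounts are created disabled (userAccountControl 514) until a password is set by other means. The domain example.com, the OU, the sample rows and the file names are assumptions.

```powershell
# Added example, not from the original page: build an LDIF import file for
# ldifde.exe from a CSV of new users, then show the import and export commands.
# Assumptions: domain example.com, target OU=Staff, constructed sample rows.
# Save this script as UTF-8 with BOM so the non-ASCII sample value survives.

$Csv = @'
sAMAccountName,givenName,sn,description
jdoe,Jane,Doe,Helpdesk
mmueller,Max,Müller,Accounting
'@   # constructed sample data

$TargetOu = 'OU=Staff,DC=example,DC=com'

function ConvertTo-LdifAttribute {
    # Emit "name: value", or "name:: base64" when RFC 2849 says the value is not safe as-is.
    param([string]$Name, [string]$Value)
    $unsafe = ($Value -match '[^\x20-\x7E]') -or
              $Value.StartsWith(' ') -or $Value.StartsWith(':') -or $Value.StartsWith('<') -or
              $Value.EndsWith(' ')
    if ($unsafe) {
        $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
        return "${Name}:: $b64"
    }
    return "${Name}: $Value"
}

function New-UserLdifEntry {
    param($Row, [string]$Ou)
    $cn = "$($Row.givenName) $($Row.sn)"
    $lines = @(
        (ConvertTo-LdifAttribute 'dn' "CN=$cn,$Ou"),
        'changetype: add',
        'objectClass: user',
        (ConvertTo-LdifAttribute 'cn' $cn),
        (ConvertTo-LdifAttribute 'sAMAccountName' $Row.sAMAccountName),
        (ConvertTo-LdifAttribute 'givenName' $Row.givenName),
        (ConvertTo-LdifAttribute 'sn' $Row.sn),
        (ConvertTo-LdifAttribute 'userPrincipalName' "$($Row.sAMAccountName)@example.com"),
        # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2). Creating the account enabled
        # with no password fails when the domain policy requires one.
        'userAccountControl: 514'
    )
    if ($Row.description) { $lines += ConvertTo-LdifAttribute 'description' $Row.description }
    return ($lines -join "`r`n") + "`r`n"
}

$entries = $Csv | ConvertFrom-Csv | ForEach-Object { New-UserLdifEntry -Row $_ -Ou $TargetOu }

# Entries are separated by a blank line; write as ASCII so the base64 lines stay intact.
($entries -join "`r`n") | Out-File -FilePath .\newusers.ldf -Encoding ascii

# Import: -k continues past "object already exists"/constraint errors, -j puts ldif.log here.
#   ldifde -i -f .\newusers.ldf -k -j .
# Export the OU back out, restricting attributes so SIDs and GUIDs don't land in the file:
#   ldifde -f .\staff-export.ldf -d "OU=Staff,DC=example,DC=com" -r "(objectClass=user)" -l "cn,sAMAccountName,givenName,sn,description"
```

Review newusers.ldf before importing; the "dn::" line for Max Müller is the base64 form, which is correct LDIF and not a corruption.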

FREE E-BOOK ABOUT WIN2K ADMINISTRATION

Fastlane Technologies and Realtimepublishers.com announced "The Definitive Guide to Windows 2000 Administration" by Sean Daily and Darren Mar-Elia, a free e-book published on a chapter-by-chapter basis. When new chapters are available, you'll receive email notification. Chapter topics include Windows 2000 Network Administration, Managing Security, Administrative Scripting, Managing the Distributed File System, Storage Management, and Remote Access Services. The first chapter, Managing the Active Directory, is available now. For more information, contact Realtimepublishers.com, info@realtimepublishers.com. http://www.fastlane.com/windows2000admin

AD BUILDING BLOCKS

In the September issue of Windows 2000 Magazine, we focus on building your Active Directory (AD) infrastructure. We help you decide how many domains you need and what your site topology should be, and we show you the AD Sizer tool so you can determine the domain controller hardware your AD design requires. We identify Win2K network components you need to monitor and tell you which features to look for in a monitoring tool. We cover the AD Delegation of Control Wizard so you can leverage Win2K's ability to delegate your enterprise's management and support tasks. Finally, we show you how to build and test a large AD.

* Planning for Active Directory

Ready to roll out your company's AD infrastructure? Think again about how many domains you need and what your site topology should be.

--Darren Mar-Elia http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9643

* Monitoring Your AD-Enabled Network

Identify the Win2K network components that you need to monitor and the features you should look for in a monitoring and management tool.

--Sean Daily http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9645

* The Active Directory Delegation of Control Wizard Successfully leverage Win2K's ability to safely delegate routine management and support tasks throughout your enterprise.

--Paula Sharick http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9646

* Who Wants a 100-Million-Entry AD?

You might not want a large AD, but if you must build one, learn how from a couple of people who've done it.

--Tony Redmond http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9647

Win98 clients cannot log on to an upgraded Win2K domain

When you upgrade your Windows NT 4.0 PDC to an Active Directory (AD) Windows 2000 domain controller (DC), Windows 98 clients can no longer log on. You get the messages:

This device does not exist on the network.

The domain password you supplied is incorrect or access to your logon server has been denied.

This problem occurs if the SAM becomes corrupted during the AD install. To recover, follow these steps:

  1. Use addusers.exe (from the Resource Kit) to dump the user and group accounts to a text file.
  2. Use dcpromo to remove AD, demoting the DC to a server.
  3. Use dcpromo to promote the server to an AD DC again.
  4. Use addusers.exe to import the users and groups from the text file created in step 1.

Keep in mind that addusers.exe doesn't export passwords, and the re-created accounts get new SIDs: users will need new passwords, and any NTFS or share permissions granted to the old accounts must be reassigned.

Introduction to Windows Scripting

Windows scripting is easy. This may sound like a bold statement, but spend a few hours playing with it, get your feet wet and I think you’ll agree. To get started using WSH begin with this introduction tutorial.

More Info: http://www.winguides.com/article.php?id=2

Secure Password Generator

One of the most important security measures with any computer, network or secure software is using a password that is extremely hard to guess or crack. That’s why we have created the free Secure Password Generator, which is designed to create highly secure random passwords with configurable options such as length, case sensitivity and numeric & punctuation characters. Give it a try now and you’ll never have to think up another password again.

More Info: http://security.winguides.com/password.php

Stop Users Exceeding Concurrent Logons

Unfortunately, neither NT nor Win2K has a built-in restriction like NetWare's, which lets you limit a user to a specific number of concurrent logons. The nearest alternative is workstation restrictions: open Active Directory Users and Computers, find the user, open its properties window, and on the Account tab click Log On To to list the computers the user is allowed to log on to. To get true concurrent-logon restrictions you'll need to check out the CConnect tool in the Windows 2000 Resource Kit. CConnect works on NT and Win2K.

If you install CConnect.exe on each Windows 2000 or Windows NT 4.0 client, you can:

  • Limit concurrent connections per user.
  • Log off remote computers when the concurrent-connection limit is reached.
  • List all computers that a user is logged on to.
  • List logon servers for each user.
  • Show how many users are logged on to a domain controller (DC).
  • Force a logoff when the concurrent-connection limit is reached.
  • Enable debugging of the CConnect tool.
  • Write events about the status of the CConnect tool to the event log of a specified server.
  • Save all lists to a file for further examination.
  • Track the last user of the computer and limit only that user from logging on to the computer if the computer was shut down improperly.

Because CConnect enforces the limit from the client side, treat it as a convenience for well-behaved users rather than a security boundary: a user who can stop the tool on the workstation can exceed the limit.

Windows 2000 clients have no special requirements to run CConnect.exe. Windows NT 4.0 computers must have:

  • Windows NT 4.0 Service Pack 3 or later
  • Microsoft Data Access Components (MDAC) 2.0
  • Windows Scripting Host
  • Web-Based Enterprise Management (WBEM)

Manually removing AD from a child-domain DC when you have lost contact with the parent domain

  1. Boot the damaged DC into Directory Services Restore Mode.
  2. Start regedit and navigate to HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions.
  3. Change the ProductType value from LanmanNT (domain controller) to ServerNT (server).
  4. Run net stop ntfrs to stop FRS.
  5. Delete the winnt\sysvol and NTDS directories.
  6. Reboot the now former DC.
  7. Log on to the now member server and make it standalone by joining a workgroup.
  8. Reboot the now standalone server.

The other DCs in the forest still hold this server's NTDS Settings object and related metadata. Once you regain contact with the parent domain, remove them with ntdsutil's metadata cleanup; otherwise replication will keep trying to reach a DC that no longer exists.

How can I ascertain which machine a user is using?

To identify which machine a particular user is using, you can run a
series of commands (and even create a script to automate this process)
by performing the following steps:

1. Open a command prompt: go to Start, Run, and type

cmd.exe

2. Type

nbtstat -R

to purge and reload the NetBIOS remote cache name table.

3. Type

net send <username> .

to send the user a period (.) as a message. (net send relies on the
Messenger service, which later versions of Windows disable and then
remove, so this trick is specific to NT 4.0 and Win2K-era networks.)

4. Type

nbtstat -c

to list the cache of recently used names and IP addresses, so you can
identify the entry for the user you're communicating with.

5. Type

nbtstat -A <IP address identified in step 4>

to map the user's IP address to the machine name.

For example, to locate a user named Kevin, I performed the following
series of commands and received the indicated responses:

C:\>nbtstat -R
Successful purge and preload of the NBT Remote Cache Name Table.

C:\>net send kevin .
The message was successfully sent to KEVIN.

C:\>nbtstat -c
Local Area Connection:
Node IpAddress: [200.200.200.5] Scope Id: []

    NetBIOS Remote Cache Name Table

    Name            Type       Host Address     Life [sec]
    ------------------------------------------------------------
    KEVIN      <03>  UNIQUE    200.200.200.3      597

C:\>nbtstat -A 200.200.200.3
Local Area Connection:
Node IpAddress: [200.200.200.5] Scope Id: []

    NetBIOS Remote Machine Name Table

    Name            Type       Status
    ---------------------------------------------
    WORKST2    <00>  UNIQUE    Registered
    SAVILLTECH <00>  GROUP     Registered
    WORKST2    <03>  UNIQUE    Registered
    WORKST2    <20>  UNIQUE    Registered
    SAVILLTECH <1E>  GROUP     Registered
    WORKST2    <6A>  UNIQUE    Registered
    WORKST2    <87>  UNIQUE    Registered
    KEVIN      <03>  UNIQUE    Registered

    MAC Address = 00-08-C3-8F-0D-83

From this information, I discovered that Kevin is using machine
WORKST2 at IP address 200.200.200.3. (The <03> entry is the Messenger
service name, registered for both the machine and the logged-on user,
which is why the net send in step 3 populates the cache.)

Cleaning up after DC Move

When you use DCPROMO to move a domain controller (DC) from a source
domain to a destination domain, you might receive continual nagging
messages from Netlogon. The messages, which appear in the DC's event
log, have Event ID 5781 and read, "Dynamic registration or
deregistration of one or more DNS records failed because no DNS
servers are available." During the demotion process, DCPROMO is
supposed to remove all the DC-specific Netlogon service records on the
DNS server that performs name resolution for the source domain. The
messages indicate that DCPROMO didn't remove all the DC-specific
Netlogon names from the DNS server.

To eliminate the messages and properly register the Netlogon service
names, you must delete the old, invalid Netlogon service names that
DCPROMO skipped and reregister the DC's Netlogon service records in
the new domain. Find the file
%systemroot%\system32\config\netlogon.dns on the DC you moved. This
file contains all the Netlogon service names the DC must register to
function properly. Scan the file and find lines that begin with a
semicolon, such as the following example:

;5175a911-d70b-4d3c-8df1-024ca6cd6a50._msdcs.company.net. 600 IN CNAME
server.child-domain.company.net

On the DNS server, remove all the invalid Netlogon records that
conform to the format in the example and restart the DC's Netlogon
service. Restarting the Netlogon service forces the DC to reregister
the Netlogon service names, which will stop the nagging messages. I
haven't tested this workaround, so let me know whether it works for
you. For more information, see the Microsoft article "Q311354: Event
5781 Occurs After DC Changes Domain."

More Info: http://support.microsoft.com/default.aspx?scid=kb;en-us;q311354
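An added example, not from the original article, of the record cleanup described above: it reads the semicolon-prefixed lines out of a netlogon.dns file and turns each one into a dnscmd /RecordDelete command for the old domain's DNS server, working out the node name relative to the zone the way dnscmd expects it. The file contents are constructed for the example; the zone company.net, the DNS server name dns1 and the host names are assumptions.

```powershell
# Added example, not from the original page: pick the stale Netlogon records
# out of netlogon.dns and generate dnscmd /RecordDelete commands for them.
# Constructed sample of %systemroot%\system32\config\netlogon.dns; the zone
# company.net and server names are assumptions.
$NetlogonDns = @'
_ldap._tcp.company.net. 600 IN SRV 0 100 389 server.child-domain.company.net.
;5175a911-d70b-4d3c-8df1-024ca6cd6a50._msdcs.company.net. 600 IN CNAME server.child-domain.company.net.
;_ldap._tcp.dc._msdcs.company.net. 600 IN SRV 0 100 389 server.child-domain.company.net.
_kerberos._tcp.company.net. 600 IN SRV 0 100 88 server.child-domain.company.net.
'@

function Get-StaleNetlogonRecords {
    param([string]$FileText, [string]$Zone)

    foreach ($line in ($FileText -split "`r?`n")) {
        # Per the article, only lines that begin with a semicolon are the leftovers.
        if ($line -notmatch '^\s*;') { continue }

        # Layout is "name. TTL IN type data...": drop the ';' and split on whitespace.
        $fields = $line.TrimStart(';', ' ') -split '\s+'
        if ($fields.Count -lt 5 -or $fields[2] -ne 'IN') { continue }

        # dnscmd wants the node name relative to the zone, e.g. "_ldap._tcp.dc._msdcs".
        $fqdn = $fields[0].TrimEnd('.')
        if ($fqdn -eq $Zone) { $node = '@' }
        elseif ($fqdn.EndsWith(".$Zone")) { $node = $fqdn.Substring(0, $fqdn.Length - $Zone.Length - 1) }
        else { continue }   # belongs to some other zone; leave it alone

        [pscustomobject]@{
            Node = $node
            Type = $fields[3]                                   # CNAME, SRV, A ...
            Data = $fields[4..($fields.Count - 1)] -join ' '    # SRV keeps "prio weight port host"
        }
    }
}

function New-DnscmdDeleteCommand {
    param([string]$DnsServer, [string]$Zone, $Record)
    # /f suppresses the confirmation prompt; leave it off if you want to approve each delete.
    "dnscmd $DnsServer /RecordDelete $Zone $($Record.Node) $($Record.Type) $($Record.Data) /f"
}

$stale = Get-StaleNetlogonRecords -FileText $NetlogonDns -Zone 'company.net'
$stale | ForEach-Object { New-DnscmdDeleteCommand -DnsServer 'dns1' -Zone 'company.net' -Record $_ }

# After the generated commands have run on the DNS server, reregister from the moved DC:
#   Restart-Service Netlogon
```

Read the generated commands before running them: the only records that should appear are the ones the article says to remove, and a zone mismatch (a record that belongs to the new domain's zone) is skipped rather than deleted.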

Windows 2000 post-SP2 File Replication Service update

The Windows 2000 post-Service Pack 2 (SP2) File Replication Service
(FRS) update contains many improvements that speed FRS performance,
eliminate timeouts, and reduce the need for nonauthoritative restores.
In native Win2K domains, the update results in obvious speed
improvements and more robust and reliable file replication. Here's a
quick overview of the changes:
- FRS no longer replicates files that Group Policy updates have
incorrectly marked as changed.
- FRS now obtains replica sets from partner systems serially, which
cuts both the time and the resources that FRS requires to obtain
replica information.
- FRS uses a new algorithm that lets the service continue to
replicate files, even when the staging area is 90 percent full. The
new algorithm permits FRS to delete staging files until the amount of
space consumed drops below 60 percent of the staging area's capacity,
which is 660MB by default.
- The update increases the FRS journal size to a default of 128MB.
The larger size reduces the frequency of journal overwrites and
nonauthoritative restores.
- Instead of automatically initiating a nonauthoritative restore,
FRS writes a message indicating that the restore is required in the
FRS event log.
- FRS lets you change the staging path without first requiring a
nonauthoritative restore. To change the staging path, stop FRS, move
the files, and restart the service.
- The update eliminates an earlier bug that cropped up when the SP2
version of FRS attempted to replicate compressed files.

This post-SP2 update contains new versions of the five components
responsible for file replication: ntfrs.exe, ntfrsapi.dll,
ntfrsprf.dll, ntfrsres.dll, and ntfrsutl.exe. You must contact
Microsoft Product Support Services (PSS) to obtain the update.

Design Considerations for Delegation of Administration in Active Directory

Microsoft published the paper in November 2001, and you can download it from the company's Web site (see the URL below). The paper discusses design concerns regarding the trust you must place in service owners. Gartner Group's John Enck, former Lab Manager for Windows NT Magazine, brought the paper to my attention recently because of its recommendations.

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/addeladmin.asp

In the paper's conclusion, Microsoft says companies "can deploy a single forest
design with a single IT organization owning all forest and domain service
management, and delegate data autonomy or isolation to other organizations by
using [organizational units] OUs." The paper goes on to say, "Some organizations
have specific autonomy or isolation requirements that make trusting a central
service owner impractical or unwise. These organizations can deploy multiple
forest designs, and enable inter-forest collaboration through additional
management systems such as Microsoft Metadirectory Services (MMS)."

So you need to build your Active Directory (AD) infrastructure carefully
because, as the paper also points out, "Domain owners cannot prevent forest
owners from controlling their services and accessing their data," and anyone
joining a forest must trust its service owners. In addition, the paper outlines
several potentially exploitable circumstances that exist when you trust service
owners in a single-forest model. Therefore, if you need genuine administrative
isolation rather than mere autonomy, you need separate forests; a domain
boundary is not a security boundary. Be sure to read the white paper for more
details about the risks of a single-forest model.

Design Considerations for Delegation of Administration in Active Directory - UPDATE

Last week I wrote about Microsoft's white paper, "Design Considerations for
Delegation of Administration in Active Directory," which discusses design
considerations to maximize security for organizations that might need multiple
domains. The paper, in part, suggests that such organizations should consider
using multiple forests to minimize security risks.

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/addeladmin.asp

Donald Bauer, MCSE and Certified Citrix Administrator (CCA) at Integery
International, wrote to inform me that Lucent Technologies has a white paper,
"Windows 2000 Active Directory Design, Restricting the Enterprise Administrators
Group," which is available online in PDF format. Anyone wondering about the pros
and cons of multiple forest directory models should read this paper.

http://www.lucent.com/knowledge/documentdetail/0,1983,inContentId+8839-inLocaleId+1,00.html

The white paper outlines the advantages of grouping domains into a forest and
discusses three Active Directory (AD) features that make this choice reasonable.
The paper says, "There are many advantages to having domains grouped into a
forest. First and foremost, the Windows 2000 AD automatically manages
interdomain trusts within a forest. A second major advantage is that tools exist
from both Microsoft and third parties to permit the movement of certain types of
objects, such as user or computer accounts, from one domain to another in the
same forest. A third advantage is a unified administrative model: a user can be
designated an Enterprise Administrator (EA) and granted administrative rights to
all domains in the forest."

Great points. The paper also discusses the controversy about the third mentioned
advantage--a unified administrative model. The paper states, "This third feature
has caused some controversy; specifically, some organizations want to have a
fully segregated domain design such that an administrator in one domain cannot
interfere with another domain. This has led some organizations to consider
creating separate forests. Separate forests, while they do solve the problem of
overlapping administration introduce other complications into the mix; trusts
between domains from different forests must be manually managed. If the
organization employs Exchange 2000, a common global address book is not possible
since the address book is defined on a forest basis. Finally, the ability to
move user and computer objects between domains is lost since no tool currently
exists to move an object from one forest to another."

Those are some additional interesting tidbits of information, don't you think?
If you're using AD, be sure to read the eight-page white paper--it's worth your
time to do so.

On January 17, Microsoft released another white paper about AD called "The
Common Criteria: Providing a Reliable Security Standard." The paper is available
on the company's Web site. The paper discuses how to use AD to comply with the
Common Criteria (CC).
http://www.microsoft.com/windows2000/techinfo/planning/commoncriteria.asp

According to the US government's CC Web site, "The governments of North American
and European nations agreed in the spring of 1993 to develop a 'Common
Information Technology Security Criteria.' Participants include France, Germany,
the Netherlands, the UK, Canada, and the United States (National Institute of
Standards and Technology--NIST--and National Security Administration--NSA). The
Common Criteria Project is an international body of organizations charged with
aligning the existing security criteria into a standard for certifying the
security of products and systems.

The CC Project consists of three parts. Part 1 defines general concepts and
principles of IT security evaluation and presents a general model of evaluation.
Part 2 establishes a set of standard components to express the functional
security requirements for targets of security evaluation. Part 3 establishes a
set of assurance components to express the assurance requirements for targets of
evaluation. Be sure to visit the CC Web site and read about this initiative in
detail. You can also read a brief explanation of the project at the SANS
Institute Web site.
http://csrc.nist.gov/cc/info/infolist.htm
http://www.commoncriteria.org
http://rr.sans.org/securitybasics/criteria.php

DNS BUG FIX

When you try to clear Windows 2000's DNS cache, you might receive the error message, "The server cache cannot be cleared. DNS zone already exists in the directory service." If you try to clear the cache from the command line (e.g., using dnscmd /clearcache), you might see the error message, "failed: status = 9718 (0x000025f6)." Microsoft Support Online article Q257828 (http://support.microsoft.com/support/kb/articles/q257/8/28.asp) indicates that you can call Microsoft Support for a new version of dns.exe that correctly purges the cache.

Changing Passwords over the Web

Examine how ADSI lets users change their passwords through a Web interface.

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=16225

Win2K Password Protection

Win2K's password protection is stronger than NT's, but backward compatibility can leave Win2K systems vulnerable.

More Info: http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15892

Scripting Solutions: Easy Active Directory Scripting for Systems Administrators, Part 1

Learn basic AD and Active Directory Service Interfaces (ADSI) terminology and put ADSI to work in a sample script.

More Info: http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9168

Windows Scripting Guide

Provides technical resources, information and source code to help you automate the Windows operating system using Windows Script Host (WSH) with VBScript and JScript. URL: http://scripting.winguides.com/

Simplify administration with these resource kit scripts 

In this Top 10, I present my favorite VBScript utilities that you can find in the Microsoft Windows NT Server 4.0 Resource Kit. These utilities provide useful administrative functions and demonstrate how to use the Web-Based Enterprise Management (WBEM) classes with VBScript. (For another opinion about some of these tools, see Mark Minasi, This Old Resource Kit, page 135.)

10. Addusers.vbs and delusers.vbs use Microsoft Active Directory Service Interfaces (ADSI) to add and delete users based on entries in a Microsoft Excel spreadsheet. Before you run these scripts, you must modify the addusers.xls or delusers.xls spreadsheets so that they contain the correct Directory Service (DS) entry for your server. Then, enter the following command:

addusers.vbs addusers.xls

9. Checkbios.vbs uses WBEM to display information about the system BIOS. You can optionally supply parameters that let the script query a remote system. The following example shows how to run checkbios.vbs on a networked system named remotesystem (using the logon remoteid and the password remotepwd):

cscript checkbios.vbs /s remotesystem /u remoteid /w remotepwd

8. Drives.vbs uses WBEM to display information about the system's physical disks. To check the disks on the current system, enter the following command:

cscript drives.vbs

7. Processor.vbs uses WBEM to display a local or remote system's CPU information. To get the processor information for the networked system named remotesystem (using the logon remoteid and the password remotepwd), enter the following command:

cscript processor.vbs /s remotesystem /u remoteid /w remotepwd

6. Ps.vbs retrieves process information (i.e., process ID, name of the executable program, path to the executable program) for all the current jobs running on the system. To retrieve the list of jobs running on the local system and write them to the file process.txt, enter the following command:

cscript ps.vbs /o process.txt

5. Protocolbinding.vbs displays a local or remote system's network protocol bindings. To run the script for the local system, enter the following command:

cscript protocolbinding.vbs

4. Eventlogmon.vbs uses WBEM to monitor either a local or remote event log. The script writes the record number, log file, source, and time of entry to the screen or an output file. This script runs until you press Ctrl+C (or Ctrl+Break).

cscript eventlogmon.vbs

3. Kill.vbs terminates a running job. First, use ps.vbs to write all the current jobs to an output file. Second, use findstr or grep to process the output file and locate a specific entry. Third, pass the task ID of that entry to the kill.vbs script. The following example shows how to kill the local process with the task ID 278:

cscript kill.vbs /x 278

2. Service.vbs is a powerful remote-administration script that lets you list, start, stop, and install a service on a local or remote system. To list all the services on the local system, enter the following command:

cscript service.vbs

1. Share.vbs uses WBEM to list, create, or delete a machine's shares from a local or remote system. To list all of remotesystem's shares (using the logon remoteid and the password remotepwd), enter the following command:

cscript share.vbs /s remotesystem /u remoteid /w remotepwd

Note that passing a password on the command line with /w leaves it visible in the process list and in any command history, so prefer running these scripts under an account that already has rights on the remote system.

Scavenging Stale DNS Records

Windows 2000 dynamic DNS (DDNS) gives you a way to delete old records from the DNS database.

More Info: http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19897

Microsoft Active Directory Troubleshooting Diagram

 



© RTFM Education 2002
All trademarks appropriately acknowledged.
Any information found here is given as is and without warranty.

Site re-design implemented by Design By David