This FAQ is copyright © 1999 John Savill (SavillTech Ltd) all rights reserved. No part of this document should be reproduced, distributed or altered without my permission. You may print it for your own personal use.
The Web version of the Windows NT FAQ is at http://www.ntfaq.com/. To subscribe to the Windows NT FAQ send a mail to nt-faq@ed-com.com with subscribe in the body of the message to receive the updated single file version of the FAQ once a week.
This single file version of the FAQ is available for download from http://www.ntfaq.com/faqcomp.zip.
One month's additions are listed here.
Q. What are the differences between NT Workstation and NT Server?
A. See the table below.
| | Workstation | Server |
| Connection to other clients | 10 | Unlimited |
| Connection to other networks | Unlimited | Unlimited |
| Multiprocessing | 2 CPUs | 4 CPUs |
| RAS | 1 connection | 255 connections |
| Directory Replication | Import | Import and Export |
| Macintosh Services | No | Yes |
| Logon Validation | No | Yes |
| Disk Fault Tolerance | No | Yes |
| Network | Peer-to-peer | Server |
A. NT actually stands for Northern Telecom, but Microsoft licensed it and in the Windows sense it stands for New Technology. It's also interesting to note its heritage: RSX -> VMS -> ELN -> NT, all major designs of David Cutler.
Also VMS + 1 letter = WNT (Windows NT) :-) (aka HAL and IBM in 2001)
Q. What is the NT Boot Process?
A. Firstly the files required for NT to boot are
The common Boot sequence files are
The boot sequence is as follows
A. Virtual Memory makes up for a shortage of RAM by using space on the hard disk as if it were memory. When the actual RAM fills up (actually, shortly before it fills) virtual memory is created on the hard disk. When physical memory runs out, the Virtual Memory Manager chooses sections of memory that have not been recently used and are of low priority and writes them to the swap file. This process is hidden from applications, which see virtual and physical memory as the same.
Each application that runs under Windows NT is given its own virtual address space of 4GB (2GB for the application, 2GB for the operating system).
The problem with Virtual Memory is that as it writes and reads to the hard disk, this is much slower than actual RAM. This is why if an NT system does not have enough memory it will run very slowly.
A. In the late 1980's the Windows environment was created to run on the Microsoft DOS operating system. Microsoft and IBM joined forces to create a DOS replacement that would run on the Intel platform that led to the creation of OS/2, and at the same time Microsoft was working on a more powerful operating system that would run on other processor platforms. The idea was that the new OS would be written in a high level language (such as C) so it would be more portable.
Microsoft hired Dave Cutler (who also designed Digital's VMS) to head the team for the New Technology Operating System (NT :-) ). Originally the new OS was to be called OS/2 NT.
In the early 1990's Microsoft released version 3.0 of its Windows OS which gained a large user base, and it was at this point that the Microsoft and IBM split started, as the two companies disagreed on the future of their OSs. IBM viewed Windows as a stepping stone to the superior OS/2, whereas Microsoft wanted to expand Windows to compete with OS/2, so they split: IBM kept OS/2 and Microsoft changed OS/2 NT to Windows NT.
NT was once called OS/3, and OS/2 V3; I am informed by an alpha tester for IBM & MS that he had a set of 5.25" diskettes from Microsoft, and that's how he got them.
The first version of Windows NT (3.1) was released in 1993 and had the same GUI as the normal Windows Operating System, however it was a pure 32 bit OS, but provided the ability to also run older DOS and Windows apps, as well as character mode OS/2 1.3 programs.
For a detailed history have a look at http://windowsnt.miningco.com/
Q. How do I install the SYMBOL files?
A. Symbol files are produced by the linker when a program is built, and are used to resolve global variables and function names in an executable.
For more information see Microsoft Knowledge Base article Q148659
A. Windows NT (both Workstation and Server) is a 32-bit Operating System. It is a preemptive, multi-tasking Operating System, which means that the Operating System controls allocation of CPU time, not the applications, stopping one application from hanging the OS. NT supports multiple CPUs, giving true multi-tasking, using symmetric multiprocessing, meaning the processors share all tasks, as opposed to asymmetric multiprocessing, where the OS uses one CPU and the applications another. NT is also a fault tolerant Operating System, with each 32-bit application operating in its own Virtual Memory address space (4 GigaBytes), which means one application cannot interfere with another's memory space.
Unlike earlier versions of Windows (such as Windows for Workgroups and Windows 95), NT is a complete Operating System, and not an addition to DOS.
NT supports different CPUs: Intel x86, IBM PowerPC (not to be supported for NT 5.0) and DEC Alpha.
NT's other main plus is its Security with a special NT file system (NTFS) that allows permissions to be set on a file and directory basis.
A. Originally there were .ini files in Windows; however, the problems with .ini files are many, e.g. size limitations, no standard layout, slow access, no network support etc. Windows 3.1 (yes Windows, not Windows NT) had a registry which was stored in reg.dat, could be viewed using regedit.exe and was used for DDE, OLE and File Manager integration. In Windows NT the Registry is at the heart of NT and is where nearly all information is stored; it is split into a number of subtrees, each starting with HKEY_ to indicate that it is a handle that can be used by a program.
| HKEY_LOCAL_MACHINE | This contains information about the hardware configuration and installed software. |
| HKEY_CLASSES_ROOT | This is just a link to HKEY_LOCAL_MACHINE\SOFTWARE\Classes and contains links between applications and file types as well as information about OLE. |
| HKEY_CURRENT_CONFIG | Again this is a link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current and contains information about the current configuration. |
| HKEY_CURRENT_USER | This is a link to HKEY_USERS\<SID of User> and contains information about the currently logged on users such as environment, network connections, printers etc. |
| HKEY_USERS | Contains information about actively loaded user profiles, including .default which is the default user profile. |
Each of the subtrees has a number of keys, which in turn have a number of subkeys. Each key/subkey can have a number of values, each of which has 3 parts
To edit the registry there are two tools available, regedt32.exe and regedit.exe. Regedit.exe has better search facilities, but does not support all of the Windows NT registry value types. If you want to just have a look around the Registry:
Q. What files make up the registry, and where are they?
A. The files that make up the registry are stored in the %systemroot%\system32\config directory and consist of
There are also other files with different extensions for some of them
Q. How do I restrict access to the registry editor?
A. Using the registry editor (regedt32.exe)
Q. What is the maximum registry size?
A. The maximum size is 102MB, however it is slightly more complicated than this.
The registry entry that controls the maximum size of the registry is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\RegistrySizeLimit. By default this entry will not exist so it will need to be created:
The minimum size is 4MB, and if anything less than this is entered in the registry then it will be forced up to 4MB. The maximum is 80% of the paged pool (which has a maximum size of 128MB, hence 102MB which is 80% of 128MB). If no entry is entered then the maximum size is 25% of the paged pool. The paged pool is an area of physical memory used for system data that can be written to disk when not in use.
An important point to note is that the RegistrySizeLimit is a maximum, not an allocation, and so setting a high value will not reserve the space, and it does not guarantee the space will be available.
This can also be configured using the System Control Panel applet, click on the Performance tab and the maximum registry size can be set there. You would then need to reboot.
For more information see Knowledge Base Article Q124594
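The rules above (25% of the paged pool when the value is absent, a 4MB floor, an 80% ceiling) are easy to get wrong when scripting the setting, so here is an added Python example of my own, not from the FAQ or from Microsoft, that computes the limit NT would actually apply and writes the REGEDIT4 line for it. The paged pool size is a parameter, defaulting to the 128MB ceiling quoted above; RegistrySizeLimit is a REG_DWORD, so the .reg line must use dword: rather than a quoted string.

```python
MB = 1024 * 1024
PAGED_POOL_MAX = 128 * MB       # the NT 4 paged pool ceiling the FAQ quotes
RSL_MINIMUM = 4 * MB            # anything lower is forced up to this


def effective_registry_size_limit(configured, paged_pool=PAGED_POOL_MAX):
    """Limit NT applies, in bytes, for a RegistrySizeLimit value (None when the
    value is absent) and a paged pool of the given size. It is a maximum, not an
    allocation: nothing is reserved by setting it."""
    if configured is None:
        return paged_pool // 4                 # no entry: 25% of the paged pool
    ceiling = paged_pool * 4 // 5              # never more than 80% of the pool
    return max(RSL_MINIMUM, min(configured, ceiling))


def rsl_reg_line(limit_bytes):
    """REGEDIT4 line setting RegistrySizeLimit. The value is a REG_DWORD, so a
    .reg file must write it as dword:<8 hex digits>, not as a quoted string."""
    if not 0 <= limit_bytes <= 0xFFFFFFFF:
        raise ValueError("RegistrySizeLimit must fit in a DWORD")
    return '"RegistrySizeLimit"=dword:%08x' % limit_bytes


def describe(configured, paged_pool=PAGED_POOL_MAX):
    """One-line summary for a reporting script (constructed wording)."""
    eff = effective_registry_size_limit(configured, paged_pool)
    src = "absent (default)" if configured is None else "%d bytes" % configured
    return "RegistrySizeLimit %s -> effective maximum %.1f MB" % (src, eff / MB)


if __name__ == "__main__":
    for value in (None, 2 * MB, 24000000, 200 * MB):
        print(describe(value))
    print(rsl_reg_line(24000000))
```

With the 128MB pool, the 200MB request is cut to 107374182 bytes (the 102MB figure above), and 24,000,000 bytes, the value used in the remote-modification answer later in this FAQ, encodes as dword:016e3600.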
There is another complication, during early boot, NTLDR loads some code, allocates working memory, and reads in parts of the registry. All of this has to fit in the first 16MB of memory regardless of how much memory is physically installed. The entire system file is read; enough memory is required to contain the whole file as stored on disk without regard to how much of it is useful.
Some problems
A number of ways to get rid of the excess space:
To turn this off use REGEDT32 to add the value "ReportBootOk:REG_SZ:0" [zero] to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. This will prevent creation of the LastKnownGood ControlSet. If a boot fails because the 16 MB limit with NTLDR is exceeded, no dump can be produced and MS will not solve the problem. This 16 MB problem will not be changed in NT 5.
Q. Should I use REGEDIT.EXE or REGEDT32.EXE?
A. You can use either for NT. REGEDIT does have a few limitations, the largest being that it does not support the full set of registry data types, such as REG_MULTI_SZ, so if you edit this type of data with REGEDIT it will change its type.
REGEDIT.EXE is based on the Windows95 version and has features that REGEDT32.EXE lacks (such as search). In general REGEDIT.EXE is nicer to work with. REGEDIT.EXE also shows your current position in the registry at the bottom of the window.
Q. How do I restrict access to a remote registry?
A. Access to a remote registry is controlled by the ACL on the key winreg.
It is possible to set up certain keys to be accessible even if the user does not have access by editing the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\Machine (use regedt32). You can add paths to this list.
Q. How can I tell what changes are made to the registry?
A. Using the regedit.exe program it is possible to export portions of the registry. This feature can be used as follows:
Q. How can I delete a registry value/key from the command line?
A. Using the Windows NT Resource Kit Supplement 2 utility REG.EXE you can delete a registry value from the command line or batch file, e.g.
reg delete HKLM\Software\test
Would delete the HKEY_LOCAL_MACHINE\Software\test value. When you enter the command you will be prompted if you really want to delete, enter Y. To avoid the confirmation add /force to the command, e.g.
reg delete HKLM\Software\test /force
A full list of the codes to be used with REG DELETE are as follows:
| HKCR | HKEY_CLASSES_ROOT |
| HKCU | HKEY_CURRENT_USER |
| HKLM | HKEY_LOCAL_MACHINE |
| HKU | HKEY_USERS |
| HKCC | HKEY_CURRENT_CONFIG |
To delete an entry on a remote machine add the name of the machine, \\<machine name>, e.g.
reg delete HKLM\Software\test \\johnpc
Q. How can I audit changes to the registry?
A. Using the regedt32.exe utility it is possible to set auditing on certain parts of the registry. I should note that any type of auditing is very sensitive lately and you may want to add some sort of warning letting people know that their changes are being audited.
You will need to make sure that Auditing for File and Object access is enabled (use User Manager - Policies - Audit).
To view the information use Event Viewer and look at the Security information.
Q. How can I clean up/remove invalid entries from the registry?
A. Microsoft have released a utility called RegClean which will go through your machine's registry and delete any unused/unnecessary keys. The current version is 4.1a and can be downloaded from http://support.microsoft.com/download/support/mslfiles/RegClean.exe .
Once downloaded just click on the executable and it will check your registry; once the check is completed you will be given a "Fix Errors" button to fix them. You can click the Exit button to exit.
RegClean creates an uninstall file in the directory the image is located in, of the name
"Undo <machine name> <yyyymmdd> <hhmmss>.reg"
e.g. "Undo workstation 19980320 104323.reg"
To undo the changes just double click (or single depending on your config ;-) ) this file.
See http://support.microsoft.com/support/kb/articles/q147/7/69.asp for more information.
Q. I make changes to HKEY_LOCAL_MACHINE\HARDWARE but they are lost on reboot.
A. This is because HKEY_LOCAL_MACHINE\HARDWARE is recreated by the system at boot time and this means any settings such as ACLs are lost. The rest of HKLM (SOFTWARE, SYSTEM, SAM, SECURITY) is stored on disk, and is not recreated during system boot.
Q. What data types are available in the registry?
A. Below is a table of data types supported by Regedt32.exe; regedit.exe does not support REG_EXPAND_SZ or REG_MULTI_SZ.
| REG_BINARY | This is raw binary data |
| REG_DWORD | This is a double word (4 bytes). It can be displayed in binary, hexadecimal or decimal format |
| REG_EXPAND_SZ | An expandable text string that contains a variable (for example %systemroot%) |
| REG_MULTI_SZ | A multiple line string. Each "line" is separated by a null |
| REG_SZ | A text string |
Q. How can I automate updates to the registry?
A. There are 2 main methods you can use to create scripts that can be run to automate the updates. The first is to create a .reg file which can then be run using
regedit /s <reg file>
The format of the file is
REGEDIT4
[<key name>]
"<value name>"="<value>"        a string value
"<value name>"=hex:<value>      a binary value
"<value name>"=dword:<value>    a dword value
For example
REGEDIT4
[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"Wallpaper"="E:\\WINNT\\savtech.bmp"
"TileWallpaper"="0"
[HKEY_USERS\.DEFAULT\Control Panel\Colors]
"Background"="0 0 0"
Would set the default background and color before anyone logs on.
The second method is to use a Windows 95 style .inf file. These are run using the command
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 <inf file>
The format of the file is as follows
[Version]
Signature = "$Windows NT$"
Provider=%Provider%
[Strings]
Provider="SavillTech Ltd"
[DefaultInstall]
AddReg = AddReg
DelReg = DelReg
UpdateInis = UpdateInis
[AddReg]
[DelReg]
[UpdateInis]
Below are the keys to be used
| HKCR | HKEY_CLASSES_ROOT |
| HKCU | HKEY_CURRENT_USER |
| HKLM | HKEY_LOCAL_MACHINE |
| HKU | HKEY_USERS |
The file below is an .inf file which performs the same as the .reg file described earlier
[Version]
Signature = "$Windows NT$"
[DefaultInstall]
AddReg = AddReg
[AddReg]
HKU,".DEFAULT\Control Panel\Colors","Background",0000000000,"0 0 0"
HKU,".DEFAULT\Control Panel\Desktop","Wallpaper",0000000000,"E:\WINNT\savtech.bmp"
HKU,".DEFAULT\Control Panel\Desktop","TileWallpaper",0000000000,"0"
INF files can be generated automatically using the SYSDIFF utility if you have a difference file (sysdiff /inf <name of difference file> <dir to create to>)
A registry entry can also be deleted using .REG files. That is, if one has a .reg file with, e.g.,
[HKEY_CURRENT_USER\Test]
to enter a key, then one can use
[-HKEY_CURRENT_USER\Test]
to remove it.
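As an added example (my own code, not from the FAQ or from Microsoft), the following Python parses a .reg file in the REGEDIT4 format described above, including "name"=- value deletions and the [-key] form just mentioned, and emits an .inf whose [AddReg]/[DelReg] sections make the same changes using the HK* abbreviations from the table. The flag values 0x00000001 (binary) and 0x00010001 (dword) are setupapi's AddReg type flags, which I am assuming NT's syssetup honours; the FAQ's own .inf example only shows the REG_SZ case (flags 0). Hex values continued over several lines with a trailing backslash are not handled.

```python
import re

# Hive abbreviations used by .inf AddReg/DelReg lines (the table in this FAQ),
# keyed by the full names that .reg files use.
HIVE_ABBREV = {
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
}
REG_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# setupapi AddReg type flags (assumption: NT's syssetup accepts the same values).
INF_FLAGS = {"string": "0x00000000", "binary": "0x00000001", "dword": "0x00010001"}


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _parse_data(rhs):
    """Turn the right-hand side of a "name"=... line into (kind, data)."""
    if rhs == "-":                                   # "name"=-  deletes the value
        return "delete", None
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return "string", _unescape(rhs[1:-1])
    if rhs.lower().startswith("dword:"):
        return "dword", int(rhs[6:], 16)
    if rhs.lower().startswith("hex:"):
        octets = [b for b in rhs[4:].replace(" ", "").split(",") if b]
        return "binary", bytes(int(b, 16) for b in octets)
    raise ValueError("unsupported value syntax: %r" % rhs)


def parse_reg(text):
    """Parse .reg text into (action, hive, subkey, name, kind, data) tuples;
    action is 'add', 'delvalue' or 'delkey'. The default value (@) gets name ''."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in REG_HEADERS:
        raise ValueError("missing REGEDIT4 header")
    entries, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):         # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            delete = path.startswith("-")              # [-key] removes the whole key
            hive, _, subkey = path.lstrip("-").partition("\\")
            if hive not in HIVE_ABBREV:
                raise ValueError("unknown hive %r" % hive)
            if delete:
                entries.append(("delkey", hive, subkey, None, None, None))
                current = None
            else:
                current = (hive, subkey)
            continue
        if current is None:
            raise ValueError("value line outside any key: %r" % line)
        m = re.match(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            raise ValueError("malformed value line: %r" % line)
        name = "" if m.group(1) is None else _unescape(m.group(1))
        kind, data = _parse_data(m.group(2))
        entries.append(("delvalue" if kind == "delete" else "add",
                        current[0], current[1], name, kind, data))
    return entries


def _inf_data(kind, data):
    if kind == "string":
        return '"%s"' % data.replace('"', '""')      # INF doubles embedded quotes
    if kind == "dword":
        return str(data)
    return ",".join("%02x" % b for b in data)


def reg_to_inf(text):
    """Return .inf text whose [DefaultInstall] makes the same registry changes."""
    addreg, delreg = [], []
    for action, hive, subkey, name, kind, data in parse_reg(text):
        root = HIVE_ABBREV[hive]
        if action == "delkey":
            delreg.append('%s,"%s"' % (root, subkey))
        elif action == "delvalue":
            delreg.append('%s,"%s","%s"' % (root, subkey, name))
        else:
            addreg.append('%s,"%s","%s",%s,%s' % (root, subkey, name,
                                                  INF_FLAGS[kind], _inf_data(kind, data)))
    out = ["[Version]", 'Signature = "$Windows NT$"', "", "[DefaultInstall]"]
    out += ["AddReg = AddReg"] if addreg else []
    out += ["DelReg = DelReg"] if delreg else []
    if addreg:
        out += ["", "[AddReg]"] + addreg
    if delreg:
        out += ["", "[DelReg]"] + delreg
    return "\n".join(out) + "\n"


# The FAQ's own .reg example plus a key deletion, as constructed sample input.
FAQ_SAMPLE = r"""REGEDIT4

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"Wallpaper"="E:\\WINNT\\savtech.bmp"
"TileWallpaper"="0"

[HKEY_USERS\.DEFAULT\Control Panel\Colors]
"Background"="0 0 0"

[-HKEY_CURRENT_USER\Test]
"""

if __name__ == "__main__":
    print(reg_to_inf(FAQ_SAMPLE))
```

Run it and the AddReg lines come out in the shape shown in the FAQ's .inf above, with the doubled backslashes of the .reg collapsed to single ones; the trailing [-HKEY_CURRENT_USER\Test] becomes a DelReg line.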
Q. How do I apply a .reg file without the success message?
A. To apply a .reg file (a registry information file) the normal method from the command prompt is to enter
C:\> regedit <registry file>.reg
This applies the change and gives a confirmation message:
"Information in <filename>.reg has been successfully entered into the registry"
If you would like to avoid this confirmation message and apply the change silently use the /s switch, e.g.
C:\> regedit /s <registry file>.reg
Q. How can I remotely modify the maximum registry size?
A. The maximum registry size is usually defined using the System properties control panel applet, Performance tab. When you change this value all it actually does is to update the registry entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\RegistrySizeLimit
You could therefore modify this from the command line using a registry script. For example
REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control]
"RegistrySizeLimit"=dword:016e3600
Run using
C:\> regedit /s <reg name>
You could add this to a login script.
Alternatively run it remotely by submitting it with the AT command. The change will not take effect until the machine reboots. If you wanted the reboot to occur you could add a reboot using the Resource Kit SHUTDOWN.EXE utility (as explained in Q. How can I configure the machine to reboot at a certain time?).
Q. I can't update DWORD values using REG.EXE.
A. There is a bug in REG.EXE supplied with the NT 4.0 resource kit. Download a fixed version from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/reg_x86.exe
Q. How can I install a .inf file from the command line?
A. The normal method to install a .inf file is to right click on it and select Install from the context menu however it is also possible to install from the command line. The syntax is:
C:\> rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 .\<file>.inf
Q. How can I compress the registry?
A. The following procedure can be used to compact the registry files, but also to restore the 'repair disk data' when you have messed up the registry:
1) As always, make sure you have a backup of your system, including the registry
2) Run Start: "RDISK /S-". This automatically updates the repair info located under %systemroot%\repair. The registry data are reorganized and compressed.
3) Next step is to expand these files to a temporary location.
EXPAND %systemroot%\REPAIR\DEFAULT._ %temp%\DEFAULT
EXPAND %systemroot%\REPAIR\SAM._ %temp%\SAM
EXPAND %systemroot%\REPAIR\SECURITY._ %temp%\SECURITY
EXPAND %systemroot%\REPAIR\SOFTWARE._ %temp%\SOFTWARE
EXPAND %systemroot%\REPAIR\SYSTEM._ %temp%\SYSTEM
4) Check your %temp% folder and %systemroot%\system32\config to find the difference in size between the different files that make up the registry. Probably the SOFTWARE hive will show the most remarkable difference. In my case it shrank from over 10MB to 3.5MB.
5) The registry files in %systemroot%\system32\config should be replaced by the reorganized ones in your %temp% folder. You can do this by:
When I performed these steps I noticed a serious performance gain during system startup.
Q. Access to the registry tools has been stopped, is there any way to get access?
A. I include this as I had the exact problem on site a couple of days ago and I want Administrators to be aware that this can be done.
If the scheduler service is running on your PC (or if you can start it) you can submit the registry editor to start via the scheduler and it will then be started under the system context. For example
C:\> at <1 minute in the future> /interactive regedt32.exe
One minute from submission regedt32.exe will be started giving you full access to the registry. Cool!
You can also re-enable the tools by writing a small .reg file and double click on it which gives full access:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
Save as disableregistrytools.reg, double click from Explorer and you will have full registry access.
Q. Where does Windows 2000 store the last key accessed?
A. In Windows 2000 when you start the registry editor it remembers where you last were and automatically reopens that key. This information is actually stored in the registry in location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
If this annoys you, it could be reset at each logon to null via a script with a .reg file, e.g.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"=""
Q. What's new in the Windows 2000 version of RegEdit?
A. As we saw in the last registry tip, the Windows 2000 version of Regedit.exe now remembers the last key that was open when you start the application.
The second major change is the introduction of a Favorites menu to which you can add your most used and 'favorite' registry keys (you would have to be sad :-) ).
REGEDT32.EXE has not had any major functionality changes.
Q. What service packs and fixes are available?
A. See table below. All directories are off of ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/. Just click on the file name for a direct FTP link. For people in Europe ftp.sunet.se/pub3/vendor/microsoft/bussys/winnt/winnt-public/fixes may provide faster access.
There are also Microsoft BBS numbers where Service Packs can be downloaded from, e.g. for the UK it is 44 1734 270065, however the fixes tend to be a few days later than on the FTP site.
| File Name | Directory | Description (Microsoft Article No.) | Hotfixes |
| Sp1_400i.exe | /ussp1/i386 | Service Pack 1 | PostSP1 |
| Sp2_400i.exe | /ussp2/i386 | Service Pack 2 (around 14MB) | PostSP2 |
| Nt4sp3_i.exe | /ussp3/i386 | Service Pack 3 (around 18MB) | PostSP3 |
| NT4SP4I.EXE | NA | Service Pack 4 (around 33MB) | PostSp4 |
| SP5I386.EXE | NA | Service Pack 5 (around 34.5MB) | PostSp5 |
Service Pack 1 Hotfixes /hotfixes-postsp1/
| KRNL40I.EXE | /32proc-fix | Q140065 |
| AFD40I.EXE | /afd-fix | Q140059 |
| CDFS40I.EXE | /cdfs-fix | Q142687 |
| NDIS40I.EXE | /mcanet-fix | Q156324 |
| NDIS40I.EXE | /ndis-fix | Q142903 |
| NTBCKUPI.EXE | /NTBackup-fix | Q142671 |
| NTVDM40I.EXE | /ntvdm-fix | Q134126 |
| PCM40_I.EXE | /pcmcia-fix | Q108261 |
| SCSIFIXI.EXE | /scsi-fix | Q171295 |
| SPX40I.EXE | /spx-fix | Q153665 |
| SYN40I.EXE | /syn-attack | Q142641 |
| NTFS40I.EXE | /toshiba-fix | Q150815 |
| STONE97I.EXE | /winstone97 | Q141375 |
Service Pack 2 Hotfixes /hotfixes-postsp2/
| ALPHA40.EXE | /Alpha-fix | Q156410 |
| DNS40I.EXE | /dns-fix | Q142047, Q162927 |
| IISFIX.EXE | /iis-fix | Q163485, Q164059 |
| KRNL40I.EXE | /krnl-fix | Q135707, **Q141239** |
| TCP40I.EXE | /oob-fix | Q143478 |
| RAS40I.EXE | /ras-fix | Q161368 |
| RPC40I.EXE | /RPC-fix | Q159176, Q162567 |
| SECFIX_I.EXE | /sec-fix | Q143474 |
| SERIALI.EXE | /serial-fix | Q163333 |
| SETUPDDI.EXE | /setupdd-fix | Q143473 |
| SFMSRVI.EXE | /sfmsrv-fix | Q161644 |
| WTCP40I.EXE | /TCPIP-fix | Q163213 |
Service Pack 3 Hotfixes /hotfixes-postsp3/
A number of post Service Pack 3 hotfixes have been replaced by newer fixes and are not listed above; they can be found at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/archive . These include
Service Pack 4 Hotfixes /hotfixes-postsp4/
A post Service Pack 4 hotfix rollup has been released and can be downloaded from: http://www.microsoft.com/ntserver/nts/downloads/recommended/nt4postsp4hotfix/
Individual hotfixes are:
| BIOSFIXI.EXE | /Y2K/BIOS2-fix | Q216913 |
| CLIKFIXI.EXE | /Clik-fix | Q195540 |
| DISCFIXI.EXE | /Disc-fix | Q221331 |
| GINAFIXI.EXE | /Gina-fix | Q214802 |
| KRNLIFXI.EXE | /Kernel-fix | Q234557 |
| MSMQFIXI.EXE | /Y2K/MSMQ-fix | Q230050 |
| MSV-FIXI.EXE | Msv1-fix | Q214840 |
| NPRPCFXI.EXE | /Nprpc-fix | Q195733 |
| SP4HFIXI.EXE | /roll-up | Q195734 |
| RNR-FIXI.EXE | /Rnr-fix | Q214864, Q216091, Q217001 |
| SCRNSAVI.EXE | /Scrnsav-fix | Q221991 |
| SMSFIXI.EXE | /Sms-fix | Q196270 |
| SMSSFIXI.EXE | /Smss-fix | Q218473 |
| TCPIPFXI.EXE | /Tcpip-fix | Q195725 |
| Y2KUPD.EXE | /Y2K/Y2KUPD | Q218877, Q221120 |
Service Pack 5 Hotfixes /hotfixes-Postsp5/
| CSRSSFXI.EXE | /Csrss-fix | Q233323 |
| DIALRFXI.EXE | /Dialer-fix | NA |
| IGMPFIXI.EXE | /IGMP-fix | Q238329 |
| IOCTLFXI.EXE | /IOCTL-fix | Q236359 |
| LSAREQI.EXE | /LSA3-fix | Q231457 |
| NDDEFIXI.EXE | /NetDDE-fix | Q231337 |
| NTFSFIXI.EXE | /NTFS-fix | Q229607 |
| Q234351I.EXE | /Perfctrs-fix | Q234351 |
| RASFFIXI.EXE | /RAS-fix | Q230677 |
| PWDFIXI.EXE | /RASPassword-fix | Q230681 |
| RPSLWFXI.EXE | /Rpcltscm-fix | Q239132 |
| RPWDFIXI.EXE | /RRASPassword-fix | Q233303 |
| WINHLP-I.EXE | /Winhlp32-fix | NA |
| BIOSFIXI.EXE | /Y2K/BIOS2-fix | Q216913 |
The file names above are for the Intel platform (hence the ending I), but they may also be available for Alpha and PPC; just substitute the I with an A (Alpha) or P (PPC).
I should note a health warning, "If it ain't broke, don't fix it" and I would tend to agree with this, so unless you have a problem, or require a new feature of a Service Pack think if you really want it. Also if you are going to apply it to a live system, try and test it first, as sometimes a Service Pack will introduce new problems.
Q. What are the Q numbers and how do I look them up?
A. The Q numbers relate to Microsoft Knowledge Base articles and can be viewed at http://support.microsoft.com/support/
Q. How do I install the Service Packs?
A. If you receive the Service Pack by downloading from a Microsoft FTP site, copy the file to a temporary directory and then just enter the file name (e.g. Sp2_400i.exe). The file will be expanded and among the files created will be one called UPDATE.EXE. Just run this file. If there is no UPDATE.EXE, just .sym files, you have downloaded the symbols version which is used for debugging NT; download the normal version (see above).
If you receive Service Packs via CD, if you just insert the CD (for SP2 and later) and an Internet Explorer page will be shown and you can just click on install for the Service Pack.
Q. How do I install the Hot fix?
A. Again copy the file to a temporary directory and run the file name. A few files will be created, one called HOTFIX.EXE. Run "HOTFIX /install" which will install the Hot Fix.
For the newer hotfixes (from the Java fix for Service Pack 3 onwards) you just double click on the downloaded file.
A. Use the command Hotfix /remove to remove a hotfix. Before you can do this you will need to expand the original hotfix file using the <hotfix> /x command.
To force the removal, use the registry editor (regedt32) to open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\HOTFIX and delete the entry for the hotfix. Then use Explorer to go to %SystemRoot%\HOTFIX\HF00?? and copy the backed up files back to their original location.
Q. How do I install Service Pack 3?
A. Before you install Service Pack 3 you must remove Internet Explorer 4.0 preview if installed:
Also before installing SP3 make sure you have an up to date Repair Disk (RDISK /S). To install Service Pack 3 download Nt4sp3_i.exe and follow the instructions below
Q. Emergency Repair Disk issues after installation of Service Pack 3.
A. Due to changes in Service Pack 3 the Emergency Repair Disk process has changed. The file setupdd.sys that is on the 2nd NT installation disk has been superseded by the one supplied with service pack 3. To extract the file from the Service Pack 3 executable, follow the instructions below:
This is discussed in the Service Pack 3 readme file, and also in knowledge base article Q146887.
Q. How do I remove the Java Hotfix for Service Pack 3?
A. Manually unpack the hotfix
javafixi /x
Then type
hotfix -y
And it will remove the hotfix.
This method may become the new standard for hot fixes.
Q. How do I install multiple Hotfixes at the same time?
A. When you extract the files in a hotfix, generally the following will be extracted
The hotfix.exe is the same executable for all the hotfixes, and the hotfix.inf is basically the same; the only difference is the files that are to be copied, e.g. tcpip.sys, and a description of the hotfix. To install multiple hotfixes at the same time all that is needed is to decompress the hotfix files and update the hotfix.inf with the information on which files to copy.
The reason we copied the .inf files is that you can just cut and paste the hotfix specific information to the common hotfix.inf. When you decompressed a hotfix you will see which files were created, you could then search the .inf file for the file name and it would be in two places, the directory it belongs in and the [SourceDisksFiles] section. You could then go to the bottom of the file and cut and paste the HOTFIX_NUMBER and COMMENT and add to the end of HOTFIX.INF.
This is very hard to explain and an example is probably the best way to demonstrate this. Suppose you want to install
The procedure would be as follows
To install just type
hotfix
from the directory created (i.e. hotfix), you will see a dialog copying the files (the ones you have specified in the hotfix.inf file :-) ), and the system will reboot. To see what hotfixes are installed:
Q. How do I install Hotfixes the same time as I install Service Pack 3 onwards?
A. Update.exe that ships with Service Pack 3 checks for the existence of a hotfix subdirectory, and if the files hotfix.exe and hotfix.inf are present in that directory you are asked when running update.exe if you also want to install the hotfixes.
Q. I have installed Service Pack 3, now I cannot run Java programs.
A. An updated virtual machine used to be available for Internet Explorer 4.0 from the Microsoft site but now you need IE 4.0.
There is also a hotfix for Service Pack 3 available from Microsoft ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/java-fix/JAVAFIXI.EXE or install service pack 4 or above.
Q. I have installed Service Pack 3, however the Policy Editor has not been updated.
A. This is caused by a mistake in the Service Pack 3 update.inf file. The entry for poledit.exe (the executable for the policy editor) is specified in the [MustReplace.system32.files] section whereas the file should actually be in the [SystemRoot.files].
To install the new Policy Editor perform the following
Alternatively you can update the update.inf file and move the location of poledit.exe from [MustReplace.system32.files] to [SystemRoot.files].
Q. How can I tell if I have the 128 bit version of Service Pack 3 installed?
A. The easiest way to tell this is to examine the secure channel dynamic link library (SCHANNEL.DLL):
Q. How do I install a service pack during an unattended installation?
A. There are various options, however all of them require for the service pack to be extracted to a directory, using
NT4SP3_I /x
and you then enter the directory where you want to extract to.
You could extract to a directory under the $OEM$ installation directory which would then be copied locally during the installation and you could add the line
".\UPDATE.EXE -U -Z"
to CMDLINES.TXT. This will increase the time of the text portion of the installation as the contents have to be copied over the network.
With Service Pack 4 you can just add the following and not need to expand the service pack first.
[Commands]
".\sp4\sp4i386.exe -z -u"
Simply create a folder called sp4 under $OEM$ and copy sp4i386.exe to it.
If using the above you should ensure you have the following in unattended.txt
[Unattended]
OemPreinstall=yes
An alternate method is to install from a network drive, this requires a bit more work:
Q. What order should I apply the Hot fixes?
A. There is no specific order to apply post Service Pack 4 and Service Pack 5 hotfixes.
The Service Pack 3 hotfixes are, for the most part, cumulative. This means that the latest binary also includes fixes previously made to the same binary.
For example, the 01/09/98 version of Tcpip.sys (teardrop2-fix) also includes previous fixes to Tcpip.sys (such as land-fix, icmp-fix, and oob-fix).
When you apply multiple fixes, please install them in the following order to ensure a newer fix is not replaced by an older one.
For the Microsoft version of the list please see ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/postsp3.txt
Q. I get an error message when I try to re-apply a hotfix after installing a service pack?
A. If when you try and reinstall a hotfix (after re-applying a service pack etc.) you get the error
Hotfix: The fix is already installed.
Hotfix: Internal consistency
error: Invalid Tree pointer = <garbage characters displayed>.
you need to remove the hotfix before trying to reinstall.
To remove a hotfix you would usually use hotfix /r or hotfix -y (depending on the version; run the hotfix with /? to check the syntax), however there are situations where it will refuse to remove the hotfix:
Hotfix: Fix <name of hotfix> was not removed.
All the hotfix installer actually does when you install one is check a registry entry to see if it is already there, so to get round this problem we can go into the registry and remove the hotfix's corresponding entry.
The fix is still installed on the system, all you have done is removed NT's knowledge of its installation so you will now be able to re-install the hotfix in the normal way.
Q. When should I reapply a Service Pack?
A. You should reapply any Service Pack (and subsequent hotfixes) whenever you add any system utilities/services or hardware/software. A good rule of thumb is if the computer says "Changes have been made you must shutdown and restart your computer" reapply your service pack before the reboot.
The only problem is once you reinstall a service pack, unless you uninstall then reinstall, you will lose the ability to uninstall it.
A. Due to a lot of public pressure, Microsoft agreed to no longer include any new functionality in Service Packs, but would rather produce a separate add-on which would update various option components.
Option Pack 4 is the first of these (to keep in step with Service Pack 4) and can be downloaded from http://www.microsoft.com/ntserver/nts/downloads/recommended/NT4OptPk/default.asp or is supplied as part of MSDN. The download is about 27MB.
If you download from the web you have to download a special program, download.exe, which you then run which downloads or installs the software.
Included in Option Pack 4 are:
More information can be found at http://www.microsoft.com/NTServer/nts/exec/overview/WhatNew.asp
To install the Option Pack you must be running Service Pack 3 or above (I tested with Service Pack 4 and you get warnings that it has not been tested on Service Pack 4 but it works fine) and you must have Internet Explorer 4.01 or above.
Once you start the installation you should click Next to the introduction screen and you will then have two options
If you select Upgrade Only then only existing components on the system will be upgraded to the Option Pack 4 version; clicking Upgrade Plus allows you to install extra software.
If you select Upgrade Plus you can then choose which components to install. Items such as IIS have sub-components such as NNTP server (news) which you can optionally install.
Depending on the components you selected you will be asked some minor questions and then the machine will reboot.
Q. How can I tell which version Service Pack I have installed?
A. When a Service Pack is installed using the normal method (e.g. not just copying the files to a build location) the service pack version is entered into the registry value CSDVersion which is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
The value is of the format "Service Pack n", e.g. "Service Pack 4", but can have extra information if it is a beta or release candidate, e.g. "Service Pack 4, RC 1.99".
To check this from the command line you could use the REG.EXE Resource Kit supplement 2 utility:
C:\>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion"
REG_SZ CSDVersion Service Pack 4, RC 1.99
Make sure you put the value in double quotes (").
An alternative is to just run WINVER.EXE which will tell you your current build and Service Pack version. You can also use WINMSD.EXE or Help/About in Explorer.
Q. I receive an error trying to install Service Pack 4 for NT 4.0.
A. If when installing Service Pack 4 you receive the error:
"Service Pack Setup Error. You do not have permissions to update Windows NT. Please contact your system administrator."
it may be caused by the update.exe image being in the wrong directory.
If you have expanded the service pack using nt4sp4i.exe /x it will create a subdirectory, update, which will include the files
When running update.exe it must be in the update subdirectory. If not you should move the image accordingly.
Q. Setupdd.sys is missing in Service Pack 4/5.
A. Setupdd.sys is included on the Service Pack 4/5 CD and in the Y2K download version of Service Pack 4 but not the normal version.
This file is needed to replace the one on the second Windows NT installation disk to repair a system that has Service Pack 3 or above. To create a set of NT installations disks insert the NT installation CD-ROM and type winnt32 /ox.
You can download SETUPDD.SYS here.
Q. Important steps for installing Service Pack 4.
A. Service Pack 4 makes some permanent changes to the registry and so before installing you should perform the following steps to facilitate a Service Pack uninstall in the event of a problem. Before installing the service pack make sure you have performed the installation on a test server and, as with any other "fix", don't install unless you need a fix supplied by the Service Pack or have been instructed to install it by a Microsoft support engineer. If it ain't broke, don't fix it.
Q. Uninstalling Service Pack 4.
A. As was explained in "Q. Important steps for installing Service Pack 4.", Service Pack 4 makes some changes to registry which can't be undone. Because of this, in the event of a Service Pack 4 uninstall the following files are left unrestored
Additionally the files below are also not restored:
Crypt32.dll, Comctl32.dll, Schannel.dll, Cryptdlg.dll, Pstorerc.dll, Psbase.dll, Pstores.exe, Pstorec.dll, Cryptext.dll, Cryptui.dll, Mssign32.dll, Wintrust.dll, Softpub.dll, Mssip32.dll, Mscat32.dll, Initpki.dll, Cryptnet.dll, Xenroll.dll, Dssig.dll, Sigres.exe, Dssbase.dll, Reaenh.dll (128 bit security only), Rsabase.dll, Certmgr.msc, and Syske.exe.
To uninstall the Service Pack either start the Add/Remove programs control panel applet (Start - Settings - Control Panel - Add/Remove programs), select "Windows NT Service Pack 4" and click Remove, or, move to the %systemroot%\$NtServicePackUninstall$\spuninst directory and run spuninst.exe.
If you wanted to completely uninstall the service pack, undoing the registry changes and restoring all original files, you would need to restore the %systemroot% directory from a backup and repair the registry using the ERD disk you created. Alternatively you could uninstall as normal then use the ERD to repair the registry and replace the six files that the uninstall does not fix.
Q. How can I tell who installed/uninstalled Service Pack 4?
A. When Service Pack 4 is installed or uninstalled an Event is written to the System Event Log. The Event ID is 4353 so you could just create a filter (View - Filter Events) to view only Event ID 4353. It gives the user who performed the action and the time it was done.
The messages are
Windows NT Service Pack 4 was installed (Service Pack 3 was previously installed).
or
Windows NT Service Pack 4 was uninstalled. Restoring Windows NT to Service Pack 3.
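As an added example (not part of the original FAQ), the following Python script applies the same Event ID 4353 filter to a constructed set of event records and extracts who performed the change, when, and which Service Pack level the machine went from and to. The record layout (date, user, event id, message separated by commas) is made up for the example and is not the Event Viewer export format; the two message texts are the ones given above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Event ID written to the System log by the Service Pack 4 installer/uninstaller (from the FAQ)
SP_EVENT_ID = 4353

# Constructed sample records: "date time,user,event id,message". Not a real export format.
SAMPLE_EVENTS = [
    "1999-06-01 09:12:03,SAVILLTECH\\john,4353,Windows NT Service Pack 4 was installed (Service Pack 3 was previously installed).",
    "1999-06-01 09:30:44,NT AUTHORITY\\SYSTEM,6005,The Event log service was started.",
    "1999-06-03 17:02:10,SAVILLTECH\\admin,4353,Windows NT Service Pack 4 was uninstalled. Restoring Windows NT to Service Pack 3.",
]

# The two message forms the service pack writes, with the SP numbers captured
INSTALLED_RE = re.compile(
    r"Windows NT Service Pack (\d+) was installed \(Service Pack (\d+) was previously installed\)\."
)
UNINSTALLED_RE = re.compile(
    r"Windows NT Service Pack (\d+) was uninstalled\. Restoring Windows NT to Service Pack (\d+)\."
)


@dataclass
class ServicePackChange:
    when: str
    user: str
    action: str   # "installed" or "uninstalled"
    from_sp: int  # service pack level before the change
    to_sp: int    # service pack level after the change


def parse_change(record: str) -> Optional[ServicePackChange]:
    """Return the change described by one record, or None if it is not a 4353 event."""
    when, user, event_id, message = record.split(",", 3)
    if int(event_id) != SP_EVENT_ID:
        return None
    m = INSTALLED_RE.fullmatch(message)
    if m:
        return ServicePackChange(when, user, "installed", int(m.group(2)), int(m.group(1)))
    m = UNINSTALLED_RE.fullmatch(message)
    if m:
        return ServicePackChange(when, user, "uninstalled", int(m.group(1)), int(m.group(2)))
    # A 4353 event with an unrecognised message text: leave it out here, review it by hand
    return None


def service_pack_changes(records: List[str]) -> List[ServicePackChange]:
    """Equivalent of the Event Viewer filter on Event ID 4353, over a list of records."""
    return [c for c in (parse_change(r) for r in records) if c is not None]


if __name__ == "__main__":
    for change in service_pack_changes(SAMPLE_EVENTS):
        print(f"{change.when} {change.user}: {change.action} (SP{change.from_sp} -> SP{change.to_sp})")
```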
Q. Service Pack 4 unattended installation switches.
A. The following switches can be used with UPDATE.EXE program supplied with Service Pack 4
| -u | Unattended mode |
| -f | Force all apps to close at shutdown |
| -n | Do not create an uninstall directory |
| -o | Overwrite OEM files without asking |
| -z | Do not reboot when installation is complete |
| -q | Quiet mode - no user interaction |
Q. New Event Logs in Windows NT 4.0 Service Pack 4.
A. Service Pack 4 adds 4 new Event log messages to the System Event Log:
These can all be viewed using the Event Viewer which is located in the Administrative Tools program folder.
Q. When will Service Pack 6 for NT 4.0 be released?
A. Service Pack 6 is currently in beta and I would expect it around September 1999.
Q. I receive an error that setup.log cannot be found when installing a service pack.
A. If when you try and install a service pack you receive one of the following errors:
Service Pack Setup could not find the Setup.log file in your repair directory
or
Service Pack Setup cannot open or modify your SETUP.LOG file
The problem is either
If the file SETUP.LOG in %systemroot%\repair is missing, you can copy it from your Emergency Repair Disk. If that is not an option you could copy one from another machine, but you may need to update the first few lines of the file (I copied a setup.log file from an NT Server Terminal Server installation to an NT Workstation and installed Service Pack 5 with no problems after changing the device and directory! This is not a supported method though).
Below is an example of the first lines of setup.log
[Paths]
TargetDirectory="\WINNT"
TargetDevice="\Device\Harddisk0\partition2"
SystemPartitionDirectory="\"
SystemPartition="\Device\Harddisk0\partition1"
[Signature]
Version="WinNt4.0"
[Files.SystemPartition]
ntldr="ntldr","2a36b"
NTDETECT.COM="NTDETECT.COM","b69e"
[Files.WinNt]
\WINNT\Help\31users.hlp="31users.hlp","12bfc"
...
etc.
If you copy from another machine you may need to update the TargetDirectory and also the TargetDevice (which is where the %systemroot% is located and can be compared against the boot.ini file) and SystemPartition (which is the active partition, starting from 1, e.g. C:, this should not need to be changed).
If the TargetDirectory is different you should perform a global replace in the file from the old name, e.g. WINTSRV to the new name, e.g. WINNT.
If you do have a setup.log file in the repair directory and still get problems installing check that its format matches that given above.
If you don't have any SETUP.LOG files I have an example one you can download and modify from an NT Workstation installation (but don't mail me asking for support) but the correct procedure is outlined at http://support.microsoft.com/support/kb/articles/Q173/3/84.asp which involves reinstalling NT over your existing installation.
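The checks and edits described above (the file must have the sections shown, and a setup.log borrowed from another machine needs its TargetDevice updated and the old TargetDirectory name replaced throughout) can be scripted. The following Python is an added example, not part of the original FAQ or of any Microsoft tool; the sample setup.log it works on is constructed in the layout shown above with made-up checksums and paths.

```python
import re
from typing import Dict, List

# Constructed setup.log in the layout shown in the FAQ; checksums and paths are made up.
SAMPLE_SETUP_LOG = r"""[Paths]
TargetDirectory="\WINTSRV"
TargetDevice="\Device\Harddisk0\partition2"
SystemPartitionDirectory="\"
SystemPartition="\Device\Harddisk0\partition1"
[Signature]
Version="WinNt4.0"
[Files.SystemPartition]
ntldr="ntldr","2a36b"
NTDETECT.COM="NTDETECT.COM","b69e"
[Files.WinNt]
\WINTSRV\Help\31users.hlp="31users.hlp","12bfc"
\WINTSRV\System32\ntoskrnl.exe="ntoskrnl.exe","0abcd"
"""

REQUIRED_SECTIONS = ("[Paths]", "[Signature]", "[Files.SystemPartition]", "[Files.WinNt]")
REQUIRED_PATH_KEYS = ("TargetDirectory", "TargetDevice", "SystemPartitionDirectory", "SystemPartition")


def parse_paths(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [Paths] section with the quotes stripped."""
    paths: Dict[str, str] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line
            continue
        if section == "[Paths]" and "=" in line:
            key, value = line.split("=", 1)
            paths[key] = value.strip('"')
    return paths


def check_format(text: str) -> List[str]:
    """List what is missing compared with the layout above (empty list = looks fine)."""
    lines = [l.strip() for l in text.splitlines()]
    problems = [f"missing section {s}" for s in REQUIRED_SECTIONS if s not in lines]
    paths = parse_paths(text)
    problems += [f"missing [Paths] key {k}" for k in REQUIRED_PATH_KEYS if k not in paths]
    return problems


def retarget(text: str, new_directory: str, new_device: str) -> str:
    """Adapt a setup.log copied from another machine: set TargetDevice and do the
    global replace of the old TargetDirectory name (e.g. \WINTSRV -> \WINNT)."""
    paths = parse_paths(text)
    old_dir = paths["TargetDirectory"]
    text = text.replace(f'TargetDevice="{paths["TargetDevice"]}"', f'TargetDevice="{new_device}"')
    # Only replace where the path component ends (next char is \ or " or end of line),
    # so an old name like \WIN does not also rewrite \WINNT.
    pattern = re.compile(re.escape(old_dir) + r'(?=[\\"]|$)', re.MULTILINE)
    return pattern.sub(lambda m: new_directory, text)


if __name__ == "__main__":
    print("problems:", check_format(SAMPLE_SETUP_LOG) or "none")
    print(retarget(SAMPLE_SETUP_LOG, r"\WINNT", r"\Device\Harddisk0\partition1"))
```

The SystemPartition value is left alone, as the FAQ notes it normally does not need changing; compare the new TargetDevice against boot.ini before using the result.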
Q. How can I perform a function in a logon script depending on machines Service Pack version?
A. A new utility from SavillTech, CmdInfo, sets the error level depending on the Service Pack version of the client machine; different actions can then be taken depending on the result.
CmdInfo can be downloaded from http://www.savilltech.com/download/cmdinfo.zip.
CmdInfo can also perform actions depending on the OS version and installation type. Below is an example of its use to detect the SP version in a logon script:
@ECHO OFF
CMDINFO.EXE /sp
rem IF ERRORLEVEL n is true when the exit code is n OR HIGHER, so test the highest value first
IF ERRORLEVEL 5 GOTO SP5
IF ERRORLEVEL 4 GOTO SP4
IF ERRORLEVEL 3 GOTO SP3
IF ERRORLEVEL 2 GOTO SP2
IF ERRORLEVEL 1 GOTO SP1
IF ERRORLEVEL 0 GOTO SP0
:SP5
ECHO Service Pack 5 is installed on this NT computer.
ECHO No further upgrades are necessary.
GOTO END
:SP4
ECHO Service Pack 4 is installed on this NT computer.
ECHO Press any key to install Service Pack 5...
PAUSE > NUL
rem Let's assume drive X: is mapped to a sharepoint...
rem
X:\SP5\UPDATE\UPDATE.EXE -u -f -o
GOTO END
rem (etc. ...)
:END
EXIT
Q. What is new in Windows NT 5.0?
A. NT 5.0 is the next major release of NT. It is expected to include the following new features:
For more information on what's new please goto http://www.microsoft.com/NTServer/Basics/Future/WindowsNT5/Features.asp
A. Below is a list of useful links at Microsoft
Q. How do I get the Microsoft Windows 2000 Beta?
A. Windows 2000 is currently in beta test. The technical beta program is closed and is not accepting additional requests at this time. The Windows 2000 beta is not generally available at present for free. If you want this beta, there are five approaches you can consider taking:-
A. Microsoft have renamed NT 5.0 to Windows 2000 in an attempt to simplify the product lines. Below is an extract from the Microsoft press release:
Four products to make up initial Windows 2000 offerings, all "Built on NT Technology".
The company has decided to rename the next release of the Windows NT® line of operating systems—formerly known as Windows NT 5.0—as Windows 2000. Now that millions of people use the Windows NT operating systems every day, Microsoft has decided to rename its next releases to reflect their shift into the mainstream market and to help customers understand the products. All currently released operating systems will retain their names.
The company has also expanded the Windows server line to meet customer demand for solutions that are more powerful than Windows NT Server Enterprise Edition and for lower cost clustering alternatives for branch-office servers.
"Windows NT was first released five years ago as a specialized operating system for technical and business needs. Today it has proven its value as the preferred technology for all users who want industry-leading cost-effectiveness, rich security features and demonstrated scalability," said Jim Allchin, senior vice president at Microsoft. "The Windows NT kernel will be the basis for all of Microsoft's PC operating systems from consumer products to the highest-performance servers."
The Windows 2000 line, which Microsoft will begin to roll out in 1999, will include four products. Windows 2000 Professional is a desktop operating system aimed at businesses of all sizes. Microsoft designed Windows 2000 Professional as the easiest Windows yet, with high-level security and significant enhancements for mobile users. The operating system is also designed to provide industrial-strength reliability and help companies lower their total cost of ownership with improved manageability.
Microsoft offers the Windows 2000 Server as the ideal solution for small- to medium-sized enterprise application deployments, web servers, workgroups and branch offices. Windows 2000 Server will support new systems with up to two-way SMP; existing Windows NT Server 4.0 systems with up to four-way SMP can be upgraded to this product.
Windows 2000 Advanced Server is a more powerful departmental and application server that provides network operating system and Internet services. Supporting new systems with up to four-way SMP and large physical memories, this product is ideal for database-intensive work. In addition, Windows 2000 Server integrates clustering and load-balancing support to provide excellent system and application availability. Organizations with existing Windows NT 4.0 Enterprise Edition servers with up to eight-way SMP can install this product.
The Windows 2000 line will also include the new Windows 2000 Datacenter Server, which is the most powerful server operating system ever offered by Microsoft. Windows 2000 Datacenter Server supports up to 16-way SMP and up to 64GB of physical memory, depending on system architecture. Like Windows 2000 Advanced Server, it provides both clustering and load balancing services as standard features. Microsoft designed this product especially for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing and server-consolidation projects.
Microsoft believes its new Windows 2000 name will help both its partners and customers. "The new name also serves our goal of making it simpler for customers to choose the right Windows products for their needs," said Brad Chase, vice president at Microsoft. "The new naming system eliminates customer confusion about whether 'NT' refers to client or server technology. Also, with our across-the-board improvements in ease of use, mobile support and total cost of ownership that provide benefits to so many users, 'NT' technology is no longer just for high-end workstations." Microsoft will use the tagline "Built on NT Technology" to help its customers through the naming transition.
The company believes that the Windows 2000 name and NT tagline will help people to identify which operating system will work best in their environment. And—as the name implies—Windows 2000 is ready for the next millennium.
Q. Getting the most out of NT 5.0 beta 2.
A. Windows NT Expert Thomas Lee has submitted these tips for getting the most out of NT 5.0 Beta 2.0. Dated 04/11/1998
Now that NT5 Beta 2 Workstation and Server have been in the field for some time, some experience with these releases has been gained. In these public newsgroups, we often see issues being repeated since later users have not seen the related posts.
To help in assisting new users, I've compiled what I modestly called:
I've written both specific answers to these noted problems, plus some general tips on how to get the most out of NT5 B2.
I can't get DHCP to work.
Two things to check: first that the DHCP server has been authorised and second that the subnet has been activated. To find out more about setting up a DHCP server, refer to the Walkthroughs.
In general, read the walkthroughs for all the functions before asking more questions in the newsgroups. But if you are unclear, certainly post!
CDR is broken in B2
This is a known issue. But please file a bug report on your details, especially including your exact hardware configuration.
In general, try to read the older messages - the last couple of weeks or so to see if the issue has come up. A lot of issues are repeated, and repeated, suggesting, to some, that newsgroups are write only.
So how do I create a domain - there was nothing in the setup about that!
In Windows 2000, the creation of a domain controller is not done during the installation of the OS. With Win2k, you install the OS first then you create a Domain Controller by DCPROMO.EXE either from the command prompt or from Start/Run. Prior to running DCPROMO.EXE, you must install and set up a DNS service. For more details on setting up a DC, see advsetup.txt on the CD.
In general, please read all the files in the root of the CD before asking further questions in the newsgroup please! [J.S. There is also an example in the FAQ Q. How do I promote a server to a domain controller?]
Beta 2 does not support my <pick your hardware device>
First, check the HCL in \support\hcl.txt to see if this card is supported. If it is and it does not work, try the standard tricks: take card out, see what works. Check the IRQs, etc. IF all else fails, file a bug report.
If your device is NOT on the HCL, file a bug report explaining the details of your system, the precise way the card fails (BSOD, installs but fails, reduced functionality). Also try Win98 drivers if you can find them. Finally file a bug report.
In general, the HCL is your friend. Please consider consulting it prior to asking questions on the newsgroups. Also, Help is your other friend - check Help for configuration questions.
The Find dialog is broken.
The find/search dialog does work, it's just not user friendly. This is a bug, and is "fixed in later builds" - a common reply to bugs submitted regarding this dialog!
But file searching can be significantly improved by use of the index server. This does devour a lot of disk resources initially (it content indexes your entire disk setup).
Once it has completed the first pass (which can take hours depending on how much disk space you have and how much horsepower your system has), it's efficient and very useful for searching. Initial indexing is an ideal task to kick off at night, and come back to see complete in the morning. Development staff, developing HTML, Office documents, C Code, etc., will love the ability to search for specific strings in the myriad of .cpp, .htm, .shh, .asp files, etc! Check it out.
In general, for certain users, Index server is a real pal.
I can't work out how to do something in NT5 B2.
Try looking in the help. The server help, especially, has a lot of really great background information. Help is massively different, and better, in Windows 2000 than in NT4! The Help text includes documentation on how to carry out most basic configuration tasks, background concepts (and much of it well written), and places to go for more information (e.g. web sites, books, RFCs, etc). Take a look - Help has gotten a whole lot better.
In general, Help is a friend.
Why is this wise guy always asking me to read the documentation?
Simple, really. A number of procedures will be new, and the details of these are documented. Secondly, the release notes document known issues, work arounds, etc.
Windows 2000 is a lot different from NT4. I'd like to find the 'This sure isn't Kansas any more Toto' quote from the Wizard of Oz as the start-up sound. MS are aware and really have tried to document the key points. The walkthroughs make a great self-paced self-study tour of Windows 2000 - enjoy the ride.
In general: the product documentation is your friend.
Why is that guy always saying 'file a bug report'?
Why IS that guy always telling me to file a bug report??? Well, to put it bluntly: The product shipped as NT5 B2 is in beta test. It is not a final product. There are most likely thousands of bugs still remaining ranging from serious show stoppers to trivial things that simply will never get fixed (e.g. the titles on a dialog box). That is not abnormal for such a large product this far from shipping.
Win2000 is simply NOT ready to ship today - MS need to find, and resolve, these bugs. If you find something wrong, it may just be simple user error but it may well be a bug. So if you think it's broken, tell MS.
You, as future users, can influence and have helped to shape the product as it evolves. MS has listened to the feedback and are incorporating it. With the NT team embarking on the death march to Beta 3, if you don't tell MS, you may well have to live with the consequences - and condemn others.
MS have made it clear that Windows 2000 will not ship before it's ready. They have said they will ship when customers tell them it's ready. You are the customer - tell MS what you've found out and what you think.
In general: Make a difference. File a GOOD bug report.
OK, cool, so how do I do it?
If you are on an internal beta, you will know how to do this - it was on the release notes accompanying your CD (and in email). Please follow directions, and discuss the issue on the internal newsgroups. Please read those groups.
If you are not on the technical beta, then go to ntbeta.microsoft.com. Fill in a short survey, and give them your email alias. You will then get a userid and password to enter the site. Go back, and with your password, you can drill down to a web tool to file a bug report. Spend a bit of time, if you can, to look at the site for more details on bug reporting. Oh, and the ntbeta.microsoft.com has not been renamed. Yet.
In general: The ntbeta.microsoft.com site is your friend.
How much do I need to tell MS about a bug. How good is good?
To some degree, the more you can provide, the better. Filing good bug reports means report as much as possible, including all your hardware, the exact nature of problem, and if possible precise steps to reproduce it.
In general, if MS can't reproduce it - it's not a bug.
Written by that guy who is always asking folks to read the documentation, use Help, and file good bug reports.
And for the humour impaired: this entire post is classified ":-) "
Q. What hardware is needed to run Windows 2000?
A. Below is a list of the minimum hardware needed to install Windows 2000.
The minimum memory really is the minimum: the setup program performs a test to check you have that amount, or the installation will not proceed (very annoying when I tried to install Server on my portable, which (then) only had 32MB of RAM). You can, however, hack the txtsetup.sif files to install either Server or Workstation on systems with less memory. There is no check on CPU type.
The 64bit Alpha processor continues to be supported, although memory requirements are slightly larger (eg 96MB for Server) than Intel systems. Support for archaic 1st generation systems such as the Jensen has been dropped for Windows 2000.
This information is also in the file setup.txt on the Windows 2000 (NT 5.0 Beta) CD-ROM.
Q. Where is the Hardware Compatibility List for Windows 2000?
A. The HCL for Windows 2000 is supplied on the CD in both text and HTML Help format. It can also be found at ftp://ftp.microsoft.com/services/whql/win2000hcl.txt.
Q. How can a FAT partition be converted to an NTFS partition?
A. From the command line enter the command convert d: /fs:ntfs . This command is one way only, and you cannot convert an NTFS partition to FAT. If the FAT partition is the system partition then the conversion will take place on the next reboot.
After the conversion File Permissions are set to Full Control for Everyone, whereas if you install directly to NTFS the permissions are set on a stricter basis.
Q. How can a NTFS partition be converted to a FAT partition?
A. A simple conversion is not possible, and the only course of action is to backup all the data on the drive, reformat the disk to FAT and then restore your data backup.
Q. How do I run HPFS under NT 4.0?
A. If you want NT support for HPFS, you can upgrade from 3.51 to 4.0 which will retain HPFS support. You can manually install the 3.51 driver under NT 4.0, however this is not supported by Microsoft.
Q. How do I compress a directory?
A. Follow instructions below (this can only be done on an NTFS partition)
Q. How do I uncompress a directory?
A. Follow the same procedure above, but uncheck the compress box.
Q. Is there an NTFS defragmentation tool available?
A. There are a number available for NT that I know of.
Windows 2000 has a limited built in defragmentation tool which can be used as follows:
Q. Can I undelete a file in NT?
A. It depends on the file system. NT has no undelete facility, however if the filesystem was FAT then boot into DOS and then use the dos undelete utility. With the NT Resource kit there is a utility called DiskProbe which allows a user to view the data on a disk, which could then be copied to another file. It is possible to search sectors for data using DiskProbe.
If the files are deleted on an NTFS partition booting using a DOS disk and using the undelete.exe program is not possible since DOS cannot read NTFS partitions. NTFS does not perform destructive deletes which means the actual data is left intact on the disk (until another file is written in its place) and so a new application from Executive Software, Network Undelete can be used to undelete files from NTFS partitions. A free 30-day version can be downloaded from http://www.networkundelete.com/.
Executive Software also have a free utility Emergency Undelete which can undelete locally deleted files, http://www.execsoft.com/.
It is important that once any file is deleted, all activity on the machine is stopped to reduce the possibility of other files overwriting the data you want to recover.
A. Native NT does not support FAT32. NT Internals have released a read-only FAT32 driver for Windows NT 4.0 from http://www.sysinternals.com/fat32.htm, or a full read/write version can be purchased from http://www.winternals.com/.
Windows 2000 has full FAT 32(x) support with the following conditions:
Q. Can you read an NTFS partition from DOS?
A. Not with standard DOS, however there is a product called NTFSDos which enables a user to read from a NTFS partition. The homepage for this utility is http://www.sysinternals.com/.
Q. How do you delete a NTFS partition?
A. You can boot off of the three NT installation disks and follow the instructions below:
Usually an NTFS partition can be deleted using FDISK (delete non-DOS partition), however this will not work if the NTFS partition is in the extended partition.
You can delete an NTFS partition using Disk Administrator, by selecting the partition and pressing DEL (as long as it is not the system/boot partition).
There is also a utility called delpart.exe that will delete a NTFS partition from a DOS bootup.
Q. Is it possible to repartition a disk without losing data?
A. There is no standard way in NT, however there is a 3rd party product called Partition Magic which will repartition FAT, NTFS and FAT32. There is a bug in the product which makes the boot partition unbootable if it is repartitioned; a fix is available for this from their web site.
Q. What is the biggest disk NT can use?
A. The simple answer to this question is that NT can view a maximum partition size of 2 terabytes (or 2,199,023,255,552 bytes), however there are limitations that restrict you well below this number.
FAT has an internal limit of 4 GB due to the fact it uses 16-bit fields to store file sizes: 2^16 is 65,536, which with a cluster size of 64 KB gives us the 4 GB.
HPFS uses 32bit fields and can therefore handle greater size disks, but the largest single file size is 4GB. HPFS allocates disk space in 512 byte sectors which can cause problems in Asian markets where sector sizes are typically 1024 bytes which means HPFS cannot be used.
NTFS uses 64-bits for all sizes, leading to a max size of..... 16 exabytes!!! (18,446,744,073,709,551,616 bytes), however NT could not handle a volume this big.
For IDE drives, the maximum is 136.9 GB, however for a standard IDE drive this is constrained to 528MB. The new EIDE drives can access much larger sizes.
It is important to note that the System partition (holding ntldr, boot.ini, etc.) MUST be entirely within the first 7.8GB of any disk (if this is the same as the boot partition the limit applies to it as well). This is due to the BIOS int 13H interface used by ntldr to bootstrap up to the point where it can drive the native IDE or SCSI hard disk. int 13H presents a 24-bit parameter for cylinder/head/sector of a drive. If, say, defragmentation moves the system files beyond this point you will not be able to boot the system.
Windows 2000 has no such limitation. These are limits imposed by the specific machine BIOS. Newer machines/BIOSes typically don't have this limitation.
Q. Can I disable 8.3 name creation on a NTFS?
A. From the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, change the value NtfsDisable8dot3NameCreation from 0 to 1.
You may experience problems installing Office 97 if you disable 8.3 name creation and may have to re-enable it during the installation of the software.
Q. How can I stop NT from generating LFN's (Long File Names) on a FAT partition?
A. Using the registry editor change the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\Win31FileSystem from 0 to 1 and only 8.3 file names will be created.
The reason for not wanting the LFN's to be created is that some 3rd party disk utilities that directly manipulate FAT can destroy the LFN's. Utilities such as SCANDISK and DEFRAG that come with DOS 6.x and above do not harm LFN's.
Q. I can't create any files on the root of a FAT partition.
A. The root of a FAT drive has a coded limit of 512 entries, so if you have exceeded this you will not be able to create any more files. I don't have this many! Remember Long File Names take up more than one entry, see the next FAQ for more information, so if you have many LFN's on the root this will drastically reduce the number of files you can have.
A. Long File Names are stored using a series of linked directory entries. A LFN will use one directory entry for its alias (the alias is the 8.3 name automatically generated), and a hidden secondary directory entry for every 13 characters in its name, so if you had a 200 character long file name, this would use 17 entries!
The alias is generated using the first six characters of the LFN, then a ~ and a number for the first 4 versions of files with the same first six characters, e.g. for the file john savills file.txt the names generated would be johnsa~1.txt, johnsa~2 etc.
After the first 4 version of a file, only the first two characters of the file name are used, and the last 6 are generated, e.g. jo0E38~1.txt
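The entry arithmetic above (one entry for the alias plus one for every 13 characters of the long name, against a 512-entry FAT root directory) and the ~1 to ~4 alias rule are worked through in the following Python. It is an added example, not part of the original FAQ or of NT itself: the 8.3 test is a simplification (upper case, no spaces, one dot, stem of at most 8 and extension of at most 3), and the hashed jo0E38~1.txt form used after the fourth collision is not reproduced because the FAQ does not describe how those four characters are generated.

```python
import math

ROOT_DIR_ENTRIES = 512     # fixed size of a FAT root directory, as stated in the FAQ
CHARS_PER_LFN_ENTRY = 13   # characters of the long name held by each hidden secondary entry


def fits_8dot3(name: str) -> bool:
    """Simplified 8.3 test: upper case, no spaces, at most one dot, stem <= 8, extension <= 3.
    Such a name needs no long-name entries at all (simplification for this example)."""
    if " " in name or name != name.upper() or name.count(".") > 1:
        return False
    stem, _, ext = name.partition(".")
    return 0 < len(stem) <= 8 and len(ext) <= 3


def directory_entries_needed(name: str) -> int:
    """Directory entries one file consumes: 1 for the 8.3 alias, plus one secondary entry
    per 13 characters of the long name (rounded up)."""
    if fits_8dot3(name):
        return 1
    return 1 + math.ceil(len(name) / CHARS_PER_LFN_ENTRY)


def max_files_in_root(long_name_length: int) -> int:
    """How many files with names of the given length fit in the 512-entry root directory."""
    return ROOT_DIR_ENTRIES // directory_entries_needed("x" * long_name_length)


def alias_for(long_name: str, collision_index: int) -> str:
    """8.3 alias for the first four files sharing the same leading six characters:
    first six characters of the name (spaces removed), '~', the index, then the extension."""
    if not 1 <= collision_index <= 4:
        raise ValueError("after ~4 NT switches to a hashed alias the FAQ does not define")
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    base = stem.replace(" ", "")[:6]
    alias = f"{base}~{collision_index}"
    return f"{alias}.{ext[:3]}" if ext else alias


if __name__ == "__main__":
    name = "john savills file.txt"
    print(name, "->", alias_for(name, 1), "using", directory_entries_needed(name), "entries")
    print("200-character name uses", directory_entries_needed("x" * 200), "entries")
    print("root holds at most", max_files_in_root(200), "such files")
```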
Q. How do I change access permissions on a directory?
A. You can only set access permissions on an NTFS volume. Follow the instructions below:
Q. How can I change access permissions from the command line?
A. A utility called CACLS.EXE comes as standard with NT and can be used from the command prompt. Read the help with the CACLS.EXE program (cacls /?). To give user john read access to a directory called files enter:
CACLS files /e /p john:r
/e is used to edit the ACL instead of replacing it, therefore other permissions on the directory will be kept. /p sets permission for user:<permission>
Q. I have a CHKDSK scheduled to start next reboot, but I want to stop it.
A. If the command chkdsk /f /r (find bad sectors, recover information from bad sectors and fix errors on the disk) is run, on the next reboot the check disk is scheduled, however you may want to cancel this check disk. To do this perform the following:
Q. My NTFS drive is corrupt, how do I recover?
A. To restore an NTFS drive using the information below, it must have been created using Windows NT 4.0, if it was not created using NT 4.0 you should see Knowledge base article Q121517. To restore an NTFS partition you must locate the spare copy of the boot sector and copy it to the correct position on the drive. You need the NTdiskedit utility (you can also use Disk Probe that comes with the resource kit and instructions for Disk Probe can be found at http://support.microsoft.com/support/kb/articles/q153/9/73.asp or Norton disk edit) which is available from Microsoft Support Services.
Q. How can I delete a file without it going to the recycle bin?
A. When you delete the file, hold down the shift key.
Q. How can I change the serial number of a disk?
A. The serial number is located in the boot sector for a volume. For FAT drives it's 4 bytes starting at offset 0x27; for NTFS drives it's 8 bytes starting at offset 0x48. You'll need a sector-level editor to modify the number (like the Resource Kit's Diskprobe).
Q. How can I backup the Master Boot Record?
A. The Master boot record on the hard disk used to start the computer (the system partition) is the most critical sector so make sure this is the sector you backup. The boot partition is also very important (where %systemroot% resides). You need the DiskProbe utility that comes with the Resource Kit.
Q. How do I restore the Master Boot Record?
A. Follow the instructions below, however be very careful!!!
Q. What CD-ROM file systems can NT read?
A. NT's primary CD-ROM file system is CDFS, a read-only file system; however it can read any file system that is ISO9660 compliant.
Q. How do I disable 8.3 name creation on VFAT?
A. Start the registry editor (regedit.exe) and set the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\Win95TruncatedExtensions to 0.
Q. How do I create a Volume Set?
A. A volume set allows you to take all the unused space on one or more drives (up to 32 drives per volume set) and combine it into a single, large, system recognizable drive. To create a volume set:
The main problem with volume sets is that if one drive in the volume set fails, the entire volume set becomes unavailable.
Q. How do I extend a Volume Set?
A. Extending a volume set is very simple, however a reboot will be required
The reboot will take longer than normal as the new area added has to be formatted to the same file system as the rest of the volume set.
Note: Only NTFS Volume Sets can be extended.
Q. How do I delete a Volume Set?
A. When you delete a volume set all the data stored will be lost. To delete a volume set:
Q. What is the maximum number of characters a file can be?
A. This depends on whether the file is being created on a FAT or NTFS partition. The maximum file name length on an NTFS partition is 256 characters, and 11 characters on FAT (8 character name, ".", 3 character extension). NTFS filenames keep their case, whereas FAT filenames have no concept of case (however case is ignored when performing a search etc. on NTFS). There is the new VFAT which also has 256 character filenames.
NTFS filenames can contain any characters, including spaces, uppercase/lowercase except for the following
" * : / \ ? < > |
which are reserved for NT, however the file name must start with a letter or number.
VFAT filenames can also contain any characters except for the following
/ \ : | = ? " ; [ ] , ^
and once again the file name must start with a letter or number.
NTFS and VFAT also create an 8.3 format file name, see Q. How do LFNs work?
Q. How can I stop chkdsk at boot time from checking volume x?
A. When NT boots it performs a check on all volumes to see if the dirty bit is set, and if it is a full chkdsk /f is run. To stop NT performing this dirty bit check you can exclude certain drives. The reason you may want to do this is for some type of removable drive, e.g. Iomega drives:
Where x is the drive letter, e.g. if you wanted to stop the check on drive f: you would type autocheck autochk /k:f *. To stop the check on multiple volumes just enter the drive names one after another, e.g. to stop the check on e: and g: autocheck autochk /k:eg *, you do not retype the /k each time.
If you are using NT 4.0 with Service Pack 2 or above, you can also use the CHKNTFS.EXE command which is also used to exclude drives from the check and updates the registry for you. The usage to disable a drive is
chkntfs /x <drive letter>:
e.g. chkntfs /x f:
would exclude the check of drive f:
To set the system back to checking all drives just type
chkntfs /d
Q. How can I compress files/directories from the command line?
A. A utility is supplied with the resource kit called compact.exe which can be used to view and change the compression characteristics of a file/directory.
Q. What protections can be set on files/directories on a NTFS partition?
A. When you right click on a file in Explorer and select properties (or select Properties from the File menu) you are presented with a dialog box telling you information such as size, ownership etc. If the file/directory is on a NTFS partition there will be a security tab, and within that dialog, a permissions button. If you press that button you can grant access to users/groups on the resource at various levels.
There are six basic permissions
These can be assigned to a resource, however they are grouped for ease of use
The permissions above can all be set on a directory, however this list is limited for a file, and permissions that can be set are only No Access, Read, Change and Full Control.
Another permission exists called "Special Access" (on a directory there will be two, one for files, one for directories), and from this you can set which of the basic permissions should be assigned.
Q. How can I take ownership of files?
A. Sometimes you may want to take ownership of files/directories, usually because someone has removed all access on a resource and can't see it. You would log on as the Administrator and take ownership. You cannot give ownership to someone else using standard NT functionality, only take ownership.
Q. How can I view the permissions a user has on a file from the command line?
A. A utility is supplied with the resource kit called perms.exe which can be used to view permissions on files/directories. The usage is
perms <domain>\<user> <file>
e.g. perms savilltech\savillj d:\file\john\file.dat
You can add /s to also show details of sub files/directories. The permissions shown equate to
| R | Read |
| W | Write |
| X | Execute |
| D | Delete |
| P | Change Permission |
| O | Take Ownership |
| A | All |
| None | No Access |
| * | User is the owner |
| # | A group the user is a member of owns the file |
| ? | Permissions cannot be determined |
To output to a file just add > filename.txt at the end, e.g.
perms <user> <file> > file.txt
Q. How can I tell the total amount of space used by a folder (including sub folders)?
A. There are two ways of doing this (there are more!), one using Explorer and one from the command line. Using Explorer
From the command line you can just use the dir command with the /s qualifier, which also lists all sub-directories, e.g.
dir /s d:\savilltechhomepage
would list all files/folders in the savilltechhomepage directory and at the end the total size.
Q. There are files beginning with $ at the root of my NTFS drive, can I delete them?
A. NO!!! These files hold the information of your NTFS volume. Below is a table of all the files used by the file system:
| $MFT | Master File Table |
| $MFTMIRR | A copy of the first 16 records of the MFT |
| $LOGFILE | Log of changes made to the volume |
| $VOLUME | Information about the volume, serial number, creation time, dirty flag |
| $ATTRDEF | Attribute definitions |
| $BITMAP | Contains drive cluster map |
| $BOOT | Boot record of the drive |
| $BADCLUS | A list of bad clusters on the drive |
| $QUOTA | Quota information (used on NTFS 5.0) |
| $UPCASE | Maps lowercase characters to uppercase version |
If you want to have a look at any of these files use the command
dir /ah $mft
It's basically impossible to delete these files anyway as you can't remove the hidden flag, and if you can't remove the hidden flag you can't delete it!
Q. What file system do Iomega ZIP disks use?
A. By default, formatted ZIP disks are FAT, however you can format these with NTFS if you want. NTFS has a higher overhead than FAT on small volumes (an initial 2MB) which is why you don't have NTFS on 1.44MB floppy disks.
Q. What cluster size does a FAT/NTFS partition use?
A. The default cluster size for a FAT partition is as follows:
| Partition size | Sectors per cluster | Cluster size |
| <32MB | 1 | 512 bytes |
| <64MB | 2 | 1K |
| <128MB | 4 | 2K |
| <255MB | 8 | 4K |
| <511MB | 16 | 8K |
| <1023MB | 32 | 16K |
| <2047MB | 64 | 32K |
| <4095MB | 128 | 64K |
This is why FAT volumes larger than 511MB are not recommended due to the amount of potentially wasted space due to the 16KB and above cluster size.
The default for NTFS is as follows:
| Partition size | Sectors per cluster | Cluster size |
| <512MB | 1 | 512 bytes (or hardware sector size if greater than 512 bytes) |
| <1024MB | 2 | 1K |
| <2048MB | 4 | 2K |
| <4096MB | 8 | 4K |
| <8192MB | 16 | 8K |
| <16384MB | 32 | 16K |
| <32768MB | 64 | 32K |
| >32768 MB | 128 | 64K |
NTFS better balances the trade-off between disk fragmentation due to a smaller cluster size and wasted space due to a large cluster size.
When formatting a drive you can change the cluster size using the /a:<size> switch, e.g.
format d: /a:1024 /fs:ntfs
Q. How much free space do I need to convert a FAT partition to NTFS?
A. The calculation below can be used for disks of a standard 512 bytes per sector:
To summarize:
Free space needed = (<size of partition in bytes>/100) + (<size of partition in bytes>/803) + (<no of files & directories> * 1280) + 196096
For more information see Knowledge Base article Q156560 at http://support.microsoft.com/support/kb/articles/q156/5/60.asp
Q. NT becomes unresponsive during an NTFS disk operation such as a dir.
A. When you perform a large NTFS disk operation such as dir /s *.* or ntbackup :\*.*, NT can sometimes become unresponsive. NT updates each NTFS file with a last-access stamp, and when thousands of files are touched the NTFS log file can fill up and must wait to be flushed to the hard disk, which stalls the system. To stop NTFS updating the last-access stamp perform the following:
This should improve the performance of your NTFS partitions.
Below is an example of a .reg file that can be used to automate this:
REGEDIT4
;
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:1
Q. I have missing space on my NTFS partitions (Alternate Data Streams).
A. It's possible to hide data from both Explorer and the dir command within an NTFS file, data you cannot see unless you know its stream name. NTFS allows multiple streams in a file in the form <filename>:<stream name>; you can try it
You can have as many streams as you want. If you copy a file it keeps the streams, so copying normal.txt to john.txt, john.txt:hidden would exist. You cannot use streams from the command prompt as it does not allow : in files names except for drive letters.
Microsoft provide no way of detecting or deleting these streams. The two ways to delete are
One application I have found to detect alternate data streams is by Frank Heyne and can be downloaded from http://www.heysoft.de/nt/ep-lads.htm.
Alternatively you can use Lizp which is downloadable from http://www.lizp.com/. I have not used it in earnest, however what I have seen looks very good. An example use would be
[Image: lizpnt.gif]
It's also possible to write a function to enumerate every altstream in every file matching c:\winnt\*. To do this, let's define a function, we'll call it las, and it'll take one argument, the wild path. Then we could type
(las 'c:\winnt\*)
and we'd get what we wanted.
Here's such a function definition:
(sequence
  (define (las Dir)
    (filter
      '(lambda (o) (cdr o))
      (mapcar
        '(lambda (FileInfo)
           (if (getfilesize (car FileInfo))
               (cons (car FileInfo) (getaltstreams (car FileInfo)))
               (cons nil nil)))
        (dirlist Dir))))
  '(Enhanced with las))
Even though you could type all this in at the prompt, on one long line, it's easier to save the code above to a file. Let's call the file las.lzp.
Now, from the Lizp prompt, you could type
(eval (load 'las.lzp))
and voila, you'll have a new function, las. Now try the thing above:
(las 'c:\winnt\*)
Suppose we think our Lizp should have this functionality always. Then type
(Compile (load 'las.lzp) 'Lizp_with_las.exe true)
and we'll have a new version of Lizp, called Lizp_with_las.exe.
Finally, suppose we wanted a GUI application which asked us for the wild path, and then displayed the alternate streams in a window. Save the following lines to a file, let's call it las_gui.lzp:
(local (Result)
  (setq Result
    (las (inputbox '((Wild path to check for Alt Streams)))))
  (messagebox
    (if Result Result '((No Alt Streams found in path.))))
  (exit))
Now, from Lizp_with_las' prompt, type
(Compile (load 'las_gui.lzp) 'Las.exe nil)
and you'll have a new program, Las.exe, doing what we want. Note the last argument to the Compile function: the first time we compiled, we used "true", this last time we used "nil". This is because the first time we wanted the new program to create a console when run (because it was going to be our new Lizp interpreter). The second time we don't need a console.
Another way to delete these streams is to edit them in notepad and delete all the text. When you quit notepad NT tells you that the file is empty and will be deleted and you only have to confirm.
If you want to write your own programs to detect streams have a look at
Basically the only reliable way of handling streams is to use the BackupRead() function. The only "problem" is that BackupRead() requires the SeRestorePrivilege/SeBackupPrivilege rights, which most users will not have.
What BackupRead() actually does is turn a file and its associated metadata (extended attributes, security data, alternate streams, links) into a stream of bytes. BackupWrite() converts it back.
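To show what "a stream of bytes" looks like and how a detection tool picks the alternate streams out of it, here is an added Python example (not part of the FAQ, and not Frank Heyne's or Lizp's code). It packs and walks records in the WIN32_STREAM_ID layout that BackupRead() produces (stream id, attributes, size, name length, then the UTF-16 name and the data); the buffer is constructed in memory, so nothing is read from a real NTFS volume and the script runs on any platform.

```python
"""Walking a BackupRead()-style byte stream to find alternate data streams.

Added example, not from the NT FAQ. Header layout is the documented
WIN32_STREAM_ID structure; the sample buffer below is constructed here.
"""
import struct

STREAM_HDR = '<IIqI'                     # dwStreamId, dwStreamAttributes, Size, dwStreamNameSize
HDR_LEN = struct.calcsize(STREAM_HDR)    # 20 bytes; the name follows, then Size bytes of data
BACKUP_DATA, BACKUP_SECURITY_DATA, BACKUP_ALTERNATE_DATA = 1, 3, 4
STREAM_KINDS = {1: 'BACKUP_DATA', 2: 'BACKUP_EA_DATA', 3: 'BACKUP_SECURITY_DATA',
                4: 'BACKUP_ALTERNATE_DATA', 5: 'BACKUP_LINK', 6: 'BACKUP_PROPERTY_DATA',
                7: 'BACKUP_OBJECT_ID', 8: 'BACKUP_REPARSE_DATA', 9: 'BACKUP_SPARSE_BLOCK'}

def pack_stream(stream_id: int, name: str, data: bytes, attributes: int = 0) -> bytes:
    """Build one stream record the way BackupRead() would present it."""
    name_bytes = name.encode('utf-16-le')
    return struct.pack(STREAM_HDR, stream_id, attributes, len(data), len(name_bytes)) + name_bytes + data

def parse_backup_stream(buf: bytes) -> list:
    """Split a BackupRead() buffer into its streams, refusing truncated or inconsistent input."""
    pos, streams = 0, []
    while pos < len(buf):
        if len(buf) - pos < HDR_LEN:
            raise ValueError('truncated WIN32_STREAM_ID header at offset %d' % pos)
        stream_id, attributes, size, name_len = struct.unpack_from(STREAM_HDR, buf, pos)
        pos += HDR_LEN
        if size < 0 or name_len % 2 or pos + name_len + size > len(buf):
            raise ValueError('stream at offset %d runs past the end of the buffer' % (pos - HDR_LEN))
        name = buf[pos:pos + name_len].decode('utf-16-le')
        pos += name_len
        streams.append({'id': stream_id, 'kind': STREAM_KINDS.get(stream_id, 'UNKNOWN(%d)' % stream_id),
                        'name': name, 'size': size, 'data': buf[pos:pos + size]})
        pos += size
    return streams

def alternate_streams(buf: bytes) -> list:
    """(name, size) of every named $DATA stream: the bytes Explorer and dir do not show."""
    return [(s['name'], s['size']) for s in parse_backup_stream(buf) if s['id'] == BACKUP_ALTERNATE_DATA]

def hidden_bytes(buf: bytes) -> int:
    """Space consumed by alternate streams, the 'missing space' the question refers to."""
    return sum(size for _, size in alternate_streams(buf))

# Constructed sample: normal.txt with an extra stream named "hidden", plus its security data.
SAMPLE = (pack_stream(BACKUP_DATA, '', b'This is the visible contents of normal.txt\r\n')
          + pack_stream(BACKUP_ALTERNATE_DATA, ':hidden:$DATA', b'text nobody sees in dir')
          + pack_stream(BACKUP_SECURITY_DATA, '', bytes(20)))   # placeholder bytes, not a real descriptor

if __name__ == '__main__':
    for name, size in alternate_streams(SAMPLE):
        print('normal.txt%s  %d bytes' % (name, size))
```

The length checks matter: a backup buffer that has been truncated or tampered with must be rejected rather than silently yielding a short list of streams.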
Q. How can I change the Volume ID of a disk?
A. Windows NT provides functionality to change the volume name of a disk by using the command
label <drive>: <label name>
Windows NT does not provide built-in functionality to change Volume IDs, however NT Internals has produced a free utility that can be downloaded from http://www.sysinternals.com/misc.htm called VolumeID which can change the volume ID of a FAT or NTFS volume. To view a drive's current Volume ID you can just perform a dir <drive>: and the volume serial number is shown on the second line down, e.g.
Volume in drive E is system
Volume Serial Number is BC09-8AE4
To change enter the command
volumeid <drive letter>: xxxx-xxxx
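The offsets given in the earlier serial number answer (0x27, 4 bytes for FAT; 0x48, 8 bytes for NTFS) and the XXXX-XXXX form that dir prints and volumeid takes can be tied together in a few lines. The Python below is an added example, not code from the FAQ or from VolumeID; the boot sectors it reads are constructed in memory, and the way it tells FAT from NTFS (the OEM ID "NTFS    " at offset 3, the type string at 0x36 or 0x52 for FAT) comes from the published boot sector layouts, not from the FAQ.

```python
"""Reading and rewriting the volume serial number in a FAT or NTFS boot sector.

Added example, not from the NT FAQ. Sectors are constructed below;
nothing is read from or written to a real disk.
"""
import struct

SECTOR = 512
FAT_SERIAL_OFF, NTFS_SERIAL_OFF = 0x27, 0x48

def fs_kind(sector: bytes) -> str:
    """Classify a boot sector; refuse anything without the 55AA signature."""
    if len(sector) != SECTOR or sector[510:512] != b'\x55\xAA':
        raise ValueError('not a boot sector: wrong size or missing 55AA signature')
    if sector[3:11] == b'NTFS    ':
        return 'NTFS'
    if sector[0x36:0x3B] in (b'FAT12', b'FAT16') or sector[0x52:0x57] == b'FAT32':
        return 'FAT'
    raise ValueError('unrecognised boot sector')

def read_serial(sector: bytes):
    """Return (kind, serial) with the serial as an integer (32-bit FAT, 64-bit NTFS)."""
    kind = fs_kind(sector)
    if kind == 'NTFS':
        return kind, struct.unpack_from('<Q', sector, NTFS_SERIAL_OFF)[0]
    return kind, struct.unpack_from('<I', sector, FAT_SERIAL_OFF)[0]

def dir_style(serial32: int) -> str:
    """Format a 32-bit serial as dir shows it, e.g. 0xBC098AE4 -> 'BC09-8AE4'."""
    return '%04X-%04X' % (serial32 >> 16, serial32 & 0xFFFF)

def parse_dir_style(text: str) -> int:
    """'BC09-8AE4' -> 0xBC098AE4, the form volumeid is given on its command line."""
    hi, lo = text.split('-')
    return (int(hi, 16) << 16) | int(lo, 16)

def with_serial(sector: bytes, serial: int) -> bytes:
    """Copy of the sector with the serial replaced; nothing else in the sector is touched."""
    out = bytearray(sector)
    if fs_kind(sector) == 'NTFS':
        struct.pack_into('<Q', out, NTFS_SERIAL_OFF, serial)
    else:
        struct.pack_into('<I', out, FAT_SERIAL_OFF, serial & 0xFFFFFFFF)
    return bytes(out)

# Constructed sample sectors: only the fields this code looks at are filled in.
def make_fat16_sector(serial: int, label: bytes = b'SYSTEM     ') -> bytes:
    s = bytearray(SECTOR)
    s[0:3] = b'\xEB\x3C\x90'                 # jump to boot code
    s[3:11] = b'MSWIN4.1'                    # OEM name
    struct.pack_into('<H', s, 11, SECTOR)    # bytes per sector
    s[0x26] = 0x29                           # extended boot signature: serial and label present
    struct.pack_into('<I', s, FAT_SERIAL_OFF, serial)
    s[0x2B:0x36] = label                     # 11-byte volume label
    s[0x36:0x3E] = b'FAT16   '
    s[510:512] = b'\x55\xAA'
    return bytes(s)

def make_ntfs_sector(serial: int) -> bytes:
    s = bytearray(SECTOR)
    s[0:3] = b'\xEB\x52\x90'
    s[3:11] = b'NTFS    '
    struct.pack_into('<H', s, 11, SECTOR)
    struct.pack_into('<Q', s, NTFS_SERIAL_OFF, serial)
    s[510:512] = b'\x55\xAA'
    return bytes(s)
```

The NTFS serial is returned as the full 64-bit value; how Windows reduces that to the 32-bit number dir displays is not covered by the FAQ, so this code does not guess at it.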
Q. How do I read NTFS 5.0 partitions from Windows NT 4.0?
A. Service Pack 4 includes a read/write driver for NTFS 5.0 volumes (an updated ntfs.sys driver). More details will follow once Service Pack 4 is released, the non-disclosure agreement limits me from saying any more.
Q. How do share and file system protections interact?
A. In general when you have protections on a share or on a file/directory the privileges are added; for example, if user John was a member of two groups, one with Read access and another with Change, the user would have Read and Change access. The exception to this is if a group has "No Access", which means that no matter what other group memberships there are, any user in that group will have no access.
The opposite is true when protections are set on both the file system and the share: the most restrictive policy is enforced, e.g. if the file has Full Control set for a user and the share only has Read then the user will be limited to read-only privileges; likewise if the file had only Read but the share had Full Control the user would still be limited to read-only.
Share protections are only used when the file system is accessed through a network connection, if the user is using the partition locally then the share protections will be ignored.
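The two rules above are easy to get backwards when auditing access, so here they are as a small Python model (an added example, not part of the FAQ). Permission levels are expanded to the basic rights perms.exe reports (R W X D P O, with Read = RX, Change = RWXD, Full Control = all six); within one ACL the matching entries are unioned and an explicit "No Access" wins, and over the network the NTFS result is intersected with the share result. All users, groups and ACLs are made up.

```python
"""Effective access when NTFS permissions and share permissions both apply.

Added example, not from the NT FAQ. Models the FAQ's two rules; it is not
a reimplementation of NT's access check.
"""
BASIC = frozenset('RWXDPO')
LEVELS = {
    'Read': frozenset('RX'),
    'Change': frozenset('RWXD'),
    'Full Control': BASIC,
}

def acl_rights(acl: dict, user: str, groups: set) -> frozenset:
    """Union of every entry that applies to the user; 'No Access' anywhere wins."""
    rights = set()
    for principal, level in acl.items():
        if principal != user and principal not in groups and principal != 'Everyone':
            continue
        if level == 'No Access':
            return frozenset()              # explicit denial beats any other group's grant
        rights |= LEVELS[level]
    return frozenset(rights)                # no matching entry at all also means nothing granted

def effective_rights(user, groups, ntfs_acl, share_acl=None, via_network=False) -> frozenset:
    rights = acl_rights(ntfs_acl, user, groups)
    if via_network and share_acl is not None:
        rights &= acl_rights(share_acl, user, groups)   # most restrictive of the two
    return rights

def describe(rights: frozenset) -> str:
    """Name the level, or 'Special Access' when the combination is not a standard one."""
    for name in ('Full Control', 'Change', 'Read'):
        if rights == LEVELS[name]:
            return name
    return 'No Access' if not rights else 'Special Access (%s)' % ''.join(sorted(rights))

# Constructed scenario from the answer: John is in two groups, one Read and one Change.
NTFS_ACL = {'Staff': 'Read', 'Editors': 'Change'}
SHARE_ACL = {'Everyone': 'Read'}
JOHN_GROUPS = {'Staff', 'Editors'}

def john_locally() -> str:
    return describe(effective_rights('john', JOHN_GROUPS, NTFS_ACL))

def john_over_share() -> str:
    return describe(effective_rights('john', JOHN_GROUPS, NTFS_ACL, SHARE_ACL, via_network=True))
```

john_locally() returns Change while john_over_share() returns Read, and a user who is in a group with No Access gets nothing even if another of their groups has Full Control.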
Q. How can I backup/restore my Master Boot Record?
A. The Windows NT Resource kit supplies a utility DISKSAVE.EXE which enables a binary image of the Master Boot Record (MBR) or Boot Sector to be saved.
DISKSAVE has to be run from DOS and so you will need to create a bootable DOS disk and copy DISKSAVE.EXE to the disk. To create a DOS bootable disk just use the command
C:\> format a: /s
from a DOS machine (do not do it from a Windows NT command session).
Once you boot with the disk you will have a number of options:
F2 - Backup the Master Boot Record - This function will prompt for a path and filename to save the MBR image to. The path and filename are limited to 64 characters. The resulting file will be a binary image of the sector and will be 512 bytes in size. The MBR is always located at Cylinder 0, Side 0, Sector 1 of the boot disk.
F3 - Restore Master Boot Record - This function will prompt for a path and filename for the previously saved Master Boot Record file. The only error checking is for the file size (must be 512 bytes). Copying an incorrect file to the MBR will permanently destroy the partition table information. In addition, the machine will not boot without a valid MBR. The Path/filename is limited to 64 characters.
F4 - Backup the Boot Sector - This function will prompt for a path and filename to save the Boot Sector image to. The path and filename are limited to 64 characters. The resulting file will be a binary image of the sector and will be 512 bytes in size. The function opens the partition table, searches for an active partition, then jumps to the starting location of that partition. The sector at that location is then saved under the filename the user entered. There are no checks to determine if the sector is a valid boot sector.
F5 - Restore Boot Sector - This function will prompt for a path and filename for the previously saved Boot Sector file. The only error checking is for the file size (must be 512 bytes). Copying an incorrect file to the Boot Sector will permanently destroy Boot Sector information. In addition, the machine will not boot without a valid Boot Sector. The Path/filename is limited to 64 characters.
F6 - Disable FT on the Boot Drive - This function may be useful when Windows NT will not boot from a mirrored system drive. The function looks for the bootable (marked active) partition. It then checks to see if the SystemType byte has the high bit set. Windows NT sets the high bit of the SystemType byte if the partition is a member of a Fault Tolerant set. Disabling this bit has the same effect as breaking the mirror. There is no provision for re-enabling the bit once it has been disabled.
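Since F3 checks nothing but the file size before writing the image back, it is worth checking a saved MBR image yourself before restoring it. The Python below is an added example (not DISKSAVE's code and not part of the FAQ): it parses the four 16-byte partition entries at offset 446, checks the 55AA signature, insists on exactly one active partition, flags entries whose SystemType byte has the high bit set (the FT marker F6 clears), and reproduces the F6 edit on an in-memory copy. The MBR it works on is constructed here; no real disk is touched.

```python
"""Sanity-checking a 512-byte MBR image before it is written back.

Added example, not from the NT FAQ. Partition entry layout is the standard
MBR table: status, CHS start, type, CHS end, LBA start, sector count.
"""
import struct

MBR_SIZE = 512
TABLE_OFF = 446
ENTRY_FMT = '<B3sB3sII'    # status, CHS start, SystemType, CHS end, LBA start, sector count
ACTIVE = 0x80
FT_BIT = 0x80              # high bit of SystemType marks an NT fault-tolerant set member

def parse_partitions(mbr: bytes) -> list:
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFF + 16 * i)
        parts.append({'index': i, 'status': status, 'active': status == ACTIVE,
                      'type': ptype, 'ft_member': bool(ptype & FT_BIT) and ptype != 0,
                      'lba_start': lba, 'sectors': count})
    return parts

def validate_mbr_image(mbr: bytes) -> list:
    """Return the problems found; an empty list means the image is at least well-formed."""
    problems = []
    if len(mbr) != MBR_SIZE:
        return ['image is %d bytes, expected %d' % (len(mbr), MBR_SIZE)]
    if mbr[510:512] != b'\x55\xAA':
        problems.append('missing 55AA boot signature')
    parts = [p for p in parse_partitions(mbr) if p['type'] != 0]
    if not parts:
        problems.append('partition table is empty')
    active = [p['index'] for p in parts if p['active']]
    if len(active) != 1:
        problems.append('%d active partitions, expected exactly 1' % len(active))
    for p in parts:
        if p['status'] not in (0x00, ACTIVE):
            problems.append('entry %d has invalid status byte 0x%02X' % (p['index'], p['status']))
        if p['sectors'] == 0:
            problems.append('entry %d has a zero sector count' % p['index'])
    spans = sorted((p['lba_start'], p['lba_start'] + p['sectors'], p['index']) for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append('entries %d and %d overlap' % (i1, i2))
    return problems

def disable_ft(mbr: bytes) -> bytes:
    """The same edit as DISKSAVE's F6: clear the FT bit on the active partition's type byte."""
    out = bytearray(mbr)
    for p in parse_partitions(mbr):
        if p['active']:
            out[TABLE_OFF + 16 * p['index'] + 4] &= ~FT_BIT & 0xFF
    return bytes(out)

def make_sample_mbr() -> bytes:
    """Constructed MBR: active NTFS system partition flagged as an FT member, plus a data partition."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:2] = b'\xFA\x33'                     # stand-in for the boot code area; not real code
    struct.pack_into(ENTRY_FMT, mbr, TABLE_OFF, ACTIVE, bytes(3), 0x07 | FT_BIT, bytes(3), 63, 2097152)
    struct.pack_into(ENTRY_FMT, mbr, TABLE_OFF + 16, 0x00, bytes(3), 0x07, bytes(3), 63 + 2097152, 4194304)
    mbr[510:512] = b'\x55\xAA'
    return bytes(mbr)
```

A clean result only says the image is well-formed; it cannot tell you the image came from this disk, so keep the backup labelled with the machine and date it was taken from.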
Q. How do I convert an NTFS partition to NTFS 5.0? - NT 5.0 only
A. Windows NT 5.0 introduces NTFS 5.0 which enables a number of new features. By default when you install Windows NT 5.0 it will automatically convert any NTFS 4.0 partitions to NTFS 5.0 (however this may change).
Service Pack 4 has an updated NTFS.SYS which can read NTFS 5.0 partitions so apply this to any systems that need to read Windows 2000 NTFS 5.0 partitions.
To check the version of an NTFS partition use the CHKNTFS.EXE utility.
C:\> chkntfs <drive>:
The type of the file system is NTFS 5.0.
or
The type of the file system is NTFS 4.0
<drive>: is not dirty
If the file system is not NTFS 5.0 and you want to upgrade it use the command
C:\> chkntfs /e <drive>:
The machine will need to be rebooted for the upgrade to take place.
Q. I cannot compress files on an NTFS partition.
A. If when you try and compress files on an NTFS partition using Explorer (right click on a file/directory, select properties and check the compress box) the option is not available or when you try from the command prompt using the command:
C:\> compact /c ntfaq.txt /s
you get the error
"The file system does not support compression"
the cause is normally that the cluster size of the NTFS partition is greater than 4096. To check the cluster size of your NTFS partition use the CHKDSK command, e.g.
C:\> chkdsk <disk>: /i /c
The /i /c are used to speed up the chkdsk and at the end of the display it will tell you the bytes in each allocation unit:
2048 bytes in each allocation unit.
1012032 total allocation units on disk.
572750 allocation units available on disk.
If this number is greater than 4096 you will need to backup all the data on the disk and then reformat the partition using any of the following methods:
Once reformatted you can then restore your backed up data.
To understand more about the 4,096 limit please read Knowledge base article Q171892 at http://support.microsoft.com/support/kb/articles/q171/8/92.asp
Q. How can I modify the CHKDSK timer?
A. Service Pack 4 introduces a new feature: before performing a chkdsk of a disk whose dirty bit is set, a 30 second countdown timer is shown, allowing you to cancel the chkdsk before it runs.
If you want to modify this 30 second value perform the following:
The change will take effect at the next reboot
Q. How can I view the current owner of a file?
A. The normal method would be to right click on the file in Explorer, select Properties, click the Security tab and click Ownership. This will then show the current owner and give the option to take ownership.
To view from the command line you can use the SUBINACL.EXE utility that is shipped with the Windows NT Resource Kit Supplement 2. To view the current owner use as follows:
C:\> subinacl /file <file name>
//++++
//
D:\Documents\<file name>
//----
+ Owner = builtin\administrators
+ Primary Group= lnautd0001\domain users
+ System ACE count =0
+ Disc. ACE count =1
lnautd0001\saviljo ACCESS_ALLOWED_ACE_TYPE FILE_ALL_ACCESS
You could perform on *.* to list owners for all files in all subdirectories (no need for any /s switch).
Q. How can I view/defrag pagefile fragmentation?
A. System Internals has released PageDefrag, a free utility that shows fragmentation in the pagefile and then offers the option of defragmentation at boot time.
The utility can be downloaded from http://www.sysinternals.com/pagedfrg.htm. Once you download just unzip the file and run pagedfrg.exe. Below is a sample output.
[Image: pagedfrg.gif]
I understand that Executive Software's Diskeeper 4.0 can also defragment pagefiles however I have not seen it in action (http://www.diskeeper.com/).
Q. I get a disk maintenance message during setup.
A. If during setup you get the message:
Setup has performed maintenance on your hard disk(s) that requires a reboot to take effect. You must reboot and restart Setup to continue.
Press F3 to reboot.
This is returned when the Autochk part of the installation was able to repair the partition, but will require a reboot.
For a FAT partition, this could include: corruption of extended attributes fixed, the dirty bit cleared, an orphaned long filename entry fixed (or any other fixing of LFNs), a directory entry fixed, cross-linked files fixed, a non-unique filename made unique, or any other structural issue fixed. There will of course be other specific "fixing steps" that would cause this for NTFS, or for other structures that are not file-system specific.
In short this is not a problem as long as the setup does not get stuck in a loop keep running this stage.
Q. Where is Disk Administrator in Windows 2000? - Windows 2000 only
A. As with every other Administration tool in Windows 2000, Disk Administrator has been replaced with a Microsoft Management Console (MMC) snap-in.
By default it is accessible via the Computer Management MMC snap-in
[Image: diskman.gif]
Alternatively create your own MMC console
You now have your own MMC with just the Disk Management. You could save by selecting "Save As" from the Console menu, enter "Disk Admin" as the name and click Save. You will now see under the Programs menu a new folder, My Administrative Tools with Disk Admin as a MMC snap-in.
Q. How do I convert a basic disk to dynamic? - Windows 2000 only
A. Windows 2000 introduces the idea of a dynamic disk needed for fault tolerant configurations. To convert perform the following:
Converting basic disks to dynamic disks doesn't require a reboot, however any volumes contained on them will, after the conversion, generate a popup that basically says a reboot is necessary before the volumes can be used. I generally say NO, do not reboot, until all the volumes are identified and all the popups go away, then perform a single reboot.
When you upgrade from basic to dynamic any existing partitions become simple volumes. Any existing mirrored, striped or spanned volumes sets created with NT 4.0 become dynamic mirrored, striped or spanned volumes respectively.
If you get a message that says you are out of space then you may not have enough unallocated free space at the end of the disk for the private region database that Dynamic disks use to keep volume information. To be Dynamic it needs about 1 MB of this space, sometime the space is not visible to the user in the GUI but it is still there.
You may not have the space if the partition(s) on the disk take up the entire disk and were created with Setup, an earlier version of NT or another OS. If partitions are created within Windows 2000 the space is reserved, partitions created with Setup will reserve the space in a later release.
To undo this conversion run Dmunroot.exe which will revert boot and system partition back to basic but all other volumes will be destroyed. Alternatively you should backup any data on the disk you wish to preserve, then delete all partitions - that should activate the menu choice "Revert to Basic Disk", the entire disk HAS to be unallocated or free space.
Q. How do I delete a volume in Windows 2000?
A. To delete a volume just perform the following, be warned you will lose any data on these volumes.
Q. How do I import a foreign volume in Windows 2000?
A. If you take a disk from another machine and place in a Windows 2000 box it will be shown as foreign and its partitions not available, however its partition information can be imported and volumes used. Any volumes that were part of a set will be deleted during the import phase unless the whole set of disks are imported.
[Image: foreignchoose.gif]
The data on the imported volumes will now be accessible (you have to refresh in Explorer to see them (press F5)).
Q. How can I wipe the Master Boot Record?
A. The normal method is using the DOS FDISK command:
C:\> fdisk /mbr
however there are some cases where this does not work and a more direct method may be needed.
A program called DEBUG.EXE is supplied with DOS, Windows 9x and NT and can be used to run small Assembly language programs and just such a program can be used to wipe the MBR. Perform the following, but BE CAREFUL, this WILL wipe your MBR leaving your system unbootable and its data lost.
[Image: mbrwipe.gif]
You can now install a replacement MBR via a normal installation.
Thanks to Mark Minasi for giving permission to reproduce this Assembler code and a full explanation can be found in Windows NT Magazine Summer 1999 issue
Another method from David Lynch:
C:\> debug
-a
xxxx:0100 mov ax,0301
xxxx:01xx mov cx,1
xxxx:01xx mov dx,80
xxxx:01xx int 13
xxxx:01xx int 3
xxxx:01xx <CR>
-G
This is much shorter. It has 2 theoretically possible failure cases
There is nothing special about filling the MBR with 0's. It just needs to not be valid. Any invalid MBR is the same as no MBR.
Q. How can I cancel a scheduled NTFS conversion?
A. If you have scheduled a NTFS conversion for next reboot using the CONVERT command it can be canceled as follows:
Q. What is the Encrypted File System (EFS)?
A. New to Windows 2000 and the NTFS 5.0 file system is the Encrypted File System (EFS) which as the name suggests is used to encrypt files.
NTFS is a secure file system, however with more and more people using portables, and utilities such as NTFSDos which bypass NTFS security, another layer of protection is needed.
EFS uses public and private key encryption and the CryptoAPI architecture. EFS can use any symmetric encryption algorithm to encrypt files, however the initial release only uses DES. 128-bit keys are used in North America, 40-bit internationally.
No preparation is needed to encrypt files and the first time a user encrypts a file an encryption certificate for the user and a private key are automatically created.
If encrypted files are moved they stay encrypted, if users add files to an encrypted folder the new files are automatically encrypted. There is no need to decrypt a file before use, the operating system automatically handles this for you in a secure manner.
In the event of a users private key being lost (either by reinstallation or new user creation) the EFS recovery agent can decrypt the files.
Q. How do I encrypt/decrypt a file?
A. Encrypting and compressing a file/folder is mutually exclusive, you can encrypt a file or compress it, not both.
To encrypt a file perform the following:
To decrypt repeat the above but unselect the box. If you decrypt a folder it will ask if you also want to decrypt all child folders and files.
Compressing an encrypted file will not save space in most cases. Encrypting a compressed file makes sense. There is a technical issue here. It is not because of reparse points. Neither compression nor encryption uses reparse points. The reason we do not support both is backup\restore. We provide a way for the backup operator to back up encrypted files. The operator has no way to read the file in plaintext. The NTFS compression result depends on the disk cluster. If the backup source and the restore destination have different cluster sizes, NTFS could not restore the encrypted data because NTFS does not know how to understand the data.
Sparse and encryption. Encryption is compatible with sparse. In other words, you can encrypt a sparse file and still keep it a sparse file.
Q. How do I encrypt/decrypt a file from the command line?
A. A command line utility, CIPHER.EXE, can be used to encrypt and decrypt files from the command line.
CIPHER [/E | /D] [/S:dir] [/I] [/F] [/Q] [dirname [...]]
/E       Encrypts the specified directories. Directories will be marked so that files added afterward will be encrypted.
/D       Decrypts the specified directories. Directories will be marked so that files added afterward will not be encrypted.
/S       Performs the specified operation on directories in the given directory and all subdirectories.
/I       Continues performing the specified operation even after errors have occurred. By default, CIPHER stops when an error is encountered.
/F       Forces the encryption operation on all specified directories, even those which are already encrypted. Already-encrypted directories are skipped by default.
/Q       Reports only the most essential information.
dirname  Specifies a pattern, or directory.
Used without parameters, CIPHER displays the encryption state of the current directory and any files it contains. You may use multiple directory names and wildcards. You must put spaces between multiple parameters.
Q. How can a user request an EFS recovery certificate?
A. To request an EFS certificate you first need the domain to have a trusted list of Certificate Authorities, and the user needs to be a domain Administrator.
You will now have a File Recovery certificate under the Personal\Certificates folder.
Q. How can I add a user as an EFS recovery agent for a domain?
A. Recovery agents are users who can recover encrypted files for a domain. To add new users as recovery agents they must first have recovery certificates.
Refresh the machine policy
C:\> secedit /refreshpolicy machine_policy
The agent will only be able to recover files encrypted after the user was made an agent. If an encrypted file is decrypted and then encrypted again, or even just opened, the new agent WILL be able to recover it, as the file will "refresh" its recovery certificates (if the recovery policy has changed).
The local admin on a standalone PC or the first logon admin on a DC is the recovery agent by default. However this can be modified. You can remove the default recovery agent and assign anyone as the recovery agent. In other words, an admin cannot read another person's encrypted file unless he is the recovery agent. The purpose of assigning the first logon admin as the recovery agent is to make life easier for most of our customers. Corporate users are recommended to modify the recovery agent.
Q. How do I delete an orphaned share?
A. An orphaned share is one whose shared directory has been deleted. If you delete a shared directory in Explorer, any shares on it are automatically removed. If you delete it by a different method, such as from the command prompt, the share is left behind and may result in messages in the System Event Log of the form:
The server service was unable to recreate the share NTFAQ because the directory D:\ntfaq files no longer exists.
You can manually update the registry to remove these "rogue" shares.
If you type net share the share name will still be displayed until the lanmanserver service is restarted. If you restart it manually, this will also stop the services that depend on it: Net Logon, Computer Browser and Distributed File System.
Another method (if you have access) is to use Server Manager in NT 4.0: connect to the machine, orphaned shares are grayed out, and you can then delete them. Windows 2000 Computer Management does not display orphaned shares in a different colour, making this approach impossible in Windows 2000.
Q. How can I check who last opened a file?
A. The only way I know of would be to enable auditing on the file and then examine the Security Event log for access.
In order to do this you will need the following:
A. You need to reset the Disk Administrator configuration by performing the following:
Q. I'm unable to use the Encrypted File System under Windows 2000 as I'm a member of a 4.0 domain.
A. Because a machine in a domain uses the domain policy for recovery if the domain does not support EFS (such as a 3.51 or 4.0 domain) EFS is disabled. To get around this perform the following:
secedit /refreshpolicy machine_policy /enforce
Q. What is Distributed File System?
A. Distributed File System (or Dfs) is a new tool for NT Server that was not completed in time for inclusion as part of NT 4.0, but is now available for download. It allows Administrators to present what looks like a single server's share environment when the content actually exists over several servers: a link to a share on another server appears as a subdirectory of the main server.
This allows a single view for all of the shares on your network, which could then simplify your backup procedures as you would just backup the root share, and Dfs would take care of actually gathering all the information from the other servers across the network.
You do not have to have a single tree (Dfs directory structures are called trees), but rather could have a separate tree for different purposes, i.e. one for each department, but each tree could have exactly the same structure (sales, info. etc).
For more information on DFS see http://www.microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp
A. Dfs is available for download from Microsoft http://www.microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/default.asp. Follow the instructions at the site and fill in the form about your site. The file you want for the I386 platform is dfs-v41-i386.exe.
Once downloaded just double click on the file and agree to the license. It will then extract files to your drive, which you then need to install.
Windows 2000 has Dfs built-in as a core component.
A. Follow the instructions below, you must have first downloaded and expanded the file dfs-v40-i386.exe:
Windows 2000 does not require you to install Dfs, it is built into the operating system, all it requires is configuration.
Q. How do I create a new folder as part of the Dfs?
A. Once Dfs is installed a new application, the Dfs Administrator, is created in the Administrative Tools folder. This app should be used to manage Dfs. To add a new area as part of the Dfs tree follow the procedures below:
A. Follow the procedure below:
Q. How do I create a Dfs root volume in Windows 2000?
A. Windows 2000 currently supports one Dfs root per server however this will be expanded in future versions of the operating system/service packs.
The Distributed File System has its own DFS Microsoft Management Console snap-in which has a shortcut on the Administrative Tools folder.
To create a new Dfs root perform the following:
Q. How can I add a replica Dfs root volume in Windows 2000?
A. If your Dfs root was created as a fault-tolerant Dfs root you may add other Dfs servers as part of the Dfs root replica set.
To add a new Dfs root replica member perform the following:
These root replicas will all contain the Dfs root information, which is stored in and replicated via the Active Directory. You can actually see the Dfs information using the Active Directory Users and Computers snap-in: select Advanced Features view, System, Dfs.
Q. How can I add a child node to Dfs in Windows 2000?
A. Once your Dfs root is created the next step is to populate it with child nodes/leaves which actually link to information.
To add a new Dfs child node perform the following:
Any subdirectories of the child leaf will also be published to the Dfs under the parent entry. For example, if a share, ntfaq, was added as a child node to Dfs, any subdirectories of that share would be viewable on the Dfs tree as children of that Dfs entry.
Q. How can I add a replica child node to Dfs in Windows 2000?
A. The Windows 2000 version of Dfs allows child replica sets to be created, in which a single Dfs leaf points to multiple shares on different servers and the File Replication Service keeps the contents of all the shares in sync with each other. This gives fault tolerance AND load balancing.
Members of a node replica set must:
To add a new Dfs child replica member perform the following:
Multi-master replication is used except on the first replication pass, where the contents of the Primary server are copied to the other members. Any content currently in the other shares is moved to an NtFrs-PreExisting subdirectory (but a checksum is performed and if the files match those in the primary server's share they are moved back into the main directory, to save the network bandwidth of copying them from the Primary server).
Replication is every 15 minutes by default.
Q. How do I assign User Rights for a standalone server (not the PDC/BDC) in a domain?
A. In NT Workstation, User Manager/Policies/User Rights... assigns the privileges (e.g. the Shutdown or Log On Locally privilege) for the local machine. However, in NT Server the User Rights you assign with User Manager for Domains affect the Domain Controller(s). To modify privileges for the local machine, first choose Select Domain... from the User menu, and type in the name of the computer at the Domain prompt (you cannot browse the domain).
Q. I can't FTP to my server, although the FTP service is running?
A. Have you unchecked the "Allow only anonymous connections" option, but still receive a "530 User xyz cannot log in. Login failed." message? To log on to the FTP server with your domain account, it is not sufficient to specify your name at the User prompt. The FTP service checks local accounts only, even if the computer is participating in a domain. Use domainname\username instead, e.g. if the domain name was savilltech and the user was john, enter savilltech\john as the username.
Q. How do I validate my NT Logon against a UNIX account?
A. There is software to do this available at
Q. Can I synchronize the time of a NT Workstation with a NT Server?
A. Yes, enter the command
NET TIME \\<name of the server to set time to> /SET /YES
Please note that users will require "Change System Time" user right, via User Manager\User rights. There is a utility on the resource kit called TimeServ which runs the time synchronization as a service and works even when there are no logged on users.
Also see Q. How do I configure a user so it can change the system time?
Q. How can I send a message to all users?
A. Ensure the "Messenger" service is started (Control Panel - Services - Messenger - Auto). To send a message type:
C:\> net send <machine name> "<message>"
Or instead of a machine name type * to broadcast to all stations.
There are also various GUI utilities, and one of the best is NT Hail at http://www.geocities.com/SiliconValley/Bay/1999/NT_Hail.html
Q. How do I change a Workstation's Name?
A. Follow the steps below
Q. How do I stop the default admin shares from being created?
A. This can be done through the registry.
This can also be done using the policy editor. Start the policy editor (poledit.exe), load the default computer profile, and expand the Windows NT Network tree, then Sharing and set "Create hidden drive shares" to blank for server/workstation.
There are a few other options though. The first is to use NTFS and set protections on the files so people may be able to connect to the share, but they will not be able to see anything. The second is to delete the shares each time you logon; this can be done through Explorer, but it would be better to have a command file run each time with the lines
net share c$ /delete
and likewise for all the other shares. However, these shares are there for a reason, so your machine can be administered by the servers, so if you delete them system managers may have something to say about it!
Q. How do I disconnect all network drives?
A. Use net use * /del /yes
Q. How do I hide a machine from Network Browsers?
A. Using the registry editor go to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters and set the value Hidden (of type DWORD) from 0 to 1. You should then reboot. You can also type
net config server /hidden:yes
The above command also automatically creates quite a lot of other values under the \Parameters key.
You can still connect to the computer, but it is not displayed on the browser.
A. NT does not support remote boot. It is possible to reboot a machine from another computer using the Shutdown Manager that comes with the NT resource kit.
You could also reboot by using the shutdown.exe resource kit utility and specify another machine name.
C:\>shutdown \\<machine name> /r /y /c
Software such as PC Anywhere can also remotely reboot machines.
Q. How can I get a list of users currently logged on?
A. Use the net sessions command, however this will only work if you are an Administrator. You can also use control panel and choose server.
The resource kit utility, Net Watch, can also show current logged on users that are connected to the Netlogon share if you connect to the domain controller, however these connects terminate after a finite amount of time so will not necessarily show all users.
Q. How do I configure NT to be a gateway to an ISP?
A. Firstly, the hardware required would be a network card and a modem. The network card is so the other clients in the network can communicate with the "to be" gateway, and the modem is for the gateway to connect to the ISP. Dial-up networking is not covered here, and you should first be confident with dial-up networking before attempting this.
This would enable the machines to send out IP packets to the Internet; however the packets would have no way of finding their way back, as the ISP would not know to route them through the gateway, so your ISP will have to either a) have host entries for each of the machines or b) point to the gateway as another DNS.
Other things to check are as follows:
Have a look at http://support.microsoft.com/support/ntserver/serviceware/nts40/e9mslcs1z.asp for more information.
Q. How do I install the FTP server service?
A. In prior versions of NT, the FTP server service was installed as part of TCP/IP; however as of NT 4.0 it became part of IIS/PWS, so it needs to be installed manually. Before you install the FTP server, TCP/IP must be installed.
Q. How do I get a list of all connections to my PC?
A. Use the command netstat -a
Q. How can I get the Ethernet address of my Network card?
A. Type ipconfig /all from a command box.
Q. How can I configure the preferred Master Browser?
A. On the NT server you want to be the preferred master browser change the registry setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster to True
Q. Is it possible to protect against Telnet attacks?
A. There was a recent well-known problem that a telnet client could connect to an NT machine on port 135, type 10 characters and it would hang NT. There is no simple way to protect NT from a certain port attack. It is possible to configure NT to only accept incoming packets from a set of configured ports, however you have to name the ports you want to accept input from:
To protect against the port 135 attack, install the RPC hotfix for Service Pack 2.
Service Pack 3 and some of its Hotfixes are also highly desirable, and address a number of Internet attack methods.
Q. What Telnet Servers/Daemons are available for Windows NT?
A. A Telnet Server on NT allows connection to an NT machine using a Telnet client from any hardware platform. Products are available from:
Q. How do I install MSN under NT?
A. The new MSN 2.0 only runs under Windows 95; however a version for NT 4.0 is being developed. In the meantime it is possible to use MSN to connect to the Internet, however you cannot read Mail.
Q. What FireWall products are available for NT?
A. Below are a selection of FireWall systems for NT:
Q. How do I install the Remoteboot Service?
A. Before installing the Remoteboot service you must have both the NetBEUI and DLC protocols installed. The remoteboot service will only run on NT server.
Q. How many connections can NT have?
A. NT workstation can have up to 10 concurrent connections, with one exception, Peer Web Services which allows unlimited concurrent connections.
Q. How can I secure a server that will be a Web Server on the Internet?
A. Below are points to be aware of
Q. How can I stop a user logging on more than once?
A. There is no way in NT to stop a user logging on more than once, however it is possible to restrict a workstation so that only a certain user can login, and with this method each user would be tied to one workstation and thus could only logon once.
This solution is far from ideal, and it may be plausible to write a login script that checked if a user was currently logged on and if so, logoff straight away (using the logout command line tool).
Q. How can I get information about my domain account?
A. From the command prompt type
net user <username> /domain
And all your user information will be displayed including last logon time, password change etc.
Q. A machine is shown as Inactive in Server manager when it is not.
A. Sometimes Server Manager fails to see that a machine has become active. You can attempt to force it to see the machine by typing:
C:\> net use \\<machine name>\IPC$
If this fails it may be the machine has been configured to be invisible to the network such as if hidden from Network Neighborhood as seen in 'Q. How do I hide a machine from Network Browsers?'.
Q. How do I automatically FTP using NT?
A. I use a basic script to update my main site and the mirrors using two batch files. The first consists of a few lines:
d:
cd \savilltechhomepage
ftp -i -s:d:\savmanagement\goftp.bat
The -i suppresses the prompt when performing a multiple put, and the -s defines an input file for the FTP like:
open ftp.savilltech.com - the name of the FTP server
johnny - username
secret - password
cd /www - remotely move to a base directory
lcd download - locally change directory
cd download - remotely move to a sub directory of the current directory
binary - set mode to binary
put faqcomp.zip - send a file
cd .. - move down a directory remotely
lcd .. - move down a directory locally
cd ntfaq
lcd ntfaq
mput *.html - send multiple files (this is why we needed -i)
close - close the connection
Q. How can I change the time period used for displaying the password expiration message?
A. Follow Instructions below:
Q. How can I modify share permissions from the command line?
A. The Windows NT resource kit ships with a utility called RMTSHARE.EXE that is used to modify permissions on shares. The syntax to grant access to a share is as follows:
rmtshare \\<server name>\<share> /grant <username>:<permission>
e.g.
rmtshare \\bugsbunny\movies /grant savillj:f
Valid permissions are f for full, r for read, c for change and n for none. To revoke access to a share type
rmtshare \\<server name>\<share> /grant <username>
e.g.
rmtshare \\bugsbunny\movies /grant savillj
This would remove savillj's access to the share. To view share permissions enter:
rmtshare \\<server name>\<share> /users
e.g.
rmtshare \\bugsbunny\movies /users
RMTSHARE.EXE also allows the creation and deletion of shares. Type rmtshare /? for help.
Q. How can I change the protocol binding order?
A. Network bindings are links that enable communication between the network adapter(s), protocols and services. If you have multiple protocols installed on a machine you can configure NT to try a certain protocol first for communication:
Q. What criteria are used to decide which machine will be the Master Browser?
A. There are 5 roles a machine can have
When an election takes place, a number or criteria are used. Firstly the browser type
If two machines have the same role then the operating system is used
If there is still a tie, the Windows NT version is used
To set a machine as a certain type of browser perform the following
Q. How can I get a list of MAC to IP addresses on the network?
A. An easy way to get a list of MAC to IP addresses on the local subnet is to ping every host on the subnet and then check your ARP cache; however pinging every individual node would take ages and the entries only stay in the ARP cache for 2 minutes. An alternative is to ping the broadcast mask of your subnet, which will ping every host on the local subnet (you can't ping the entire network as you only communicate directly with nodes on the same subnet; all other requests go via the gateway so you would just get an ARP entry for the gateway).
What is the broadcast mask? The broadcast mask is easy to calculate if the subnet mask is in the format 255.255.255.0 or 255.255.0.0 etc. (multiples of 8 bits). For example, if the IP address was 134.189.23.42 and the subnet mask was 255.255.0.0, the broadcast mask would be 134.189.255.255: where the subnet mask is 255 the number from the IP address is copied over, and where it is 0 it is replaced with 255, so basically the network id part is kept. If the subnet mask is not in the basic 255.255 format, you should use the following; all you need is the IP address and the subnet mask
for example, IP address 158.234.24.98 and subnet mask 255.255.248.0
| | Byte 1 | Byte 2 | Byte 3 | Byte 4 |
| Subnet mask | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 1 1 1 | 1 1 1 1 1 0 0 0 | 0 0 0 0 0 0 0 0 |
| IP address | 1 0 0 1 1 1 1 0 | 1 1 1 0 1 0 1 0 | 0 0 0 1 1 0 0 0 | 0 1 1 0 0 0 1 0 |
| Broadcast mask | 1 0 0 1 1 1 1 0 | 1 1 1 0 1 0 1 0 | 0 0 0 1 1 1 1 1 | 1 1 1 1 1 1 1 1 |
The first 21 bits (where the subnet mask is 1) are the network part and the remaining 11 bits are the host part. The first row is the subnet mask 255.255.248.0, the second row the IP address 158.234.24.98 and the third row is the broadcast mask, 158.234.31.255: the network bits are copied from the IP address and every host bit is set to 1.
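The bit rule above, carried through for any IPv4 address and mask rather than just the two worked cases, as an added Python example (not part of the original FAQ; the function names are mine). It rebuilds the three rows of the table, gives the network id and broadcast address, rejects non-contiguous masks, and cross-checks the answer against the standard library.

```python
# Added example, not from the FAQ: compute the broadcast address for an arbitrary
# IPv4 address / subnet-mask pair using the FAQ's bit rule (keep the address bit
# where the mask is 1, set it to 1 where the mask is 0).
import ipaddress


def to_int(dotted: str) -> int:
    """Convert dotted-quad notation to a 32-bit integer, rejecting malformed input."""
    parts = dotted.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 value: {dotted!r}")
    octets = [int(p) for p in parts]
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_contiguous_mask(mask: int) -> bool:
    """A valid subnet mask is a run of 1 bits followed only by 0 bits."""
    host_bits = (~mask) & 0xFFFFFFFF
    # host_bits is then of the form 000...0111...1, i.e. one less than a power of two
    return host_bits & (host_bits + 1) == 0


def prefix_length(mask: str) -> int:
    """Number of network bits in the mask (21 for 255.255.248.0)."""
    return bin(to_int(mask)).count("1")


def network_address(ip: str, mask: str) -> str:
    """Keep the address bits where the mask is 1 and clear the rest: the network id."""
    return to_dotted(to_int(ip) & to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    """Keep the network bits of the address and set every host bit to 1.

    Because it works bit by bit, it is correct for masks that do not fall on an
    octet boundary (255.255.248.0) as well as the easy 255.255.0.0 style masks.
    """
    mask_int = to_int(mask)
    if not is_contiguous_mask(mask_int):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    host_bits = (~mask_int) & 0xFFFFFFFF
    return to_dotted(to_int(ip) | host_bits)


def usable_host_count(mask: str) -> int:
    """Addresses strictly between the network id and the broadcast address."""
    host_bit_count = 32 - prefix_length(mask)
    return max(2 ** host_bit_count - 2, 0)


def binary_rows(ip: str, mask: str) -> list:
    """The three rows of the FAQ table (mask, address, broadcast), grouped per byte."""
    def row(value: int) -> str:
        bits = f"{value:032b}"
        return " ".join(bits[i:i + 8] for i in range(0, 32, 8))
    return [row(to_int(mask)), row(to_int(ip)), row(to_int(broadcast_address(ip, mask)))]


def cross_check(ip: str, mask: str) -> bool:
    """Compare the hand-rolled result with the standard library's answer."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.broadcast_address) == broadcast_address(ip, mask)


if __name__ == "__main__":
    # The two cases worked in the FAQ text.
    for ip, mask in (("158.234.24.98", "255.255.248.0"), ("134.189.23.42", "255.255.0.0")):
        print(f"{ip} / {mask}: network {network_address(ip, mask)}, "
              f"broadcast {broadcast_address(ip, mask)}, {usable_host_count(mask)} hosts")
        for label, bits in zip(("mask     ", "address  ", "broadcast"), binary_rows(ip, mask)):
            print(f"  {label} {bits}")
        assert cross_check(ip, mask)
```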
To get the MAC to IP addresses, you would therefore perform the following
ping <broadcast mask>
arp -a
Voila, a list of IP addresses and their MAC address (you can add > filename to get the list to a file, e.g. arp -a > iptomac.lst). You could repeat this exercise on the various subnets of your organization.
Unfortunately, due to limitations in NT's implementation of PING, the above will not work correctly, so put the following into a file:
REM arpping.bat
ping -n 1 -l 1 %1.%2
arp -a %1.%2
You can then call the batch file as follows:
C:\> for /l %i in (1,1,254) do arpping 160.82.220 %i
In this case it would generate a list of all MAC to IP addresses for 160.82.220.1 to 160.82.220.254. Again you could put this all in a batch file, redirect its output to a file and then search it, e.g.
REM test.bat
for /l %%i in (1,1,254) do call arpping.bat 160.82.220 %%i
Notice you have to use two %% inside a batch file, and call, so that control returns to the loop after each run of arpping.bat. You could run it as
C:\> test.bat > file.txt
Then search file.txt for (example) dynamic
C:\> findstr dynamic file.txt
160.82.220.1 00-00-0c-60-8b-41 dynamic
160.82.220.9 00-60-97-4b-bf-4c dynamic
160.82.220.13 00-10-4b-49-94-e1 dynamic
160.82.220.17 00-80-5f-d8-a4-8b dynamic
160.82.220.22 00-a0-d1-02-a4-cf dynamic
160.82.220.25 00-60-08-75-0d-7a dynamic
160.82.220.26 00-10-4b-44-e4-73 dynamic
160.82.220.33 00-10-4b-44-d6-33 dynamic
160.82.220.34 00-10-4b-4e-67-6a dynamic
160.82.220.35 00-60-97-4b-c4-53 dynamic
160.82.220.39 00-10-4b-44-eb-ae dynamic
160.82.220.41 00-10-4b-49-7b-f7 dynamic
160.82.220.42 00-00-f8-21-7a-7f dynamic
160.82.220.43 08-00-20-88-82-57 dynamic
160.82.220.221 00-80-5f-88-d0-55 dynamic
Q. How can I control the list of connections shown when mapping a network drive?
A. When you map a network drive (Explorer - Tools - Map Network Drive), if you click the down arrow on the path, a list of previous connections will be shown. These are stored in the registry and can be edited.
Q. How do I grant users access to a network printer?
A. In the same way that files have security information, so do printers, and you need to set which users can perform actions on each network printer.
Q. How can I create a share on another machine over the network?
A. From a Windows NT Server machine a share can be created by opening Server Manager, highlight the target system, select Computer, Shared Directories, and click on New Share.
The Windows NT Resource kit comes with a utility called RMTSHARE.EXE and this can be used to create shares on other machines providing you have sufficient privilege. The basic syntax is as follows:
rmtshare \\<computer name>\"<share name to be created>"="<path>" /remark="<share description>"
e.g.
rmtshare \\savillmain\miscfiles=d:\files\misc /remark="General files"
You only need to use double quotes around the share to be created and the path if there are spaces in the share/file name, e.g. if the share was to be called misc files instead of miscfiles it would have to be in quotes, e.g.
rmtshare \\savillmain\"misc files"="d:\my files\misc" /remark="With space share"
There is also a wizard to share and administer your NT server c:\%systemroot%\system32\wizmgr.exe.
Remember share names cannot contain the " / \ [ ] : | < > + ; , ? * = characters.
Q. I get errors accessing a Windows NT FTP Server from a non Internet Explorer browser.
A. If you run the Microsoft FTP Server Service then you may find problems accessing an area other than the root from a non-Internet Explorer browser. This is because most other FTP Servers use the UNIX-type naming conventions, and that is what browsers such as Netscape expect; however the Microsoft FTP service outputs using DOS naming conventions. This can be resolved by forcing the FTP server service to use UNIX conventions rather than DOS.
You will need to stop and start the FTP server service for this change to take effect (Start - Settings - Control Panel - Services - FTP Service - stop - start)
Q. How can I view which machines are acting as browse masters?
A. There are 2 utilities shipped with the NT resource kit (one GUI, one command line) which can be used to view current browse master status.
BROWMON.EXE - Select from the Diagnostics Resource Kit menu. The master browser will then be displayed for each domain. Double clicking on a machine will then list the other machines that are browsers and a subsequent double click on these machines will tell their status, e.g. backup browser.
BROWSTAT.EXE - Start a command session. There are a number of commands that can be used, however to get a general view enter the command
browstat status <domain name>
Browsing is active on domain.
Master browser name is: PDC
Master browser is running build 1381
2 backup servers retrieved from master PDC
\\PDC
\\WORKSTATION
As can be seen the master browser name is shown, as are backup servers.
Q. Is there any way to improve the performance of my modem internet connection?
A. By default, NT will use a Maximum Transmission Unit (MTU), i.e. packet size, of 576 over the path to a remote host. Problems can arise if the data is sent over routers etc. that cannot handle packets of this size and the packets get fragmented.
The parameter EnablePMTUDiscovery set to 1 forces NT to discover the maximum MTU of all connections that are not on the local subnet. To change this perform the following:
By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion.
Q. How can I remotely tell who is logged on at a machine?
A. The easiest way to do this is to use the NBTSTAT command. There are two ways to use this command depending on whether you know the machine's name or just its IP address. If you know the machine's name enter the command
nbtstat -a <machine name>
e.g. nbtstat -a pdc
The output will be of the format:
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
PDC <00> UNIQUE Registered
PDC <20> UNIQUE Registered
SAVILLTECH <00> GROUP Registered
SAVILLTECH <1C> GROUP Registered
SAVILLTECH <1B> UNIQUE Registered
SAVILLTECH <1E> GROUP Registered
PDC <03> UNIQUE Registered
SAVILLJ <03> UNIQUE Registered
SAVILLTECH <1D> UNIQUE Registered
INet~Services <1C> GROUP Registered
..__MSBROWSE__.<01> GROUP Registered
IS~PDC.........<00> UNIQUE Registered
MAC Address = 00-A0-24-B8-11-F3
The user name is the UNIQUE <03> entry that is not the machine name (SAVILLJ above; the machine itself also registers a <03> name, PDC).
If you only know the IP address use the command
nbtstat -A <IP address>
e.g. nbtstat -A 10.23.23.12
The output is the same; notice we just use a capital A instead of a lowercase a.
This will only work if the remote machine in question is running its Messenger service, otherwise the username is not returned.
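A parser for the nbtstat name table shown above, as an added Python example (not part of the original FAQ; the function names are mine). It re-types the FAQ's sample output as a constructed string, picks out the machine name (<00> UNIQUE), domain (<00> GROUP), logged-on user (<03> UNIQUE other than the machine name) and MAC address, and handles the case where the Messenger service is stopped and no user name is registered.

```python
# Added example, not from the FAQ: parse "nbtstat -a <name>" output into the fields
# an administrator wants (machine, domain, logged-on user, MAC address).
import re

# The FAQ's own sample output, re-typed here as a constructed test string.
SAMPLE_OUTPUT = """
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
PDC            <00>  UNIQUE      Registered
PDC            <20>  UNIQUE      Registered
SAVILLTECH     <00>  GROUP       Registered
SAVILLTECH     <1C>  GROUP       Registered
SAVILLTECH     <1B>  UNIQUE      Registered
SAVILLTECH     <1E>  GROUP       Registered
PDC            <03>  UNIQUE      Registered
SAVILLJ        <03>  UNIQUE      Registered
SAVILLTECH     <1D>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
..__MSBROWSE__.<01>  GROUP       Registered
IS~PDC.........<00>  UNIQUE      Registered

MAC Address = 00-A0-24-B8-11-F3
"""

# Constructed variant: the same machine with the Messenger service stopped, so no
# user <03> name is registered (the failure mode the FAQ describes).
SAMPLE_NO_MESSENGER = """
PDC            <00>  UNIQUE      Registered
PDC            <20>  UNIQUE      Registered
SAVILLTECH     <00>  GROUP       Registered
MAC Address = 00-A0-24-B8-11-F3
"""

# A NetBIOS name is at most 15 characters, padded with spaces or dots, followed by
# the two-hex-digit suffix in angle brackets, the name type and the status.
ENTRY_RE = re.compile(
    r"^\s*(?P<name>.{1,15}?)\s*<(?P<suffix>[0-9A-F]{2})>\s+(?P<kind>UNIQUE|GROUP)\s+(?P<status>\S+)\s*$",
    re.IGNORECASE,
)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-F]{2}(?:-[0-9A-F]{2}){5})", re.IGNORECASE)


def parse_name_table(text: str) -> dict:
    """Return the registered names as a list of dicts plus the MAC address (or None)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "name": m["name"],
                "suffix": m["suffix"].upper(),
                "kind": m["kind"].upper(),
                "status": m["status"],
            })
    mac = MAC_RE.search(text)
    return {"entries": entries, "mac": mac.group(1).upper() if mac else None}


def _first(table: dict, suffix: str, kind: str):
    for entry in table["entries"]:
        if entry["suffix"] == suffix and entry["kind"] == kind:
            return entry["name"]
    return None


def machine_name(table: dict):
    """The workstation service name: UNIQUE <00>."""
    return _first(table, "00", "UNIQUE")


def domain_name(table: dict):
    """The domain or workgroup name: GROUP <00>."""
    return _first(table, "00", "GROUP")


def logged_on_users(table: dict) -> list:
    """Messenger service names (UNIQUE <03>) other than the machine's own.

    Empty when the Messenger service is not running on the remote machine.
    """
    machine = machine_name(table)
    return [e["name"] for e in table["entries"]
            if e["suffix"] == "03" and e["kind"] == "UNIQUE" and e["name"] != machine]


def summarize(text: str) -> dict:
    """One-call summary of an nbtstat name table."""
    table = parse_name_table(text)
    return {
        "machine": machine_name(table),
        "domain": domain_name(table),
        "users": logged_on_users(table),
        "mac": table["mac"],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
    print(summarize(SAMPLE_NO_MESSENGER))
```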
Q. How do I remove a NT computer from a domain?
A. The first way would be to logon to the machine you wish to remove from the domain and start the Network Control Panel applet (Start - Settings - Control Panel - Network, or just right click on Network Neighborhood and select Properties). Select the Identification tab and click Change. Just enter a different domain or workgroup, and you will receive a notice welcoming you to the new domain/workgroup. The problem with this is that the machine can still rejoin the domain, as its account has not been removed from the domain.
To actually remove the computer account from the domain perform the following:
Alternatively you can remove a computer from the command line using the Resource Kit utility NETDOM:
netdom /Domain:<domain> MEMBER <machine name> /delete
e.g. netdom /Domain:savilltech MEMBER kevinpc /delete
You can use this command from any machine, workstation or server, as long as you are logged on as an administrator. When you enter the command it will find the PDC and delete the account. The output is as follows:
Searching PDC for domain SAVILLTECH ...
Found PDC \\PDC
Member \\KEVINPC successfully deleted.
Q. How can I shutdown a number of machines without going to each machine?
A. I have a number of machines set up in my Lab and at the end of an entertaining evening of computing I don't want to have to go to each machine and shut them down, so I wrote a small batch file that uses the shutdown.exe resource kit utility. Just enter the following into a file with a .bat extension:
rem Batch file to shutdown local machine and the PDC, BDC
shutdown \\pdc /t:2 /y /c
rem the line above shuts down a machine called PDC in 2 seconds; repeat with other machine names
shutdown \\bdc /t:2 /y /c
rem the line above shuts down a machine called BDC in 2 seconds
shutdown /l /y /c /t:5
rem the line above shuts down the local machine in 5 seconds
You can then right click the file in Explorer, drag it onto the desktop, release and select "Create shortcut". Clicking this icon will then shut down all the machines in the file. On an NT Server these shutdowns are not graceful and users will not be asked to save work if they are not logged on or the machine is locked. If they are logged on then they have the option of saving files (unless a force switch is used).
If you have installed SP4 or SP5 on Windows NT, the remote shutdown command will shut down the machine immediately without stopping services (dirty shutdown, event ID 6008).
Q. How can I close all network sessions/connections?
A. The command below will close all network sessions
net session /delete
Q. How can I connect to a server using different user accounts?
A. It is possible to specify a user account to use when connecting to a share using the /user switch, e.g.
C:\> net use k: \\server\share /user:domain\user
If you then attempt to connect to the server again with a different username an error will be given. A workaround is to connect to the server using its IP address rather than its NetBIOS name, e.g.
C:\> net use l: \\<ip address>\share /user:domain\user
Q. How do I set the comment for my machine that is displayed in Network Neighborhood?
A. There are 3 ways to set this: from the command line, by editing the registry, or via the GUI.
The easiest way is via the Server control panel applet
An alternative method is from the command prompt using the "net config" command.
C:\> net config server /srvcomment:"machine comment"
Note that even if you are performing this on a workstation machine you still use "net config server" as this is a configuration on the server service of the machine.
Both of the methods shown update a single registry value so this can also be edited directly.
This method only works once the Server Service has been restarted, however, both other methods work instantly. This is because the registry area is only read during startup of the service.
You can remotely change the comment of other machines by using the NT Server utility "Server Manager". Double click on a machine and you will then be presented with the same dialog box as with the Server control panel applet. This has the advantage of allowing the Administrator to set a common description format.
Q. How can I define multiple NetBIOS names for a machine?
A. This would be useful if, for instance, you wanted to migrate a number of shares to a different machine. Rather than having to switch all clients to the new machine instantly, you could define the new machine to also answer to the old machine's NetBIOS name and then slowly migrate the clients. To define extra names for a machine perform the following:
There is a bug when using multiple NetBIOS names on print servers, see 'Q. The additional NetBIOS name of my server does not work for print services.'
Q. How can I manage my NT domain over the net?
A. Microsoft have released "Web Administrator 2.0 for Microsoft Windows NT Server" which allows you to manage the following via the web
The additional software required has to be installed on a server (though it does not have to be a domain controller) with
Internet Information Server 4.0 is available as part of Option Pack 4 which can be obtained from http://www.microsoft.com/windows/downloads/contents/updates/nt40ptpk/default.asp or as part of MSDN. Option Pack 4 has its own requirement that Internet Explorer 4.0 be installed.
Once all the software is installed you can download the Web Admin tools from http://www.microsoft.com/ntserver/nts/downloads/management/NTSWebAdmin/default.asp
To begin the installation just execute the required executable and the installation wizard will begin.
Once the installation is complete you will be able to administer your domain by connecting to http://<the server name>/ntadmin/default.asp. For example if I had installed the software on titanic in the savilltech.com I would connect to http://titanic.savilltech.com/ntadmin/default.asp.
You will need Internet Explorer 4.0 or above to use the site and once connected you can perform a number of options. Below is an example of viewing/changing users.
[Image: ntwebadmin.gif]
Q. How can I remotely manage services?
A. The Windows NT Resource Kit has two utilities, SC.EXE and NETSVC.EXE, which allow remote services to be managed. The resource kit has help on both of these but we will only look at NETSVC.EXE.
To view the services on a remote machine use
C:\> netsvc /query \\<server name> /list
To see the current state of a service use
C:\> netsvc <service name> \\<server> /query
You can then modify the state of the service using the /start, /stop, /pause and /continue switches, e.g.
C:\> netsvc <service name> \\<server> /stop
A. Below is a summary of all the net.exe usage methods.
net accounts
Used to modify user accounts. Specified on its own will give information about the current logon.
Options:
| /forcelogoff:<minutes or no> | Minutes until the user gets logged off after logon hours expire. No means a forced logoff will not occur |
| /lockoutthreshold:<number of failed attempts> | This parameter allows you to configure the number of failed logon attempts before the account is locked. The range is 1 to 999. |
| /lockoutduration:<minutes> | This parameter specifies the number of minutes accounts remain locked before automatically becoming unlocked. The range is 1 to 99999. |
| /lockoutwindow:<minutes> | This parameter lets you configure the maximum number of minutes between two consecutive failed logon attempts before an account is locked. The range is 1 to 99999. |
| /minpwlen:<length> | Minimum number of characters for the password. Default is 6, valid range is between 0 and 14 |
| /maxpwage:<days> | Maximum number of days a password is valid. Default is 90, valid range is between 0 and 49710 |
| /minpwage:<days> | Number of days that must pass before the password can be changed. Default is 0, valid range is between 0 and maxpwage |
| /uniquepw:<number> | Number of password changes before a password may be reused |
| /sync | Forces a domain sync |
| /domain | Performs any of the above actions on the domain controller |
net computer
Used to add and remove computer accounts from the domain.
Options:
| \\<computer name> | Name of the computer to be added or removed |
| /add | Add the specified computer |
| /del | Removes the specified computer |
net config server
Allows modifications to the server service. Entered with no parameters gives details of the current configuration
Options:
| /autodisconnect:<minutes> | Number of minutes a user's session may be inactive before it is disconnected. Default is 15, valid range between 1 and 65535. -1 means never disconnect. |
| /srvcomment:"text" | Set the comment for the machine |
| /hidden:<yes or no> | Specifies whether the computer is hidden from the listing of computers |
net config workstation
Allows modifications to the workstation service. Entered with no parameters gives details of the current configuration
Options:
| /charcount:<bytes> | Number of bytes to be collected before data is sent. The default is 16, valid range is between 0 and 65535. |
| /chartime:<msec> | Number of milliseconds NT waits before sending data. If charcount is also set whichever is satisfied first is used. Default is 250, valid range is between 0 and 65535000. |
| /charwait:<seconds> | Number of seconds NT waits for a communications device to become available. Default is 3600, valid is between 0 and 65535. |
net continue <service name>
Restarts the specified paused service.
net file
Lists any files that are open/locked via a network share.
Options:
| id | Identification of the file (given by entering net file on its own) |
| /close | Close the specified lock |
See Q. How can I tell who has which files open on a machine? for more details.
net group
Adds/modifies global groups on servers. Without parameters will list global groups.
Syntax:
net group <group name> [/comment:"<text>"] [/domain]
net group <group name> [/add [/comment:"<text>"] or /delete] [/domain]
net group <group name> <user name> /add or /delete [/domain]
Options:
| groupname | Name of the global group |
| /comment:"<text>" | Comment if a new global group is created. Up to 48 characters |
| /domain | Performs the function on the primary domain controller |
| username | Username to which apply the operation |
| /add | Adds the specified user to the group or the group to the domain |
| /delete | Removes a group from a domain or a user from a group |
net localgroup
Performs actions on local groups. Same parameters as net group.
net name
Adds or removes a name to which messages may be directed. Running the command on its own lists all messaging names on the machine.
Options:
| name | The messaging name to be added/removed |
| /add | Add the name |
| /delete | Remove the name |
net pause <service name>
Used to pause a service from the command line.
net print
Used to list/modify print jobs.
Options:
| \\computername | Indicates the computer that hosts the printer queue |
| sharename | Name of the printer queue |
| job | The job number to modify |
| /hold | Pauses a job on the print queue |
| /release | Removes the hold status of a job on the print queue |
| /delete | Deletes a job off of the print queue |
net send
Sends a message to a computer, user or messaging name.
Options:
| name | Name of the user, computer or messaging name. Can also use * to send to everyone in the group |
| /domain:<domain name> | All users in the current domain or the specified domain |
| /users | To all users connected to the server |
| message | The message to send |
net session
Lists or disconnects sessions. Used with no options lists the current sessions.
Options:
| \\<computer name> | The computer whose session is to be closed |
| /delete | Closes the session to the computer specified. Omitting a computer name will close all sessions |
net share
Used to manage shares from the command line.
Syntax:
net share <sharename>=<drive>:\<directory> [/users:<number> or /unlimited] [/remark:"<text>"]
net share <sharename> [/users:<number> or /unlimited] [/remark:"<text>"]
net share <sharename or device name or drive and path> /delete
Options:
| <sharename> | Name of the share |
| <device name> | Used to specify the printer name if specifying a printer share |
| <drive>:<path> | Absolute path |
| /users:<number> | Number of simultaneous connections to the share |
| /unlimited | Unlimited usage |
| /remark:"<text>" | Comment for the share |
| /delete | Delete the specified share |
net start <service name>
Start the specified service
net statistics [workstation or server]
Gives information about either the server or workstation service.
net stop <service name>
Stops the specified service
net time
Used to synchronize the time of a computer.
Options:
| \\<computer name> | The name of the computer with which to synchronize the time |
| /domain:<domain> | Synchronize the time with the specified domain |
| /set | Sets the time |
net use
Connects or disconnects to a network share. Used with no qualifiers lists the current network mappings.
Syntax:
net use <device name or *> \\<computer name>\<share name> [password or *] [/user:[<domain>\]<user>] [/delete] [/persistent:[yes or no]]
net use <device name> /home [/delete] [/persistent:[yes or no]]
Options:
| <device name> | Name of the device to map to. Use * to use the next available device name |
| \\computer name | The name of the computer controlling the resource |
| \sharename | Name of the share |
| \volume | Name of the volume if on a NetWare server |
| password | Password to use for the connection |
| * | Prompts for the password |
| /user:<domain>\<user> | Specifies the user to connect as |
| /home | Connects to a users home directory |
| /delete | Closes a connection |
| /persistent:[yes or no] | Sets whether the connection should be reconnected at next logon |
net user
Used to add/create/modify user accounts
Syntax:
net user <username> [password or *] [/add] [options] [/domain]
net user <username> /delete [/domain]
Options:
| username | The name of the account |
| password | Assigns or changes a password |
| * | Gives a prompt for the password |
| /domain | Performs the operation on the domain |
| /add | Creates the account |
| /delete | Removes the account |
| /active:[yes or no] | Activates or deactivates the account |
| /comment:"<text>" | Adds a descriptive comment |
| /countrycode:nnn | nnn is the numeric operating system country code. Use 0 for the operating system's default |
| /expires:<date or never> | The expiry date of the account. Date format is mm,dd,yy or dd,mm,yy which is determined by the country code |
| /fullname:"<name>" | The full name of the account |
| /homedir:<path> | Path for the users home directory |
| /passwordchg:[yes or no] | Used to specify if the user can modify the password |
| /passwordreq:[yes or no] | Used to determine if the account needs a password |
| /profilepath:<path> | Used to specify the profile path |
| /scriptpath:<path> | Path of the logon script |
| /times:<times or all> | Hours user may logon |
| /usercomment:"<text>" | A comment for the account |
| /workstations:<machine names> | Names the user may logon to. * means all. |
net view
Lists shared resources on a domain. Used with no parameters lists all machine accounts in a domain.
Options:
| \\computer name | Specifies the computer whose resource should be viewed |
| /domain:<domain name> | The domain to be used |
| /network:<NetWare network> | A NetWare network to be used |
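The net accounts switches above set the password and lockout policy that `net accounts` reports back when run with no parameters. As an added example (not code from the FAQ), the following Python script parses that listing and flags any value weaker than a chosen baseline; the sample listing and the baseline numbers are constructed assumptions, not NT defaults.

```python
"""Audit the account policy that `net accounts` prints.

Added example, not code from the FAQ: parses the listing produced by
`net accounts` (locally or with /domain) and flags values weaker than a
chosen baseline for the switches documented above. SAMPLE_OUTPUT and
BASELINE are constructed assumptions, not NT defaults.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of a `net accounts` listing on a workstation whose
# policy has never been tightened (labels follow the command's layout).
SAMPLE_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Printed label -> the `net accounts` switch that sets it.
LABELS = {
    "Force user logoff how long after time expires?": "forcelogoff",
    "Minimum password age (days)": "minpwage",
    "Maximum password age (days)": "maxpwage",
    "Minimum password length": "minpwlen",
    "Length of password history maintained": "uniquepw",
    "Lockout threshold": "lockoutthreshold",
    "Lockout duration (minutes)": "lockoutduration",
    "Lockout observation window (minutes)": "lockoutwindow",
}

# Audit baseline (an assumption for this example). "min" settings must be
# at least the value, "max" settings at most the value; None means the
# setting is disabled ("Never"/"None"), which always fails the check.
BASELINE = {
    "minpwlen": ("min", 8),
    "uniquepw": ("min", 5),
    "lockoutduration": ("min", 15),
    "maxpwage": ("max", 90),
    "lockoutthreshold": ("max", 10),
}


def parse_net_accounts(text: str) -> Dict[str, Optional[int]]:
    """Turn the listing into {switch: int or None}.

    "Never", "None" and "Unlimited" become None (the limit is disabled).
    """
    policy: Dict[str, Optional[int]] = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = LABELS.get(label.strip())
        if not sep or key is None:
            continue
        value = value.strip()
        policy[key] = int(value) if re.fullmatch(r"\d+", value) else None
    return policy


def audit_policy(policy: Dict[str, Optional[int]]) -> List[str]:
    """Return one finding per setting weaker than BASELINE."""
    findings: List[str] = []
    for key, (kind, limit) in BASELINE.items():
        value = policy.get(key)
        weak = (value is None
                or (kind == "min" and value < limit)
                or (kind == "max" and value > limit))
        if weak:
            shown = "disabled" if value is None else str(value)
            bound = ">=" if kind == "min" else "<="
            findings.append(f"/{key} is {shown}; baseline is {bound} {limit}")
    return findings


def read_live_policy(domain: bool = False) -> Dict[str, Optional[int]]:
    """Run `net accounts` (Windows only) and parse its output."""
    cmd = ["net", "accounts"] + (["/domain"] if domain else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_net_accounts(out)


if __name__ == "__main__":
    for finding in audit_policy(parse_net_accounts(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample listing the audit reports three findings: the minimum password length, the password history and the lockout threshold are all at their untightened values.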
Q. How can I make net.exe use the next available drive letter?
A. The normal syntax to map a network drive is
C:\> net use <drive letter>: \\<server>\<share>
however this can be modified to
C:\> net use * \\<server>\<share>
which will make the net use command utilize the next available drive letter.
Q. How can I check if servers can communicate via RPC's?
A. Exchange ships with RPINGS.EXE and RPINGC32.EXE which can be used to test RPC communication between two servers. These programs are located in the SERVER\SUPPORT\RPCPING directory of the Exchange CD. Test as follows:
The connection will then be checked. Once complete close the RPINGC32.EXE utility by clicking Exit and on the target machine enter the sequence '@q'.
Below is an example of a successful test.
[Image: rpcping.gif]
Q. How can I reduce the delay when using multiple redirectors?
A. The MUP (Multiple UNC Provider) first establishes whether Distributed File System (Dfs) is in use and passes the request to DFS.
The delays come from two locations:
Depending on the number of redirectors, protocols, and timer configurations for connectivity, these delays can exceed 13 seconds for each initial connection.
Service Pack 4 for Windows NT 4.0 has introduced an updated MUP.SYS giving better performance and a new registry entry which may speed up the initial connect to non-Windows UNC resources, DisableDFS. Perform the following change on each client:
Setting the DisableDFS value to 0, or deleting it, returns the machine to its old behaviour.
If you have the Novell IntranetWare client also installed you must also perform the following before rebooting:
Knowledge base article Q171386 at http://support.microsoft.com/support/kb/articles/q171/3/86.asp has more information on this.
Q. How can a DOS machine connect to an NT domain?
A. Microsoft provide software to enable a DOS machine to participate on a network using a variety of protocols and to connect to a Windows NT domain.
NT Server ships with the "Network Client Administrator" which allows the creation of an installation disk set or a disk to allow Network based installation of a variety of clients, including a network client for DOS.
'Q. How do I install NT over the network?' has an example of creating a network installation disk; here we will concentrate on creating an installation disk set.
To install on a DOS machine you perform the following:
When the machine reboots it will load all the network and protocol drivers and then attempt to logon to the network by issuing the net start command. You will then be asked for a username and password:
Type your user name, or press ENTER if it is ADMINISTRATOR:
Type your password:
You will be asked if you want to create a password file. If you select yes then you will no longer be asked for a password at start-up time, like an auto-logon but be aware it means anyone accessing your computer can logon as you.
Q. Where are Windows 2000 network connections stored in the registry?
A. Windows 2000 network connections, which include not only remote connections such as the one to your ISP but also your Local Area Connection, are stored under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\<GUID>\Connection registry key, where GUID is the Globally Unique IDentifier of the connection.
This is useful to know because if a stray connection becomes corrupted, for example when you remove a network card, you can remove it manually by editing the registry.
Q. How do I install the loopback adapter in Windows 2000?
A. The loopback adapter is useful for machines that have no network card but on which you would like to experiment with installing network protocols and other network related items. Obviously, since there is no physical network connection, you cannot talk to other machines.
You should then configure the device with an IP address etc. If you select DHCP it will use an address 169.254.x.x/16 (subnet mask 255.255.0.0) as no DHCP server can be contacted due to the lack of network connectivity.
Q. How can I turn off/on connection ghosting?
A. Windows uses ghosted connections when a user does not need or want an actual connection until it is used. Once the user uses the connection, Windows NT/2000 will make the necessary connection. In some instances this technique can cause problems; for example, there will be a delay the first time that an inactive, ghosted connection is used.
To turn off the ghosting and eliminate the initial delay when connecting perform the following:
Q. What is the Active Directory?
A. The Active Directory is Microsoft's implementation of a 'Directory Service' and a directory service is basically something that stores data in an organized format and has the mechanisms needed to publish and access the data.
Active Directory is not a Microsoft innovation, but rather an implementation of an existing model (X.500), an existing communication mechanism (LDAP) and an existing location technology (DNS), and each of these are covered in the FAQ.
Before the details of Active Directory are considered, it is important to have an overview of what it is trying to achieve. A directory in its most basic sense is just a container for other information, such as a telephone directory has various entries, and each entry has values. An example would be a name, address and telephone number that would make up a single entry in the directory.
Name: John Savill
Address: 2 SavTech Way (yeah right :-)), London
Tel: 353 3523
E-mail: john@serverfaq.com
In a large directory these entries may be grouped by location or by their type, e.g. lawyers, pest control, etc, or both which would lead to a hierarchy of each type of person in each location. The actual telephone directory would be a directory service as it contains not only the data but also a means to access and use it. The telephone operator would also constitute a directory service as it has access to the data and presents it to you where you can request data and an answer to your query is given.
Active Directory is a type of Directory Service, it holds information about all resources on the network and clients can query the Active Directory for information about any aspect of the network. Active Directory has a number of powerful features:
The last point regarding partitioning the information in the Directory into different stores does not mean that the Active Directory cannot be queried for information from other domains. Global catalogs are used which contain information about every object in the enterprise forest allowing forest wide searches.
Q. A number of Active Directory descriptions.
A. Below are some definitions for the active directory:
ONE SENTENCE SUMMARY OF DNS AND ACTIVE DIRECTORY:
A dns server is used by a client to provide the address of the client's nearest domain controller, which has a copy of Active Directory, which the client then uses to locate whatever object it's looking for.
ONE PARAGRAPH SUMMARY OF DNS AND ACTIVE DIRECTORY:
First a client contacts a dns (domain name system) server which looks up the client's domain, and provides him with the address of the closest dc in that domain. The client proceeds to contact the dc which can then authenticate him. Once authenticated, the client can search Active Directory (a database on the dc) to find objects the client is looking for, like an address for mail, a file, printer, or list of users in a group, etc. If the client cannot contact a dns server, it won't be able to find its domain controller, since only the dns server has the address of it.
ONE PAGE SUMMARY OF DNS AND ACTIVE DIRECTORY:
When dcpromo is performed on a W2K machine named, say, "fido" for the first time creating a new domain, say, "narnia", dcpromo creates two different kinds of "domains". First it creates a domain on the dns server, in our example: "narnia.extest.microsoft.com". This will be found on the extest dns servers, which are in exlab's minilab in bldg 43. Exlab maintains these as community dns servers to save testers the trouble of installing a dns server every time they want to install W2K. Simplified a little, the dns domain on the extest master dns servers looks like this:
extest.microsoft.com
    narnia.extest.microsoft.com
        bigthud dc 172.30.224.34
        blackie dc 172.20.32.13
        etc.
(this is very approximate, but functionally identical)
Clients contact the dns server and it looks up the client's domain. Looking for "narnia" the dns server also discovers "bigthud" and "blackie", both dc's of "narnia". Let's say "bigthud" is the closest dc to the client. The dns server would send the client the address of the dc "bigthud", namely, 172.30.224.34. The client connects and accesses the Active Directory domain database stored on "bigthud" to find objects (like printers, file servers, users, groups, organizational units, etc) in the "narnia" domain. "bigthud" also stores links to other domains in the tree "com". Thus, the client can search a whole tree of domains.
If the search needs to go beyond the client's tree of domains, then a version of Active Directory listing the objects in the whole forest is also available. It is called the Global Catalog. The GC can be kept on any dcs in the forest you may choose, or all, but it does not have to be kept on all.
GC is a shorthand way to access an object ANYWHERE in the forest, but it only provides a few of its attributes, you have to go to the domain AD (always on a dc in that domain) to get the whole object. The GC can be configured to provide whatever object attributes you choose, too, not just a rigid default set of them.
To help in creating objects in AD, the dc also keeps a copy of the classes and hierarchy of classes for the whole forest, too. For example, if we had a class of "baseball players", and a derived class "pitchers" (which is just a player with a few records added of strikeouts and no-hitters, etc) then the class structure would be kept in AD in the part called the "Schema". If we then created an actual group of players we would use our Schema classes to make the players as objects (instances of the classes) in Active Directory. We can also add more classes, eg: "football players" and "quarterbacks" to the Schema, and we call that freedom an "extensible Schema".
The schema is a part of the W2K "configuration namespace" kept on all dcs in a forest. A namespace is a range of labels you put on things, eg: a supermarket "aisle" namespace: aisle=cookies, shelf=top, item=oreo. The configuration namespace in W2K consists of a number of defined items such as physical locations, W2k "sites" (a site is a child of a forest, and can contain machines from any domain, only condition being that all machines in a site have fast reliable net connections for dc replication), and "subnets" which are IP address groupings assigned to sites which help further speed up AD replication amongst dc's, eg: "your dc rocks if it's in the IP subnet and W2K site where its friends are".
Active Directory employs LDAP (Lightweight Directory Access Protocol, a standard Internet protocol that many applications use) to access its records. Why? Because its records are STORED on the dc in "LDAP distinguished name format". But what is LDAP distinguished name format? In the following LDAP distinguished name format example "fred" is a user in the "programming" organizational unit in "narnia" domain in "extest" domain in "microsoft" domain in "com" domain:
cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com
where cn stands for common name, ou stands for organizational unit, and dc in this case stands for "domain component", NOT domain controller. This is how "fred" appears in Active Directory, and a client such as an administrator can access attributes about fred using that syntax, assuming the client has security permissions to do so.
The client's actions are straightforward, as long as the client talks LDAP to Active Directory. However, an action may be done from a client running an application that uses a different name format. To support this, there are two other name formats that can be used (with a little translating) to access Active Directory:
1. "LDAP URL":
Example: LDAP://server1.narnia.extest.microsoft.com/cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com
2. "Active Directory Canonical name":
Example: narnia.extest.microsoft.com/programming/fred. This last one, "Active Directory Canonical name", is what you'll see in user interfaces in W2K.
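The three name formats above describe the same object, so converting between them is mostly a matter of reordering components. As an added example (not code from the FAQ or from Microsoft), the following Python functions convert the distinguished name for fred into its canonical name and LDAP URL and back; the server name in the URL is whatever the caller supplies, and the reverse conversion assumes ou= containers and a cn= leaf, since canonical names carry no attribute types.

```python
"""Convert between the Active Directory name formats described above.

Added example, not from the FAQ: turns an LDAP distinguished name such as
cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com into the
canonical name narnia.extest.microsoft.com/programming/fred and back, and
builds the LDAP URL form. The server name in the URL is whatever the caller
supplies; the reverse conversion assumes OU containers and a cn leaf, since
canonical names carry no attribute types.
"""
import re
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring backslash escapes.

    A comma inside a value is written "\\," (RFC 4514), so a plain
    str.split(",") would break a name like cn=Savill\\, John.
    """
    pieces, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pieces.append("".join(buf))
    rdns = []
    for rdn in pieces:
        typ, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns


def escape_rdn_value(value: str) -> str:
    """Escape the characters that would otherwise end or split an RDN."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def dn_to_canonical(dn: str) -> str:
    """cn=fred,ou=programming,dc=narnia,... -> narnia.extest.../programming/fred"""
    rdns = split_dn(dn)
    domain = [v for t, v in rdns if t == "dc"]
    path = [v for t, v in rdns if t != "dc"]
    if not domain:
        raise ValueError("no dc= components: not an Active Directory DN")
    # The DN lists the leaf first; canonical names run root-first, and a
    # "/" inside a name is escaped as "\/".
    parts = [v.replace("/", "\\/") for v in reversed(path)]
    return "/".join([".".join(domain)] + parts)


def canonical_to_dn(canonical: str) -> str:
    """Inverse of dn_to_canonical (assumes ou= containers and a cn= leaf).

    Built-in containers such as Users are cn= objects in AD, so a real
    converter would have to look the attribute types up in the directory.
    """
    domain, *path = re.split(r"(?<!\\)/", canonical)
    path = [p.replace("\\/", "/") for p in path]
    rdns = []
    if path:
        rdns.append(f"cn={escape_rdn_value(path[-1])}")
        rdns.extend(f"ou={escape_rdn_value(p)}" for p in reversed(path[:-1]))
    rdns.extend(f"dc={label}" for label in domain.split("."))
    return ",".join(rdns)


def ldap_url(server: str, dn: str) -> str:
    """ADSI-style LDAP URL, e.g. LDAP://server1.narnia.../cn=fred,..."""
    return f"LDAP://{server}/{dn}"
```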
A. X.500 is the most common protocol that is used for Directory Management and there are currently 2 main standards, the 1988 and 1993 standards with the 1993 standard providing a number of advances over the older standard. The Windows NT 5.0 implementation of its Directory Services is derived from the 1993 X.500 standard as described below.
The X.500 model uses a hierarchical approach to the objects in the name space with a root at the top of the namespace with children coming off of it. Domains in Windows 2000 are DNS names, for example savilltech.com is a domain name, legal.savilltech.com is a child domain of savilltech.com. Child domains are covered elsewhere.
[Image: x500.gif]
The example shows a root of the directory service and then a number of children. In this case the first layer or children represent countries, however there are no rules and you may break these down however you want. Imagine each country as a child domain of the root, for example usa.root.com and england.root.com. Each child domain can then be broken into a number of organizations. These organizations can be broken down further into organizational units and various privileges/policies can be applied to each Organization unit. Each Organizational Unit has a number of objects such as users, computers, groups etc.
While the directory service is based on X.500, the access mechanism actually uses LDAP (Lightweight Directory Access Protocol) which solves a number of problems with X.500.
X.500 is part of the OSI model however this does not translate well into a TCP/IP protocol environment so LDAP uses TCP/IP for its communication medium. LDAP cuts down on the functions available with a full X.500 implementation making a leaner faster directory service while keeping the overall structure of X.500.
LDAP is actually the mechanism used to communicate with the Active Directory and performs basic read, write, and modify operations.
More on X.500 can be found at http://www.salford.ac.uk/its024/X500.htm
Q. What is the Global Catalog?
A. The Global Catalog contains an entry for every object in the enterprise forest (the term forest is explained later) but holds only a few properties of each object. The entire forest shares one global catalog, with multiple servers holding copies. Searches across the whole enterprise forest can only be made on the properties held in the Catalog, whereas searches within the user's own domain tree can be on any property. Only Directory Services (Domain Controllers) can be configured to hold a copy of the Global Catalog.
Do not configure too many global catalogs in each domain, as you will waste network bandwidth on replication. One global catalog server per domain in each physical location is sufficient; however, NT will set servers as Global Catalogs as it thinks necessary, so there should be no need for you to modify this unless you notice slow query response times.
Since full searches query the whole domain tree rather than the global catalog, grouping the enterprise into a single tree will improve your searches, as it allows you to query on items not in the global catalog and so use a wider set of search criteria.
Q. How do I configure a server as a Global Catalog?
A. To configure a Windows 2000 domain controller as a global catalog server perform the following:
[Image: globalcat.gif]
A. The Schema is a blueprint of all objects in the domain and when first created a default Schema exists which contains definitions for users, computers, domains etc. Because of this, you can only have one schema per domain as you cannot have multiple definitions of the same object.
The default schema definition is defined in the SCHEMA.INI file that also contains the initial structure for the NTDS.DIT (storage for the Directory data). This file is located in the %systemroot%\ntds directory. This file is a plain ASCII format file and can be typed out.
A. In Windows 2000 one domain can be a child of another domain, e.g. child.domain.com is a child of domain.com (a child domain always has the complete domain name of the parent in it), and a child domain and its parent share a two way transitive trust.
When you have a domain as a child of another, a domain tree is formed. A domain tree has to have a contiguous name space.
Notice in the second diagram that the lack of contiguous names means they are not part of the tree.
The name of the tree is the root domain name, so in the example the tree would be referred to as root.com. Since the domains are DNS names and inherit the parent part of the name, if a part of the tree is renamed, then all of its children will implicitly also be renamed, for example if parent ntfaq.com of sales.ntfaq.com was renamed to backoffice.com the child would be renamed to sales.backoffice.com. This is not actually currently possible though.
Domain trees can currently only be created during the server to Domain Controller promotion process with DCPROMO.EXE, this may change in the future.
There are a number of advantages in placing domains in a tree. The first and most useful is that all members of a tree have kerberos transitive trusts with its parent and all its children. These transitive trusts also mean that any user or group in a domain tree can be granted access to any object in the entire tree. This also means that a single network logon can be used at any workstation in the domain tree.
A. You may have a number of separate domain trees in your organization that you would like to share resources and this can be accomplished by joining trees to form a forest.
A forest is a collection of trees that do not have to form a contiguous name space (however each tree still has to be contiguous). This may be useful if your company has multiple root dns addresses.
[Image: forest.gif]
As can be seen from the example, the two root domains are joined via a transitive, two-way Kerberos trust, as in the trust created between a child and its parent. Forests always contain the entire domain tree of each domain, and it is not possible to create a forest containing only parts of a domain tree.
Forests are created during the server to Domain Controller promotion process with DCPROMO and can currently not be created at any other time, this will change in the next version.
You are not limited to only 2 domain trees in a forest, you can add as many trees as you want and all domains within the forest will be able to grant access to objects for any user within the forest. Again this cuts back on having to manually manage the trust relationships. The effect of creating a forest is the following:
You may of course choose not to join trees into a forest and may instead create normal trusts between individual elements of the trees.
A. Windows NT 4.0 trust relationships are not transitive so if domain2 trusts domain1, and domain3 trusts domain2, domain3 does not trust domain1.
[Image: transtrust.gif]
This is not the case with the trust relationships used to connect members of a tree/forest in Windows 2000, trust relationships used in a tree are two-way, transitive Kerberos trusts which means any domain in a tree implicitly trusts every other domain in the tree/forest. This removes the need for time-consuming administration of the trusts as they are created automatically when a domain joins a tree.
Kerberos is the primary security protocol for Windows NT. Kerberos verifies both the identity of the user and the integrity of the session data. The Kerberos services are installed on each domain controller, and a Kerberos client is installed on each Windows NT workstation and server. A user's initial Kerberos authentication provides the user a single logon to enterprise resources. Kerberos is not a Microsoft protocol and is based on version 5.0 of Kerberos. For more information see IETF RFCs (Requests For Comments) 1510 and 1964. These documents are available on the web from http://www.isi.edu/rfc-editor/rfc.html.
Q. How do I create a new Active Directory Site?
A. Active Directory has the concept of sites, which group servers into containers that mirror the physical topology of your network and allow you to configure replication between domain controllers (among other things). A number of TCP/IP subnets can also be mapped to sites, which allows new servers to automatically join the correct site depending on their IP address and lets clients easily find a domain controller close to them.
When you create the first domain controller a default site, Default-First-Site-Name is created to which the domain controller is assigned. Subsequent domain controllers are also added to this site however they can then be moved. This site can be renamed if you wish.
Sites are administered and created using the "Active Directory Sites and Services Manager" MMC snap-in. To create a new site perform the following:
Now the site is created you can assign various IP subnets to it as follows:
You now have a subnet linked to a site. You can assign multiple subnets to a site if you wish.
If you are confused about the bits masked in the subnet name it can be between 22 and 32 and is just the number of bits set in the subnet mask. The subnet mask is made up of 4 sets of 8 bits. To convert the subnet mask to bits you can use the illustration below.
[Image: subnetmask.gif]
Therefore the subnet mask 255.255.255.0 would be 11111111.11111111.11111111.00000000 in binary which therefore uses 8+8+8 bits (24) to define the subnet mask. A subnet mask of 255.255.252.0 would be 11111111.11111111.11111100.00000000 which is 8+8+6 or 22.
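The conversion above, carried through in code as an added example (not part of the FAQ): it counts the mask bits, rejects masks whose set bits are not contiguous (a typo such as 255.255.0.255 would otherwise give a misleading count), and derives the network/bits name that the subnet object in Sites and Services is keyed by. The addresses used are constructed.

```python
"""Subnet mask to prefix length, and the network/bits name of the Active
Directory subnet object an address falls into. Added example, not from the FAQ."""


def mask_to_prefix(mask):
    """Count the bits set in a dotted-decimal mask; reject non-contiguous masks."""
    octets = mask.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal mask: {mask}")
    bits = ""
    for octet in octets:
        value = int(octet)
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range: {octet}")
        bits += format(value, "08b")          # e.g. 252 -> 11111100
    prefix = len(bits.rstrip("0"))            # position of the last set bit
    if "0" in bits[:prefix]:
        raise ValueError(f"non-contiguous mask: {mask} = {bits}")
    return prefix


def site_subnet_name(address, mask):
    """Network address plus prefix length, e.g. 10.1.4.0/22 (constructed values)."""
    prefix = mask_to_prefix(mask)
    addr = int.from_bytes(bytes(int(o) for o in address.split(".")), "big")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = addr & mask_int
    return ".".join(str(b) for b in network.to_bytes(4, "big")) + f"/{prefix}"


def prefix_to_mask(prefix):
    """Inverse direction: 22 -> 255.255.252.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str(b) for b in mask_int.to_bytes(4, "big"))


if __name__ == "__main__":
    print(mask_to_prefix("255.255.255.0"), mask_to_prefix("255.255.252.0"))
    print(site_subnet_name("10.1.7.33", "255.255.252.0"))
```

The same result can be cross-checked with the standard library's ipaddress module; the hand-rolled version is kept here because it shows the bit arithmetic the text describes.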
Q. How do I move a server to a different site?
A. If your sites and subnets are configured then new servers will automatically be added to the site that owns their subnet; however, you can also manually move a server to a different site:
The move will take immediate effect.
Q. How can a server belong to more than one site?
A. By default a server will belong to one site however you may want to configure a server to belong to multiple sites.
Bear in mind sites are used for replication, for clients to find resources and to cut down on traffic on inter-site connections so just modifying the site membership may cause performance problems.
To configure a server to have multiple site membership perform the following:
The above does not create the objects in the Active Directory to evaluate the sites and these need to be added manually.
Q. How can I backup the Active Directory/System State?
A. The Active Directory is backed up using the NTBACKUP.EXE utility. The Active Directory is part of the machines System State which is defined as follows:
For all Windows 2000 machines the System State includes the registry, class registration database and the system boot files. For a Windows 2000 Server that is a certificate server it also contains the Certificate Services database. Finally for a Windows 2000 machine that is a domain controller it includes the Active Directory and the SYSVOL directory also.
To backup the System State using the Backup Wizard perform the following:
If you don't want to use the wizard it can be manually backed up as follows:
To backup only the System State from the command line use the command
C:\> ntbackup backup systemstate /f d:\active.bkf
Of course this is the most basic backup to file and you can use more complex options.
Q. How can I restore the Active Directory?
A. The Active Directory cannot be restored to a domain controller while the Directory Service is running so to restore perform the following:
The computer will boot into a special safe mode and will not start the Directory Service. Be warned that during this time the machine will not act as a domain controller and will not perform authentication etc.
Once you have restored the backup, reboot the computer and start in normal mode to start using the restored information. You may find a hang after the restore has completed; I found a 30 minute wait on some machines.
Q. What are the FSMO roles in Windows 2000?
A. In Windows 2000 all domain controllers are equal and through a process known as multi-master replication changes are replicated to all domain controllers in the domain. However in keeping with George Orwell's Animal Farm some Domain Controllers are more equal than others.
Multi-master replication resolves conflicts, however in some situations it is better to stop the conflict before it happens, and to this end there are five different Flexible Single Master of Operations (FSMO) roles (formerly known as Floating Single Master of Operations, as the roles were originally going to be dynamically changeable), each managing an aspect of the domain/forest. These roles can be moved between domain controllers but not dynamically; they must be manually moved, in the same manner as a BDC has to be manually promoted to a PDC.
There are two types of roles: some are per domain, some are per forest. Only a domain controller in the domain can hold a domain-specific FSMO role; any domain controller in the forest can hold a forest FSMO role. Domain controllers cannot hold FSMO roles in other domains/forests.
These roles can be transferred using various GUI tools or using the NTDSUTIL utility.
The five roles are defined below:
| Role name | Description | Per domain/forest |
| Schema master | At the heart of the Active Directory is the schema, which is like the blueprint of all objects/containers. Since the schema has to be the same throughout the entire forest, only one machine can authorize modifications to the schema. | One per forest |
| Domain naming master | To add a domain to the forest its name has to be verifiably unique, and so the Domain naming master FSMO of the forest is contacted to authorize the domain name operation. | One per forest |
| RID master | Any domain controller can create new objects (such as a user, group or computer account), however after creating 512 user objects the domain controller must contact the domain's RID master for another 512 RIDs (it actually contacts it when it has less than 100 RIDs left, which means the RID master can be unavailable for short periods of time without causing object creation problems). This is to ensure each object has a unique RID. When a DC creates a security principal object it attaches a unique SID to the object. The SID is created using the domain SID and a relative ID (the RID). The RID master has to be available when attempting to move objects between domains with the resource kit movetree utility. | One per domain |
| PDC emulator | For backwards compatibility reasons one domain controller in each 2000 domain must emulate a PDC for the benefit of 4.0 and 3.5 domain controllers and clients. | One per domain |
| Infrastructure master | When a user and group are in different domains there can be a lag between changes to the user (e.g. name) and its display in the group. The infrastructure master of the group's domain is responsible for fixing up the group-to-user reference to reflect the rename. The infrastructure master performs its fixups locally and relies upon replication to bring all other replicas of the domain up to date. | One per domain |
Q. How can I change the RID master FSMO?
A. The RID master is defined here.
To modify the role perform the following:
This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands shown after each prompt:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer rid master
Click Yes to the role transfer dialog
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
fsmo maintenance: quit
ntdsutil: quit
Q. How can I change the PDC emulator FSMO?
A. The PDC emulator is defined here.
To modify the role perform the following:
This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands shown after each prompt:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer pdc
Click Yes to the role transfer dialog
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
fsmo maintenance: quit
ntdsutil: quit
Q. How can I change the Infrastructure master FSMO?
A. The Infrastructure master is defined here.
To modify the role perform the following:
This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands shown after each prompt:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer infrastructure master
Click Yes to the role transfer dialog
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
fsmo maintenance: quit
ntdsutil: quit
Q. How can I change the Domain naming master FSMO?
A. The Domain naming master is defined here.
To modify the role perform the following however make sure the machine is a global catalog:
This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands shown after each prompt:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer domain naming master
Click Yes to the role transfer dialog
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
fsmo maintenance: quit
ntdsutil: quit
Q. How can I change the Schema master FSMO?
A. The Schema master is defined here.
To modify the role you must use the 'Active Directory Schema Manager', and you must first register the .dll for the MMC snap-in:
C:\> regsvr32 schmmgmt.dll
You can now start the Schema Manager via the Resource Kit Tools console or by creating a custom MMC and add the Active Directory Schema snap-in to it (Start - Run - MMC - Console menu - Add/Remove Snap-in - Add - Active Directory Schema - Add - Close - OK)
[Image: schemamaster.gif]
To modify the role from the command line, enter the commands shown after each prompt:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer schema master
Click Yes to the role transfer dialog
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
fsmo maintenance: quit
ntdsutil: quit
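The five transfer sessions above all end with the same "knows about 5 roles" listing, which is the quickest way to confirm where each role ended up. As an added example (not part of ntdsutil or of this FAQ), the following parser reads that listing and reports the role holders per server and any role that is absent. It assumes each role is printed on its own line, as in the sessions above; the sample output below is constructed, with two of the roles placed on a second server named PLUTO in a site named London.

```python
"""Parse the FSMO role listing printed by ntdsutil and group roles by holder.
Added example; not Microsoft code. Sample output is constructed."""
import re

ROLE_LINE = re.compile(r"^\s*(Schema|Domain|PDC|RID|Infrastructure) - (CN=.+?)\s*$")
# NTDS Settings object DN: server name, site name and the configuration naming context.
NTDS_DN = re.compile(
    r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,(DC=.+)$"
)
FOREST_ROLES = ("Schema", "Domain")              # one per forest
DOMAIN_ROLES = ("PDC", "RID", "Infrastructure")  # one per domain
ALL_ROLES = FOREST_ROLES + DOMAIN_ROLES


def parse_fsmo_roles(text):
    """Map role name -> {'server': ..., 'site': ..., 'config_nc': ...}."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line)
        if not m:
            continue                                # banner line or noise
        role, dn = m.groups()
        d = NTDS_DN.match(dn)
        if not d:
            raise ValueError(f"unexpected NTDS Settings DN for {role}: {dn}")
        server, site, config_nc = d.groups()
        roles[role] = {"server": server, "site": site, "config_nc": config_nc}
    return roles


def fsmo_report(text):
    """Return (holders, missing): roles grouped by holding server, in the order
    forest roles then domain roles, and roles absent from the listing."""
    roles = parse_fsmo_roles(text)
    holders = {}
    for role in ALL_ROLES:
        if role in roles:
            holders.setdefault(roles[role]["server"], []).append(role)
    missing = [role for role in ALL_ROLES if role not in roles]
    return holders, missing


# Constructed listing in the format ntdsutil prints (the FAQ's server names).
SAMPLE_OUTPUT = """\
Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=PLUTO,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=PLUTO,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
"""

if __name__ == "__main__":
    holders, missing = fsmo_report(SAMPLE_OUTPUT)
    for server, held in holders.items():
        print(f"{server}: {', '.join(held)}")
    print("missing:", missing or "none")
```

Running it after each transfer and keeping the output gives a dated record of role ownership, which is what you will want when a role holder later fails and you have to decide whether a transfer or a seizure is needed.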
Q. What is Multi-master replication?
A. In a Windows 2000 domain, all domain controllers are equal, which means changes can be made on ANY domain controller, and each server's complete domain directory has to be kept up-to-date with the others through a process of multi-master replication.
Each time a change is made to the Active Directory, the Update Sequence Number, or USN, of the server where the change is implemented is incremented by one, and this USN is also stored along with the change to the property of the object modified. These changes have to be replicated to all domain controllers in the domain, and the Update Sequence Number provides the key to the multi-master replication.
Update Sequence Number increments are atomic in operation, which means that the increment to the USN and the actual change occur simultaneously: if one part fails the whole change fails, so it is not possible for a change to be made without the USN being incremented, which means changes will never be "lost". Each domain controller keeps track of the highest USNs of the other domain controllers that it replicates with, so it can calculate which changes need to be replicated on each replication cycle.
At the start of the replication cycle each server checks its Update Sequence Number table and then queries the domain controllers it replicates with for their latest USN's. For example the table below represents the USN table for server A
| DC B | DC C | DC D |
| 54 | 23 | 53 |
Server A then queries the domain controllers for their current USN's and gets the following:
| DC B | DC C | DC D |
| 58 | 23 | 64 |
From this server A can calculate the changes it needs from each server:
| DC B | DC C | DC D |
| 55,56,57,58 | Up-to-date | 54-64 |
It would then query each server for the changes needed.
It is possible for multiple changes to the same property of an object to occur, and collisions are detected via a Property Version Number (PVN) which every property has. These work like the USNs: each time a property is modified, the PVN is incremented by one.
In the event of a modification to the same property of the same object, the change with the highest PVN takes precedence, and if the PVNs are the same for a property update then a collision has occurred. If the PVNs match then the time stamp is used to resolve the conflict. Each change is time stamped, and this highlights the need for the domain controllers' clocks to be accurate with one another. In the highly unlikely event that the PVNs match AND the time stamps are the same, a binary buffer comparison is carried out with the larger buffer size change taking precedence. Property Version Numbers are only incremented on original writes and not on replication writes (unlike USNs), and are not server specific but rather travel with the property.
A propagation-dampening scheme is also used to stop changes being repeatedly sent to other servers which already have the change, and to this end each server keeps a table of up-to-date vectors, which are the highest originating writes that have been received from each controller and take the form of:
<the change>,<domain controller making the original change>,<USN of the change>
For example
<object savillj, property Password xxx>,Titanic,54
Domain controllers then also send this information with the USN's so they can calculate if they already have the change the other domain controllers are trying to replicate.
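The whole mechanism described in this answer, from the USN table through PVN collision handling to up-to-date-vector dampening, fits in one small model. This is an added illustration, not Windows code; the server names (TITANIC, VENUS, PLUTO), the savillj password change and the timestamps are constructed, and real replication carries far more state than shown here.

```python
"""Toy model of multi-master replication: per-server USNs, the high-watermark
table of partner USNs, Property Version Number conflict resolution and
up-to-date-vector propagation dampening. Added illustration, not Windows code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One originating write, identified by (originating DC, originating USN)."""
    origin_dc: str
    origin_usn: int
    obj: str
    prop: str
    value: str
    pvn: int        # Property Version Number: travels with the property
    timestamp: int  # constructed clock ticks, comparable across DCs


def changes_needed(watermarks, partner_usns):
    """USN range to pull per partner: from the highest USN already seen
    (watermarks) up to the partner's current USN, or None if up to date."""
    return {dc: None if current <= watermarks.get(dc, 0)
            else (watermarks.get(dc, 0) + 1, current)
            for dc, current in partner_usns.items()}


def incoming_wins(incoming, current):
    """Higher PVN wins; on a PVN collision the later timestamp, then the larger buffer."""
    if incoming.pvn != current.pvn:
        return incoming.pvn > current.pvn
    if incoming.timestamp != current.timestamp:
        return incoming.timestamp > current.timestamp
    return len(incoming.value.encode()) > len(current.value.encode())


class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0          # local Update Sequence Number
        self.store = {}       # (obj, prop) -> Change currently held
        self.log = []         # (local USN, Change) in commit order
        self.watermarks = {}  # partner -> highest partner USN already pulled
        self.up_to_date = {}  # origin DC -> highest originating USN held

    def _note_seen(self, change):
        seen = self.up_to_date.get(change.origin_dc, 0)
        self.up_to_date[change.origin_dc] = max(seen, change.origin_usn)

    def _commit(self, change):
        """USN increment and the write happen together (atomic in the real system)."""
        self.usn += 1
        self.store[(change.obj, change.prop)] = change
        self.log.append((self.usn, change))
        self._note_seen(change)

    def write(self, obj, prop, value, timestamp):
        """Originating write: PVN advances; the origin USN is this server's next USN."""
        current = self.store.get((obj, prop))
        pvn = current.pvn + 1 if current else 1
        change = Change(self.name, self.usn + 1, obj, prop, value, pvn, timestamp)
        self._commit(change)
        return change

    def pull_from(self, partner):
        """One replication cycle from partner; returns the outcome of each change."""
        outcomes = []
        start = self.watermarks.get(partner.name, 0)
        for usn, change in partner.log:
            if usn <= start:
                continue
            self.watermarks[partner.name] = usn
            if self.up_to_date.get(change.origin_dc, 0) >= change.origin_usn:
                outcomes.append("dampened")      # already hold this originating write
            elif (current := self.store.get((change.obj, change.prop))) is None \
                    or incoming_wins(change, current):
                self._commit(change)             # replication write: USN moves, PVN does not
                outcomes.append("applied")
            else:
                self._note_seen(change)          # lost the collision; do not re-evaluate
                outcomes.append("discarded")
        return outcomes

    def value_of(self, obj, prop):
        return self.store[(obj, prop)].value


def demo():
    """Three constructed DCs: dampening via a third party, then a PVN collision."""
    titanic, venus, pluto = (DomainController(n) for n in ("TITANIC", "VENUS", "PLUTO"))
    titanic.write("savillj", "Password", "xxx", timestamp=1)   # the FAQ's example change
    venus.pull_from(titanic)
    pluto.pull_from(venus)                       # PLUTO gets TITANIC's write via VENUS,
    dampened = pluto.pull_from(titanic)          # so pulling it from TITANIC is dampened
    titanic.write("savillj", "Password", "yyy", timestamp=10)  # both edit the same property
    venus.write("savillj", "Password", "zzz", timestamp=11)    # and both reach PVN 2
    titanic.pull_from(venus)
    venus.pull_from(titanic)
    return dampened, titanic.value_of("savillj", "Password"), venus.value_of("savillj", "Password")


if __name__ == "__main__":
    print(changes_needed({"DC B": 54, "DC C": 23, "DC D": 53}, {"DC B": 58, "DC C": 23, "DC D": 64}))
    print(demo())
```

Two things to notice when running it: the change TITANIC originated reaches PLUTO exactly once even though PLUTO replicates with both other servers, and after the collision both TITANIC and VENUS converge on the write with the later timestamp, which is why the text insists on the domain controllers' clocks agreeing.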
Q. How can I move objects within my Forest?
A. The Windows 2000 Resource Kit ships with the MOVETREE.EXE utility which can be used to move organization units, users or computers between domains in a single forest. This is useful for the consolidation of domains or to reflect organization restructuring.
Certain objects cannot be moved with MOVETREE such as Local and Domain Global groups and if the container they are in is moved these objects will be placed in an "orphan" container in the "LostAndFound" container in the source domain.
Associated data is not moved with MOVETREE such as policies, profiles, logon scripts and personal data. To accomplish the movement of these items you should write custom scripts using the 'Remote Administration Scripts'.
The syntax of MOVETREE is
MoveTree [/start | /continue | /check] [/s SrcDSA] [/d DstDSA] [/sdn SrcDN] [/ddn DstDN] [/u Domain\Username] [/p Password] [/quiet]
| /start | Start a move tree operation, with the /check option applied by default. Use /startnocheck instead to start a move tree operation without any check. |
| /continue | Continue a failed move tree operation. |
| /check | Check the whole tree before actually moving any object. |
| /s <SrcDSA> | Source server's fully qualified primary DNS name. Required |
| /d <DstDSA> | Destination server's fully qualified primary DNS name. Required |
| /sdn <SrcDN> | Source sub-tree's root DN. Required in Start and Check case. Optional in Continue case |
| /ddn <DstDN> | Destination sub-tree's root DN: RDN plus Destination Parent DN. Required |
| /u <Domain\UserName> | Domain Name and User Account Name. Optional |
| /p <Password> | Password. Optional |
| /quiet | Quiet Mode. Without Any Screen Output. Optional |
You should first run in /check mode as this will perform a test without actually performing the move. Any errors will be displayed and also written to the file movetree.err in your current directory. If the test is OK run with the /start option.
An example use would be
C:\> movetree /check /s titanic.market.savilltech.com /d pluto.legal.savilltech.com /sdn OU=testing,DC=Market,DC=Savilltech,DC=COM /ddn OU=test2,DC=Legal,DC=Savilltech,DC=COM
With /check this only tests the operation; run with /start in place of /check it would move the OU testing from domain market.savilltech.com to test2 in domain legal.savilltech.com.
Q. How do I allow modifications to the Schema?
A. The Schema is extensible which means it can be changed but modifying the Schema is a dangerous task as it will affect the entire domain Forest (since a forest shares a common schema) and someone at Microsoft once said the following:
"If you find you have to change the schema find another way. If you still have to, look again. If after all that you find you still need to change the schema you better make sure your managers are fully aware of the implications"
That being said to allow modifications there are two ways.
If you want to use the GUI, first register the .dll for the MMC snap-in (if you haven't already):
C:\> regsvr32 schmmgmt.dll
You can now start the Schema Manager via the Resource Kit Tools console or by creating a custom MMC and add the Active Directory Schema snap-in to it (Start - Run - MMC - Console menu - Add/Remove Snap-in - Add - Active Directory Schema - Add - Close - OK)
[Image: schemamod.gif]
This can also be accomplished by directly editing the registry
Q. What are Tombstone objects?
A. Because of the complex replication available in Windows 2000 and the Active Directory, just deleting an object would result in it potentially being recreated at the next replication interval, and so deleted objects are 'Tombstoned' instead. This basically marks them as deleted and applies to all objects.
Objects marked as tombstoned are actually deleted 60 days after their original tombstone status was set; this time can be changed by modifying tombstonelifetime under cn=DirectoryServices,cn=WindowsNT,cn=Services,cn=Configuration,dc=DomainName, however it is not advised.
Q. How do I switch my 2000 domain to native mode?
A. Windows 2000 domains have two modes, mixed and native. Mixed mode domains allow Windows NT 4.0 Backup Domain Controllers to participate in a Windows 2000 domain.
In native mode only 2000 based domain controllers can participate in the domain and 4.0 based Backup Domain Controllers will no longer be able to act as domain controllers. Also the switch to native mode allows use of the new "Universal" groups which unlike global groups can be nested inside each other. Older NetBIOS based clients will still be able to logon using the NetBIOS domain name even in native mode.
To perform the switch perform the following:
You will need to check all other domain controllers in the domain and when the domain operation mode says "Native Mode" (instead of mixed mode) reboot them. This can take 15 minutes (or more if contact is not able to be made).
If a domain controller cannot be contacted (if on a remote site and only connects periodically) when you make the change the remote DC will switch mode the next time replication occurs.
Q. How can I force replication between two domain controllers in a site?
A. In Windows NT 4.0 replication between domain controllers could be forced using Server Manager. Replication can also be forced with Windows 2000 domain controllers as follows.
[Image: forcereplication.gif]
This would replicate from TITANIC to the VENUS domain controller.
The replication is one way and if you want two way replication you will need to replicate in each direction.
Q. How can I change replication schedule between two domain controllers in a site?
A. By default domain controllers will replicate once an hour but this can be changed as follows. This is only for domain controllers in a single site, cross site replication is configured differently.
This replication schedule is one way and would need to be repeated for the other direction.
Q. Can I rename a site? - Windows 2000
A. Basically yes. When you install your first domain controller it creates a default site of Default-First-Site-Name which is not very helpful and can be changed as follows:
That's it!
Q. What DNS entries are added when a Windows 2000 domain is created?
A. Windows 2000 domains rely heavily on DNS entries, however the entries are created automatically providing you have enabled dynamic update on the relevant DNS zones. Below are explanations of what the entries are used for:
_ldap._tcp.<DNSDomainName>
Allows a client to locate a Windows 2000 domain controller in the domain named by <DNSDomainName>. A client searching for a DC in domain savilltech.com would query the DNS server for _ldap._tcp.savilltech.com
_ldap._tcp.<SiteName>._sites.<DNSDomainName>
Allows a client to find a Windows 2000 domain controller in the domain and site specified, e.g. _ldap._tcp.london._sites.savilltech.com for a DC in the London site of savilltech.com
_ldap._tcp.pdc._msdcs.<DNSDomainName>
Allows a client to find the Primary Domain Controller (PDC) FSMO role holder of a mixed-mode domain. Only the PDC of the domain registers this record.
_ldap._tcp.gc._msdcs.<DNSTreeName>
Allows a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. Should a server cease to be a GC it will deregister the record.
_ldap._tcp.<site>._sites.gc._msdcs.<DNSTreeName>
Allows a client to find a Global Catalog (GC) server in the specified site, e.g. _ldap._tcp.london._sites.gc._msdcs.savilltech.com.
_ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>
Allows a client to find a domain controller in a domain based on its Globally Unique IDentifier (GUID). A GUID is a 128-bit (8 byte) number that is generated automatically for referencing objects in the Active Directory.
<DNSDomainName>
Allows clients to find a Domain Controller by a normal Host record.
[Image: dnsdc.gif]
Example DNS screen for a domain
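Because these registrations are what clients rely on to find a DC, a missing one is worth detecting before users report logon problems. The following is an added example, not part of the FAQ or of Windows: it builds the list of owner names a DC should have registered from the entries above and checks them against a zone dump. The zone lines, the DC name and address and the domain GUID are all constructed; a real check would pull the zone from the DNS server or query each name with nslookup.

```python
"""Expected DNS registrations for a Windows 2000 DC, checked against a zone
dump. Added example; the zone data, host and GUID below are constructed."""

DOMAIN_GUID = "11111111-2222-3333-4444-555555555555"   # placeholder, not a real domain GUID


def expected_dc_records(domain, tree, site, domain_guid, is_pdc=False, is_gc=False):
    """Owner names (lower-case, no trailing dot) the DC should register, per the list above."""
    names = [
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{tree}",
        domain,                                   # plain host (A) record
    ]
    if is_pdc:
        names.append(f"_ldap._tcp.pdc._msdcs.{domain}")
    if is_gc:
        names.append(f"_ldap._tcp.gc._msdcs.{tree}")
        names.append(f"_ldap._tcp.{site}._sites.gc._msdcs.{tree}")
    return [n.lower() for n in names]


def parse_zone(lines):
    """Read 'owner [TTL] IN TYPE rdata...' lines into {(owner, type): {last rdata field}}:
    the target host for SRV records, the address for A records."""
    zone = {}
    for line in lines:
        fields = line.split()
        if "IN" not in fields:
            continue                              # comments, $ORIGIN, blank lines
        i = fields.index("IN")
        owner = fields[0].rstrip(".").lower()
        rtype = fields[i + 1]
        zone.setdefault((owner, rtype), set()).add(fields[-1].rstrip(".").lower())
    return zone


def missing_registrations(zone, expected, dc_fqdn, dc_ip):
    """Names from expected that do not point at this DC."""
    missing = []
    for name in expected:
        if name.startswith("_ldap._tcp."):
            present = dc_fqdn.lower() in zone.get((name, "SRV"), set())
        else:
            present = dc_ip in zone.get((name, "A"), set())
        if not present:
            missing.append(name)
    return missing


# Constructed zone dump: the site-specific GC record is deliberately absent.
SAMPLE_ZONE = f"""\
; constructed zone dump for savilltech.com (not real data)
_ldap._tcp.savilltech.com.                 600 IN SRV 0 100 389  titanic.savilltech.com.
_ldap._tcp.london._sites.savilltech.com.   600 IN SRV 0 100 389  titanic.savilltech.com.
_ldap._tcp.pdc._msdcs.savilltech.com.      600 IN SRV 0 100 389  titanic.savilltech.com.
_ldap._tcp.gc._msdcs.savilltech.com.       600 IN SRV 0 100 3268 titanic.savilltech.com.
_ldap._tcp.{DOMAIN_GUID}.domains._msdcs.savilltech.com. 600 IN SRV 0 100 389 titanic.savilltech.com.
savilltech.com.                            600 IN A   10.1.4.10
""".splitlines()


def audit_sample():
    """Check the constructed zone for a PDC that is also a GC in the London site."""
    expected = expected_dc_records("savilltech.com", "savilltech.com", "london",
                                   DOMAIN_GUID, is_pdc=True, is_gc=True)
    return missing_registrations(parse_zone(SAMPLE_ZONE), expected,
                                 "titanic.savilltech.com", "10.1.4.10")


if __name__ == "__main__":
    print("missing:", audit_sample())
```

The check is deliberately per-DC: the same record name can carry several SRV entries (one per DC), so presence of the name alone says nothing about whether this particular server registered.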
Q. How can I manually defragment the Active Directory? - Windows 2000 only
A. By default Windows 2000 servers running directory services will perform an online directory defragmentation every 12 hours as part of the garbage collection process. This defragmentation only moves data around the database file (NTDS.DIT) and does not reduce its size.
To create a new, smaller NTDS.DIT an offline defragmentation must be performed as follows:
Below is an example of the entire procedure
Microsoft Windows 2000 [Version 5.00.2031]
(C) Copyright 1985-1999 Microsoft Corp.

D:\>ntdsutil
ntdsutil: files
file maintenance: info

Drive Information:

        C:\ FAT (Fixed Drive ) free(1.2 Gb) total(1.9 Gb)
        D:\ NTFS (Fixed Drive ) free(152.4 Mb) total(1.9 Gb)

DS Path Information:

        Database   : D:\WINNT\NTDS\ntds.dit - 8.1 Mb
        Backup dir : D:\WINNT\NTDS\dsadata.bak
        Working dir: D:\WINNT\NTDS
        Log dir    : D:\WINNT\NTDS - 30.0 Mb total
                        res2.log - 10.0 Mb
                        res1.log - 10.0 Mb
                        edb.log - 10.0 Mb

file maintenance: compact to c:\temp
Opening database [Current].
Using Temporary Path: C:\
Executing Command: D:\WINNT\system32\esentutl.exe /d "D:\WINNT\NTDS\ntds.dit" /
/o /l"D:\WINNT\NTDS" /s"D:\WINNT\NTDS" /t"c:\temp\ntds.dit" /!10240 /p

Initiating DEFRAGMENTATION mode...
            Database: D:\WINNT\NTDS\ntds.dit
           Log files: D:\WINNT\NTDS
        System files: D:\WINNT\NTDS
      Temp. Database: c:\temp\ntds.dit

                  Defragmentation Status ( % complete )

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Note:
  It is recommended that you immediately perform a full backup
  of this database. If you restore a backup made before the
  defragmentation, the database will be rolled back to the state
  it was in at the time of that backup.

Operation completed successfully in 17.896 seconds.

Spawned Process Exit code 0x0(0)

If compaction was successful you either need to
copy "c:\temp\ntds.dit" to "D:\WINNT\NTDS\ntds.dit"
or run:
D:\WINNT\system32\ntdsutil.exe files "set path DB \"c:\temp\"" quit quit
file maintenance: quit
ntdsutil: quit

D:\>copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
Overwrite D:\WINNT\ntds\ntds.dit? (Yes/No/All): y
        1 file(s) copied.
Q. How can I audit the Active Directory?
A. It is possible to configure auditing on the Active Directory to produce both successful and failed entries in the Directory Service event log.
To configure perform the following:
The logs can be viewed in the Security Log (using Event Viewer). The policy change may take a while to take effect as domain controllers poll for policy changes every five minutes. Other domain controllers in the enterprise receive the changes at this interval plus the time of replication.
Q. How can I automate a server upgrade to a Domain Controller during installation?
A. It's possible to run the DCPROMO.EXE utility automatically during an unattended installation using the following method:
The Dcpromo process can be scripted by using the dcpromo /answer:%path_to_answer_file% command. In the following example, the [DCInstall] section and parameters are added directly to the unattended answer file. The parameters for the DCInstall section are detailed in the Unattend.doc supplied with the resource kit but below are the main entries:
| AdministratorPassword | The new password for the domain Administrator account |
| AutoConfigDNS | Indicates if the wizard should configure DNS |
| ChildName | Name of the child part of domain |
| CreateOrJoin | Specifies if the domain will join an existing forest or create a new one |
| DatabasePath | Location for the Active Directory database |
| DNSOnNetwork | Used when a new forest of domains is being installed and no DNS client is configured on the computer |
| DomainNetBiosName | NetBIOS name for the domain |
| IsLastDCInDomain | Only valid when demoting an existing domain controller to a member server |
| LogPath | Path for the DS logs |
| NewDomainDNSName | Name of the new tree or when a new forest is being created |
| ParentDomainDNSName | Specifies name of parent domain |
| Password | Password for username being used to promote server |
| RebootOnSuccess | Whether an automatic reboot should be performed |
| ReplicaDomainDNSName | Name of the domain to be replicated from |
| ReplicaOrMember | Specifies if a 3.51 or 4.0 BDC being upgraded should become a replica domain controller or be demoted to a regular member server. |
| ReplicaOrNewDomain | Specifies if this is a new DC in a new domain or if it's a replica of an existing domain |
| SiteName | Name of the site, by default this is "Default-First-Site" |
| SysVolPath | Path of SYSVOL |
| TreeOrChild | Whether this is a new tree or a child of an existing domain |
| UserDomain | Domain for the user being used in promotion |
| UserName | Name of user performing the upgrade |
Because this process occurs after setup, the answer file created is named $winnt$.inf and is copied to the \system32 folder. Because the parameters are in this file, you must add the following text to the [GUIRunOnce] section of the unattended Setup answer file:
[GUIRunOnce]
"DCpromo /answer:%systemroot%\system32\$winnt$.inf"

[GUIUnattended]
Autologon = yes            ; automatically logs on the administrator account
AutoLogoncount = n         ; number of times to perform auto-admin logon
Easy :-) Don't use items like %systemroot% or %windir% etc as they are not understood during unattended installations.
You can just create a [DCInstall] section directly in your unattend.txt file to avoid having multiple unattended setup files.
[DCInstall]
AdministratorPassword = cartman
CreateOrJoin = Create
DomainNetBiosName = savtech
NewDomainDNSName = savtech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "London"
TreeOrChild = Tree
The script above would create a new forest with domain savtech.com at the top with the created domain controller in site London. Default locations for the SYSVOL, logs and Active Directory files will be used. The new domain Administrator account password would be cartman (Southpark rules!).
You can of course use this outside of an unattended installation if you wish after you've installed by just typing:
DCPROMO /answer:<DCInstall answer filename>
A small dialog saying DCPROMO is running in unattended mode will be displayed and then it will reboot.
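A typo in a [DCInstall] section only shows up when the promotion fails on a freshly built server, and, as the text notes, the answer file is copied to \system32 as $winnt$.inf, so whatever passwords it carries sit there in plaintext until someone deletes the file. The following added example (not Microsoft's DCPROMO parser and not part of the FAQ) reads an unattend file, checks the [DCInstall] keys against the table above and flags credential keys left in it. The required-key rules are this example's own reading of the table's descriptions (an assumption), and the sample file is constructed from the page's own snippet.

```python
"""Sanity checks for a [DCInstall] answer-file section. Added example; not
Microsoft code. Key names come from the table above; the required-key rules
and the sample file are this example's assumptions."""

# Parameters documented in the table above.
DOCUMENTED_KEYS = {
    "AdministratorPassword", "AutoConfigDNS", "ChildName", "CreateOrJoin",
    "DatabasePath", "DNSOnNetwork", "DomainNetBiosName", "IsLastDCInDomain",
    "LogPath", "NewDomainDNSName", "ParentDomainDNSName", "Password",
    "RebootOnSuccess", "ReplicaDomainDNSName", "ReplicaOrMember",
    "ReplicaOrNewDomain", "SiteName", "SysVolPath", "TreeOrChild",
    "UserDomain", "UserName",
}
# Keys whose values are credentials and persist in the copied $winnt$.inf.
SECRET_KEYS = {"AdministratorPassword", "Password"}


def parse_answer_file(text):
    """Minimal INI reader: {section: {key: value}}. Lines without '=' (such as
    the quoted command under [GUIRunOnce]) are kept as keys with value None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value.strip('"')
        elif current is not None:
            sections[current][line] = None
    return sections


def check_dcinstall(text):
    """Return a list of findings; an empty list means nothing to flag."""
    sections = parse_answer_file(text)
    dc = sections.get("DCInstall")
    if dc is None:
        return ["no [DCInstall] section"]
    findings = [f"unknown DCInstall key: {k}" for k in dc if k not in DOCUMENTED_KEYS]
    # Assumption from the table: a new domain needs its DNS name, a replica
    # needs the name of the domain it replicates from.
    mode = dc.get("ReplicaOrNewDomain")
    if mode == "Domain" and "NewDomainDNSName" not in dc:
        findings.append("ReplicaOrNewDomain=Domain but NewDomainDNSName is missing")
    if mode == "Replica" and "ReplicaDomainDNSName" not in dc:
        findings.append("ReplicaOrNewDomain=Replica but ReplicaDomainDNSName is missing")
    secrets = sorted(k for k in dc if k in SECRET_KEYS)
    if secrets:
        findings.append("credentials stored in plaintext: " + ", ".join(secrets))
    runonce = sections.get("GUIRunOnce", {})
    if not any("dcpromo" in k.lower() for k in runonce):
        findings.append("[GUIRunOnce] does not launch dcpromo /answer")
    return findings


# Constructed from the snippet above (the FAQ's own sample values).
SAMPLE = """\
[GUIRunOnce]
"DCpromo /answer:%systemroot%\\system32\\$winnt$.inf"

[DCInstall]
AdministratorPassword = cartman
CreateOrJoin = Create
DomainNetBiosName = savtech
NewDomainDNSName = savtech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "London"
TreeOrChild = Tree
"""

if __name__ == "__main__":
    for finding in check_dcinstall(SAMPLE):
        print("-", finding)
```

The plaintext finding is the one to act on operationally: once the promotion has completed, remove $winnt$.inf (and the unattend file it was copied from) or at least strip the password keys, and treat the domain Administrator password used in it as one to rotate.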
Q. How do I enable circular logging for the Active Directory?
A. Active Directory can record either sequential or circular logs, although sequential is the default and is preferred. Circular logs overwrite transactions at specific intervals, whereas sequential logs are never overwritten (but data in sequential log files whose transactions have been committed to the database are deleted during garbage collection intervals.)
Sequential log files are not overwritten with new data. They grow until they reach a specified size. Once all the transactions in a log file are committed to the database, this log file is no longer needed. Active Directory’s garbage collection process deletes unnecessary log files every 12 hours (the default garbage collection interval). If your server never stays up longer than 12 hours between reboots, the old log files are never cleaned up and they take up more and more space on the disk (but you have bigger problems :-) ).
Some administrators prefer circular logging because it helps minimize the amount of logged data stored to the physical disk. Imagine circular logs as a donut with new data overwriting the oldest as needed. You must edit the registry to enable circular logging.
Q. How do I change Domain Names?
A. This is not so much a procedure but things to think about.
A knowledge base article exists at http://support.microsoft.com/support/kb/articles/q178/0/09.asp.
Q. How do I move a Workstation to another Domain?
A. Logon to the Workstation locally as Administrator (i.e. name of machine) and go to Control Panel. Double click Network and click Change. Enter the new Domain name and click OK. You will receive a message "Welcome to Domain x". Reboot the machine and you are part of the new domain.
If you wish to administer this box from the new domain you will need to add <Domain>\DomainAdmins to the local administrators group by connecting to the local user database via User Manager for Domains (i.e. \\computername)
Q. How many user accounts can I have in one Domain?
A. The real problem is that each user account and machine account takes up space in the SAM file, and the SAM file has to be memory resident. A user account takes up 1024 bytes of memory (a machine account half as much), so each person (assuming they each have one machine) takes 1.5 KB. This means that for a 10,000 user domain each PDC/BDC would need 15MB of memory just to store the SAM! Imagine a network with 100,000 people. This is one of the reasons you have multiple domains and then set up trust relationships.
Q. How do I change my server from Stand Alone to a PDC/BDC?
A. You cannot change the role of an NT server; you will need to reinstall NT.
As an alternative, you can use a 3rd party utility called U-Promote, http://u-tools.com/UTools/UPromote.asp, however this works by making registry changes that would render your system unsupportable by Microsoft and may lead to problems later in the server's lifetime, for example moving to Windows 2000. In Windows 2000 you can promote a server to a domain controller by using DCPROMO.EXE.
A. A PDC is a Primary Domain Controller, and a BDC is a Backup Domain Controller. You must install a PDC before any other domain servers. The Primary Domain Controller maintains the master copy of the directory database and validates users. A Backup Domain Controller contains a copy of the directory database and can validate users. If the PDC fails then a BDC can be promoted to a PDC. Possible data loss is user changes that have not yet been replicated from the PDC to the BDC. A PDC can be demoted to a BDC if one of the BDC's is promoted to the PDC.
Q. How many BDC's should I have?
A. Microsoft say one BDC for every two thousand users. This is fine considering a 486DX2 with 32MB of RAM can, on average, perform at least 10 logons per minute; however if everyone in your company arrives at 9:00 on the dot and logs on (except for the helpful people who arrive half an hour late) there will be a surge of logon requests to deal with, resulting in large delays. To try and improve on this, it is possible to configure the Server service to maximize throughput for Network Applications rather than File Applications. Remember the more powerful the processor, the more logons (a Pentium 133 would be able to log on at least 30 people).
Q. How do I configure a Trust Relationship?
A. Domains by default are unable to communicate with other domains, which means someone in domain x cannot access any resource that is part of domain y. Before a trust relationship is configured
After a trust relationship is defined, say x trusts y the following happens
In the example above x is the trusting domain, and y is the trusted domain. Also the above is a one-way trust relationship, i.e. while domain y users can use domain x resources, users of domain x cannot use domain y resources. A two-way relationship would allow each domain to access resources of the other (if given permission).
The basics of a trust relationship are to first configure domain y to allow domain x to trust it, and then configure domain x to trust domain y:
Q. How do I terminate a Trust Relationship?
A. Firstly you have to stop domain x trusting domain y, then remove domain x's ability to trust domain y:
Q. How can I join a domain from the command line?
A. The NT Resource Kit Supplement 2 ships a new utility called NETDOM.EXE which can be used not only to join domains, but to create computer accounts and trust relationships.
To join a domain there are 2 paths. The first is to just add the computer to the domain and create the computer account simultaneously, which is OK if you are logged on as a domain administrator. If you are not a domain administrator the account needs to be added in advance and then you join the domain.
If you are logged on as a domain administrator then enter the command below to create the account and join the domain
netdom /domain:savilltech /user:savillj /password:nottelling member <computer name> /joindomain
where <computer name> is the name of your machine, e.g. johnstation
If you are not an administrator the domain admin people will have to add an account for you first, using either Server Manager or NETDOM.EXE:
netdom /domain:savilltech /user:savillj /password:nettelling member <computer name> /add
Once the account has been added the normal user can join the domain using the first command shown.
Q. How do I demote a PDC to a BDC?
A. Normally when you promote a BDC to the PDC, the existing PDC is automatically demoted to a BDC. In the event that the PDC was taken off line and then a BDC promoted, when the old PDC is restarted it will still think it is the PDC, and when it detects another PDC it will simply stop its own Netlogon service.
To actually modify the machine to be a BDC the registry needs to be changed directly:
To avoid having to set security on the keys, perform the registry change from the system account by submitting the registry editor via the Schedule service:
C:\> net start schedule   (only if not already running)
C:\> at <time> /inter regedt32.exe
C:\> net stop schedule   (only if you had to start it)
Q. How can I configure a BDC to automatically promote itself to a PDC if the PDC fails?
A. There is no way to do this, the assumption is that the PDC would be configured to write out the dump information and then reboot itself thus coming back online. You configure this behavior using the System Control Panel Applet - Startup/Shutdown tab.
A. To rename a Primary Domain Controller perform the following:
To Rename a Backup Domain Controller
Note: If the BDC begins to receive 7023 or 3210 errors after synching the domain in server manager, on the PDC choose the BDC and then synch that specific BDC with the PDC. After an event indicating that the synch is complete, restart the BDC.
Q. Can I move a BDC to another domain?
A. Normally no, the BDC shares a common SID with the PDC of the domain and so there is no way to move a BDC to another domain, you would need to reinstall the BDC.
Sysinternals have released NewSID 3.0 (from http://www.sysinternals.com/) which has a SID-synchronizing feature that lets you have one machine copy the SID of another. This makes it possible to move a BDC to a new domain. On the BDC start NewSID and click "Synchronize SID", enter the name of the PDC and click OK.
Q. Can I change a PDC/BDC into a stand-alone server?
A. No, the PDC/BDC registry is different from that of a stand-alone server; again a reinstallation would be needed.
As an alternative, you can use a 3rd party utility called U-Promote, http://u-tools.com/UTools/UPromote.asp, however this works by making registry changes that would render your system unsupportable by Microsoft and may lead to problems later in the server's lifetime, for example moving to Windows 2000.
In Windows 2000 you can change a domain controller to a normal server by running DCPROMO.EXE.
Q. Can I administer my domain from an NT Workstation?
A. Yes, if you install the NT Server client based Administration tools:
Q. In what order should I upgrade my PDC and BDC's from 3.51 to 4.0?
A. The two different versions can coexist happily so you can upgrade in any order you want; however the safest option may be the following schedule:
Q. What tuning can I perform on PDC/BDC Synchronization?
A. There are several registry settings that can be configured for PDC/BDC Synchronization:
These are all values under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
| Value | Description |
| ChangeLogSize (REG_SZ) | Default size for the Change Log. By default 64KB with a maximum of 4MB |
| Pulse | This determines the gap in seconds between replication from the PDC to the BDC's. The lowest value is 60, and the max is 3600 (1 hour). The default is 300 (5 minutes). You may want to increase this time if the BDC's are over a slow WAN link. |
| PulseConcurrency | The number of BDC's that the PDC sends pulses to concurrently. By default this is 10. |
| PulseMaximum | The PDC performs a check that the BDC's are still there every so often. This is in seconds and once again the minimum is 60 and the maximum is 86,400. |
| Randomize | The number of seconds a BDC waits after an announcement before answering. 1 by default. |
| ReplicationGovernor | This is a percentage of the 128K blocks that are sent. If you had a slow link you may not want the PDC sending 128K blocks so you could change this to 25, meaning only 32K would be sent at a time. This will mean that the blocks are sent more frequently (25 would mean 4 times as often). |
| Update | By default this is set to no, which means only changes are replicated. Setting this to Yes will cause everything to be replicated even if there is no change. This needs to be set on the import server. |
Q. I cannot add a BDC over a WAN.
A. To add a BDC to a domain, the PDC has to be contactable. Therefore the first task is to check that communications are working.
If you are using TCP/IP then ensure you can PING the PDC,
ping <ip address of the PDC>
If this is OK then the problem is at the NetBIOS level. If you have WINS on the network ensure the BDC is configured to use the WINS server as when the PDC starts it will register the WINS name <domain><1Bh> which is used to identify the domain controller.
Alternatively the LMHOSTS file can be updated.
To use the lmhosts file during installation you should create the file on another machine and copy it over when the BDC is being installed.
Q. How can I synchronize the domain from the command line?
A. To force a domain synchronization use the command
net accounts /sync
Q. How can I force a client to validate its logon against a specific domain controller?
A. Before answering this it is best to understand what happens when a login occurs.
When a logon request is made to a domain, the workstation sends out a request to find a domain controller for the domain. The domain name is actually a NetBIOS name that is a 16-character name with the 16th character used by Microsoft networking services to identify the NetBIOS type.
The type used for a domain controller is <1C> and so the NetBIOS name for domain controller of domain "SAVILLTECH" would be "SAVILLTECH <1C>" The NetBIOS type has to be the 16th character, hence the name of the domain has to be filled with blanks to make its length up to 15 characters.
If the client is WINS enabled then a query for the resolution of "<domain name> <1C>" will be sent to the WINS server as defined in the clients TCP/IP properties. The WINS server will return up to 25 IP addresses that correspond to domain controllers of the requested domain, a \mailslot\net\ntlogon is broadcast to the local subnet and if the workstation receives a response then it will attempt logon with the local domain controller.
If WINS is not configured then it is possible to manually configure the LMHOSTS file on the Workstations to specify the Domain Controller. This file is located in the %systemroot%\system32\drivers\etc directory.
An example entry in LMHOSTS would be as follows
200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller
The above sets up IP address 200.200.200.50 to be host Titanic, which is the domain controller for savilltech and instructs the machine that this entry is to be preloaded into the cache.
To check the NetBIOS name cache you can use the command nbtstat -c, which will show all the entries including their type. If WINS is not configured and there is no entry in LMHOSTS then the Workstation will send out a series of 3 broadcasts. In the situation where no response is received and WINS is configured to use DNS for WINS resolution, a request to the DNS server will be sent and finally the HOSTS file checked. If all of this fails then the error "A domain controller for your domain could not be contacted" is displayed.
To force a client to use a specific domain controller we need only do the following:
The machine is now configured to broadcast for a domain controller on the local subnet and then query a name server. If no domain controllers are found on the WINS server, or WINS is not used, it will then search the LMHOSTS file. The next stage is to edit this file.
Service Pack 4 includes a new utility, SETPRFDC.EXE, which will direct a secure channel client to a preferred list of domain controllers.
The syntax is:
C:\> SETPRFDC <Domain Name> <DC1, DC2, ....., DCn>
SETPRFDC will try each DC in the list in order, until a secure channel is established. If DC1 does not respond, DC2 is tried, and so on. Once you run SETPRFDC on a WinNT 4.0, SP4 computer, the list is remembered until you change it. You can run SETPRFDC in batch, via the scheduler, or even in a logon script (for future logons). Don't forget to undo any LMHOSTS entries you might have set.
Q. How do I promote a server to a domain controller? - Windows 2000 only
A. Windows 2000 ships with a utility, DCPROMO.EXE, which is used to promote a stand-alone/member server to a domain controller and vice-versa.
In Windows 2000 domains are DNS names, which means you can have a hierarchy of domains leading to parent-child domain relationships. The advantage of these parent-child relationships is that they have a bidirectional transitive trust, which means that if domain b is a child of domain a, and domain c is a child of domain b, domain c implicitly trusts domain a. This is very different from the way trusts work in earlier versions of Windows NT.
Since Windows 2000 domains rely on DNS it is vital that DNS is correctly configured to enable the domain to be created (if you are creating a new top level domain). Information on configuring DNS for a domain can be found here.
A final pre-requisite is that an NTFS 5.0 volume is required to house the SYSVOL volume and so ensure you have at least one NTFS 5.0 volume (use CHKNTFS to check the versions of your partitions).
To upgrade a stand-alone/member server to a domain controller perform the following:
You now have a Windows 2000 domain controller. Additional domain controllers (old BDC's) can be added by performing the above and selecting "Replica domain controller in existing domain" in step 3. It would then ask you the name of the domain to replicate.
Q. How can I generate a list of all computer accounts in a domain?
A. The normal method under Windows NT 4.0 and earlier is to use Server Manager (Start - Programs - Administrative Tools - Server Manager) and computer accounts can be viewed/added/deleted.
Under Windows NT 5.0 this information can be viewed using the Active Directory MMC (Microsoft Management Console) snap-in and browsing the domain's Computers group. Of course under Windows NT 5.0 and the Active Directory computers can also be created in Organizational Units and so would not all be shown under this tree (as shown below, the computer account in the law OU would not be listed in the Computers group).
[Image: netdom.gif]
A more complete method is to use the Windows NT Resource Kit NETDOM.EXE utility (which runs under Windows NT 5.0) to generate the list, e.g.
C:\> netdom member
Searching PDC for domain SAVILLTECH
...
Found PDC \\TITANIC
Listing members of domain SAVILLTECH ...
Member 1 = \\ODIN
Member 2 = \\garfield
It is also possible to list other domains using a mixture of command line switches, e.g.
C:\> netdom /d:<domain name> [/u:<domain>\<user to query with> /p:<password>] member
The information in the [] is only needed if your account does not have privileges in the requested domain.
The advantage of the command line tool is it lists all computer accounts, even those in OU's in the Active Directory.
An alternative method is to use the net view /domain:<domain> command which has the advantage that you can pipe the output to a file or another command, e.g.
C:\> net view /domain:savtech
Q. How can I verify my Windows 2000 domain creation? - Windows 2000 only
A. To verify the TCP/IP configuration is OK check for the ldap.tcp.<domain> service record, e.g. ldap.tcp.savilltech.com
C:\> nslookup
> set type=srv
> _ldap._tcp.savilltech.com
Server:  [200.200.200.50]
Address:  200.200.200.50

_ldap._tcp.savilltech.com       SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = titanic.savilltech.com
titanic.savilltech.com  internet address = 200.200.200.50
The ldap record used to be ldap.tcp.<domain> but was modified in build 1946 onwards. The underscore is necessary to definitively differentiate our unique names in the DNS namespace from InterNIC registered domain names on the Internet. In this way we can ensure that there will never be a DNS name clash. My understanding is that RFC 1034/1035 (I may be wrong with these numbers as they may have been superseded) say that the underscore character is NOT a valid character to use in a DOMAIN NAME. All Internet registered names should never contain the underscore. Now, RFC 2181 states that the underscore is a valid label to use in DNS (as well as plenty of other characters too), so the underscore is used to prevent a possible clash with INTERNET names. This change was introduced in earlier builds of Windows 2000. For a while DC's generated both styles of names in DNS to support both styles of clients (i.e. newer and older builds). Now that client code is changed to look for underscores, the ldap.tcp names have been retired in favour of the _ldap._tcp names.
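As an added example (not part of the FAQ), the following Python builds the _ldap._tcp.<domain> query name checked above and orders the SRV answers the way a client does under RFC 2782 (lowest priority first, then a weighted draw within a priority), which goes beyond the single-record case shown; the cuttysark and odin records are constructed for illustration, only titanic comes from the FAQ's output.

```python
"""Locate a Windows 2000 domain controller from DNS SRV records.

Added example, not part of the original FAQ. The second and third
records below are constructed for illustration; only titanic appears
in the FAQ's nslookup output. Ordering follows RFC 2782.
"""
import random
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is tried first
    weight: int     # relative share within one priority
    port: int       # 389 for LDAP
    target: str     # DC host name


def ldap_srv_name(domain: str) -> str:
    """The name a client queries to find DCs: _ldap._tcp.<domain>."""
    domain = domain.strip().rstrip(".").lower()
    if not domain:
        raise ValueError("empty domain name")
    return f"_ldap._tcp.{domain}"


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order targets as RFC 2782 prescribes: lowest priority first; within a
    priority, a weighted random draw so heavier targets tend to come first."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            # Weight-0 records are placed first so they get the smallest
            # chance of being drawn; then pick a number in [0, total].
            pool.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def ordered_targets(records: List[SrvRecord], seed: int) -> List[str]:
    """Host names in the order a client seeded this way would try them."""
    return [r.target for r in order_srv(records, random.Random(seed))]


# Constructed answer for _ldap._tcp.savilltech.com: titanic is from the FAQ,
# cuttysark (same priority, weight 0) and odin (backup priority) are invented.
SAMPLE_ANSWER = [
    SrvRecord(0, 100, 389, "titanic.savilltech.com"),
    SrvRecord(0, 0, 389, "cuttysark.savilltech.com"),
    SrvRecord(10, 100, 389, "odin.savilltech.com"),
]

if __name__ == "__main__":
    print(ldap_srv_name("savilltech.com"))
    for rec in order_srv(SAMPLE_ANSWER, random.Random()):
        print(f"  {rec.target}:{rec.port}  priority={rec.priority} weight={rec.weight}")
```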
Also make sure the NetBIOS computer name is OK
C:\> net view \\<computer name>
Finally check the NetBIOS Domain name works
C:\> usrmgr <domain name>
The NetBIOS domain name is used for backwards compatibility. Use a 4.0 version of usrmgr.
Q. How can I configure multiple Logon Servers with LMHOSTS?
A. Service Pack 4 adds support for multiple domain controllers for a single domain to be configured in the LMHOSTS file (located in %systemroot%\system32\drivers\etc). Normally when a computer starts, the WINS server is queried for any [1C] entries, domain controllers, and it will return a list. This list is not geographically aware and you could be given a domain controller on the other side of the world.
An alternative is to specify a list of domain controllers in the LMHOSTS file (which is now checked before WINS if #PRE is in the entry) and have different LMHOSTS files in different regions.
Example entries in the file would be
200.200.200.50 titanic #PRE #DOM:SAVILLTECH
200.200.200.80 cuttysark #PRE #DOM:SAVILLTECH
You will need to ensure the computer is configured to use the LMHOSTS file.
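As an added example (not from the FAQ), the following Python parses LMHOSTS entries of the form shown above and in the earlier question on forcing a client to a specific domain controller, collects the #PRE #DOM domain controllers for a domain, and builds the space-padded 16-character NetBIOS name (e.g. SAVILLTECH <1C>) that nbtstat -c displays; the sample file contents are constructed.

```python
"""Parse LMHOSTS domain-controller entries and build the NetBIOS group name
a workstation looks up to find a domain controller.

Added example, not part of the original FAQ. The LMHOSTS lines below are
constructed from the entries shown in the FAQ; a real file lives in
%systemroot%\\system32\\drivers\\etc\\lmhosts.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample file (not copied from any real machine).
SAMPLE_LMHOSTS = """\
# LMHOSTS sample (constructed)
200.200.200.50 titanic   #PRE #DOM:SAVILLTECH  #savilltech domain controller
200.200.200.80 cuttysark #PRE #DOM:SAVILLTECH
200.200.200.90 odin      #PRE
10.1.1.1       fileserv              # plain host, not preloaded
"""

# The 16th byte of a NetBIOS name identifies the service type.
DC_GROUP_SUFFIX = 0x1C   # <1C>: all domain controllers of the domain
PDC_SUFFIX = 0x1B        # <1B>: the PDC (domain master browser)
NETBIOS_NAME_LEN = 15    # name part; the 16th character is the suffix


@dataclass
class LmhostsEntry:
    ip: str
    host: str
    preload: bool          # "#PRE": load into the name cache at startup
    domain: Optional[str]  # "#DOM:<domain>": host is a DC for that domain


def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    """Return the entries of an LMHOSTS file, ignoring comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) < 2:
            raise ValueError(f"line {lineno}: expected '<ip> <host>'")
        ip, host = tokens[0], tokens[1]
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if len(host) > NETBIOS_NAME_LEN:
            raise ValueError(f"line {lineno}: host {host!r} exceeds 15 chars")
        preload, domain = False, None
        # #PRE and #DOM: are keywords hidden in the comment part; any other
        # '#' token starts an ordinary comment that runs to end of line.
        for tok in tokens[2:]:
            up = tok.upper()
            if up == "#PRE":
                preload = True
            elif up.startswith("#DOM:") and len(tok) > 5:
                domain = tok[5:].upper()
            elif tok.startswith("#"):
                break
        entries.append(LmhostsEntry(ip, host, preload, domain))
    return entries


def domain_controllers(entries: List[LmhostsEntry], domain: str) -> List[str]:
    """IPs that LMHOSTS marks as domain controllers (#DOM) for `domain`.

    With several #PRE #DOM entries an SP4 client can pick among these before
    asking WINS, which is how region-specific LMHOSTS files steer logons.
    """
    want = domain.upper()
    return [e.ip for e in entries if e.domain == want]


def netbios_name(name: str, suffix: int) -> str:
    """Build the 16-character NetBIOS name: 15 chars space-padded + suffix."""
    if len(name) > NETBIOS_NAME_LEN:
        raise ValueError("NetBIOS names are at most 15 characters")
    return name.upper().ljust(NETBIOS_NAME_LEN) + chr(suffix)


def display_name(nb: str) -> str:
    """Render a NetBIOS name the way nbtstat does, e.g. 'SAVILLTECH     <1C>'."""
    return f"{nb[:NETBIOS_NAME_LEN]}<{ord(nb[NETBIOS_NAME_LEN]):02X}>"


if __name__ == "__main__":
    parsed = parse_lmhosts(SAMPLE_LMHOSTS)
    print(display_name(netbios_name("savilltech", DC_GROUP_SUFFIX)))
    print(domain_controllers(parsed, "savilltech"))
```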
Q. Are trust relationships kept when upgrading from a 4.0 domain to a Windows 2000 domain?
A. When a 4.0 PDC is upgraded to Windows 2000 all trust relationships are maintained.
Q. How are trust relationships administered in Windows 2000?
A. Instead of using User Manager as in NT 4.0, a new MMC snap-in, Active Directory Tree Manager is used. Although the host application is different the usage is exactly the same.
To view/add/remove perform the following:
[Image: win2000trust.gif - Example of one domain that trusts ours]
Obviously you should try and use the tree and forest concept rather than manual trust relationships with pure Windows 2000 domains. This is discussed in the Active Directory section (which will be added shortly).
Q. I can't promote a BDC to PDC.
A. If you receive an 'Access Denied' message when attempting to promote a BDC to the PDC it may be due to the fact the PDC has Service Pack 4 installed.
This is because Service Pack 4 upgraded the security mechanism used so you will either have to perform the promotion from a Service Pack 4 domain controller or upgrade the BDC in question to SP4.
Another reason for this error is trying to get a renamed and upgraded (3.51 to NT4) server to sync with the domain. The accounts database may have become out of date and thus couldn't be synchronised. NETLOGON may not even be startable.
The way round is to do a "connect as" from the PDC to the rogue BDC using an admin ID known to be good by the BDC before it was upgraded. Once the "connect as" (say to Cc) was accepted, the BDC would then accept the synchronise request from the PDC's Server Manager, restarting NETLOGON in the process.
Q. Unable to join a domain because of SMB signing, what can I do?
A. If the following error message is displayed when you attempt to add a computer running Windows NT to the domain:
"Unable to connect to the domain controller for this domain. Either the username or password entered is incorrect."
The error message is displayed even though networking is enabled and the correct administrator name and password credentials were supplied. The problem is that the PDC has SMB signing set to required and the client cannot communicate as it does not have SMB signing enabled.
Two options are possible. The first is to disable RequireSecuritySignature SMB signing on the domain controller as described in Q. How do I enable SMB signing?; the second is to install the machine into a workgroup, enable SMB signing, then join the domain. Of course this second option would not work with BDC's.
Q. How can I create a child domain?
A. Windows 2000 allows the creation of a domain as a child of another domain. When two or more domains are joined in a parent-child relationship a domain tree is formed.
A child domain is created by running DCPROMO.EXE, and the parent domain must be accessible to create it.
Instead of performing screenshots I've produced an animated GIF of the entire child domain creation (I was bored ;-) ). Click Refresh to make it start from the beginning, a gap of 2 seconds is shown between each screen.
[Image: childdcpromo.gif]
Q. How can I create a domain trust through a firewall?
A. When creating trust relationships, communications between the two domains are carried out over a number of protocols, each using a different TCP/IP port. Below is a list of ports which need to be enabled on the firewall for a trust relationship:
You may use LMHOSTS for name resolution (which would have #pre #dom entries for the domain controllers) or WINS can be used which requires:
Alternatively, a trust can be established through point-to-point tunneling protocol (PPTP). For PPTP, the following ports must be enabled:
If you only wish to perform management through a firewall and/or RRAS you can allow only TCP any-139, TCP 139-any and UDP 138-138 through the firewall. Also allow UDP 137-137 to the WINS Servers. This allows all the remote management tools to run from the management NT Workstations.
Also see the following knowledge base articles:
Q. How can I check the browse masters for a domain?
A. The resource kit has a utility BROWSTAT.EXE which allows status of the browse service to be ascertained. To check browse masters for a domain use the following command:
C:\> browstat status <domain>
To check statistics for a single server use the command
C:\> browstat stats \\<server>
Q. How can I stop a remote master browser?
A. The resource kit utility BROWSTAT can be used to remotely stop a browse master with the following command:
C:\> BROWSTAT TICKLE <transport> <domain> | \\<server name>
Where <transport> is the Windows NT transport device name, <domain> is the domain in which the master browser is located, and <server name> is the computer name of the master browser.
To check which transport use the command:
C:\> net config rdr
Workstation active on NetbiosSmb
(000000000000) NetBT_Tcpip_{C2F....
The transport device is indicated by '<network service>_<NIC type>', where <network service> is the session-layer network service, and <NIC type> is the type of network interface card on your computer. The session-layer network services are NetBT for NetBIOS over TCP/IP, NwlnkNb for IPX, or Nbf for NetBEUI, e.g. NetBT_Tcpip.
C:\> browstat tickle NetBT_Tcpip_{C2F8C130-F2AF-11D2-B748-DAEDF5F58140} \\titanic
Q. How can I force a browser election?
A. The resource kit utility BROWSTAT can be used to force a browser election:
C:\> BROWSTAT ELECT <transport> <domain> | \\<server name>
Where <transport> is the Windows NT transport device name, <domain> is the domain in which the master browser is located, and <server name> is the computer name of the master browser.
To check which transport use the command:
C:\> net config rdr
Workstation active on NetbiosSmb
(000000000000) NetBT_Tcpip_{C2F....
The transport device is indicated by '<network service>_<NIC type>', where <network service> is the session-layer network service, and <NIC type> is the type of network interface card on your computer. The session-layer network services are NetBT for NetBIOS over TCP/IP, NwlnkNb for IPX, or Nbf for NetBEUI, e.g. NetBT_Tcpip.
C:\> browstat elect NetBT_Tcpip_{C2F8C130-F2AF-11D2-B748-DAEDF5F58140} savilltech
Q. How can I modify the domain refresh interval?
A. Windows refreshes the domain list whenever the machine is locked for more than two minutes (120 seconds). This can lead to a delay while it does this until the user gets control of the system again.
You can modify the amount of time it waits until refreshing by performing the following:
Q. How is the list of cached domains stored?
A. When you logon a list of known (trusted) domains are displayed that you may logon to.
You can view these entries by performing the following:
There is no point editing this list as it will be recreated the next time the machine is started/locked.
A. You will no doubt be familiar with the concept of group policies in NT 4.0: by utilizing the Group Policy Editor you can configure various restrictions, save them as the file NTCONFIG.POL in the netlogon share, and the settings will be applied to all users of the domain. Effectively, all the policies Windows NT 4.0 allowed were registry updates.
These policy settings could be configured for users, computers or groups of users.
Windows 2000 takes this to the next level and promises the following ideal
"The ability for the Administrator to state a wish about the state of their Users environment once, and then rely on the system to enforce that wish"
In Windows 2000 the Group Policy model has been completely updated and now utilizes the Active Directory and offers much more than just registry restrictions, for example
Group Policy Objects (GPO's) are the unit of policy and can be applied to a site, domain or organizational unit (OU). In fact it will often be the case that a user/computer has multiple GPO's applicable to them, and in the event of a clash of a setting the order of precedence is Site, Domain then OU (SDOU): any setting defined at a site level can be overwritten by a domain setting, and anything defined on a domain can be overwritten by an OU setting. There is a fourth type, the Local computer policy, which has bottom priority and whose settings will be overwritten by any of the others, which gives us an order of LSDOU.
The three mechanisms to apply Group Policies for sites, domains and OU’s are as follows:
By default when you select Group Policy for a container there will be no GPO and you have the option of either adding an existing GPO to the container or creating a new one. To create a new GPO just click the New button and enter a name for the GPO. Once created, clicking the Edit button can modify the specified policy. A new instance of the Microsoft Management Console will be started with the Group Policy Editor loaded with the selected GPO at the root.
Windows NT 4.0 policies already in place are NOT upgraded to 2000 and you will need to redefine all your policies as GPO's. In a mixed environment of both 4.0 and 2000 clients you will need to keep a NTCONFIG.POL in the NETLOGON share of the domain controllers (even the 2000 DC's as they may authenticate 4.0 client logons in a mixed environment) to ensure 4.0 clients still receive their policy settings. Windows 2000 clients will ignore NTCONFIG.POL unless you make a policy change to instruct them to implement the NTCONFIG.POL contents. If you do then the order of reading is
As has been said, GPO information is stored in the Active Directory but the policy itself is stored on the SYSVOL container on each domain controller as sysvol\Policies\<GUID of GPO> (GUID is Globally Unique IDentifier).
To avoid any conflicts with GPO modifications only the PDC role holder can make changes to the GPO.
Another change is that old 4.0 policies are 'tattooed' in the registry, meaning that even after a policy has been removed, its settings stay in the registry until changed by something else. An advantage of the Windows 2000 Group Policies is that this does not occur. The reason for this is that in Windows 2000, registry settings written to the following two secure registry locations are cleaned up when a Group Policy Object no longer applies:
Finally, unlike the 4.0 Group Policies, the policy actually gets refreshed at certain times. Well, not ALL of the policy: software deployment and folder redirection are not updated as, for example, you would be unhappy if the GPO was modified to remove Word while you were using it and it suddenly uninstalled! All 2000 machines refresh the policy every 90 minutes except domain controllers, which refresh every 5 minutes. These times and the parts to refresh can be modified within the GPO.
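As an added example (not from the FAQ), this Python models the LSDOU merge described above and the "no tattooing" refresh behaviour: settings from a GPO that no longer applies are removed on the next refresh, whereas the NT 4.0 model only ever writes. GPO names, setting names and the registry dictionary are constructed for illustration.

```python
"""Effective Group Policy under LSDOU precedence, and policy refresh with
and without registry 'tattooing'.

Added example, not part of the original FAQ. GPO names, setting names and
the registry model are constructed; they are not real policy paths.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# LSDOU: GPOs are applied in this order, so a later level overrides an
# earlier one (local < site < domain < OU).
LEVEL_ORDER = ("local", "site", "domain", "ou")


@dataclass
class GPO:
    name: str
    level: str                                   # one of LEVEL_ORDER
    settings: Dict[str, int] = field(default_factory=dict)


def effective_policy(gpos: List[GPO]) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Merge GPOs in LSDOU order.

    Returns (setting -> effective value, setting -> name of the winning GPO).
    """
    for g in gpos:
        if g.level not in LEVEL_ORDER:
            raise ValueError(f"{g.name}: unknown level {g.level!r}")
    result: Dict[str, int] = {}
    winner: Dict[str, str] = {}
    # sorted() is stable, so several GPOs linked at one level keep link order.
    for g in sorted(gpos, key=lambda g: LEVEL_ORDER.index(g.level)):
        for key, value in g.settings.items():
            result[key] = value      # later level wins
            winner[key] = g.name
    return result, winner


def refresh_2000(registry: Dict[str, int], previous: Dict[str, int],
                 current: Dict[str, int]) -> Dict[str, int]:
    """Windows 2000 refresh of the managed policy keys: values that came from
    a GPO which no longer applies are removed, then current values written."""
    for key in previous:
        if key not in current:
            registry.pop(key, None)
    registry.update(current)
    return registry


def refresh_nt4(registry: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """NT 4.0 behaviour for comparison: policy only writes, never cleans up,
    so a removed setting stays 'tattooed' until something else changes it."""
    registry.update(current)
    return registry


# Constructed sample GPOs (illustrative names only).
LOCAL_GPO = GPO("Local", "local", {"DisableCMD": 1})
SITE_GPO = GPO("Site-Default", "site", {"DisableCMD": 1, "ScreenSaveTimeOut": 900})
DOMAIN_GPO = GPO("Domain-Default", "domain", {"DisableCMD": 0})
OU_GPO = GPO("Law-OU", "ou", {"NoRun": 1})


def demo() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Apply all four GPOs, then unlink the OU GPO; return the registry as a
    Windows 2000 client and as an NT 4.0 client would leave it."""
    before, _ = effective_policy([OU_GPO, LOCAL_GPO, SITE_GPO, DOMAIN_GPO])
    after, _ = effective_policy([LOCAL_GPO, SITE_GPO, DOMAIN_GPO])
    reg2000 = refresh_2000({}, {}, before)
    reg2000 = refresh_2000(reg2000, before, after)
    regnt4 = refresh_nt4({}, before)
    regnt4 = refresh_nt4(regnt4, after)
    return reg2000, regnt4


if __name__ == "__main__":
    print(effective_policy([OU_GPO, LOCAL_GPO, SITE_GPO, DOMAIN_GPO]))
    print(demo())
```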
Q. How can I force GPO updates to take effect?
A. Policies are refreshed every 90 minutes (5 on DC's). To force a machine to update the policy use the SECEDIT command.
To update the computer policy type
C:\> secedit /refreshpolicy machine_policy
To update the user policy type
C:\> secedit /refreshpolicy user_policy
Adding /enforce to any of the above forces a reapply of the security policy even if there is no GPO change.
Q. How can I enable the old NTCONFIG.POL to be used by Windows 2000 clients?
A. By default Windows 2000 based clients don't use NTCONFIG.POL but instead use Group Policy Objects (GPO) as defined in the Active Directory. NT 4.0 clients still use NTCONFIG.POL even in a 2000 domain.
It is possible to enable the 2000 clients to use NTCONFIG.POL however you should have a good reason as GPOs are superior to the old system policies. One reason to use NTCONFIG.POL in a 2000 domain may be that you have just created some 2000 clients in a newly upgraded 2000 domain but have not yet recreated your policies as GPOs.
To enable system policies (NTCONFIG.POL) perform the following
[Image: enablentconfigpol.gif]
The updated GPO will take effect on the client the next time you logon (it will actually take effect max 90 minutes after you make the change but this only affects logon).
This update actually changes registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableNT4Policy to 0.
Q. How can I add additional templates to a Group Policy Object?
A. The old style NT 4.0 templates (.adm) are still supported in Windows 2000 Group Policy Objects (GPO) and are listed in the Group Policy under the 'Administrative Templates' branch. These settings are all "registry" based settings.
Windows 2000 ships with two .adm files
When a adm file is applied to a GPO it is copied from the %systemroot%\inf folder to the %systemroot%\SYSVOL\domain\Policies\<GUID of GPO>\Adm folder.
To add/remove a new template to a GPO perform the following:
The ADM file will be copied to the GPO's Adm folder.
Q. How can I apply a group policy to a security group?
A. It's not possible to apply a group policy to a security group; however what you can do is filter a group policy by changing the permissions on the Group Policy so that only certain users/groups have Read and Apply privileges.
Now only the selected users will run the GPO.
A. Modern day PC users are used to having a system with large amounts of memory, disk and CPU power to run their applications. This is very different from UNIX and VMS environments where servers have all the memory, disks and CPU and users have "dumb" terminals which just send keystrokes to the server, which in turn sends back screen updates.
There are a number of advantages with the UNIX/VMS approach. Most desktop computers are idle for most of the time, with the CPU normally only 10% busy and a significant amount of memory spare; this is a waste of resources. A central server approach distributes resources to sessions as needed, minimizing waste and ensuring resources are available when needed.
Installing applications and maintaining them on each desktop is very time consuming. A central server based install simplifies this significantly and lowers the Total Cost of Ownership (TCO).
Windows NT Terminal Server and Windows 2000 address this with client software for Windows 9x/NT and Windows for Workgroups machines. The client creates a window in which all processing and execution is carried out on the server; the only task the local machine performs is to pass back keyboard and mouse actions. The Terminal Server does all the computation and storage and sends screen updates to the client.
Here you can see an example Terminal Server session in its own window, with its own Start menu and taskbar. All applications in this window are being run on the terminal server. The information shown in Explorer is the server's drives, not the local machine's.
Obviously Windows NT/95 are operating systems in their own right and it may seem pointless running the terminal server client on these machines; however it could be used for application management: install Office 97 on the Terminal Server and all clients use Office via the Terminal Server connection. Imagine running Office 97 on a Windows for Workgroups machine!
Communication is via RDP (Remote Desktop Protocol) which was designed by Microsoft.
Windows Terminal Server is based on Citrix's WinFrame product and Citrix provide a bolt-on, MetaFrame, which adds functionality to Terminal Server including support for DOS, OS/2, Unix, Java and much more. http://www.citrix.com/
Q. How do I install Windows NT 4.0 Terminal Server Edition?
A. The installation of Windows NT Terminal Server Edition is the same as a normal Windows NT Server installation, except that during installation you will additionally be asked:
Once installation is complete if IE 4.0 was selected it will be installed and configured and an additional reboot performed.
Because of the way applications must be installed on Terminal Server (for use with clients), an upgrade of an existing Windows NT 4.0 server is not supported or advised.
It is also not advised to run BackOffice applications on a Terminal Server due to the large amount of resources Terminal Server uses for its clients; as such Terminal Server is not part of the BackOffice suite of applications.
You will also notice that Terminal Server is supplied with Service Pack 3 installed. Do NOT install a normal version of a service pack on Terminal Server; special service packs will be made available for Terminal Server installations.
Once installation is complete you will notice 4 new tools under the Administrative Tools branch of the Programs Start menu
These will be looked at in detail later in the Terminal Server section. You will also notice User Manager is modified to include a new 'Config' button for each user which allows Terminal Server settings to be configured.
Q. How do I enable Terminal Server under Windows 2000?
A. Windows 2000 has Terminal Server components built into the operating system and they can be installed at installation time or at a later time. To install the components perform the following:
Once reboot is complete 4 new programs will be under the Administrative Tools branch of the Start menu
Q. How do I install Windows NT/9x based Terminal Server clients?
A. Terminal Server has built in support for the following clients
The first 4 all share a common piece of software and terminal server (both NT 4.0 and Windows 2000) ships with a utility to create it on a single floppy disk:
All the above does is copy the contents of %systemroot%\system32\clients\tsclient\win32\disks\disk1 to disk, so you could directly copy or share this directory. There is also a net subdirectory of tsclient which also contains the clients, with each client in its own subdirectory without the disk1 etc. folders, so you could share out this folder to allow access to all client installations. Sharing the net folder is the preferred method.
To install the client perform the following:
A new folder "Terminal Server Client" has been added with 2 utilities and an uninstall option.
Q. How do I install Windows for Workgroups based Terminal Server clients?
A. Terminal Server has built in support for Windows for Workgroups but they must have TCP/IP 32b installed (this can be downloaded from Microsoft at http://support.microsoft.com/support/kb/articles/q111/6/82.asp). I found this out the hard way! TCP/IP can be installed using the Network setup icon in WFW. You may want to run MEMMAKER after installation of TCP/IP to "tidy" your memory, I had to, just choose Express.
To create floppy disks for Windows for Workgroups TS client installation perform the following:
All the above does is copy the contents of %systemroot%\system32\clients\tsclient\win32\disks\disk1 to disk, so you could directly copy or share this directory. There is also a net subdirectory of tsclient which also contains the clients, with each client in its own subdirectory without the disk1 etc. folders, so you could share out this folder to allow access to all client installations. Sharing the net folder is the preferred method.
To install the client perform the following:
A new program group "Terminal Server Client" has been added with 2 utilities and an uninstall option.
Windows 2000 3D Pinball on Windows for Workgroups 3.11, impressive :-)
Q. How do I connect to a Terminal Server from WFW/9x/NT/2000?
A. The first action is to install the client which is explained in 'Q. How do I install Windows NT/9x based clients?'.
Once the client is installed there are two methods to connect to a terminal server. The first is a very manual method and while simple may not be ideal for many normal users.
You should be aware that pressing Ctrl-Alt-Del will bring up the local security menu and not the remote one. To bring up the remote security menu select "Windows NT Security" from the Start menu. You will notice you don't have a Shutdown button (unless you are an Administrator) as this would shut down the terminal server machine.
An alternative is to set up a shortcut to connections, and this is accomplished using the "Client Connection Manager".
You may create a shortcut to this on the desktop by right clicking on it and selecting 'Create shortcut on desktop'.
This shortcut actually calls the normal Terminal Server Client with a parameter of the configuration name, e.g.
"C:\Program Files\Terminal Server Client\MSTSC.EXE" "TS 1 Connect"
This may be useful for you to build into batch menus etc. The actual connection details are stored in the registry under the 'HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client' key. You could therefore dump out this registry key and import into other machines automating the shortcut installations. The only item not read in is the password if autologon was selected.
To dump out to file just select the registry key in REGEDIT.EXE, e.g. "TS 1 Connect", and select "Export Registry File" from the File menu. Enter a file name and click OK. You can then copy this .reg file to any machine and execute using
C:\> regedit /s <file>.reg
Q. How do I close a Terminal Server connection?
A. If you click Start from a Terminal Server session you will see two options if connected to a Windows NT 4.0 box
There is a major difference between the two.
If you select Logoff your session is logged off and your connection to the terminal server is closed and the connection slot you were using may be used by someone else.
If you select Disconnect you are not logged off; rather the session window is closed, but if you reconnect and log on as the same person it will remember all applications and their state. This may seem ideal, but remember a Terminal Server has a finite number of allowed connections and a disconnected session continues to use a connection, stopping someone else from connecting.
A disconnected session remains active until one of the following:
If you connect to a Windows 2000 box you will see Disconnect and Shutdown, selecting Shutdown gives the option of logging off.
Q. How do I install applications for use with Terminal Server?
A. Installing applications on a terminal server has to be done in a special way to ensure it is usable by all users of the terminal server.
There are two modes in terminal server, Execute and Install. By default all users are logged on in Execute mode and this means they can run programs etc. When you want to install an Application for use by everyone the Administrator should change to Install mode.
The best way to install software is to use the Add/Remove programs control panel applet as this will automatically set the mode to Install during the installation and then back to Execute at the end. Alternatively you can manually change your mode to install by typing
C:\> change user /install
To change back to execute use
C:\> change user /execute
And to check your current mode use
C:\> change user /query
In this example we will use Add/Remove to install Winzip on a terminal server.
All terminal server users will now have Winzip. An alternative would be to manually set the mode to install, install the software and set back to execute.
Q. I can't install Office 97 SR2 on Terminal Server.
A. If when you try and install Office 97 SR2 on a terminal server via the Add/Remove Programs control panel applet you get the error:
"Setup cannot register MSJET35.dll in the system registry because an older version is in use. Close all applications and try again"
this is because the Terminal Server Licensing service is using the file. To work around this, stop the licensing service
C:\> net stop "terminal server licensing"
Click Retry on the error dialog and install will continue.
Once installation is complete restart the service
C:\> net start "terminal server licensing"
Office 97 has now been installed for use by all your terminal server clients.
Q. How do I install Citrix Metaframe?
A. Citrix Metaframe is an add-on to Windows NT Terminal Server and although there is currently no version for Windows 2000 it is under development. To install perform the following:
Once the machine has rebooted upon logon a new toolbar is added to your desktop which allows control of the MetaFrame environment.
Q. How do I create Citrix Metaframe client media?
A. MetaFrame ships with a utility, ICA Client Creator, which is in the MetaFrame Tools program group. It can also be started by clicking the client creator button on the MetaFrame toolbar.
Once started the utility will check for the CD-ROM and give options to create a variety of clients:
Select the client to install, the disk drive and whether to format the disks.
Alternatively, all the clients are copied to the %systemroot%\system32\clients\ica directory (e.g. DOS is wfcdos), so share the directory and allow clients to map the directory and install from it.
Q. How do I install the ICA DOS client?
A. You will first need to create the DOS ICA client installation disk as explained in 'Q. How do I create Citrix Metaframe client media?'.
The DOS machine will also need the ability to connect to the network as explained in 'Q. How can a DOS machine connect to an NT domain?'.
To install the client perform the following:
To run the client simply change to the wfclient directory (or add it to the machine's path variable) and run WFCLIENT.EXE.
When you run for the first time you will need to create a new entry, click Yes to create a new entry.
Enter connection details such as connection medium (Microsoft TCP/IP), server name/address.
You should then select the Entry and select Connect.
Q. How do I install Backup Exec 7.X on TSE?
A. Be sure to disable Terminal Server Licensing before you start the installation.
Q. Can I use normal Service Packs on Windows NT Terminal Server Edition?
A. No, Terminal Server has modifications to its components, meaning normal Service Packs cannot be applied. Terminal Server Edition has Service Pack 3 built in, and Service Pack 4 for Terminal Server was released April 1999.
In Windows 2000 this will not be the case as Terminal Server is just a component of the normal product.
Q. Can I use normal Hot fixes on Windows NT Terminal Server Edition?
A. It depends. Some components of Windows NT Terminal Server Edition are specially modified and some are not. You will need to check if the file you are replacing is specially modified for Terminal Server Edition:
Enter the command:
C:\> filever /v <filename>
-r--- W32i DRV ENU 4.0.1381.32772 shp 25,840 06-08-1998 atapi.sys
FileDescription ATAPI IDE Miniport Driver
OriginalFilename atapi.sys
ProductName Microsoft(R) Windows NT(TM) Operating System
ProductVersion 4.00
VS_FIXEDFILEINFO:
Signature: feef04bd
FileVer: 00040000:05658004 (4.0:1381.32772)
ProdVer: 00040000:05658004 (4.0:1381.32772)
We are interested in the FileVer property. If the final number is greater than 32767 then the file was built for Terminal Server, you should therefore only apply a hotfix that is specially released for Terminal Server.
The actual bit we are interested in is the 0x8000 bit of that final number. If it is set then the file is modified for Terminal Server. Below is a file that is not specially modified for Terminal Server:
Signature: feef04bd
FileVer: 00040000:05650004 (4.0:1381.4)
ProdVer: 00040000:05650004 (4.0:1381.4)
Special Terminal Server fixes can be found under ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/
In Windows 2000 this will not be the case as Terminal Server is just a component of the normal product.
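To turn the check above into something you can run over captured filever output, here is an added Python example (not from the FAQ and not part of filever itself) that decodes the hex FileVer field into its four numbers and tests the 0x8000 bit; the two sample blocks are the ones quoted in this entry, re-typed as constructed input.

```python
"""Decode the FileVer/ProdVer fields shown by 'filever /v' and test the
Terminal Server Edition flag (the 0x8000 bit of the last field).
Added example for this FAQ entry; not part of the FAQ or of filever."""
import re

TSE_FLAG = 0x8000  # set in the last version field of TSE-modified binaries


def parse_hex_filever(field):
    """Parse the 'MS:LS' hex form, e.g. '00040000:05658004', into
    (major, minor, build, private). Each 32-bit half holds two 16-bit numbers."""
    m = re.fullmatch(r"([0-9a-fA-F]{8}):([0-9a-fA-F]{8})", field.strip())
    if not m:
        raise ValueError(f"not a FileVer hex field: {field!r}")
    ms, ls = int(m.group(1), 16), int(m.group(2), 16)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def parse_dotted_version(text):
    """Parse the dotted form '4.0.1381.32772' into the same 4-tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def is_tse_build(version):
    """True when the last field carries the Terminal Server flag
    (equivalently, the last number is greater than 32767)."""
    return bool(version[3] & TSE_FLAG)


def base_private_number(version):
    """The last field with the TSE flag cleared, e.g. 32772 -> 4, which is
    the number the matching standard NT 4.0 file would show."""
    return version[3] & ~TSE_FLAG


def classify_filever_output(output):
    """Find the FileVer line in captured 'filever /v' text and report
    (version tuple, is_tse)."""
    m = re.search(r"FileVer:\s*([0-9a-fA-F]{8}:[0-9a-fA-F]{8})", output)
    if not m:
        raise ValueError("no FileVer line found in filever output")
    version = parse_hex_filever(m.group(1))
    return version, is_tse_build(version)


# Constructed samples: the two VS_FIXEDFILEINFO blocks quoted in the FAQ entry.
TSE_SAMPLE = """VS_FIXEDFILEINFO:
Signature: feef04bd
FileVer: 00040000:05658004 (4.0:1381.32772)
ProdVer: 00040000:05658004 (4.0:1381.32772)
"""
PLAIN_SAMPLE = """Signature: feef04bd
FileVer: 00040000:05650004 (4.0:1381.4)
ProdVer: 00040000:05650004 (4.0:1381.4)
"""

if __name__ == "__main__":
    for name, sample in (("atapi.sys (TSE)", TSE_SAMPLE), ("standard NT 4.0", PLAIN_SAMPLE)):
        ver, tse = classify_filever_output(sample)
        verdict = "Terminal Server build: apply TSE hotfixes only" if tse else "standard build"
        print(f"{name}: {'.'.join(map(str, ver))} -> {verdict}")
```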
Q. I've reached 40 - 45 users and additional users can't log onto Terminal Server?
A. If you have more than 40 users you should increase the number of PTEs (page table entries) on the system.
Microsoft says that you should increase this if you'll have more than 45 connections, but I've seen that this can be a problem with fewer users as well. The TSE Memory Manager allocates 10,000 PTEs by default. TSE uses PTEs to map the location of physical memory pages, and each user who logs on to TSE requires a minimum of 200 PTEs.
If the PTE pool is exhausted, additional users will not be able to log on. The maximum allowed number of PTEs is 50,000.
To change the number of PTEs on the system see 'Q. How do I increase the number of Page Table Entries on my system?'
Q. How do I configure a CE based Terminal Server client?
A. One option for Terminal Server clients is to use a "thin" client which has no disks but an embedded operating system and one such device is a Windows CE based client. The advantage is the machine has zero maintenance apart from the initial configuration. The instructions below are for the Viewpoint series from http://www.boundless.com/ (many thanks for letting me have one to use).
When you first turn on the machine it will ask for certain details:
You will have no start bar, just a dialog asking for a connection to be made. You should configure sessions as you would a normal Terminal Server client by selecting the Configure tab.
Q. I am having troubles getting the ICA DOS client to work.
A. The ICA DOS client uses a LOT of memory, and to get it working I had to remove nearly every other process from memory. Thankfully Citrix have now released a new 32-bit DOS client which can access more of your machine's memory, eliminating the memory problems.
It can be downloaded from http://download.citrix.com/ and its usage is exactly the same as the old 16-bit DOS client.
Q. Where can I download updates for MetaFrame?
A. These can be downloaded from http://www.citrix.com/support/ftpserve.htm.
Q. What Service Packs are available for Windows NT Terminal Server Edition?
A. Windows NT Terminal Server Edition is supplied with Service Pack 3 built in. The following Service Packs are available for Windows NT 4.0 Terminal Server Edition.
Service Pack 4 - http://www.microsoft.com/ntserver/terminalserver/downloads/recommended/tsesp4/ordercd.asp
Special hotfixes (when available) can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP3
Q. How do I send a message to a Terminal Server client?
A. Terminal Server supports two methods of communicating with a Terminal Server client process.
The first is via the GUI:
To send from the command line use the MSG command:
msg <user> [/time:<seconds>] [/w] [/server:<server name>] <message>
For example:
C:\> msg savillj /w Get off that computer John!
The /w switch will force the administrator's session to pause until the user has clicked OK on the message.
Q. How do I locate machines that are running Terminal Server?
A. Starting the Terminal Services Manager MMC snap-in (Start - Programs - Administrative Tools - Terminal Services Manager) will list machines running the Terminal Server services by expanding the domain. It can also be done with the following command:
qappsrv [/address] [/domain:<domain name>] [/continue]
For example
C:\> qappsrv /address
Known Terminal servers  Network  Node Address
----------------------  -------  ------------
DEMO                             [A024E34948]*
The /domain switch is optional unless you wish to query a domain other than the one the machine is a member of, and /continue does not pause after each screen of information.
Q. How can I check if a user is logged on via Terminal Server?
A. Starting the Terminal Services Manager MMC snap-in (Start - Programs - Administrative Tools - Terminal Services Manager) will list user processes by machine but this may be cumbersome if a large number of terminal servers are running. It can also be done with the following command:
query user [<user name>] [/server:<server name>]
For example
C:\> query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             0  Active          .  09/05/99 18:19
 savillj               rdp-tcp#1           1  Active         10  09/05/99 14:23
The above lists all users.
You can also check what the user is running with the QPROCESS command:
C:\> qprocess <user name>
To check who is running a certain program (e.g. winword.exe)
C:\> qprocess <process>
will list all users running the passed program.
Q. Mouse movement is jerky in Terminal Server sessions.
A. By default the terminal server client sends updates to the terminal server every 100 milliseconds however you can change this as follows:
Q. Does MetaFrame run on Windows 2000?
A. The normal MetaFrame 1.8 does not, however a 1.8a will and a beta can currently be purchased from the Citrix web site, http://www.citrix.com/.
Installation is basically the same as 1.8.
Q. How can I switch a session between window and full screen?
A. Normally terminal server client sessions are in a window however you can switch to full screen mode so you can't tell you are in a session. To toggle between window and full screen mode press Ctrl+Alt+Break.
You can always tell a terminal server session as the Start menu text says Windows 2000 Terminal instead of Windows 2000 Professional or Server.
Q. How can I remote control another terminal server session in Windows 2000?
A. Users and Administrators may be familiar with software that allows an Administrator to take control of a user's desktop in order to, for example, install software or fix a problem. The Citrix MetaFrame add-on for 4.0 TSE enabled Administrators to take control of, or view, users' sessions without the need for third party software.
The new Windows 2000 terminal server component allows session shadowing without the MetaFrame add-on, but it is now called 'remote control'.
A condition is that the controlling console must have a resolution equal to or greater than that of the session that will be shadowed.
By default Administrators have the ability to shadow other users' sessions providing the user agrees to have their session controlled/viewed. The ability to remote control a user's session is defined on the user object on the ‘Remote Control’ tab, and the default is to enable remote control providing the user gives permission.
It's possible to override these user settings by editing the configuration of the RDP connection using the ‘Terminal Services Configuration’ MMC snap-in (yes, as with everything else in Windows 2000, all of the Terminal Server tools are MMC snap-ins, but more on them later).
Under the Connections branch, right click on the ‘RDP-Tcp’ connection and select Properties. Select the ‘Remote Control’ tab; by default it will say to use the user's settings, but selecting one of the other options allows you to set remote control however you wish.
In order to remote control a session you must be logged on as a terminal server session, you can’t remote control from the console (MetaFrame allows you to do this).
Once you have logged in as an Administrator to remote control a session just:
Q. What user environment extensions does the Windows 2000 terminal server component add?
A. A new built-in group has been added in 2000 called ‘Terminal Services Users’ which works in a similar way to the ‘Interactive Users’ group: when a user logs on via Terminal Services they are a member of this group.
The Terminal Services Users group SID can then be applied to files, folders, or anything with an ACL to allow access only to people logged on via Terminal Services. You could also test for this group membership in a login script etc. to perform different actions.
On top of the ‘Remote Control’ tab for users, three extra tabs are added. As shown in figure 3, ‘Terminal Services Profile’ allows an alternative profile and local path to be specified when connecting via terminal server.
The ‘Environment’ tab allows you to specify a program to automatically run when you login via Terminal Services and options to connect to client drives and printers.
Finally the ‘Sessions’ tab allows times to be set before active and idle sessions are disconnected, and how long after a session is disconnected before it is totally closed.
Q. How do I install Active Desktop on Terminal Server?
A. Active Desktop is not supported on Windows Terminal Server through SP4.
Q. How do I enable client computers to logon to a Terminal Server?
A. To log on successfully to Windows 2000 Terminal Server, follow these steps:
Q. How do I connect two Workstations using RAS?
A. NT Workstation supports one inbound RAS connection so one NT station will be the RAS server, and one will be the client. The procedure below is what I did to connect two machines.
Server
If RAS is already installed
If RAS is not already installed, go to “My Computer” and double click “Dial-up Networking”; it will then detect your modem and take you to step 3 above.
Client
This assumes RAS is not installed
Q. Is it possible to dial an ISP using the command line?
A. Yes, use RASPHONE -d <entry> or RASDIAL <entry>
To disconnect you can type RASPHONE -h <entry> or RASDIAL /disconnect.
Q. How can I stop the RAS connections closing when I logoff?
A. Perform the following:
Q. How can I create a RAS Connection Script?
A. It is possible to write a script that will run when you connect during a RAS connection to automate actions such as entering your username and password. To specify a script perform the following
An example addition to the SWITCH.INF would be
; the phonebook entry
[Savill1]
; send initial carriage return
COMMAND=<cr>
; wait for : (after username, may be different at your site); omit the U as it may be capitals. You could just have :
OK=<match>"sername:"
LOOP=<ignore>
; send username as entered in the connection dialog box; alternatively you could just enter the username, e.g. savillj<cr>
COMMAND=<username><cr>
; wait for : (after password this time, may be different at your site)
OK=<match>"assword:"
LOOP=<ignore>
; send the password entered in the connection dialog box; again you could just manually enter the password, e.g. password<cr>
COMMAND=<password><cr>
NoResponse
; send the "start ppp" command
COMMAND=ppp default<cr>
OK=<ignore>
In depth information on all of the commands can be found in the SWITCH.INF file.
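As an added example (not from the FAQ and not Windows NT's own RAS code), here is a Python parser for a SWITCH.INF section that lists each COMMAND with the responses it waits for, expands the <cr>, <lf>, <username> and <password> macros, and flags a literal password typed into the file in place of the macro, which the FAQ notes you could do. The embedded script is the [Savill1] entry above re-typed as constructed input; only the macro subset that entry uses is handled, and the OK/LOOP semantics are reduced to "wait for this text".

```python
"""Parse a SWITCH.INF section into send/expect steps and expand its macros,
so a RAS login script can be reviewed before it is used on a live line.
Added example for this FAQ entry; not part of the FAQ or of Windows NT RAS.
Handles only <cr>, <lf>, <username>, <password>, <match>"text", <ignore>
and the NoResponse keyword (the subset the FAQ's own script uses)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the FAQ's [Savill1] entry.
SAMPLE_SWITCH_INF = """; the phonebook entry
[Savill1]
; send initial carriage return
COMMAND=<cr>
OK=<match>"sername:"
LOOP=<ignore>
COMMAND=<username><cr>
OK=<match>"assword:"
LOOP=<ignore>
COMMAND=<password><cr>
NoResponse
COMMAND=ppp default<cr>
OK=<ignore>
"""

RESPONSE_KEYWORDS = ("OK", "LOOP", "ERROR", "CONNECT")
_SEND_MACRO = re.compile(r"<(cr|lf|username|password)>", re.IGNORECASE)


def parse_switch_inf(text: str) -> Dict[str, List[dict]]:
    """Return {section: [step, ...]}; each step holds the COMMAND value, its
    response lines as (keyword, pattern) pairs and a no_response flag."""
    sections: Dict[str, List[dict]] = {}
    steps: Optional[List[dict]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            steps = sections.setdefault(line[1:-1], [])
            continue
        if steps is None:
            raise ValueError(f"line before any [section]: {line!r}")
        if line.upper() == "NORESPONSE":
            if not steps:
                raise ValueError("NoResponse without a preceding COMMAND")
            steps[-1]["no_response"] = True
            continue
        key, _, value = line.partition("=")
        key = key.strip().upper()
        if key == "COMMAND":
            steps.append({"command": value, "responses": [], "no_response": False})
        elif key in RESPONSE_KEYWORDS:
            if not steps:
                raise ValueError(f"{key} before any COMMAND")
            steps[-1]["responses"].append((key, value))
        else:
            raise ValueError(f"unknown SWITCH.INF keyword: {key!r}")
    return sections


def expand_command(command: str, username: str, password: str) -> str:
    """Substitute the send-side macros so the exact text sent can be seen."""
    table = {"cr": "\r", "lf": "\n", "username": username, "password": password}
    return _SEND_MACRO.sub(lambda m: table[m.group(1).lower()], command)


def expected_text(pattern: str) -> Optional[str]:
    """Literal text a <match>"..." response waits for; None for <ignore>."""
    m = re.fullmatch(r'<match>"(.*)"', pattern.strip())
    if m:
        return m.group(1)
    if pattern.strip().lower() == "<ignore>":
        return None
    raise ValueError(f"unsupported response pattern: {pattern!r}")


def check_script(steps: List[dict]) -> List[str]:
    """Reviewer checks (my own heuristics, not RAS rules): every COMMAND needs
    a response line or NoResponse, and the command that answers a password
    prompt should use <password> rather than a literal password, because
    SWITCH.INF is a plain text file on disk."""
    problems = []
    for i, step in enumerate(steps):
        if not step["no_response"] and not step["responses"]:
            problems.append(f"step {i}: COMMAND has no OK/LOOP line and no NoResponse")
        if i > 0:
            prev_waits = [p.lower() for _, p in steps[i - 1]["responses"]]
            if any("assword" in p for p in prev_waits) and "<password>" not in step["command"].lower():
                problems.append(f"step {i}: literal password sent instead of the <password> macro")
    return problems


def walk(steps: List[dict], username: str, password: str) -> List[Tuple[str, List[Optional[str]]]]:
    """Flatten a section into (text sent, [expected text or None]) pairs."""
    return [(expand_command(s["command"], username, password),
             [expected_text(p) for _, p in s["responses"]]) for s in steps]


if __name__ == "__main__":
    scripts = parse_switch_inf(SAMPLE_SWITCH_INF)
    for sent, waits in walk(scripts["Savill1"], "savillj", "example-password"):
        print(repr(sent), "->", waits)
    print("problems:", check_script(scripts["Savill1"]))
```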
Q. How can I debug the RAS Connection Script?
A. It is possible to create a log file of the connection by performing the following steps
Each dial-up session will now be appended to the file %systemroot%/system32/RAS/device.log. To stop logging perform the steps above but set the value back to 0.
Q. How do I configure RAS to connect to a leased line?
A. The method will vary depending on your system's current setup; however, assuming you have RAS already installed, below are the actions needed to configure your leased line. It is assumed the modems (at both ends) are configured correctly for leased line usage (&D0 for DTR override).
You should now configure the RAS connection (server/client) in the normal way (use the RAS service properties).
Once this has been done you may also want a phonebook entry for outgoing use as you would normally except under the Dialing section check the "Persistent connection" box.
Q. How can I disable RAS AutoDial?
A. The easiest way to do this is to disable the RAS AutoDial service:
To re-enable you would repeat the above but change the startup to automatic.
Q. RAS tries to dial out even on local resources.
A. Perform the following:
You may also wish to add addresses to the disabled list:
You will need to reboot the machine in both of the above cases.
A. When you configure the RAS server you set for each protocol the scope of the connection, the server or the whole network. To change this perform the following:
Clients should now be able to view the entire network.
Q. How do I force the "Logon Using Dialup Networking" to be checked by default on the logon screen?
A. This can be accomplished with a registry change on each client machine.
Q. Where are the RAS phone book entries and settings stored?
A. The actual phone book entries are stored in the file %systemroot%/system32/ras/rasphone.pbk (pbk - phone book). You could therefore copy this file to another machine to copy the phone book entries.
Another important file is %systemroot%/system32/ras/switch.inf which is used to create terminal login scripts (as discussed earlier in this section), and you may find phone book entries may refer to an entry in this file at the end of the entry:
DEVICE=switch
Type=Terminal
In this case, Type=Terminal means bring up a terminal window after connection so it does not use switch.inf,
DEVICE=switch
Type=Pipex
would cause the script "Pipex" (which is in switch.inf) to be run once a connection has been made. If these two lines are missing don't worry, it just means you don't need a terminal window once you have connected (probably means you are connecting to a Windows NT box). Usually if you connect to a non-NT machine you have to send it a username and password, along with the connection type (protocol), which is usually PPP on most modern systems, SLIP is an older option.
RAS information relating to phone book entries and outbound connections is stored in the registry under HKEY_CURRENT_USER\Software\Microsoft\RAS Phonebook, and contains details about redial attempts, display settings etc. Again you can export this section of the registry to a .reg file (using regedit.exe) and import it into another machine to copy the machine specific settings.
Q. How can I change the number of rings that RAS server waits for before answering?
A. The normal method is to edit the file %systemroot%\system32\ras\modem.inf. Edit the file, find the sections relating to your modem and find the line
COMMAND_LISTEN=ATS0=1<cr>
Change the numeric value to the number of rings to answer after, e.g.
COMMAND_LISTEN=ATS0=10<cr>
would answer after 10 rings (you must really hate your users, don't we all :-) ). You must restart Windows NT for this change to take effect.
The above does not work if RAS is using any TAPI (Telephony Application Programming Interface )/Unimodem-based devices. If this is the case perform the following:
A. By default the RAS Server will wait 12 seconds before calling back a RAS client however this can be changed by editing the registry.
Q. Whenever I connect via RAS I cannot connect to local machines on my LAN.
A. To enable WWW and FTP browsing when you connect via RAS you enable the "Use default gateway on remote network" option in the RAS settings. The effect is that when the connection is made a new default route is added to the route table, superseding the existing LAN routes, so any traffic destined for a node outside your local subnet is sent via the RAS route. This is because the route metric identifies the number of hops; once connected to RAS the new route has a metric of 1 and the existing routes are bumped out to a metric of 2.
To solve this a persistent route can be manually added for your LAN's subnet and the associated subnet gateway. While not connected via RAS you can examine your route information using the ROUTE PRINT command:
If your network was 160.82.0.0 (your company has a class B address) and the gateway was 160.82.220.1 for your local subnet you can add a route for the LAN only and all addresses outside of 160.82.0.0 will be routed using the RAS gateway.
C:\> route -p add <ip network> mask <subnet mask> <local gateway for the route>
e.g. C:\> route -p add 160.82.0.0 mask 255.255.0.0 160.82.220.1
This would mean all addresses from 160.82.1.1 to 160.82.254.254 would be routed via 160.82.220.1 and anything else via the RAS gateway.
If you wanted to add a route for a single host (maybe your internet firewall which is on another subnet) use the following:
C:\>route -p add 192.168.248.8 mask 255.255.255.254 160.82.220.1
Notice the subnet mask of 255.255.255.254 which means only for this single host.
When connected via RAS you will still be able to access resources outside of your local subnet on the LAN with no problems.
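To see how the route table chooses between the persistent LAN route and the RAS default route, here is an added Python example (not from the FAQ) that performs longest-prefix, then lowest-metric, lookup over a constructed table built from the FAQ's addresses; the RAS gateway 10.0.0.1 is a placeholder. It also counts how many addresses a given mask covers, so you can confirm which mask yields a single-host route.

```python
"""Route selection as a routing table applies it (longest matching prefix
first, lowest metric as tie-breaker), to check what a persistent LAN route
does beside the RAS default route. Added example for this FAQ entry; not
part of the FAQ. The table is constructed from the FAQ's addresses and the
RAS gateway address is a placeholder."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Route = Tuple[IPv4Network, str, int]  # (destination network, gateway, metric)


def make_route(network: str, mask: str, gateway: str, metric: int = 1) -> Route:
    """Build a route the way 'route add <net> mask <mask> <gw>' would."""
    return (IPv4Network(f"{network}/{mask}", strict=False), gateway, metric)


def lookup(table: List[Route], dest: str) -> Optional[str]:
    """Return the gateway used for dest: the longest matching prefix wins,
    and among equal prefixes the lowest metric (the 'metric 1 vs metric 2'
    bump the FAQ describes only matters for routes of equal length)."""
    addr = IPv4Address(dest)
    best = None
    for net, gateway, metric in table:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway)
    return None if best is None else best[1]


def hosts_covered(mask: str) -> int:
    """How many addresses a route with this mask matches; a single-host
    route is the one where this returns 1."""
    return IPv4Network(f"0.0.0.0/{mask}").num_addresses


# Constructed table: the RAS default route at metric 1 once connected, the
# FAQ's persistent class B LAN route, and a host route for a firewall.
RAS_GATEWAY = "10.0.0.1"  # placeholder for the gateway RAS supplies
TABLE = [
    make_route("0.0.0.0", "0.0.0.0", RAS_GATEWAY, metric=1),
    make_route("160.82.0.0", "255.255.0.0", "160.82.220.1", metric=2),
    make_route("192.168.248.8", "255.255.255.255", "160.82.220.1", metric=2),
]

if __name__ == "__main__":
    for dest in ("160.82.5.9", "192.168.248.8", "192.168.248.9", "205.1.1.1"):
        print(f"{dest:>15} -> via {lookup(TABLE, dest)}")
    for mask in ("255.255.255.254", "255.255.255.255"):
        print(f"mask {mask} covers {hosts_covered(mask)} address(es)")
```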
Q. How can I disable the "Save Password" option in dial-up networking?
A. When you connect via RAS you can cache the password. If you feel this is a security problem you can disable the option to save the password.
If you disable "save password", make sure "redial on link failure" is not activated: because no user information is saved, a redial attempt will try to connect as Administrator, which will not work (unless the ISP has very poor security :-) ).
Q. How can I set the number of Authentication Retries for Dial-Up connections?
A. By default after two unsuccessful authentication attempts the dial-up networking (DUN) component will hang up the line however this can be changed to between 0 and 10. 0 means the line will be hung up after the first attempt, 1 will allow one retry etc.
Q. How can I set the Authentication Time-out for Dial-Up connections?
A. As well as changing the number of Authentication Retries that are allowed, the amount of time between each attempt can also be configured and after that time has elapsed it will count as a logon failure. This can be between 20 and 600 seconds.
Q. Enabling 128-bit RAS Data Encryption.
A. Service Pack 3 (128-bit version) introduced the ability to use 128-bit RAS data encryption with a Windows NT 4.0 RAS server, as opposed to the normal 40-bit encryption.
To enable this 128-bit encryption perform the following:
It is now necessary to enable the 128-bit setting:
After reboot is completed clients connecting via RAS or PPTP will have to authenticate using 128-bit key encryption. A number of event logs can be viewed using Event Viewer (Start - Programs - Administrative Tools - Event Viewer).
If a successful connection is made you will see the log:
Event ID: 20107
Source: RemoteAccess
Description: The user RAS connected to port COMx using strong encryption
If the connection was unsuccessful you will see the entry
Event ID: 20077
Source: RemoteAccess
Description: An error occurred in the Point to Point Protocol module on port COMx. The remote computer does not support the required encryption type.
The client attempting connection would also receive a 629 error.
Q. Why does my RAS client have the wrong subnet mask, etc.?
A. The only parameter from DHCP that the RAS client uses is the IP address. Other parameters come as follows:
The subnet mask is that used by the NIC in the workstation, if fitted. IPCONFIG shows the mask as being the default mask for the class of IP address in use but this is irrelevant. MS used to display it as 0.0.0.0 which is clearly wrong, but the default is more subtly wrong. If there is no NIC in the client, then the subnet mask is irrelevant as all traffic is passed through the dial-up connection.
The default router is displayed as the same as the address of the client RAS interface. What is actually used as default router is the RAS server itself.
WINS server addresses and DNS server addresses for use by the client similarly do not come from the parameters set on the DHCP server but instead are those used by the RAS server itself.
Node Type is not taken from the DHCP parameters but can change on the RAS client depending on WINS information. If the RAS server has no WINS servers defined locally, a b-node Windows NT RAS client will remain a b-node client. If the RAS server has WINS servers defined locally, a b-node Windows NT RAS client will switch to h-node for the duration of the connection.
More information can be found in knowledge base article Q160699 at http://support.microsoft.com/support/kb/articles/q160/6/99.asp
Q. How long is the lease on the IP address when issued to a RAS client from DHCP?
A. When a RAS server is set to allocate IP addresses from DHCP, it grabs n+1 addresses when the service starts, (where n is the number of dial-up interfaces), and keeps them. Therefore, the lease time is largely irrelevant. When a client dials in, the RAS server issues one of these cached leases and the RAS server maintains the lease on behalf of the client. The RAS server only records the address of the DHCP server and the lease parameters. All other DHCP options are discarded.
You may notice that, if you use IPCONFIG or WINIPCFG on a RAS client to look at lease information, it has null dates (i.e. Jan 1, 1980). When the client disconnects, the IP address will be released back to the RAS server, NOT back to the DHCP server. This causes a lot of confusion when people expect the IP addresses to go back to the DHCP server. They will only be released back to DHCP when the RAS service is stopped and the lease then expires in due course.
Thanks to Peter Smith
Q. How can I disconnect users from the RAS server?
A. It is possible to disconnect any user using the "Remote Access Admin" utility:
If you also want to revoke the user's dial-in permission, check the 'Revoke Remote Access Permission' box in the dialog.
Q. How can I disable the modem speaker when dialing?
A. It's possible to disable the modem speaker in a number of ways. The easiest method is to use the RAS properties:
An alternative (which you may try if the above fails to work) is to edit the dial string and add the control sequence for your modem that disables the speaker; it's normally M0, however this can vary.
A. When you configure the RAS server, you set for each protocol the scope of the connection, the server or the whole network. To change this perform the following:
Clients should now be able to only view local RAS server connections.
Q. How do I install the Windows 98 Virtual Private Network adapter?
A. Windows 98 contains the Virtual Private Network as standard and to install perform the following:
Once the machine has rebooted, to create a new VPN connection start the Dial-Up Networking software and double click 'Make New Connection'.
Under the device select "Microsoft VPN Adapter", click Next and enter the host name or IP address of the VPN server.
To make a connection dial into the Internet then double click the VPN connection, enter a username and password and you are connected!
Q. How do I install the Point To Point Tunneling Server?
A. Windows NT Server contains the Point To Point Tunneling Protocol as standard and to install perform the following:
Once the machine has rebooted it will operate as a Virtual Private Network server. Make sure any users who want to logon to it have RAS dial in rights (as configured using User Manager).
If you experience any problems with protocols make sure that the RAS server has the protocols configured, e.g. TCP/IP correctly. This can be done by starting the Network Control panel applet, select Services, select RAS and click Configure. Select the VPN port and click Network. You can then configure TCP/IP etc., ensure there are no problems with addresses etc.
Extra VPN connections can also be configured by clicking Add and selecting VPN2, VPN3 etc. You can only have simultaneous VPN connections for the number of VPN devices on the server.
Q. How do I install the Windows NT Virtual Private Network client?
A. Windows NT contains the Virtual Private Network as standard and to install perform the following:
Once the machine has rebooted, to create a new VPN connection start the Dial-Up Networking software and double click New.
Under the device select "Microsoft VPN Adapter", and under Phone number the host name or IP address of the VPN server.
To make a connection dial into the Internet then select the VPN connection, enter a username and password and you are connected!
You can check PPP is working by using the IPCONFIG command:
PPP adapter NdisWan4:
   IP Address. . . . . . . . . : 200.200.200.16
   Subnet Mask . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . : 200.200.200.16
Q. How can I remove the dial-up networking icon from My Computer?
A. The dial-up networking icon can be removed by editing the registry as follows:
To restore it using your reg file just double click on the reg file from Explorer and dial-up networking will be restored.
Q. I've connected two computers using two 56K modems but I never connect at more than 33Kb, why?
A. The problem is that your modems cannot send faster than 33.6k. The 56k technologies, such as X2, K56flex and the new standard V.90 are asymmetric - 56k from a service such as an ISP to you, and 33.6k (maximum negotiated rate, may be less) from you to an ISP.
Having one of your V.90 modems call the other won't create a connection faster than 33.6k since neither side can transmit faster than 33.6k. The 56Kb is possible because the line from your house to the telephone company switching office is analog, and that the rest of the path from the CO to the service (ISP) is 100% digital. At the service end, they specifically install digital modems designed to operate as the service end of V.90/X2/K56flex connection.
This means you would need, on one of the boxes, the same kind of modem that an ISP would buy. You may find, however, that you can't get one of those without also having the digital phone circuit to connect it to.
If you need 56Kb look at ISDN. The easiest way to set up a system which can accept 56K V90 incoming connections is to get an ISDN2 or Home Highway line and a 3COM Courier-I modem. The Courier-I can act as both a standard modem and an ISDN modem. It will also act in V90 mode as a server if it detects an incoming analogue call across the ISDN.
Q. My modem is not supported by RAS, what can I do?
A. Windows NT RAS has support for Unimodem modems and can be configured as follows:
Once enabled you will only have the options to select from the list of modems (in modem.inf) and not 'Have disk' or 'Install Modem' option.
If your modem does not appear on the list of modems, download the modem's .inf file from the manufacturer and copy it to %systemroot%\system32\RAS\modem.inf, or just add its details to the original modem.inf file. Make sure you back up the original modem.inf file first.
Run the Network control panel applet and select services. Select Remote Access Services and click Properties. Remove any ports currently defined and click Add, add the ports and RAS will use the MODEM.INF file to get initialization information for the modem.
Q. I get error 'There is no answer' from the PPTP server, why?
A. This is caused by the RAS Connection Manager or Remote Access Server service either not being able to start or being set to manual startup.
To fix it, start the RAS Connection Manager and Remote Access Server services and change the RAS Connection Manager startup type to automatic using the Services control panel applet.
To test try to PING the PPTP server over the internet.
Q. DEVICE.LOG does not capture modem commands, what can I do?
A. When you use a Unimodem the device.log no longer captures the command however you can create an alternate log file to capture the modem commands:
The log file will be created in the %systemroot% directory with name MODEMLOG_<modem>.TXT.
Q. How do I create a dial-up connection in Windows 2000?
A. Windows 2000 has removed the segregation between LAN and dial-up connections, they are all just connections now.
To create a Dial-up connection to an ISP or your work you need to create a new connection using a modem as the connection medium:
Your new connection will now be visible from 'Network and Dial-up Connections'. To change its properties right click on the connection and select Properties.
A. If you are viewing this page on the web then you are using TCP/IP now! TCP/IP is a suite of related protocols and utilities used for network communications. TCP/IP is actually two protocols, Internet Protocol (IP) and Transmission Control Protocol (TCP). There are many different implementations of TCP/IP however they all conform to a standard which means different implementations can communicate with each other.
Each machine that uses TCP/IP must have a unique IP address, which is a 32-bit number usually displayed in dotted quad (or dotted decimal) format, xxx.xxx.xxx.xxx, where each xxx is a number from 0 to 255. For example, the IP address 147.98.26.11 is shown below in its 32-bit form and how it breaks down into the dotted quad format:
| 10010011 | 01100010 | 00011010 | 00001011 |
| 147 | 98 | 26 | 11 |
TCP/IP was originally used on ARPANET, a military network, grew to universities and is now used on virtually every computer system.
A. Below are the instructions on installing non-DHCP clients:
Q. Is there a way to trace TCP/IP traffic using NT?
A. As part of the Systems Management Server there is a Network Monitor module which enables the entire network to be monitored, also traffic over a modem. There is a limited version of this with NT 4.0 server, however only communications between the server and other computers can be monitored. The Network Monitor Service has to be installed (Control Panel - Network - Services - Add).
Q. I do not have a network card, but would like to install TCP/IP.
A. Microsoft provide a Loopback adapter that can be used for the testing of TCP/IP. To install the Loopback adapter perform the following actions:
Q. I have installed TCP/IP, what steps should I use to verify the setup is correct?
A. Follow the steps below:
Q. How can I trace the route the TCP/IP packets take?
A. In general TCP/IP packets will not always take the same route to a destination, however the start of the journey is likely to be the same, i.e. to your gateway, to the firewall etc. The command to use is tracert and the syntax is as follows
c:\>tracert <host name or IP address>, e.g.
c:\>tracert news.savilltech.com
Tracing route to news.savilltech.com [200.200.8.55]
over a maximum of 30 hops:
  1   <10 ms   <10 ms   <10 ms  200.200.24.1         (200.200.24.1 is the gateway)
  2   <10 ms    10 ms   <10 ms  200.200.255.81
  3    30 ms    10 ms    10 ms  news.savilltech.com [200.200.8.55]
Trace complete.
The first column is the hop count, the next 3 columns show the round-trip times to that hop (in milliseconds) for each of the three probes, the 4th column is the hostname if the IP address was resolved, and the last column is the IP address of the host. It is really like a street map telling you each turn to take. An important thing to look for is looping routes, where host a goes to b, then c, then back to a, as this usually indicates a problem.
Tracert will not always work with some FireWalls for hosts outside the FireWall.
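As an added example (not part of the FAQ), the following Python code parses tracert output of the form shown above into hop records and then looks for the looping routes the text warns about, i.e. an address that appears at one hop and again at a later hop. The sample output is constructed for this example; hop 4 deliberately repeats the gateway address from hop 1, and hop 3 shows how a "Request timed out." line is handled.

```python
import re

# Added example (not from the FAQ): parse tracert output and detect looping routes.

HOP_LINE = re.compile(
    r"^\s*(?P<hop>\d+)\s+"                        # hop count
    r"(?P<rtts>(?:(?:<?\d+\s*ms|\*)\s+){3})"      # three probes: '<10 ms', '10ms' or '*'
    r"(?P<rest>.*?)\s*$"                          # hostname and/or [IP address]
)
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_hop(line):
    """Return {'hop', 'rtts', 'host', 'ip'} for one hop line, or None for any other text."""
    m = HOP_LINE.match(line)
    if not m:
        return None
    rtts = []
    for tok in re.findall(r"<?\d+\s*ms|\*", m.group("rtts")):
        if tok == "*":
            rtts.append(None)                          # probe timed out
        else:
            rtts.append(int(re.sub(r"[^\d]", "", tok)))  # '<10 ms' is recorded as 10
    rest = m.group("rest")
    ip_match = IPV4.search(rest)
    ip = ip_match.group(1) if ip_match else None
    host = IPV4.sub("", rest).replace("[", "").replace("]", "").strip() or None
    if ip is None and all(r is None for r in rtts):
        host = None                                    # "Request timed out." is not a host
    return {"hop": int(m.group("hop")), "rtts": rtts, "host": host, "ip": ip}


def parse_tracert(text):
    """All hop records from a complete tracert transcript, in order."""
    return [h for h in (parse_hop(line) for line in text.splitlines()) if h]


def find_loops(hops):
    """(ip, first_hop, later_hop) for every address that shows up again later in the route."""
    first_seen, loops = {}, []
    for h in hops:
        if h["ip"] is None:
            continue
        if h["ip"] in first_seen:
            loops.append((h["ip"], first_seen[h["ip"]], h["hop"]))
        else:
            first_seen[h["ip"]] = h["hop"]
    return loops


# Constructed sample transcript (not real output): hop 4 repeats the gateway from hop 1.
SAMPLE = """
Tracing route to news.savilltech.com [200.200.8.55]
over a maximum of 30 hops:

  1    <10 ms    <10 ms    <10 ms  200.200.24.1
  2    <10 ms     10ms     <10 ms  200.200.255.81
  3     *         *         *      Request timed out.
  4     30 ms     10 ms     10 ms  200.200.24.1
  5     30 ms     10 ms     10 ms  news.savilltech.com [200.200.8.55]

Trace complete.
"""

if __name__ == "__main__":
    hops = parse_tracert(SAMPLE)
    for h in hops:
        print(h)
    for ip, first, later in find_loops(hops):
        print(f"loop: {ip} seen at hop {first} and again at hop {later}")
```

The parser tolerates both "<10 ms" and "10ms" spellings and records a timed-out probe as None rather than a number, so a route with a silent hop in the middle still parses and the loop check still runs across it.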
A. As has been shown the IP address consists of 4 octets and is usually displayed in the format 200.200.200.5, however this address on its own does not mean much and a subnet mask is required to show which part of the IP address is the Network ID, and which part the Host ID. Imagine the Network ID as the road name, and Host ID as the house number, so with "54 Grove Street", 54 would be the Host ID, and Grove Street the Network ID. The subnet mask shows which part of the IP address is the Network ID, and which part is the Host ID.
For example, with an address of 200.200.200.5, and a subnet mask of 255.255.255.0, the Network ID is 200.200.200, and the Host ID is 5. This is calculated using the following:
| IP Address | 11001000 | 11001000 | 11001000 | 00000101 |
| Subnet Mask | 11111111 | 11111111 | 11111111 | 00000000 |
| Network ID | 11001000 | 11001000 | 11001000 | 00000000 |
| Host ID | 00000000 | 00000000 | 00000000 | 00000101 |
What happens is a bitwise AND operation between the IP address and the subnet mask, e.g.
1 AND 1=1
1 AND 0=0
0 AND 1=0
0 AND 0=0
There are default subnet masks depending on the class of the IP address as follows:
Class A : 001.xxx.xxx.xxx to 126.xxx.xxx.xxx uses subnet mask 255.0.0.0 as default
Class B : 128.xxx.xxx.xxx to 191.xxx.xxx.xxx uses subnet mask 255.255.0.0 as default
Class C : 192.xxx.xxx.xxx to 224.xxx.xxx.xxx uses subnet mask 255.255.255.0 as default
Where's 127.xxx.xxx.xxx ??? This is a reserved address that is used for testing purposes. If you ping 127.0.0.1 you will ping yourself :-)
The subnet mask is used when two hosts communicate. If the two hosts are on the same network then host a will talk directly to host b, however if host b is on a different network then host a will have to communicate via a gateway, and the way host a can tell if it is on the same network is using the subnet mask. For example
Host A 200.200.200.5
Host B 200.200.200.9
Host C 200.200.199.6
Subnet Mask 255.255.255.0
If Host A communicates with Host B, they both have Network ID 200.200.200 so Host A communicates directly with Host B. If Host A communicates with Host C they are on different networks, 200.200.200 and 200.200.199 respectively, so Host A would send via a gateway.
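The addressing rules above (dotted quad to 32-bit form, the bitwise AND of address and mask, the classful default masks, and the "same network or via a gateway" decision), as an added Python example that is not part of the FAQ. It also checks that a mask is a contiguous run of 1 bits, a check the FAQ does not describe but which catches a common misconfiguration such as 255.0.255.0. The class C range in the code ends at 223, since 224 and above are multicast.

```python
# Added example (not from the FAQ): IPv4 dotted-quad/binary conversion and
# subnet-mask arithmetic as described in the questions above.

def ip_to_int(addr):
    """Convert a dotted quad such as '147.98.26.11' to its 32-bit integer form."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {addr!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def int_to_ip(value):
    """Convert a 32-bit integer back to dotted-quad text."""
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def binary_octets(addr):
    """Each octet as 8 bits: '147.98.26.11' -> ['10010011', '01100010', '00011010', '00001011']."""
    return [format(b, "08b") for b in ip_to_int(addr).to_bytes(4, "big")]


def is_valid_mask(mask):
    """A mask must be a run of 1 bits followed by a run of 0 bits (255.0.255.0 is not a mask)."""
    inverted = ~ip_to_int(mask) & 0xFFFFFFFF
    return (inverted + 1) & inverted == 0


def default_mask(addr):
    """Classful default mask from the first octet (class A 1-126, B 128-191, C 192-223)."""
    first = ip_to_int(addr) >> 24
    if 1 <= first <= 126:
        return "255.0.0.0"
    if 128 <= first <= 191:
        return "255.255.0.0"
    if 192 <= first <= 223:
        return "255.255.255.0"
    # 0 and 127 are reserved (127.x is loopback); 224 and above are multicast or
    # experimental, so there is no classful host mask for them.
    raise ValueError(f"no default (classful) mask for {addr}")


def split_address(addr, mask):
    """Bitwise AND of address and mask gives the Network ID; the remaining bits are the Host ID."""
    if not is_valid_mask(mask):
        raise ValueError(f"invalid subnet mask: {mask}")
    a, m = ip_to_int(addr), ip_to_int(mask)
    return int_to_ip(a & m), int_to_ip(a & ~m & 0xFFFFFFFF)


def same_network(addr_a, addr_b, mask):
    """True when both hosts share a Network ID and so can talk directly, without a gateway."""
    m = ip_to_int(mask)
    return (ip_to_int(addr_a) & m) == (ip_to_int(addr_b) & m)


if __name__ == "__main__":
    print(binary_octets("147.98.26.11"))
    print(split_address("200.200.200.5", "255.255.255.0"))
    for host in ("200.200.200.9", "200.200.199.6"):
        via = "directly" if same_network("200.200.200.5", host, "255.255.255.0") else "via a gateway"
        print(f"200.200.200.5 -> {host}: {via}")
```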
Q. What diagnostic utilities are there for TCP/IP?
A. We have already seen PING and TRACERT, and below is a full list
For more information on these commands just enter the command with a -?, e.g. netstat -?
Q. What is routing and how is it configured?
A. When host a wants to send to host b, if they are on the same local network then the IP protocol resolves the IP address to a physical address using ARP (Address Resolution Protocol), and the physical address (e.g. 00-05-f3-43-d3-3e) of the source and destination hosts are added to the IP datagram to form a frame, and using the frame, the two hosts can communicate directly with each other.
If the 2 hosts are not on the same local network, then they cannot communicate directly with each other, and instead have to go through a router. You have probably already come across a router when you install TCP/IP, as the default gateway is just a router that you have chosen to use as a means of communicating with hosts outside your local network if no specific route is known. A router can be a Windows NT computer with 2 or more network cards (one card for connection to each separate local network) or it can be a physical hardware device, such as Cisco routers.
Assuming our two hosts are not on the same local network, host A will check its routing table for a router that connects to the local network of host B. If it does not find a match then the data packets will be sent to the "default gateway". In most cases there will not be one router that connects straight to the intended recipient; rather, the router will know of another route to pass your packet on, which will then go to another router, etc.
For example:
Host A - 200.200.200.5
Host B - 200.200.199.6
Subnet Mask - 255.255.255.0
Router - 200.200.200.2 and 200.200.199.2
Host A's routing table - Network 200.200.199.0 use router 200.200.200.2
In this example, Host A would deduce that Host B is on a separate network, as its Network ID is 200.200.199. Host A would then check its routing table and see that it knows for network 200.200.199 (the zero means all) it should send to 200.200.200.2. The router would receive the packets and then forward them to network 200.200.199.
What actually happens is each router will have its own routing table that will point to other routes.
To actually configure a route you use the route command; for example, to configure a route for network 200.200.199 to use router 200.200.200.2 you would type
route -p add 200.200.199.0 mask 255.255.255.0 200.200.200.2
The -p makes the addition permanent, otherwise it will be lost with a reboot.
To view your existing information type route print.
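The lookup a host performs with the table above (deliver directly if the destination shares the local Network ID, otherwise pick the most specific matching route, otherwise fall back to the default gateway), as an added Python example that is not part of the FAQ. It also parses a "route -p add ..." command line of the form shown above and models which routes survive a reboot. The default gateway 200.200.200.1 is an assumed value; the FAQ's example does not give one.

```python
# Added example (not from the FAQ): a host routing table that decides, for a
# destination address, whether to deliver directly or hand the packet to a
# router, preferring the most specific (longest mask) matching route.

def ip_to_int(addr):
    """'200.200.200.5' -> 32-bit integer (raises on malformed input)."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    return int.from_bytes(bytes(parts), "big")


class RoutingTable:
    def __init__(self, local_address, local_mask, default_gateway=None):
        self.local_net = ip_to_int(local_address) & ip_to_int(local_mask)
        self.local_mask = ip_to_int(local_mask)
        self.default_gateway = default_gateway
        self.routes = []            # (network, mask, gateway, persistent)

    def add(self, network, mask, gateway, persistent=False):
        net, m = ip_to_int(network), ip_to_int(mask)
        if net & m != net:
            raise ValueError(f"{network} has host bits set for mask {mask}")
        self.routes.append((net, m, gateway, persistent))
        # longest mask first, so a /24 route beats a /16 route that also matches
        self.routes.sort(key=lambda r: bin(r[1]).count("1"), reverse=True)

    def add_from_command(self, cmdline):
        """Parse 'route [-p] add <network> mask <mask> <gateway>' as typed at the NT prompt."""
        words = cmdline.split()
        persistent = "-p" in words
        words = [w for w in words if w != "-p"]
        if len(words) != 6 or words[:2] != ["route", "add"] or words[3].lower() != "mask":
            raise ValueError(f"unrecognised route command: {cmdline!r}")
        self.add(words[2], words[4], words[5], persistent)

    def next_hop(self, destination):
        """('direct', destination) for local hosts, ('router', gateway) otherwise, (None, None) if no route."""
        d = ip_to_int(destination)
        if d & self.local_mask == self.local_net:
            return "direct", destination      # same Network ID: ARP for the host itself
        for net, m, gateway, _ in self.routes:
            if d & m == net:
                return "router", gateway      # first match is the most specific one
        if self.default_gateway:
            return "router", self.default_gateway
        return None, None

    def after_reboot(self):
        """Only routes added with -p survive a reboot."""
        self.routes = [r for r in self.routes if r[3]]


def host_a_table():
    """Host A from the FAQ example: 200.200.200.5/24 (the default gateway is an assumed value)."""
    table = RoutingTable("200.200.200.5", "255.255.255.0", default_gateway="200.200.200.1")
    table.add_from_command("route -p add 200.200.199.0 mask 255.255.255.0 200.200.200.2")
    return table


if __name__ == "__main__":
    table = host_a_table()
    for dest in ("200.200.200.9", "200.200.199.6", "10.1.2.3"):
        print(dest, "->", table.next_hop(dest))
```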
A. ARP stands for Address Resolution Protocol and was touched on in the previous question as a means of resolving a IP address to an actual physical network card address.
All network cards have a unique 48-bit address, written as six hexadecimal pairs, e.g. 00-A0-24-7A-01-48, and this address is hard coded into the network card. You can view your network card's hardware address by typing ipconfig /all:
Ethernet adapter Elnk31:
   Description . . . . . . . . : ELNK3 Ethernet Adapter.
   Physical Address. . . . . . : 00-A0-24-7A-01-48
   DHCP Enabled. . . . . . . . : No
   IP Address. . . . . . . . . : 200.200.200.5
   Subnet Mask . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . : 200.200.200.1
   Primary WINS Server . . . . : 200.200.50.23
   Secondary WINS Server . . . : 200.200.40.190
As discussed in the subnet question, if a packet's destination is on the same local network as the sender's, then the sender needs to resolve the destination's IP address into a physical hardware address; otherwise the sender needs to resolve the router's IP address into a physical hardware address. When an NT machine's TCP/IP component starts, it broadcasts an ARP message with its IP to hardware address pair. The basic order of events for sending to a host on the local network is as follows:
If you are sending to a destination not on your local network, then the process is similar except that the sender resolves the router's IP address instead.
To inspect your machine's ARP cache, type:
arp -a
and a list of IP address to hardware address pairs will be shown. Try pinging a host on your local network and then displaying the ARP cache again and you will see an entry for the host; also try pinging a host outside your local network and check the ARP cache and an entry for the router will have been added. You will notice that the word dynamic is listed with the records, and this is because they were added as needed and are volatile, hence will be lost on reboot. In fact the entries will be lost quicker than this! If an entry is not used again within 2 minutes then it will be deleted from the cache. If it is used within 2 minutes, it will not be deleted for a further 10 minutes, unless used again, and then it would be ten minutes from when it was used :-).
You may wish to add static entries for some hosts (to save time with the ARP requests) and the format is
arp -s <IP address> <hardware address>, e.g.
arp -s 200.200.200.5 00-A0-24-7A-01-48
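The cache ageing rule just described (an unused dynamic entry is dropped after 2 minutes; a used one is kept for 10 minutes from its last use; a static entry added with arp -s never ages out), as an added Python model that is not part of the FAQ. Time is passed in as plain seconds by the caller so the rule can be exercised without waiting. The MAC addresses are constructed sample values.

```python
# Added example (not from the FAQ): a model of the NT ARP cache ageing rule
# described above. Times are seconds supplied by the caller.

UNUSED_TIMEOUT = 120        # seconds a fresh dynamic entry survives without being used
REUSE_LIFETIME = 600        # seconds an entry survives after each use


class ArpCache:
    def __init__(self):
        self._entries = {}  # ip -> {"mac": str, "expires": float or None, "static": bool}

    def _purge(self, now):
        """Drop every dynamic entry whose deadline has passed."""
        expired = [ip for ip, e in self._entries.items()
                   if e["expires"] is not None and e["expires"] <= now]
        for ip in expired:
            del self._entries[ip]

    def learn(self, ip, mac, now):
        """Record a pair learnt from an ARP reply. A static entry is never overwritten; returns False then."""
        self._purge(now)
        current = self._entries.get(ip)
        if current and current["static"]:
            return False
        self._entries[ip] = {"mac": mac, "expires": now + UNUSED_TIMEOUT, "static": False}
        return True

    def add_static(self, ip, mac):
        """Equivalent of 'arp -s': the entry is used as given and never expires."""
        self._entries[ip] = {"mac": mac, "expires": None, "static": True}

    def resolve(self, ip, now):
        """Look a host up before sending; a hit on a dynamic entry extends it by REUSE_LIFETIME."""
        self._purge(now)
        entry = self._entries.get(ip)
        if entry is None:
            return None                      # caller would have to broadcast an ARP request
        if not entry["static"]:
            entry["expires"] = now + REUSE_LIFETIME
        return entry["mac"]

    def table(self, now):
        """What 'arp -a' would show: sorted (ip, mac, 'static'|'dynamic') tuples."""
        self._purge(now)
        return sorted((ip, e["mac"], "static" if e["static"] else "dynamic")
                      for ip, e in self._entries.items())


if __name__ == "__main__":
    cache = ArpCache()
    cache.learn("200.200.200.9", "00-A0-24-7A-01-48", now=0)      # constructed sample MAC
    cache.add_static("200.200.200.1", "00-A0-24-00-00-01")         # constructed sample MAC
    print(cache.resolve("200.200.200.9", now=100))   # used inside 2 minutes: kept
    print(cache.table(now=800))                      # dynamic entry expired at 700, static remains
```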
Q. My Network is not connected to the Internet, can I use any IP address?
A. The basic answer would be Yes, however it is advisable to use one of the following ranges which are reserved for use by private networks:
10.0.0.0 - 10.255.255.255 this is a single class A network
172.16.0.0 - 172.31.255.255 this is a group of 16 contiguous class B networks
192.168.0.0 - 192.168.255.255 this is a contiguous group of 256 class C networks
The addresses above are detailed in RFC 1918 (Request for Comments). The advantage of these addresses is that they should be automatically filtered out by routers, thus protecting the Internet. Obviously if you did one day want part of your network on the Internet you would need to apply for a range of IP addresses (from InterNIC or from your ISP).
These addresses are routable and routers will route them by default. You aren't supposed to route them publicly, and need to configure your router accordingly. Internet backbone routers have been specifically configured to not route these addresses, but that is a specific configuration choice.
People using these addresses must specifically configure their routers to not route these addresses.
Routers route these addresses by default as they don't know whether they are gateway routers or some intermediate router on a WAN (behind a gateway).
Q. How can I increase the time entries are kept in the ARP cache?
A. The default 2 minutes can be changed by performing the following:
Q. What other registry entries are there for TCP/IP?
A. There is a whole knowledge base article on them that may be useful at http://support.microsoft.com/support/kb/articles/q120/6/42.asp .
Q. How can I configure more than 6 IP addresses?
A. Using the TCP/IP configuration GUI you are limited to 6 IP addresses however more can be added by directly editing the registry:
Q. What are the common TCP ports?
A. Below is a list of the most common TCP ports.
| Keyword | Port | Description |
| echo | 7 | Echo |
| systat | 11 | Active Users |
| qotd | 17 | Quote of the day |
| msp | 18 | Message Send Protocol |
| ftp-data | 20 | File Transfer (Data Channel) |
| ftp | 21 | File Transfer (Control) |
| telnet | 23 | Telnet |
| smtp | 25 | Simple Mail Transfer |
| name | 42 | TCP Nameserver |
| bootps | 67 | Bootstrap Protocol Server |
| bootpc | 68 | Bootstrap Protocol Client |
| tftp | 69 | Trivial File Transfer |
| gopher | 70 | Gopher |
| finger | 79 | Finger |
| www | 80 | World Wide Web |
| kerberos | 88 | Kerberos |
| pop3 | 110 | TCP post office |
| nntp | 119 | USENET |
| nfs | 2049 | Network File System |
Q. How can I perform a migration to DHCP?
A. There are only a few basic registry entries that define a client as a DHCP client so an easy way to migrate clients to DHCP is to create a registry script that sets the required values via logon script. You should obviously be careful that there is no overlap between the addresses in the DHCP address pool and those statically assigned.
The DHCP service needs to be configured to start at system startup. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP\ and change the value entry Start from 1 to 2.
TCP/IP parameters are defined per NIC (Network Interface Card).
The following is an example registry script you may consider using. If you are unsure of the card service, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\1 and write down the data for the value entry ServiceName.
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<card service>\Parameters\Tcpip]
"EnableDHCP"=dword:00000001
"IPInterfaceContext"=dword:00000001
"IPInterfaceContextMax"=dword:00000001
You should then add something into the logon script to detect the NIC installed into the computer, run the reg script and request an IP address, e.g.
rem %reg% holds the card service name detected earlier in the script (elpc575 is the 3Com 575TX)
if "%reg%"=="elpc575" goto dhcp
...
:dhcp
regedit /s NIC_dhcp.reg
ipconfig /renew
net send %computername% Congrats! Your computer has been configured for DHCP!
You need a quick way to find out which network card a computer is using, as on your LAN you will have various types of NIC.
For instance you may have the 3c89d, netflx3 or 3c575tx. Taking the Netflx3 driver as an example, when it is installed on NT 4.0 it adds a registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CpqNF31 with the parameters:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CpqNF31\Parameters\Tcpip]
"EnableDHCP"=dword:00000000.
You have to find out what the key name is, because it is different for each NIC; then you can run kix32.exe and use the function:
EXISTKEY ("Key")
Checks for the existence of a registry key.
Parameters
Key - Identifies the key you want to check the existence of.
Returns
0 - the key specified exists (Note: this is different from the way the EXIST function works...)
>0 - the key does not exist; the return code represents an error code
$ReturnCode=ExistKey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CpqNF31")
If $ReturnCode=0
? "Key exists...."
Endif
...to determine if the key exists and then execute accordingly for that specific card.
You may also set the value IPAddress=0.0.0.0 and value SubnetMask=0.0.0.0 for the card service however they will be ignored anyway. Fill in the IPAddress and SubnetMask with 0.0.0.0. Blanking out or deleting the values won't work. Restart the workstation to complete the change.
This can also be done using Windows Scripting Host
From MS SupportOnline Article ID: Q197424
'-----------------------------------------------------------------------
' The following script reads the registry value name IPAddress to
' determine which registry entries need to be changed to enable DHCP.
' This sample checks the first 11 network bindings for TCP/IP, which is
' typically sufficient in most environments.
' ----------------------------------------------------------------------
Dim WSHShell, NList, N, IPAddress, IPMask, IPValue, RegLoc
Set WSHShell = WScript.CreateObject("WScript.Shell")
NList = array("0000","0001","0002","0003","0004","0005","0006", _
              "0007","0008","0009","0010")
On Error Resume Next
RegLoc = "HKLM\System\CurrentControlSet\Services\Class\NetTrans\"
For Each N In NList
    IPValue = ""                       ' Resets variable
    IPAddress = RegLoc & N & "\IPAddress"
    IPMask = RegLoc & N & "\IPMask"
    IPValue = WSHShell.RegRead(IPAddress)
    If (IPValue <> "") and (IPValue <> "0.0.0.0") then
        WSHShell.RegWrite IPAddress, "0.0.0.0"
        WSHShell.RegWrite IPMask, "0.0.0.0"
    End If
Next
WScript.Quit ' Tells the script to stop and exit.
Q. How do I assign multiple IP addresses to a single NIC?
A. It is possible to assign more than one IP address to a single NIC (Network Interface Card). To configure extra IP addresses under NT 4.0 perform the following:
Under Windows 2000 the procedure is the same except to get the TCP/IP protocol properties you need to:
Q. How do I install the Network Monitor Utility?
A. Windows NT Server ships with a limited version of the Network Monitor utility which allows you to monitor only traffic to and from the installed box. The full SMS version allows promiscuous monitoring of the network.
To install the basic NT version:
The SMS 1.2 version can be installed as part of a full SMS installation by selecting "Install Admin Tools" option and clicking Custom to add the network monitor. It can also be installed directly from the SMS\nmext directory on the SMS 1.2 CD-ROM:
SMS 2.0 version instructions will be added shortly.
Q. How do I perform a network trace using NetMon?
A. To start Network Monitor select "Network Monitor" from the "Network Analysis Tools" Start menu Programs folder. Once started you will be presented with the initial trace dialog which is split into 4 main windows.
Initially the trace will be for all hosts to all hosts however you will probably want to refine this using a filter as follows:
You are now ready to start the capture by selecting Start from the Capture menu (or pressing F10). Once you have collected the data you require, stop the capture by selecting Stop from the Capture menu (or pressing F11). An alternative is to select Stop and View, which will stop the trace and show the captured data.
The normal method to display captured data is to select "Display Captured Data" from the Capture menu or press F12. A new dialog will be shown with all frames sent between the selected hosts. For more detail about a frame just double click it; it will then give the full frame information and content.
Notice you can actually see the data that was sent and full IP and TCP headers can also be inspected. If you start another search it will ask if you want to save the current captured data. You can also manually save by selecting "Save As" from the File menu.
Q. Nothing shows up on my NETMON trace, why?
A. Netmon is capable of capturing data on all adapters including RAS adapters and by default it will trace the adapter with the lowest MAC address, which would be 000000000000 for a RAS device and thus the default.
To change the adapter used perform the following:
Restart your capture. You can check your card's MAC address (if you have several cards) using the IPCONFIG /ALL command.
A. In some situations you may want to monitor traffic for a certain machine but are unable to actually use that machine to perform the network monitor (maybe because of physical location).
The Network Monitor agent is installed on the machine whose traffic you wish to monitor and then you can "connect" to it from a machine running the Network Monitor application and capture its traffic.
The Network Monitor agent runs as a service and needs to be started on the machine whose traffic you wish to capture.
Q. How do I install the Network Monitor agent?
A. The Network Monitor agent is supplied with both Windows NT Workstation and Windows NT Server and is installed as follows:
Once the reboot has completed you need to configure the Network Monitor Agent service so that it starts automatically:
To start the Network Monitor Service from the command line use the command
C:\> net start nmagent
Q. How do I monitor traffic for an agent?
A. To monitor traffic from an agent perform the following:
If the connection fails ensure the Network Monitor Agent is running on the remote machine and that you have local Administrator rights on it.
You can now perform captures as per normal. To switch back to local just select Networks from the Capture menu and select one of the Local node options.
Q. How do I filter captured packets?
A. Once you have captured data it is possible to apply a filter to view only certain type of packets:
The data displayed will now be only that which matches the specified criteria. To disable the filter just select "Disable Filter" from the Filter menu.
A. IPv6 is the next version of the Internet Protocol, version 6.0, hence IPv6.
Current computers use IP version 4.0 which, despite being created in the mid-1970's, has done very well. However, it has reached its limit: it is about to run out of addresses and is not the most bandwidth-friendly protocol, so it's time for an upgrade.
Below are the 4 main reasons that IP version 4.0 needs an upgrade:
Current IP addresses consist of 32 bits, represented as 4 bytes, dotted-quad format, e.g. 200.200.200.202. IP version 6 uses 128 bits for addresses!
IPv6 is defined in the following RFCs (Requests for Comments):
Q. How will IPv6 addresses be written?
A. Since IPv6 addresses are 128-bit, and hence four times longer than an IPv4 address, they are expressed as:
X:X:X:X:X:X:X:X
where each X is a 4-digit hexadecimal integer (16 bits) and each digit is 4 bits and so can be between 0 and F (F is 15 in hexadecimal) and so examples of valid addresses would be
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
1080:0:0:0:8:800:200C:417A
Notice in the second address you can leave off any leading zeros, but you must have at least one numeral in each part. For example :0800: can be written as :800:.
Obviously you may have a long sequence of zeros in the address, and so it is possible to have a single gap written as :: which will be filled with zeros, for example
1080:0:0:0:8:800:200C:417A
may be written as
1080::8:800:200C:417A
0:0:0:0:0:0:0:1, the loopback address (the IPv6 equivalent of 127.0.0.1), can be written as ::1.
A third format is available, when dealing with a mixed environment of IPv4 and IPv6 nodes is
x:x:x:x:x:x:d.d.d.d
where the 'x's are the hexadecimal values of the six high-order 16-bit pieces of the address, and the 'd's are the decimal values of the four low-order 8-bit pieces of the address (standard IPv4 representation). Examples:
0:0:0:0:0:0:13.1.68.3
0:0:0:0:0:FFFF:129.144.52.38
or in compressed form:
::13.1.68.3
::FFFF:129.144.52.38
The subnet mask is now replaced by a number appended to the network address specifying the number of bits making up the network part (CIDR notation), e.g. ipv6-address/prefix-length:
12AB:0000:0000:CD30:0000:0000:0000:0000/60
12AB:0000:0000:CD30::/60
Means the first 60 bits make up the network part of the address.
When writing both a node address and a prefix of that node address (e.g. the node's subnet prefix), the two can be combined as follows: the node address 11AC:0:0:CA20:123:4567:89AB:CDEF and its subnet number 11AC:0:0:CA20::/60 can be abbreviated as 11AC:0:0:CA20:123:4567:89AB:CDEF/60.
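The notation rules above (leading-zero omission, the single :: gap, the embedded dotted quad and the address/prefix-length form) implemented as an added example; this is not code from the FAQ, the function names are my own, and the address values are the ones quoted above:

```python
"""IPv6 textual notation as described above (added example, not part of the FAQ):
eight 16-bit hex groups, the '::' zero gap, the mixed x:x:x:x:x:x:d.d.d.d form,
and the address/prefix-length notation used for subnet prefixes."""
import re

_HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")
_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def _ipv4_groups(dotted):
    """Turn a trailing d.d.d.d into the two low-order 16-bit groups it occupies."""
    m = _DOTTED_QUAD.match(dotted)
    if not m:
        raise ValueError("bad embedded IPv4 address %r" % dotted)
    o = [int(x) for x in m.groups()]
    if max(o) > 255:
        raise ValueError("IPv4 octet out of range in %r" % dotted)
    return [(o[0] << 8) | o[1], (o[2] << 8) | o[3]]


def parse(text):
    """Parse any of the written forms into a list of eight 16-bit integers."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' gap is allowed: %r" % text)
    head, gap, tail = text.partition("::")
    head_parts = head.split(":") if head else []
    tail_parts = tail.split(":") if tail else []
    # A dotted quad can only be the last piece and stands for two 16-bit groups.
    last = tail_parts if gap else head_parts
    if last and "." in last[-1]:
        last[-1:] = _ipv4_groups(last[-1])
    groups = []
    for part in head_parts + tail_parts:
        if isinstance(part, int):
            groups.append(part)
        elif _HEX_GROUP.match(part):
            groups.append(int(part, 16))  # leading zeros may be omitted
        else:
            raise ValueError("bad 16-bit group %r in %r" % (part, text))
    if gap:
        fill = 8 - len(groups)
        if fill < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % text)
        groups[len(head_parts):len(head_parts)] = [0] * fill
    if len(groups) != 8:
        raise ValueError("expected 8 groups, found %d in %r" % (len(groups), text))
    return groups


def to_full(groups):
    """Write every group, dropping leading zeros: 1080:0:0:0:8:800:200C:417A."""
    return ":".join("%X" % g for g in groups)


def to_compressed(groups):
    """Replace the longest run of two or more zero groups with '::' (leftmost on ties).
    The FAQ allows any single gap; requiring two or more groups follows the later
    canonical-form rule of RFC 5952 and still yields ::1 and 1080::8:800:200C:417A."""
    n = len(groups)
    best_start, best_len, i = -1, 0, 0
    while i < n:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < n and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return to_full(groups)
    left = to_full(groups[:best_start])
    right = to_full(groups[best_start + best_len:])
    return left + "::" + right


def to_mixed(groups):
    """Write the low-order 32 bits as a dotted quad (x:x:x:x:x:x:d.d.d.d)."""
    high = to_compressed(groups[:6])
    dotted = "%d.%d.%d.%d" % (groups[6] >> 8, groups[6] & 0xFF,
                              groups[7] >> 8, groups[7] & 0xFF)
    return high + ("" if high.endswith("::") else ":") + dotted


def subnet_prefix(text):
    """Reduce 'address/len' to its network prefix, e.g. ...:CDEF/60 -> 11AC:0:0:CA20::/60."""
    addr, _, plen = text.partition("/")
    n = int(plen)
    if not 0 <= n <= 128:
        raise ValueError("prefix length must be 0..128: %r" % plen)
    value = 0
    for g in parse(addr):
        value = (value << 16) | g
    value &= ((1 << 128) - 1) ^ ((1 << (128 - n)) - 1)  # keep only the top n bits
    net = [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]
    return "%s/%d" % (to_compressed(net), n)
```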
Q. What is the IPv6 header format?
A. Below is the specification for the header format of IPv6:
| Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits) |
| Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits) |
| Source Address (128 bits) | | |
| Destination Address (128 bits) | | |
Version - 4-bit Internet Protocol version number.
Traffic Class - 8-bit traffic class field
Flow Label - 20-bit flow label
Payload Length - 16-bit unsigned integer. Length of the IPv6 payload, i.e., the rest of the packet following this IPv6 header, in octets. (Note that any extension headers present are considered part of the payload, i.e., included in the length count.)
Next Header - 8-bit selector. Identifies the type of header immediately following the IPv6 header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
Hop Limit - 8-bit unsigned integer. Decremented by 1 by each node that forwards the packet. The packet is discarded if Hop Limit is decremented to zero.
Source Address - 128-bit address of the originator of the packet.
Destination Address - 128-bit address of the intended recipient of the packet (possibly not the ultimate recipient, if a Routing header is present).
Notice that the IPv6 header has far fewer fields than the IPv4 header; IPv6 instead introduces a number of extension headers, as defined in RFC 2460.
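An added example, not from the FAQ, that parses the fixed 40-octet header described above from raw bytes and applies the Hop Limit rule; the sample packet is constructed inside the block from the two example addresses given earlier, with a hypothetical 8-byte UDP payload (Next Header 17):

```python
"""Parse the fixed 40-octet IPv6 header described above (added example, not from the FAQ).
Checks a defender wants on raw packets: Version must be 6, Payload Length must agree
with the bytes actually captured, and Hop Limit is decremented and discarded at zero."""
import struct

HEADER_LEN = 40
# Next Header uses the same numbering as the IPv4 Protocol field.
NEXT_HEADER_NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def _addr_text(raw16):
    """Write 16 address bytes as eight hex groups without leading zeros."""
    return ":".join("%X" % g for g in struct.unpack("!8H", raw16))


def parse_ipv6_header(packet):
    """Return the header fields as a dict, or raise ValueError for a malformed packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated: %d bytes, need %d" % (len(packet), HEADER_LEN))
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError("not IPv6: version field is %d" % version)
    traffic_class = (first_word >> 20) & 0xFF
    flow_label = first_word & 0xFFFFF
    payload = packet[HEADER_LEN:]
    if len(payload) < payload_len:
        raise ValueError("payload length %d but only %d bytes follow the header"
                         % (payload_len, len(payload)))
    return {
        "version": version,
        "traffic_class": traffic_class,
        "flow_label": flow_label,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "next_header_name": NEXT_HEADER_NAMES.get(next_hdr, "other(%d)" % next_hdr),
        "hop_limit": hop_limit,
        "src": _addr_text(packet[8:24]),
        "dst": _addr_text(packet[24:40]),
        "payload": payload[:payload_len],
    }


def build_ipv6_header(src_groups, dst_groups, payload, next_header,
                      hop_limit=64, traffic_class=0, flow_label=0):
    """Build the 40-octet header in front of payload (used here to construct sample input)."""
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    hdr = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    hdr += struct.pack("!8H", *src_groups) + struct.pack("!8H", *dst_groups)
    return hdr + payload


def forward(packet):
    """Apply the Hop Limit rule of a forwarding node: decrement by one,
    return None when the packet would be discarded (decremented to zero)."""
    fields = parse_ipv6_header(packet)
    if fields["hop_limit"] <= 1:
        return None
    return packet[:7] + bytes([fields["hop_limit"] - 1]) + packet[8:]


# Constructed sample: the two addresses quoted above, an 8-byte hypothetical UDP payload.
SAMPLE_SRC = (0x1080, 0, 0, 0, 8, 0x800, 0x200C, 0x417A)
SAMPLE_DST = (0xFEDC, 0xBA98, 0x7654, 0x3210, 0xFEDC, 0xBA98, 0x7654, 0x3210)
SAMPLE_PACKET = build_ipv6_header(SAMPLE_SRC, SAMPLE_DST,
                                  b"\x00\x35\x00\x35\x00\x08\x00\x00", next_header=17)

if __name__ == "__main__":
    for name, value in parse_ipv6_header(SAMPLE_PACKET).items():
        print("%-17s %r" % (name, value))
```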
Q. I am unable to install TCP/IP, why?
A. If you are trying to reinstall TCP/IP after previously uninstalling it the problem may be due to certain TCP/IP registry values not being removed correctly.
To manually remove perform the following:
An alternative which avoids having to change security is to start regedt32.exe under the System account by submitting it via the schedule service
C:\> net start schedule (only if not already running)
C:\> at <time> /inter regedt32.exe
C:\> net stop schedule (only if you had to start it)
Once the computer has rebooted restart REGEDT32.EXE and ensure all of the following are deleted (these are the keys whose security you must set)
Connectivity Utilities:
SNMP Service:
TCP/IP Network Printing Support:
FTP Server Service:
Simple TCP/IP Services:
DHCP Server Service:
WINS Server Service:
Windows sockets:
It may also be necessary to remove the following keys:
Q. What switches can be used with PING?
A. PING is used to test TCP/IP connectivity with another host and gives information about the length of time test data takes to be sent to the host and a reply received.
Its most basic use is as follows:
C:\>ping <IP address or hostname>
Pinging 160.82.52.11 with 32 bytes of data:
Reply from 160.82.52.11: bytes=32 time=10ms TTL=252
Reply from 160.82.52.11: bytes=32 time<10ms TTL=252
Reply from 160.82.52.11: bytes=32 time<10ms TTL=252
Reply from 160.82.52.11: bytes=32 time<10ms TTL=252
From the above you can see it sent 32 bytes to host 160.82.52.11 and each time a reply was received in 10ms or less, which shows a good connection.
PING does have a number of option parameters to accomplish different objectives.
ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list
| -t | Ping the specified host until interrupted. |
| -a | Resolve addresses to hostnames. |
| -n count | Number of echo requests to send. |
| -l size | Send buffer size. |
| -f | Set Don't Fragment flag in packet. |
| -i TTL | Time To Live. |
| -v TOS | Type Of Service. |
| -r count | Record route for count hops. |
| -s count | Timestamp for count hops. |
| -j host-list | Loose source route along host-list. |
| -k host-list | Strict source route along host-list. |
| -w timeout | Timeout in milliseconds to wait for each reply. |
In Windows 2000 you can press Ctrl-Break when running with the -t option for a list of statistics. Press Ctrl-C to actually stop the ping.
It can be useful to have a small batch file ping various hosts and terminal servers at regular intervals to ensure all are still present (although there are commercial software packages that do this). A simple command like:
C:\>ping -f -n 1 -l 1 148.32.43.23
Pinging 148.32.43.23 with 1 bytes of data:
Reply from 148.32.43.23: bytes=1 time<10ms TTL=128
pings a host once with one byte of data.
You should be aware that PING works by sending ICMP echo packets and some routers etc may filter these out meaning a PING will not work.
Q. How can I modify TCP retransmission timeout?
A. Service Pack 5 adds a new registry entry, InitialRtt, which allows the retransmission time to be modified. The range is 0 - 65535 milliseconds and can be set as follows:
This parameter controls the initial retransmission timeout used by TCP on each new connection. It applies to the connection request (SYN) and to the first data segment(s) sent on each connection.
Care should be used when adjusting this value. Setting it to large values will dramatically increase the amount of time that it takes for a TCP connection attempt to fail, if the target IP address does not exist.
For instance, the default value is 3,000, or 3 seconds. By default, a connection request is retried 2 times. The total time-out is (3+6+12) seconds, or 21 seconds.
If this registry value is set to 6,000 (6 seconds), the total timeout will be (6+12+24) seconds, or 42 seconds. During this time, an application can appear to stop responding (hang).
Q. How can I disable media-sense for TCP/IP?
A. Windows 2000 introduces media-sense, which allows a Network Interface Card to detect whether it is connected to a network cable; if it is not connected, the protocols on that adapter are disabled (although the loopback address 127.0.0.1 and the local hostname still work).
This may be very inconvenient, especially on portables, as you may have programs running which require the machine's normal IP address, so you can disable media-sense for TCP/IP only (not for the other protocols)
Cheers to Thomas Lee for letting me know media-sense existed :-)
A. DHCP stands for Dynamic Host Configuration Protocol and is used to automatically configure a host during boot up on a TCP/IP network and also to change settings while the host is attached.
This means that you can store all the available IP addresses in a central database along with information such as the subnet mask, gateways, DNS servers etc.
The basic idea behind DHCP is that clients are configured to use DHCP instead of being given a static IP address. When the client boots up it sends out a BOOTP request for an IP address. A DHCP server then offers an IP address from its database that has not yet been assigned, which is leased to the client for a pre-defined time period.
If the DHCP client is Windows 2000 and no offer is made and IP auto configuration has not been disabled the client will attempt to find and use an IP address not currently in use otherwise TCP/IP will be disabled.
Q. How do I install the DHCP Server Service?
A. The DHCP server service can only be installed on an NT Server.
Under Windows 2000 to install perform the following:
Q. How do I configure DHCP Server Service?
A. The DHCP Server Service is configured using "DHCP Manager" that is installed after the installation of the DHCP Server Service.
Usually items such as DNS servers, WINS server etc will be configured on a global scale and this is also done using Server Manager
Q. How do I configure a client to use DHCP?
A. For NT workstation and Windows95 follow the instructions below:
For Windows 98:
Q. How can I compress my DHCP database?
A. NT Server ships with a utility called JETPACK.EXE which can be used to compact DHCP and WINS databases. To compact your DHCP database perform the following:
Note: While you stop the DHCP service, clients using DHCP to receive a TCP/IP address will not be able to start this protocol and may hang.
Jetpack actually compacts DHCP.MDB into TMP.MDB, then deletes DHCP.MDB and copies TMP.MDB to DHCP.MDB! Simple :-)
For more information, see Knowledge base article Q145881 at http://support.microsoft.com/support/kb/articles/q145/8/81.asp
Q. How can a DHCP client find its IP address?
A. Depending on the client:
Windows NT machine - type ipconfig from the command prompt
Windows 95 machine - run winipcfg.exe
Q. How can I move a DHCP database from one server to another?
A. Perform the steps below on the server that currently hosts the DHCP Server service. Be warned that while doing this no DHCP clients will be able to start TCP/IP so this should be done outside working hours.
Optionally if you want to remove DHCP from the source machine totally delete the DHCP directory (%systemroot%\system32\dhcp) and then delete the DHCP Service (Start - Settings - Network - Services - Microsoft DHCP Server - Remove)
On the new DHCP server perform the following
Q. How do I create a DHCP Relay Agent?
A. If you have routers separating some of your DHCP clients from the DHCP server you may have problems if they are not RFC compliant. This can be solved by placing a DHCP relay agent on the local network area which is not actually a DHCP server which communicates on behalf of the DHCP Server. The DHCP Relay Agent must be a Windows NT Server computer.
Q. How can I stop the DHCP Relay Agent?
A. All you have to do is stop the DHCP Relay Agent service:
Q. How can I backup the DHCP database?
A. The DHCP database backs itself up automatically every 60 minutes to the %SystemRoot%\System32\Dhcp\Backup\Jet directory. This interval can be changed:
You could backup the %SystemRoot%\System32\Dhcp\Backup\Jet directory if you wish.
Q. How can I restore the DHCP database?
A. Perform one of the following:
Q. How do I reserve a specific address for a particular machine?
A. Before performing this you will need to know the hardware address of the machine and this can be found by entering the command
ipconfig /all
Look for the line
Physical Address. . . . . . : 00-60-97-A4-20-86
Now at the DHCP server perform the following
Q. What registry settings control the DHCP log in Windows 2000?
A. DHCP has always had auditing abilities; however, these have been expanded in Windows 2000 to reduce problems caused by the log files themselves. These improvements stop log files filling whole partitions and causing system problems.
The following keys are all located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
| Value Name | Type | Description |
| DhcpLogFilePath | REG_SZ | The partition and directory for the audit logs to be written to. Make sure you write the entire path |
| DhcpLogMinSpaceOnDisk | REG_DWORD | If free space falls below this number (in megabytes) audit logging is stopped |
| DhcpLogDiskSpaceCheckInterval | REG_DWORD | Number of times the audit log is written to before checking for free disk space |
| DhcpLogFileMaxSize | REG_DWORD | Maximum size in megabytes the logs can grow to. By default it is 7. |
Q. How do I authorize a DHCP server in Windows 2000?
A. Any user running Windows 2000 server could install the DHCP server service causing potential problems and so Windows 2000 adds the concept of authorizing the servers with the Active Directory before they can service client requests. If the server is not authorized in the Active Directory then the DHCP service will not be started.
To Authorize a server perform the following:
The red arrow over the DHCP server should now change to a green one if you select refresh (it may take a few minutes).
Q. How do I create a DHCP scope in Windows 2000?
A. A DHCP scope is a range of addresses that can be assigned to clients and can also optionally provide information about DNS servers, WINS etc.
DHCP scopes are configured using the DHCP MMC snap-in as follows:
The new scope will now be listed with its status as either Active or Inactive.
If you chose not to activate the scope it can be manually activated by right clicking on the scope, selecting 'All Tasks' and then Activate. The activation is immediate. Likewise you can deactivate it by selecting Deactivate.
Useful links:
Q. How do I configure DHCP scope options in Windows 2000?
A. When you create a scope the more common options such as DNS and WINS servers can be configured but many more options are available.
The new option(s) will now show in the right hand window. You can change existing options by performing the above and selecting an item already configured and change the details in the Data entry area.
Q. How can I view DHCP address leases in Windows 2000?
A. When a client is offered and accepts an IP address a 'lease' is created for x amount of days. To view current leases perform the following:
It will give details of the IP address, client name and the lease expiration date. Expired leases are also shown for approximately one day but have a dimmed icon. This grace period protects a client lease in the event of the client and server being in different time zones, clocks not synced or simply offline.
Q. How do I change the DHCP address lease time in Windows 2000?
A. To modify the DHCP lease duration from the normal 8 days perform the following:
Q. How do I install the DNS Service?
A. The DNS Service can only be installed on NT Server and is installed as follows:
Q. How do I configure a domain on the DNS Server?
A. A new application has been added to the Administrative Tools group, DNS Manager, to configure the domain follow the procedures below:
Q. How do I add a record to the DNS?
A. To add a record, for example TAZ with IP address 200.200.200.4 perform the following
Q. How do I configure a client to use the DNS?
A. For an NT machine (and Windows 95) perform the following:
To test, you can start a command prompt and enter
nslookup <host name>
e.g. nslookup taz
The IP address of Taz will be displayed. Also try the reverse translation by entering
nslookup <ipaddress>
e.g. nslookup 200.200.200.4
The name Taz will be displayed.
Q. How do I change the IP address of a DNS server?
A. The information below assumes you have already changed the IP address of the machine ( Start - Settings - Control Panel - Network - Protocols - TCP/IP - Properties) and have rebooted. The scenario below assumes the old IP address was 200.200.200.3 and the new is 200.200.200.8
Update all the clients to use the new DNS server IP address.
The above procedure is the most complete way, however it should still work if you only perform steps 2 and 3.
Q. How can I configure DNS to use a WINS server?
A. It is possible to configure the DNS to use a WINS server to resolve the host name part of a Fully Qualified Domain Name (FQDN).
Q. Where in the registry are the entries for the DNS servers located?
A. The entries for the DNS servers are stored in the registry in the location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters under the NameServer value; each entry should be separated by a space. Using the Resource Kit utility REG.EXE the command to change it would be as follows
reg update HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NameServer="158.234.8.70 158.234.8.100" \\<machine name>
where 158.234.8.70 and 158.234.8.100 were the addresses of the DNS servers you wanted to configure. Note it sets the value, it does not append so ensure you enter in the existing DNS servers as well as the new ones.
This may be useful for granting users access to the internet by remotely updating their registry to know which DNS servers to use.
Q. I receive error message "No More Endpoints".
A. This can be caused by installing DNS on a machine that has previous settings contained in the %systemroot%\system32\dns directory. To correct perform the following.
Q. How do I configure DNS for an NT 5.0 domain? - NT 5.0 only
A. Windows NT 5.0 domains rely on DNS and require Dynamic DNS which is an update to the basic DNS specification and details can be found in RFC 2136 that can be viewed at ftp://ftp.isi.edu/in-notes/rfc2136.txt.
Another major update in DNS 5.0 is the addition of service (SRV) records and these have already been seen as a mechanism for publishing the ldap server, ldap.tcp.<domain> and it is through these records that domains can be looked up through the DNS service.
You could perform this on a separate NT 5.0 machine, the domain controller and the DNS server will probably not be the same machine, it just has to exist before upgrading the server to a domain controller. To install DNS 5.0 on the server perform the following:
You then need to configure the DNS service
Now the basic zone is configured the required entries for the domain need to be added
The final stage is to configure the zones to be dynamic update enabled which allows hosts to add records in the DNS server.
DNS is now configured for a domain and you can create the domain.
Q. How do I configure Active Directory integrated DNS? - NT 5.0 only
A. It is possible to configure DNS servers that are also domain controllers to store the contents of the DNS database in the Active Directory which will then be replicated to all domain controllers in the domain. The option to store the DNS database in the Active Directory is not available on DNS servers that are not domain controllers.
Q. Setting a secondary DNS server as primary results in errors.
A. If you have a secondary DNS server configured to duplicate all entries from another DNS server, you may experience a problem if you try to set it as a primary DNS server: the service does not start and an error to the effect of the data being wrong is logged:
Event ID: 7023
The MS DNS Server service terminated with the following error:
The data is invalid.

Event ID: 130
DNS Server zone zone name has invalid or corrupted registry data.
Delete its registry data and recreate with DNSAdmin.

Event ID: 133
DNS Server secondary zone zone name, had no master IP addresses in registry.
Secondary zones require masters.
DNS Manager fails to set the correct value for the zone Type in the registry (it is left as secondary) while it does erase the address of the primary DNS server the data came from. To correct this perform the following:
You should now be able to successfully start the DNS service
C:\> net start dns
The TYPE value can have one of two values,
0x1 specifies Primary zone
0x2 specifies secondary zone
A fix for this can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/%20hotfixes-postSP3/dns-fix
Q. How do I turn off Dynamic DNS? - Windows 2000 only
A. By default, the TCP/IP stack in NT 5.0 Beta 2 (and later builds) attempts to register its Host (A) record with its DNS server. This makes sense in an all NT (Windows 2000) environment. But if you are using a static, legacy DNS server, the DNS administrators might not like all the 'errors' this generates on their server, since those DNS servers will not understand these "updates".
You will get errors such as:
To make the clients stop attempting to publish their DNS names/addresses to the DNS server perform the following:
If you have multiple adapters in the machine you may not want to disable for all so instead of setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate to 1, set as 0 and then move to the sub key Interfaces\<interface name> and create the DisableDynamicUpdate value there and set to 1.
If you needed to perform this on a large number of machines you should create a reg script or set from the login script.
Q. How do I configure a forwarder on DNS 5.0? - Windows 2000 only
A. If you create a DNS server on your network but are not the main DNS server, i.e. your company has a central main DNS server, you will want to forward queries your DNS server cannot service to that DNS server.
This is because only certain servers in your network will have access to DNS servers outside your network (due to firewalls etc) and thus your (departmental?) DNS server cannot access the DNS servers higher up in the DNS hierarchy. To configure a forwarder perform the following:
If you are missing the forwarder tab see Q. I am missing the forwarder and Root Hints tabs in DNS 5.0
Q. I am missing the forwarder and Root Hints tabs in DNS 5.0. - Windows 2000 only
A. This is caused if your server thinks it is the root server in the domain, and will hence have a "." zone. To enable the forwarder you need to delete this zone from your server:
Q. How do I enable DNS round robin resolution?
A. Recent Windows NT service packs introduced LocalNetPriority which tries to return Host resources that are local to the requestor instead of using round robin however round robin can be enabled as follows:
Q. DNS resolution of a valid domain fails on NT.
A. If you are running NT4 DNS with either SP4 or SP5 installed you may find that a domain which resolves on Unix DNS servers times out when you do an NSLOOKUP on NT.
This is a known bug and a Quick Fix Engineering patch for NT bug 267085 is available from Microsoft support, or wait for SP6 to come out.
Q. How can I force a Windows 2000 domain controller to re-register its DNS entries?
A. To re-register the domain controller DNS entries perform one of the following:
Q. I'm getting DNS zone transfer messages in the event log, is someone hacking me?
A. No, don't panic, it just means someone is listing the content of a zone and this is fine since you are making the information publicly available anyway. To do this list see 'Q. How do I perform a DNS zone transfer?'
If you want to stop people performing zone transfers start the Microsoft DNS Manager, select the Zone, go into the Properties for the zone and select the Notify tab. Check the "Only Allow Access for Secondaries included on the notify list".
A typical event log is shown below:
Q. How do I perform a DNS zone transfer?
A. To list the content of a DNS zone perform the following commands (remember this does not actually remove any information from the host DNS server, it only lists it)
C:\>nslookup
Default Server: adm1.srv.uk.deuba.com
Address: 10.142.10.2
> set q=ns                        (sets the query type to name servers)
> db.com                          (the name of the DNS zone you wish to list)
Server: adm1.srv.uk.deuba.com
Address: 10.142.10.2
db.com nameserver = ns1.eur.deuba.com
db.com nameserver = ns2.eur.deuba.com
db.com nameserver = ns1.uk.deuba.com
db.com nameserver = ns2.uk.deuba.com
ns1.eur.deuba.com internet address = 10.70.136.140
ns2.eur.deuba.com internet address = 10.70.137.140
ns1.uk.deuba.com internet address = 10.141.39.181
ns2.uk.deuba.com internet address = 10.140.8.12
> server ns1.eur.deuba.com        (set the server to be one of those listed)
Default Server: ns1.eur.deuba.com
Address: 10.70.136.140
> ls -d db.com                    (list out the zone)
[ns1.eur.deuba.com]
db.com. SOA ns1.eur.deuba.com hostmaster.ose.eur.deuba.com. (1999091500 3600 1800 604800 1800)
db.com. NS ns1.uk.deuba.com
db.com. NS ns2.uk.deuba.com
db.com. NS ns1.eur.deuba.com
db.com. NS ns2.eur.deuba.com
db.com. A 10.141.44.112
db.com. MX 10 bmr1-e1.srv.uk.deuba.com
testxyz CNAME ns2.eur.deuba.com
atwork CNAME clust1v2.srv.uk.deuba.com
search.atwork CNAME homepage.mev.eur.deuba.com
phone.atwork CNAME nerys.x500.esb.eur.deuba.com
www2 A 38.163.212.70
www3 CNAME nyc00pah11.na.deuba.com
infohost.herold A 193.150.167.33
pmg NS ns1.eur.deuba.com
pmg NS ns2.eur.deuba.com
mgam CNAME clust1v2.srv.uk.deuba.com
it.mgam CNAME clust1v2.srv.uk.deuba.com
iis.mgam CNAME clust1v2.srv.uk.deuba.com
etsg.mgam CNAME clust1v2.srv.uk.deuba.com
That's it, you have now listed out all the records in the zone.
A. WINS stands for Windows Internet Name Service. WINS is a NetBIOS Name Server that registers your NetBIOS names and resolves into IP addresses.
If you're using NetBIOS over TCP/IP you will need to have WINS running so that each can find out the correct IP address of the other to communicate.
Need to browse over an interdomain network? WINS!
A. Once your machine is configured to point at a WINS server (and maybe a second backup WINS server);
A. WINS is a server service. Go to Control Panel->Network->Services and install the Windows Internet Name Service.
If you have any non-WINS clients, add them in as static name->IP mappings.
Configure a WINS Proxy Agent if needed.
Configure WINS support on your DHCP server.
NT Workstation TCP/IP->Properties->WINS add the IP address of the WINS server (and your secondary if you have one).
Q. What is a WINS Proxy Agent?
A. If you have non-WINS machines on your subnet and want them to be visible participants, you will want a Proxy Agent to be active within this subnet.
A WINS Proxy Agent is a WINS client that allows non-WINS clients to participate by listening for broadcast name requests and forwarding them to a WINS server. It then returns the result to the requesting client.
Use a Registry Editor (e.g. regedt32.exe) to open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters and set the EnableProxy parameter to 1.
Q. How do I configure WINS static entries for a non-WINS client?
A. Go into WINS Manager (under Admin Tools). Mappings->Static Mappings->Add Mappings, enter the NAME and IP ADDRESS of the machine in question. Under TYPE usually you'll just enter Unique. Now click ADD.
Q. How do I configure WINS to work with DHCP?
A. If the computer is a DHCP client, then at the DHCP server, go into DHCP Administrator (Admin Tools) and add two new SCOPE options:
Q. How can I compress my WINS database?
A. NT Server ships with a utility called JETPACK.EXE which can be used to compact DHCP and WINS databases. To compact your WINS database perform the following:
Note: While you stop the WINS service, clients using WINS to resolve addresses will fail unless another mechanism of name resolution is in place.
Jetpack actually compacts WINS.MDB into TMP.MDB, then deletes WINS.MDB and copies TMP.MDB to WINS.MDB.
For more information, see Knowledge base article Q145881 at http://support.microsoft.com/support/kb/articles/q145/8/81.asp
Q. WINS Automatic Backup does not run every 3 hours.
A. By default WINS backup will actually take place every 24 to 27 hours after the last backup completed.
To work around this perform the following:
Q. WINS Log files are created in incorrect locations.
A. The WINS service creates a number of log files, J50.log or J50.chk, in the %systemroot%\system32\WINS directory. This is normal.
If these files are being created in other directories it may cause a problem and stop the WINS service from starting. The log files can be created in different directories for one of the following reasons:
If your system now has the log files in the wrong place and the WINS service will not start just copy the log files to the %systemroot%\system32\WINS directory and restart the service
C:\> net start wins
If the WINS service is running it will lock the file and you will not be able to delete them so you should perform the following:
Q. WINS server is not being queried for entries in LMHOSTS after Service Pack 4.
A. Before Service Pack 4 a resolution request was always passed to a WINS server and only if no entry was found the LMHOSTS file checked.
Under Service Pack 4 any entry in the LMHOSTS file that has the #PRE qualifier (preloaded) will be used and the WINS server not queried. Therefore if you have incorrect entries in your LMHOSTS file it will prevent the WINS server from being queried so you should therefore edit the file %systemroot%\system32\drivers\etc\lmhosts (e.g. d:\winnt\system32\drivers\etc\lmhosts) and remove the offending entries.
Q. The Outlook/Exchange client takes a long time to start.
A. Sometimes the protocol binding for Exchange can be wrong if more than one protocol is installed, for example if you have NetBEUI and TCP/IP installed, and you connect to the Exchange server via TCP/IP, you need to ensure TCP/IP is first in the binding order, otherwise Exchange will attempt to communicate via NetBEUI initially. To check/set perform the following:
Q. How can I stop Outlook dialing my Internet Account on Startup?
A. Perform the following:
A. The following instructions are to install Exchange 5.0
It is a good idea to have a large pagefile.sys when running Exchange, a good size would be the amount of memory plus 100.
Q. How do I enable the Exchange Active Server Pages?
A. This functionality is new in 5.0, and enables a user to view their exchange mailbox from an Internet browser, such as Internet Explorer or Netscape. Before the Exchange Active Server Pages extension can be installed, there are two pre-requisites
NT Server 4.0 ships with IIS 2.0, therefore assuming you have not upgraded your system since then you will need to perform the following
Once this has finished, you will be able to connect to your Exchange mailbox by entering the URL
http://<Exchange server>/exchange
You then need to enter your Exchange alias and then click the "click here" text.
Q. How do I use the Exchange Optimizer utility?
A. After you install Exchange you are prompted to run the Exchange Optimizer utility, however it can also be run afterwards:
Q. How can I convert mail system X to Exchange?
A. Exchange is supplied with a migration wizard which can convert the following mail systems to Exchange
The wizard is in the Microsoft Exchange folder and below is an example of converting a MsMail Postoffice
Q. How can I create shortcut on the desktop with the "to" field completed?
A. As you may be aware, if you enter the command
exchng32 /n
this creates a blank new message; however it is not possible to specify a qualifier containing information for the content. A workaround to this is the following
If you now double click on the desktop message icon it will create a new message which you can edit and then send with information already filled in!
Q. NT Server hangs at shutdown if User Manager is running.
A. This is caused by an Exchange dll file which is used by User Manager, to fix this perform the following
Q. How can I send a mail message from the command line?
A. You need to use the MAPISEND.EXE utility that is supplied with the Exchange Resource kit. The resource kit can be downloaded from http://www.microsoft.com/msdownload/exchange/rkintel/rkintel.htm and you need to download the AdminNT part.
Once downloaded double click on the zip file and it will expand to a specified location. Copy the MAPISEND.EXE from the restored path (i386\admin\mapisend) to an area of your choice. The usage is simple as long as the exchange client is installed on the computer already (outlook is also OK).
mapisend -u "<profile>" -p <anything> -r <recipient> -s "<subject>" -t <text file containing the message>
e.g. mapisend -u "john savill" -p anything -r john@savilltech.com -s "Test message" -t c:\message\mail4.txt
This is just an example usage, and you may not be sure what your profile name is, so instead of using -u and -p use just -i, which allows interactive login and will also let you create a profile you can use in future. The full list of switches is:
| -u | Profile name (user mailbox) of sender |
| -p | Login password |
| -i | Interactive login (prompts for profile and password) |
| -r | Recipient(s) (multiples must be separated by ';' and must not be ambiguous in default address book.) |
| -c | Specifies mail copy list (cc: list) |
| -s | Subject line |
| -m | Specifies contents of the mail message, this is ignored if -t is specified |
| -t | Specifies text file for contents of the mail message |
| -f | Path and file name(s) to attach to message |
| -v | Generates an 8 line summary of the sent message |
In all cases if the passing parameter is more than one word it should be enclosed in quotes.
Q. What files does Exchange use?
A. Below is a list of the more common files used by Exchange
| File | Directory | Use |
| Priv.pat Pub.pat | Mdbdata | Patch files, safe to delete if no backup is taking place and no startup recovery is in operation |
| Dir.pat | DsaData | Patch files, as above |
| Dlv.log Snd.log Dlvxxxxx.log Sndxxxxx.log | Mdbdata | These are created when Sending and Delivering diagnostics logging for either the private and public information stores are set. These can be deleted at any time. Dlv.log and Snd.log are the most recent logs created. |
| PUB.EDB PRIV.EDB | MDBdata | Information store |
| DIR.EDB | DSAdata | Directory information |
| EDB.LOG | | Transaction log |
| EDB00nn.LOG | | Previous transaction logs |
| EDB.CHK | | Check point file |
| RES1.LOG RES2.LOG | | Emergency logs for when the disk is full |
| TEMP.EDB | | In-progress transaction |
Q. How can I change the location of my mail file in Outlook 98?
A. Your messages are stored in a .pst file, and by default this is kept in your personal profile space (%systemroot%/Profiles/<user name>/Application Data/Microsoft/Outlook). This is fine unless you use roaming profiles, which means your mail file is stored on a central server taking up space.
Fortunately moving your mail file is easy.
What this actually does is update one registry key, HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\14780fd532f9d11181cc00600851c569\001e6700 and its value is the name and location of the .pst file.
Q. How can I reduce the size of my mail file?
A. When you delete files from your mail file the space is usually not cleared away and your mail file may actually grow! To reclaim the wasted space you can "compact" the mail database. The information below is for Outlook 98 but previous versions have similar functions.
If you find the mail file has not been substantially reduced in size it may be there is no redundant information or you may need to run the compaction a couple more times as sometimes the process does not work 100%.
Q. I have a bad message in my POP3 mailbox, how can I remove it/read POP using TELNET?
A. It is possible to connect to a POP3 mailbox using Telnet, so you should connect via telnet and delete the problem message.
This is obviously useful in a number of scenarios and you could use it just to read your mail if you did not have access to a mail client.
Below is an example of the above in action.
[Image: popread.gif]
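The telnet session above done in code, as an added example that is not part of the original FAQ: a toy POP3 server (constructed mailbox, user john, password pass, all assumptions) and a client that lists the mailbox, peeks at each header with TOP so the bad body is never downloaded, marks the offending message with DELE and commits with QUIT.

```python
import socket
import threading

# Constructed sample mailbox for the toy server: message 2 is the "bad" one.
SAMPLE_MAILBOX = [
    "From: alice@example.test\r\nSubject: Hello\r\n\r\nFirst message.",
    "From: nobody@example.test\r\nSubject: Bad message\r\n\r\n" + "X" * 4000,
    "From: bob@example.test\r\nSubject: Third\r\n\r\nThird message.",
]

class TinyPop3Server(threading.Thread):
    """Toy POP3 server: the RFC 1939 subset a telnet session needs (USER, PASS, LIST, TOP, DELE, QUIT)."""
    def __init__(self, mailbox, user, password):
        super().__init__(daemon=True)
        self.mailbox = list(mailbox)
        self.user, self.password = user, password
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))      # loopback only, ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        f = conn.makefile("rwb")
        def reply(text):
            f.write((text + "\r\n").encode()); f.flush()
        reply("+OK POP3 server ready")
        given_user, authed, marked = None, False, set()
        while True:
            line = f.readline().decode().rstrip("\r\n")
            if not line:
                break
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                given_user = arg; reply("+OK")
            elif verb == "PASS":
                authed = given_user == self.user and arg == self.password
                reply("+OK logged in" if authed else "-ERR invalid login")
            elif verb == "QUIT":
                if authed:   # UPDATE state: deletions only take effect here
                    self.mailbox = [m for i, m in enumerate(self.mailbox) if i not in marked]
                reply("+OK bye"); break
            elif not authed:
                reply("-ERR log in first")
            elif verb == "LIST":
                reply("+OK")
                for i, m in enumerate(self.mailbox):
                    if i not in marked:
                        reply(f"{i + 1} {len(m)}")
                reply(".")
            elif verb in ("TOP", "DELE"):
                n = int(arg.split()[0]) - 1
                if not 0 <= n < len(self.mailbox) or n in marked:
                    reply("-ERR no such message")
                elif verb == "DELE":
                    marked.add(n); reply("+OK marked for deletion")
                else:   # "TOP n 0": headers and the blank line, none of the body
                    reply("+OK")
                    for h in self.mailbox[n].split("\r\n\r\n", 1)[0].split("\r\n") + [""]:
                        reply("." + h if h.startswith(".") else h)   # byte-stuff leading dots
                    reply(".")
            else:
                reply("-ERR unknown command")
        conn.close()

def clean_mailbox(host, port, user, password, bad_subject):
    """List the mailbox, peek at each header with TOP, DELE the message whose
    Subject matches, then QUIT to commit. Returns (messages seen, numbers deleted)."""
    with socket.create_connection((host, port)) as s:
        f = s.makefile("rwb")
        def cmd(text, multiline=False):
            f.write((text + "\r\n").encode()); f.flush()
            status = f.readline().decode().rstrip("\r\n")
            if not status.startswith("+OK"):
                raise RuntimeError(f"{text.split()[0]} failed: {status}")
            lines = []
            while multiline:              # read up to the lone ".", undoing byte-stuffing
                part = f.readline().decode().rstrip("\r\n")
                if part == ".":
                    break
                lines.append(part[1:] if part.startswith("..") else part)
            return lines
        f.readline()                      # server greeting
        cmd(f"USER {user}")
        cmd(f"PASS {password}")
        numbers = [int(entry.split()[0]) for entry in cmd("LIST", multiline=True)]
        deleted = []
        for n in numbers:
            headers = cmd(f"TOP {n} 0", multiline=True)   # headers only: the bad body is never pulled
            if any(h.lower() == f"subject: {bad_subject.lower()}" for h in headers):
                cmd(f"DELE {n}"); deleted.append(n)
        cmd("QUIT")                       # nothing is removed until QUIT succeeds
    return len(numbers), deleted

def demo():
    srv = TinyPop3Server(SAMPLE_MAILBOX, "john", "pass"); srv.start()
    seen, deleted = clean_mailbox("127.0.0.1", srv.port, "john", "pass", "Bad message")
    srv.join(timeout=5)
    return seen, deleted, len(srv.mailbox)   # (3, [2], 2) for the sample mailbox
```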
Q. How can I send mail to a SMTP server using Telnet?
A. As with POP3, SMTP messages can also be sent using telnet by connecting to port 25 on the SMTP server, e.g.
C:\> telnet smtp.savilltech.com 25
Once connected you optionally announce to the server who you are (this is needed for some SMTP servers)
helo <domain>
e.g. helo savilltech.com
vrfy <user account>
e.g. vrfy john
Once you are verified you can start writing an e-mail message. The first command is mail and you specify who it is from, e.g.
mail from:<billg@microsoft.com>
The address has to be in <>. Next you have to specify who will be receiving the message using rcpt, e.g.
rcpt to:<john@savilltech.com>
Once the from and to have been completed you can start the body of the message using the data command. You have to create the header information in the first lines of the message. Once you have completed the message enter a '.' on a blank line and the message will be sent. Below is an example creating a message.
[Image: smtpsend.gif]
As you can see I entered a from, date, to and a subject and then entered the body of the text. Make sure you don't make a mistake as if you backspace this is interpreted as a bad character and will be rejected. If a message is rejected a rejection will be sent to the address specified in the "mail from:<...>" and for this reason you should only ever put your e-mail address. Although I have used a different address as a joke you should NEVER do this.
Below is how the message looks when received in Outlook 98:
[Image: smtpview.gif]
The above shows how easy it is to send a message and make it look as if it came from a different address, but if you examined the header you would easily see it was sent from a different mail server and rumble it's a fake (and a very bad one)!
I shall be adding future entries describing how to STOP people sending mail from your server (as they probably can at the moment).
For full information on SMTP and the commands you can use see Request For Comments 821.
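The session described above as an added example, not code from the original FAQ: a toy receiving MTA (hostname mail.example.test and all addresses are assumptions) and a client that sends the same helo/mail from/rcpt to/data/"." sequence, followed by the header check the text describes, since the envelope sender and the Received: trace line come from the session while the From: line is whatever was typed inside data.

```python
import socket
import threading

class TinySmtpServer(threading.Thread):
    """Toy receiving MTA: just the RFC 821 verbs used on the page (HELO, MAIL, RCPT, DATA, QUIT)."""
    def __init__(self, hostname="mail.example.test"):
        super().__init__(daemon=True)
        self.hostname = hostname
        self.messages = []                  # (envelope sender, recipients, stored lines)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))    # loopback only, ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, peer = self.sock.accept()
        f = conn.makefile("rwb")
        def reply(text):
            f.write((text + "\r\n").encode()); f.flush()
        reply(f"220 {self.hostname} Simple Mail Transfer Service Ready")
        sender, rcpts = None, []
        while True:
            line = f.readline().decode().rstrip("\r\n")
            if not line:
                break
            verb = line.split(" ", 1)[0].upper()
            if verb == "HELO":
                reply(f"250 {self.hostname}")
            elif verb == "MAIL":
                sender = line.split(":", 1)[1].strip(); reply("250 OK")
            elif verb == "RCPT":
                rcpts.append(line.split(":", 1)[1].strip()); reply("250 OK")
            elif verb == "DATA":
                reply("354 Start mail input; end with <CRLF>.<CRLF>")
                body = []
                while True:
                    part = f.readline().decode().rstrip("\r\n")
                    if part == ".":
                        break
                    body.append(part[1:] if part.startswith("..") else part)   # undo dot-stuffing
                # A real MTA prepends a Received: trace line naming the connecting host; this
                # is what gives away a forged From: when the recipient inspects the headers.
                trace = f"Received: from {peer[0]} by {self.hostname} (simplified trace line)"
                self.messages.append((sender, list(rcpts), [trace] + body))
                reply("250 OK queued")
            elif verb == "QUIT":
                reply("221 Bye"); break
            else:
                reply("500 Command not recognized")
        conn.close()

def send_message(host, port, helo_domain, envelope_from, rcpt_to, header_lines, body_lines):
    """Drive the session exactly as the page types it by hand; returns the transcript."""
    transcript = []
    with socket.create_connection((host, port)) as s:
        f = s.makefile("rwb")
        def expect(code):
            answer = f.readline().decode().rstrip("\r\n")
            transcript.append("S: " + answer)
            if not answer.startswith(code):
                raise RuntimeError(answer)
        def send(text):
            transcript.append("C: " + text)
            f.write((text + "\r\n").encode()); f.flush()
        expect("220")
        send(f"helo {helo_domain}"); expect("250")
        send(f"mail from:<{envelope_from}>"); expect("250")
        send(f"rcpt to:<{rcpt_to}>"); expect("250")
        send("data"); expect("354")
        for text in header_lines + [""] + body_lines:   # blank line separates headers from body
            send("." + text if text.startswith(".") else text)   # dot-stuffing per RFC 821
        send("."); expect("250")
        send("quit"); expect("221")
    return transcript

def header_from(stored_lines):
    """The From: the recipient sees is only text typed inside DATA."""
    for text in stored_lines:
        if text.lower().startswith("from:"):
            return text.split(":", 1)[1].strip().strip("<>").lower()
    return None

def envelope_matches_header(envelope_sender, stored_lines):
    """MAIL FROM (where any rejection goes) versus the header From: line."""
    return envelope_sender.strip("<>").lower() == header_from(stored_lines)

def demo():
    srv = TinySmtpServer(); srv.start()
    transcript = send_message("127.0.0.1", srv.port, "savilltech.com", "john@savilltech.com",
                              "john@savilltech.com",
                              ["From: someone.else@example.test",   # does not match the envelope
                               "To: john@savilltech.com", "Date: Mon, 1 Mar 1999 09:00:00 +0000",
                               "Subject: Test message"], ["Sent by hand over port 25."])
    srv.join(timeout=5)
    envelope_sender, _, stored = srv.messages[0]
    return transcript, envelope_sender, stored
```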
Q. Is there a list of known Exchange Directory and Information store problems?
A. An excellent collection has been compiled and is located at http://support.microsoft.com/support/exchange/content/whitepapers/dsis.asp
Q. How do I install Exchange Server 5.5?
A. These instructions are to install the first Exchange Server in the Enterprise
Before you install Exchange Server 5.5, two accounts need to be decided on. The first account is the account that you log on as when you perform the installation of Exchange as this account will be automatically granted the Exchange Administrator permission.
The second account needs to be created and this will be used as the service account for running the Exchange Server services. Any name can be used, the most obvious would be "Exchange Service". To create this account perform the following:
Under Windows 2000 this would be set using the Active Directory Users and Computers MMC snap-in, expand the domain, right click on Users and select New - Users. Enter Exchange Service, click Next and then select the options as in step 4 and click Finish. I found under Windows 2000 I had to make the Exchange Service account a member of the local Administrators group on the server Exchange is being installed on.
Also before installing make sure you have a complete backup of your system.
Now you can start the installation.
Once Installation is complete you should run the Microsoft Exchange Performance Optimizer (Start - Programs - Microsoft Exchange - Microsoft Exchange Optimizer). You will be given the option to run this automatically if installation is successful.
Q. How do I run the Exchange Optimizer?
A. Exchange ships with a utility that allows the program to gather information about the computer and make changes to the Exchange configuration to enhance performance. These performance enhancements are primarily gained by moving the files that make up Exchange to different physical disk drives.
[Image: optimize.gif]
Q. What Service Packs are available for Exchange?
A. Below is a list of the service packs available:
Exchange 5.5
Service Pack 2 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/Sp2/Server/
Files to download:
| SP2_550A.EXE | Server update for Alpha |
| SP2_550I.EXE | Server update for Intel |
| SP2_55CA.EXE | Chat server update for Alpha |
| SP2_55CI.EXE | Chat server update for Intel |
| SP2_55DC.EXE | Documentation |
| SP2_55FO.EXE | HTML Form Converter |
| SP2_55SS.EXE | Server support files (cluster,KMS,etc) |
| SP2_55XA.EXE | Exchange connector installation(Alpha) |
| SP2_55XI.EXE | Exchange connector installation(Intel) |
| SP2S550A.EXE | Server symbols for Alpha |
| SP2S550I.EXE | Server symbols for Intel |
| SP2S55CA.EXE | Chat server symbols for Alpha |
| SP2S55CI.EXE | Chat server symbols for Intel |
| SP2_55RE.EXE | Readme and HTML file |
Service Pack 1 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/SP1/Server/
Files to download:
| SP1_550A.EXE | Server update for Alpha |
| SP1_550I.EXE | Server update for Intel |
| SP1_55CA.EXE | Chat server update for Alpha |
| SP1_55CI.EXE | Chat server update for Intel |
| SP1_55DC.EXE | Documentation |
| SP1_55FO.EXE | HTML Form Converter |
| SP1_55SS.EXE | Server support files (cluster,KMS,etc) |
| SP1_55XC.EXE | Exchange connector installation |
| SP1S550A.EXE | Server symbols for Alpha |
| SP1S550I.EXE | Server symbols for Intel |
| SP1S55CA.EXE | Chat server symbols for Alpha |
| SP1S55CI.EXE | Chat server symbols for Intel |
| SP1_55RE.EXE | Readme and HTML file |
Hotfixes post Service Pack 1
| PSP1STRI.EXE | Store Fix |
Exchange 5.0
Service Pack 1 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Sp1/Server/
Files to download:
| SP1_500A.EXE | Server update for Alpha |
| SP1_500I.EXE | Server update for Intel |
| SP1S500A.EXE | Server symbols for Alpha |
| SP1S500I.EXE | Server symbols for Intel |
Service Pack 2 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Sp2/Server/
Files to download:
| SP2_500A.EXE | Server update for Alpha |
| SP2_500I.EXE | Server update for Intel |
| SP2S500A.EXE | Server symbols for Alpha |
| SP2S500I.EXE | Server symbols for Intel |
Q. How can I retrieve mail from a POP3 mailbox and forward it to Exchange server?
A. If your ISP does not support ETRN, then you have to use a third party utility to retrieve the mail from a POP3 mailbox. One of these utilities is Mail essentials Small Business (http://www.gficomms.com/). For one mailbox this is a freeware utility.
A more complete listing of utilities can be found on http://www.slipstick.com/
Q. How do I upgrade from Exchange 5.0 to 5.5?
A. The Exchange 5.5 upgrade process performs a database upgrade before it copies any of the 5.5 code to the server. This allows for a complete rollback in case the upgrade of the database fails. Below are the steps in performing the upgrade:
Q. How do I uninstall Exchange?
A. To uninstall Exchange perform the following. Be aware you will lose all information.
Q. How do I install a duplicate Exchange server?
A. With the concept of sites in Exchange, it is possible to install multiple Exchange servers in a site which will replicate to one another. Duplicate servers in a site provide fault tolerance and load balancing. Servers within a site don't have to be in the same domain but should be connected by a fast connection; 128KB is the normal definition of a fast link. To install a duplicate server in a site perform the following:
You now have a duplicate Exchange server in the specified site.
Q. How do I connect Exchange sites?
A. If you configure multiple sites by installing new servers and entering a different site name (but the same organization name) you can connect the sites using Exchange's built-in site connector. To connect sites using the built-in connector they must be able to communicate via RPC calls; to test this see Q. How can I check if servers can communicate via RPC's?. Many routers actually filter out RPCs so it is important you perform this test.
To add a connector between sites perform the following:
The connection will now be visible under the Connections tab.
Q. Exchange Security Knowledge Base list.
A. Below is a list of useful Knowledge Base articles.
1) How to install Exchange 5.5 with support for V1 and V3 certificates for S/MIME and public/private key encryption (signing and sealing mail messages). This uses the CA version 1.0 (Certificate Authority) in IIS 4.0 that comes in the NT 4.0 Option Pack. This requires the updated CA Server. See these KB articles:
Q192044 Setting Up X509v3 Certs on Exch 5.5 SP1 KMS with Local CertSrv
Q184695 Readme Notes for Certificate Server Update
2) How to set up SSL/TLS between Exchange Server 5.0/5.5 and Internet e-mail clients: POP3, IMAP4, NNTP, HTTP, SMTP.
Q175439 XFOR: Enabling SSL For Exchange Server
3) How to set up SSL/TLS between Exchange Server and another SMTP (non-Exchange) host. This requires enabling SSL for the SMTP protocol first. See Q175439 for instructions, but select SMTP as the protocol to be used in Key Manager.
Q174755 XFOR: Connecting IMS to IMS with SASL
4) When you use Microsoft Outlook Express to connect to Microsoft Exchange Server, version 5.0 with Service Pack 1 installed, the Information Store may stop responding (crash). Fixed in the Latest Service Pack.
Q166627 XCLN: Outlook Express Crashes Store When SSL Is Used
5) When trying to access a mailbox in Internet Explorer version 3.02 when the WWW Service for the Internet Information Server (IIS) computer is configured to use Windows (NTLM) authentication only, you may receive the following error message: The Login Request was Denied. Fix is to upgrade to IE 4.0 or use Registry Entry.
Q173307 XWEB: "The Login Request was Denied" Error Message
6) If you configure the Internet Mail Service on two Microsoft Exchange Server computers to use Secure Sockets Layer (SSL) without authentication, you may receive a non-delivery report (NDR) when you attempt to send mail from one server to another through the Internet Mail Service. The text of the NDR includes a 505 error and indicates that authentication is required for the message to be delivered. Fixed in the Latest Service Pack for 5.5.
Q181481 XFOR: Non-Delivery Report When Using SSL Without Authentication
7) On July 17, 1998 Microsoft released an updated version of Schannel.dll. This latest version provides the following benefits: Updates the SChannel.dll used by IIS and Exchange Server for Encryption. See article for Details.
Q148427 Generic SSL (PCT/TLS) Updates for IIS and MS Internet Products
Q181937 Latest SGC-Enabled Schannel.dll Breaks IIS 3.0 Key Manager [iis]
8) Microsoft Proxy Server is designed to work well with other servers like Microsoft Exchange Server. Most Windows Sockets server applications are able to use the server proxy feature while installed on or behind the Proxy Server. Certain additional advanced settings may be required, based on your particular internal server configuration.
Q181420 How to Configure Exchange or Other SMTP with Proxy Server
Q187652 Accessing Data Published Behind MS Proxy Server 2.0
Q178532 Configuring Exchange Internet Protocols with Proxy Server
Q177153 Additional Proxy Server 2.0 Configurations [proxysvr]
9) This article discusses the known TCP/IP ports (TCP and/or UDP) that are used by services within Microsoft Windows NT version 4.0 and Microsoft Exchange Server version 5.0 and 5.5.
Q150543 WinNT, Terminal Server, & Exchange Services Use TCP/IP Ports [crossnet]
10) Microsoft Exchange Server versions 5.0 and 5.5 support a variety of Internet-focused protocols, including POP3, HTTP, LDAP, and NNTP. This article explains the different authentication forms for each protocol.
Q175440 Protocol Authentication on Exchange Server [exchange]
Q. How do I configure Exchange Directory Replication?
A. Once you have connected sites by a connector, be it Exchange, X.400 or Dynamic RAS, no data will be replicated until you configure the directory replication. You must have defined connections between the sites before Directory Replication can be configured.
To configure Directory Replication perform the following:
The Directory Replicator between the sites is now configured and can be modified by double clicking on the replicator as part of the Directory Replication folder.
Q. How do I monitor an Exchange link?
A. It is possible to install link connectors which can be configured to perform a number of actions in the event of a link failure.
Q. How do I delete a server from an Exchange site?
A. If you have multiple servers in a site and a server no longer exists you can delete it from the Exchange Administrator program by performing the following:
The server will now be removed.
Q. How do I setup an Exchange forward?
A. A forward can be configured in a number of places. The first place is at the Exchange server:
People will now be able to send mail to this person and it will be forwarded accordingly.
You could also in Exchange Administrator setup a Custom Recipient (as above), then in the Delivery Options for your mailbox set an Alternate Recipient which points to the Custom Recipient that you just created. Select the "Deliver messages to both recipient and alternate recipient" checkbox. In the properties for the custom recipient you can select the option to hide it from the address list.
Other options that can be done at the client end include
Q. How do I configure a X.400 Exchange connector?
A. Aside from the native Exchange connector, the X.400 connector is the most common Exchange connector, allowing Exchange to connect to non-Exchange systems. While X.400 suffers a 20% drop in performance in comparison to the native Exchange connector it is still impressive.
X.400 is a common standard and Exchange's implementation is based on the 1988 standard. X.400 operates on an MTA stack, which has to be installed before installing an X.400 connector. MTA stacks are available for TCP/IP, X.25 and TP4. A stack is available for RAS as well but that stack does not support X.400. In this walkthrough we will look at implementing X.400 over TCP/IP.
Only Exchange Enterprise edition has the X.400 connector and not the standard edition (also Enterprise has the SNADS and OV/VM(PROFS) connectors which standard does not have). If you only have standard edition and require X.400 connector you will need to upgrade or purchase the X.400 connector as a separate product from Microsoft.
The first step is to install the MTA transport stack
If you find you don't have a number of MTA stacks check you installed the X.400 connector at installation time. Re-run setup and click Add/Remove. Select Exchange Server and click Change Options. Check the "X.400 Connector" box and click OK. Click Continue. You will now be able to install the TCP/IP MTA stack.
Now the MTA stack is installed you can install the actual X.400 connector and configure it accordingly.
You now have a functional one-way X.400 link. You would now need to repeat the above for the opposite direction.
Q. How do I allow a user to administer Exchange?
A. When Exchange is installed the user who performs the installation is granted Exchange Administrator rights. To grant additional users the ability to administer Exchange perform the following:
The user (or group) will now have the granted rights to Exchange. You may want to create a group, e.g. Exchange Admins, grant this access in Exchange, then Add/Remove users to this group.
Q. How do I grant permission for people to create top level public folders?
A. By default all users can create top level folders however this can be changed if you would like to restrict this
[Image: extoplvl.gif - Setting top level folder creation access]
Alternatively you could have left it as All and modified the list of people who should not be able to create top-level folders.
If people are still logged in they will be able to continue to create top-level folders until they close Outlook/Exchange and restart it.
Q. How do I create public folders?
A. Public folders are administered/created using the 32-bit Exchange clients such as Exchange and Outlook.
To create a top-level public folder perform the following:
To create non-top level folders just select the folder that you wish to be the parent and select New - Folder from the File menu. You will then be able to name the sub-folder as with above.
Q. How do I connect my Exchange server to a SMTP server?
A. Exchange Server 5.5 ships with the Internet Mail Service which allows Newsgroup feeds and, among other things, connections to a SMTP mailbox.
You will need a connection method to the SMTP mailbox, for example a RAS dial-up connection to an ISP. If you are connecting via a firewall make sure the ports used by SMTP and POP are not blocked (ports 25, 110 and 995).
Before doing any of this you should ensure DNS is correctly configured for your local domain (or this may be done by the ISP) by adding an MX record for the Exchange server in DNS (this is not needed if you are connecting via a RAS dial-up connection and just connecting to a specific host).
In this example we will connect to a SMTP mailbox at an ISP.
To configure items such as the dial-up account username and password double click on "Internet Mail Service" under Configuration\Connections, select the Dial-up Connections tab and click Logon Information. From this tab you can also configure the time-out and how often to dial out.
If you have problems try applying Service Pack 1 which I found fixes a number of problems.
Q. How do I connect my Exchange server to a NEWS feed?
A. Exchange Server 5.5 has the ability to accept a news feed and publish it to the Public Folders area. It can also be configured to post back any articles posted by your network's users to the appropriate news server.
It will now connect for the first time and get an initial feed for all newsgroups selected.
[Image: excnews.gif - Always download the Exchange Admin newsgroup :-), don't we all?]
Clients will now be able to view via the Folders List in Outlook, Public Folders - All Public Folders - Internet Newsgroups - microsoft .....
[Image: outnewsread.gif]
You can change any details by double clicking on the appropriate Newsfeed entry under Connections. For example, clicking Schedule allows you to specify how often to connect at certain times of the day/days of the week.
If you are connecting via dial-up you can change the time-out parameter as follows:
Q. What web sites have good Exchange information?
A. Below is a list of some of the best sites I have found
Good Downloads are:
Q. How do I download to Exchange from multiple POP3 mail boxes?
A. Exchange does not really support the downloading of mail from POP3 since you would be asking a server to act like a client. A 3rd party piece of software called PULLMAIL, which can be downloaded from http://www.swsoft.co.uk/pullmail, can be used to download from a POP3 mailbox and deposit it in an Exchange mailbox. Using the command procedure below it can be made to download from multiple POP3 mailboxes and deposit in the correct mailbox.
Enter the following into file getmail.cmd and save.
@ECHO OFF
REM getmail.cmd 20-Aug-1997 Luke Brennan
SET POPUSERS=%SystemRoot%\POPUSERS.DAT
REM RASPHONE -d OzEmail
REM
The next step is to create the file that GETMAIL.CMD will read in, POPUSERS.DAT. Below is an example. GETMAIL.CMD expects to find the file in the %systemroot% directory (e.g. d:\winnt) however you can change that by altering the "SET POPUSERS=.." line.
POPusers.dat
; space or comma delimited file
; 1. ISP pop server 2. POP3 account 3. POP3 password 4. EXCHANGE username
;
savcom.demon.co.uk rita pass savillr
cello.cchs.usyd.edu.au brennan ###### LDB
savill.pipex.co.uk johnsavill pass savillj
Q. How do I install the Key Management Server?
A. Key Management Server allows secure e-mail via both signed and encrypted messages. To install perform the following:
If you choose to store the password, you will notice that a single file, kmserver.pwd, is created containing a single word, for example:
SWOBRQSBQZPSPQC
The final step is to configure the Key Management service to start automatically at reboot time.
Q. How do I manage the Certificate Authority of Key Management Server?
A. This is managed through the Exchange Administrator program as follows but make sure that the Microsoft Key Management service is running (Start - Settings - Control Panel - Services)
To change your CA password perform the above then:
You can also add new KM administrators from the Administrators tab
Q. How do I enable advanced security for a user?
A. By default users do not have advanced security after the KM server is installed. To enable it for a user perform the following actions:
To allow the key to be sent via e-mail to the user perform the following:
Now notify the recipient to read their mail or give them the password and they should perform the following:
[Image: keyinst.gif - Hmmm, looks like a year 2000 problem!]
Options for which security to use, signing or encryption, can be set using the Security tab of the client's Options dialog or on an individual message basis by clicking the Options button.
Q. How do I automatically create an Exchange mailbox for all members of the domain?
A. Exchange can import users from a comma-separated-file (CSV) of the format:
Obj-Class,Common-Name,Display-Name,Home-Server,Comment
Mailbox,Administrator,,~SERVER,Built-in account for administering the computer/domain
Mailbox,batman,Bruce Wayne,~SERVER,
Mailbox,denise,denise van outen,~SERVER,
Mailbox,Exchange Service,Exchange Service,~SERVER,
Mailbox,Guest,,~SERVER,Built-in account for guest access to the computer/domain
Mailbox,IUSR_ODIN,Internet Guest Account,~SERVER,Internet Server Anonymous Access
Mailbox,IWAM_ODIN,Web Application Manager account,~SERVER,Internet Server Web Application Manager identity
Mailbox,krbtgt,,~SERVER,Key Distribution Center Service Account
Mailbox,MTS_ODIN,MTS_ODIN,~SERVER,Transaction Server system package administrator account
Exchange has the ability to generate this file from either a NT domain listing or a NetWare account list.
The file generated has ALL accounts in the domain (as can be seen in the example), for example Exchange service accounts, guest account, IIS accounts so you may want to edit the file generated and remove the lines for whom accounts should not be created.
Once the file has been edited to satisfaction perform the following:
[Image: exdomimport.gif - Example Import from Domain file]
Every member of your domain now has a mailbox on the Exchange server. In larger domains with multiple Exchange sites you may edit the file and import some people into one Exchange site and others into a different site depending on their geographical location.
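The editing step described above done in code, as an added example that is not from the FAQ: parse the exported file with Python's csv module, drop the built-in, IIS, MTS and Exchange service accounts, and write the remainder back in the same format for import. The sample export is a constructed copy of the one shown above and the exclusion list is an assumption drawn from it.

```python
import csv
import io

# Constructed sample in the export format shown above (not a real domain).
SAMPLE_EXPORT = """\
Obj-Class,Common-Name,Display-Name,Home-Server,Comment
Mailbox,Administrator,,~SERVER,Built-in account for administering the computer/domain
Mailbox,batman,Bruce Wayne,~SERVER,
Mailbox,denise,denise van outen,~SERVER,
Mailbox,Exchange Service,Exchange Service,~SERVER,
Mailbox,Guest,,~SERVER,Built-in account for guest access to the computer/domain
Mailbox,IUSR_ODIN,Internet Guest Account,~SERVER,Internet Server Anonymous Access
Mailbox,IWAM_ODIN,Web Application Manager account,~SERVER,Internet Server Web Application Manager identity
Mailbox,krbtgt,,~SERVER,Key Distribution Center Service Account
Mailbox,MTS_ODIN,MTS_ODIN,~SERVER,Transaction Server system package administrator account
"""

FIELDS = ["Obj-Class", "Common-Name", "Display-Name", "Home-Server", "Comment"]

# Accounts that never get a mailbox. The names and prefixes are an assumption
# drawn from the sample export; extend them for your own domain.
EXCLUDED_NAMES = {"administrator", "guest", "krbtgt", "exchange service"}
EXCLUDED_PREFIXES = ("iusr_", "iwam_", "mts_")


def is_service_account(row):
    """True for built-in, IIS, MTS and Exchange service accounts."""
    name = row["Common-Name"].strip().lower()
    if name in EXCLUDED_NAMES or name.startswith(EXCLUDED_PREFIXES):
        return True
    # Built-in accounts are also recognisable by the comment the export carries
    return row["Comment"].lower().startswith("built-in")


def filter_export(text):
    """Split an export into (rows to import, common names dropped)."""
    kept, dropped = [], []
    for row in csv.DictReader(io.StringIO(text)):
        if is_service_account(row):
            dropped.append(row["Common-Name"])
        else:
            kept.append(row)
    return kept, dropped


def write_export(rows):
    """Serialise the kept rows with the same header line, ready for the import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```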
Q. How do I avoid having to enter the Key Management password?
A. If you have the Key Management Server installed each time you start the KM service you have to either insert a disk with the password on or manually enter it depending on your configuration.
It is possible to configure the service to look on the hard disk, although this is not recommended for security reasons; on development systems this may be OK.
Next time the service is started it will look for the password file on the local hard disk and not prompt for a disk to be entered.
Q. I archived some .pst files to a CD-ROM but am unable to load the files.
A. When Outlook opens a PST file it needs write access so you will be unable to load a file from a read-only media such as a CD-ROM drive.
To resolve simply copy the file to a writeable media and read accordingly.
Messages can be sent to a .pst file by using Outlook's archive function. To open with Outlook 98 select File - Open - Personal Folders File.
If you store the PST files in a ZIP file on a CD they can be accessed (as when you access a ZIP file it is decompressed locally which would be writable).
Q. How can I limit Exchange mailbox size?
A. Exchange comes built in with the ability to limit and notify of quota violations.
To set the limits perform the following:
[Image: excquota.gif]
Individual limits can be set for users by double clicking on them under the Recipients branch and selecting the "Limits" tab. Under "Information Store storage limits" sections unselect the "Use information store defaults" and set explicit values for the user. Useful for your own mailbox ;-)
Now the values for the warning have been configured you must tell the system how often to warn the mailbox owner.
If a client exceeds the limit they will be given warnings to the effect of
[Image: quotabad.gif]
If the client does not have the helpful Office Assistant enabled they will just get a normal dialog box.
A message from the "System Administrator" with the conditions of the mailbox quotas will also be sent:
Your mailbox has exceeded one or more size limits set by your administrator.
Your mailbox size is 1518 KB.
Mailbox size limits:
You will receive a warning when your mailbox reaches 900 KB.
You cannot send mail when your mailbox reaches 1100 KB.
You cannot send or receive mail when your mailbox reaches 1500 KB.
You may not be able to send or receive new mail until you reduce your mailbox size. To make more space available, delete any items that you are no longer using or move them to your personal folder file (.pst). Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit. You must empty the Deleted Items folder after deleting items or the space will not be freed.
See client Help for more information.
Q. How can I limit message sizes in Exchange?
A. Maximum size limits can be set on the Message Transfer Agent (MTA) for inter-server traffic by selecting the General tab of the MTA configuration dialog of the server. A message that is too large would then be returned to the sender; however, for people on the same server this limit is not used.
Limits can also be set on a per user basis for all traffic:
[Image: exlimit.gif - Setting the maximum outgoing size to 2MB]
Q. How can I undelete mail in Outlook?
A. When you delete an item from the Outlook client (and it's been removed from the Deleted Items folder) it is actually kept on the Exchange server for a set amount of time (Exchange Server 5.5 and above only). Obviously this only applies if the mail is from an Exchange server; if you use Outlook to download from POP3, IMAP etc. this does not work. Mail can be recovered as follows:
[Image: msgrecov.gif]
To change the number of days Exchange stores deleted items for perform the following:
Q. What workflow software is available for Exchange server?
A. Workflow software is a tool to manage and automate business processes such as order processing, purchasing, support and sales.
Using Microsoft Exchange Server or an SMTP/POP3 server and third party workflow software, you can easily implement powerful workflow applications that will streamline and decrease the cost of a business process.
There are several third party workflow packages available for Exchange server. A few of them are
For a complete list please go to http://www.exchangesoftware.com/ or for more information on workflow, go to http://www.workflowsoftware.com/.
Q. How do you add an additional Global Address Book or another view to the global address book?
A. This would be useful so that, for example, you could separate vendors' e-mail addresses (Internet mail) from your actual post office users.
This cannot be done easily.
You would have to create Address Book Views. These would divide the GAL any way you wanted based on criteria that you provide.
But you have to assign search rights to everyone, and if you make one mistake NO ONE will be able to see anything in the address lists.
Here is the procedure for setting up Container Level Search Control using Address Book Views. This allows you to create virtual Exchange Server organizations within a single Exchange Server organization or site. This is useful if you have multiple companies or departments within one Exchange Server organization and you want to prevent these companies or departments from viewing the mailboxes of other companies or departments in the Global Address List.
To set up Container Level Search Control using Address Book Views, perform the following steps:
NOTE: Before changing the rights of the Exchange Service Account, make sure that at least one other Windows NT account or group has at least the Permissions Admin Role on the Organization object.
After you perform these steps, you should be able to log on to an Exchange Server mailbox. Open the Address Book and choose "Show Names from the:" Global Address List. You should only see mailboxes and/or custom recipients from the Address Book View that your mailbox is associated with.
This will not work for any mailbox whose associated Windows NT account has permissions on objects that give them inherited rights to the Address Book Views. These mailboxes will still be able to view the complete Global Address List.
Q. How do I delete a bad Schedule+ message?
A. When users' free/busy information is not being published to the Schedule+ Free Busy public folder server correctly, or free/busy information shows free even though a user has appointments, you may need to remove the "stuck" or corrupted messages in the Schedule+ Free Busy hidden public folder.
To resolve this use mdbvu32 to remove the corrupt message. Mdbvu32.exe is on the Exchange Server CD in the support/utils directory.
MDBVU32 STEPS
If the information is still not visible, go back to step 1 on using mdbvu32 to look at the Schedule+ free/busy information again and check to make sure that 2 messages don't exist. If they do, follow the steps to remove them and complete the process again.
Q. How do I link Exchange 5.5 and the Windows 2000 Active Directory?
A. The latest beta of Windows 2000 ships with the Microsoft Active Directory Connector (ADC) which replicates a hierarchy of directory objects between the Exchange Server 5.5 directory and the Windows 2000 Active Directory.
But first a potential problem:
Port 389 is used for LDAP communication but if you are running Windows 2000 and Exchange 5.5 on the