Windows NT FAQ Single File Version

This FAQ is copyright © 1999 John Savill (SavillTech Ltd) all rights reserved. No part of this document should be reproduced, distributed or altered without my permission. You may print it for your own use personnel use.

The Web version of the Windows NT FAQ is at http://www.ntfaq.com/. To subscribe to the Windows NT FAQ send a mail to nt-faq@ed-com.com with subscribe in the body of the message to receive the updated single file version of the FAQ once a week.

This single file version of the FAQ is available for download from http://www.ntfaq.com/faqcomp.zip.

What's New

One months of additions are listed here.

Monday 20 September

Friday 17 September

Wednesday 15 September

Tuesday 14 September

Monday 13 September

Thursday 9 September, 9/9/99!

Wednesday 8 September

Tuesday 7 September

Monday 6 September

Friday 3 September

Thursday 2 September

Wednesday 1 September

Wednesday 11 August

Tuesday 10 August

Friday 6 August

Wednesday 4 August

Tuesday 3 August

Monday 2 August

Contents


Core

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Registry

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Service Packs and Hotfixes

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Windows 2000 (NT 5.0)

upsection.gif (909 bytes)uptotop.gif (949 bytes)

File Systems

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Distributed File System

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Network

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Active Directory

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Domains

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Group Policy

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Terminal Server

upsection.gif (909 bytes)uptotop.gif (949 bytes)

RAS

upsection.gif (909 bytes)uptotop.gif (949 bytes)

TCP/IP

upsection.gif (909 bytes)uptotop.gif (949 bytes)

DHCP

upsection.gif (909 bytes)uptotop.gif (949 bytes)

DNS

upsection.gif (909 bytes)uptotop.gif (949 bytes)

WINS

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Exchange/Windows Messaging

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Internet Information Server

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Proxy Server 2.0

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Internet Explorer 4.0/5.0

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Installation

upsection.gif (909 bytes)uptotop.gif (949 bytes)

License

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Windows 95/98 as a client

upsection.gif (909 bytes)uptotop.gif (949 bytes)

MS-SQL Server

upsection.gif (909 bytes)uptotop.gif (949 bytes)

NetWare

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Macintosh

upsection.gif (909 bytes)uptotop.gif (949 bytes)

RAID

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Performance

upsection.gif (909 bytes)uptotop.gif (949 bytes)

System Information

upsection.gif (909 bytes)uptotop.gif (949 bytes)

MultiMedia

upsection.gif (909 bytes)uptotop.gif (949 bytes)

User Configuration

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Environment - Desktop

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Environment - Command Prompt

upsection.gif (909 bytes)uptotop.gif (949 bytes)

System Configuration

upsection.gif (909 bytes)uptotop.gif (949 bytes)

System Policy

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Security

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Backups

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Recovery

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Problem Solving

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Printing

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Support

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Training

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Utilities

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Compatibility

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Hardware

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Windows Scripting Host

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Batch Files

upsection.gif (909 bytes)uptotop.gif (949 bytes)

Various

upsection.gif (909 bytes)uptotop.gif (949 bytes)


Q. What are the differences between NT Workstation and NT Server?

A. See table Below

  Workstation Server
Connection to other clients 10 Unlimited
Connection to other networks Unlimited Unlimited
Multiprocessing 2 CPUs 4 CPUs
RAS 1 connection 255 connections
Directory Replication Import Import and Export
Macintosh Services No Yes
Logon Validation No Yes
Disk Fault Tolerance No Yes
Network Peer-to-peer Server

Q. What does NT stand for?

A. NT actually stands for Northern Telecom but Microsoft licensed it and in the Windows sense stands for New Technology. Its also interesting to note its heritage
RSX -> VMS -> ELN -> NT all major designs of David Cutler
Also VMS +1 letter = WNT (Windows NT) :-) (aka HAL and IBM in 2001)


Q. What is the NT Boot Process?

A. Firstly the files required for NT to boot are

The common Boot sequence files are

The boot sequence is as follows

  1. Power on self test (POST) routines are run
  2. Master Boot Record is loaded into memory, and the program is run
  3. The Boot Sector from Active Partition is Loaded into Memory
  4. Ntldr is loaded and initialized from the boot sector
  5. Change the processor from real mode to 32-bit flat memory mode
  6. Ntldr starts the appropriate minifile system drivers. Minifile system drivers are built into Ntldr and can read FAT or NTFS
  7. Ntldr reads the Boot.ini file
  8. Ntldr loads the operating system selected, on of two things happen
    * If Windows NT is selected, Ntldr runs Ntdetect.com
    * For other operating system, Ntldr loads and runs Bootsect.dos and passes control to it. The Windows NT process ends here
  9. Ntdetect.com scans the computer hardware and sends the list to Ntldr for inclusion in HKEY_LOCAL_MACHINE\HARDWARE
  10. Ntldr then loads Ntoskrnl.exe, Hal.dll and the system hive
  11. Ntldr scans the System hive and loads the device drivers configured to start at boot time
  12. Ntldr passes control to Ntoskrnl.exe, at which point the boot process ends and the load phases begin

Q. What is Virtual Memory?

A. Virtual Memory makes up for the lack of RAM in computers by using space on the hard disk as memory, Virtual Memory. When the actual RAM fills up (actually its before the RAM fills) then virtual memory is created on the hard disk. When physical memory runs out, the Virtual Memory Manager chooses sections of memory that have not been recently used and are of low priority and writes them to the swap file. This process is hidden from applications, and applications views both virtual and actual memory as the same.

Each application that runs under Windows NT is given its own virtual address space of 4GB (2GB for the application, 2GB for the operating system).

The problem with Virtual Memory is that as it writes and reads to the hard disk, this is much slower than actual RAM. This is why if an NT system does not have enough memory it will run very slowly.


Q. What is the history of NT?

A. In the late 1980's the Windows environment was created to run on the Microsoft DOS operating system. Microsoft and IBM joined forces to create a DOS replacement that would run on the Intel platform that led to the creation of OS/2, and at the same time Microsoft was working on a more powerful operating system that would run on other processor platforms. The idea was that the new OS would be written in a high level language (such as C) so it would be more portable.

Microsoft hired Dave Cutler (who also designed Digital's VMS) to head the team for the New Technology Operating System (NT :-) ). Originally the new OS was to be called OS/2 NT.

In the early 1990's Microsoft released version 3.0 of its windows OS which gained a large user base, and it was at this point that Microsoft and IBM's split started as the two companies disagreed on the future of their OS's. IBM viewed Windows as a stepping stone to the superior OS/2, where as Microsoft wanted to expand Windows to compete with OS/2, so they split, IBM kept OS/2 and Microsoft change OS/2 NT to Windows NT.

Nt was once called OS/3, and OS/2 V3, I am informed by a alpha tester for IBM & MS, he had a set of 5.25 diskettes from Microsoft, and that's how he got them.

The first version of Windows NT (3.1) was released in 1993 and had the same GUI as the normal Windows Operating System, however it was a pure 32 bit OS, but provided the ability to also run older DOS and Windows apps, as well as character mode OS/2 1.3 programs.

For a detailed history have a look at http://windowsnt.miningco.com/


Q. How do I install the SYMBOL files?

A. Symbol files are produced by the linker when a program is built, and are used to resolve global variables and function names in an executable.

  1. Create a directory on your machine called SYMBOLS
    mkdir c:\winnt\symbols
  2. Copy over the symbols from the NT installation CD ROM
    xcopy <CD-ROM>:\Support\Debug\i386 c:\winnt\symbols /s
  3. If you have any service pack symbols you should extract these to the same directory, e.g. for Service Pack 2
    SYM_400I -d c:\winnt\symbols

For more information see Microsoft Knowledge Base article Q148659


Q. What is Windows NT?

A. Windows NT (both the Workstation and Server) is a 32-bit Operating System. It is a preemptive, multi-tasking Operating System, which means that the Operating System controls allocation of CPU time, not the applications, stopping one application from hanging the OS. NT supports multiple CPU's giving true Multi-tasking, using symmetrical multiprocessing, meaning the processors share all tasks, as opposed to asymmetrical multiprocessing, where the OS uses one CPU and the applications another. NT is also a Fault Tolerant Operating System, with each 32bit application operating in its own Virtual Memory address space (4 GigaBytes) which means one application cannot interfere with another's memory space.

Unlike earlier version of Windows (such as Windows for Workgroups and Windows 95), NT is a complete Operating System, and not an addition to DOS.

NT supports different CPU's: Intel x86, IBM PowerPC (Not to be supported for NT5.0) and DEC Alpha.

NT's other main plus is its Security with a special NT file system (NTFS) that allows permissions to be set on a file and directory basis.


Q. What is the Registry?

A. Originally there were .ini files in Windows, however the problem with .ini files are many, e.g. size limitations, no standard layout, slow access, no network support etc. Windows 3.1 (yes Windows not Windows NT) had a registry which was stored in reg.dat and could be viewed using regedit.exe and was used for DDE, OLE and File Manager integration. In Windows NT the Registry is at the heart of NT and is where nearly all information is stored, and is split into a number of subtrees, each starting with HKEY_ to indicate that it is a handle that can be used by a program.

HKEY_LOCAL_MACHINE This contains information about the hardware configuration and installed software.
HKEY_CLASSES_ROOT This is just a link to HKEY_LOCAL_MACHINE\SOFTWARE\Classes and contains links between applications and file types as well as information about OLE.
HKEY_CURRENT_CONFIG Again this is a link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current and contains information about the current configuration.
HKEY_CURRENT_USER This is a link to HKEY_USERS\<SID of User> and contains information about the currently logged on users such as environment, network connections, printers etc.
HKEY_USERS Contains information about actively loaded user profiles, including .default which is the default user profile.

Each of the subtrees has a number of keys, which in turn have a number of subkeys. Each key/subkey can have a number of values which has 3 parts

To edit the registry there are two tools available, regedt32.exe and regedit.exe.Regedit.exe has better search facilities, but does not support all of the Windows NT registry value types. If you want to just have a look around the Registry:

  1. Start a registry editor (regedit.exe or regedt32.exe)
  2. In Regedt32.exe you can set the registry to read only mode which means you won't corrupt anything :-) (Options - Read Only Mode)
  3. Select the HKEY_USERS subkey
  4. Move to the .default - Control Panel - Desktop and you will see a number of values in the right hand pane.
  5. One of them is wallpaper and this is the background that is displayed before you logon.

Q. What files make up the registry, and where are they?

A. The files that make up the registry are stored in %systemroot%/system32/config directory and consist of

There are also other files with different extensions for some of them


Q. How do I restrict access to the registry editor?

A. Using the registry editor (regedt32.exe)

  1. Highlight HKEY_USERS and Load Hive from the Registry menu.
  2. Browse to the users profile directory who you want to restrict the registry tools for and select NTUser.dat.
  3. When prompted for Key Name, input their UserID.
  4. Navigate to \Software\Microsoft\Windows\CurrentVersion\Policies.
  5. If no System sub-key exists, Add Key. Then Add Value of DisableRegistryTools (under the System key) using type REG_DWORD and set it to 1.
  6. Unload Hive from the Registry menu.

Q. What is the maximum registry size?

A. The maximum size is 102MB, however it is slightly more complicated than this.

The registry entry that controls the maximum size of the registry is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\RegistrySizeLimit. By default this entry will not exist so it will need to be created:

  1. Start the registry editor (regedit.exe)
  2. Move to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control key
  3. From the Edit menu, select New - DWord value and enter the name as RegistrySizeLimit
  4. Double click the new entry and enter a value in bytes (choose decimal as the type)

The minimum size is 4MB, and if anything less than this is entered in the registry then it will be forced up to 4MB. The maximum is 80% of the paged pool (which has a maximum size of 128MB, hence 102MB which is 80% of 128MB). If no entry is entered then the maximum size is 25% of the paged pool. The paged pool is an area of physical memory used for system data that can be written to disk when not in use.

An important point to note is that the RegistrySizeLimit is a maximum, not an allocation, and so setting a high value will not reserve the space, and it does not guarantee the space will be available.

This can also be configured using the System Control Panel applet, click on the Performance tab and the maximum registry size can be set there. You would then need to reboot.

For more information see Knowledge Base Article Q124594

There is another complication, during early boot, NTLDR loads some code, allocates working memory, and reads in parts of the registry. All of this has to fit in the first 16MB of memory regardless of how much memory is physically installed. The entire system file is read; enough memory is required to contain the whole file as stored on disk without regard to how much of it is useful.

Some problems

A number of ways to get rid of the excess space:

To turn this off use REGEDT32 to add the value "ReportBootOk:REG_SZ:0" [zero] to HKEY_Local_Machine\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon This will prevent creation of the LastKnownGood ControlSet. If a boot fails because the 16 MB limit with NTLDR is exceeded, no dump can be produced and MS will not solve the problem. This 16 MB problem will not be changed in NT 5.


Q. Should I use REGEDIT.EXE or REGEDT32.EXE?

A. You can use either for NT. REGEDIT does have a few limitations, the largest is that it does not support the full regedit data types such as REG_MULTI_SZ, so if you edit this type of data with REGEDIT it will change its type.

REGEDIT.EXE is based on the Windows95 version and has features that REGEDT32.EXE lacks (such as search). In general REGEDIT.EXE is nicer to work with. REGEDIT.EXE also shows your current position in the registry at the bottom of the window.


Q. How do I restrict access to a remote registry?

A. Access to a remote registry is controlled by the ACL on the key winreg.

  1. Start the registry editor (regedt32.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
  3. Check for a key called winreg. If it does not exist create it (Edit -Add Key)
  4. Select the winreg key (by clicking on it)
  5. From the Security menu select permissions
  6. Click the Add button and give the user you want read access
  7. Once added, click on the user and select "Special Access"
  8. Double click on the user and you can select which actions the user can perform
  9. Click OK when finished

It is possible to set up certain keys to be accessible even if the user does not have access by editing the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\Machine (use regedt32). You can add paths to this list.


Q. How can I tell what changes are made to the registry?

A. Using the regedit.exe program it is possible to export portions of the registry. This feature can be used as follows:

  1. Start the registry editor (regedit.exe)
  2. Select the key you want to monitor
  3. From the Registry menu select "Export registry file"
  4. Enter a file name (notice if you want to export the whole registry just select the "Export Range All") and click OK
  5. Perform the change (install some software or change a system parameter)
  6. Rerun steps 1 to 4 using a different file name
  7. Run the two files through a comparison utility (for example windiff.exe)
  8. If you are using windiff, select Compare Files from the File menu and you will then be prompted to select the 2 files to compare.
  9. Once compared a summary will be displayed stating if there are differences, to view the changes double click on the message
  10. Press F8 to view the next change (or select next change from the view menu)
  11. You have now found what changed!

Q. How can I delete a registry value/key from the command line?

A. Using the Windows NT Resource Kit Supplement 2 utility REG.EXE you can delete a registry value from the command line or batch file, e.g.

reg delete HKLM\Software\test

Would delete the HKEY_LOCAL_MACHINE\Software\test value. When you enter the command you will be prompted if you really want to delete, enter Y. To avoid the confirmation add /force to the command, e.g.

reg delete HKLM\Software\test /force

A full list of the codes to be used with REG DELETE are as follows:

HKCR HKEY_CLASSES_ROOT
HKCU HKEY_CURRENT_USER
HKLM HKEY_LOCAL_MACHINE
HKU HKEY_USERS
HKCC HKEY_CURRENT_CONFIG

To delete a entry on a remote machine add the name of the machine, \\<machine name>, e.g.

reg delete HKLM\Software\test \\johnpc


Q. How can I audit changes to the registry?

A. Using the regedt32.exe utility it is possible to set auditing on certain parts of the registry. I should note that any type of auditing is very sensitive lately and you may want to add some sort of warning letting people know that their changes are being audited.

  1. Start the registry editor (regedt32.exe)
  2. Select the key you wish to audit (e.g. HKEY_LOCAL_MACHINE\Software)
  3. From the Security menu select Auditing
  4. Check the "Audit Permission on Existing Subkeys" if you want subkeys to also be audited
  5. Click the Add button and select the users you want to be audited, click Add and then click OK
  6. Once there are names in the "Names" box you can select which events to be audited, whether success or failure.
  7. When you have filled in all the information click OK

You will need to make sure that Auditing for File and Object access is enabled (use User Manager - Polices - Audit).

To view the information use Event Viewer and look at the Security information.


Q. How can I clean up/remove invalid entries from the registry?

A. Microsoft have released a utility called RegClean which will go through your machines registry and delete any unused/unnecessary keys. The current version is 4.1a and can be downloaded from http://support.microsoft.com/download/support/mslfiles/RegClean.exe .

Once downloaded just click on the Executable and it will check your registry, once the check is completed you will be given an option to fix errors "Fix Errors" button. You can click the Exit button to exit.

RegClean creates an uninstall file in the directory the image is located in, of the name

"Undo <machine name> <yyyymmdd> <hhmmss>.reg"
e.g. "Undo workstation 19980320 104323.reg"

To undo the changes just double click (or single depending on your config ;-) ) this file.

See http://support.microsoft.com/support/kb/articles/q147/7/69.asp for more information.


Q. I make changes to HKEY_LOCAL_MACHINE\HARDWARE but they are lost on reboot.

A. This is because HKEY_LOCAL_MACHINE\HARDWARE is recreated by the system at boot time and this means any settings such as ACL's are lost. The rest of HKLM (SOFTWARE, SYSTEM, SAM, SECURITY) is stored on disk, and is not recreated during system boot.


Q. What data types are available in the registry?

A. Below is a table of data types supported by Regedt32.exe, regedit.exe does not support REG_EXPAND_SZ or REG_MULTI_SZ

REG_BINARY This is raw binary data
REG_DWORD This is a double word (4 bytes). It can be displayed in binary, hexadecimal or decimal format
REG_EXPAND_SZ An expandable text string that contains a variable (for example %systemroot%)
REG_MULTI_SZ A multiple line string. Each "line" is separated by a null
REG_SZ A text string

Q. How can I automate updates to the registry?

A. There are 2 main methods you can use to create scripts that can be run to automate the updates. The first is to create a .reg file which can then be run using

regedit /s <reg file>

The format of the file is

REGEDIT4
[<key name>]
"<value name>"="<value>"
a string value
"<value name>"=hex:<value>
a binary value
"<value name>"=dword:<value>
a dword value

for example

REGEDIT4

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"Wallpaper"="E:\\WINNT\\savtech.bmp"
"TileWallpaper"="0"

[HKEY_USERS\.DEFAULT\Control Panel\Colors]
"Background"="0 0 0"

Would set the default background and color before anyone logs on.

The second method is to user a Windows 95 style .inf file. These are run using the command

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 <inf file>

The format of the file is as follows

[Version]
Signature = "$Windows NT$"
Provider=%Provider%

[Strings]
Provider="SavillTech Ltd"

[DefaultInstall]
AddReg = AddReg
DelReg = DelReg
UpdateInis = UpdateInis

[AddReg]
[DelReg]
[UpdateInis]

Below are the keys to be used

HKCR HKEY_CLASSES_ROOT
HKCU HKEY_CURRENT_USER
HKLM HKEY_LOCAL_MACHINE
HKU HKEY_USERS

The file below is an .inf file which performs the same as the .reg file described earlier

[Version]
Signature = "$Windows NT$"

[DefaultInstall]
AddReg = AddReg

[AddReg]
HKU,".DEFAULT\Control Panel\Colors","Background",0000000000,"0 0 0"
HKU,".DEFAULT\Control Panel\Desktop","Wallpaper",0000000000,"E:\WINNT\savtech.bmp"
HKU,".DEFAULT\Control Panel\Desktop","TileWallpaper",0000000000,"1"

INF files can be generated automatically using the SYSDIFF utility if you have a difference file (sysdiff /inf <name of difference file> <dir to create to>)

A registry entry can also be deleted using .REG files. That is, if one has a .reg file with, e.g.,

[HKEY_CURRENT_USER\Test]

to enter a key, then one can use

[-HKEY_CURRENT_USER\Test]

to remove it.


Q. How do I apply a .reg file without the success message?

A. To apply a .reg file (a registry information file) the normal method from the command prompt is to enter

C:\> regedit <registry file>.reg

This applies the change and gives a confirmation message:

"Information is <filename>.reg has been successfully entered into the registry"

If you would like to avoid this confirmation message and apply the change silently use the /s switch, e.g.

C:\> regedit /s <registry file>.reg


Q. How can I remotely modify the maximum registry size?

A. The maximum registry size is usually defined using the System properties control panel applet, Performance tab. When you change this value all it actually does is to update the registry entry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\RegistrySizeLimit

You could therefore modify this from the command line using a registry script. For example

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control]
"RegistrySizeLimit"="24000000"

Run using

C:\> regedit /s <reg name>

You could add this to a login script.

Alternatively run remotely by submitting with the AT command. The change will not take effect until the machine reboots. If you wanted the reboot to occur you could add a reboot using the Resource Kit SHUTDOWN.EXE utility (as explained in
Q. How can I configure the machine to reboot at a certain time?)


Q. I can't update DWORD values using REG.EXE.

A. There is a bug in REG.EXE supplied with the NT 4.0 resource kit. Download a fixed version from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/reg_x86.exe


Q. How can I install a .inf file from the command line?

A. The normal method to install a .inf file is to right click on it and select Install from the context menu however it is also possible to install from the command line. The syntax is:

C:\> rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 .\<file>.inf


Q. How can I compress the registry?

A. The following procedure can be used to compact the registry files, but also to restore the 'repair disk data' when you messed up the registry:

1) As always, make sure you have a backup of you're system, including the registry

2) Run Start: "RDISK /S-". This automatically updates the repair info located under %systemroot%\repair. The registry data are reorganized and compressed.

3) Next step is to expand these files to a temporary location.

EXPAND %systemroot%\REPAIR\DEFAULT._ %temp%\DEFAULT
EXPAND %systemroot%\REPAIR\SAM._ %temp%\SAM
EXPAND %systemroot%\REPAIR\SECURITY._ %temp%\SECURITY
EXPAND %systemroot%\REPAIR\SOFTWARE._ %temp%\SOFTWARE
EXPAND %systemroot%\REPAIR\SYSTEM._ %temp%\SYSTEM

4) Check your %temp% folder and %systemroot%\system32\config to find the difference in size between the different files that make up the registry. Probably the SOFTWARE hive will have a remarkable difference. In my case it shrinked from over 10Mb to 3.5Mb.

5) The registry files in %systemroot%\system32\config should be replaced by the reorganized ones in your %temp% folder. You can do this by:

When I performed these steps I notices a serious performance gain during system startup.


Q. Access to the registry tools has been stopped, is there any way to get access?

A. I include this as I had the exact problem on site a couple of days ago and I want Administrators to be aware that this can be done.

If the scheduler service is running on your PC (or if you can start it) you can submit the registry editor to start via the scheduler and it will then be started under the system context. For example

C:\> at <1 minute in the future> /interactive regedt32.exe

One minute from submission regedt32.exe will be started giving you full access to the registry. Cool!

You can also re-enable the tools by writing a small .reg file and double click on it which gives full access:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

Save as disableregistrytools.reg, double click from Explorer and you will have full registry access.


Q. Where does Windows 2000 store the last key accessed?

A. In Windows 2000 when you start the registry editor it remembers where you last were and automatically reopens that key. This information is actually stored in the registry in location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

If this annoys you, it could be reset at each logon to null via a script with a .reg file, e.g.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"=""


Q. What's new in the Windows 2000 version of RegEdit?

A. As we saw in the last registry tip, the Windows 2000 version of Regedit.exe now remember the last key that was open when you start the application.

The second major change is the introduction of a favorites menu to which you can add you most used and 'favorite' registry keys (you would have to be sad :-) ).

REGEDT32.EXE has not had any major functionality changes.


Q. What service packs and fixes are available?

A. See table below. All directories are off of ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/. Just click on the file name for a direct FTP link For people in Europe ftp.sunet.se/pub3/vendor/microsoft/bussys/winnt/winnt-public/fixes may provide faster access.

There are also Microsoft BBS numbers where Service Packs can be downloaded from, e.g. for the UK it is 44 1734 270065, however the fixes tend to be a few days later than on the FTP site.

File Name Directory Description (Microsoft Article No.) Hotfixes
Sp1_400i.exe /ussp1/i386 Service Pack 1 PostSP1
Sp2_400i.exe /ussp2/i386 Service Pack 2 (around 14MB) PostSP2
Nt4sp3_i.exe /ussp3/i386 Service Pack 3 (around 18MB) PostSP3
NT4SP4I.EXE NA Service Pack 4 (around 33MB) PostSp4
SP5I386.EXE NA Service Pack 5 (around 34.5MB) PostSp5

Service Pack 1 Hotfixes /hotfixes-postsp1/

KRNL40I.EXE /32proc-fix Q140065
AFD40I.EXE /afd-fix Q140059
CDFS40I.EXE /cdfs-fix Q142687
NDIS40I.EXE /mcanet-fix Q156324
NDIS40I.EXE /ndis-fix Q142903
NTBCKUPI.EXE /NTBackup-fix  Q142671
NTVDM40I.EXE /ntvdm-fix Q134126
PCM40_I.EXE /pcmcia-fix Q108261
SCSIFIXI.EXE /scsi-fix Q171295
SPX40I.EXE /spx-fix Q153665
SYN40I.EXE /syn-attack Q142641
NTFS40I.EXE /toshiba-fix Q150815
STONE97I.EXE /winstone97 Q141375

Service Pack 2 Hotfixes /hotfixes-postsp2/

ALPHA40.EXE /Alpha-fix Q156410
DNS40I.EXE /dns-fix Q142047, Q162927
IISFIX.EXE /iis-fix Q163485, Q164059
KRNL40I.EXE /krnl-fix Q135707, **Q141239**
TCP40I.EXE /oob-fix Q143478
RAS40I.EXE /ras-fix Q161368
RPC40I.EXE /RPC-fix Q159176, Q162567
SECFIX_I.EXE /sec-fix Q143474
SERIALI.EXE /serial-fix Q163333
SETUPDDI.EXE /setupdd-fix Q143473
SFMSRVI.EXE /sfmsrv-fix Q161644
WTCP40I.EXE /TCPIP-fix Q163213

Service Pack 3 Hotfixes /hotfixes-postsp3/

2GCRASHI.EXE /2gcrash Q173277
ASPFIX.EXE /asp-fix Q165335
ATA-FIXI.EXE /atapi-fix Q183654
DNSFIX_I.EXE /dns-fix Q142047
EUROFIXI.EXE /euro-fix Q182005
ADMNFIXI.EXE /getadmin-fix Q146965
IDEFIX-I.EXE /ide-fix Q153296
IIS-FIXI.EXE /iis-fix Q143484
IIS4FIXI.EXE /iis4-fix Q169274
JOY-FIXI.EXE /joystick-fix Q177668
NDISFIXI.EXE /ndis-fix Q156655
NBTFIX-I.EXE /netbt-fix Q178205
PCMFIX-I.EXE /pcm-fix Q180532
PENTFIX.EXE /pent-fix Q163852
PPTPFIXI.EXE /pptp2-fix Q167040
PPTPFIXI.EXE /pptp3-fix Q189595
PRIVFIXI.EXE /priv-fix Q190288
PRNTFIXI.EXE /Prnt-fix Q181022
ROLL-UPI.EXE /roll-up Q147222
RRASFIXI.EXE /rras20-fix Q168469
RRASFIXI.EXE /rras30-fix Q189594
DCOMFIXI.EXE /SAG-fix  
SCSIFIXI.EXE /scsi-fix Q171295
SFM-FIXI.EXE /sfm-fix Q166571, Q170965, Q172511, Q177644, Q178364, Q180622, Q180716, Q180717, Q180718 & Q185722
CHARGENI.EXE /simptcp-fix Q154460
SNK-FIXI.EXE /snk-fix Q193233
SRVFIX-I.EXE /srv-fix Q180963
SSL-FIXI.EXE /ssl-fix Q148427
TAPI21FI.EXE /tapi21-fix Q179187
TEARFIXI.EXE /teardrop2-fix Q179129
Y2KFIXI.EXE  /Y2k-fix Q196548
WANFIX-I.EXE /wan-fix Q163251
WINSFIXI.EXE /winsupd-fix Q155701
Y2KFIXI.EXE /y2k-fix Q175093, Q180122, Q183123 & Q183125
ZIP-FIXI.EXE /zip-fix Q154094

A number of post Service Pack 3 hotfixes have been replaced by newer fixes and are not listed above, they can be found at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/archive . These include

Service Pack 4 Hotfixes /hotfixes-postsp4/

A post Service Pack 4 hotfix rollup has been released and can be downloaded from:
http://www.microsoft.com/ntserver/nts/downloads/recommended/nt4postsp4hotfix/

Individual hotfixes are:

BIOSFIXI.EXE /Y2K/BIOS2-fix Q216913
CLIKFIXI.EXE /Clik-fix Q195540
DISCFIXI.EXE /Disc-fix Q221331
GINAFIXI.EXE /Gina-fix Q214802
KRNLIFXI.EXE /Kernel-fix Q234557
MSMQFIXI.EXE /Y2K/MSMQ-fix Q230050
MSV-FIXI.EXE Msv1-fix Q214840
NPRPCFXI.EXE /Nprpc-fix Q195733
SP4HFIXI.EXE /roll-up Q195734
RNR-FIXI.EXE /Rnr-fix Q214864, Q216091, Q217001
SCRNSAVI.EXE /Scrnsav-fix Q221991
SMSFIXI.EXE /Sms-fix Q196270
SMSSFIXI.EXE /Smss-fix Q218473
TCPIPFXI.EXE /Tcpip-fix Q195725
Y2KUPD.EXE /Y2K/Y2KUPD Q218877, Q221120

Service Pack 5 Hotfixes /hotfixes-Postsp5/

CSRSSFXI.EXE /Csrss-fix Q233323
DIALRFXI.EXE /Dialer-fix NA
IGMPFIXI.EXE /IGMP-fix Q238329
IOCTLFXI.EXE /IOCTL-fix Q236359
LSAREQI.EXE /LSA3-fix Q231457
NDDEFIXI.EXE /NetDDE-fix Q231337
NTFSFIXI.EXE /NTFS-fix Q229607
Q234351I.EXE /Perfctrs-fix Q234351
RASFFIXI.EXE /RAS-fix Q230677
PWDFIXI.EXE /RASPassword-fix Q230681
RPSLWFXI.EXE /Rpcltscm-fix Q239132
RPWDFIXI.EXE /RRASPassword-fix Q233303
WINHLP-I.EXE /Winhlp32-fix NA
BIOSFIXI.EXE /Y2K/BIOS2-fix Q216913

The file names above are for the Intel platform (hence the ending I), but they may also be available for Alpha and PPC, just substitute the I for a A(Alpha) or P(PPC).

I should note a health warning, "If it ain't broke, don't fix it" and I would tend to agree with this, so unless you have a problem, or require a new feature of a Service Pack think if you really want it. Also if you are going to apply it to a live system, try and test it first, as sometimes a Service Pack will introduce new problems.


Q. What are the Q numbers and how do I look them up?

A. The Q numbers relate to Microsoft Knowledge Base articles and can be viewed at http://support.microsoft.com/support/


Q. How do I install the Service Packs?

A. If you receive the Service Pack by downloading from a Microsoft FTP site, then copy the file to a temporary directory and then just enter the file name (e.g. Sp2_400i.exe). The file will be expanded and among the files created a file called UPDATE.EXE will be created. Just run this file. If there is no UPDATE.EXE, just .sym files you have downloaded the symbols version which is used for debugging NT, download the normal version (see above).

If you receive Service Packs via CD, if you just insert the CD (for SP2 and later) and an Internet Explorer page will be shown and you can just click on install for the Service Pack.


Q. How do I install the Hot fix?

A. Again copy the file to a temporary directory and run the file name. A few files will be created, one called HOTFIX.EXE. Run "HOTFIX /install" which will install the Hot Fix.

The newer Hot fixes (Java fix for Service Pack 3 onwards) you just double click on the downloaded file.


Q. How do I remove a Hot fix?

A. Use the command Hotfix /remove to remove a hotfix. Before you can do this you will need to expand the original hotfix file using the <hotfix> /x command.

To force the remove using the registry editor (regedt32) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\HOTFIX and delete the entry for the HOTFIX. Then use explorer to goto %SystemRoot%\HOTFIX\HF00?? and copy the backed up files back to their original location.


Q. How do I install Service Pack 3?

A. Before you install Service Pack 3 you must remove Internet Explorer 4.0 preview if installed:

  1. From Control Panel (Start - Settings - Control Panel) double click Add/Remove Programs
  2. Select "Microsoft Internet Explorer 4.0" and click Add/Remove
  3. Select Remove All
  4. You will have to reboot

Also before installing SP3 make sure you have an up to date Repair Disk (RDISK /S). To install Service Pack 3 download Nt4sp3_i.exe and follow the instructions below

  1. Double click nt4sp3_i.exe
  2. It will verify the file and then uncompress to a temporary area (you can make it uncompress without installing by typing nt4sp3_i /x)
  3. Click Next to install and click Yes to accept the license agreement
  4. Click Next and then select "Yes create uninstall"
  5. Click Next then Finish
  6. You will then have to reboot

Q. Emergency Repair Disk issues after installation of Service Pack 3.

A. Due to changes in Service Pack 3 the Emergency Repair Disk process has changed. The file setupdd.sys that is on the 2nd NT installation disk has been superseded by the one supplied with service pack 3. To extract the file from the Service Pack 3 executable, follow the instructions below:

  1. Copy nt4sp3_i.exe to a temporary area
  2. Uncompress the service pack
    nt4sp3_i /x
  3. Insert the second NT installation disk (do not use the originals, create a new set using winnt32 /ox)
  4. Set the file setupdd.sys to write enabled
    attrib -r a:\setupdd.sys
  5. Copy the new setupdd.sys to the 2nd installation disk
    copy setupdd.sys a:

This is discussed in the Service Pack 3 readme file, and also in knowledge base article Q146887.


Q. How do I remove the Java Hotfix for Service Pack 3?

A. Manually unpack the hotfix
javafixi /x
Then type
hotfix -y
And it will remove the hotfix.

This method may become the new standard for hot fixes.


Q. How do I install multiple Hotfixes at the same time?

A. When you extract the files in a hotfix, generally the following will be extracted

The hotfix.exe is the same executable for all the hotfixes, and the hotfix.inf is basically the same, the only difference is the files that are to be copied, e.g. tcpip.sys, and a description of the hotfix. To install multiple hotfixes at the same time all that is needed is to decompress the hotfix files and update the hotfix.inf with the information on which files to copy.

  1. Create a directory on a disk called hotfix
    md hotfix
  2. From the command line decompress the hotfixes you wish to install, note each time you decompress a hotfix a new hotfix.inf will overwrite the existing one so you may wish to backup the .inf files
    - <hotfix name> /x, e.g. javafixi /x
    - you will be asked where to extract the hot fix files to, enter the hotfix directory and click OK, e.g. d:\hotfix
    - copy the hotfix.inf file to the name of the hotfix, e.g.
    copy hotfix.inf javafix.inf
  3. You will now have a number of files in the hotfix directory, with hotfix.exe, hotfix.inf and all the versions of the .inf files you copied. You now need to merge the contents of the .inf files into one main hotfix.inf file.
    If the hotfix you extracted had file tcpip.sys (ignore the .dbg files) you need to update the hotfix.inf file to include the copying of this file. Since TCPIP.SYS lives in the system32/drivers directory, you would add the line TCPIP.SYS to the [Drivers.files] section of the hotfix.inf file, e.g.
    [Drivers.files]
    TCPIP.SYS

    You also need to add TCPIP.SYS to the [SourceDisksFiles] section, e.g.
    [SourceDisksFiles]
    TCPIP.SYS=1
  4. Finally you need to add a comment at the end of the hotfix.inf file with a description of the hotfix in the [strings] section with the Q number and a comment, e.g.
    [Strings]
    ..
    HOTFIX_NUMBER="Q143478"
    COMMENT="This fix corrects the port 139 OOB attack"

    For multiple comments and numbers use HOTFIX_NUMBER2, COMMENT2 etc.

The reason we copied the .inf files is that you can just cut and paste the hotfix specific information to the common hotfix.inf. When you decompressed a hotfix you will see which files were created, you could then search the .inf file for the file name and it would be in two places, the directory it belongs in and the [SourceDisksFiles] section. You could then go to the bottom of the file and cut and paste the HOTFIX_NUMBER and COMMENT and add to the end of HOTFIX.INF.

This is very hard to explain and an example is probably the best way to demonstrate this. Suppose you want to install

The procedure would be as follows

  1. Decompress the hotfixes to the hotfix directory and after each extraction backup the hotfix.inf file in the order admnfixi.exe - javafixi.exe - oobfix_i.exe
  2. Admnfixi.exe consists of ntkrnlmp.exe and ntoskrnl.exe, search admnfixi.inf (the copy we made) for the files and they appear as follows
    [Uniprocessor.Kernel.files]
    NTOSKRNL.EXE

    [Multiprocessor.Kernel.files]
    NTOSKRNL.EXE, NTKRNLMP.EXE

    [SourceDisksFiles]
    NTKRNLMP.EXE=1
    NTOSKRNL.EXE=1

    [Strings]
    HOTFIX_NUMBER="Q146965"
    COMMENT="This fix corrects GETADMIN problem"
  3. javafixi.exe consists of win32k.sys so search javafixi.inf for win32k.sys
    [MustReplace.System32.files]
    WIN32K.SYS

    [SourceDisksFiles]
    WIN32K.SYS=1

    [Strings]
    HOTFIX_NUMBER="Q123456"
    COMMENT="This fix corrects the problem with True Color adapter cards and Java"
  4. The current version of hotfix.inf already contains the information for the oobfix as it was the last installed, so the information for the above 2 must be added resulting in the changes being

    [MustReplace.System32.files]
    WIN32K.SYS

    [Drivers.files]
    TCPIP.SYS

    [Uniprocessor.Kernel.files]
    NTOSKRNL.EXE

    [Multiprocessor.Kernel.files]
    NTOSKRNL.EXE, NTKRNLMP.EXE

    [SourceDisksFiles]
    NTKRNLMP.EXE=1
    NTOSKRNL.EXE=1
    TCPIP.SYS=1
    WIN32K.SYS=1


    [Strings]
    ;; this part needs modifying, only one HOTFIX_NUMBER can be passed so created your own internal reference,
    ;; e.g. Q99999 and also the comments need a unique number at the end, e.g. comment1, comment2 otherwise
    ;; only the first comment will be entered

    HOTFIX_NUMBER="Q999999"
    COMMENT1="This fix corrects the port 139 OOB attack"
    COMMENT2="This fix corrects GETADMIN problem"
    COMMENT3="This fix corrects the problem with True Color adapter cards and Java"

To install just type

hotfix

from the directory created (i.e. hotfix), you will see a dialog copying the files (the ones you have specified in the hotfix.inf file :-) ), and the system will reboot. To see what hotfixes are installed:

  1. Start the Registry Editor (Regedit.exe)
  2. Look at the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix values

Q. How do I install Hotfixes the same time as I install Service Pack 3 onwards?

A. Update.exe that ships with Service Pack 3 checks for the existance of a hotfix subdirectory, and if in that directory the files hotfix.exe and hotfix.inf are present you are asked when running update.exe if you also want to install the hotfixes.

  1. Create a direrectory to hold the extracted Service Pack
    md servpack
  2. Extract the Service Pack
    nt4sp3_i /x
    You will be asked for a directory, enter the created directory, e.g. e:\servpack and click OK
  3. Create a hotfix subdirectory
    md hotfix
  4. Extract the hotfixes to this directory using the instructions in the previous FAQ
  5. Run UPDATE.EXE in the servpack directory and click Yes when asked to install Hotfixes

Q. I have installed Service Pack 3, now I cannot run Java programs.

A. An updated virtual machine used to be available for Internet Explorer 4.0 from the Microsoft site but now you need IE 4.0.

There is also a hotfix for Service Pack 3 available from Microsoft ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/java-fix/JAVAFIXI.EXE or install service pack 4 or above.


Q. I have installed Service Pack 3, however the Policy Editor has not been updated.

A. This is caused by a mistake in the Service Pack 3 update.inf file. The entry for poledit.exe (the executable for the policy editor) is specified in the [MustReplace.system32.files] section whereas the file should actually be in the [SystemRoot.files].

To install the new Policy Editor perform the following

  1. Expand the service pack
    nt4sp3_i /x
  2. You will be asked for a directory, enter a path and click OK. A message "Extraction complete" will be displayed when completed
  3. Move to the directory the service pack was extracted to and copy the file poledit.exe to the %systemroot% directory
    copy poledit.exe %systemroot%

Alternatively you can update the update.inf fiile and move the location of poledit.exe from [MustReplace.system32.files] to [SystemRoot.files].


Q. How can I tell if I have the 128 bit version of Service Pack 3 installed?

A. The easiest way to tell this is to examine the secure channel dynamic link library (SCHANNEL.DLL):

  1. Start Explorer (Win + E or Start - Programs - Explorer)
  2. Move to %systemRoot%/system32 (where %systemRoot is the windows NT directory, e.g. d:\winnt)
  3. Right click on Schannel.dll and select properties
  4. Click the Version tab. The description will be one of the following:
    PCT / SSL Security Provider (U.S. and Canada for the 128 bit version.) if you have the 128 bit version
    or
    PCT / SSL Security Provider (Export Version) if you have the non-128 bit version
  5. Click OK when finished
  6. Close Explorer

Q. How do I install a service pack during a unattended installation?

A. There are various options, however all of them require for the service pack to be extracted to a directory, using

NT4SP3_I /x

and you then enter the directory where you want to extract to.

You could extract to a directory under the $OEM$ installation directory which would then be copied locally during the installation and you could add the line

".\UPDATE.EXE -U -Z"

to CMDLINES.TXT. This will increase the time of the text portion of the installation as the contents have to be copied over the network.

With Service Pack 4 you could just add and not need to expand the service pack first.

[Commands]
".\sp4\sp4i386.exe -z -u"

Simply create a folder called sp4 under $OEM$ and copy sp4i386.exe to it.

If using the above you should ensure you have the following in unattended.txt

[Unattended]
OemPreinstall=yes

An alternate method is to install from a network drive, this requires a bit more work:

  1. Create a directory on a network server and copy the extracted service pack to this directory. Setup a share on this directory called SP
  2. Create a batch file in the $OEM$ share of the installation area called SERVPACK.CMD with the following:
    net use z:\\<server>\SP /persistent:no /user:<domain name> \guest < password.txt
    z:\update.exe -u -z
  3. You need to create the password.txt file that contains the guest account password (usually blank) therefore perform the following:
    - type copy con password.txt
    - press ENTER once
    - press CTRL+Z to save the file
    If the password is not blank enter the password then press ENTER
  4. Copy the password.txt file to the $OEM$ directory
  5. Edit CMDLINES.TXT and add ".\SERVPACK.CMD" to the end

Q. What order should I apply the Hot fixes?

A. There is no specific order to apply post Service Pack 4 and Service Pack 5 hotfixes.

The Service Pack 3 hotfixes are, for the most part, cumulative. This means that the latest binary also includes fixes previously made to the same binary.

For example, the 01/09/98 version of Tcpip.sys (teardrop2-fix) also includes previous fixes to Tcpip.sys (such as land-fix, icmp-fix, and oob-fix).

When you apply multiple fixes, please install them in the following order to ensure a newer fix is not replaced by an older one.

For the Microsoft version of the list please see ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/postsp3.txt


Q. I get an error message when I try to re-apply a hotfix after installing a service pack?

A. If when you try and reinstall a hotfix (after re-applying a service pack etc.) you get the error

Hotfix: The fix is already installed.
Hotfix: Internal consistency error: Invalid Tree pointer = <garbage characters displayed>.

you need to remove the hotfix before trying to reinstall.

To remove a hotfix you would usually use hotfix /r or hotfix -y (depending on the version, to check how use /? on the hotfix for the syntax) however there are situations where it will refuse to remove the hotfix:

Hotfix: Fix <name of hotfix> was not removed.

All the hotfix actually does when you install one is to check a registry entry so see if it already there, so to get round this problem we can go into the registry and remove the hotfixes corresponding entry.

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix
  3. Under this key will be a number of sub-keys with name of the Knowledge base article the hotfix is referenced by as the name, e.g. Q123456 (the True Colour adapter fix).
  4. To get more details about the hotfix, select the key (e.g. Q123456) and look at the "Fix Description" value.
  5. To remove NT's knowledge of the fix being installed select the specific hotfix you want to remove (e.g. Q123456) and select Delete from the Edit menu. Click Yes to the confirmation
  6. Close the registry editor.

The fix is still installed on the system, all you have done is removed NT's knowledge of its installation so you will now be able to re-install the hotfix in the normal way.


Q. When should I reapply a Service Pack?

A. You should reapply any Service Pack (and subsequent hotfixes) whenever you add any system utilities/services or hardware/software. A good rule of thumb is if the computer says "Changes have been made you must shutdown and restart your computer" reapply your service pack before the reboot.

The only problem is once you reinstall a service pack, unless you uninstall then reinstall, you will lose the ability to uninstall it.


Q. What is Option Pack 4?

A. Due to a lot of public pressure, Microsoft agreed to no longer include any new functionality in Service Packs, but would rather produce a separate add-on which would update various option components.

Option Pack 4 is the first of these (to keep in step with Service Pack 4) and can be downloaded from http://www.microsoft.com/ntserver/nts/downloads/recommended/NT4OptPk/default.asp or is supplied as part of MSDN. The download is about 27MB.

If you download from the web you have to download a special program, download.exe, which you then run which downloads or installs the software.

Included in Option Pack 4 are:

More information can be found at http://www.microsoft.com/NTServer/nts/exec/overview/WhatNew.asp

To install the Option Pack you must be running Service Pack 3 or above (I tested with Service Pack 4 and you get warnings that it has not been tested on Service Pack 4 but it works fine) and you must have Internet Explorer 4.01 or above.

Once you start the installation you should click Next to the introduction screen and you will then have two options

  1. Upgrade Only
  2. Upgrade Plus

If you select Upgrade Only then only existing components on the system will be upgrade to Option Pack 4 version, clicking Upgrade Plus allows you to install extra software.

If you select Upgrade Plus you can then choose which components to install. Items such as IIS have sub-components such as NNTP server (news) which you can optionally install.

Depending on the components you selected you will be asked some minor questions and then the machine will reboot.


Q. How can I tell which version Service Pack I have installed?

A. When a Service Pack is installed using the normal method (e.g. not just copying the files to a build location) the service pack version is entered into the registry value CSDVersion which is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

The value is of the formal "Service Pack n", e.g. "Service Pack 4" but can have extra information if it is a beta or release candidate, e.g. "Service Pack 4, RC 1.99".

To check this from the command line you could use the REG.EXE Resource Kit supplement 2 utility:

C:\>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion"
REG_SZ CSDVersion Service Pack 4, RC 1.99

Make sure you put the value in double quotes (").

An alternative is to just run WINVER.EXE which will tell you your current build and Service Pack version. You can also use WINMSD.EXE or Help/About in Explorer.


Q. I receive an error trying to install Service Pack 4 for NT 4.0.

A. If when installing Service Pack 4 you receive the error:

"Service Pack Setup Error. You do not have permissions to update Windows NT. Please contact your system administrator."

it may be caused by the update.exe image being in the wrong directory.

If you have expanded the service pack using nt4sp4i.exe /x it will create a subdirectory, update, which will include the files

When running update.exe it must be in the update subdirectory. If not you should move the image accordingly.


Q. Setupdd.sys is missing in Service Pack 4/5.

A. Setupdd.sys is included on the Service Pack 4/5 CD and in the Y2K download version of Service Pack 4 but not the normal version.

This file is needed to replace the one on the second Windows NT installation disk to repair a system that has Service Pack 3 or above. To create a set of NT installations disks insert the NT installation CD-ROM and type winnt32 /ox.

You can download SETUPDD.SYS here.


Q. Important steps for installing Service Pack 4.

A. Service Pack 4 makes some permanent changes to the registry and so before installing you should perform the following steps to facilitate a Service Pack uninstall in the event of a problem. Before installing the service pack make sure you have performed the installation on a test server and as with another "fix" don't install unless you need a fix supplied by the Service Pack or have been instructed to install it by a Microsoft support engineer. If it ain't broke, don't fix it.

  1. Perform a full backup of all files and the registry using NTBACKUP or another backup program
  2. Create an up-to-date Emergency Repair Disk and store safely
    RDISK /s
  3. Reboot your system and check the Event Viewer (Start - Programs - Administrative Tools - Event Viewer) and check for any errors. Fix before proceeding. If you make any changes fixing the problems go back to step 2 and recreate another ERD.
  4. Copy your old Uninstall directory to a backup location
    C:\> md %systemroot%\$ntservicepackuninstallback$
    C:\> copy %systemroot%\$ntservicepackuninstall$ %systemroot%\$ntservicepackuninstallback$
  5. Run the resource kit utility SRVINFO.EXE (if available) and keep a copy of the output
  6. Disable any non-essential third-party drivers/services not required for starting the system. Contact the manufacturers to see if updated versions are available.
  7. Check you have enough disk space, you will need 80MB if you select to create an uninstall directory, 40MB if not
  8. Close all active debugging sessions or remote control sessions and any other non-essential applications before starting the upgrade

Q. Uninstalling Service Pack 4.

A. As was explained in "Q. Important steps for installing Service Pack 4.", Service Pack 4 makes some changes to registry which can't be undone. Because of this, in the event of a Service Pack 4 uninstall the following files are left unrestored

Additionally the files below are also not restored:

Crypt32.dll, Comctl32.dll, Schannel.dll, Cryptdlg.dll, Pstorerc.dll, Psbase.dll, Pstores.exe, Pstorec.dll, Cryptext.dll, Cryptui.dll, Mssign32.dll, Wintrust.dll, Softpub.dll, Mssip32.dll, Mscat32.dll, Initpki.dll, Cryptnet.dll, Xenroll.dll, Dssig.dll, Sigres.exe, Dssbase.dll, Reaenh.dll (128 bit security only), Rsabase.dll, Certmgr.msc, and Syske.exe.

To uninstall the Service Pack either start the Add/Remove programs control panel applet (Start - Settings - Control Panel - Add/Remove programs), select "Windows NT Service Pack 4" and click Remove, or, move to the %systemroot%\$NtServicePackUninstall$\spuninst directory and run spuninst.exe.

If you wanted to completely uninstall the service pack, undoing the registry changes and restoring all original files you would need to restore the %systemroot% directory from a back and repair the registry using the ERD disk you created. Alternatively you could uninstall as normal then use the ERD to repair the registry and replace the six files that the uninstall does not fix.


Q. How can I tell who installed/uninstalled Service Pack 4?

A. When Service Pack 4 is installed or uninstalled an Event is written to the System Event Log. The Event ID is 4353 so you could just create a filter (View - Filter Events) to view only Event ID 4353. It gives information of the person and time it was actioned.

The messages are

Windows NT Service Pack 4 was installed (Service Pack 3 was previously installed).

or

Windows NT Service Pack 4 was uninstalled. Restoring Windows NT to Service Pack 3.

Event 4353


Q. Service Pack 4 unattended installation switches.

A. The following switches can be used with UPDATE.EXE program supplied with Service Pack 4

-u Unattended mode
-f Force all apps to close at shutdown
-n Do not create an uninstall directory 
-o Overwrite OEM files without asking
-z Do not reboot when installation is complete
-q Quiet mode - no user interaction

Q. New Event Logs in Windows NT 4.0 Service Pack 4.

A. Service Pack 4 adds 4 new Event log messages to the System Event Log:

These can all be viewed using the Event Viewer which is located in the Administrative Tools program folder.


Q. When will Service Pack 6 for NT 4.0 be released?

A. Service Pack 6 is currently in beta and I would expect it around September 1999.


Q. I receive an error that setup.log cannot be found when installing a service pack.

A. If when you try and install a service pack you receive one of the following errors:

Service Pack Setup could not find the Setup.log file in your repair directory

or

Service Pack Setup cannot open or modify your SETUP.LOG file

The problem is either

If the file SETUP.LOG in the %systemroot%\repair is missing then you can copy it off your Emergency repair disk however if this is not an option you could copy from another machine but you may need to update the first few number of lines in the file (I copied a setup.log file from a NT Server Terminal Server installation to an NT Workstation and installed Service Pack 5 with no problems after changing the device and directory! This is not a supported method though).

Below is an example of the first lines of setup.log

[Paths]
TargetDirectory="\WINNT"
TargetDevice="\Device\Harddisk0\partition2"
SystemPartitionDirectory="\"
SystemPartition="\Device\Harddisk0\partition1"
[Signature]
Version="WinNt4.0"
[Files.SystemPartition]
ntldr="ntldr","2a36b"
NTDETECT.COM="NTDETECT.COM","b69e"
[Files.WinNt]
\WINNT\Help\31users.hlp="31users.hlp","12bfc"
... etc.

If you copy from another machine you may need to update the TargetDirectory and also the TargetDevice (which is where the %systemroot% is located and can be compared against the boot.ini file) and SystemPartition (which is the active partition, starting from 1, e.g. C:, this should not need to be changed).

If the TargetDirectory is different you should perform a global replace in the file from the old name, e.g. WINTSRV to the new name, e.g. WINNT.

If you do have a setup.log file in the repair directory and still get problems installing check that its format matches that given above.

If you don't have any SETUP.LOG files I have an example one you can download and modify from an NT Workstation installation (but don't mail me asking for support) but the correct procedure is outlined at http://support.microsoft.com/support/kb/articles/Q173/3/84.asp which involves reinstalling NT over your existing installation.


Q. How can I perform a function in a logon script depending on machines Service Pack version?

A. A new utility from SavillTech, CmdInfo sets error level values depending on the Service Pack version of the client machine, depending on the results different actions can be taken.

CmdInfo can be downloaded from http://www.savilltech.com/download/cmdinfo.zip.

CmdInfo can also perform actions depending on the OS version, installation type. Below is an example of usage to detect SP version in a logon script:

@ECHO OFF

CMDINFO.EXE /sp
IF ERRORLEVEL 5 GOTO SP5
IF ERRORLEVEL 4 GOTO SP4
IF ERRORLEVEL 3 GOTO SP3
IF ERRORLEVEL 2 GOTO SP2
IF ERRORLEVEL 1 GOTO SP1
IF ERRORLEVEL 0 GOTO SP0

:SP5
ECHO Service Pack 5 is installed on this NT computer.
ECHO No further upgrades are necessary.
GOTO END

:SP4
ECHO Service Pack 4 is installed on this NT computer.
ECHO Press any key to install Service Pack 5...
PAUSE > NUL
rem Let's assume drive X: is mapped to a sharepoint...
rem X:\SP5\UPDATE\UPDATE.EXE -u -f -o
GOTO END

rem (etc. ...)

:END
EXIT


Q. What is new in Windows NT 5.0?

A. NT 5.0 is the next major release of NT. It is expected to include the following new features:

For more information on what's new please goto http://www.microsoft.com/NTServer/Basics/Future/WindowsNT5/Features.asp


information on Windows NT 5.0?

A. Below is a list of useful links at Microsoft


Q. How do I get the Microsoft Windows 2000 Beta?

A. Windows 2000 is currently in beta test. The technical beta program is closed and is not accepting additional requests at this time. The Windows 2000 beta is not generally available at present for free. If you want this beta, there are five approaches you can consider taking:-

  1. Send email to betareq@microsoft.com The Technical beta is closed, and email to this account is unlikely to get you onto the beta. If you do send email, remember you need to justify why MS should send you the beta. Given that the Technical Beta is closed, this approach is unlikely to get you a beta copy.
  2. Take out a subscription to MSDN (Microsoft Developers Network) Professional or Universal levels. MSDN Subscriptions offer comprehensive, timely, and convenient access to Microsoft Visual Tools, essential technical programming information, Microsoft operating systems, software development kits (SDKs), device driver kits (DDKs), Microsoft Office, BackOffice Test Platform, etc. See http://www.microsoft.com/msdn/join/subscriptions.htm for more details including pricing.
  3. Microsoft has said that there will be a wider consumer preview of Windows 2000 now that Beta 3 has shipped. http://www.microsoft.com/windows/preview/
  4. Take the Microsoft Official Curriculum course 1264, NT 5.0 First Look.
  5. Purchase Technet Plus which includes beta products.
  6. Order the Hardware evaluation Kit. For more details on this, see http://www.microsoft.com/hwtest/hctcd/

Q. What is Windows 2000?

A. Microsoft have renamed NT 5.0 to Windows 2000 in an attempt to simplify the product lines. Below is an extract from the Microsoft press release:

Four products to make up initial Windows 2000 offerings, all "Built on NT Technology".

The company has decided to rename the next release of the Windows NT® line of operating systems—formerly known as Windows NT 5.0—as Windows 2000. Now that millions of people use the Windows NT operating systems every day, Microsoft has decided to rename its next releases to reflect their shift into the mainstream market and to help customers understand the products. All currently released operating systems will retain their names.

The company has also expanded the Windows server line to meet customer demand for solutions that are more powerful than Windows NT Server Enterprise Edition and for lower cost clustering alternatives for branch-office servers.

"Windows NT was first released five years ago as a specialized operating system for technical and business needs. Today it has proven its value as the preferred technology for all users who want industry-leading cost-effectiveness, rich security features and demonstrated scalability," said Jim Allchin, senior vice president at Microsoft. "The Windows NT kernel will be the basis for all of Microsoft's PC operating systems from consumer products to the highest-performance servers."

Windows 2000 ProfessionalThe Windows 2000 line, which Microsoft will begin to roll out in 1999, will include four products. Windows 2000 Professional is a desktop operating system aimed at businesses of all sizes. Microsoft designed Windows 2000 Professional as the easiest Windows yet, with high-level security and significant enhancements for mobile users. The operating system is also designed to provide industrial-strength reliability and help companies lower their total cost of ownership with improved manageability.

Microsoft offers the Windows 2000 Server as the ideal solution for small- to medium-sized enterprise application deployments, web servers, workgroups and branch offices. Windows 2000 Server will support new systems with up to two-way SMP; existing Windows NT Server 4.0 systems with up to four-way SMP can be upgraded to this product.

Windows 2000 Advanced Server is a more powerful departmental and application server that provides network operating system and Internet services. Supporting new systems with up to four-way SMP and large physical memories, this product is ideal for database-intensive work. In addition, Windows 2000 Server integrates clustering and load-balancing support to provide excellent system and application availability. Organizations with existing Windows NT 4.0 Enterprise Edition servers with up to eight-way SMP can install this product.

Windows 2000 Data ServerThe Windows 2000 line will also include the new Windows 2000 Datacenter Server, which is the most powerful server operating system ever offered by Microsoft. Windows 2000 Datacenter Server supports up to 16-way SMP and up to 64GB of physical memory, depending on system architecture. Like Windows 2000 Advanced Server, it provides both clustering and load balancing services as standard features. Microsoft designed this product especially for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing and server-consolidation projects.

Microsoft believes its new Windows 2000 name will help both its partners and customers. "The new name also serves our goal of making it simpler for customers to choose the right Windows products for their needs," said Brad Chase, vice president at Microsoft. "The new naming system eliminates customer confusion about whether 'NT' refers to client or server technology. Also, with our across-the-board improvements in ease of use, mobile support and total cost of ownership that provide benefits to so many users, 'NT' technology is no longer just for high-end workstations." Microsoft will use the tagline "Built on NT Technology" to help its customers through the naming transition.

The company believes that the Windows 2000 name and NT tagline will help people to identify which operating system will work best in their environment. And—as the name implies—Windows 2000 is ready for the next millennium.


Q. Getting the most out of NT 5.0 beta 2.

A. Windows NT Expert Thomas Lee has submitted these tips for getting the most out of NT 5.0 Beta 2.0. Dated 04/11/1998

Now that NT5 Beta 5 Beta 2 Workstation and Server have been in the field for some time, some experience in these releases has been gained. In these public newsgroups, we often see issues being repeated since later users have not seen the related posts.

To help in assisting new users, I've complied what I modestly called:

THOMAS'S TOP 10 FAQ TIPS FOR NT5 BETA 2

I've written both specific answers to the these noted problems, plus some general tips on how to get the most out of NT5 B2.

I can't get DHCP to work.

Two things to check: first that the DHCP server has been authorised and second that the subnet has been activated, To find out more about setting up a DHCP server, refer to the Walkthroughs.

In general, read the walkthroughs for all the functions before asking more questions in the newsgroups. But if you are unclear, certainly post!

CDR is broken in B2

This is a known issue. But please file a bug report on your details, especially including your exact hardware configuration.

In general, try to read the older messages - the last couple of weeks or so to see if the issue has come up. A lot of issues are repeated, and repeated, suggesting, to some, that newsgroups are write only.

So how do I create a domain - there was nothing in the setup about that!

In Windows 2000, the creation of a domain controller is not done during the installation of the OS. With Win2k, you install the OS first then you create a Domain Controller by DCPROMO.EXE either from the command prompt of from Start/Run. Prior to running DCPROMO.EXE, you must install and setup a DNS service. For more details on setting up a DC, see advsetup.txt on the CD.

In general, please read all the files in the root of the CD before asking further questions in the newsgroup please! [J.S. There is also an example in the FAQ Q. How do I promote a server to a domain controller?]

Beta 2 is does not support my <pick your hardware device>

First, check the HCL in \support\hcl.txt to see if this card is supported. If it is and it does not work, try the standard tricks: take card out, see what works. Check the IRQs, etc. IF all else fails, file a bug report.

If your device in NOT on the HCL, file a bug report explaining the details of your system, the precise way the card fails (BSOD, installs but fails, reduced functionality). Also try Win98 drivers if you can find them. Finally file a bug report.

In general, the HCL is your friend. Please consider consulting it prior to asking questions on the newsgroups. Also, Help is your other friend - check Help for configuration questions.

The Find dialog is broken.

The find/search dialog does work, it's just not user friendly. This is a bug, and is "fixed in later builds" - a common reply to bugs submitted regarding this dialog!

But file searching can be significantly improved by use if the index server. This does devour a lot of disk resources initially ( it content indexes your entire disk setup).

Once it has completed the first pass (which can take hours depending how much disk space you have and hot much horsepower your system has. Initial indexing is an ideal task to kick off at night, and come back to seeing complete in the morning. Once installed, it's efficient, and is very useful for searching. Development staff, developing HTML, Office documents, C Code, etc., will love the ability to search for specific strings in the myriad of .cpp, .htm, .shh, .asp files, etc! Check it out.

In general, for certain users, Index server is a real pal.

I can't work out how to do something in NT5 B2.

Try looking in the help. The server help, especially, has a lot of really great background information. Help is massively different, and better, in Windows 2000 than in NT4! The Help text include documentation on how to carry out most basic configuration tasks, back ground concepts (and much of it well written), and places to go for more information (e.g. web sites, books, RFCs, etc). Take a look - Help has gotten a whole lot better.

In general, Help is a friend.

Why is this wise guy always asking me to read the documentation?

Simple, really. A number of procedures will be new, and the details of these are documented. Secondly, the release notes document known issues, work arounds, etc.

Windows 2000 is a lot different from NT4. I'd like to find the 'This sure isn't Kansas any more Toto' quote from the Wizard of oz as the start-up sound. MS are aware and really have tried to document the key points. The walkthroughs make a great self paced self study tour of Windows 2000 - enjoy the ride.

In general: the product documentation is your friend.

Why that guy always saying 'file a bug report'

Why IS that guy always telling me to file a bug report??? Well, to put it bluntly: The product shipped as NT5 B2 is in beta test. It is not a final product. There are most likely thousands of bugs still remaining ranging from serious show stoppers to trivial things that simply will never get fixed (e.g. the titles on a dialog box). That is not abnormal for such a large product this far from shipping.

Win2000 is simply NOT ready go to ship today - MS need to find, and resolve, these bugs. If you find something wrong, it may just be simple user error but it may well be a bug. So if you think it's broken, tell MS.

You, as future users, can influence and have helped to shape the product as it evolves. MS has listened to the feedback and are incorporating it. With the NT team embark on the death march to Beta 3, if you don't tell MS, you may well have to live with the consequences - and condemn others.

MS have made it clear that Windows 2000 will not ship before it's ready. They have said they will ship when customers tell them it's ready. You are the customer - tell MS what you've found out and what you think.

In general: Make a difference. File a GOOD bug report.

OK, Cool, so how do I do it.

If you are on an internal beta, you will know how to do this - it was on the release notes accompanying your CD (and in email). Please follow directions, and discuss the issue on the internal newsgroups. Please read those groups.

If you are not on the technical beta, then go to ntbeta.microsoft.com. Fill in a short survey, and give them your email alias. You will then get a userid and password to enter the site. Go back, and with your password, you can drill down to a web tool to file a bug report. Spend a bit of time, if you can, to look at the site for more details on bug reporting. Oh, and the ntbeta.microsoft.com has not been renamed. Yet.

In general: The ntbeta.microsoft.com site is your friend.

How much do I need to tell MS about a bug. How good is good?

To some degree, the more you can provide, the better. Filing good bug reports means report as much as possible, including all your hardware, the exact nature of problem, and if possible precise steps to reproduce it.

In general, If MS can't reproduce it - it's not a bug.

Written by that guy who is always asking folks to read the documentation, use Help, and file good bug reports.

And for the humour impaired: this entire post is classified ":-) "


Q. What hardware is needed to run Windows 2000?

A. Below is a list of the minimum hardware needed to install Windows 2000.

The minimum memory is the minimum memory and setup program performs a test to check you have that amount or the installation will not proceed (very annoying when I tried to install server on my portable which (then) only had 32MB of RAM). You can hack the txtsetup.sif files, however, to install either Server or Workstation on systems with less memory. There is no check on CPU type.

The 64bit Alpha processor continues to be supported, although memory requirements are slightly larger (eg 96MB for Server) than Intel systems. Support for archaic 1st generation systems such as the Jensen has been dropped for Windows 2000.

This information is also in the file setup.txt on the Windows 2000 (NT 5.0 Beta) CD-ROM.


Q. Where is the Hardware Compatibility List for Windows 2000?

A. The HCL for Windows 2000 is supplied on the CD in both text and HTML Help format. It can also be found at ftp://ftp.microsoft.com/services/whql/win2000hcl.txt.


Q. How can a FAT partition be converted to an NTFS partition?

A. From the command line enter the command convert d: /fs:ntfs . This command is one way only, and you cannot convert an NTFS partition to FAT. If the FAT partition is the system partition then the conversion will take place on the next reboot.

After the conversion File Permissions are set to Full Control for everyone, where as if you install directly to NTFS the permissions are set on a stricter basis.


Q. How can a NTFS partition be converted to a FAT partition?

A. A simple conversion is not possible, and the only course of action is to backup all the data on the drive, reformat the disk to FAT and then restore your data backup.


Q. How do I run HPFS under NT 4.0?

A. If you want NT support for HPFS, you can upgrade from 3.51 to 4.0 which will retain HPFS support. You can manually install the 3.51 driver under NT 4.0, however this is not supported by Microsoft.

  1. Copy the 3.51 pinball.sys to the NT 4.0 %SystemRoot%\system32\drivers directory.
  2. Start the registry editor (regedit.exe)
  3. Goto the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  4. From the Edit menu, select "New Key"
  5. In the form entry box which appears, enter Pinball as the Key Name. Leave the class field blank, and click OK
  6. Highlight the new Pinball key in the editor's left panel and select New Dword from the Edit menu
  7. Enter a name of ErrorControl and click OK
  8. Double click ErrorControl and set to "0x1"
  9. Highlight Pinball again and select "New String" from the Edit menu with name "Group" click OK
  10. Double click Group and set to "Boot file system"
  11. Highlight Pinball again and select "New DWORD" from the Edit menu with name "Start" click OK
  12. Double click Start and set to "0x1"
  13. Highlight Pinball again and select "New DWORD" from the Edit menu with name "Type" click OK
  14. Double click Type and set to "0x2"
  15. Close the registry editor
  16. Reboot the machine

Q. How do I compress a directory?

A. Follow instructions below (this can only be done on an NTFS partition)

  1. Using Explorer or My Computer select a drive
  2. Right click on a directory and choose properties
  3. Select the "Compress" Check box and click "Apply"
  4. You will be asked if you want to compress subdirectories, click OK
  5. Click OK to exit

Q. How do I uncompress a directory?

A. Follow the same procedure above, but uncheck the compress box.


Q. Is there an NTFS defragmentation tool available?

A. There are a number available for NT that I know of.

Windows 2000 has a limited built in defragmentation tool which can be used as follows:

  1. Start the MMC (Start - Run - MMC)
  2. From the console menu select Add/Remove Snap-in
  3. Click Add
  4. Select "Disk Defragmenter" and click Add. Click Close
  5. Click OK to the main Add/Remove dialog
  6. Select the Disk Defragmenter option from Console Root
  7. Select a partition, Analyze and Defragment

Click for full size


Q. Can I undelete a file in NT?

A. It depends on the file system. NT has no undelete facility, however if the filesystem was FAT then boot into DOS and then use the dos undelete utility. With the NT Resource kit there is a utility called DiskProbe which allows a user to view the data on a disk, which could then be copied to another file. It is possible to search sectors for data using DiskProbe.

If the files are deleted on an NTFS partition booting using a DOS disk and using the undelete.exe program is not possible since DOS cannot read NTFS partitions. NTFS does not perform destructive deletes which means the actual data is left intact on the disk (until another file is written in its place) and so a new application from Executive Software, Network Undelete can be used to undelete files from NTFS partitions. A free 30-day version can be downloaded from http://www.networkundelete.com/.

Executive Software also have a free utility Emergency Undelete which can undelete locally deleted files, http://www.execsoft.com/.

It is important that once any file is delete all activity on the machine is stopped to reduce the possibility of other files overwriting the data that wants to be recovered.


Q. Does NT support FAT32?

A. Native NT does not support FAT32. NT Internals have released a read-only FAT32 driver for Windows NT 4.0 from http://www.sysinternals.com/fat32.htm, or a full read/write version can be purchased from http://www.winternals.com/.

Windows 2000 has full FAT 32(x) support with the following conditions:


Q. Can you read an NTFS partition from DOS?

A. Not with standard DOS, however there is a product called NTFSDos which enables a user to read from a NTFS partition. The homepage for this utility is http://www.sysinternals.com/.


Q. How do you delete a NTFS partition?

A. You can boot off of the three NT installation disks and follow the instructions below:

  1. Read the license agreement and press F8
  2. Select the NTFS partition you wish to delete
  3. Press L to confirm
  4. Press F3 twice to exit the NT setup

Usually a NTFS partition can be deleted using FDISK (delete non-DOS partition), however this will not work if the NTFS partition is in the extended partition.

You can delete an NTFS partition using Disk Administrator, by selecting the partition and pressing DEL (as long as it is not the system/boot partition).

There is also a utility called delpart.exe that will delete a NTFS partition from a DOS bootup.


Q. Is it possible to repartition a disk without losing data?

A. There is no standard way in NT, however there is a 3rd party product called Partition Magic which will repartition FAT, NTFS and FAT32, however there is a bug in the product which makes the boot partition unbootable if it is repartitioned. A fix is available for this from their web site


Q. What is the biggest disk NT can use?

A. The simple answer to this question is that NT can view a maximum partition size of 2 terabytes (or 2,199,023,255,552 bytes), however there are limitations that restrict you well below this number.

FAT has internal limits of 4 GB due to thefact it uses 16-bit fields to store file sizes, 2^16 is 65,536 with a cluster size of 64 KB gives us the 4 GB.

HPFS uses 32bit fields and can therefore handle greater size disks, but the largest single file size is 4GB. HPFS allocates disk space in 512 byte sectors which can cause problems in Asian markets where sector sizes are typically 1024 bytes which means HPFS cannot be used.

NTFS uses 64-bits for all sizes, leading to a max size of..... 16 exabytes!!! (18,446,744,073,709,551,616 bytes), however NT could not handle a volume this big.

For IDE drives, the maximum is 136.9 GB, however for a standard IDE drive this is constrained to 528MB. The new EIDE drives can access much larger sizes.

It is important to note that the System partition (holding ntldr, boot.ini, etc.) MUST be entirely within the first 7.8Gb  of any disk (if this is the same as the boot partition this limit applies) This is due to the BIOS int 13H interface used by ntldr to bootstrap up to the point where it can drive the native HDD IDE or SCSI. int 13H presents a 24 bit parameter for cylinder/head/sector for a drive. If say by defragmentation the system are moved beyond this point you will not be able to boot the system.

Windows 2000 has no such limitation.  These are limits imposed by the specific machine BIOS.  Newer machines/BIOSes typically don't have this limitation.


Q. Can I disable 8.3 name creation on a NTFS?

A. From the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, change the value NtfsDisable8dot3NameCreation from 0 to 1.

You may experience problems installing Office 97 if you disable 8.3 name creation and may have to re-enable it during the installation of the software.


Q. How can I stop NT from generating LFN's (Long File Names) on a FAT partition?

A. Using the registry editor change the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\Win31FileSystem from 0 to 1 and only 8.3 file names will be created.

The reason for not wanting the LFN's to be created is that some 3rd party disk utilities that directly manipulate FAT can destroy the LFN's. Utilities such as SCANDISK and DEFRAG that come with DOS 6.x and above do not harm LFN's.


Q. I can't create any files on the root of a FAT partition.

A. The root of a FAT drive has a coded limit of 512 entries, so if you have exceeded this you will not be able to create any more files. I don't have this many! Remember Long File Names take up more than one entry, see the next FAQ for more information, so if you have many LFN's on the root this will drastically reduce the number of files you can have.


Q. How do LFN's work?

A. Long File Names are stored using a series of linked directory entries. A LFN will use one directory entry for its alias (the alias is the 8.3 name automatically generated), and a hidden secondary directory entry for every 13 characters in its name, so if you had a 200 character long file name, this would use 17 entries!

The alias is generated using the first six characters of the LFN, then a ~ and a number for the first 4 versions of a files with the same first six characters, e.g. for the file
john savills file.txt
the names generated would be johnsa~1.txt, johnsa~2 etc.

After the first 4 version of a file, only the first two characters of the file name are used, and the last 6 are generated, e.g. jo0E38~1.txt


Q. How do I change access permissions on a directory?

A. You can only set access permissions on an NTFS volume. Follow the instructions below:

  1. Start Explorer (Start - Programs - Explorer).
  2. Right click on a directory and select properties
  3. Click on the Security tab
  4. Click the permissions button
  5. Enter the information required
  6. Click OK, and then click OK again to exit

Q. How can I change access permissions from the command line?

A. A utility called CACLS.EXE comes as standard with NT, and can be used from the command prompt. Read the help with the CACLS.EXE program (cacls /?). To give user john read access to a directory called files enter:
CACLS files /e /p john:r
/e is used to edit the ACL instead of replacing it, therefore other permissions on the directory will be kept. /p sets permission for user:<permission>


Q. I have a CHKDSK scheduled to start next reboot, but I want to stop it.

A. If the command chkdsk /f /r (find bad sectors, recover information from bad sectors and fix errors on the disk) is run, on the next reboot the check disk is scheduled, however you may want to cancel this check disk. To do this perform the following:

  1. Run the Registry Editor (Regedt32.exe). You must use Regedt32 and not Regedit.exe
  2. Goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  3. Change the BootExecute value from:
    autocheck autochk * /r\DosDevice\<drive letter>:
    To:
    autocheck autochk *

Q. My NTFS drive is corrupt, how do I recover?

A. To restore an NTFS drive using the information below, it must have been created using Windows NT 4.0, if it was not created using NT 4.0 you should see Knowledge base article Q121517. To restore an NTFS partition you must locate the spare copy of the boot sector and copy it to the correct position on the drive. You need the NTdiskedit utility (you can also use Disk Probe that comes with the resource kit and instructions for Disk Probe can be found at http://support.microsoft.com/support/kb/articles/q153/9/73.asp or Norton disk edit) which is available from Microsoft Support Services.

  1. Using NTdiskedit for Windows NT 4.0, on the File menu, click Open.
  2. Type the Volume Name as
    \\.\PhysicaldriveX
    where X=the ordinal of the disk that appears in Disk
    Administrator)
  3. Click OK.
  4. On the Read menu, click Sectors. Select 0 for Starting Sectors and select 1 for Run Length. Click OK.
  5. On the View menu, click Partition Table. You should see a table that has four sections, Entry 0 through Entry 3. This refers to the order of partitions. If the partition in question is Partition 2 on the Disk, you need the data in Entry 1. If the Partition in question is the Partition 1 on the disk, you need the data from Entry 0 and so on.
  6. Write down the values of Starting Sector and Sectors.
    NOTE: all of the values you see will be in hexadecimal format. Do not convert to decimal.
  7. Using a Calculator (you can use the one from the Accessories group if one is available) that can add hexadecimal numbers, add the values for Starting Sector and Sectors, and subtract 1 from the sum. For example:
    STARTING SECTOR=Ox3F
    SECTORS=0x201c84 +
    ----------
    0x201CC3
    Less 1 0x1 -
    ----------
    Copy of NTFS bootsector=0x201CC2
  8. On the Read menu, click Sectors. In Starting Sectors, type the value from the equation above. Type 1 in Run Length. Click OK.
    You now should be at your copy of the NTFS bootsector. Visually inspect the boot sector for completeness, NTFS header at first line, text in the lower region (for example, "A kernel file is missing from the disk"), and so forth.
  9. Click Relocate Sectors. This is the Sector you are going to write the bootsector. This will be the value of your Starting Sector with the Run Length of 1. Click OK.
  10. Quit Ntdiskedit. Use Disk Administrator to assign a drive letter if not already assigned. Restart the computer; the file system should be recognized as NTFS.

Q. How can I delete a file without it going to the recycle bin?

A. When you delete the file, hold down the shift key.


Q. How can I change the serial number of a disk?

A. The serial number is located in the boot sector for a volume. For FAT drives its 4 bytes starting at offset 0x27; for NTFS drives its 8 bytes starting at offset 0x48. You'll need a sector-level editor to modify the number (like the Resource Kit's Diskprobe).


Q. How can I backup the Master Boot Record?

A. The Master boot record on the hard disk used to start the computer (the system partition) is the most critical sector so make sure this is the sector you backup. The boot partition is also very important (where %systemroot% resides). You need the DiskProbe utility that comes with the Resource Kit.

  1. Start DiskProbe
  2. From Drives, click Physical Drive, and click on the drive that is the system partition (from the Open Physical Drive dialog)
  3. The disk clicked will be displayed in the Handle 0 section. Click "Set Active" and then click Close
  4. From the sectors menu click Read. Accept the default sectors of "Starting Sector" 0, and "Number of Sectors" 1.
  5. From the File menu click "Save As" and enter a file name.

Q. How do I restore the Master Boot Record?

A. Follow the instructions below, however be very careful!!!

  1. Start DiskProbe
  2. From "File" click "Open" and select the file that the information was saved as
  3. From drives click Physical Drive and click the disk you want to replace the boot partition on
  4. In the Handle 0 box, clear the Read Only box and click "Set Active", then click Close
  5. From the sectors menu click write and set the starting sector to 0, and click "Write it"
  6. Verify and close DiskProbe
  7. Keep your fingers crossed :-)

Q. What CD-ROM file systems can NT read?

A. NT's primary file system is CDFS a read only file system, however it can read any file system that is ISO9660 compliant.


Q. How do I disable 8.3 name creation on VFAT?

A. Start the registry editor (regedit.exe) and set the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\Win95TruncatedExtensions to 0.


Q. How do I create a Volume Set?

A. A volume set allows you to take all the unused space on one or more drives (up to 32 drives per volume set) and combine it into a single, large, system recognizable drive. To create a volume set:

  1. Logon as an Administrator and start Disk Administrator (Start - Programs - Administrative Tools - Disk Administrator).
  2. Click on the first free area of disk space, then hold down the Ctrl key and select all the other areas of unpartitioned space.
  3. Once all the parts are selected, from the Partition menu select "Create Volume Set".
  4. A dialog box will be displayed and you can choose the size of the partition to be created. Click OK
  5. Once created the areas that are part of a Volume Set will be shown in yellow.
  6. Close Disk Administrator (or select Commit Changes New)
  7. A confirmation dialog box will be displayed, confirm and a reboot will be required.
  8. Once the reboot has completed you can now format the volume. You should really format the Volume NTFS, as DOS and Windows95 clients will not be able to read it anyway!

The main problem with volume sets is that if one drive in the volume set fails, the entire volume set becomes unavailable.


Q. How do I extend a Volume Set?

A. Extending a volume set is very simple, however a reboot will be required

  1. Start Disk Administrator (Start - Programs - Administrative Tools - Disk Administrator)
  2. Click on the existing Volume Set and hold down the Ctrl key
  3. Click on the area (or areas) of free space to be added (a black border will be shown around them)
  4. Choose "Extend Volume Set" from the Partition menu, or right click on one of the selected areas and this option will be shown.
  5. A dialog box will be shown asking how large the drive should be. Click OK
  6. From the Partition menu, select "Commit changes now"
  7. Answer the further dialogs and reboot the server.

The reboot will take longer than normal as the new area added has to be formatted to the same file system as the rest of the volume set.

Note: Only NTFS Volume Sets can be extended.


Q. How do I delete a Volume Set?

A. When you delete a volume set all the data stored will be lost. To delete a volume set:

  1. Start Disk Administrator
  2. Click on part of the volume set
  3. Select Delete from the Partition menu
  4. Click Yes on the dialog box

Q. What is the maximum number of characters a file can be?

A. This depends on if the file is being created on a FAT or NTFS partition. The maximum file length on a NTFS partition is 256 characters, and 11 characters on FAT (8 character name, . , 3 character extension). NTFS filenames keep their case, whereas FAT filenames have no concept of case (however the case is ignored when performing a search etc on NTFS). There is the new VFAT which also has 256 character filenames.

NTFS filenames can contain any characters, including spaces, uppercase/lowercase except for the following

" * : / \ ? < > |

which are reserved for NT, however the file name must start with a letter or number.

VFAT filenames can also contain any characters except for the following

/ \ : | = ? " ; [ ] , ^

and once again the file name must start with a letter or number.

NTFS and VFAT also creates a 8.3 format file name, see Q. How to LFN's work?


Q. How can I stop chkdsk at boot time from checking volume x?

A. When NT boots it performs a check on all volumes to see if the dirty bit is set, and if it is a full chkdsk /f is run. To stop NT performing this dirty bit check you can exclude certain drives. The reason you may want to do this is for some type of removable drive, e.g. Iomega drives:

  1. Run the Registry Editor (Regedt32.exe). You must use Regedt32.exe and not Regedit.exe
  2. Goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  3. Change the BootExecute value from:
    autocheck autochk *
    to:
    autocheck autochk /k:x *

Where x is the drive letter, e.g. if you wanted to stop the check on drive f: you would type autocheck autochk /k:f *. To stop the check on multiple volumes just enter the drive names one after another, e.g. to stop the check on e: and g: autocheck autochk /k:eg *, you do not retype the /k each time.

If you are using NT 4.0 with Service Pack 2 or above, you can also use the CHKNTFS.EXE command which is also used to exclude drives from the check and updates the registry for you. The usage to disable a drive is

chkntfs /x <drive letter>:
e.g. chkntfs /x f: would exclude the check of drive f:

To set the system back to checking all drives just type

chkntfs /d


Q. How can I compress files/directories from the command line?

A. A utility is supplied with the resource kit called compact.exe which can be used to view and change the compression characteristics of a file/directory.


Q. What protections can be set on files/directories on a NTFS partition?

A. When you right click on a file in Explorer and select properties (or select Properties from the File menu) you are presented with a dialog box telling you information such as size, ownership etc. If the file/directory is on a NTFS partition there will be a security tab, and within that dialog, a permissions button. If you press that button you can grant access to users/groups on the resource at various levels.

There are six basic permissions

These can be assigned to a resource, however they are grouped for ease of use

The permissions above can all be set on a directory, however this list is limited for a file, and permissions that can be set are only No Access, Read, Change and Full Control.

Another permission exists called "Special Access" (on a directory there will be two, one for files, one for directories), and from this you can set which of the basic permissions should be assigned.


Q. How can I take ownership of files?

A. Sometimes you may want to take ownership of files/directories, usually as someone has removed all access on a resource and can't see it. You would log on as the Administrator and take ownership. You cannot give ownership to someone else using standard NT functionality, only take ownership.

  1. Log on as Administrator or a member of the Admins group
  2. Start Explorer
  3. Right click on the file/directory and select properties
  4. Select the Security tab and click Ownership
  5. Click "Take Ownership" and then click Yes to the prompt

Q. How can I view the permissions a user has on a file from the command line?

A. A utility is supplied with the resource kit called perms.exe which can be used to view permissions on files/directories. The usage is

perms <domain>\<user> <file>
e.g. perms savilltech\savillj d:\file\john\file.dat

You can add /s to also show details of sub files/directories. The permissions shown equate to

R Read
W Write
X Execute
D Delete
P Change Permission
O Take Ownership
A All
None No Access
* User is the owner
# A group the member is a member of owns the file
? Permissions cannot be determined

To output to a file just add > filename.txt at the end, e.g.

perms <user> <file> > file.txt


Q. How can I tell the total amount of space used by a folder (including sub folders)?

A. There are two ways of doing this (there are more!), one using explorer and one from the command line. Using Explorer

  1. Start Explorer (Win key + E or Start - Programs - Explorer)
  2. Right click on the required folder and select properties
  3. Under the General tab a size will be displayed and this is the total size of the folder and all sub-folders and their contents.

From the command line you can just use the dir command with /s qualifier which also lists all sub-directories, e.g.
dir/s d:\savilltechhomepage
would list all files/folders in the savilltechhomepage directory and at the end the total size.


Q. There are files beginning with $ at the root of my NTFS drive, can I delete them?

A. NO!!! These files hold the information of your NTFS volume. Below is a table of all the files used by the file system:

$MFT Master File Table
$MFTMIRR A copy of the first 16 records of the MFT
$LOGFILE Log of changes made to the volume
$VOLUME Information about the volume, serial number, creation time, dirty flag
$ATTRDEF Attribute definitions
$BITMAP Contains drive cluster map
$BOOT Boot record of the drive
$BADCLUS A list of bad clusters on the drive
$QUOTA Quota information (used on NTFS 5.0)
$UPCASE Maps lowercase characters to uppercase version

If you want to have a look at any of these files use the command

dir /ah $mft

Its basically impossible to delete these files anyway as you can't remove the hidden flag and if you can't remove the hidden flag you can't delete it!


Q. What file system do Iomega ZIP disks use?

A. By default, the formatted ZIP disks are FAT, however you can format these with NTFS is you want. NTFS has a higher overhead than FAT on small volumes (an initial 2MB) which is why you don't have NTFS on 1.44 floppy disks.


Q. What cluster size does a FAT/NTFS partition use?

A. The default cluster size for a FAT partition is as follows:

Partition size Sectors per cluster Cluster size
<32MB 1 512 bytes
<64MB 2 1K
<128MB 4 2K
<255MB 8 4K
<511MB 16 8K
<1023MB 32 16K
<2047MB 64 32K
<4095MB 128 64K

This is why FAT volumes larger than 511MB are not recommended due to the amount of potentially wasted space due to the 16KB and above cluster size.

The default for NTFS is as follows:

Partition size Sectors per cluster Cluster size
<512MB 1 512 bytes (or hardware sector size if greater than 512 bytes)
<1024MB 2 1K
<2048MB 4 2K
<4096MB 8 4K
<8192MB 16 8K
<16384MB 32 16K
<32768MB 64 32K
>32768 MB 128 64K

NTFS better balances the trade off between disk defragmentation due to smaller cluster size and wasted space due to a large cluster size.

When formatting a drive you can change the cluster size using the /a:<size> switch, e.g.

format d: /a:1024 /fs:ntfs


Q. How much free space do I need to convert a FAT partition to NTFS?

A. The calculation below can be used for disks of a standard 512 bytes per sector:

To summarize:

Free space needed = (<size of partition in bytes>/100) + (<size of partition in bytes>/803) + (<no of files & directories> * 1280) + 196096

For more information see Knowledge Base article Q156560 at http://support.microsoft.com/support/kb/articles/q156/5/60.asp


Q. NT becomes unresponsive during an NTFS disk operation such as a dir.

A. When you perform a large NTFS disk operation such as a dir/s *.* or a ntbackup :\*.* NT can sometimes become unresponsive because NT updates NTFS files with a last access stamp and if viewing thousands of files the NTFS log file can become full and waits to be flushed to the hard disk, this can cause NT to become unresponsive. To stop NTFS updating the last access stamp perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  3. From the Edit menu select New - DWORD value
  4. Enter a name of NtfsDisableLastAccessUpdate and click OK
  5. Double click the new value and set to 1. Click OK
  6. Close the registry editor
  7. Reboot the machine

This should improve the performance of your NTFS partitions.

Below is an example or a .reg file that can be used to automate this:

REGEDIT4
;
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:1


Q. I have missing space on my NTFS partitions (Alternate Data Streams).

A. Its possible to hide data from both explorer and the dir command within an NTFS file that you cannot see unless you know its stream name. NTFS allows multiple streams to a file in the form of <filename>:<stream name>, you can try it

  1. Start a console windows (cmd.exe)
  2. Run "notepad normal.txt" and enter some text and save. This has to be on an NTFS partition
  3. Now edit the file again but this time with a different stream "notepad normal.txt:hidden". You will be prompted to create a new file. Enter some text and save
  4. Perform a dir and you will see you still see only normal.txt with its original size.

You can have as many streams as you want. If you copy a file it keeps the streams, so copying normal.txt to john.txt, john.txt:hidden would exist. You cannot use streams from the command prompt as it does not allow : in files names except for drive letters.

Microsoft provide no way of detecting or deleting these streams. The two ways to delete are

One application I have found to detect alternate data steams is by Frank Heyne and can be downloaded from http://www.heysoft.de/nt/ep-lads.htm.

Alternatively you can use Lizp which is downloadable from http://www.lizp.com/. I have not used it in earnest, however what I have seen looks very good. An example use would be

Lizp NT use

Its also possible to write a function to enumerate every altstream in every file matching c:\winnt\*. To do this, let's define a function, we'll call it las, and it'll take one argument, the wild path. Then we could type
(las 'c:\winnt\*)
and we'd get what we wanted.

Here's such a function definition:

(sequence
    (define
        (las Dir)
        (filter
            '(lambda
                (o)
                (cdr o) )
            (mapcar
                '(lambda
                    (FileInfo)
                    (if
                        (getfilesize
                            (car FileInfo) )
                        (cons
                            (car FileInfo)
                            (getaltstreams
                                (car FileInfo) ) )
                        (cons nil nil) ) )
                (dirlist Dir) ) ) )
    '(Enhanced with las) )

Even though you could type all this in at the prompt, on one long line, it's easier to save the code above to a file. Let's call the file las.lzp.

Now, from the Lizp prompt, you could type

(eval (load 'las.lzp))

and voila, you'll have a new function, las. Now try the thing above:

(las 'c:\winnt\*)

Suppose we think our Lizp should have this functionality always. Then type

(Compile (load 'las.lzp) 'Lizp_with_las.exe true)

and we'll have a new version of Lizp, called Lizp_with_las.exe.

Finally, suppose we wanted a GUI application which asked us for the wild path, and then displayed the alternate streams in a window. Save the following lines to a file, let's call it las_gui.lzp:

(local
    (Result)
    (setq Result
        (las
            (inputbox
                '((Wild path to check for Alt Streams)) ) ) )
    (messagebox
        (if Result Result
            '((No Alt Streams found in path.)) ) )
	(exit) )

Now, from Lizp_with_las' prompt, type

(Compile (load 'las_gui.lzp) 'Las.exe nil

and you'll have a new program, Las.exe, doing what we want. Note the last argument to the Compile function: the first time we compiled, we used "true", this last time we used "nil". This is because the first time we wanted the new program to create a console when run (because it was going to be our new Lizp interpreter). The second time we don't need a console.

Another way to delete these streams is to edit them in notepad and delete all the text. When you quit notepad NT tells you that the file is empty and will be deleted and you only have to confirm.

If you want to write your own programs to detect streams have a look at

Basically the only reliable way of handling streams is to use the BackupRead() function. The only "problem" is that BackupRead() requires SeRestorePrivilege/SeBackupPrivilege rights which most users will not have

BackupRead() actually does is to turn a file and its associated metadata (extended attributes, security data, alternate streams, links) into a stream of bytes. BackupWrite() converts it back.


Q. How can I change the Volume ID of a disk?

A. Windows NT provides functionality to change the volume name of a disk by using the command

label <drive>: <label name>

Windows NT does not provide built in functionality to change Volume ID's, however NT Internals has produced a free utility that can be downloaded from http://www.sysinternals.com/misc.htm called VolumeID which can change the volume ID of a FAT or NTFS volume. To view a drives current Volume ID you can just perform a dir <drive>: and the volume serial number is shown on the second line down, e.g.

Volume in drive E is system
Volume Serial Number is BC09-8AE4

To change enter the command

volumeid <drive letter>: xxxx-xxxx


Q. How do I read NTFS 5.0 partitions from Windows NT 4.0?

A. Service Pack 4 includes a read/write driver for NTFS 5.0 volumes (an updated ntfs.sys driver). More details will follow once Service Pack 4 is released, the non-disclosure agreement limits me from saying any more.


Q. How do share and file system protections interact?

A. In general when you have protections on a share or on a file/directory the privileges are added, for example if user John was a member of 2 groups, one with read access and another with change the user would have read and change access. The exception to this if a group has "no access" which means no mater what other group memberships there are, any user in that group will have no access.

The opposite is true when protections are set on the file system and on the share where the most restrictive policy is enforced, e.g. if the file has full control set for a user and the share only has read then the user will be limited to read-only privileges, likewise if the file had only read-only but the share had full the user would still be limited to read-only.

Share protections are only used when the file system is accessed through a network connection, if the user is using the partition locally then the share protections will be ignored.


Q. How can I backup/restore my Master Boot Record?

A. The Windows NT Resource kit supplies a utility DISKSAVE.EXE which enables a binary image of the Master Boot Record (MBR) or Boot Sector to be saved.

DISKSAVE has to be run from DOS and so you will need to create a bootable DOS disk and copy DISKSAVE.EXE to the disk. To create a DOS bootable disk just use the command

C:\> format a: /s

from a DOS machine (do not do it from a Windows NT command session).

Once you boot with the disk you will have a number of options:

F2 - Backup the Master Boot Record - This function will prompt for a path and filename to save the MBR image to. The path and filename are limited to 64 characters. The resulting file will be a binary image of the sector and will be 512 bytes in size. The MBR is always located at Cylinder 0, Side 0, Sector 1 of the boot disk.

F3 - Restore Master Boot Record - This function will prompt for a path and filename for the previously save Master Boot Record file. The only error checking is for the file size (must be 512 bytes). Copying and incorrect file to the MBR will permanently destroy the partition table information. In addition, the machine will not boot without a valid MBR. The Path/filename is limited to 64 characters.

F4 - Backup the Boot Sector - This function will prompt for a path and filename to save the Boot Sector image to. The path and filename are limited to 64 characters. The resulting file will be a binary image of the sector and will be 512 bytes in size. The function opens the partition table, searches for an active partition, then jumps to the starting location of that partition. The sector at that location is then saved under the filename the user entered. There are no checks to determine if the sector is a valid boot sector.

F5 - Restore Boot Sector - This function will prompt for a path and filename for the previously save Boot Sector file. The only error checking is for the file size (must be 512 bytes). Copying and incorrect file to the Boot Sector will permanently destroy Boot Sector information. In addition, the machine will not boot without a valid Boot Sector. The Path/filename is limited to 64 characters.

F6 - Disable FT on the Boot Drive - This function may be useful when Windows NT will not boot from a mirrored system drive. The function looks for the bootable (marked active) partition. It then checks to see if the SystemType byte has the high bit set. Windows NT sets the high bit of the SystemType byte if the partition is a member of a Fault Tolerant set. Disabling this bit has the same effect as breaking the mirror. There is no provision for re-enabling the bit once it has be disabled.


Q. How do I convert an NTFS partition to NTFS 5.0? - NT 5.0 only

A. Windows NT 5.0 introduces NTFS 5.0 which enables a number of new features. By default when you install Windows NT 5.0 it will automatically convert any NTFS 4.0 partitions to NTFS 5.0 (however this may change).

Service Pack 4 has an updated NTFS.SYS which can read NTFS 5.0 partitions so apply this to any systems that need to read Windows 2000 NTFS 5.0 partitions.

To check the version of an NTFS partition use the CHKNTFS.EXE utility.

C:\> chkntfs <drive>:
The type of the file system is NTFS 5.0.
or
The type of the file system is NTFS 4.0
<drive>: is not dirty

If the file system is not NTFS 5.0 and you want to upgrade it use the command

C:\> chkntfs /e <drive>:

The machine will need to be rebooted for the upgrade to take place.


Q. I cannot compress files on an NTFS partition.

A. If when you try and compress files on an NTFS partition using Explorer (right click on a file/directory, select properties and check the compress box) the option is not available or when you try from the command prompt using the command:

C:\> compact /c ntfaq.txt /s

you get the error

"The file system does not support compression"

the cause is normally that the cluster size of the NTFS partition is greater than 4096. To check the cluster size of your NTFS partition use the CHKDSK command, e.g.

C:\> chkdsk <disk>: /i /c

The /i /c are used to speed up the chkdsk and at the end of the display it will tell you the bytes in each allocation unit:

2048 bytes in each allocation unit.
1012032 total allocation units on disk.
572750 allocation units available on disk.

If this number is greater than 4096 you will need to backup all the data on the disk and then reformat the partition using any of the following methods:

Once reformatted you can then restore your backed up data.

To understand more about the 4,096 limit please read Knowledge base article Q171892 at http://support.microsoft.com/support/kb/articles/q171/8/92.asp


Q. How can I modify the CHKDSK timer?

A. Service Pack 4 introduces a new feature which before performing a chkdsk of a disk if its dirty bit is set a 30 second countdown timer is given allowing you to cancel to chkdsk from running.

If you want to modify this 30 second value perform the following:

  1. Start the registry editor
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  3. From the Edit menu select New - DWORD Value. Enter a name of AutoChkTimeOut and press ENTER
  4. Double click this new value and set to 0 to disable the timer, or the time in seconds you wish to be given to cancel the chkdsk.
  5. Close the registry editor

The change will take effect at the next reboot


Q. How can I view the current owner of a file?

A. The normal method would be to right click on the file in Explorer, select Properties, click the Security tab and click Ownership. This will then show the current owner and give the option to take ownership.

To view from the command line you can use the SUBINACL.EXE utility that is shipped with the Windows NT Resource Kit Supplement 2. To view the current owner use as follows:

C:\> subinacl /file <file name>
//++++
// D:\Documents\<file name>
//----
+ Owner = builtin\administrators
+ Primary Group= lnautd0001\domain users
+ System ACE count =0
+ Disc. ACE count =1
lnautd0001\saviljo ACCESS_ALLOWED_ACE_TYPE FILE_ALL_ACCESS

You could perform on *.* to list owners for all files in all subdirectories (no need for any /s switch).


Q. How can I view/defrag pagefile fragmentation?

A. System Internals has released PageDefrag, a free utility that shows fragmentation in the pagefile and then offers the option of defragmentation at boot time.

The utility can be downloaded from http://www.sysinternals.com/pagedfrg.htm. Once you download just unzip the file and run pagedfrg.exe. Below is a sample output.

Pagedfrg.exe

I understand that Executive Software's Diskeeper 4.0 can also defragment pagefiles however I have not seen it in action (http://www.diskeeper.com/).


Q. I get a disk maintenance message during setup.

A. If during setup up get the message:

Setup has performed maintenance on your hard disk(s) that requires a reboot to take effect. You must reboot and restart Setup to continue.

Press F3 to reboot.

This is returned when the Autochk part of the installation was able to repair the partition, but will require a reboot.

For a FAT partition, this could include corruption of extended attributes was fixed, the dirty bit was cleared, orphaned long filename entry was fixed (or any other fixing of lfns), directory entry fixed, crosslinked files fixed, non-unique filename uniqued, or any other structural issues at all fixed. There will of course be other specific "fixing steps" that would cause this for NTFS, or other non-file system specific structures.

In short this is not a problem as long as the setup does not get stuck in a loop keep running this stage.


Q. Where is Disk Administrator in Windows 2000? - Windows 2000 only

A. As with every other Administration tool in Windows 2000, Disk Administrator has been replaced with a Microsoft Management Console (MMC) snap-in.

By default it is accessible via the Computer Management MMC snap-in

  1. Start the Computer Management MMC (Start - Programs - Administrative Tools - Computer Management)
  2. Select the Storage branch
  3. Select Disk Management
  4. Should look familiar

Disk Management MMC

Alternatively create your own MMC console

  1. Start the MMC (Start - Run - MMC)
  2. Select "Add/Remove Snap-in" from the Console menu
  3. Click Add
  4. Select Disk Management and click Add
  5. Select Local Computer and click Finish
  6. Click Close
  7. Click OK to the main dialog

You now have your own MMC with just the Disk Management. You could save by selecting "Save As" from the Console menu, enter "Disk Admin" as the name and click Save. You will now see under the Programs menu a new folder, My Administrative Tools with Disk Admin as a MMC snap-in.


Q. How do I convert a basic disk to dynamic? - Windows 2000 only

A. Windows 2000 introduces the idea of a dynamic disk needed for fault tolerant configurations. To convert perform the following:

  1. Start Computer Manager
  2. Expand Storage - Disk Management.
  3. Right click on the disk and select 'Upgrade to Dynamic Disk'
  4. Select the disks to upgrade and click OK
  5. A summary will be displayed.
  6. Click Upgrade
  7. Click Yes to the confirmation

Converting Basic disks to Dynamic disks don't require reboots - however any volumes contained on them after the conversion will generate a popup that basically says a re-boot is necessary before the volumes can be used. I generally say - NO, do not reboot - until all the volumes are identified and all the popups go away, then perform a single re-boot.

When you upgrade from basic to dynamic any existing partitions become simple volumes. Any existing mirrored, striped or spanned volumes sets created with NT 4.0 become dynamic mirrored, striped or spanned volumes respectively.

If you get a message that says you are out of space then you may not have enough unallocated free space at the end of the disk for the private region database that Dynamic disks use to keep volume information. To be Dynamic it needs about 1 MB of this space, sometime the space is not visible to the user in the GUI but it is still there.

You may not have the space if the partition(s) on the disk take up the entire disk and were created with Setup, an earlier version of NT or another OS. If partitions are created within Windows 2000 the space is reserved, partitions created with Setup will reserve the space in a later release.

To undo this conversion run Dmunroot.exe which will revert boot and system partition back to basic but all other volumes will be destroyed. Alternatively you should backup any data on the disk you wish to preserve, then delete all partitions - that should activate the menu choice "Revert to Basic Disk", the entire disk HAS to be unallocated or free space.


Q. How do I delete a volume in Windows 2000?

A. To delete a volume just perform the following, be warned you will lose any data on these volumes.

  1. Start the Computer Management MMC (Start - Programs - Administrative Tools - Computer Management)
  2. Expand the Storage branch and select 'Disk Management'
  3. Right click on the volume to be deleted and select 'Delete Volume..' from the context menu shown
  4. Click Yes to the confirmation

Q. How do I import a foreign volume in Windows 2000?

A. If you take a disk from another machine and place in a Windows 2000 box it will be shown as foreign and its partitions not available, however its partition information can be imported and volumes used. Any volumes that were part of a set will be deleted during the import phase unless the whole set of disks are imported.

  1. Start the Computer Management MMC (Start - Programs - Administrative Tools - Computer Management)
  2. Expand the Storage branch and select 'Disk Management'
  3. Right click on the volume to be imported and select 'Import Foreign Disks..' from the context menu shown
    Import foreign
  4. Click OK to the displayed dialog of the disk to import. If you imported multiple disks they will be grouped by the computer they were moved from and can be selected by clicking the 'Select Disk' button. If the disks imported are not dynamic they will all be imported regardless of you choices.
  5. A dialog will be shown showing the volumes to import. Click OK
    List of volumes to import
    Notice the partition that was part of a RAID 5 set is not usable.

The data on the imported volumes will now be accessible (you have to refresh in Explorer to see them (press F5)).


Q. How can I wipe the Master Boot Record?

A. The normal method is using the DOS FDISK command:

C:\> fdisk /mbr

however there are some cases where this does not work and a more direct method may be needed.

A program called DEBUG.EXE is supplied with DOS, Windows 9x and NT and can be used to run small Assembly language programs and just such a program can be used to wipe the MBR. Perform the following, but BE CAREFUL, this WILL wipe your MBR leaving your system unbootable and its data lost.

  1. Boot to 9x or DOS (this cannot be done from NT since direct disk access is not allowed)
  2. Start a command prompt
  3. Enter the following commands (in bold):
    C:\> debug
    -F 9000:0 L 200 0
    -a
    0C5A:0100 Mov dx,9000
    0C5A:0103 Mov es,dx
    0C5A:0105 Xor bx,bx
    0C5A:0107 Mov cx,0001
    0C5A:0109 Mov dx,0080
    0C5A:010A Mov ax,0301
    0C5A:010D Int 13
    0C5A:0110 Int 20
    <press Enter twice>
    -u 100 L 12   <check the code matches the above>
    -g    <executes>

    Program terminated normally
    -quit

You can now install a replacement MBR via a normal installation.

Thanks to Mark Minasi for giving permission to reproduce this Assembler code and a full explanation can be found in Windows NT Magazine Summer 1999 issue

Another method from David Lynch:

C:\> debug
-a
xxxx:0100 mov ax,0301
xxxx:01xx mov cx,1
xxxx:01xx mov dx,80
xxxx:01xx int 13
xxxx:01xx int 3
xxxx:01xx <CR>
-G

 This is much shorter. It has 2 theoretically possible failure cases

  1. ES:BX accidentally and randomly points to a valid MBR. This is extremely unlikely and probably technically impossible. I ES:BX is initialized when debug starts. BX is normally the high part of the length of the file being debugged and I think therefore 0 if there is nor file and I think ES is the same as DS, SS, CS by default.
  2. The 510th word pointed to by ES:BX is AA55. I do not know what the probability is here but it is at least 1/64K Further even if this is the case it still may not fail, just subsequent attempts to format the drive will believe there is a valid though maybe unusual MBR.

There is nothing special about filling the MBR with 0's. It just need to not be valid. Any invalid MBR is the same as no MBR.


Q. How can I cancel a scheduled NTFS conversion?

A. If you have scheduled a NTFS conversion for next reboot using the CONVERT command it can be canceled as follows:

  1. Start the registry editor (regedt32.exe NOT regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  3. Double click BootExecute
  4. Change from
    autoconv \DosDevices\x: /FS:NTFS
    to:
    autocheck autochk *
  5. Click OK
  6. Close the registry editor

Q. What is the Encrypted File System (EFS)?

A. New to Windows 2000 and the NTFS 5.0 file system is the Encrypted File System (EFS) which as the name suggests is used to encrypt files.

NTFS is a secure file system however with more and more people using portables and utilities such as NTFSDos which bypasses NTFS security another layer or protection is needed.

EFS uses a public and private key encryption and the CryptoAPI architecture. EFS can use any symmetric encryption algorithm to encypt files however the initial release only uses DES. 128-bit keys are used in North America, 40-bit internationally.

No preparation is needed to encrypt files and the first time a user encrypts a file an encryption certificate for the user and a private key are automatically created.

If encrypted files are moved they stay encrypted, if users add files to an encrypted folder the new files are automatically encrypted. There is no need to decrypt a file before use, the operating system automatically handles this for you in a secure manner.

In the event of a users private key being lost (either by reinstallation or new user creation) the EFS recovery agent can decrypt the files.


Q. What do I encrypt/decrypt a file?

A. Encrypting and compressing a file/folder is mutually exclusive, you can encrypt a file or compress it, not both.

To decrypt a file perform the following:

  1. Start Explorer
  2. Right click on the file/folder
  3. Select Properties
  4. Under the General tab click Advanced
  5. Check the 'Encrypt contents to secure data'. Click OK
  6. Click Apply on the properties
  7. If you selected a file it will ask if you want to encrypt the parent folder to prevent the file from becoming unencrypted during modification. Click OK If you selected a folder if will ask if you want to encrypt subfolders and files also. Click OK.
  8. Click OK to the main dialog

To decrypt repeat the above but unselect the box. If you decrypt a folder it will ask if you also want to decrypt all child folders and files.

Compress encrypted file will not save in most case. Encrypt compressed file makes sense. There is a technical issue here. It is not because of reparse point. Neither compression nor encryption uses reparse point. The reason we do not support both is backup\restore. We provide a way for backup operator to backup encrypted file. The operator has no way to read the file in plaintext. The NTFS compression result depends on the disk cluster. If the backup source and the restore destination has the different cluster size, NTFS could not restore the encrypted data because NTFS does not know how to understand the data.

Sparse and encryption.
Encryption is compatible with sparse. In other words, you can encrypt a sparse file and still keep it a sparse file.


Q. What do I encrypt/decrypt a file from the command line?

A. A command line utility, CIPHER.EXE, can be used to encrypt and decrypt files from the command line.

CIPHER [/E | /D] [/S:dir] [/I] [/F] [/Q] [dirname [...]]

/E Encrypts the specified directories. Directories will be marked so that files added afterward will be encrypted.
/D Decrypts the specified directories. Directories will be marked so that files added afterward will not be encrypted.
/S Performs the specified operation on directories in the given directory and all subdirectories.
/I Continues performing the specified operation even after errors have occurred. By default, CIPHER stops when an error is encountered.
/F Forces the encryption operation on all specified directories, even those which are already encrypted. Already-encrypted directories are skipped by default.
/Q Reports only the most essential information.
dirname Specifies a pattern, or directory.

Used without parameters, CIPHER displays the encryption state of the current directory and any files it contains. You may use multiple directory names and wildcards. You must put spaces between multiple parameters.


Q. How can a user request an EFS recovery certificate?

A. To request a EFS certificate you first need the domain to have a trusted list of Certificate Authorities and the user needs to be a domain Administrator.

  1. Start the MMC console (Start - Run - MMC.EXE)
  2. From the Console menu select 'Add/Remove Snap-in...'
  3. Click Add
  4. Select Certificates and click Add
  5. Select 'My user account' and click Finish
  6. Click Close
  7. Click OK to the main dialog
  8. Expand the Certificates root and right click on Personal
  9. Select 'Request New Certificate' from the 'All Tasks' menu
  10. Click Next to the Certificate Request Wizard
  11. Select 'EFS Recovery Agent' and click Next
  12. Enter a friendly name and description. Click Next
  13. Click Finish the summary dialog
  14. Click 'Install Certificate'. Click OK

You will now have a File Recovery certificate under the Personal\Certificates folder.


Q. How can I add a user as an EFS recovery agent for a domain?

A. Recovery agents are users who can recovery encrypted files for a domain. To add new users as recovery agents they must first have recovery certificates.

  1. Start the Active Directory Users and Computers (Start - Programs - Administrative Programs - Active Directory Users and Computers)
  2. Right click on the domain and select Properties
  3. Select 'Group Policy' tab
  4. Select the 'Default Domain Policy' and click Edit
  5. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents
  6. Right click 'Encrypted Data Recovery Agents' and select Add
  7. Click Next to the 'Add Recovery Agent Wizard'
  8. Click 'Browse Directory'. Locate the user and click OK
  9. Click Next to the agent dialog select
  10. Click Finish to the confirmation
  11. Close the Group Policy Editor

Refresh the machine policy

C:\> secedit /refreshpolicy machine_policy

The agent will only be able to recover files encrypted after the user was made an agent. If an encrypted files is unencrypted and the encrypted or even just opened the new agent WILL be able to recover it as the file will "refresh" its recovery certificates (if the recovery policy has changed).

The local admin on a standalone PC or the first logon admin on a DC is the recovery agent by default. However this can be modified. You can remove the default recovery agent and assign any one as the recovery agent. In other words, admin can not read other person's encrypted file unless he is the recovery agent. The purpose of assigning the first logon admin as the recovery agent is to make life easier for most of our customer. The corp user is recommended to modify the recovery agent.


Q. How do I delete an orphaned share?

A. An orphaned share is one that the directory it shares has been deleted. If you delete a directory in Explorer that is shared any shares will automatically removed. If you delete by a different method, such as from the command prompt then the share will be left and it may result in messages in the System Event Log of the form:

The server service was unable to recreate the share NTFAQ because the directory D:\ntfaq files no longer exists.

You can manually update the registry to remove these "rogue" shares.

  1. Start the registry editor (regedt32.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
  3. There is an entry for each share
  4. Select the entry for the share you wish to delete and select Delete from the Edit menu.
  5. Click Yes to the confirmation
  6. If the share had special security set it will also have an entry under the Security sub-key so move to Security (under Shares), select the share value name and delete

If you type net share the share name will still be displayed until the lanmanserver service is restarted. If you manually restart it will also stop the services, net logon, computer browser and Distributed File System.

Another method (if you have access) is to use Server Manager in NT 4.0, connect to the machine and orphaned shares are grayed out, you can then delete them. Windows 2000 Computer Manager does not display orphaned shares in a different colour making this approach impossible in Windows 2K.


Q. How can I check who last opened a file?

A. The only way I know of would be to enable auditing on the file and then examine the Security Event log for access.

In order to do this you will need the following:

  1. Enable auditing for files and folders via User Manager (Policies - Audit - Audit These Events - File and Object Access). In Windows 2000 use the Group Policy editor and edit the local policy or another GPO (Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy)
  2. Start Explorer
  3. Right click on the files/folders select Properties
  4. Select the Security tab
  5. Click the Advanced button
  6. Select the Audit tab
  7. Click Add
  8. Select 'Everyone'
  9. Click OK
  10. Select the actions to audit such as 'List folder/read data'
  11. Click OK
  12. Click OK to all dialogs

Q. I've increased the size of a hardware RAID volume but NT does not see the size increase, what can I do?

A. You need to reset the Disk Administrator configuration by performing the following:

  1. Backup your disk configuration by starting disk administrator (Start - Programs - Administrative Tools - Disk Administrator or just run WINDISK.EXE)
  2. Insert a floppy disk and from the Partition menu select Configuration - Save. You configuration will then be saved to the disk
  3. Close the Disk Administrator
  4. Start the registry editor (regedit.exe)
  5. Move to HKEY_LOCAL_MACHINE\SYSTEM\DISK
  6. Select the Disk key and press DEL.
  7. Close the registry editor
  8. Restart the Disk Administrator
  9. It will say its the first time Disk Administrator has been run and it will update the disk configuration


Q. I'm unable to use the Encrypted File System under Windows 2000 as I'm a member of a 4.0 domain.

A. Because a machine in a domain uses the domain policy for recovery if the domain does not support EFS (such as a 3.51 or 4.0 domain) EFS is disabled. To get around this perform the following:

  1. Remove the Windows 2000 computer from the Windows NT 4.0 domain.
  2. From the command prompt, type:
    secedit /refreshpolicy machine_policy /enforce
  3. Rejoin the Windows 2000 computer to the Windows NT 4.0 domain.

Q. What is Distributed File System?

A. Distributed File System (or Dfs) is a new tool for NT server that was not completed in time for inclusion as part of NT 4.0, but is now available for download. It basically allows Administrators to simulate a single server share environment that actually exists over several servers, basically a link to a share on another server that looks like a subdirectory of the main server.

This allows a single view for all of the shares on your network, which could then simplify your backup procedures as you would just backup the root share, and Dfs would take care of actually gathering all the information from the other servers across the network.

You do not have to have a single tree (Dfs directory structures are called trees), but rather could have a separate tree for different purposes, i.e. one for each department, but each tree could have exactly the same structure (sales, info. etc).

For more information on DFS see http://www.microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp


Q. Where can I get Dfs?

A. Dfs is available for download from Microsoft http://www.microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/default.asp. Follow the instructions at the site and fill in the form about your site. The file you want for the I386 platform is dfs-v41-i386.exe.

Once downloaded just double click on the file, and agree to the license. It will then install files to your drive which you need to install.

Windows 2000 has Dfs built-in as a core component.


Q. How do I install Dfs?

A. Follow the instructions below, you must have first downloaded and expanded the file dfs-v40-i386.exe:

  1. Right click on Network Neighborhood and select properties (or double click Network in the Control Panel)
  2. Click the services tab and click Add
  3. Click the "Have disk" button and when asked where enter %systemroot%/system32/dfs. Do not actually type %systemroot%, but rather what it points to, i.e. d:\winnt, so the full path would be d:\winnt\system32\dfs
  4. Click Enter and press OK for Dfs installation
  5. A dialog box will be shown, and click "New Share", and type the name of the required root, e.g. c:\dfsroot and click "Yes" to create the directory
  6. Select the "Shared As" and fill in required information and click OK
  7. Close the dialogs and reboot the machine

Windows 2000 does not require you to install Dfs, it is built into the operating system, all it requires is configuration.


Q. How do I create a new folder as part of the Dfs?

A. Once Dfs is installed a new application, the Dfs Administrator, is created in the Administrative Tools folder. This app should be used to manage Dfs. To add a new area as part of the Dfs tree follow the procedures below:

  1. Start the Dfs Administrator application (Start - Programs - Administrative Tools - Dfs Administrator)
  2. Select "Add to Dfs" from the Dfs menu
  3. Enter the name of folder you want an existing share to be known as
  4. Next select what it should point to, you can either type the path, or use Browse.
  5. Click Add
  6. Close the Dfs Administrator

Q. How do I uninstall Dfs?

A. Follow the procedure below:

  1. Start the network control panel applet or right click on Network Neighborhood and select propertied
  2. Click the Services Tab
  3. Select "Distributed File System" and click remove
  4. You will be prompted to continue, click Yes
  5. A reboot will then be required

Q. How do I create a Dfs root volume in Windows 2000?

A. Windows 2000 currently supports one Dfs root per server however this will be expanded in future versions of the operating system/service packs.

The Distributed File System has its own DFS Microsoft Management Console snap-in which has a shortcut on the Administrative Tools folder.

To create a new Dfs root perform the following:

  1. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)
  2. If its the first time you have run it a dialog will be displayed confirming no roots currently exist. Click OK
  3. Right click on the Distributed File System root and select ‘New Dfs Root…’
  4. The Dfs root creation wizard will be started, click Next to the introduction screen

  5. The next screen gives the option of a fault-tolerant Dfs root which uses the Active Directory to store the information or a standalone Dfs root if the Active Directory is not available or not wanted. Select ‘Create a domain Dfs root’ and click Next

    Select a domain to use. A list of available domains will be displayed and the current domain will be selected as the current choice. Click Next. This screen is not displayed if you are not creating a fault-tolerant Dfs root.
  6. You will need to select a server to host the Dfs root (a domain member if fault tolerant) and must be running the Dfs service. The current server will be selected but can be changed by typing a domain name or click Browse. Click Next
  7. The next stage is to select a share to act as the Dfs root. A list of existing shares will be displayed or you can select to create a new share by entering a share name and location. Click Next
  8. Each Dfs root requires a unique name and will, by default, be the name of the share although you can change this. You can also select to add the new Dfs root to the current console. Click Next
  9. A summary screen will be displayed showing the domain, server, share and Dfs root name. Click Finish to create the Dfs root
  10. Once complete a success message will be displayed. Click OK

Q. How can I add a replica Dfs root volume in Windows 2000?

A. If your Dfs root was created as a fault-tolerant Dfs root you may add other Dfs servers as part of the Dfs root replica set.

To add a new Dfs root replica member perform the following:

  1. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)
  2. Right click on the root you wish to add a replica to and select ‘New Root Replica’
  3. You will be asked for a server that will host a copy of the Dfs root. Click Next
  4. As when creating the original you need to either select an existing share or create a new folder and share. Click Finish
  5. Click OK to the success confirmation

These root replicas will all contain the Dfs root information by utilitizing and replicating via the Active Directory. You can actually see the Dfs information using the Active Directory Users and Computers snap-in, select Advanced Features view, System, Dfs.


Q. How can I add a child node to Dfs in Windows 2000?

A. Once your Dfs root is created the next step is to populate with child nodes/leafs which actually link to information.

To add a new Dfs child node perform the following:

  1. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)
  2. Right click on the root you wish to add a replica to and select ‘New Dfs Child Node’
  3. You will need to enter a location and name for the child node, a UNC for the destination and a comment. You can also select the amount of time clients cache the request.
  4. Click OK

Any subdirectories of the child leaf will also be published to the Dfs with the parent directory, for example if a share, ntfaq, was added as a child node to Dfs, any subdirectories of that share would be viewable on the Dfs tree as children of the documents Dfs entry.


Q. How can I add a replica child node to Dfs in Windows 2000?

A. The Windows 2000 version of Dfs allows child replica sets to be created in which a single Dfs leaf points to multiple shares on different servers the File Replication Service will keep the contents of all shares in sync with each other. This allows fault tolerance AND load balancing.

Members of a node replica set must:

  1. All be members of the domain
  2. Use NTFS 5.0
  3. Must be on different servers. You cannot replicate between shares on the same server.

To add a new Dfs child replica member perform the following:

  1. Ensure an up-to-date copy of the resource to which a new replica member is to be added is placed in the new share which will join the set
  2. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)
  3. Right click on the child node you wish to add a replica to and select ‘NewReplica’
  4. You will need to enter the UNC of the new share and you have the option for
    - Manual replication
    - Automatic replication
    ’Manual replication’ is useful if the contents are read-only documents which do not often change. Joint replication will replicate the contents of the shares with all members in the replica set. Click OK
  5. The replication set topology dialog will be shown. Check replication has been enabled and click OK

Multi-master replication is used except on the first replication path where the contents of the Primary server is copied to the other members. Any content currently in the other shares is moved to a NtFrs-PreExisting subdirectory (but a checksum is performed and if the files match with the primary servers share they are moved back into the main directory to save network bandwidth in copying them from the Primary server).

Replication is every 15 minutes by default.


Q. How do I assign User Rights for a standalone server (not the PDC/BDC) in a domain?

A. In NT Workstation, User Manager/Policies/User Rights... assigns the privileges (e.g. the Shutdown or Log On Locally privilege) for the local machine. However, in NT Server the User Rights you assign with User Manager for Domains affect the Domain Controller(s). To modify privileges for the local machine, first choose Select Domain... from the User menu, and type in the name of the computer at the Domain prompt (you cannot browse the domain).


Q. I can't FTP to my server, although the FTP service is running?

A. Have you unchecked the "Allow only anonymous connections" option, but still receive a "530 User xyz cannot log in. Login failed." message? To log on to the FTP server with your domain account, it is not sufficient to specify your name at the User prompt. The FTP service checks local accounts only, even if the computer is participating in a domain. Use domainname\username instead, e.g. if the domain name was savilltech and the user was john, enter savilltech\john as the username.


Q. How do I validate my NT Logon against a UNIX account?

A. There is software to do this available at


Q. Can I synchronize the time of a NT Workstation with a NT Server?

A. Yes, enter the command

NET TIME \\<name of the server to set time to> /SET /YES

Please note that users will require "Change System Time" user right, via User Manager\User rights. There is a utility on the resource kit called TimeServ which runs the time synchronization as a service and works even when there are no logged on users.

Also see Q. How do I configure a user so it can change the system time?


Q. How can I send a message to all users?

A. Ensure the "Messenger" service is started (Control Panel - Services - Messenger - Auto). To send a message type:
c:> net send <machine name> "<message>"
Or instead of a machine name type * to broadcast to all stations

There are also various GUI utilities, and one of the best is NT Hail at http://www.geocities.com/SiliconValley/Bay/1999/NT_Hail.html


Q. How do I change a Workstations Name?

A. Follow the steps below

  1. Logon to the NT server and in Server Manager add the new computer name (Computer - Add to Domain)
  2. On the Workstation from Control Panel double click Network (or right click on Network Neighborhood and select properties)
  3. Click Change and type the new computer name
  4. Press OK and accept reboot
  5. The machine should then reboot with the new name
  6. On the NT server you should now delete the OLD computer name (select and press DEL)

Q. How do I stop the default admin shares from being created?

A. This can be done through the registry.

  1. Start the registry editor
  2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
  3. If you are using Workstation create a value (Edit - Add Value) called AutoShareWks (AutoShareServer for server) of type DWORD and press OK. It will ask for a value, type the number 0.
  4. Close the registry editor
  5. Reboot

This can also be done using the policy editor. Start the policy editor (poledit.exe), load the default computer profile, and expand the Windows NT Network tree, then Sharing and set "Create hidden drive shares" to blank for server/workstation.

There are a few other options though. The first is to use NTFS and set protections on the files so people may be able to connect to the share, but they will not be able to see anything. The second is to delete the shares each time you logon, this can be done through explorer, but it would be better to have a command file run each time with the lines
net share c$ /delete
and for all the other shares, however these shares are there for a reason so your machine can be administered by the servers, so if you delete them system managers may have something to say about it!


Q. How do I disconnect all network drives?

A. Use net use * /del /yes


Q. How do I hide a machine from Network Browsers?

A. Using the registry editor set the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters and set value Hidden from 0 to 1 which should be of type DWORD. You should then reboot. You can also type

net config server /hidden:yes

The above command also automatically creates quite a lot of other values under \Parameters key, too.

You can still connect to the computer, but it is not displayed on the browser.


Q. How do I remote Boot NT?

A. NT does not support remote boot. It is possible to reboot a machine from another computer using the Shutdown Manager that comes with the NT resource kit.

You could also reboot by using the shutdown.exe resource kit utility and specify another machine name.

C:\>shutdown \\<machine name> /r /y /c

Software such as PC Anywhere can also remotely reboot machines.


Q. How can I get a list of users currently logged on?

A. Use the net sessions command, however this will only work if you are an Administrator. You can also use control panel and choose server.

The resource kit utility, Net Watch, can also show current logged on users that are connected to the Netlogon share if you connect to the domain controller, however these connects terminate after a finite amount of time so will not necessarily show all users.


Q. How do I configure NT to be a gateway to an ISP?

A. Firstly the hardware required would be a network and a modem. The network card would be so the other clients in the network can communicate with the "to be" gateway, and the modem to connect to the gateway. Dial-up networking is not covered here, and you should first be confident with dial-up networking before attempting this.

  1. Start the registry editor (regedit.exe) and add a value of type DWORD called DisableOtherSrcPackets in the HKey_Local_Machine\System\CurrentControlSet\Services\RasArp\Parameters area, and set to a value of 0. This is so packets that are sent through the NT gateway, the original IP address stored in each packet is retained, i.e. of machine a is sending a packet through b, then the packet retains the IP address of a, rather then be automatically changed to b. Also change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter to a value of 1.
  2. On the gateway machine ensure TCP/IP is installed with a static IP address, and a correct subnet address (usually 255.0.0.0 for a class a, 255.255.0.0 for class b, and 255.255.255.0 for class c). Make sure the default gateway address is blank.
  3. Install Dial Up networking and configure for NT to dial out only. You will have to reboot
  4. Add a phonebook entry for your ISP as you would as normal, however uncheck the "Use default gateway".
  5. Enable the PC to be able to forward IP packets, by starting control panel, double click Network and choose the protocols tab. Select TCP/IP and then routing. Check the Enable IP Forwarding. You will need to reboot
  6. If when you connect to your ISP you are given an IP address, you will need to connect to your ISP, and then find out which IP address you are given. To get the address type
    IPCONFIG
    Look for a Wan adapter and write down the IP address. If you know your IP address before you connect you can forget this step.
  7. Add a route for the IP address used when connecting to the ISP (the one identified in step 6)
    route add 0.0.0.0 mask 0.0.0.0 <ip address> metric 2
  8. Configure all clients gateway as the network card IP address of the NT gateway.

This would enable the machines to send out IP packets to the internet, however the packets would have no way of finding there way back, as the ISP would not know to route them through the gateway, so you ISP will have to either a) have host entries for each of the machines or b) point to the gateway as another DNS.

Other things to check are as follows:

Have a look at http://support.microsoft.com/support/ntserver/serviceware/nts40/e9mslcs1z.asp for more information.


Q. How do I install the FTP server service?

A. In prior version of NT, the FTP server service was installed as part of TCP/IP, however as of NT 4.0, it became part of IIS/PWS, so it needs to be installed manually. Before you install the FTP server, TCP/IP must be installed.

  1. In Control Panel, double-click Network.
  2. Click Services, click Add, and then click Microsoft Peer Web Services if you are using NT Workstation or click Microsoft Internet Information Server 2.0 if you are using NT Server.
  3. Click OK, and then type the path for the Windows NT source files. For example, if you are using the Windows NT CD-ROM in drive E, type the following line: E:\i386
  4. Click OK to start the Microsoft Peer Web Services Setup or Internet Information Server.
  5. The FTP Service is selected by default, but you should clear the check boxes for options you do not want to install.

Q. How do I get a list of all connections to my PC?

A. Use the command netstat -a


Q. How can I get the Ethernet address of my Network card?

A. Type ipconfig /all from a command box.


Q. How can I configure the preferred Master Browser?

A. On the NT server you want to be the preferred master browser change the registry setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster to True


Q. Is it possible to protect against Telnet attacks?

A. There was a recent well-known problem that a telnet client could connect to an NT machine on port 135, type 10 characters and it would hang NT. There is no simple way to protect NT from a certain port attack. It is possible to configure NT to only accept incoming packets from a set of configured ports, however you have to name the ports you want to accept input from:

  1. From Control Panel, Double click on Network
  2. Click the Protocols tab
  3. Select TCP/IP and click Properties
  4. Click Advanced (bottom right)
  5. Check the "Enable Security" and click configure
  6. For TCP select "Permit Only" and enable only the ports you want to work (e.g. Web Browser is 80, FTP 21)
  7. Exit
  8. Reboot NT

To protect against the port 135 attack, install the RPC hotfix for Service Pack 2.

Service Pack 3 and some its Hotfixes are also highly desirable, and address a number of Internet attack methods.


Q. What Telnet Servers/Daemons are available for Windows NT?

A. A Telnet Server on NT allows connection to an NT machine using a Telnet client from any hardware platform. Products are available from:


Q. How do I install MSN under NT?

A. The new MSN 2.0 only runs under Windows 95, however a version for NT 4.0 is being developed. In the mean time it is possible to use MSN to connect to the Internet, however you cannot read Mail

  1. Phone Microsoft and request for a manual Internet PPP access to be setup.
  2. Assuming RAS is already installed, select Add New phonebook entry
  3. Type in a name for the phone book entry, e.g. "MSN connection"
  4. Clear the "I know about phone book entries" and click Next
  5. Check "I am calling the Internet" and click Next
  6. Click Finish
  7. Select your new "MSN" and click Edit from More
  8. Click the Server tab, and select TCP/IP, Enable PPP LCP, and clear NetBEUI and IPX
  9. Click the TCP/IP settings box and check "Server assigned IP addresses" and "Use default gateway"
  10. Click OK and exit back to the main dial screen
  11. Select MSN and click Dial
  12. When prompted for username/password enter
    Username : MSN/<user name>
    Password : <MSN password>
    Domain : <blank>

Q. What FireWall products are available for NT?

A. Below are a selection of FireWall systems for NT:


Q. How do I install the Remoteboot Service?

A. Before installing the Remoteboot service you must have both the NetBEUI and DLC protocols installed. The remoteboot service will only run on NT server.

  1. Start Control Panel (Start - Settings - Control Panel)
  2. Double click the Network icon
  3. Click on the services tab and click Add
  4. Select "Remoteboot Service"
  5. Check the path where Remoteboot will be installed (by default %systemroot%\RPL)
  6. Click OK and complete the installation
  7. After installation has completed start Remoteboot Manager
  8. Click "Fix Security" from the Configuration menu, which will create the RPLUSER local group and assign the permissions to the RPL directory.

Q. How many connections can NT have?

A. NT workstation can have up to 10 concurrent connections, with one exception, Peer Web Services which allows unlimited concurrent connections.


Q. How can I secure a server that will be a Web Server on the Internet?

A. Below are points to be aware of


Q. How can I stop a user logging on more than once?

A. There is no way in NT to stop a user logging on more than once, however it is possible to restrict a workstation so that only a certain user can login, and with this method each user would be tied to one workstation and thus could only logon once.

  1. Logon to the Workstation as the Domain Administrator
  2. Start User Manager (Start - Administrative Tools - User Manager)
  3. Double click the Users group and select the Domain\Everyone and click remove
  4. Next click add and select the specific domain user and click Add
  5. Close User Manager
  6. Logoff and only that specific user will be able to logon (be careful that Administrators still include Domain\Administrators or you will not be able to logon)

This solution is far from ideal, and it may be plausible to write a login script that checked if a user was currently logged on and if so, logoff straight away (using the logout command line tool).


Q. How can I get information about my domain account?

A. From the command prompt type

net user <username> /domain

And all your user information will be displayed including last logon time, password change etc.


Q. A machine is shown as Inactive in Server manager when it is not.

A. Sometimes Server Manager fails to see a machine has become active, you can attempt to force it to see the machine by typing:
C:> net use \\<machine name>\IPC$

If this fails it may be the machine has been configured to be invisible to the network such as if hidden from Network Neighborhood as seen in 'Q. How do I hide a machine from Network Browsers?'.


Q. How do I automatically FTP using NT?

A. I use a basic script to update my main site and the mirrors using two batch files. The first consists of a few lines:

d:
cd \savilltechhomepage
ftp -i -s:d:\savmanagement\goftp.bat

The -i suppresses the prompt when performing a multiple put, and the -s defines an input file for the FTP like:

open ftp.savilltech.com - the name of the FTP server
johnny
- username
secret
- password
cd /www
- remotely move to a base directory
lcd download
- locally change directory
cd download
- remotely move to a sub directory of the current directory
binary
- set mode to binary
put faqcomp.zip - send a file
cd ..
- move down a directory remotely
lcd ..
- move down a directory locally
cd ntfaq
lcd ntfaq
mput *.html
- send multiple files (this is why we needed -i)
close - close the connection


Q. How can I change the time period used for displaying the password expiration message?

A. Follow Instructions below:

  1. Start the Registry editor (regedit.exe)
  2. Goto the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. From the Edit Menu, click New - DWord
  4. Type the name PasswordExpiryWarning and press enter
  5. Double click on the new value you have created and set to the number of days prior to the expiration you want the message to appear.

Q. How can I modify share permissions from the command line?

A. The Windows NT resource kit ships with a utility called RMTSHARE.EXE that is used to modify permissions on shares, the syntax to grant access to a share is as follows

rmtshare \\<server name>\<share> /grant <username>:<permission>, e.g.
rmtshare \\bugsbunny\movies /grant savillj:f

Valid permissions are f for full, r for read, c for change and n for none. To revoke access to a share type

rmtshare \\<server name>\<share> /grant <username>, e.g.
rmtshare \\bugsbunny\movies /grant savillj

This would remove savillj's access to the share. To view share permissions enter:

rmtshare \\<server name>\<share> /users, e.g.
rmtshare \\bugsbunny\movies /grant

RMTSHARE.EXE also allows the creation and deletion of shares. Type rmtshare /? for help.


Q. How can I change the protocol binding order?

A. Network bindings are links that enable communication between the network adapter(s), protocols and services. If you have multiple protocols installed on a machine you can configure NT to try a certain protocol first for communication:

  1. Log on to the machine as a member of the Administrators group
  2. Start the Network control panel applet (Start - settings - control panel - network, or right click Network Neighborhood and select properties)
  3. Click the bindings tab
  4. Select "all services" from the drop down list of bindings
  5. Select the service you wish to change the binding order for by clicking its plus sign (usually you should change the workstation service as this is used for connecting to resources etc.)
  6. A list of all the protocols installed will be shown, and can be ordered by selecting the protocol and clicking "move up" or "move down".
  7. Click OK when finished, and you will have to reboot for the changes to take effect.

Q. What criteria are used to decide which machine will be the Master Browser?

A. There are 5 roles a machine can have

When an election takes place, a number or criteria are used. Firstly the browser type

If two machines have the same role then the operating system is used

If there is still a tie, the Windows NT version is used

To set a machine as a certain type of browser perform the following

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
  3. Double click on MaintainServerList
  4. Set to
    No - for the computer to be a non-browser
    Yes - the computer will be a master or backup browser
    Auto - will be a master, backup or potential depending on the number of browser currently in action
  5. Click OK
  6. Close the registry editor and reboot

Q. How can I get a list of MAC to IP addresses on the network?

A. An easy way to get a list of MAC to IP addresses on the local subnet is to ping every host on the subnet and then check you ARP cache, however pinging every individual node would take ages and the entries only stay in the ARP cache for 2 minutes. An alternative is to ping the broadcast mask of your subnet which will ping every host on the local subnet (you can't ping the entire network as you only communicate directly with nodes on the same subnet, all other requests are via the gateway so you would just get a ARP entry for the gateway).

What is the broadcast mask? The broadcast mask is easy to calculate if the subnet mask is in the format 255.255.255.0 or 255.255.0.0 etc. (multiples of 8 bits). For example if the IP address was 134.189.23.42 and the subnet mask was 255.255.0.0 the broadcast mask would be 134.189.255.255, where 255 is in the subnet mask the number from the IP address is copied over, where 0 it is replaced with 255, basically the network id part is kept. If the subnet mask is not the basic 255.255 format, you should use the following, all you need is the IP address and the subnet mask

  1. For each bit set to 1 in the subnet mask, copy the corresponding but from the IP address to the broadcast mask
  2. For each bit set to 0 in the subnet mask, copy a 1 into the corresponding bit of the broadcast mask

for example, IP address 158.234.24.98 and subnet mask 255.255.248.0

Network

Host

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0
1 0 0 1 1 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 1 0 0 0 0 1 1 0 0 0 1 0
1 0 0 1 1 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1

Byte 1

Byte 2

Byte 3

Byte 4

The first row is the subnet mask 255.255.248.0, the second row the IP address 158.234.24.98 and the third row is the broadcast mask, 158.234.31.255.

To get the MAC to IP addresses, you would therefore perform the following

ping <broadcast mask>
arp -a

Voila, a list of IP addresses and their MAC address (you can add > filename to get the list to a file, e.g. arp -a > iptomac.lst). You could repeat this exercise on the various subnets of your organization.

Unfortunatly due to limitations in NT's implementation of PING the above will not work correctly so put the following into a file

REM arpping.bat
ping -n 1 -l 1 %1.%2
arp -a %1.%2

You can then call the batch file as follows:

C:\> for /l %i in (1,1,254) do arpping 160.82.220 %i

In this case it would generate a list of all MAC to IP addresses for 160.82.220.1 to 160.82.220.254. Again you could put this all in a file, redirect to a file and then search, e.g.

REM test.bat
for /l %%i in (1,1,254) do arpping.bat 160.82.220 %%i

Notice you have to use two %%. You could run as

C:\> test.bat > file.txt

Then search listing.txt for (example) dynamic

C:\> findstr dynamic file.txt
160.82.220.1 00-00-0c-60-8b-41 dynamic
160.82.220.9 00-60-97-4b-bf-4c dynamic
160.82.220.13 00-10-4b-49-94-e1 dynamic
160.82.220.17 00-80-5f-d8-a4-8b dynamic
160.82.220.22 00-a0-d1-02-a4-cf dynamic
160.82.220.25 00-60-08-75-0d-7a dynamic
160.82.220.26 00-10-4b-44-e4-73 dynamic
160.82.220.33 00-10-4b-44-d6-33 dynamic
160.82.220.34 00-10-4b-4e-67-6a dynamic
160.82.220.35 00-60-97-4b-c4-53 dynamic
160.82.220.39 00-10-4b-44-eb-ae dynamic
160.82.220.41 00-10-4b-49-7b-f7 dynamic
160.82.220.42 00-00-f8-21-7a-7f dynamic
160.82.220.43 08-00-20-88-82-57 dynamic
160.82.220.221 00-80-5f-88-d0-55 dynamic


Q. How can I control the list of connections shown when mapping a network drive?

A. When you map a network drive (Explorer - Tools - Map network drive), if you click the down arrow on the path, a list of previous connections will be shown. These are stored on the registry and can be edited

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections
  3. You will notice in the left pane is a number of string values called a,b,c etc. For the connections you do not want shown, click on the entry and then either press the Del key and say yes to the confirmation or select delete from the edit menu.
  4. Once you have deleted entries you need to update which ones explorer will show by double clicking on order and remove the letters of the entries you deleted
  5. Click OK
  6. Close the registry editor

Q. How do I grant users access to a network printer?

A. The same way as files have security information, so do printers, and you need to set which users can perform actions on each network printer

  1. Logon as an Administrator
  2. Double click "My Computer" and then select printers
  3. Right click on the printer whose permissions you wish to change and select properties
  4. Click the security tag and select permissions
  5. You can now add users/groups and grant them the appropriate privilege
  6. Click OK when finished

Q. How can I create a share on another machine over the network?

A. From a Windows NT Server machine a share can be created by opening Server Manager, highlight the target system, select Computer, Shared Directories, and click on New Share.

The Windows NT Resource kit comes with a utility called RMTSHARE.EXE and this can be used to create shares on other machines providing you have sufficient privilege. The basic syntax is as follows

rmtshare \\<computer name>\"<share name to be created>"="<path>" /remark="<share description>"
e.g. rmtshare \\savillmain\miscfiles=d:\files\misc /remark="General files"

You only need to use double quotes around the share to be created and the path if there are spaces in the share/file name, e.g. if the share was to be called misc files instead of miscfiles it would have to be in quotes, e.g.

rmtshare \\savillmain\"misc files"="d:\my files\misc" /remark="With space share"

There is also a wizard to share and administer your NT server c:\%systemroot%\system32\wizmgr.exe.

Remember share names cannot contain the " / \ [ ] : | < > + ; , ? * = characters.


Q. I get errors accessing a Windows NT FTP Server from a non Internet Explorer browser.

A. If you run the Microsoft FTP Server Service then you may find problems accessing an area other than the root from a non Internet Explorer browser. This is because most other FTP Servers use the UNIX type naming conventions and that is what browsers such as Netscape expect, however the Microsoft FTP service outputs using dos naming conventions. This can be resolved by forcing the FTP server service to use Unix conventions rather than dos

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ftpsvc\Parameters
  3. If the value MsdosDirOutput exists double click on it and set it to 0, click OK
  4. If it does not exist from the Edit menu select New - DWord value and enter the name MsdosDirOutput and click OK, then perform step 3

You will need to stop and start the FTP server service for this change to take effect (Start - Settings - Control Panel - Services - FTP Service - stop - start)


Q. How can I view which machines are acting as browse masters?

A. There are 2 utilities shipped with the NT resource kit (one GUI, on command line) which can be used to view current browse master status.

BROWMON.EXE - Select from the Diagnostics Resource Kit menu. The master browser will then be displayed for each domain. Double clicking on a machine will then list the other machines that are browsers and a subsequent double click on these machines will tell their status, e.g. backup browser.

BROWSTAT.EXE - Start a command session. There are a number of commands that can be used, however to get a general view enter the command
browstat status <domain name>
Browsing is active on domain.
Master browser name is: PDC
Master browser is running build 1381
2 backup servers retrieved from master PDC
\\PDC
\\WORKSTATION

As can be seen the master browser name is shown, as are backup servers.


Q. Is there any way to improve the performance of my modem internet connection?

A. By default, NT will use a Maximum Transmission Unit (MTU) (packet size) over the path to a remote host of 576. Problems can arise if the data is sent over routes etc that cannot handle data of this size and the packets get fragmented.

The parameter EnablePMTUDiscovery set to 1 forces NT to discover the maximum MTU of all connections that are not on the local subnet. To change this perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. From the Edit menu select New-DWord value
  4. Enter a name of EnablePMTUDiscovery and press enter
  5. Double click on this new value and set to 1 then click OK
  6. Close the registry editor and reboot the machine.

By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion.


Q. How can I remotely tell who is logged on at a machine?

A. The easiest way to do this is to use the NBTSTAT command. There are two ways to use this command depending on if you know the machines name or just its IP address. If you know the machines name enter the command

nbtstat -a <machine name>
e.g. nbtstat -a pdc

The output will be of the format:

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
PDC <00> UNIQUE Registered
PDC <20> UNIQUE Registered
SAVILLTECH <00> GROUP Registered
SAVILLTECH <1C> GROUP Registered
SAVILLTECH <1B> UNIQUE Registered
SAVILLTECH <1E> GROUP Registered
PDC <03> UNIQUE Registered
SAVILLJ <03> UNIQUE Registered
SAVILLTECH <1D> UNIQUE Registered
INet~Services <1C> GROUP Registered
..__MSBROWSE__.<01> GROUP Registered
IS~PDC.........<00> UNIQUE Registered

MAC Address=00-A0-24-B8-11-F3

The user name is the <03>.

If you only know the IP address use the command

nbtstat -A <IP address>
e.g. nbtstat -A 10.23.23.12

The output is the same and notice we just use a capital A instead of a lowercase a.

This will only work if the remote machine in question is running it's messenger service, otherwise the username is not returned.


Q. How do I remove a NT computer from a domain?

A. The first way would be to logon to the machine you wish to remove from the domain and start the Network Control Panel Applet (Start - Settings - Control Panel - Network or just right click on Network Neighborhood and select properties). Select the Identification tab and click Change. Just enter a different domain or workgroup, you will receive a notice welcoming you to the new domain/workgroup. The problem with this is the machine can still rejoin the domain as its account has not been removed from the domain.

To actually remove the computer account from the domain perform the following:

  1. Logon to the PDC as an Administrator
  2. Start Server Manager (Start - Programs - Administrative Tools - Server Manager)
  3. Select the machine you wish to remove and click Delete (or select "Remove from Domain" from the Computer menu)
  4. Click Yes to the confirmation

Alternatively you can remove a computer from the command line using the Resource Kit utility NETDOM

netdom /Domain:<domain> MEMBER <machine name> /delete
e.g. netdom /Domain:savilltech MEMBER kevinpc /delete

You can use this command from any machine workstation or server as long as you are logged on as an administrator. When you enter the command it will find the PDC and delete, the output is as follows:

Searching PDC for domain SAVILLTECH ...
Found PDC \\PDC
Member \\KEVINPC successfully deleted.


Q. How can I shutdown a number of machines without going to each machine?

A. I have a number of machines setup in my Lab and at the end of an entertaining evening of computing I don't want to have to goto each machine and shut them down so I wrote a small batch file that uses the shutdown.exe resource kit utility. Just enter the following into a file with a .bat extension:

rem Batch file to shutdown local machine and the PDC, BDC
shutdown \\pdc /t:2 /y /c
this shuts down a machine called PDC in 2 seconds, repeat with other machine names
shutdown \\bdc /t:2 /y /c this shuts down a machine called BDC in 2 seconds
shutdown /l /y /c /t:5 this line shuts down the local machine in 5 seconds

You can then just right click the file in explorer and drag onto the desktop, release and select "Create shortcut". Clicking this icon will then shutdown all the machines in the file. On a NT Server these shutdowns are not graceful and the users will not be asked to save work if they are not logged on or the machine is locked. If they are logged on then they have the option of saving files (unless a force switch is used).

If you have installed a SP4 or SP5 on Win NT, remote shutdown command will shutdown machine immediately without stopping services (dirty shutdown event ID 6008)


Q. How can I close all network sessions/connections?

A. The command below will close all network sessions

net session /delete


Q. How can I connect to a server using different user accounts?

A. It is possible to specify a user account to use when connecting to a share using the /user switch, e.g.

C:\> net use k: \\server\share /user:domain\user

If you then attempt to connect to the server again with a different username an error will be given. A workaround is to connect to the server using its IP address rather than its NetBIOS name, e.g.

C:\> net use l: \\<ip address>\share /user:domain\user


Q. How do I set the comment for my machine that is displayed in Network Neighborhood?

A. There are 3 ways to set this, from the command line, edit the registry or via the GUI.

The easiest way is via the Server control panel applet

  1. Start the server control panel applet (Start - Settings - Control Panel - Server)
  2. Enter the new description of the machine in the Description field
  3. Click OK

An alternative method is from the command prompt using the "net config" command.

C:\> net config server /srvcomment:"machine comment"

Note that even if you are performing this on a workstation machine you still use "net config server" as this is a configuration on the server service of the machine.

Both of the methods shown update a single registry value so this can also be edited directly.

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  3. Double click on srvcomment
  4. In the "Value data" box enter the new description and click OK
  5. Close the registry editor

This method only works once the Server Service has been restarted, however, both other methods work instantly. This is because the registry area is only read during startup of the service.

You can remotely change the comment of other machines by using the NT Server utility "Server Manager". Double click on a machine and you will then be presented with the same dialog box as with the Server control panel applet. This has the advantage of allowing the Administrator to set a common description format.


Q. How can I define multiple NetBIOS names for a machine?

A. This would be useful if, for instance, you wanted to migrate a number of shares to a different machine and rather than having to switch all clients to the new machine instantly you could define the new machine to also answer to the old machines NetBIOS name and then slowly migrate the machines. To define extra names for a machine perform the following:

  1. Start the registry editor (regedt32.exe)
  2. Move to HKEY_Local_Machine\System\CurrentControlSet\Services\LanmanServer\Parameters
  3. From the Edit menu select "Add Value"
  4. Set the type to REG_SZ is you want one extra name or REG_MULTI_SZ if you want more than one and enter a name of OptionalNames. Click OK
  5. You will then be prompted for a value. Enter the other name (or names if type REG_MULTI_SZ, one on each line) you want it to be known as and click OK.
  6. Close the registry editor
  7. Reboot the machine
  8. There may be a WINS resolution problem. The entries for the additional NetBIOS names will have been dynamically added to the WINS database complete with IP number. However, a "real" server machine in the WINS dbase normally has three WINS entries, 00h, 03h and 20h. Your aliases may only have one, 03h. Therefore you may need to add static entries for the additional NetBIOS names, which created all three entries. You should now be able to ping by NetBIOS name.

There is bug when using multiple NetBIOS names on print servers, see 'Q. The additional NetBIOS name of my server does not work for print services.'


Q. How can I manage my NT domain over the net?

A. Microsoft have released "Web Administrator 2.0 for Microsoft Windows NT Server" which allows you to use to manager the following via the web

The additional software required has to be installed on a server (though it does not have to be a domain controller) with

Internet Information Server 4.0 is available as part of Option Pack 4 which can be obtained from http://www.microsoft.com/windows/downloads/contents/updates/nt40ptpk/default.asp or as part of MSDN. Option Pack 4 has its own requirement that Internet Explorer 4.0 be installed.

Once all the software is installed you can download the Web Admin tools from http://www.microsoft.com/ntserver/nts/downloads/management/NTSWebAdmin/default.asp

To begin the installation just execute the required executable and the installation wizard will begin.

Once the installation is complete you will be able to administer your domain by connecting to http://<the server name>/ntadmin/default.asp. For example if I had installed the software on titanic in the savilltech.com I would connect to http://titanic.savilltech.com/ntadmin/default.asp.

You will need Internet Explorer 4.0 or above to use the site and once connected you can perform a number of options. Below is an example of viewing/changing users.

NT Web Admin


Q. How can I remotely manage services?

A. The Windows NT Resource kit has two utilities, SC.EXE and NETSVC.EXE, which allow remote services to be managed. The resource kit has help on both on these but we will only look at NETSVC.EXE.

To view the services on a remote machine use

C:\> netsvc /query \\<server name> /list

To see the current state of a service use

C:\> netsvc <service name> \\<server> /query

You can then modify the state of the service using the /start, /stop, /pause and /continue switches, e.g.

C:\> netsvc <service name> \\<server> /stop


Q. Net.exe reference.

A. Below is a summary of all the net.exe usage methods.

net accounts

Used to modify user accounts. Specified on its own will give information about the current logon.

Options:

/forcelogoff:<minutes or no> Minutes until the user gets logged off after logon hours expire. No means a forced logoff will not occur
/lockoutthreshold:<number of failed attempts> This parameter allows you to configure the number of failed logon attempts before the account is locked. The range is 1 to 999.
/lockoutduration:<minutes>  This parameter specifies the number of minutes accounts remain locked before automatically becoming unlocked. The range is 1 to 99999.
/lockoutwindow:<minutes>   This parameter lets you configure the maximum number of minutes between two consecutive failed logon attempts before an account is locked. The range is 1 to 99999.
/minpwlen:<length> Minimum number of characters for the password. Default is 6, valid range is between 0 and 14
/maxpwage:<days> Maximum number of days a password is valid. Default is 90, valid range is between 0 and 49710
/minpwage:<days> Number of days that must occur before the password can be changed. Default is 0, valid range is between 0 and maxpwage
/uniquepw:<number> Password may not be reused for number attempts
/sync Forces a domain sync
/domain Performs any of the above actions on the domain controller

net computer

Used to add and remove computer accounts from the domain.

Options:

\\<computer name> Name of the computer to be added or removed
/add Add the specified computer
/del Removes the specified computer

net config server

Allows modifications to the server service. Entered with no parameters give details of the current configuration

Options:

/autodisconnect:<minutes> Number of minutes an account may be inactive before disconnection. Default is 15, valid range between 1 and 65535. -1 means never disconnected.
/srvcomment:"text" Set the comment for the machine
/hidden:<yes or no> Specified is the computer is hidden in the listing of computers

net config workstation

Allows modifications to the workstation service. Entered with no parameters give details of the current configuration

Options:

/charcount:<bytes> Number of bytes to be collected before data is sent. The default is 16, valid range is between 0 and 65535.
/chartime:<msec> Number of milliseconds NT waits before sending data. If charcount is also set whichever is satisfied first is used. Default is 250, valid range is between 0 and 65535000.
/charwait:<seconds> Number of seconds NT waits for a communications device to become available. Default is 3600, valid is between 0 and 65535.

net continue <service name>

Restarts the specified paused service.

net file

Lists any files that are open/locked via a network share.

Options:

id Identification of the file (given by entering net file on its own)
/close Close the specified lock

See Q. How can I tell who has which files open on a machine? for more details.

net group

Adds/modifies global groups on servers. Without parameters will list global groups.

Syntax:

net group <group name> [/command:"<text>"] [/domain]
net group <group name> [/add [/comment:"<text>"] or /delete] [/domain]
net group <group name> <user name> /add or /delete [/domain]

Options:

groupname Name of the global group
/comment:"<text>" Comment if a new global group is created. Up to 48 characters
/domain Performs the function on the primary domain controller
username Username to which apply the operation
/add Adds the specified user to the group or the group to the domain
/delete Removes a group from a domain or a user from a group

net localgroup

Performs actions on local groups. Same parameters as net group.

net name

Adds/removes a name to which messaging may be directed to. Running the command on its own will list all messaging names eligible on the machine.

Options:

name The messaging name to be added/removed
/add Add the name
/delete Remove the name

net pause <service name>

Used to pause a service from the command line.

net print

Used to list/modify print jobs.

Options:

\\computername Indicates the computer that hosts the printer queue
sharename Name of the printer queue
job The job number to modify
/hold Pauses a job on the print queue
/release Removes the hold status of a job on the print queue
/delete Deletes a job off of the print queue

net send

Sends a message to a computer, user or messaging name.

Options:

name Name of the user, computer or messaging name. Can also use * to send to everyone in the group
/domain:<domain name> All users in the current domain or the specified domain
/users To all users connected to the server
message The message to send

net session

Lists or disconnects sessions. Used with no options lists the current sessions.

Options:

\\<computer name> The computer of whose session to close
/delete Closes the session to the computer specified. Omitting a computer name will close all sessions

net share

Used to manage shares from the command line.

Syntax:

net share <sharename>=<drive>:\<directory> [/users=<number> or /unlimited] [/remark:"text"]
net share <sharename> [/users=<number> or /unlimited] [/remark:"text"]
net share <sharename or device name or drive and path> /delete

Options:

<sharename> Name of the share
<device name> Used to specify the printer name if specifying a printer share
<drive>:<path> Absolute path
/users:<number> Number of simultaneous connections to the share
/unlimited Unlimited usage
/remark:"<text>" Comment for the share
/delete Delete the specifed share

net start <service name>

Start the specified service

net statistics [workstation or service]

Gives information about either the server or workstation service.

net stop <service name>

Stops the specified service

net time

Used to synchronize the time of a computer.

Options:

\\<computer name> The name of the computer to which synchronize the time
/domain:<domain> Synchronize the time with the specified domain
/set Sets the time

net use

Connects or disconnects to a network share. Used with no qualifiers lists the current network mappings.

Syntax:

net use <device name> or * \\<computer name>\<share name> [password or *] [/user:[domain\user] /delete or [persistent:[yes or no]]
net use <device name> /home /delete or /persistent:[yes or no]

Options:

<device name> Name of the device to map to. Use * to use the next available device name
\\computer name The name of the computer controlling the resource
\sharename Name of the share
\volume Name of the volume if on a NetWare server
password Password to which to map
* Gives a prompt to which to enter the password
/user:<domain>\<user> Specifies the user to connect as
/home Connects to a users home directory
/delete Closes a connection
/persistent:[yes or no> Sets if the connection should be reconnected at next logon

net user

Used to add/create/modify user accounts

Syntax:

net user <username> [password or *] [/add] [options] [/domain]
net user <username] /delete /domain

username The name of the account
password Assigns or changes a password
* Gives a prompt for the password
/domain perform on a domain
/add Creates the account
/delete Removes the account
/active:[yes or no] Activates or deactivates the account
/comment:"<text>" Adds a descriptive comment
/counterycode.nnn nnn is the number operating system code. Use 0 for the operating systems default
/expires:<date or never> The expiry date of the account. Date format is mm,dd,yy or dd,mm,yy which is determined by the country code
/fullname:"<name>" The full name of the account
/homedir:<path> Path for the users home directory
/passwordchg:[yes or no] Used to specify if the user can modify the password
/passwordreq:[yes or no] Used to determine if the account needs a password
/profilepath:<path> Used to specify the profile path
/scriptpath:<path> Path of the logon script
/times:<times or all> Hours user may logon
/usercomment:"<text>" A comment for the account
/workstations:<machine names> Names the user may logon to. * means all.

net view

Lists shared resources on a domain. Used with no parameters lists all machine accounts in a domain.

Options:

\\computer name Specifies the computer whose resource should be viewed
/domain:<domain name> The domain to be used
/network:<NetWare network> A NetWare network to be used

Q. How can I make net.exe use the next available drive letter?

A. The normal syntax to map a network drive is

C:\> net use <drive letter>: \\<server>\<share>

however this can be modified to

C:\> net use * \\<server>\<share>

which will make the net use command utilize the next available drive letter.


Q. How can I check if servers can communicate via RPC's?

A. Exchange ships with RPINGS.EXE and RPINGC32.EXE which can be used to test RPC communication between two servers. These programs are located in the SERVER\SUPPORT\RPCPING directory of the Exchange CD. Test as follows:

  1. On one server start Command (CMD.EXE) and enter
    C:\> RPINGS
  2. On the other server run the RPINGC32.EXE utility
  3. You should then enter the name of the Exchange server to test communication with, e.g. NT4PDC
  4. Click Start

The connection will then be checked. Once complete close the RPINGC32.EXE utility by clicking Exit and on the target machine enter the sequence '@q'.

Below is an example of a successful test.

RPC Ping


Q. How can I reduce the delay when using multiple redirectors?

A. The MUP (Multiple UNC Provider) first establishes whether Distributed File System (Dfs) is in use and passes the request to DFS.

The delays come from two locations:

  1. The attempt to access the resource through DFS
  2. The MUP must wait and accept all responses from all redirectors before completing the request. Therefore, even if a resource is readily available and accessible over one redirector, the request must still be made over the other installed redirectors before the request completes.

Depending on the number of redirectors, protocols, and timer configurations for connectivity, these delays can exceed 13 seconds for each initial connection.

Service Pack 4 for Windows NT 4.0 has introduced an updated MUP.SYS giving better performance and a new registry entry which may speed up the initial connect to non-Windows UNC resources, DisableDFS. Perform the following change on each client:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
  3. From the Edit menu select New - DWORD value
  4. Enter a name of 'DisableDFS' (don't enter the quotes) and press enter
  5. Double click the new value and set to 1. Click OK
  6. Close the registry editor
  7. Reboot the machine

Setting the DisableDFS value to 0 or deleting will set the machine back to its old behaviour.

If you have the Novell IntranetWare client also installed you must also perform the following before rebooting:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetwareWorkstation\NetworkProvider
  3. Double click DeviceName and change from '\Device\NetwareWorkstation' to '\Device\NetwareRedirector'. Click OK
  4. Close the registry editor

Knowledge base article Q171386 at http://support.microsoft.com/support/kb/articles/q171/3/86.asp has more information on this.


Q. How can a DOS machine connect to an NT domain?

A. Microsoft provide software to enable a DOS machine to participate on a network using a variety of protocols and to connect to a Windows NT domain.

NT Server ships with the "Network Client Administrator" which allows the creation of an installation disk set or a disk to allow Network based installation of a variety of clients, including a network client for DOS.

'Q. How do I install NT over the network?' has an example of creating a network installation disk, instead we will concentrate on creating an installation disk set.

  1. Start Network Client Administrator (Start - Programs - Administrative Tools - Network Client Administrator)
  2. Select "Make Installation Disk Set" and click Continue
  3. You will need to specify the location of the "clients" directory that is on the Windows NT Server CD-ROM (easiest to copy clients from the CD-ROM, enter the location in the path box and select Share Files". Click OK
  4. Select the client to install "Network Client v3.0 for MS-DOS and Windows". Select the destination and click OK.
  5. Insert the first disk and click OK to the dialog.
  6. Files will be copied to the disk

To install on a DOS machine you perform the following:

  1. Insert DISK 1
  2. Change to the disk drive, a:
  3. Run setup.exe
  4. Press ENTER to start the installation
  5. Select the installation target directory, by default C:\NET. Press Enter
  6. Select the network adapter from the displayed list or use a custom adapter by selecting "Network adapter now shown on list below". Press Enter. If you are using a custom disk the program looks for protocol.ini, on my test machine I specified the NDIS\WFW directory on the install disk as the DOS directory did not have all the necessary files.
  7. You now have the option of changing the setup, by default only IPX will be installed, select "Change Network Configuration" and you can remove protocols and add the Microsoft TCP/IP protocol. You can then change the TCP/IP settings to configure IP address/subnet mask etc. Make sure if you are not using TCP/IP to set "Disable Automatic Configuration" to 1.
  8. Restart the machine

When the machine reboots it will load all the network and protocol drivers and then attempt to logon to the network by issuing the

net start

command. You will then be asked for a username and password:

Type your user name, or press ENTER if it is ADMINISTRATOR:
Type your password:

You will be asked if you want to create a password file. If you select yes then you will no longer be asked for a password at start-up time, like an auto-logon but be aware it means anyone accessing your computer can logon as you.


Q. Where are Windows 2000 network connections stored in the registry?

A. The Windows 2000 connections consist of entries of not only remote connections such as to your ISP, but also your Local Area Connection and these are contained under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\GUID\Connection registry key which GUID is the Globally Unique IDentifier of the connection.

Its just interesting to know as if you have a stray connection which gets corrupted maybe as you remove the network card you can manually remove by editing the registry.


Q. How do I install the loopback adapter in Windows 2000?

A. The loopback adapter is useful for those machines with no network card but would like to experiment with installing network protocols and other network related items. Obviously since there is no physical network connection you cannot talk to other machines.

  1. Start the Add/Remove Hardware control panel applet (Start - Settings - Control Panel - Add/Remove Hardware).
  2. Click 'Add/Troubleshoot a device', and then click Next.
  3. Click 'Add a new device', and then click Next.
  4. Click 'No, I want to select the hardware from a list', and then click Next.
  5. Click 'Network adapters', and then click Next.
  6. In the Manufacturers box, click 'Microsoft'.
  7. In the Network Adapter box, click 'Microsoft Loopback Adapter', and then click Next.
  8. Click Finish.

You should then configure the device with an IP address etc. If you select DHCP it will use an address 169.254.x.x/16 (subnet mask 255.255.0.0) as no DHCP server can be contacted due to the lack of network connectivity.


Q. How can I turn off/on connection ghosting?

A. Windows uses Ghosted connections for when a user doesn’t need or want an actual connection until there is a need for the connection to be utilized. Once the user uses the connection, Windows NT/2000 will make the necessary connection. In some instances, this technique can cause problems; for example, there will be a delay the first time that an inactive, ghosted connection is used.

To turn off the ghosting and eliminate the initial delay when connecting perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider
  3. From the edit menu select New - DWORD value
  4. Enter a name of RestoreConnection and press Enter
  5. Double click the new value, set to:
    0 - Windows NT/2000 will ghost the connections
    1 - Windows NT/2000 will not ghost the connections. Windows will restore connections when the user logs in
  6. Click OK
  7. Close the registry editor
  8. Restart the computer

Q. What is the Active Directory?

A. The Active Directory is Microsoft's implementation of a 'Directory Service' and a directory service is basically something that stores data in an organized format and has the mechanisms needed to publish and access the data.

Active Directory is not a Microsoft innovation, but rather an implementation of an existing model (X.500), an existing communication mechanism (LDAP) and an existing location technology (DNS), and each of these are covered in the FAQ.

Before the details of Active Directory are considered, it is important to have an overview of what it is trying to achieve. A directory in its most basic sense is just a container for other information, such as a telephone directory has various entries, and each entry has values. An example would be a name, address and telephone number that would make up a single entry in the directory.

Name: John Savill
Address: 2 SavTech Way, (yeah right :-))
London
Tel: 353 3523
E-mail: john@serverfaq.com

In a large directory these entries may be grouped by location or by their type, e.g. lawyers, pest control, etc, or both which would lead to a hierarchy of each type of person in each location. The actual telephone directory would be a directory service as it contains not only the data but also a means to access and use it. The telephone operator would also constitute a directory service as it has access to the data and presents it to you where you can request data and an answer to your query is given.

Active Directory is a type of Directory Service, it holds information about all resources on the network and clients can query the Active Directory for information about any aspect of the network. Active Directory has a number of powerful features:

The last point regarding partitioning the information in the Directory into different stores does not mean that the Active Directory cannot be queried for information from other domains. Global catalogs are used which contain information about every object in the enterprise forest allowing forest wide searches.


Q. A number of Active Directory descriptions.

A. Below are some definitions for the active directory:

ONE SENTENCE SUMMARY OF DNS AND ACTIVE DIRECTORY:

A dns server is used by a client to provide the address of the client's nearest domain controller, which has a copy of Active Directory, which the client then uses to locate whatever object it's looking for.

ONE PARAGRAPH SUMMARY OF DNS AND ACTIVE DIRECTORY:

First a client contacts a dns (domain name system) server which looks up the client's domain, and provides him with the address of the closest dc in that domain. The client proceeds to contact the dc which can then authenticate him. Once authenticated, the client can search Active Directory (a database on the dc) to find objects the client is looking for, like an address for mail, a file, printer, or list of users in a group, etc. If the client cannot contact a dns server, it won't be able to find its domain controller, since only the dns server has the address of it.

ONE PAGE SUMMARY OF DNS AND ACTIVE DIRECTORY:

When dcpromo is performed on a W2K machine named, say, "fido" for the first time creating a new domain, say, "narnia", dcpromo creates two different kinds of "domains". First it creates a domain on the dns server, in our example: "narnia.extest.microsoft.com". This will be found on the extest dns servers, which are in exlab's minilab in bldg 43. Exlab maintains these as community dns servers to save testers the trouble of installing a dns server every time they want to install W2K. Simplified a little, the dns domain on the extest master dns servers looks like this:

extest.microsoft.com
    narnia.extest.microsoft.com
        bigthud dc 172.30.224.34
        blackie dc 172.20.32.13
        etc. (this is very approximate, but functionally identical)

Clients contact the dns server and it looks up the client's domain. Looking for "narnia" the dns server also discovers "bigthud" and "blackie", both dc's of "narnia". Let's say "bigthud" is the closest dc to the client. The dns server would send the client the address of the dc "bigthud", namely, 172.30.224.34. The client connects and accesses the Active Directory domain database stored on "bigthud" to find objects (like printers, file servers, users, groups, organizational units, etc) in the "narnia" domain. "bigthud" also stores links to other domains in the tree "com". Thus, the client can search a whole tree of domains.

If the search needs to go beyond the client's tree of domains, then a version of Active Directory listing the objects in the whole forest is also available. It is called the Global Catalog. The GC can be kept on any dcs in the forest you may choose, or all, but it does not have to be kept on all.

GC is a shorthand way to access an object ANYWHERE in the forest, but it only provides a few of its attributes, you have to go to the domain AD (always on a dc in that domain) to get the whole object. The GC can be configured to provide whatever object attributes you choose, too, not just a rigid default set of them.

To help in creating objects in AD, the dc also keeps a copy of the classes and hierarchy of classes for the whole forest, too. For example, if we had a class of "baseball players", and a derived class "pitchers" (which is just a player with a few records added of strikeouts and no-hitters, etc) then the class structure would be kept in AD in the part called the "Schema". If we then created an actual group of players we would use our Schema classes to make the players as objects (instances of the classes) in Active Directory. We can also add more classes, eg: "football players" and "quarterbacks" to the Schema, and we call that freedom an "extensible Schema".

The schema is a part of the W2K "configuration namespace" kept on all dcs in a forest. A namespace is a range of labels you put on things, eg: a supermarket "aisle" namespace: aisle=cookies, shelf=top, item=oreo. The configuration namespace in W2K consists of a number of defined items such as physical locations, W2k "sites" (a site is a child of a forest, and can contain machines from any domain, only condition being that all machines in a site have fast reliable net connections for dc replication), and "subnets" which are IP address groupings assigned to sites which help further speed up AD replication amongst dc's, eg: "your dc rocks if it's in the IP subnet and W2K site where its friends are".

Active Directory employs LDAP (Lightweight Directory Access Protocol, a standard Internet protocol that many applications use) to access its records. Why? Because its records are STORED on the dc in "LDAP distinguished name format". But what is LDAP distinguished name format? In the following LDAP distinguished name format example "fred" is a user in the "programming" organizational unit in "narnia" domain in "extest" domain in "microsoft" domain in "com" domain:

cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com

where cn stands for common name, ou stands for organizational unit, and dc in this case stands for "domain component", NOT domain controller. This is how "fred" appears in Active Directory, and a client such as an administrator can access attributes about fred using that syntax, assuming the client has security permissions to do so.

The client's actions are straightforward, as long as the client talks LDAP to Active Directory. However, an action may be done from a client running an application that uses a different name format. To support this, there are two other name formats that can be used (with a little translating) to access Active Directory:

1. "LDAP URL":
Example:
LDAP://server1.narnia.extest.microsoft.com/cn=fred,ou=programming,dc=narni a,dc=extest,dc=microsoft,dc=com.

2. "Active Directory Canonical name":
Example:
narnia.extest.microsoft.com/programming/fred. This last one, "Active Directory Canonical name" is what you'll see in user interfaces in W2K.


Q. What is X.500 and LDAP?

A. X.500 is the most common protocol that is used for Directory Management and there are currently 2 main standards, the 1988 and 1993 standards with the 1993 standard providing a number of advances over the older standard. The Windows NT 5.0 implementation of its Directory Services is derived from the 1993 X.500 standard as described below.

The X.500 model uses a hierarchical approach to the objects in the name space with a root at the top of the namespace with children coming off of it. Domains in Windows 2000 are DNS names, for example savilltech.com is a domain name, legal.savilltech.com is a child domain of savilltech.com. Child domains are covered elsewhere.

X.500 structure

The example shows a root of the directory service and then a number of children. In this case the first layer or children represent countries, however there are no rules and you may break these down however you want. Imagine each country as a child domain of the root, for example usa.root.com and england.root.com. Each child domain can then be broken into a number of organizations. These organizations can be broken down further into organizational units and various privileges/policies can be applied to each Organization unit. Each Organizational Unit has a number of objects such as users, computers, groups etc.

While the directory service is based on X.500, the access mechanism actually uses LDAP (Lightweight Directory Access Protocol) which solves a number of problems with X.500.

X.500 is part of the OSI model however this does not translate well into a TCP/IP protocol environment so LDAP uses TCP/IP for its communication medium. LDAP cuts down on the functions available with a full X.500 implementation making a leaner faster directory service while keeping the overall structure of X.500.

LDAP is actually the mechanism used to communicate with the Active Directory and performs basic read, write, and modify operations.

More on X.500 can be found at http://www.salford.ac.uk/its024/X500.htm


Q. What is the Global Catalog?

A. The Global Catalog contains an entry for every object in the enterprise forest (the term forest is explained later) but contains only a few properties of each object. The entire forest shares a global catalog with multiple servers holding copies. Searches in the whole enterprise forest can only be done on the properties in the Catalog where as searches in the users own domain tree can be for any property. Only Directory Services (or Domain Controllers) can be configured to hold a copy of the Global Catalog.

Do not configure too many global catalogs in each domain, as you will waste network bandwidth with the replication. One global catalog server per domain in each physical location is sufficient, however NT will set servers as Global Catalogs as it thinks are necessary so there should be no need for you to modify this unless you notice slow query response times.

Since full searches involve querying the whole domain tree rather that the global catalog, grouping the enterprise into a single tree will improve your searches as it will allow you to query on items not in the global catalog, thus a larger search criteria.


Q. How do I configure a server as a Global Catalog?

A. To configure a Windows 2000 domain controller as a global catalog server perform the following:

  1. Start the Active Directory Sites and Services Manager (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
  2. Select the sites branch.
  3. Select the site that owns the server, expand the servers branch and the server in question
  4. Right click on "NTDS Settings" and choose Properties
  5. Check or uncheck the "Global Catalog Box". Click Apply then OK

Global Catalog


Q. What is the Schema?

A. The Schema is a blueprint of all objects in the domain and when first created a default Schema exists which contains definitions for users, computers, domains etc. Because of this, you can only have one schema per domain as you cannot have multiple definitions of the same object.

The default schema definition is defined in the SCHEMA.INI file that also contains the initial structure for the NTDS.DIT (storage for the Directory data). This file is located in the %systemroot%\ntds directory. This file is a plain ASCII format file and can be typed out.


Q. What is a domain tree?

A. In Windows 2000 one domain can be a child of another domain, e.g. child.domain.com is a child of domain.com (a child domain always has the complete domain name of the parent in it), and a child domain and its parent share a two way transitive trust.

When you have a domain as a child of another, a domain tree is formed. A domain tree has to have a contiguous name space.

Tree
Notice in the second diagram the lack of contiguous names means they are not part of the tree

The name of the tree is the root domain name, so in the example the tree would be referred to as root.com. Since the domains are DNS names and inherit the parent part of the name, if a part of the tree is renamed, then all of its children will implicitly also be renamed, for example if parent ntfaq.com of sales.ntfaq.com was renamed to backoffice.com the child would be renamed to sales.backoffice.com. This is not actually currently possible though.

Domain trees can currently only be created during the server to Domain Controller promotion process with DCPROMO.EXE, this may change in the future.

There are a number of advantages in placing domains in a tree. The first and most useful is that all members of a tree have kerberos transitive trusts with its parent and all its children. These transitive trusts also mean that any user or group in a domain tree can be granted access to any object in the entire tree. This also means that a single network logon can be used at any workstation in the domain tree.


Q. What is a domain forest?

A. You may have a number of separate domain trees in your organization that you would like to share resources and this can be accomplished by joining trees to form a forest.

A forest is a collection of trees that do not have to form a contiguous name space (however each tree still has to be contiguous). This may be useful if your company has multiple root dns addresses.

Forest

As can be seen from the example, the two root domains are joined via a transitive, two-way Kerberos trusts as in the trust created between a child and its parent. Forests always contain the entire domain tree of each domain and it is not possible to create a forest containing only parts of a domain tree.

Forests are created during the server to Domain Controller promotion process with DCPROMO and can currently not be created at any other time, this will change in the next version.

You are not limited to only 2 domain trees in a forest, you can add as many trees as you want and all domains within the forest will be able to grant access to objects for any user within the forest. Again this cuts back on having to manually manage the trust relationships. The effect of creating a forest is the following:

You may of course choose not to join trees to become a forest and may instead create normal trusts between individual elements of the tree's.


Q. What is a Kerberos trust?

A. Windows NT 4.0 trust relationships are not transitive so if domain2 trusts domain1, and domain3 trusts domain2, domain3 does not trust domain1.

Transitive Trusts

This is not the case with the trust relationships used to connect members of a tree/forest in Windows 2000, trust relationships used in a tree are two-way, transitive Kerberos trusts which means any domain in a tree implicitly trusts every other domain in the tree/forest. This removes the need for time-consuming administration of the trusts as they are created automatically when a domain joins a tree.

Kerberos is the primary security protocol for Windows NT. Kerberos verifies both the identity of the user and the integrity of the session data. The Kerberos services are installed on each domain controller, and a Kerberos client is installed on each Windows NT workstation and server. A user's initial Kerberos authentication provides the user a single logon to enterprise resources. Kerberos is not a Microsoft protocol and is based on version 5.0 of Kerberos. For more information see IETF RFCs (Requests For Comments) 1510 and 1964. These documents are available on the web from http://www.isi.edu/rfc-editor/rfc.html.


Q. How do I create a new Active Directory Site?

A. Active Directory has the concept of sites which can be used to group servers into containers which mirror the physical topology of your network, and allow you to configure replication between domain controllers (among other things). A number of TCP/IP subnets can also be mapped to sites which the allow new servers to automatically join the correct site depending on their IP address and for clients to easily find a domain controller closest to them.

When you create the first domain controller a default site, Default-First-Site-Name is created to which the domain controller is assigned. Subsequent domain controllers are also added to this site however they can then be moved. This site can be renamed if you wish.

Sites are administered and created using the "Active Directory Sites and Services Manager" MMC snap-in. To create a new site perform the following:

  1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
  2. Right click on the Site branch and select New - Site from the displayed context menu
  3. Enter a name for the site, e.g. NewYork. The name must be 63 characters or less and cannot contain . or space characters. You must also select a site link (by default there will only be one, DEFAULTIPSITELINK or type IP).
  4. Click OK

Now the site is created you can assign various IP subnets to it as follows:

  1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
  2. Expand the Sites branch
  3. Right click on Subnets and select New - Subnet
    New subnet
  4. You used to have to enter the name of subnet of the form <network>/<bits masked>, e.g. 200.200.201.0/24 would be network 200.200.201.0 with subnet mask 255.255.255.0. This proved to complicated so you now just enter the address and mask. Select the Site to associate the subnet with, e.g. Australia.
  5. Click OK

You now have a subnet linked to a site. You can assign multiple subnets to a site if you wish.

If you are confused about the bits masked in the subnet name it can be between 22 and 32 and is just the number of bits set in the subnet mask. The subnet mask is made up of 4 sets of 8 bits. To convert the subnet mask to bits you can use the illustration below.

Subnet mask

Therefore the subnet mask 255.255.255.0 would be 11111111.11111111.11111111.00000000 in binary which therefore uses 8+8+8 bits (24) to define the subnet mask. A subnet mask of 255.255.252.0 would be 11111111.11111111.11111100.00000000 which is 8+8+6 or 22.


Q. How do I move a server to a different site?

A. If your sites and subnets are configured then new servers will automatically get added to the site that owns the subnet however you can also manually move a server to a different site:

  1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
  2. Expand the Sites container.
  3. Expand the site that currently contains the server, expand the Servers container
  4. Right click on the server and select Move from the context menu
    Move server
  5. You will be shown a list of all sites. Select the new target site and click OK

The move will take immediate effect.


Q. How can a server belong to more than one site?

A. By default a server will belong to one site however you may want to configure a server to belong to multiple sites.

Bear in mind sites are used for replication, for clients to find resources and to cut down on traffic on inter-site connections so just modifying the site membership may cause performance problems.

To configure a server to have multiple site membership perform the following:

  1. Logon to the server who should join multiple sites
  2. Start the registry editor (regedt32.exe not regedit.exe)
  3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ServicesNetlogon\Parameters
  4. Select "Add Value" from the Edit menu
  5. Enter a name of SiteCoverage and of type REG_MULTI_SZ. Click OK
  6. Enter the names of the sites to join, each on a new line, e.g.
    Australia
    London
    Press Shift-Enter to move to the next line. Click OK
  7. Close the registry editor

The above does not create the objects in the Active Directory to evaluate the sites and these need to be added manually.


Q. How can I backup the Active Directory/System State?

A. The Active Directory is backed up using the NTBACKUP.EXE utility. The Active Directory is part of the machines System State which is defined as follows:

For all Windows 2000 machines the System State includes the registry, class registration database and the system boot files. For a Windows 2000 Server that is a certificate server it also contains the Certificate Services database. Finally for a Windows 2000 machine that is a domain controller it includes the Active Directory and the SYSVOL directory also.

To backup the System State using the Backup Wizard perform the following:

  1. Start NTBACKUP.EXE
  2. NTBACKUP.EXE will start in the Welcome screen. Click the 'Backup Wizard' button
  3. Click Next to the introduction dialog
  4. In the dialog that asks what to backup select 'Only back up the Distributed Service Set' and click Next
  5. You should then continue as per normal by selecting the backup media etc.

If you don't want to use the wizard it can be manually backed up as follows:

  1. Start NTBACKUP.EXE
  2. Select the Backup tab
  3. Check the 'System State' box (and any other drives)
    Active Directory Backup
  4. Select the backup destination
  5. Click 'Start Backup'
  6. Confirm the backup description and click 'Start Backup'
  7. The backup will then begin

To backup only the System State from the command line use the command

C:\> ntbackup backup systemstate /f d:\active.bkf

Of course this is the most basic backup to file and you can use more complex options.


Q. How can I restore the Active Directory?

A. The Active Directory cannot be restored to a domain controller while the Directory Service is running so to restore perform the following:

  1. Reboot the computer
  2. At the boot menu select "Windows 2000 Server" but do NOT press Enter. Press F8 for advanced options
    OS Loader V5.0

    Windows NT Advanced Options Menu
    Please select an option:

      Safe Mode
      Safe Mode with Networking
      Safe Mode with Command Prompt

      Enable Boot Logging
      Enable VGA Mode
      Last Known Good Configuration
      Directory Services Restore Mode (Windows NT domain controllers only)
      Debugging Mode

    Use | and | to move the highlight to your choice.
    Press Enter to choose.
  3. Scroll down and select "Directory Services Restore Mode (Windows NT domain controllers only)"
  4. Press Enter
  5. You will be taken back to the boot menu and now press Enter to Windows 2000 Server (notice at the bottom of the screen in red the text 'Directory Services Restore Mode (Windows NT domain controllers only)' will be shown)

The computer will boot into a special safe mode and will not start the Directory Service. Be warned that during this time the machine will not act as a domain controller and will perform not perform authentication etc.

  1. Start NTBACKUP.EXE
  2. Select the Restore tab
  3. Select the backup media and select "System State"
  4. Click 'Start Restore'
  5. Click OK to the confirmation

Once you have restored the backup reboot the computer and start in normal mode to start using the restored information. You may find a hang after the restore has completed and I found a 30 minute wait on some machines.


Q. What are the FSMO roles in Windows 2000?

A. In Windows 2000 all domain controllers are equal and through a process known as multi-master replication changes are replicated to all domain controllers in the domain. However in keeping with George Orwell's Animal Farm some Domain Controllers are more equal than others.

Multi-master replication resolves conflicts however in some situations it is better to stop the conflict before it happens and to this end there are five difference Flexible Single Master of Operations (FSMO) roles (formally known as Floating Single Master of Operations as the roles were originally going to be dynamically changeable) each managing an aspect of the domain/forest. These roles can be moved between domain controllers but not dynamically, they must be manually moved in the same manner as a BDC has to be manually promoted to a PDC.

There are two types of roles, some are per domain, some are per forest. Only a domain controller in the domain can hold a domain specific FSMO role, any domain controller in the forest can hold a forest FSMO role. Domain controllers cannot hold FSMO roles in other domains/forests.

These roles are assigned in different GUI ways or using the NTDSUTIL utility.

The five roles are defined below:

Role name Description Per domain/forest
Schema master At the heart of the Active Directory is the schema which is like the blueprint of all objects/containers. Since the schema has to be the same throughout the entire forest only one machine can authorize modifications to the schema. One per forest
Domain naming master To add a domain to the forest its name has to be verifiably unique and so the Domain naming master FSMO's of the forest is contacted to authorize the domain name operation. One per forest
RID master Any domain controller can create new objects (such as a user, group, computer account) however after creating 512 user objects the domain controller must contact the domains RID master for another 512 RID's (it actually contacts when it has less than 100 RID's left, this means the RID master can be unavailable for short periods of time without causing object creation problems). This is to ensure each object has a unique RID.
When a DC creates a security principal object it attaches a unique SID to the object. The SID is created using the domain SID and a relative ID (the RID).
The RID master has to be available when attempting to move objects between domains with the resource kit movetree utility.
One per domain
PDC emulator For backwards compatibility reasons one domain controller in each 2000 domain must emulate a PDC for the benefit of 4.0 and 3.5 domain controllers and clients. One per domain
Infrastructure master When a user and group are in different domains there can be a lag between changes to the user (e.g. name) and its display in the group. The infrastructure master of the groups domain is responsible for fixing up the group-to-user reference to reflect the rename. The infrastructure master performs is fixups locally and relies upon replication to bring all other replicas of the domain up to date. One per domain

Q. How can I change the RID master FSMO?

A. The RID master is defined here.

To modify the role perform the following:

  1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
  3. Select the domain controller you wish to make the FSMO role owner and click OK.
    Change Domain Controller
  4. Right click on the domain again and select 'Operations Masters' from the context menu
  5. Select the 'RID Pool' tab
  6. The current machine holding the RID master FSMO role will be shown. To change click 'Change..'
    RID master
  7. Click OK to the confirmation dialog.
  8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands it bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer rid master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit


Q. How can I change the PDC emulator FSMO?

A. The PDC emulator is defined here.

To modify the role perform the following:

  1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
  3. Select the domain controller you wish to make the FSMO role owner and click OK.
    Change Domain Controller
  4. Right click on the domain again and select 'Operations Masters' from the context menu
  5. Select the 'PDC' tab
  6. The current machine holding the PDC emulator FSMO role will be shown. To change click 'Change..'
    PDC Emulator
  7. Click OK to the confirmation dialog.
  8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands it bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer pdc

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit


Q. How can I change the Infrastructure master FSMO?

A. The Infrastructure master is defined here.

To modify the role perform the following:

  1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
  3. Select the domain controller you wish to make the FSMO role owner and click OK.
    Change Domain Controller
  4. Right click on the domain again and select 'Operations Masters' from the context menu
  5. Select the 'Infrastructure' tab
  6. The current machine holding the Infrastructure FSMO role will be shown. To change click 'Change..'
    Infrastructure FSMO
  7. Click OK to the confirmation dialog.
  8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands it bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer infrastructure master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit


Q. How can I change the Domain naming master FSMO?

A. The Domain naming master is defined here.

To modify the role perform the following however make sure the machine is a global catalog:

  1. Start the Active Directory Domains and Trusts MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Domains and Trusts)
  2. In the left hand pane right click on 'Active Directory Domains and Trusts' and select 'Connect to Domain Controller' from the context menu
  3. Enter the domain controller to connect to.
    Change DC
  4. Right click on 'Active Directory Domains and Trusts' and select 'Operations Master' from the context menu
  5. The current machine holding the Domain name operations FSMO role will be shown. To change click 'Change..'
    Operations master
  6. Click OK to the confirmation dialog.
  7. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands it bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer domain naming master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit


Q. How can I change the Schema master FSMO?

A. The Schema master is defined here.

To modify the role perform you must use the 'Active Directory Schema Manager' and you must first register the .dll for the MMC snap-in

C:\> regsvr32 schmmgmt.dll

You can now start the Schema Manager via the Resource Kit Tools console or by creating a custom MMC and add the Active Directory Schema snap-in to it (Start - Run - MMC - Console menu - Add/Remove Snap-in - Add - Active Directory Schema - Add - Close - OK)

  1. Start the Active Directory Schema MMC snap-in on the Domain Controller (using on of the methods above)
  2. In the left hand pane right click on 'Active Directory Schema' and select 'Change Domain Controller' from the context menu
  3. Enter the domain controller to connect to.
    Change DC
  4. Right click on 'Active Directory Domains Schema' and select 'Operations Master' from the context menu
  5. The current machine holding the Domain name operations FSMO role will be shown. To change click 'Change..'
    Schema Master Change
    You can also set the registry to allow changes to the Schema by checking the Schema modification box. Also notice this machine is already the schema master.
  6. Click OK to the confirmation dialog.
  7. A dialog confirming the role change will be displayed.

To modify the role from the command line enter the commands in bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer schema master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit


Q. What is Multi-master replication?

A. In a Windows 2000 domain, all domain controllers are equal which means changes can be made on ANY domain controller and each servers complete domain directory has to be kept up-to-date with each other through a process of multi-master replication.

Each time a change is made to the Active Directory the servers Update Sequence Number, or USN, where the change is implemented is incremented by one and this USN is also stored along with the change to the property of the object modified. These changes have to be replicated to all domain controllers in the domain and the Update Sequence Number provides the key to the multi-master replication.

Update Sequence Number increments are atomic in operation which means that the increment to the USN and the actual change occurs simultaneously, if one part fails the whole change fails which means its not possible for a change to be made without the USN to be incremented, which means changes will never be "lost". Each domain controller keeps track of the highest USN's of the other domain controllers that it replicates with so it can calculate which changes it needs to be replicated on each replication cycle.

At the start of the replication cycle each server checks its Update Sequence Number table and then queries the domain controllers it replicates with for their latest USN's. For example the table below represents the USN table for server A

DC B DC C DC D
54 23 53

Server A then queries the domain controllers for their current USN's and gets the following:

DC B DC C DC D
58 23 64

From this server A can calculate the changes it needs from each server:

DC B DC C DC D
55,56,57,58 Up-to-date 54-64

It would then query each server for the changes needed.

It is possible for multiple changes to the same property of an object to occur, and collisions are detected via a Property Version Number (PVN) which every property has. These work like the USN's and each time a property is modified, the PVN is incremented by one.

In the event of a modification to the same property of the same object then the change with the highest PVN takes precedence, and if the PVN's are the same for a property update then a collision has occurred. If the PVN's match then the time stamp is used to resolve any conflicts. Each change is time stamped and this highlights the need for the domain controllers time to be accurate with one-an-other. In the highly unlikely event that the PVN's match AND the time stamp is the same then a binary buffer comparison is carried out with the larger buffer size change taking precedence. Property Version Numbers are only incremented on original writes and not on replication writes (unlike USN's) and are not server specific but rather travels with the property.

A propagation-dampening scheme is also use to stop changes being repeatedly sent to other servers which already have the change and to this end each server keeps a table of up-to-date vectors which are the highest originating writes that are received from each controller and take the form of:

<the change>,<domain controller making the original change>,<USN of the change>

For example

<object savillj, property Password xxx>,Titanic,54

Domain controllers then also send this information with the USN's so they can calculate if they already have the change the other domain controllers are trying to replicate.


Q. How can I move objects within my Forest?

A. The Windows 2000 Resource Kit ships with the MOVETREE.EXE utility which can be used to move organization units, users or computers between domains in a single forest. This is useful for the consolidation of domains or to reflect organization restructuring.

Certain objects cannot be moved with MOVETREE such as Local and Domain Global groups and if the container they are in is moved these objects will be placed in an "orphan" container in the "LostAndFound" container in the source domain.

Associated data is not moved with MOVETREE such as policies, profiles, logon scripts and personal data. To accomplish the movement of these items you should write custom scripts using the 'Remote Administration Scripts'.

The syntax of MOVETREE is

MoveTree [/start | /continue | /check] [/s SrcDSA] [/d DstDSA] [/sdn SrcDN] [/ddn DstDN] [/u Domain\Username] [/p Password] [/quiet]

/start Start a move tree operation with /check option by default. Instead, you could be able to use /startnocheck to start a move tree operation without any check.
/continue Continue a failed move tree operation.
/check Check the whole tree before actually move any object.
/s <SrcDSA> Source server's fully qualified primary DNS name. Required
/d <DstDSA> Destination server's fully qualified primary DNS name. Required
/sdn <SrcDN> Source sub-tree's root DN. Required in Start and Check case. Optional in Continue case
/ddn <DstDN> Destination sub-tree's root DN. RDN plus Destinaton Parent DN. Required
/u <Domain\UserName> Domain Name and User Account Name. Optional
/p <Password> Password. Optional
/quiet Quiet Mode. Without Any Screen Output. Optional

You should first run in /check mode as this will perform a test without actually performing the move. Any errors will be displayed and also written to the file movetree.err in your current directory. If the test is OK run with the /start option.

An example use would be

C:\> movetree /check /s titanic.market.savilltech.com /d pluto.legal.savilltech.com /sdn OU=testing,DC=Market,DC=Savilltech,DC=COM /ddn OU=test2,DC=Legal,DC=Savilltech,DC=COM

This would move the OU testing from domain market.savilltech.com to test2 in domain legal.savilltech.com.


Q. How do I allow modifications to the Schema?

A. The Schema is extensible which means it can be changed but modifying the Schema is a dangerous task as it will affect the entire domain Forest (since a forest shares a common schema) and someone at Microsoft once said the following:

"If you find you have to change the schema find another way. If you still have to, look again. If after all that you find you still need to change the schema you better make sure your managers are fully aware of the implications"

That being said to allow modifications there are two ways.

If you want to use the GUI first register the .dll for the MMC snap-in (if you haven't all ready)

C:\> regsvr32 schmmgmt.dll

You can now start the Schema Manager via the Resource Kit Tools console or by creating a custom MMC and add the Active Directory Schema snap-in to it (Start - Run - MMC - Console menu - Add/Remove Snap-in - Add - Active Directory Schema - Add - Close - OK)

  1. Start the Active Directory Schema MMC snap-in on the Domain Controller (using on of the methods above)
  2. In the left hand pane right click on 'Active Directory Schema' and select 'Operations Master' from the context menu
  3. The current machine holding the Domain name operations FSMO role will be shown.
    Enable Schema Modification
    Check the "The Schema may be modified on this server" box.
  4. Click OK to the confirmation dialog.

This can also be accomplished by directly editing the registry

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. Double click on 'Schema Update Allowed' (of type REG_DWORD)
  4. Set to 1.
  5. Click OK
  6. Close the registry editor

Other related FAQ items:


Q. What are Tombstone objects?

A. Because of the complex replication available in Windows 2000 and the Active Directory just deleting an object would result in it potentially being recreated at the next replication interval and so deleted objects are 'Tombstoned' instead. This basically marks them as deleted and applies to all objects.

Objects marked as tombstoned are actually deleted 60 days after their original tombstone status setting, however this time can be changed by modifying tombstonelifetime under cd=DirectoryServices,cn=WindowsNT,cn=Services,cn=Configuration,dc=DomainName however it is not advised.


Q. How do I switch my 2000 domain to native mode?

A. Windows 2000 domains have two modes, mixed and native. Mixed mode domains allow Windows NT 4.0 Backup Domain Controllers to participate in a Windows 2000 domain.

In native mode only 2000 based domain controllers can participate in the domain and 4.0 based Backup Domain Controllers will no longer be able to act as domain controllers. Also the switch to native mode allows use of the new "Universal" groups which unlike global groups can be nested inside each other. Older NetBIOS based clients will still be able to logon using the NetBIOS domain name even in native mode.

To perform the switch perform the following:

  1. Start the Active Directory Domains and Trusts MMC snap-in
  2. Right click on the domain you want to convert to native mode and select Properties
  3. Select the General tab
    Change Mode
  4. Click the 'Change Mode' button
  5. Click Yes to the confirmation
  6. Click Apply to the main dialog
  7. A success message will be displayed. Click OK
    Mode Switch
  8. Reboot the machine (although I have been told a reboot is not needed).

You will need to check all other domain controllers in the domain and when the domain operation mode says "Native Mode" (instead of mixed mode) reboot them. This can take 15 minutes (or more if contact is not able to be made).

If a domain controller cannot be contacted (if on a remote site and only connects periodically) when you make the change the remote DC will switch mode the next time replication occurs.


Q. How can I force replication between two domain controllers in a site?

A. In Windows NT 4.0 replication between domain controllers could be forced using Server Manager. Replication can also be forced with Windows 2000 domain controllers as follows.

  1. Start the Active Directory Sites and Services MMC snap-in
  2. Expand the sites branch which will show the various sites
  3. The default site 'Default-First-Site-Name' may be your only site. Expand the site containing the domain controllers
  4. Expand the servers
  5. Select the server who you want to replicate to and expand it
  6. Double click on NTDS Settings for the server
  7. Right click on the server you want to replicate from
  8. Select 'Replicate Now' from the context menu
  9. Replication will occur. Click OK to the confirmation dialog.

Force replication
This would replicate from TITANIC to the VENUS domain controller

The replication is one way and if you want two way replication you will need to replicate in each direction.


Q. How can I change replication schedule between two domain controllers in a site?

A. By default domain controllers will replicate once an hour but this can be changed as follows. This is only for domain controllers in a single site, cross site replication is configured differently.

  1. Start the Active Directory Sites and Services MMC snap-in
  2. Expand the sites branch which will show the various sites
  3. The default site 'Default-First-Site-Name' may be your only site. Expand the site containing the domain controllers
  4. Expand the servers
  5. Select the server who you want to configure replication to and expand it
  6. Double click on NTDS Settings for the server
  7. Right click on the server you want set replication from
  8. Select 'Properties' from the context menu
  9. Select the 'Active Directory Service connection' tab
  10. Click the 'Change Schedule...' button
  11. Modify the replication as required. Click OK
    Intersite replication
  12. Click Apply then OK

This replication schedule is one way and would to be repeated for the other direction.


Q. Can I rename a site? - Windows 2000

A. Basically yes. When you install your first domain controller it creates a default site of Default-First-Site-Name which is not very helpful and can be changed as follows:

  1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services)
  2. Expand the Sites branch
  3. Right click on the site you wish to rename (e.g. Default-First-Site-Name) and select rename (or just select the site and press F2)
  4. Enter the new name and press Enter

That's it!


Q. What DNS entries are added when a Windows 2000 domain is created?

A. Windows 2000 domains rely heavily on DNS entries however the entries are created automatically providing you have enable dynamic update on the relevant DNS zones. Below are explanations of what the entries are used for:

_ldap._tcp.<DNSDomainName>
Allows a client to localte a Windows 2000 domain controller in the domain named by <DNSDomainName>. A client searching for a DC in domain savilltech.com would query the DNS server for _ldap._tcp.savilltech.com

_ldap._tcp.<SiteName>._sites.<DNSDomainName>
This allows a client to find a Windows 2000 domain controller in the Domain and site specified, e.g. _ldap._tcp.london._sites.savilltech.com for a DC in the London site of savilltech.com

_ldap._tcp.pdc._ms-dcs.<DNSDomainName>
Allows a client to find the Primary Domain Controller (PDC) FSMO role holder of a mixed-mode domain. Only the PDC of the domain registers this record.

_ldap._tcp.gc._msdcs.<DNSTreeName>
Allows a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. Should a server cease to be a GC it will deregister the record.

_ldap._tcp.<site>._sites.gc._msdcs.<DNSTreeName>
Allows a client to find a Global Catalog (GC) server in the specified site, e.g. _ldap._tcp.london._sites.gc._msdcs.savilltech.com.

_ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>
Allows a client to find a domain controller in a domain based on its Globally Unique IDentifier (GUID). A GUID is a 128-bit (8 byte) number this is generated automatically for referencing objects in the Active Directory.

<DNSDomainName>
Allows clients to find a Domain Controller by a normal Host record.


Example DNS screen for a domain


Q. How can I manually defragment the Active Directory? - Windows 2000 only

A. By default Windows 2000 servers running directory services will perform a directory online defragmentation every 12 hours (by default) as part of the garbage collection process. This defragmentation only moves data around the database file (NTDS.DIT) and does not reduce its size.

To create a new, smaller NTDS.DIT and offline defragmentation must be performed as follows:

  1. Backup the Active Directory (as seen in 'Q. How can I backup the Active Directory/System State?')
  2. Reboot the server, select the OS option and press F8 for advanced options. Select the 'Directory Services Restore Mode' option and press Enter. Press Enter again to start the operating system.
  3. Windows 2000 will start in safe mode with no directory service running. Logon using the Administrator account and password if the LOCAL SAM.
  4. A dialog informing you are in safe mode will be displayed. Click OK
  5. From the Start menu select Run and type
    CMD.EXE
  6. A command window will be displayed. Type the words in red:
    C:\> ntdsutil
    ntdsutil: files
    file maintenance: info
    ....
    file maintenance: compact to c:\temp
  7. The progress of the defragmentation will be shown. If successful type quit twice to return to the command prompt
  8. Now replace the old NTDS.DIT with the new compressed version
    C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
  9. Restart the computer and boot as normal

Below is an example of the entire procedure

Microsoft Windows 2000 [Version 5.00.2031]
(C) Copyright 1985-1999 Microsoft Corp.

D:\>ntdsutil
ntdsutil: files
file maintenance: info

Drive Information:

C:\ FAT (Fixed Drive ) free(1.2 Gb) total(1.9 Gb)
D:\ NTFS (Fixed Drive ) free(152.4 Mb) total(1.9 Gb)

DS Path Information:

Database : D:\WINNT\NTDS\ntds.dit - 8.1 Mb
Backup dir : D:\WINNT\NTDS\dsadata.bak
Working dir: D:\WINNT\NTDS
Log dir : D:\WINNT\NTDS - 30.0 Mb total
res2.log - 10.0 Mb
res1.log - 10.0 Mb
edb.log - 10.0 Mb
file maintenance: compact to c:\temp
Opening database [Current].
Using Temporary Path: C:\
Executing Command: D:\WINNT\system32\esentutl.exe /d "D:\WINNT\NTDS\ntds.dit" /
/o /l"D:\WINNT\NTDS" /s"D:\WINNT\NTDS" /t"c:\temp\ntds.dit" /!10240 /p


Initiating DEFRAGMENTATION mode...
Database: D:\WINNT\NTDS\ntds.dit
Log files: D:\WINNT\NTDS
System files: D:\WINNT\NTDS
Temp. Database: c:\temp\ntds.dit

Defragmentation Status ( % complete )

0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................

Note:
It is recommended that you immediately perform a full backup
of this database. If you restore a backup made before the
defragmentation, the database will be rolled back to the state
it was in at the time of that backup.

Operation completed successfully in 17.896 seconds.


Spawned Process Exit code 0x0(0)

If compaction was successful you either need to
copy "c:\temp\ntds.dit" to "D:\WINNT\NTDS\ntds.dit"
or run:
D:\WINNT\system32\ntdsutil.exe files "set path DB \"c:\temp\"" quit quit
file maintenance: quit
ntdsutil: quit

D:\>copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
Overwrite D:\WINNT\ntds\ntds.dit? (Yes/No/All): y
1 file(s) copied.


Q. How can I audit the Active Directory?

A. It is possible to configure auditing on the Active Directory to produce both successful and failed entries in the Directory Service event log.

To configure perform the following:

  1. Start the 'Active Directory Users and Computers' MMC snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. From the View menu select 'Advanced Features'
  3. Expand the domain, right click on the 'Domain Controllers' container and select Properties from the context menu
  4. Select the 'Group Policy' tab
  5. Select 'Default Domain Controllers Policy' and click Edit
  6. Expand the Computer Configuration branch, the Windows Settings branch, Security Settings branch, and finally the Local Policies branch
  7. Select 'Audit Policy'
  8. In the right hand window it will show auditing levels
  9. Double click 'Audit Directory Service Access'
  10. Check the relevant boxes (e.g. Audit success, audit fail). Click OK
  11. Close the Group Policy window
  12. Click OK to the main Domain Controllers Properties dialog
  13. Close the Active Directory and Users MMC snap-in

The logs can be viewed in the Security Log (using Event Viewer). The policy change may take a while to take effect as domain controllers poll for policy changes every five minutes. Other domain controllers in the enterprise receive the changes at this interval plus the time of replication.


Q. How can I automate a server upgrade to a Domain Controller during installation?

A. Its possible to run the DCPROMO.EXE utility automatically during an unattended installation using the following method:

The Dcpromo process can be scripted by using the dcpromo /answer:%path_to_answer_file% command. In the following example, the [DCInstall] section and parameters are added directly to the unattended answer file. The parameters for the DCInstall section are detailed in the Unattend.doc supplied with the resource kit but below are the main entries:

AdministratorPassword The new password for the domain Administrator account
AutoConfigDNS Indicates if the wizard should configure DNS
ChildName Name of the child part of domain
CreateOrJoin Specifies if the domain will join an existing forest or create a new one
DatabasePath Location for the Active Directory database
DNSOnNetwork Used when a new forest of domains is being installed and no DNS client is configured on the computer
DomainNetBiosName NetBIOS name for the domain
IsLastDCInDomain Only valid when demoting an existing domain controller to a member server
LogPath Path for the DS logs
NewDomainDNSName Name of the new tree or when a new forest is being created
ParentDomainDNSName Specifies name of parent domain
Password Password for username being used to promote server
RebootOnSuccess Whether an automatic reboot should be performed
ReplicaDomainDNSName Name of the domain to be replicated from
ReplicaOrMember Specifies if a 3.51 or 4.0 BDC being upgraded should become a replica domain controller or be demoted to a regular member server.
ReplicaOrNewDomain Specifies if this is a new DC in a new domain or if its a replica of existing domain
SiteName Name of the site, by default this is "Default-First-Site"
SysVolPath Path of SYSVOL
TreeOrChild If this is a new tree of child of existing domain
UserDomain Domain for the user being used in promotion
UserName Name of user performing the upgrade

Because this process occurs after setup, the answer file created is named $winnt$.inf and is copied to the \system32 folder. Because the parameters are in this file, you must add the following text to the [GUIRunOnce] section of the unattended Setup answer file:

[GUIRunOnce] "DCpromo /answer:%systemroot%\system32\$winnt$.inf"

Once the Dcpromo process completes, password information is removed from the $winnt$.inf file. To make this process easier because the Run-once command does not execute until someone logs on to the computer, you can add the following text to the unattended answer file:
[GUIUnattended]
Autologon = yes ; automatically logs on the administrator account
AutoLogoncount = n ; number of times to perform auto-admin logon 

Easy :-) Don't use items like %systemroot% or %windir% etc as they are not understood during unattended installations.

You can just create a [DCInstall] section directly in your unattend.txt file and to avoid having multiple unattended setup files.

[DCInstall]
AdministratorPassword = cartman
CreateOrJoin = Create
DomainNetBiosName = savtech
NewDomainDNSName = savtech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "London"
TreeOrChild = Tree

The script above would create a new forest with domain savtech.com at the top with the created domain controller in site London. Default locations for the SYSVOL, logs and Active Directory files will be used. The new domain Administrator account password would be cartman (Southpark rules!).

You can of course use this outside of an unattended installation if you wish after you've installed by just typing:

DCPROMO /answer:<DCInstall answer filename>

A small dialog saying DCPROMO is running in unattended mode will be displayed and then it will reboot.


Q. How do I enable circular logging for the Active Directory?

A. Active Directory can record either sequential or circular logs, although sequential is the default and is preferred. Circular logs overwrite transactions at specific intervals, whereas sequential logs are never overwritten (but data in sequential log files whose transactions have been committed to the database are deleted during garbage collection intervals.) 

Sequential log files are not overwritten with new data. They grow until they reach a specified size. Once all the transactions in a log file are committed to the database, this log file is no longer needed. Active Directory’s garbage collection process deletes unnecessary log files every 12 hours (the default garbage collection interval). If your server never stays up longer than 12 hours between reboots, the old log files are never cleaned up and they take up more and more space on the disk (but you have bigger problems :-) ).

Some administrators prefer circular logging because it helps minimize the amount of logged data stored to the physical disk. Imagine circular logs as a donut with new data overwriting the oldest as needed. You must edit the registry to enable circular logging. 

  1. Start regedt32.exe
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. If the value CircularLogging does not exist select New - String value from the Edit menu and enter a name of CircularLogging
  4. Double click CircularLoggin and set to 1 to enable (0 for disable and sequential log files)
  5. Close the registry editor
  6. Restart the directory service via a reboot for the change to take effect

Q. How do I change Domain Names?

A. This is not so much a procedure but things to think about.

  1. NT stores both the textual name and the Security ID (SID) associated with the name, when you change the Domain name you only change the textual part and NOT the SID.
  2. All users should log off before starting the Domain Name change
  3. Break all trust relationships with other Domains
  4. If possible all BDC's should have the domain name changed and want to reboot. Say reboot later, and shutdown the machine and power it off.
  5. On the PDC run control panel, and change the Domain Name through Network Panel. The computer will prompt for a reboot and select "Reboot Now".
  6. Once the PDC is up let it stabilize for a few minutes then bring up each BDC with a minute gap, so it can validate with the PDC
  7. Re-create trust relationships with other Domains
  8. Move all clients to the new Domain, for Workstation see next FAQ.

A knowledge base article exists at http://support.microsoft.com/support/kb/articles/q178/0/09.asp.


Q. How do I move a Workstation to another Domain?

A. Logon to the Workstation locally as Administrator (i.e. name of machine) and goto Control Panel. Double click Network and click change. Enter the new Domain name and click OK. You will receive a message "Welcome to Domain x". Reboot the machine and you are part of the new domain.

If you wish to administer this box from the new domain you will need to add <Domain>\DomainAdmins to the local administrators group by connecting to the local user database via User Manager for Domains (i.e. \\computername)


Q. How many user accounts can I have in one Domain?

A. The real problem is that each user account and machine account takes up space in the SAM file, and the SAM file has to be memory resident. A user account takes up 1024 bytes of memory (a machine account half as much), so for each person (assuming they each had one machine) would be 1.5 KB. This would mean for a 10,000 user domain each PDC/BDC would need 15MB of memory just to store the SAM! Imagine a network with 100,000 people. This is one of the reasons you have multiple domains and then setup trust relationships.


Q. How to I change my server from Stand Alone to a PDC/BDC?

A. You cannot change the role of a NT server, you will need to reinstall NT.

As an alternative, you can use a 3rd party utility called U-Promote, http://u-tools.com/UTools/UPromote.asp however this works by making registry changes that would render your system unsupportable by Microsoft and may lead to problems later in the servers life time, for example moving to Windows 2000.

In Windows 2000 you can promote a server to a domain controller by using DCPROMO.EXE.


Q. What is a PDC, BDC?

A. A PDC is a Primary Domain Controller, and a BDC is a Backup Domain Controller. You must install a PDC before any other domain servers. The Primary Domain Controller maintains the master copy of the directory database and validates users. A Backup Domain Controller contains a copy of the directory database and can validate users. If the PDC fails then a BDC can be promoted to a PDC. Possible data loss is user changes that have not yet been replicated from the PDC to the BDC. A PDC can be demoted to a BDC if one of the BDC's is promoted to the PDC.


Q. How many BDC's should I have?

A. Microsoft say one BDC for every two thousand users. This is fine considering a 486DX2 with 32MB of RAM can, on average, perform at least 10 logons per minute, however if everyone in your company arrives at 9:00 on the dot and log on (except for the helpful people who arrive half an hour late) there will be a surge of logon requests to deal with, resulting in large delays. To try and improve on this, it is possible to configure the Server service to throughput for Network Applications rather than File Applications. Remember the more powerful the processor, the more logons (for a Pentium 133, would be able to logon at least 30 people).


Q. How do I configure a Trust Relationship?

A. Domains by default are unable to communicate with other domains, which means somewhere in domain x cannot access any resource that is part of domain y. Before a trust relationship is configured

After a trust relationship is defined, say x trusts y the following happens

In the example above x is the trusting domain, and y is the trusted domain. Also the above is a one-way trust relationship, i.e. while domain y users can use domain x resources, users of domain x cannot use domain y resources. A two-way relationship would allow each domain to access resources of the other (if given permission).

The basics of a trust relationship is to first configure domain y to allow domain x to trust it, and then configure domain x to trust domain y:

  1. Log onto domain y as Administrator
  2. Start User Manager for Domains (Start - Programs - Administrative Tools)
  3. Select "Trust Relationships" from the Policies menu
  4. Click the Add button to the Trusting Domains box
  5. Enter the name of the domain you want to be able to trust you, i.e. domain x
  6. You can type a password in the Initial Password and Confirm Password, however this is only used when the trust relationship is started. You can leave it blank Click OK to complete the addition
  7. Close the Trust Relationship dialog box
  8. Log off of domain y and logon onto domain x as Administrator
  9. Start User Manger for Domains, and choose "Trust Relationships" from the Policies menu
  10. Click the Add button to the Trusted Domains box
  11. Enter the name of domain y and the password if one was configured in step 6
  12. Click OK and close the User Manager for Domains application.
  13. Domain x now trusts domain y

Q. How do I terminate a Trust Relationship?

A. Firstly you have to stop domain x trusting domain y, then remove domain x's ability to trust domain y:

  1. Logon as Administrator to domain x
  2. Start User Manager for Domains, and click Trust Relationships from the Policies menu
  3. Select domain y from the Trusted Domains and click Remove and confirm
  4. Logoff, and logon to domain y as Administrator
  5. Start User Manager for Domains, and click Trust Relationships from the Policies menu
  6. Select domain x from the Trusting Domains and click Remove and confirm
  7. Exit

Q. How can I join a domain from the command line?

A. The NT Resource Kit Supplement 2 ships a new utility called NETDOM.EXE which can be used to not only join domains, but create computer account and trust relationships.

To join a domain there are 2 paths, the first is to just add the computer to the domain and create the computer account simultaneously which is OK if you are logged on as a domain administrator, if you are not a domain administrator the account needs to be added in advance and then you join the domain.

If you are logged on as a domain administrator then enter the command below to create the account and join the domain

netdom /domain:savilltech /user:savillj /password:nottelling member <computer name> /joindomain
where <computer name> is the name of your machine, e.g. johnstation

If you are not an administrator the domain admin people will have to add you an account first using either server manager or using NETDOM.EXE

netdom /domain:savilltech /user:savillj /password:nettelling member <computer name> /add

Once the account has been add the normal user could join the domain using the first command shown.


Q. How do I demote a PDC to a BDC?

A. Normally when you promote a BDC to the PDC, the existing PDC is automatically demoted to a BDC, but in the event that the PDC was taken off line and then a BDC promoted when the old PDC is restarted it will still think its the PDC and when it detects another PDC it will simply stop its own netlogon service.

To actually modify the machine to be a BDC the registry needs to be changed directly:

  1. Logon to the machine as an Administrator
  2. Start the registry editor (regedt32.exe)
  3. Move to HKEY_LOCAL_MACHINE\Security
  4. Select Permissions from the Security menu
  5. Select Administrators and change the access type to Full Control, check the "Replace Permission on Existing Subkeys" and click OK. Click Yes to the confirmations dialog box
  6. You can now navigate the Security menu, move down to Policy\PolSrvRo
  7. Double click on the default <no name> value and change the second digit (which should be 3 for a PDC) to a 2 (which means BDC). Click OK. E.g. 03000000 to 02000000.
  8. You should now reset the Security on the Security part of the registry using the same method as before but changing back to Special Access for Administrators. The permissions for Administrators should be
    - Write DAC
    - Read Control
  9. Restart the machine and it will come up as a BDC

To avoid having to set security perform the registry change from the system account by submitting the registry editor via the schedule service.

C:\> net start schedule (only if not already running)
C:\> at <time> /inter regedt32.exe
C:\> net stop schedule (only if you had to start it)


Q. How can I configure a BDC to automatically promote itself to a PDC if the PDC fails?

A. There is no way to do this, the assumption is that the PDC would be configured to write out the dump information and then reboot itself thus coming back online. You configure this behavior using the System Control Panel Applet - Startup/Shutdown tab.


Q. How do I rename a PDC/BDC?

A. To rename a Primary Domain Controller perform the following:

  1. Log onto the PDC as an Administrator
  2. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
  3. Click the Identification tab.
  4. Click the Change button and enter in the new computer name and click OK
  5. Restart the PDC for the name change to take effect.
  6. Once the machine has rebooted start Server Manager (Start - Programs - Administrative Tools - Server Manager), if the old name still appears as a Backup, or if there is no entry for the new name:
    - Create an entry for the new name. To do this, select Add to Domain in the Computer menu of Server Manager.
    - Add the new computer account as a "Windows NT Backup Domain Controller" (it will be added and displayed as a Primary).
    - Remove the old name by selecting the entry. To do this, select Remove from Domain on the Computer menu.

To Rename a Backup Domain Controller

  1. Log onto the PDC as an Administrator and in Server Manager (Start - Programs - Administrative Tools - Server Manager) add an account for the BDC's new name
  2. Log onto the BDC as an Administrator
  3. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
  4. Click the Identification tab.
  5. Click the Change button and enter in the new computer name and click OK
  6. Restart the BDC for the name change to take effect. The NETLOGON service will not yet start on this server.
  7. On the PDC, open Server Manager. Select the new BDC name and from the Computer menu, choose Synchronize With Primary. This will start the NETLOGON service.
  8. In Server Manager, select the old BDC name from the list and from the Computer menu, choose Remove From Domain.

Note: If the BDC begins to receive 7023 or 3210 errors after synching the domain in server manager, on the PDC choose the BDC and then synch that specific BDC with the PDC. After an event indicating that the synch is complete, restart the BDC.


Q. Can I move a BDC to another domain?

A. Normally no, the BDC shares a common SID with the PDC of the domain and so there is no way to move a BDC to another domain, you would need to reinstall the BDC.

System Internals have released NewSID 3.0 ( from http://www.sysinternals.com/) which has a SID-synchronizing feature that let's you have one machine copy the SID of another. This makes it possible to move a BDC to a new domain. On the BDC start NewSID and click "Synchronize SID", enter the name of the PDC and click OK.


Q. Can I change a PDC/BDC into a stand-alone server?

A. No, the PDC/BDC registry is different from that of a stand alone server, again a reinstallation would be needed.

As an alternative, you can use a 3rd party utility called U-Promote, http://u-tools.com/UTools/UPromote.asp however this works by making registry changes that would render your system unsupportable by Microsoft and may lead to problems later in the servers life time, for example moving to Windows 2000.

In Windows 2000 you can change a domain controller to a normal server by running DCPROMO.EXE.


Q. Can I administer my domain from an NT Workstation?

A. Yes, if you install the NT Server client based Administration tools:

  1. Insert the NT Server CD-ROM into your NT Workstation
  2. Run the file <CD-ROM drive>:\clients\srvtools\winnt\setup.bat. This will detect you processor and install the correct images into the %SystemRoot%\System32 folder. You will have to press return.
  3. Remove the CD-ROM
  4. You now need to create shortcuts either on the desktop or start menu for the applications:
    - dhcpadmn.exe --- DHCP Manager
    - poledit.exe --- System Policy Editor
    - rasadmin.exe --- Remote Access Administrator
    - rplmgr.exe --- Remoteboot Manager
    - srvmgr.exe --- Server Manager
    - usrmgr.exe --- User Manager for Domains
    - winsadmn.exe --- WINS Manager

Q. In what order should I upgrade my PDC and BDC's from 3.51 to 4.0?

A. The two different versions can coexist happily so you can upgrade in order you want however the safest option may be the following schedule:

  1. Upgrade a BDC from 3.51 to 4.0
  2. Leave it for a week and check it is OK
  3. Promote the BDC to the PDC
  4. Leave for another week and check everything is OK
  5. Upgrade the other BDC's to 4.0
  6. Promote the old PDC back to the main PDC (the current PDC will automatically be demoted to a BDC)

Q. What tuning can I perform on PDC/BDC Synchronization?

A. There are several registry settings that can be configured for PDC/BDC Synchronization :

These are all values under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

ChangeLogSize (REG_SZ) Default size for the Change Log. By default 64KB with a maximum of 4MB
Pulse This determines the gap in seconds between replication from the PDC to the BDC's. The lowest value is 60, and the max is 3600 (1 hour). The default is 300 (5 minutes). You may want to increase this time if the BDC's are over a slow WAN link.
PulseConcurrency The number of BDC's that the PDC sends pulses to concurrently. By default this is 10.
PulseMaximum The PDC performs a check that the BDC's are still there every so often. This is in seconds and once again the minimum is 60 and the maximum is 86,400.
Randomize The number of seconds a BDC waits after an announcement before answering. 1 by default.
ReplicationGovernor This is a percentage of the 128K blocks that are sent. If you had a slow link you may not want the PDC sending 128K blocks so you could change this to 25, meaning only 32K would be sent at a time. This will mean that the blocks are sent more frequently (25 would mean 4 times as often).
Update By default this is set to no, which means only changes are replicated. Setting this to Yes will cause everything to be replicated even if there is no change. This needs to be set on the import server.

Q. I cannot add a BDC over a WAN.

A. To add a BDC to a domain, the PDC has to be contactable. Therefore the first task is to check that communications are working.

If you are using TCP/IP then ensure you can PING the PDC,

ping <ip address of the PDC>

If this is OK then the problem is at the NetBIOS level. If you have WINS on the network ensure the BDC is configured to use the WINS server as when the PDC starts it will register the WINS name <domain><1Bh> which is used to identify the domain controller.

Alternatively the LMHOSTS file can be updated.

  1. Start Notepad
  2. Open the file <systemroot>\system32\drivers\etc\lmhosts
  3. Add a line with the following syntax
    <IP address> <machine name> #PRE #DOM:<domain name>
  4. Save the file

To use the lmhosts file during installation you should create the file on another machine and copy it over when the BDC is being installed.


Q. How can I synchronize the domain from the command line?

A. To force a domain synchronization use the command

net accounts /sync


Q. How can I force a client to validate its logon against a specific domain controller?

A. Before answering this it is best to understand what happens when a login occurs.

When a logon request is made to a domain, the workstation sends out a request to find a domain controller for the domain. The domain name is actually a NetBIOS name that is a 16-character name with the 16th character used by Microsoft networking services to identify the NetBIOS type.

The type used for a domain controller is <1C> and so the NetBIOS name for domain controller of domain "SAVILLTECH" would be "SAVILLTECH <1C>" The NetBIOS type has to be the 16th character, hence the name of the domain has to be filled with blanks to make its length up to 15 characters.

If the client is WINS enabled then a query for the resolution of "<domain name> <1C>" will be sent to the WINS server as defined in the clients TCP/IP properties. The WINS server will return up to 25 IP addresses that correspond to domain controllers of the requested domain, a \mailslot\net\ntlogon is broadcast to the local subnet and if the workstation receives a response then it will attempt logon with the local domain controller.

If WINS is not configured then it is possible to manually configure the LMHOSTS file on the Workstations to specify the Domain Controller. This file is located in the %systemroot%\system32\drivers\etc directory.

An example entry in LMHOSTS would be as follows

200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller

The above sets up IP address 200.200.200.50 to be host Titanic, which is the domain controller for savilltech and instructs the machine that this entry is to be preloaded into the cache.

To check the NetBIOS name cache you can use command nbtstat -c, which will show all the entries including their type. If WINS is not configured and there is no entry in LMHOSTS then the Workstation will send out a series of 3 broadcasts. In the situation where no response is received and WINS is configured to use DNS for WINS resolution a request to the DNS server will be sent and finally the HOSTS file checked. If all of this fails then an error "A domain controller for your domain could not be contacted.

To force a client to use a specific domain controller we need only do the following:

  1. Start the registry editor
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
  3. From the Edit menu select New - DWORD value
  4. Enter a name of NodeType and press ENTER
  5. Double click on the new value and set to 4 (this sets the network to an M-mode/mixed which means it will perform a broadcast before querying name servers for resolution). By default a system is 1 if no WINS servers are configured (B-node/broadcase) or 8 if at least one WINS server is configured (H-node/queries name resolution first then broadcasts)
  6. Double click on the EnableLMHOSTS value and set to 1. If it does not exist select New - DWORD value from the Edit menu and enter a name of EnableLMHOSTS
  7. Close the registry editor
  8. Reboot the machine

The machine is now configured to broadcase for a domain controller on a local subnet and then query a name server. If no domain controllers are found on the WINS server, or WINS is not used it will then search the LMHOSTS file. The next stage is to edit this file.

  1. Check for the LMHOSTS file
    C:\>dir %systemroot%\system32\drivers\etc\lmhosts
  2. If the file does not exist copy the sample host file
    C:\>copy %systemroot%\system32\drivers\etc\lmhosts.sam %systemroot%\system32\drivers\etc\lmhosts
    1 file(s) copied.
  3. Edit the file using edit.exe, don't use notepad.exe
    C:\>edit %systemroot%\system32\drivers\etc\lmhosts
  4. Goto the end of the comments and add a new line of the format
    <ip address> <name of DC> #PRE #DOM:<domain name> #<comment>
    e.g. 200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller
  5. Save the changes to the file and exit edit.exe
  6. Force the machine to reload the LMHOSTS file (or just reboot)
    C:\>NBTSTAT -R
    Note: The -R must be in capitals, the command is case sensitive
  7. Check the cache
    C:\>NBTSTAT -c
  8. At this point the configuration is complete and a reboot is advisable.

Service Pack 4 includes a new utility, SETPRFDC.EXE, which will direct a secure channel client to a preferred list of domain controllers.

The syntax is:

C:\> SETPRFDC <Domain Name> <DC1, DC2, ....., DCn>

SETPRFDC will try each DC in the list in order, until a secure channel is established. If DC1 does not respond, DC2 is tried, and so on. Once you run SETPRFDC on a WinNT 4.0, SP4 computer, the list is remembered until you change it. You can run SETPRFDC in batch, via the scheduler, or even in a logon script (for future logons). Don't forget to undo any LMHOSTS entries you might have set.


Q. How do I promote a server to a domain controller? - Windows 2000 only

A. Windows 2000 ships with a utility, DCPROMO.EXE, which is used to promote a stand-alone/member server to a domain controller and vice-versa.

In Windows 2000 domains are DNS names which means you can have a hierarchy of domains leading to parent-child domain relationships. The advantage of these parent-child relationships is that there have a bidirectional transitive trust which means that if domain b is a child of domain a, and domain c is a child of domain b, domain c implicitly trusts domain a. This is very different from the way trusts work in earlier versions of Windows NT.

Since Windows 2000 domains rely on DNS it is vital that DNS is correctly configured to enable the domain to be created (if you are creating a new top level domain). Information on configuring DNS for a domain can be found here.

A final pre-requisite is that an NTFS 5.0 volume is required to house the SYSVOL volume and so ensure you have at least one NTFS 5.0 volume (use CHKNTFS to check the versions of your partitions).

To upgrade a stand-alone/member server to a domain controller perform the following:

  1. Start the DCPROMO utility (Start - Run - DCPROMO)
  2. Click Next to the introduction screen
  3. You will have a choice to "New domain" or "Replica domain controller in existing domain". There is no concept of a BDC in NT 5.0 and all domain controllers are equal (more or less :-) ). Select New Domain and click Next
  4. A new concept is trees which enable the idea of child domains. If you are starting a new top level domain select "Create new domain tree", to create a child domain select "Create new child domain". Click Next
  5. If you selected to create a new domain tree you will be asked if you want to "Create a new forest of domain trees" or "put this new domain tree in an existing forest". Forests enable you to "join" a number of separate domain trees and again a transitive trust relationship is created between them. If this is your first NT 5.0 domain tree you should create a new forest. Click Next
  6. You will then be asked for the DNS name of your domain, e.g. savilltech.com is a valid domain name. It is important this matches information configured on the DNS server. Click Next
  7. You will then be asked for a NetBIOS domain name which by default will be the left most part of the DNS domain name (up to the first 15 characters), e.g. savilltech, however this can be changed. Click Next to continue.
  8. You will then have to provide a storage area for the Active Directory and the Active Directory log. Except the defaults and click Next
  9. Finally you must select an area on an NTFS 5.0 partition for the SYSVOL volume for storage of the servers public files, %systemroot%\SYSVOL by default. Click Next
  10. An option to weaken security for pre-Windows 2000 services such as a 4.0 RAS server. Select your option and click Next
  11. You will be asked for an Administrator password to be used in Directory Server restore mode. Click Next
  12. A summary screen will be displayed and click Next to start the upgrade. It sets security and creates the Directory Server schema container. Information from the default directory service file and the old SAM is then read in if the machine is an upgraded PDC.
  13. You should then click Finish and reboot the machine.

You now have a Windows 2000 domain controller. Additional domain controllers (old BDC's) can be added by performing the above and selecting "Replica domain controller in existing domain" in step 3. It would then ask you the name of the domain to replica.


Q. How can I generate a list of all computer accounts in a domain?

A. The normal method under Windows NT 4.0 and earlier is to use Server Manager (Start - Programs - Administrative Tools - Server Manager) and computer accounts can be viewed/added/deleted.

Under Windows NT 5.0 this information can be viewed using the Active Directory MMC (Microsoft Management Console) snap-in and browse the domain/Computers group. Of course under Windows NT 5.0 and the Active Directory computers can also be created in Organisation Units so would not all be shown under this tree (as shown below the computer account in the law OU would not be listed in the Computers group).

Active Directory computer list

A more complete method is to use the Windows NT Resource Kit NETDOM.EXE utility (which runs under Windows NT 5.0) to generate the list, e.g.

C:\> netdom member
Searching PDC for domain SAVILLTECH ...
Found PDC \\TITANIC
Listing members of domain SAVILLTECH ...

Member 1 = \\ODIN
Member 2 = \\garfield

It is also possible to list other domains using a mixture of command line switches, e.g.

C:\> netdom /d:<domain name> [/u:<domain>\<user to which query> /p:<password] member

The information in the [] is only needed if your account does not have privileges in the requested domain.

The advantage of the command line tool is it lists all computer accounts, even those in OU's in the Active Directory.

An alternative method is to use the net view /domain:<domain> command which has the advantage that you can pipe the output to a file or another command, e.g.

C:\> net view /domain:savtech


Q. How can I verify my Windows 2000 domain creation? - Windows 2000 only

A. To verify the tcp/ip configuration is OK check for the ldap.tcp.<domain> service record, e.g. ldap.tcp.savilltech.com

C:\> nslookup
> set type=srv
> _ldap._tcp.savilltech.com
Server: [200.200.200.50]
Address: 200.200.200.50
_ldap._tcp.savilltech.com SRV service location:
priority=0
weight=0
port=389
svr hostname=titanic.savilltech.com
titanic.savilltech.com internet address=200.200.200.50

The ldap record used to be ldap.tcp.<domain> but was modified in build 1946 onwards. The underscore is necessary to definitively differentiate our unique names in the DNS namespace from internic registered domain names on the internet. In this way we can ensure that there will never be a DNS name clash. My understanding is that RFC 1034\1035 (may be wrong with these numbers as they may have been superceded) say that the underscore character is NOT a valid character to use in a DOMAIN NAME. All internet registered names should never contain the underscore. Now, RFC2181 states that the underscore is a valid label to use in DNS (as well as plenty of other characters too) so we the underscore is used to prevent possible clash with INTERNET names. This change was introduced in earlier builds of windows 2000. For a while DC's generated both styles of names in DNS to support both styles of clients (ie newer and older builds). Now that client code is changed to look for underscores, we have now retired the ldap.tcp names in favour of the _ldap.tcp names.

Also make sure the NetBIOS computer name is OK

C:\> net view \\<computer name>

Finally check the NetBIOS Domain name works

C:\> usrmgr <domain name>

The NetBIOS domain name is used for backwards compatibility. Use a 4.0 version of usrmgr.


Q. How can I configure multiple Logon Servers with LMHOSTS?

A. Service Pack 4 adds support for multiple domain controllers for a single domain to be configured in the LMHOSTS file (located in %systemroot%\system32\drivers\etc). Normally when a computer starts, the WINS server is queried for any [1C] entries, domain controllers, and it will return a list. This list is not geographically aware and you could be given a domain controller on the other side of the world.

An alternative is to specify a list of domain controllers in the LMHOSTS file (which is now checked before WINS is #PRE is in the entry) and have different LMHOSTS files in different regions.

Example entries in the file would be

200.200.200.50 titanic #PRE #DOM:SAVILLTECH
200.200.200.80 cuttysark #PRE #DOM:SAVILLTECH

You will need to ensure the computer is configured to use the LMHOSTS file

  1. Right click on Network Neighborhood and select Properties
  2. Select the Protocol's tab
  3. Select "TCP/IP Protocol" and click Properties
  4. Select "WINS address"
  5. Check the "Enable LMHOSTS Lookup" box
  6. Click Apply then OK
  7. You will need to restart the computer

Q. Are trust relationships kept when upgrading for a 4.0 domain to a Windows 2000 domain?

A. When a 4.0 PDC is upgrade to Windows 2000 all trust relationships are maintained.


Q. How are trust relationships administered in Windows 2000?

A. Instead of using User Manager as in NT 4.0, a new MMC snap-in, Active Directory Tree Manager is used. Although the host application is different the usage is exactly the same.

To view/add/remove perform the following:

  1. Start the Domain Tree Manager (Start - Programs - Administrative Programs - Domain Tree Management)
  2. Expand the root and right click on the domain
  3. Select Properties from the displayed context menu
  4. Select the Trusts tab and add/view as required.
  5. Click Apply then OK

Windows 2000 trusts
- Example of one domain that trusts ours

Obviously you should try and use the tree and forest concept rather than manual trust relationships with pure Windows 2000 domains. This is discussed in the Active Directory section (which will be added shortly).


Q. I can't promote a BDC to PDC.

A. If you receive an 'Access Denied' message when attempting to promote a BDC to the PDC it may be due to the fact the PDC has Service Pack 4 installed.

This is because Service Pack 4 upgraded the security mechanism used so you will either have to perform the promotion from a Service Pack 4 domain controller or upgrade the BDC in question to SP4.

Another reason for this error is trying to get a renamed and upgraded (3.51 to NT4) server to sync with the domain. The accounts database may have become out of date and thus couldn't be synchronised. NETLOGON may not even be startable.

The way round is to do a "connect as" from the PDC to the rogue BDC using an admin ID known to be good by the BDC before it was upgraded. Once the "connect as" (say to Cc) was accepted, the BDC would then accept the synchronise request from the PDC's Server Manager, restarting NETLOGON in the process.


Q. Unable to join a domain because of SMB signing, what can I do?

A. If the following error message is displayed when you attempt to add a computer running Windows NT to the domain:

"Unable to connect to the domain controller for this domain. Either the username or password entered is incorrect."

The error message is displayed even though networking is enabled and the correct administrator name and password credentials were supplied. The problem is that the PDC has SMB signing set to required and the client cannot communicate as it does not have SMB signing enabled.

Two options are possible. The first is to disable RequireSecuritySignature SMB signing on the domain controller as described in Q. How do I enable SMB signing? or install the machine into a workgroup, enable SMB signing then join the domain. Of course this would not work with BDC's.


Q. How can I create a child domain?

A. Windows 2000 allows the creation of a domain as a child of another domain. When two or more domains are joined in a parent-child relationship a domain tree is formed.

A child domain is created when executing the DCPROMO.EXE image and the parent domain must be accessible to create.

  1. Install Windows 2000 on the machine
  2. Ensure the machine has TCP/IP and DNS configured correctly
  3. Execute DCPROMO
  4. Click Next to continue the upgrade
  5. Select 'Domain controller for a new domain' and click Next
  6. Select 'Create a new child domain in an existing domain tree' and click Next
  7. Enter a Username, password and domain you will be using to join the domain tree. This account must reside in the parent domain a domain in the forest you are joining. Click Next
  8. Select the parent domain name by selecting Browse, e.g. savilltech.com. Enter the child domain (just the left most part), e.g. legal. The new complete name will be shown, e.g. legal.savilltech.com. Click Next
  9. If this is a new domain controller enter a NetBIOS name for backwards compatibility. By default it will be the left most 15 characters of the DNS domain name (up to the first .). If you are upgrading an existing DC then the NetBIOS name cannot be changed. Click Next
  10. Database and log locations will be shown. Click Next
  11. The System Volume area will be shown. Click Next
  12. An option to weaken security for 4.0 RAS servers. Select your option and click Next
  13. A summary will be shown. Click Next
  14. The new domain creation will begin
  15. Click Finish and reboot the machine

Instead of performing screenshots I've produced an animated GIF of the entire child domain creation (I was bored ;-) ). Click Refresh to make it start from the beginning, a gap of 2 seconds is shown between each screen.

Child domain creation


Q. How can I create a domain trust through a firewall?

A. When creating trust relationships communications between the two domains is carried out over a number of protocols with each protocol using different TCP/IP port. Below is a list of ports which need to be enabled on the firewall for a trust relationship:

You may use LMHOSTS for name resolution (which would have #pre #dom entries for the domain controllers) or WINS can be used which requires:

Alternatively, a trust can be established through point-to-point tunneling protocol (PPTP). For PPTP, the following ports must be enabled:

If you only wish to perform management through a firewall and/or RRAS you can only allow TCP any-139, TCP 139-any and UPD 138-138 through the firewall. Also allow UDP 137-137 to the WINS Servers. This allows all the remote management tools to run from the management NT Workstations.

Also see the following knowledge base articles:


Q. How can I check the browse masters for a domain?

A. The resource kit has a utility BROWSTAT.EXE which allows status of the browse service to be ascertained. To check browse masters for a domain use the following command:

C:\> browstat status <domain>

To check statistics for a single server use the command

C:\> browstat stats \\<server>


Q. How can I stop a remote master browser?

A. The resource kit utility BROWSTAT can be used to remotely stop a browse master with the following command:

C:\> BROWSTAT TICKLE <transport> <domain> | \\<server name>

Where <transport> is the Windows NT transport device name, and <domain> is the domain in which the master browser is located, and <server name> is the computer name of the master browser.

To check which transport use the command:

C:\> net config rdr
Workstation active on NetbiosSmb (000000000000) NetBT_Tcpip_{C2F....

The transport device is indicated by '<network service>_<NIC type>', where <network service> is the session-layer network service, and <NIC type> is the type of network interface card on your computer. The session-layer network services are NetBT for NetBIOS over TCP/IP, NwlnkNb for IPX, or Nbf for NetBEUI, e.g. NetBT_Tcpip.

C:\> browstat tickle NetBT_Tcpip_{C2F8C130-F2AF-11D2-B748-DAEDF5F58140} \\titanic


Q. How can I force a browser election?

A. The resource kit utility BROWSTAT can be used to force a browser election:

C:\> BROWSTAT ELECT <transport> <domain> | \\<server name>

Where <transport> is the Windows NT transport device name, and <domain> is the domain in which the master browser is located, and <server name> is the computer name of the master browser.

To check which transport use the command:

C:\> net config rdr
Workstation active on NetbiosSmb (000000000000) NetBT_Tcpip_{C2F....

The transport device is indicated by '<network service>_<NIC type>', where <network service> is the session-layer network service, and <NIC type> is the type of network interface card on your computer. The session-layer network services are NetBT for NetBIOS over TCP/IP, NwlnkNb for IPX, or Nbf for NetBEUI, e.g. NetBT_Tcpip.

C:\> browstat elect NetBT_Tcpip_{C2F8C130-F2AF-11D2-B748-DAEDF5F58140} savilltech


Q. How can I modify the domain refresh interval?

A. Windows refreshes the domain list whenever the machine is locked for more than two minutes (120 seconds). This can lead to a delay while it does this until the user gets control of the system again.

You can modify the amount of time it waits until refreshing by performing the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Double click on DcacheMinInterval (or if it does not exist create of type REG_DWORD)
  4. Modify between 120-86400 seconds
  5. Click OK
  6. Close the registry editor
  7. Restart the computer

Q. How is the list of cached domains stored?

A. When you logon a list of known (trusted) domains are displayed that you may logon to.

You can view these entries by performing the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache
  3. You will be able to see all known domains
  4. Close the registry editor

There is no point editing this list as it will be recreated the next time the machine is started/locked.


Q. What is Group Policy?

A. You will no doubt be familiar with the concept of group policies in NT 4.0 and by utilizing the Group Policy Editor you can configure various restrictions, save it as file NTCONFIG.POL in the netlogon share and the settings will be applied to all users of the domain. Effectively all the policies of Windows NT 4.0 allowed were registry updates.

These policy settings could be configured for users, computers or groups of users.

Windows 2000 takes this to the next level and promises the following ideal

"The ability for the Administrator to state a wish about the state of their Users environment once, and then rely on the system to enforce that wish"

In Windows 2000 the Group Policy model has been completely updated and now utilizes the Active Directory and offers much more than just registry restrictions, for example

Group Policy Object's (GPO's) are a policy unit and can be applied to a site, domain or organizational unit (OU), in fact it will often be the case that a user/computer will have multiple GPO's applicable to them and in the event of a clash of a setting the order of precedence is Site, Domain then OU, SDOU, and so any setting defined at a site level can be overwritten by a domain setting, anything defined on a domain can be overwritten by an OU setting. There is a fourth type, the Local computer policy and this has bottom priority and any policies will be overwritten by any of the others which gives us an order of LSDOU.

The three mechanisms to apply Group Policies for sites, domains and OU’s are as follows:

By default when you select Group Policy for a container there will be no GPO and you have the option of either adding an existing GPO to the container or creating a new one. To create a new GPO just click the New button and enter a name for the GPO. Once created clicking the Edit button can modify the specified policy. A new instance of the Microsoft Management Console will be started with the Group Policy Editor loaded with the selected GPO at the root.

Windows NT 4.0 policies already in place are NOT upgraded to 2000 and you will need to redefine all your policies as GPO's. In a mixed environment of both 4.0 and 2000 clients you will need to keep a NTCONFIG.POL in the NETLOGON share of the domain controllers (even the 2000 DC's as they may authenticate 4.0 client logons in a mixed environment) to ensure 4.0 clients still receive their policy settings. Windows 2000 clients will ignore NTCONFIG.POL unless you make a policy change to instruct them to implement the NTCONFIG.POL contents. If you do then the order of reading is

  1. GPO(s) Computer at startup
  2. Computer NTCONFIG.POL at login
  3. User NTCONFIG.POL at login
  4. GPO(s) User at login

As has been said, GPO information is stored in the Active Directory but the policy itself is stored on the SYSVOL container on each domain controller as sysvol\Policies\<GUID of GPO> (GUID is Globally Unique IDentifier).

To avoid any conflicts with GPO modifications only the PDC role holder can make changes to the GPO.

Another change is that old 4.0 policies are 'tattooed' in the registry, meaning that even after a policy has been removed, its settings stay in the registry until changed by something else. An advantage of the Windows 2000 Group Policies is that this does not occur. The reason for this is that in Windows 2000, registry settings written to the following two secure registry locations are cleaned up when a Group Policy Object no longer applies:

Finally unlike the 4.0 Group Policies the policy actually gets refreshed at certain times, well not ALL of the policy,  software deployment and folder redirection are not updated as, for example, you would be unhappy if the GPO was modified to remove Word and you were using it at the time and it suddenly uninstalled! All 2000 machines refresh the policy every 90 minutes except domain controllers who replicate every 5 minutes. These times and the parts to replicate can be modified within the GPO.


Q. How can I force GPO updates to take effect?

A. Policies are refreshed every 90 minutes (5 on DC's). To force a machine to update the policy use the SECEDIT command.

To update the computer policy type

C:\> secedit /refreshpolicy machine_policy

To update the user policy type

C:\> secedit /refreshpolicy user_policy

Adding /enforce to any of the above forces a  reapply of the security policy even if there is no GPO change.


Q. How can I enable the old NTCONFIG.POL to be used by Windows 2000 clients?

A. By default Windows 2000 based clients don't use NTCONFIG.POL but instead use Group Policy Objects (GPO) as defined in the Active Directory. NT 4.0 clients still use NTCONFIG.POL even in a 2000 domain.

It is possible to enable the 2000 clients to use NTCONFIG.POL however you should have a good reason as GPOs are superior to the old system policies. One reason to use NTCONFIG.POL in a 2000 domain may be that you have just created some 2000 clients in a newly upgraded 2000 domain but have not yet recreated your policies as GPOs.

To enable system policies (NTCONFIG.POL) perform the following

  1. Start the Active Directory Users and Computers MMC snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. Right click on the root domain name, for example savilltech.com and select Properties
  3. Select the 'Group Policy' tab
  4. Select the 'Default Domain Policy' GPO and click Edit
  5. The Group Policy MMC snap-in will be started with the domain GPO at the root
  6. Move to Computer Configuration\Administrative Templates\System\Group Policy
  7. Double click 'Disable system policy' and set to Disabled. Click OK

    Disabling disable system policy means enable the system policy, two minus's make a plus :-)
  8. Close the Group Policy MMC

The updated GPO will take effect on the client the next time you logon (it will actually take effect max 90 minutes after you make the change but this only affects logon).

This update actually changes registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableNT4Policy to 0.


Q. How can I add additional templates to a Group Policy Object?

A. The old style NT 4.0 templates (.adm) are still supported in Windows 2000 Group Policy Objects (GPO) and are listed in the Group Policy under the 'Administrative Templates' branch. These settings are all "registry" based settings.

Windows 2000 ships with two .adm files

When a adm file is applied to a GPO it is copied from the %systemroot%\inf folder to the %systemroot%\SYSVOL\domain\Policies\<GUID of GPO>\Adm folder.

To add/remove a new template to a GPO perform the following:

  1. Start the Active Directory Users and Computers MMC snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. Right click on the container whose GPO you wish to change, for example savilltech.com and select Properties
  3. Select the 'Group Policy' tab
  4. Select the GPO and click Edit
  5. The Group Policy MMC snap-in will be started with the GPO at the root
  6. Under User or Computer configuration right click on 'Administrative Templates' and select 'Add/Remove Templates'
  7. Click Add (or to remove select one and click Remove)
  8. Select the ADM to add and click Open
  9. Click Close
  10. The new options will now be available

The ADM file will be copied to the GPO's Adm folder. 


Q. How can I apply a group policy to a security group?

A. Its not possible to apply a group policy to a security group however what you can do is to filter a group policy by changing the permissions on the Group Policy so that only certain users/groups have read and apply privileges.

  1. Start the Active Directory Users and Computers MMC snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. Right click on the container (OU or domain) that has the Group Policy Object whose permissions you wish to change and select Properties
  3. Select the 'Group Policy' tab
  4. Select the GPO from the list and click Properties
  5. Select the Security tab
  6. Modify the permissions so that only the required users have the read and apply privileges and Administrators who need to modify the GPO have read and write
  7. Click OK to the dialog
  8. Click Close the containers properties

Now only the selected users will run the GPO


Q. What is Terminal Server?

A. Modern day PC users are used to having a system with large amounts of memory, disk and CPU power to run their applications. This is very different to UNIX and VMS environments where servers have all the memory, disks and CPU and users have "dumb" terminals which just send keystrokes to the server which in turn sends back screen updates.

There are a number of advantages with the UNIX/VMS approach. Most desktop computers are idle for most of the time with the CPU only 10% busy normally and a significant amount of memory spare, this is a waste of resources. A central server approach distributes resource's to sessions as needed, minimizing waste and ensuring resources are available when needed.

Installing applications and maintaining them on each desktop is very time consuming. A central server based install simplifies this significantly and lowers the Total Cost of Ownership (TCO).

Windows NT Terminal Server and Windows 2000 address this with client software for Windows 9x/NT and Windows for Workgroups machines that allow a window to be created which allows all processing and execution to be carried out on the server and the only task the local machine does is to pass back keyboard and mouse actions. The Terminal Server does all the computation and storage and passes back screen updates to the client.

Example
Here you can see an example Terminal Server session in its own windows, with its own Start menu and taskbar. All applications in this window are being run on the terminal server. The information shown in Explorer is the Servers drives, not the local machine.

Obviously Windows NT/95 are operating systems of their own and it may seem pointless running terminal server client on these machines however it could be used for application management, install Office 97 on the Terminal Server and all clients use Office via the Terminal Server connection. Imagine running Office 97 on a Windows for Workgroups machine!

Communication is via RDP (Remote Desktop Protocol) which was designed by Microsoft.

Windows Terminal Server is based on Citrix's WinFrame product and Citrix provide a bolt-on, MetaFrame, which adds functionality to Terminal Server including support for DOS, OS/2, Unix, Java and much more. http://www.citrix.com/


Q. How do I install Windows NT 4.0 Terminal Server Edition?

A. The installation of Windows NT Terminal Server edition is the same as a normal Windows NT Server installation except during installation you will additional be asked:

Once installation is complete if IE 4.0 was selected it will be installed and configured and an additional reboot performed.

Due to the method applications need to be installed on Terminal Server (for use with clients) an upgrade of a Windows NT 4.0 server is not supported or advised.

It is also not advised to run backoffice applications on a Terminal Server due to the massive amounts of resources Terminal Server uses for its clients and as such Terminal Server is not part of the Backoffice suite of applications.

You will also notice that Terminal Server is supplied with Service Pack 3 installed, do NOT install a normal version of a service pack on Terminal Server, special service packs will be made available for Terminal Server installations.

Once install is complete you will notice 4 new tools under the Administrative Tools branch of the Programs Start menu

These will be looked it in detail later in the Terminal Server section. You will also notice User Manager is modified to include a new 'Config' button for each user which allows Terminal Server settings to be configured.


Q. How do I enable Terminal Server under Windows 2000?

A. Windows 2000 has Terminal Server components built into the operating system and they can be installed at installation time or at a later time. To install the components perform the following:

  1. Start Control Panel (Start - Settings - Control Panel)
  2. Select Add/Remove Programs
  3. Select Configure Windows in the left hand pane
  4. Click the Components button
  5. Click Next at the wizard
  6. Check the "Terminal Services" and "Terminal Services Licencing" components. Click Next
  7. Warnings may be given about installed components, click Next
  8. You can select to install printer drivers. Click Next
  9. Files will be copied to the server
  10. Click Finish
  11. The machine will reboot

Once reboot is complete 4 new programs will be under the Administrative Tools branch of the Start menu

  • Terminal Server Administration
  • Terminal Server Client Creator
  • Terminal Server Connection Configuration
  • Terminal Server License Manager

  • Q. How do I install Windows NT/9x based Terminal Server clients?

    A. Terminal Server has built in support for the following clients

    The first 4 all share a common piece of software and terminal server (both NT 4.0 and Windows 2000) ships with a utility to create it on a single floppy disk:

    1. Logon to the Terminal Server machine
    2. Select 'Terminal Server Client Creator' from the Administrative tools branch (Start - Programs - Administrative Tools - Terminal Server Client Creator)
    3. You will be shown a dialog box giving options for
      - Terminal Server Client for WFW
      - Terminal Server Client for Windows 95/NT Intel
      - Terminal Server Client for Windows 95/NT Alpha (I never knew 95 run on Alpha! ;-) ).
      Client Create
    4. Select the client (Terminal Server Client for Windows 95/NT Intel) and the destination drive (you can only select a floppy) and click OK
    5. You will be asked to insert a disk. Click OK
    6. The required files will then be copied to the disk
    7. Click OK once complete
    8. Close the dialog box

    All the above does is copy the contents of %systemroot%\system32\clients\tsclient\win32\disks\disk1 to disk so you could directly copy or share this directory. There is also a net subdirectory of tsclient which also contains the clients with each client in its own subdirectory without the disk1 etc. folders, so you could share out this folder to allow access to all client installations. Sharing the net folder would be the prefered method.

    To install the client perform the following:

    1. Either insert the disk created above or connect to a share containing its files
    2. Execute Setup.exe
    3. The Terminal Server client execution program will start and click Continue to the license agreement
    4. Enter username and company. Click OK. Click OK again to the confirmation
    5. Click 'I agree' to the license agreement
    6. Click the large setup button (you can change the installation folder at this point)
      Client Install
    7. You will be asked how you want the application installed, either for all users to have the same initial settings or just for you. Click Yes
    8. Files will be copied and a success message shown. Click OK.

    A new folder "Terminal Server Client" has been added with 2 utilities and an uninstall option.


    Q. How do I install Windows for Workgroups based Terminal Server clients?

    A. Terminal Server has built in support for Windows for Workgroups but they must have TCP/IP 32b installed (this can be downloaded from Microsoft at http://support.microsoft.com/support/kb/articles/q111/6/82.asp). I found this out the hard way! TCP/IP can be installed using the Network setup icon in WFW. You may want to run MEMMAKER after installation of TCP/IP to "tidy" your memory, I had to, just choose Express.

    To create floppy disks for Windows for Workgroups TS client installation perform the following:

    1. Logon to the Terminal Server machine
    2. Select 'Terminal Server Client Creator' from the Administrative tools branch (Start - Programs - Administrative Tools - Terminal Server Client Creator)
    3. You will be shown a dialog box giving options for
      - Terminal Server Client for WFW
      - Terminal Server Client for Windows 95/NT Intel
      - Terminal Server Client for Windows 95/NT Alpha
      Client Create
    4. Select the client (Terminal Server Client for WFW) and the destination drive (you can only select a floppy) and click OK
    5. You will be asked to insert a number of disks. Click OK
    6. The required files will then be copied to the disk
    7. Click OK once complete
    8. Close the dialog box

    All the above does is copy the contents of %systemroot%\system32\clients\tsclient\win32\disks\disk1 to disk so you could directly copy or share this directory. There is also a net subdirectory of tsclient which also contains the clients with each client in its own subdirectory without the disk1 etc. folders, so you could share out this folder to allow access to all client installations. Sharing the net folder would be the prefered method.

    To install the client perform the following:

    1. Either insert the disk created above or connect to a share containing its files
    2. Execute Setup.exe
    3. The Terminal Server client execution program will start. Click OK to the dialog.
    4. Enter username and company. Click OK. Click OK again to the confirmation
    5. Click 'I agree' to the license agreement
    6. Click the large setup button (you can change the installation folder at this point)
    7. You will be asked how you want the application installed, either for all users to have the same initial settings or just for you. Click Yes
    8. Files will be copied and a success message shown. Click OK.

    A new program group "Terminal Server Client" has been added with 2 utilities and an uninstall option.

    WFW
    Windows 2000 3D Pinball on Windows for Workgroups 3.11, impressive :-)


    Q. How do I connect to a Terminal Server from WFW/9x/NT/2000?

    A. The first action is to install the client which is explained in 'Q. How do I install Windows NT/9x based clients?'.

    Once the client is installed there are two methods to connect to a terminal server. The first is a very manual method and while simple may not be ideal for many normal users.

    1. Select "Terminal Server Client" from the "Terminal Server Client" programs folder
    2. From the dialog select the server (or enter a different server name or IP address) and select a screen resolution. (The WFW version is slightly different in look but functionally the same)
      Connecting
    3. Click Connect
    4. You will then have a window come up with a logon screen. Logon and you are now running a terminal server session!

    Logon

    You should be aware that pressing Ctrl-Alt-Del will bring up the Local security menu and not the remote. To bring up the remote security menu select "Windows NT Security" from the Start menu. You will notice you don't have a shutdown button (unless you are an Administrator) as this would shutdown the terminal server machine.

    An alternative is to setup a shortcut to connections and this is accomplished using the "Client Connection Manager".

    1. Start Client Connection Manager (CCM) by selecting it from the Terminal Server Client programs branch of the start menu
    2. From the File menu select 'New Connection'
    3. Enter a description and the servername or IP address of the terminal server. Click Next
    4. You may select Automatic logon by checking the Autologon box and entering username, password and domain details. Click Next
    5. Select settings such as desktop size and speed settings. Click Next
    6. The next screen gives the option of either running a full desktop or a specific application. If you select a program you must enter the executables name and location and a working directory. Click Next
    7. You should now select an icon for the connection by clicking the 'Change Icon' button and the program group to house the shortcut (Terminal Server Client by default). Click Next
    8. A summary will be displayed, click Finish.
    9. A new icon will now be displayed in CCM as shown below.

    Shortcut

    You may create a shortcut to this on the desktop by right clicking on it and selecting 'Create shortcut on desktop'.

    This shortcut actually calls the normal Terminal Server Client with a parameter of the configuration name, e.g.

    "C:\Program Files\Terminal Server Client\MSTSC.EXE" "TS 1 Connect"

    This may be useful for you to build into batch menus etc. The actual connection details are stored in the registry under the 'HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client' key. You could therefore dump out this registry key and import into other machines automating the shortcut installations. The only item not read in is the password if autologon was selected.

    To dump out to file just select the registry key in REGEDIT.EXE, e.g. "TS 1 Connect", and select "Export Registry File" from the File menu. Enter a file name and click OK. You can then copy this .reg file to any machine and execute using

    C:\> regedit /s <file>.reg


    Q. How do I close a Terminal Server connection?

    A. If you click Start from a Terminal Server session you will see two options if connected to a Windows NT 4.0 box

    Terminal Server disconnect

    There is a major difference between the two.

    If you select Logoff your session is logged off and your connection to the terminal server is closed and the connection slot you were using may be used by someone else.

    If you select Disconnect you are not logged off, rather the session window closed but if you restart and logon as the same person it will remember all applications and their state. This may seem ideal but remember a Terminal Server has a finite number of allowed connections and a disconnected session constantly uses a connection stopping someone else from connecting.

    A disconnected session remains active until one of the following:

    If you connect to a Windows 2000 box you will see Disconnect and Shutdown, selecting Shutdown gives the option of logging off.


    Q. How do I install applications for use with Terminal Server?

    A. Installing applications on a terminal server has to be done in a special way to ensure it is usable by all users of the terminal server.

    There are two modes in terminal server, Execute and Install. By default all users are logged on in Execute mode and this means they can run programs etc. When you want to install an Application for use by everyone the Administrator should change to Install mode.

    The best way to install software is to use the Add/Remove programs control panel applet as this will automatically set the mode to Install during the installation and then back to Execute at the end. Alternatively you can manually change your mode to install by typing

    C:\> change user /install

    To change back to execute use

    C:\> change user /execute

    And to check you current mode use

    C:\> change user /query

    In this example we will use Add/Remove to install Winzip on a terminal server.

    1. Start the Add/Remove programs control panel applet (Start - Settings - Control Panel - Add/Remove Programs)
    2. Select the 'Install/Uninstall' tab and click 'Install'
    3. You will be told to insert the setup media, click Next
    4. The installation wizard will look for setup.exe on the CD or disk, it won't find it, select an alternate by clicking the 'Browse' button, and select the winzip.exe file. Click Next
    5. You will now be given the option to change your mode so all users can use the application. Select 'All users begin with common application settings.' and click Next
      User mode
    6. The install of the application will begin and you will notice your mode has been changed to Install if you typed 'change user /query'.
    7. Proceed to install the application as normal
    8. Once setup is complete click Next to the install dialog then Finish

    All terminal server users will now have Winzip. An alternative would be to manually set the mode to install, install the software and set back to execute.


    Q. I can't install Office 97 SR2 on Terminal Server.

    A. If when you try and install Office 97 SR2 on a terminal server via the Add/Remove Programs control panel applet you get the error:

    "Setup cannot register MSJET35.dll in the system registry because an older version is in use. Close all applications and try again"

    this is because the Terminal Server License Service is using the file. To workaround this stop the licensing service

    C:\> net stop "terminal server licensing"

    Click Retry on the error dialog and install will continue.

    Retry the MSJET35.DLL

    Once installation is complete restart the service

    C:\> net start "terminal server licensing"

    Office 97 has now been installed for use by all your terminal server clients.


    Q. How do I install Citrix Metaframe?

    A. Citrix Metaframe is an add-on to Windows NT Terminal Server and although there is currently no version for Windows 2000 it is under development. To install perform the following:

    1. Logon as an Administrator on the Terminal Server box
    2. Insert the Citrix Metaframe CD and click the "MetaFrame Setup" button (or run setup.exe from the I386 directory on the CD-ROM)
    3. Click Next to the install wizard dialog
    4. Click Next to the copy files dialog
    5. The license dialog will then be shown. Click the "Add License Packs" button to add the basic MetaFrame license. Enter the serial number on the back of the CD and click OK. Click No to install other license packs. Click Next to the main license dialog
    6. Click Next to the ICA connections protocol dialog (these are the protocols that clients may connect over).
    7. You may select to install TAPI modems for connection, to configure click Add Modems. A list of installed modems will be shown, select the modem and click Close. Click Next to the main TAPI dialog
    8. Next the ability to access local drives on the client are displayed. By default the servers drives will be the same on the client, e.g. C: is C:, and the client drives will be visible starting from V: working downwards, e.g. local C: would be V:, local D: would be U:. Click Next
    9. You have the option to remap server drives so that clients would see their local drives as C:, D: etc and the servers drives will be changed to M:, N: etc. I would advise against this unless you are very confident of what you are doing. Click Next.
      Remap the server drives
    10. Finally the system will reboot. Click Finish

    Once the machine has rebooted upon logon a new toolbar is added to your desktop which allows control of the MetaFrame environment.


    Q. How do I create Citrix Metaframe client media?

    A. MetaFrame ships with a utility, ICA Client Creator, which is in the MetaFrame Tools program group. It can also be started by clicking the client creator button on the MetaFrame toolbar, .

    Once started the utility will check for the CD-ROM and give options to create a variety of clients:

    Client Create

    Select the client to install, the disk drive and whether to format the disks.

    Alternativly all the clients are copied to the %systemroot%\system32\clients\ica directory, e.g. DOS is wfcdos, so share the directory and allow clients to map directory and install.


    Q. How do I install the ICA DOS client?

    A. You will first need to create the DOS ICA client installation disk as explained in 'Q. How do I create Citrix Metaframe client media?'.

    The DOS machine will also need the ability to connect to the network as explained in 'Q. How can a DOS machine connect to an NT domain?'.

    To install the client perform the following:

    1. At the DOS machine insert the created install disk (or map to a network share containing the wfcdos files)
    2. Run install.exe
    3. Select the installation target, C:\wfclient by default. Press Enter
    4. The client files will then be coped to the target directory

    To run the client simply change to the wfclient directory (or add to the machines path variable) and run WFCLIENT.EXE.

    When you run for the first time you will need to create a new entry, click Yes to create a new entry.

    Enter connection details such as connection medium (Microsoft TCP/IP), server name/address.

    You should then select the Entry and select Connect.


    Q. How do install Backup Exec 7.X on TSE?

    A. Be sure to disable Terminal Server Licensing before you start the installation.

    1. Go to Start -> Settings -> Control Panel
    2. Double-click on Services
    3. Mark Terminal Server Licensing and press stop.
    4. Install Backup Exec via Add/Remove programs
    5. Go back to Services and Start Terminal Server Licensing

    Q. Can I use normal Service Packs on Windows NT Terminal Server Edition?

    A. No, Terminal Server has modifications to its components meaning normal Service Pack's cannot be applied. Terminal Server Edition has Service Pack 3 built in and Service Pack 4 for terminal server was released April 1999.

    In Windows 2000 this will not be the case as Terminal Server is just a component of the normal product.


    Q. Can I use normal Hot fixes on Windows NT Terminal Server Edition?

    A. It depends. Some components of Windows NT Terminal Server Edition are specially modified and some are not. You will need to check if the file you are replacing is specially modified for Terminal Server Edition:

    Enter the command:

    C:\> filever /v <filename>

    -r--- W32i DRV ENU 4.0.1381.32772 shp 25,840 06-08-1998 atapi.sys
    FileDescription ATAPI IDE Miniport Driver
    OriginalFilenam atapi.sys
    ProductName Microsoft(R) Windows NT(TM) Operating System
    ProductVersion 4.00

    VS_FIXEDFILEINFO:
    Signature: feef04bd
    FileVer: 00040000:05658004 (4.0:1381.32772)
    ProdVer: 00040000:05658004 (4.0:1381.32772)

    We are interested in the FileVer property. If the final number is greater than 32767 then the file was built for Terminal Server, you should therefore only apply a hotfix that is specially released for Terminal Server.

    The actually bit value we are interested in is the 0x8000 bit. If set then it is modified for Terminal Server. Below is a file that is not specially modified for Terminal Server

    Signature: feef04bd
    FileVer: 00040000:05650004 (4.0:1381.4)
    ProdVer: 00040000:05650004 (4.0:1381.4)

    Special Terminal Server fixes can be found under ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/

    In Windows 2000 this will not be the case as Terminal Server is just a component of the normal product.


    Q. I've reached 40 - 45 users and additional users can't log onto Terminal Server?

    A. If you have more than 40 users you should increase the amount of PTEs (page table entries) on the system.

    Microsoft says that you should increase this if you'll have more than 45 connections. But I've seen that this can be a problem with less users as well. TSE Memory Manager allocates 10,000 PTEs as default. TSE uses PTEs to map the location of physical memory pages. Each user who logs on to TSE requires a minimum of 200 PTEs.

    If the PTE pool is exhausted, additional users will not be able to log on. The maximum allowed limit of PTEs are 50,000.

    To change the number of PTE's on the system see Q. How do I increase the number of Page Table Entries on my system?


    Q. How do I configure a CE based Terminal Server client?

    A. One option for Terminal Server clients is to use a "thin" client which has no disks but an embedded operating system and one such device is a Windows CE based client. The advantage is the machine has zero maintenance apart from the initial configuration. The instructions below are for the Viewpoint series from http://www.boundless.com/ (many thanks for letting me have one to use).

    When you first turn on the machine it will ask for certain details:

    1. The setup wizard will first display the product ID. Click Next
    2. Click Accept to the license agreement.
    3. You will be asked if you want to use DHCP or manual IP configuration. Click Next.
    4. If you selected manual IP configuration you will need to enter an IP address, subnet mask and a gateway. Click Next
    5. Enter DNS and WINS details. Click Next
    6. Select the Desktop resolution and click Next
    7. Click Finsh to complete

    You will have no start bar, just a dialog asking for a connection to be made. You should configure sessions as you would a normal Terminal Server client by selecting the Configure tab.


    Q. I am having troubles getting the ICA DOS client to work.

    A. The ICA DOS client uses a LOT of memory and to get working I had to remove nearly every other process from memory, thankfully Citrix have now released a new 32 bit DOS client which can access more of your machines memory eliminating the memory problems.

    It can be download from http://download.citrix.com/ and its usage is exactly the same as the old 16bit DOS client.


    Q. Where can I download updates for MetaFrame?

    A. These can be downloaded from http://www.citrix.com/support/ftpserve.htm.


    Q. What Service Packs are available for Windows NT Terminal Server Edition?

    A. Windows NT Terminal Server Edition is supplied with Service Pack 3 built in. The following Service Packs are available for Windows NT 4.0 Terminal Server Edition.

    Service Pack 4 - http://www.microsoft.com/ntserver/terminalserver/downloads/recommended/tsesp4/ordercd.asp

    Special hotfixes (when available) can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP3


    Q. How do I send a message to a Terminal Server client?

    A. Terminal Server supports two methods of communicating with a Terminal Server client process.

    The first is via the GUI:

    1. Start the Terminal Services Manager MMC snap-in (Start - Programs - Administrative Tools - Terminal Services Manager)
    2. Expand the domain - Server and a list of connected processes will be shown
    3. Right click on the process and select 'Send Message' from the context menu
      Message Send
    4. You can then enter a title for the message and a message text. Click OK

    To send from the command line perform use the MSG command,

    msg <user> [/time:<seconds>] [/w] [/server:<server name>] <message>

    For example:

    C:\> msg savillj /w Get off that computer John!

    The /w switch will force the administrators session to pause until the user has clicked OK to the message.


    Q. How do I locate machines that are running Terminal Server?

    A. Starting the Terminal Services Manager MMC snap-in (Start - Programs - Administrative Tools - Terminal Services Manager) will list machines running the Terminal Server services by expanding the domain. It can also be done with the following command:

    qappsrv [/address] [/domain:<domain name>] [/continue]

    For example

    C:\> qappsrv /address
    Known Terminal servers Network Node Address
    ---------------------- ------- ------------
    DEMO                          [ A024E34948]*

    The /domain is optional unless you wish to query a domain other than the machines membership and /continue does not pause after each screen of information.


    Q. How can I check if a user is logged on via Terminal Server?

    A. Starting the Terminal Services Manager MMC snap-in (Start - Programs - Administrative Tools - Terminal Services Manager) will list user processes by machine but this may be cumbersome if a large number of terminal servers are running. It can also be done with the following command:

    query user [<user name>] [/server:<server name>]

    For example

    C:\> query user
    USERNAME   SESSIONNAME     ID  STATE   IDLE TIME   LOGON TIME
    >administrator  console    0   Active          . 09/05/99 18:19
     savillj        rdp-tcp#1  1   Active         10 09/05/99 14:23

    The above lists all users.

    You can also check what the user is running with the QPROCESS command:

    C:\> qprocess <user name>

    To check who is running a certain program (e.g. winword.exe)

    C:\> qprocess <process>

    will list all users running the passed program.


    Q. Mouse movement is jerky in Terminal Server sessions.

    A. By default the terminal server client sends updates to the terminal server every 100 milliseconds however you can change this as follows:

    1. Logon to the client
    2. Start the registry editor (regedit.exe)
    3. Move to HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client
    4. From the Edit menu select New - DWORD value
    5. Enter a name of 'Min Send Interval' (don't type the quotes) and press Enter
    6. Double click the new value and set to the number of milliseconds between each update. The lower you set it the more bandwidth will be used. Click OK
    7. Close the registry editor
    8. Restart the terminal server client software

    Q. Does MetaFrame run on Windows 2000?

    A. The normal MetaFrame 1.8 does not, however a 1.8a will and a beta can currently be purchased from the Citrix web site, http://www.citrix.com/.

    Installation is basically the same as 1.8.


    Q. How can I switch a session between window and full screen?

    A. Normally terminal server client sessions are in a window however you can switch to full screen mode so you can't tell you are in a session. To toggle between window and full screen mode press Ctrl+Alt+Break.

    You can always tell a terminal server session as the Start menu text says Windows 2000 Terminal instead of Windows 2000 Professional or Server.


    Q. How can I remote control another terminal server session in Windows 2000?

    A. Users and Administrators may be familiar with the software which allows an Administrator to take control of a users desktop in order to, for example, install software or fix a problem. The Citrix Metaframe add-on for 4.0 TSE enabled Administrators to take control or view users sessions without the need for third party software.

    The new Windows 2000 terminal server component now allows session shadowing without the need for the MetaFrame add-on, but now its called 'remote control'.

    A condition is that console controlling must have a resolution equal or greater than that of the session that will be shadowed.

    By default Administrators have the ability to shadow other users sessions providing the user agrees to have their session controlled/viewed. By default the ability to remote control a users session is defined on the user object on the ‘Remote Control’ tab and the default is to enable remote control providing the users gives permission.

    Its possible to override these user settings by editing the configuration of the RDP connection using the ‘Terminal Services Configuration’ MMC snap-in, yes, as with everything else in Windows 2000, all of the Terminal Server tools are MMC snap-ins (but more on them later).

    Under the connections branch, right click on the ‘RDP-Tcp’ connection and select properties. Select the ‘Remote Control’ tab and by default it will say to use the users settings however selecting on of the other options allows you to set the remote control to whatever your wishes.

    In order to remote control a session you must be logged on as a terminal server session, you can’t remote control from the console (MetaFrame allows you to do this).

    Once you have logged in as an Administrator to remote control a session just:

    1. Start the Terminal Services Manager
    2. Right click on the remote users session and select ‘Remote Control’
    3. You will be asked for a key sequence which will allow you to stop controlling a session and return to their own terminal server session
    4. The user to be controlled is asked if they agree and if they click yes then you have control of their session. Their session does not display in a window, rather your session “switches” to theirs.
    5. To end remote control press the key sequence you defined

    Q. What user environment extensions does the Windows 2000 terminal server component add?

    A. A new built-in group has been added in 2000 called ‘Terminal Services Users’ which works in a similar way to the ‘Interactive Users Group’ and when a user logs on via Terminal Services they are part of this groups.

    The Terminal Services Users group SID can then be applied to files, folders, anything with an ACL and allow only people logged on via Terminal Services access. You could also test for this group membership during login script etc to perform different actions.

    On top of the ‘Remote Control’ tab for users, three extra tabs are added. As shown in figure 3, ‘Terminal Services Profile’ allows an alternative profile and local path to be specified when connecting via terminal server.

    The ‘Environment’ tab allows you to specify a program to automatically run when you login via Terminal Services and options to connect to client drives and printers.

    Finally the ‘Sessions’ tab allows times to be set before active and idle sessions are disconnected and how long after a session is disconnect before it is totally closed.


    Q. How do I install Active Desktop on Terminal Server?

    A. Active Desktop is not supported on Windows Terminal Server through SP4.


    Q. How do I enable client computers to logon to a Terminal Server?

    A. To log on successfully to Windows 2000 Terminal Server, follow these steps:

    1. Logon to the Terminal Server as an Administrator
    2. Start the Computer Management MMC snap-in (Start - Programs - Administrative Tools - Computer Management)
    3. To expand the branches, click the plus symbol (+) next to System Tools, click the plus symbol (+) next to Local Users and Groups, and then click the plus symbol (+) next to Users. 
    4. Double-click the user that you want to be able to log on as a Windows NT Terminal Server client. 
    5. On the Profile tab, click to select the Allow to log on to Terminal Server check box, and then click OK. 
    6. Close Computer Management. 
    7. Start the Terminal Services Configuration MMC snap-in (Start - Programs - Administrative Tools - Terminal Services Configuration)
    8. Open the Connections folder, and then click Rdp-Tcp. 
    9. On the Actions menu, click Properties. 
    10. On the Permissions tab, add the users or groups that you want to have permissions to this Windows NT Terminal Server

    Q. How do I connect two Workstations using RAS?

    A. NT Workstation supports one inbound RAS connection so one NT station will be the RAS server, and one will be the client. The procedure below is what I did to connect two machines.

    Server

    If RAS is already installed

    1. Goto Control Panel, and double click Network
    2. Goto Services and click on “Remote Access Server”, and click Properties
    3. Click on the Port and click Configure
    4. Select “Dial Out and Receive” or just Receive
    5. Click Continue
    6. Select if user can access Just Computer or Entire Network for NetBEUI
    7. Click Continue and fill in details for TCP/IP, For this setup we will assume the dial in client will have a TCP/IP address so check the box “Allow clients to use preconfigured address”
    8. Click OK and then close
    9. You will then be prompted to restart the computer

    If RAS is not already installed, goto “My Computer” and double click “Dial-up Networking”, it will then detect your modem and then take you to step 3 as above.

    Client

    This assumes RAS is not installed

    1. Goto “My Computer”, and double click “Dial-up Network”
    2. You will be asked for the NT CD, and it will install Modem and RAS
    3. It will then detect any modems, once the modem has been found click continue
    4. It will then say the phone book is empty and you should add an entry. Give a name and select “Next” (do not select “I know about modem properties” unless you do”)
    5. Select “I am calling the Internet” and click Next
    6. Enter the phone number and click Next, then click Finish
    7. Select the entry, and click More, select Edit Entry
    8. Goto server Tab, and check NetBEUI and TCP/IP. Click TCP/IP details and fill in then press OK. Finally click OK again.
    9. Select the PhoneBook entry and click Dial.
    10. The first time you connect you will have to supply a username, password and domain (select “save password” so this information does not have to be entered again).

    Q. Is it possible to dial an ISP using the command line?

    A. Yes, use RASPHONE -d <entry> or RASDIAL <entry>

    To disconnect you can type RASPHONE -h <entry> or RASDIAL /disconnect.


    Q. How can I stop the RAS connections closing when I logoff?

    A. Perform the following:

    1. Start the registry editor (regedt32.exe, not regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    3. Create a new value called KeepRasConnections of type REG_SZ
    4. Set the new value to have a value of 1

    Q. How can I create a RAS Connection Script?

    A. It is possible to write a script that will run when you connect during a RAS connection to automate actions such as entering your username and password. To specify a script perform the following

    1. Double click on My Computer and start up the Dial-up Networking applet
    2. Select the phonebook entry and click More.
    3. From the More menu select "Edit entry and modem properties"
    4. Click the Script tab and select "Run this script"
    5. Click the "Edit script..." button and the SWITCH.INF file will be opened
    6. Go to the bottom of the file and create a new connection section and then select exit
    7. Answer Yes to save changes
    8. Click the "Refresh List" button and the new entry will now be displayed.
    9. Select the new entry you created and click OK.

    An example addition to the SWITCH.INF would be

    ; the phonebook entry
    [Savill1]
    ; send initial carriage return
    COMMAND=<cr>
    ; wait for : (after username, may be different at your site) omit the U as it may be capitals. You could just have :
    OK=<match>"sername:"
    LOOP=<ignore>
    ; send username as entered in the connection dialog box, alternaticly you could just enter the username e.g. savillj<cr>
    COMMAND=<username><cr>
    ; wait for : (after password this time, may be different at your site)
    OK=<match>"assword:"
    LOOP=<ignore>
    ; send the password entered in the connection dialog box, again you could just manually enter the password, e.g. password<cr>
    COMMAND=<password><cr>
    NoResponse
    ; send the "start ppp" command
    COMMAND=ppp default<cr>
    OK=<ignore>

    In depth information on all of the commands can be found in the SWITCH.INF file.


    Q. How can I debug the RAS Connection Script?

    A. It is possible to create a log file of the connection by performing the following steps

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
    3. Double click on Logging
    4. Change the value data to 1 and click OK
    5. Close the registry editor
    6. Restart the computer

    Each dial-up session will now be appended to the file %systemroot%/system32/RAS/device.log. To stop logging perform the steps above but set the value back to 0.


    Q. How do I configure RAS to connect to a leased line?

    A. The method will vary depending on your systems current setup, however assuming you have RAS already installed below are the actions needed to configure in your leased line. It is assumed the modems (at both ends) are configured correctly for leased line usage (&D0 for DTR override).

    1. Start the Modem control panel applet (start - settings - control panel - modems)
    2. Click Add
    3. Check the "Don't detect my modem, I will select it from a list" and click Next
    4. In the Manufacturers box select "Standard Modem Types" and in the Models area select "Dial-Up Networking Serial Cable between 2 PCs", click Next
    5. Select the port, e.g. COM1 and click Next
    6. You now have a modem setup ready for leased line use

    You should now configure the RAS connection (server/client) in the normal way (use the RAS service properties).

    1. Right click on Network and select properties, click the services tab and select RAS, click Properties.
    2. Select the COM port and click Configure
    3. Select the connection type dial in/dial out/both and click OK. Click Continue
    4. You will be asked about NetBEUI client Access, select the desired and click OK
    5. If you selected server you will be prompted for TCP/IP access and also which IP addresses should be given, either by DHCP (if configured) or from a given pool of addresses. You can also check the box to allow a client to request a specific IP address
    6. Click Close in the Network dialog box, the bindings of the machine will be updated and you will be asked if you want to reboot. Click Yes

    Once this has been done you may also want a phonebook entry for outgoing use as you would normally except under the Dialing section check the "Persistent connection" box.


    Q. How can I disable RAS AutoDial?

    A. The easiest way to do this is to disable the RAS AutoDial service:

    1. Start the services control panel applet (start - settings - control panel - services)
    2. Scroll down to "Remote Access AutoDial Manager" and select
    3. Click the Startup button and change the startup to Manual. Click OK
    4. If you want to stop if now just click the Stop button
    5. Click the Close button

    To re-enable you would repeat the above but change the startup to automatic.


    Q. RAS tries to dial out even on local resources.

    A. Perform the following:

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses (a better way to view these is to type "rasautou -s" from the command prompt)
    3. In the subkeys look from the local address (and name). If you find it select the key and select Delete from the Edit menu.
    4. Close the registry editor

    You may also wish to add addresses to the disabled list:

    1. Start the registry editor (regedt32.exe not regedit.exe)
    2. Move to HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control
    3. Double click on DisabledAddresses and add the address on a new line. Click OK when finished
    4. Close the registry editor

    You will need to reboot the machine in both of the above cases.


    Q. I have connected via RAS to a server however I can only see resources on the machine I connect to.

    A. When you configure the RAS server you set for each protocol the scope of the connection, the server or the whole network. To change this perform the following:

    1. Start the Network Control Panel Applet (Right click on Network and select properties)
    2. Select the Service tab and select the Remote Access Service and click Properties
    3. Select the COM port and click the Network button
    4. Click the Configure button next to the protocol you wish to change access (e.g. TCP/IP)
    5. At the top check the "Entire network" button
    6. Click OK

    Clients should now be able to view the entire network.


    Q. How do I force the "Logon Using Dialup Networking" to be checked by default on the logon screen?

    A. This can be accomplished with a registry change on each client machine.

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    3. From the Edit menu select New - String Value (REG_SZ type)
    4. Enter a name of RASForce
    5. Double click the new value and set to 1
    6. Close the Registry editor
    7. Reboot the machine

    Q. Where are the RAS phone book entries and settings stored?

    A. The actual phone book entries are stored in the file %systemroot%/system32/ras/rasphone.pbk (pbk - phone book). You could therefore copy this file to another machine to copy the phone book entries.

    Another important file is %systemroot%/system32/ras/switch.inf which is used to create terminal login scripts (as discussed earlier in this section), and you may find phone book entries may refer to an entry in this file at the end of the entry:

    DEVICE=switch
    Type=Terminal

    In this case, Type=Terminal means bring up a terminal window after connection so it does not use switch.inf,

    DEVICE=switch
    Type=Pipex

    would cause the script "Pipex" (which is in switch.inf) to be run once a connection has been made. If these two lines are missing don't worry, it just means you don't need a terminal window once you have connected (probably means you are connecting to a Windows NT box). Usually if you connect to a non-NT machine you have to send it a username and password, along with the connection type (protocol), which is usually PPP on most modern systems, SLIP is an older option.

    RAS information relating to phone book entries and outbound connections in the registry is actually stored under HKEY_CURRENT_USER\Software\Microsoft\RAS Phonebook, and contains details about redial attempts, display settings etc. Again you export this section of the registry to a reg file (using regedit.exe) and import into another machine to copy the machine specific settings.


    Q. How can I change the number of rings that RAS server waits for before answering?

    A. The normal method is to edit the file %systemroot%\system32\ras\modem.inf. Edit the file, find the sections relating to your modem and find the line

    COMMAND_LISTEN=ATS0=1<cr>

    Change the numeric value to the number of rings to answer after, e.g.

    COMMAND_LISTEN=ATS0=10<cr>

    would answer after 10 rings (you must really hate your users, don't we all :-) ). You must restart Windows NT for this change to take effect.

    The above does not work if RAS is using any TAPI (Telephony Application Programming Interface )/Unimodem-based devices. If this is the case perform the following:

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
    3. From the Edit menu select New - DWORD Value.
    4. Enter a name of NumberOfRings and press Enter
    5. Double click on this new value and set to the number of rings you want the RAS Server to wait before answering the phone (1-20). Any number greater than 20 and the default value of 1 is used. Click OK
    6. Close the registry editor

    Q. How can I configure how long RAS Server waits before calling back a user when callback is enabled?

    A. By default the RAS Server will wait 12 seconds before calling back a RAS client however this can be changed by editing the registry.

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP
    3. From the Edit menu select New - DWORD Value.
    4. Enter a name of DefaultCallbackDelay and press Enter
    5. Double click on this new value and set to the number of seconds you want the RAS Server to wait before dialing the client (1-255). Click OK
    6. Close the registry editor

    Q. Whenever I connect via RAS I cannot connect to local machines on my LAN.

    A. To enable WWW and FTP browsing when you connect via RAS you enable the "use default gateway on remote network" of the RAS options. This has the effect of when the connection is made a new route is added to the route list superseding the existing LAN routes so any traffic destined for a node outside your local subnet will attempt to be sent using the RAS route. This is because a metric is used to identify the number of hops needed and once connected to RAS it will have a metric 1 and existing routes will be bumped out to a metric of 2.

    To solve this a persistent route can be manually added for your LAN's subnet and the associated subnet gateway. While not connected via RAS you can examine your route information using the ROUTE PRINT command:

    If your network was 160.82.0.0 (your company has a class B address) and the gateway was 160.82.220.1 for your local subnet you can add a route for the LAN only and all addresses outside of 160.82.0.0 will be routed using the RAS gateway.

    C:\>route -p add <ip network> mask <subnet mask> <local gateway for the route>
    e.g. C:\>route -p add 160.82.0.0 mask 255.255.0.0 160.82.220.1

    This would mean all addresses from 160.82.1.1 to 160.82.254.254 would be routed via 160.82.220.1 and anything else via the RAS gateway.

    If you wanted to add a route for a single host (maybe your internet firewall which is on another subnet) use the following:

    C:\>route -p add 192.168.248.8 mask 255.255.255.254 160.82.220.1

    Notice the subnet mask of 255.255.255.254 which means only for this single host.

    When connected via RAS you will still be able to access resources outside of your local subnet on the LAN with no problems.


    Q. How can I disable the "Save Password" option in dial-up networking?

    A. When you connect via RAS you can cache the password. If you feel this is a security problem then you can disable the option to enable the password to be saved.

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters
    3. From the Edit menu select New - DWORD value
    4. Enter a name of DisableSavePassword and press ENTER
    5. Double click the new value and set to 1

    If you disable the "save password" make sure "redial on link failure" is not activated as one redial attempts as it does not save user information it will attempt to connect as Administrator which will not work (unless the ISP has very poor security :-) ).


    Q. How can I set the number of Authentication Retries for Dial-Up connections?

    A. By default after two unsuccessful authentication attempts the dial-up networking (DUN) component will hang up the line however this can be changed to between 0 and 10. 0 means the line will be hung up after the first attempt, 1 will allow one retry etc.

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters
    3. Double click on AuthenticateRetries and set to the required value. Click OK
    4. Close the registry editor
    5. Reboot the machine for the change to take effect (or stop and restart the RAS services)

    Q. How can I set the Authentication Time-out for Dial-Up connections?

    A. As well as changing the number of Authentication Retries that are allowed, the amount of time between each attempt can also be configured and after that time has elapsed it will count as a logon failure. This can be between 20 and 600 seconds.

    1. Start the registry editor
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters
    3. Double click on AuthenticateTime and set to the required value. Click OK
    4. Close the registry editor
    5. Reboot the machine for the change to take effect (or stop and restart the RAS services)

    Q. Enabling 128-bit RAS Data Encryption.

    A. Service Pack 3 (128 bit version) introduced the ability to use 128-bit RAS data encryption with a Windows NT 4.0 RAS server as opposed to the normal 40-bit encryption.

    To enable this 128-bit encryption perform the following:

    1. Start the Network control panel applet (Start - Settings - Control Panel - Network)
    2. Select the services tab
    3. Select Remote Access Service and click Properties
    4. Click Network then Require Microsoft encrypted authentication
    5. Click Require data encryption and click OK
    6. Click continue and close the Network control panel applet
    7. Do not restart the computer at this point

    It is now necessary to enable the 128-bit setting:

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\COMPCP
    3. From the Edit menu select New - DWORD value
    4. Enter a name of ForceStrongEncryption and press Enter
    5. Double click the new value and set to 1. Click OK
    6. Close the registry editor
    7. Reboot the computer

    After reboot is completed clients connecting via RAS or PPTP will have to authenticate using 128-bit key encryption. A number of event logs can be viewed using Event Viewer (Start - Programs - Administrative Tools - Event Viewer).

    If a successful connection is made you will see the log:

    Event ID: 20107
    Source: RemoteAccess
    Description: The user RAS connected to port COMx using strong encryption

    If the connection was unsuccessful you will see entry

    Event ID: 20077
    Source: RemoteAccess
    Description: An error occurred in the Point to Point Protocol module on port COMx. The remote computer does not support the required encryption type.

    The client attempting connection would also receive a 629 error.


    Q. Why does my RAS client have the wrong subnet mask, etc.?

    A. The only parameter from DHCP that the RAS client uses is the IP address. Other parameters come as follows:

    The subnet mask is that used by the NIC in the workstation, if fitted. IPCONFIG shows the mask as being the default mask for the class of IP address in use but this is irrelevant. MS used to display it as 0.0.0.0 which is clearly wrong, but the default is more subtly wrong. If there is no NIC in the client, then the subnet mask is irrelevant as all traffic is passed through the dial-up connection.

    The default router is displayed as the same as the address of the client RAS interface. What is actually used as default router is the RAS server itself.

    WINS server addresses and DNS server addresses for use by the client similarly do not come from the parameters set on the DHCP server but instead are those used by the RAS server itself.

    Node Type is not taken from the DHCP parameters but can change on the RAS client depending on WINS information. If the RAS server has no WINS servers defined locally, a b-node Windows NT RAS client will remain a b-node client. If the RAS server has WINS servers defined locally, a b-node Windows NT RAS client will switch to h-node for the duration of the connection.

    More information can be found in knowledge base article Q160699 at http://support.microsoft.com/support/kb/articles/q160/6/99.asp


    Q. How long is the lease on the IP address when issued to a RAS client from DHCP?

    A. When a RAS server is set to allocate IP addresses from DHCP, it grabs n+1 addresses when the service starts, (where n is the number of dial-up interfaces), and keeps them. Therefore, the lease time is largely irrelevant. When a client dials in, the RAS server issues one of these cached leases and the RAS server maintains the lease on behalf of the client. The RAS server only records the address of the DHCP server and the lease parameters. All other DHCP options are discarded.

    You may notice that, if you use IPCONFIG or WINIPCFG on a RAS client to look at lease information, it has null dates (ie. Jan 1, 1980). When the client disconnects, the IP address will be released back to the RAS server, NOT back to the DHCP server. This causes a lot of confusion when people expect to get their IP addresses back to the DHCP server. These will only be released back to DHCP when the RAS service is stopped and then the lease expires in due course.

    Thanks to Peter Smith


    Q. How can I disconnect users from the RAS server?

    A. It is possible to disconnect any user using the "Remote Access Admin" utility:

    1. Start the Remote Access Admin utility (Start - Programs - Administrative Tools - Remote Access Admin)
    2. Select the domain or server in the main window
    3. From the Users menu select 'Active Users'
    4. Select the account you wish to disconnect and click the 'Disconnect User' button.
    5. Click OK to the confirmation

    If you also wanted to revoke the users dial-in permission check the 'Revoke Remote Access Permission' check box from the dialog.


    Q. How can I disable the modem speaker when dialing?

    A. Its possible to disable the modem speaker in a number of ways. The easiest method is to use the RAS properties:

    1. Double click 'My Computer'
    2. Double click "Dial-Up Networking'
    3. Select the Dial-up connection, click More and select 'Edit entry and modem properties'
    4. Select the Basic tab and at the bottom next to 'Dial using:' click Configure
    5. At the bottom of the Modem Configuration dialog is a 'Disable modem speaker' check box, check it and click OK
    6. Click OK to the main dialog and close all other dialogs

    Disable speaker

    An alternative (and you may try this if the above fails to work) is to edit the dial string and add the control sequence for your modem to disable the speaker, its normally M0 however this can vary.

    1. Start the Modem control panel applet (Start - Settings - Modems)
    2. Select the modem and click Properties
    3. Select the Connection tab
    4. Click the Advanced button and the bottom of the dialog
    5. In the 'Extra settings' box enter the command string to disable the speaker, e.g.
      M0
    6. Click OK to the dialogs

    Q. How can I limit RAS callers to see only the machine they connect to rather than the whole network?

    A. When you configure the RAS server, you set for each protocol the scope of the connection, the server or the whole network. To change this perform the following:

    1. Start the Network Control Panel Applet (Right click on Network and select properties)
    2. Select the Service tab and select the Remote Access Service and click Properties
    3. Select the COM port and click the Network button
    4. Click the Configure button next to the protocol you wish to change access (e.g. TCP/IP)
    5. At the top check the "This computer only" option
    6. Click OK

    Clients should now be able to only view local RAS server connections.


    Q. How do I install the Windows 98 Virtual Private Network adapter?

    A. Windows 98 contains the Virtual Private Network as standard and to install perform the following:

    1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network or right click on Network Neighborhood and select Properties)
    2. Select the Configuration tab
    3. Click Add
    4. Select Adapter and click Add
    5. Under Manufacturers select Microsoft and select "Microsoft Virtual Private Networking Adapter" in the Network Adapters box. Click OK
    6. You may be asked for the Windows 98 CD.
    7. Reboot the machine

    Once the machine has rebooted to create a new VPN connection start the Dial-Up Networking software and double click the 'Make New Connection'.

    Under the device select "Microsoft VPN Adapter", click Next and enter the host name or IP address of the VPN server.

    To make a connection dial into the Internet then double click the VPN connection, enter a username and password and you are connected!


    Q. How do I install the Point To Point Tunneling Server?

    A. Windows NT Server contains the Point To Point Tunneling Protocol as standard and to install perform the following:

    1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network or right click on Network Neighborhood and select Properties)
    2. Select the Protocols tab
    3. Click Add
    4. Select "Point To Point Tunneling Protocol"
    5. Click OK
    6. You will be asked for the installation media. Enter the location and click Continue. If RAS is not currently installed it will be installed at this point.
    7. You will be asked for the number of private networks and click OK
    8. The Add RAS Device dialog will be displayed. Select "VPN1 - RASPPTMPM" and click OK. By default the connection will be configured to receive calls only, to change click Configure. Keep clicking Add to add more VPN devices (VPN2 etc.) Click Continue when all VPN devices have been added.
    9. Select TCP/IP options for RAS if it was not already configured. Click OK
    10. Click Close to the Network dialog
    11. Reboot the machine

    Once the machine has rebooted it will operate as a Virtual Private Network server. Make sure any users who want to logon to it have RAS dial in rights (as configured using User Manager).

    If you experience any problems with protocols make sure that the RAS server has the protocols configured, e.g. TCP/IP correctly. This can be done by starting the Network Control panel applet, select Services, select RAS and click Configure. Select the VPN port and click Network. You can then configure TCP/IP etc., ensure there are no problems with addresses etc.

    Extra VPN connections can also be configured by clicking Add and selecting VPN2, VPN3 etc. You can only have simultaneous VPN connections for the number of VPN devices on the server.


    Q. How do I install the Windows NT Virtual Private Network client?

    A. Windows NT contains the Virtual Private Network as standard and to install perform the following:

    1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network or right click on Network Neighborhood and select Properties)
    2. Select the Protocols tab
    3. Click Add
    4. Select 'Point To Point Tunneling Protocol' and click OK
    5. You may be asked for the Windows NT CD.
    6. Select the number of virtual private networks and click OK
    7. The RAS setup dialog will be shown. Click Add
    8. Select 'VPN1 - RASPPTPM' and click OK
    9. Click Continue to the RAS dialog
    10. Click Close on the Network dialog
    11. Reboot the machine

    Once the machine has rebooted to create a new VPN connection start the Dial-Up Networking software and double click New.

    Under the device select "Microsoft VPN Adapter", and under Phone number the host name or IP address of the VPN server.

    To make a connection dial into the Internet then select the VPN connection, enter a username and password and you are connected!

    You can check PPP is working by using the IPCONFIG command

    PPP adapter NdisWan4:
    IP Address. . . . . . . . . : 200.200.200.16
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . : 200.200.200.16


    Q. How can I remove the dial-up networking icon from My Computer?

    A. The dial-up networking icon can be removed by editing the registry as follows:

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace
    3. Select {a4d92740-67cd-11cf-96f2-00aa00a11dd9}
    4. This step is optional but from the Registry menu select "Export Registry File". Enter a name for the reg file which will be created. This file will allow you to automatically undo this if you wish.
    5. Press the Del key to delete the key.
    6. Click Yes to the deletion confirmation dialog
    7. Dial-up networking will no longer be visible from My Computer

    To restore it using your reg file just double click on the reg file from Explorer and dial-up networking will be restored.


    Q. I've connected two computers using two 56K modems but I never connect at more than 33Kb, why?

    A. The problem is that your modems cannot send faster than 33.6k. The 56k technologies, such as X2, K56flex and the new standard V.90 are asymmetric - 56k from a service such as an ISP to you, and 33.6k (maximum negotiated rate, may be less) from you to an ISP.

    Having one of your V.90 modems call the other won't create a connection faster than 33.6k since neither side can transmit faster than 33.6k. The 56Kb is possible because the line from your house to the telephone company switching office is analog, and that the rest of the path from the CO to the service (ISP) is 100% digital. At the service end, they specifically install digital modems designed to operate as the service end of V.90/X2/K56flex connection.

    This means you would need on of the boxes the same kind of modem that an ISP would buy. You may find however that you can't get one of those without also having the digital phone circuit to connect it to.

    If you need 56Kb look at ISDN. The easiest way to setup a system which can accept 56K V90 incoming connections is to get an ISDN2 or home highway and a 3COM Courier-I modem. The Courier-I can act as a standard and ISDN modem. It will also act in V90 mode as a server it it detects an incoming analogue call across the ISDN.


    Q. My modem is not supported by RAS, what can I do?

    A. Windows NT RAS has support for Unimodem modems and can be configured as follows:

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ras\Protocols
    3. From the Edit menu select New - DWORD value
    4. Enter a name of EnableUnimodem and press enter
    5. Leave as the default value of 0
    6. Close the registry editor

    Once enabled you will only have the options to select from the list of modems (in modem.inf) and not 'Have disk' or 'Install Modem' option.

    If your modem does not exist on the list of modems download the modems .inf file from the manufacturer and copy to modem.inf in the %systemroot%\system32\RAS or just add details to the original modem.inf file. Make sure you backup the original modem.inf file.

    Run the Network control panel applet and select services. Select Remote Access Services and click Properties. Remove any ports currently defined and click Add, add the ports and RAS will use the MODEM.INF file to get initialization information for the modem.


    Q. I get error 'There is no answer' from the PPTP server, why?

    A. This is caused by either the RAS Connection Manager and Remote Access Server cannot be started or they are set to manual startup.

    To fix just start the RAS Connection Manager and RAS and change the RAS Connection Manager startup to automatic using the Services control panel applet.

    To test try to PING the PPTP server over the internet.


    Q. DEVICE.LOG does not capture modem commands, what can I do?

    A. When you use a Unimodem the device.log no longer captures the command however you can create an alternate log file to capture the modem commands:

    1. Start the Modems control panel applet (Start - Settings - Control Panel - Modems)
    2. Select the modem for which a log file should be created
    3. Click Properties
    4. Click the Connection tab
    5. Click Advanced
    6. Select the 'Record a Log File' check box. There is no need to restart the computer

    The log file will be created in the %systemroot% directory with name MODEMLOG_<modem>.TXT.


    Q. How do I create a dial-up connection in Windows 2000?

    A. Windows 2000 has removed the segregation between LAN and dial-up connections, they are all just connections now.

    To create a Dial-up connection to an ISP or your work you need to create a new connection using a modem as the connection medium:

    1. From the Start menu select 'Network and Dial-up Connection'
    2. Double click 'Make New Connection'
    3. Click Next to the introduction wizard
    4. Select 'Dial-up to the Internet' and click Next
    5. Select 'I want to set up my Internet connection manually' and click Next
    6. Select 'I connect through a phone line and a modem' (if you are using ISDN you would select local area network). Click Next
    7. Make sure your modem is connected and turned on, check the 'Don't detect my modem' box is not selected anc click Next
    8. If it can't find your modem click Next and you can choose it from a list.
    9. Enter the phone details of the ISP. Click Next
    10. Enter your username and password and click Next
    11. Finally give it a name, for example 'Connection to UUnet'. Click Next
    12. You will be asked if you wish to setup mail. Make your choice and click Next
    13. Click Finish

    Your new connection will now be visible from 'Network and Dial-up Connections'. To change its properties right click on the connection and select Properties.


    Q. What is TCP/IP

    A. If you are viewing this page on the web then you are using TCP/IP now! TCP/IP is a suite of related protocols and utilities used for network communications. TCP/IP is actually two protocols, Internet Protocol (IP) and Transmission Control Protocol (TCP). There are many different implementations of TCP/IP however they all conform to a standard which means different implementations can communicate with each other.

    Each machine that uses TCP/IP must have a unique TCP/IP address which is a 32 bit number, which is usually displayed in the dotted quad (or dotted decimal) format xxx.xxx.xxx.xxx, where xxx is a number from 0 to 255, for example the IP address 147.98.26.11 is shown in its 32 bit form, and how it breaks down into the dotted quad format

    10010011

    01100010

    00011010

    00001011

    147

    98

    26

    11

    TCP/IP was originally used on ARPANET, a military network and grow to universities and is now used on virtually every computer system.


    Q. How do I install TCP/IP

    A. Below are the instructions on installing non-DHCP clients:

    1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
    2. Click the Protocols tab and click Add
    3. Select TCP/IP Protocol and click OK
    4. You will be asked if there is a DHCP server on the Network, click NO for DHCP
    5. A number of files will be installed and the protocols will be re-binded, and you will be shown the TCP/IP configuration dialog
    6. Click the IP Address tab and enter the IP address and subnet mask. When you enter the IP address it will guess the subnet mask (however you may want to configure a subnet mask different from the Default).
    7. You can also configure DNS servers by clicking on the DNS tab and enter a Domain name (e.g. Savilltech.com) and a host name
    8. Click OK when finished and you have to reboot the machine

    Q. Is there a way to trace TCP/IP traffic using NT?

    A. As part of the Systems Management Server there is a Network Monitor module which enables the entire network to be monitored, also traffic over a modem. There is a limited version of this with NT 4.0 server, however only communications between the server and other computers can be monitored. The Network Monitor Service has to be installed (Control Panel - Network - Services - Add).


    Q. I do not have a network card, but would like to install TCP/IP.

    A. Microsoft provide a Loopback adapter that can be used for the testing of TCP/IP. To install the Loopback adapter perform the following actions:

    1. Start the Control Panel (Start - Settings - Control Panel)
    2. Double click on the Network icon
    3. Click on the Adapters tab, and click Add
    4. Select MS Loopback Adapter and click OK
    5. You will then need to configure TCP/IP as normal

    Q. I have installed TCP/IP, what steps should I use to verify the setup is correct?

    A. Follow the steps below:

    1. From a command prompt type
      ipconfig /all
      This will show information such as IP address, subnet mask and the physical address. Check the IP address and subnet mask are what you expect.
    2. Next there is a special IP address that is used for loopback testing 127.0.0.1, so try and ping this
      ping 127.0.0.1
      You should get 4 lines of
      Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
      Pinging 127.0.0.1 does not send any traffic out on the network. If this does not work it means the TCP/IP stack is not loaded correctly so go back and check your configuration
    3. Next try and ping your own IP address, once again this will not send any traffic out on the Network, but it just confirms the software
      ping 200.200.200.53
      Once again you should get 4 reply messages. If this does not work, but the loopback did, you probably have typed the IP address wrong, go back and check your configuration.
    4. Try and ping the gateway.
      ping 200.200.200.1
      This is the first traffic going out over the network. The gateway should be on your subnet. If you fail to ping the gateway, check the gateway is up, and that your network is correctly connected.
    5. Ping something on the other side of the gateway, i.e. something not own your subnet
      ping 158.234.26.46
      If this does not work then the gateway may not be functioning correctly.
    6. If all of the above worked, than Name Resolution should be tested by pinging by name, this will test the HOSTS and/or DNS. If your machine name was john, and the domain savilltech.com, you would ping john.savilltech.com
      ping john.savilltech.com
      If this does not work, check in the Network Settings - Protocols - TCP/IP that the domain name is correct, also check the hosts file and the DNS.
    7. Next try and ping a name outside the network
      ping ftp.microsoft.com
      If this does not work then check with your ISP (Internet Service Provider)
    8. If all of the above works then get down to the serious stuff and start surfing! :-)

    Q. How can I trace the route the TCP/IP packets take?

    A. In general TCP/IP packets will not always take the same route to a destination, however the start of the journey is likely to be the same, i.e. to your gateway, to the firewall etc. The command to use is tracert and the syntax is as follows

    c:\tracert <host name or IP address>,e.g.
    c:\tracert news.savilltech.com
    Tracing route to news.savilltech.com [200.200.8.55]
    over a maximum of 30 hops:

    1 <10 ms <10 ms <10 ms 200.200.24.1 200.200.200.24.1 is the gateway
    2 <10 ms 10ms <10 ms 200.200.255.81
    3 30 ms 10 ms 10 ms news.savilltech.com [200.200.8.55]

    Trace complete

    The first column is the hop count, the next 3 columns show the time taken for the cumulative round-trip times (in milliseconds), the 4th column is the hostname if the IP address was resolved, and the last column is the IP address of the host. It is really like a street map telling each turn to take. An important thing to note is to look for looping routes, so host a goes to b then c then back to a, as this indicates a problem usually.

    Tracert will not always work with some FireWalls for hosts outside the FireWall.


    Q. What is the subnet mask?

    A. As has been shown the IP address consists of 4 octets and is usually displayed in the format 200.200.200.5, however this address on its own does not mean much and a subnet mask is required to show which part of the IP address is the Network ID, and which part the Host ID. Imagine the Network ID as the road name, and Host ID as the house number, so with "54 Grove Street", 54 would be the Host ID, and Grove Street the Network ID. The subnet mask shows which part of the IP address is the Network ID, and which part is the Host ID.

    For example, with an address of 200.200.200.5, and a subnet mask of 255.255.255.0, the Network ID is 200.200.200, and the Host ID is 5. This is calculated using the following:

    IP Address 11001000 11001000 11001000 00000101
    Subnet Mask 11111111 11111111 11111111 00000000
    Network ID 11001000 11001000 11001000 00000000
    Host ID 00000000 00000000 00000000 00000101

     What happens is a bitwise AND operation between the IP address and the subnet mask, e.g.

    1 AND 1=1
    1 AND 0=0
    0 AND 1=0
    0 AND 0=0

    There are default subnet masks depending on the class of the IP address as follows:

    Class A : 001.xxx.xxx.xxx to 126.xxx.xxx.xxx uses subnet mask 255.0.0.0 as default
    Class B : 128.xxx.xxx.xxx to 191.xxx.xxx.xxx uses subnet mask 255.255.0.0 as default
    Class C : 192.xxx.xxx.xxx to 224.xxx.xxx.xxx uses subnet mask 255.255.255.0 as default

    Where's 127.xxx.xxx.xxx ??? This is a reserved address that is used for testing purposes. If you ping 127.0.0.1 you will ping yourself :-)

    The subnet mask is used when two hosts communicate. If the two hosts are on the same network then host a will talk directly to host b, however if host b is on a different network then host a will have to communicate via a gateway, and the way host a can tell if it is on the same network is using the subnet mask. For example

    Host A 200.200.200.5
    Host B 200.200.200.9
    Host C 200.200.199.6
    Subnet Mask 255.255.255.0

    If Host A communicates with Host B, they are both have Network ID 200.200.200 so Host A communicates directly to Host B. If Host A communicates with Host C they are on different networks, 200.200.200 and 200.200.199 respectively so Host A would send via a gateway.


    Q. What diagnostic utilities are there for TCP/IP?

    A. We have already seen PING and TRACERT, and below is a full list

    For more information on these commands just enter the command with a -?, e.g. netstat -?


    Q. What is routing and how is it configured?

    A. When host a wants to send to host b, if they are on the same local network then the IP protocol resolves the IP address to a physical address using ARP (Address Resolution Protocol), and the physical address (e.g. 00-05-f3-43-d3-3e) of the source and destination hosts are added to the IP datagram to form a frame, and using the frame, the two hosts can communicate directly with each other.

    If the 2 hosts are not on the same local network, then they cannot communicate directly with each other, and instead have to go through a router. You have probably already come across a router when you install TCP/IP, as the default gateway is just a router that you have chosen to use as a means of communicating with hosts outside your local network if no specific route is known. A router can be a Windows NT computer with 2 or more network cards (one card for connection to each separate local network) or it can be a physical hardware device, such as Cisco routers.

    Assuming our two hosts are not on the same local network, host A will check its routing table for a router that connects to the local network of host B. If it does not find a match then the data packets will be send to the "default gateway". In most cases, there will not be one router that connects straight to the intended recipient, rather the router will know of another route to pass on your packet, which will then goto another router etc.

    For example:

    Host A - 200.200.200.5
    Host B - 200.200.199.6
    Subnet Mask - 255.255.255.0
    Router - 200.200.200.2 and 200.200.199.2
    Host A's routing table - Network 200.200.199.0 use router 200.200.200.2

    In this example, Host A would deduce that Host B is on a separate network, as its Network ID is 200.200.199. Host A would then check its routing table and see that it knows for network 200.200.199 (the zero means all) it should send to 200.200.200.2. The router would receive the packets and then forward them to network 200.200.199.

    What actually happens is each router will have its own routing table that will point to other routes.

    To actually configure a route, you use the route command, for example to configure a root for network 200.200.199 to use router 200.200.200.2 you would type

    route -p add 200.200.199.0 mask 255.255.255.0 200.200.200.2

    The -p makes the addition permanent, otherwise it will be lost with a reboot.

    To view your existing information type route print.


    Q. What is ARP?

    A. ARP stands for Address Resolution Protocol and was touched on in the previous question as a means of resolving a IP address to an actual physical network card address.

    All network cards have a unique 48 bit address, that is written as six hexadecimal pairs, e.g. 00-A0-24-7A-01-48, and this address is hard coded into the network card. You can view your network cards hardware address by typing

    ipconfig /all
    .
    Ethernet adapter Elnk31:

    Description . . . . . . . . : ELNK3 Ethernet Adapter.
    Physical Address. . . . . . : 00-A0-24-7A-01-48
    DHCP Enabled. . . . . . . . : No
    IP Address. . . . . . . . . : 200.200.200.5
    Subnet Mask . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . : 200.200.200.1
    Primary WINS Server . . . . : 200.200.50.23
    Secondary WINS Server . . . : 200.200.40.190

    As discussed in the Subnet question, if a packets destination is on the same local network as the senders, then the sender needs to resolve the destinations IP address into a physical hardware address, otherwise the sender needs to resolve the routers IP address into a physical hardware address. When a NT machines TCP/IP component starts, it broadcasts an ARP message with its IP to hardware address pair. The basic order of events for sending to a host on the local network is as follows:

    1. ARP checks the local ARP cache for an entry for destinations IP address. If a match is found, then the hardware address of the destination is added to the frame header and the frame sent.
    2. If a match is not found, then an ARP request broadcast is sent to the local network (remember it knows the destination is on the local network by working out the Network ID from the IP address and the subnet mask). The ARP request contains the senders IP address and hardware address, the IP address that is being queried and is sent to 255.255.255.255 (everyone, but it won't get routed).
    3. When the destination host receives the broadcast, it sends a ARP reply with its hardware address and IP address.
    4. When the source receives the ARP reply, it will update its ARP cache and then create a frame and send it.

    If you are sending to a destination not on your local network, then the process is similar except the sender will resolve the routes IP address instead.

    To inspect your machines ARP cache, type:
    arp -a

    and a list of IP address to hardware address pairs will be shown. Try pinging a host on your local network and then displaying the ARP cache again and you will see an entry for the host, also try pinging a host outside your local network and check the ARP cache and an entry for the router will have been added. You will notice that the word dynamic is listed with the records, and this is because they were added as needed and are volatile, hence will be lost on reboot. In fact the entries will be lost quicker than this! If an entry is not used again within 2 minutes then it will be deleted from the cache. If it is used within 2 minutes, it will not be deleted for a further 10 minutes, unless used again and then it would be ten minutes from when used :-).

    You may wish to add static entries for some hosts (to save time with the ARP requests) and the format is
    arp -s <IP address> <hardware address>, e.g.
    arp -s 200.200.200.5 00-A0-24-7A-01-48


    Q. My Network is not connected to the Internet, can I use any IP address?

    A. The basic answer would be Yes, however it is advisable to use one of the following ranges which are reserved for use by private networks:

    10.0.0.0 - 10.255.255.255 this is a single class A network
    172.16.0.0 - 172.31.255.255 this is a group of 16 contiguous class B networks
    192.168.0.0 - 192.168.255.255 this is a contiguous group of 256 class C networks

    The addresses above are detailed in RFC 1918 (Request for comment). The advantage of these addresses is that they should be automatically filtered out by routers, thus protecting the internet. Obviously if you did one day want to part of your network on the internet you would need to apply for a range of IP addresses (from Internic or from your ISP).

    These addresses are routable and routers will route them by default. You aren't supposed to route them publicly, and need to configure your router accordingly. Internet backbone routers have been specifically configured to not route these addresses, but that is a specific configuration choice.

    People using these addresses must specifically configure their routers to not route these addresses.

    Routers route these addresses by default as they don't know whether they are gateway routers or some intermediate router on a WAN (behind a gateway).


    Q. How can I increase the time entries are kept in the ARP cache?

    A. The default 2 minutes can be changed by performing the following:

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    3. From the Edit menu select New - DWord value and enter a name of ArpCacheLife, click OK
    4. Double click the new value and set to the new value in seconds and click OK
    5. Close the registry editor
    6. Reboot

    Q. What other registry entries are there for TCP/IP?

    A. There is a whole knowledge base article on them that may be useful at http://support.microsoft.com/support/kb/articles/q120/6/42.asp .


    Q. How can I configure more than 6 IP addresses?

    A. Using the TCP/IP configuration GUI you are limited to 6 IP addresses however more can be added by directly editing the registry:

    1. Log on as an Administrator
    2. Start the registry editor (regedt32.exe)
    3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and scroll down to the service for your adapter card (Look at the adapters tab on the Network Control panel applet). For example the Etherlink 3 card is Elnk3, however you want the first occurrence so goto Elnk31.
    4. Move to the Parameters\TCPIP subkey
    5. Double click the IPAddress value. Enter in additional IP addresses separated by a new line
      IPAddress.gif (4020 bytes)
    6. When finished click OK
    7. Next edit the SubnetMask and again add an entry for each IP address added (in the same order). Click OK when finished.
    8. Close the registry editor
    9. Reboot the machine

    Q. What are the common TCP ports?

    A. Below is a list of the most common TCP ports.

    Keyword Port Description
    echo 7 Echo
    systat 11 Active Users
    qotd 17 Quote of the day
    msp 18 Message Send Protocol
    ftp-data 20 File Transfer (Data Channel)
    ftp 21 File Transfer (Control)
    telnet 23 Telnet
    smtp 25 Simple Mail Transfer
    name 42 TCP Nameserver
    bootps 67 Bootstrap Protocol Servre
    bootpc 68 Bootstrap Protocol Client
    tftp 69 Trival File Transfer
    gopher 70 Gopher
    finger 79 Finger
    www 80 World Wide Web
    kerberos 88 Kerberos
    pop3 110 TCP post office
    nntp 119 USENET
    nfs 2049 Network File System

    Q. How can I perform a migration to DHCP?

    A. There are only a few basic registry entries that define a client as a DHCP client so an easy way to migrate clients to DHCP is to create a registry script that sets the required values via logon script. You should obviously be careful that there is no overlap between the addresses in the DHCP address pool and those statically assigned.

    The DHCP service needs to be configured to start at system startup.Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP\ and change the value entry Start from 1 to 2.

    TCPIP parameters are defined to each NIC (Network Interface Card).

    The following is an example registry script you may consider using. If you are unsure of the card service goto HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\1 and write down the data for the value entry ServiceName

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<card service>\Parameters\Tcpip]
    "EnableDHCP"=dword:00000001
    "IPInterfaceContext"=dword:00000001
    "IPInterfaceContextMax"=dword:00000001

    You should then add something into the logon script to detect the NIC installed into the computer, run the reg script and request an IP address, e.g.

    if reg=elpc575 (for the 3com575tx) goto dhcp
    ..
    ..
    ..
    :dhcp
    regedit /s NIC_dhcp.reg
    ipconfig /renew
    net send %computername% Congrats Your computer has been configured for DHCP!
    endif

    A quick way to find out which network card you are using is on you LAN you will have various types of NIC.

    For instance you may have the 3c89d, netflx3,3c575tx for instance for the Neflx3 driver, when the install takes place on the NT 4.0 it adds a registry key in the HKEY_LOCAL_MACHINE\systems\Current control set\system\services\cpqNF31 with the parameters:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CpqNF31\Parameters\Tcpip]
    "EnableDHCP"=dword:00000000.

    You have to find out what the key name is because it is different for each NIC then you can run kix32.exe and use the arguement:

    EXISTKEY (
    "Key"
    )

    Checks for the existence of a registry key.

    Parameters
    Key - Identifies the key you want to check the existence of.

    Returns
    0 the key specified exists (Note : this is different from the way the EXIST function works...)
    >0 the key does not exist, returncode represents an errorcode

    $ReturnCode=ExistKey(
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CpqNF31" )

    If $ReturnCode=0
    ? "Key exists...."
    Endif

    ...to detemine if the key exist and then execute accordingly for that specific card.

    You may also set the value IPAddress=0.0.0.0 and value SubnetMask=0.0.0.0 for the card service however they will be ignored anyway. Fill in the IPAddress and SubnetMask with 0.0.0.0. Blanking out or deleting the values won't work. Restart the workstation to complete the change.

    This can also be done using Windows Scripting Host

    From MS SupportOnline Article ID: Q197424
    
    '-----------------------------------------------------------------------
       ' The following script reads the registry value name IPAddress to
       ' determine which registry entries need to be changed to enable DHCP.
       ' This sample checks the first 11 network bindings for TCP/IP, which is
       ' typically sufficient in most environments.
       ' ----------------------------------------------------------------------
       Dim WSHShell, NList, N, IPAddress, IPMask, IPValue, RegLoc
       Set WSHShell = WScript.CreateObject("WScript.Shell")
    
       NList = array("0000","0001","0002","0003","0004","0005","0006", _
                     "0007","0008","0009","0010")
    
       On Error Resume Next
       RegLoc = "HKLM\System\CurrentControlSet\Services\Class\NetTrans\"
    
       For Each N In NList
         IPValue = ""      'Resets variable
         IPAddress = RegLoc & N & "\IPAddress"
         IPMask = RegLoc & N & "\IPMask"
         IPValue = WSHShell.RegRead(IPAddress)
         If (IPValue <> "") and (IPValue <> "0.0.0.0") then
           WSHShell.RegWrite IPAddress,"0.0.0.0"
           WSHShell.RegWrite IPMASK,"0.0.0.0"
         end If
       Next
    
       WScript.Quit        ' Tells the script to stop and exit.

    Q. How do I assign multiple IP addresses to a single NIC?

    A. It is possible to assign more than one IP address to a single NIC (Network Interface Card). To configure extra IP addresses under NT 4.0 perform the following:

    1. Right click on Network Neighborhood and select Properties (if you are unable to do this start the Network Control Panel applet via control panel)
    2. Select the Protocols tab
    3. Select 'TCP/IP Protocol' and click the Properties button
    4. Select the 'IP Address' tab and you will see your normal IP address. Click the Advanced button at the bottom of the dialog
    5. Select the Adapted and click Add under the IP addresses section
    6. Enter the new IP address and subnet mask. Click Add
      Add IP address
    7. Click OK to the advanced dialog
    8. Click Apply then OK to the TCP/IP dialog
    9. Close all other dialogs
    10. Reboot the computer

    Under Windows 2000 the procedure is the same except to get the TCP/IP protocol properties you need to:

    1. Right click on "My Network Places" and select Properties
    2. Right click on "Local Area Connection" and select Properties
    3. Select "Internet Protocol (TCP/IP) and select Properties
    4. The procedure is then as above except the reboot is not necessary

    Q. How do I install the Network Monitor Utility?

    A. Windows NT Server ships with a limited version of the Network Monitor utility which allows you to monitor only traffic to and from the installed box. The full SMS version allows promiscuous monitoring of the network.

    To install the basic NT version:

    1. Start the Network Control Panel applet (Start - Settings - Control Panel - Network)
    2. Select the Services tab
    3. Click Add
    4. Select "Network Monitor Tools and Agent". Click OK
    5. Click OK to the main dialog
    6. The protocols will be rebound and you will need to reboot the machine

    The SMS 1.2 version can be installed as part of a full SMS installation by selecting "Install Admin Tools" option and clicking Custom to add the network monitor. It can also be installed directly from the SMS\nmext directory on the SMS 1.2 CD-ROM:

    1. Insert the SMS 1.2 CD-ROM
    2. Move to SMS\nmext\disk1
    3. Run setup.exe
    4. Select the installation directory (C:\nm by default). Click Continue
    5. Files will then be copied
    6. You will have to set a Network Monitor passwords for capturing and viewing captures (or click No Password).
    7. Enter your name and click OK
    8. If the Network Monitor Agent is not installed it will being up the Network control panel applet where you must select the Services tab, click Add and select "Network Monitor Agent". Click OK
    9. Reboot the machine

    SMS 2.0 version instructions will be added shortly.


    Q. How do I perform a network trace using NetMon?

    A. To start Network Monitor select "Network Monitor" from the "Network Analysis Tools" Start menu Programs folder. Once started you will be presented with the initial trace dialog which is split into 4 main windows.

    Network Monitor

    Initially the trace will be for all hosts to all hosts however you will probably want to refine this using a filter as follows:

    1. From the Capture menu select Filter (or press F8)
    2. You will see and Address Pair entry of *ANY <--> *ANY. Select this line
    3. Click the Line button in the Edit area
    4. You will be shown a list of addresses the computer knows about, you may add new ones by clicking the "Edit Addresses" button.
    5. Select the host for station1 and station2 and the direction and click OK
    6. Click OK to the main dialog. You should see the *ANY <--> *ANY line has changed to the two nodes, e.g. LNTLL2 <--> LNPCSW0030

    You are now ready to start the search by selecting Start from the Capture menu (or click F10). Once you have collected the data you require stop the search by selecting Stop from the Capture menu (or click F11). An alternative is to select Stop + View data which will stop the trace and show the captured data.

    The normal method to display captured data is to select "Display Captured Data" from the Capture menu or click F12. A new dialog will be shown will all frames sent between the selected hosts. For more detail about a frame just double click it. It will then give the full frame information and content.

    Example frame capture

    Notice you can actually see the data that was sent and full IP and TCP headers can also be inspected. If you start another search it will ask if you want to save the current captured data. You can also manually save by selecting "Save As" from the File menu.


    Q. Nothing shows up on my NETMON trace, why?

    A. Netmon is capable of capturing data on all adapters including RAS adapters and by default it will trace the adapter with the lowest MAC address, which would be 000000000000 for a RAS device and thus the default.

    To change the adapter used perform the following:

    1. Within Netmon select Networks from the Capture menu
    2. Select the correct local adapter (the MAC address will be non-zero)
      Choosing the "network"
    3. Click OK

    Restart your capture. You could check your cards MAC address (if you had several) using the IPCONFIG /ALL command.


    Q. What is the NETMON agent?

    A. In some situations you may want to monitor traffic for a certain machine but are unable to actually use that machine to perform the network monitor (maybe because of physical location).

    The Network Monitor agent is installed on the machine whose traffic you wish to monitor and then you can "connect" to it from a machine running the Network Monitor application and capture its traffic.

    The Network Monitor agent runs as a service and needs to be started on the machine whose traffic you wish to capture.


    Q. How do I install the Network Monitor agent?

    A. The Network Monitor agent is supplied with both Windows NT Workstation and Windows NT Server and is installed as follows:

    1. Logon to the machine
    2. Start the Network Control Panel applet (Start - Settings - Control Panel - Network)
    3. Select the Services tab
    4. Click Add
    5. Select "Network Monitor Agent" and click OK
    6. It may ask for the location of the files, enter the location, e.g. d:\i386 and click OK
    7. Click Close to the main location
    8. Click Yes to reboot the machine

    Once the reboot has completed you need to configure the Network Monitor so it starts automatically

    1. Start the Services control panel applet (Start - Settings - Control Panel - Services)
    2. Select "Network Monitor Agent"
    3. Click Start
    4. Click Start-up
    5. Select Automatic. Click OK

    To start the Network Monitor Service from the command line use the command

    C:\> net start nmagent


    Q. How do I monitor traffic for an agent?

    A. To monitor traffic from an agent perform the following:

    1. Start Network Monitor (Start - Programs - Network Analysis Tools - Network Monitor)
    2. Select Networks from the Capture menu
    3. Select Node Name of Remote
    4. Click Connect
    5. Enter the machine name of the Agent (or IP address), a comment and how often you want the status updated.
      Network Monitor Agent
      Click Connect
    6. A connection will be made

    If the connection fails ensure the Network Monitor Agent is running on the remote machine and that you have local Administrator rights on it.

    You can now perform captures as per normal. To switch back to local just select Networks from the Capture menu and select one of the Local node options.


    Q. How do I filter captured packets?

    A. Once you have captured data it is possible to apply a filter to view only certain type of packets:

    1. Once you have displayed your captured data select Filter from the Display menu
    2. You can select the protocol to monitor by selecting the Protocol==Any line and click Edit - Operator
    3. A new dialog will be displayed with 3 tabs, Address, Protocol and Property. You can click Disable All to disable the protocols and then selectively add the one you require, e.g. DNS
      Network filter
    4. From the Property tab you can select certain matches for each protocol to refine even further.
    5. Click OK to close the dialog
    6. Click OK to the main filter dialog

    The data displayed will now be that which matches the specified criteria. Do disable the filter just select "Disable Filter" from the Filter menu.


    Q. What is IPv6?

    A. IPv6 is the next verions of the Internet Protocol, version 6.0 hence IPv6.

    Current computers use IP version 4.0 which despite being created in the mid-1970's has done very well however it has reached its limit and is about to run out of addresses and is not the most bandwidth friendly protocol so its time for an upgrade.

    Below are the 4 main reasons that IP version 4.0 needs an upgrade:

    Current IP addresses consist of 32 bits, represented as 4 bytes, dotted-quad format, e.g. 200.200.200.202. IP version 6 uses 128 bits for addresses!

    IPv6 is defined in the following RFC's (Request for Comments)


    Q. How will IPv6 addresses be written?

    A. Since IPv6 address's are 128-bit and hence four times longer than an IPv4 address, addresses are expressed as:

    X:X:X:X:X:X:X:X

    where each X is a 4-digit hexadecimal integer (16 bits) and each digit is 4 bits and so can be between 0 and F (F is 15 in hexadecimal) and so examples of valid addresses would be

    FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
    1080:0:0:0:8:800:200C:417A

    Notice in the second address you can leave off any leading zeros, but you must have at least one numeral in each part. For example :0800: can be written as :800:.

    Obviously you may have a large sequence of zero's in the address and so it is possible to have a single gap by writing :: which will fill the gap with zero's, for example

    1080:0:0:0:8:800:200C:417A

    may be written as

    1080::8:800:200C:417A

    0:0:0:0:0:0:0:1 the loopback address (the same as 127.0.0.1 in IPv6) can be written as ::1.

    A third format is available, when dealing with a mixed environment of IPv4 and IPv6 nodes is

    x:x:x:x:x:x:d.d.d.d

    where the 'x's are the hexadecimal values of the six high-order 16-bit pieces of the address, and the 'd's are the decimal values of the four low-order 8-bit pieces of the address (standard IPv4 representation). Examples:

    0:0:0:0:0:0:13.1.68.3
    0:0:0:0:0:FFFF:129.144.52.38

    or in compressed form:

    ::13.1.68.3
    ::FFFF:129.144.52.38

    The subnet mask is now replaced by a number appended to the network address specifying the number of bits making up the network part (CIDR notation), e.g. ipv6-address/prefix-length:

    12AB:0000:0000:CD30:0000:0000:0000:0000/60
    12AB:0000:0000:CD30::/60

    Means the first 60 bits make up the network part of the address.

    When writing both a node address and a prefix of that node address (e.g., the node's subnet prefix), the two can combined as follows:

    the node address 11AC:0:0:CA20:123:4567:89AB:CDEF
    and its subnet number 11AC:0:0:CA20::/60

    can be abbreviated as 11AC:0:0:CA20:123:4567:89AB:CDEF/60


    Q. What is the IPv6 header format?

    A. Below is the specification for the header format of IPv6:

    Version  Traffic Class Flow Label
    Payload Length  Next Header Hop Limit
    Source Address
    Destination Address

    Version - 4-bit Internet Protocol version number.

    Traffic Class - 8-bit traffic class field

    Flow Label - 20-bit flow label

    Payload Length -16-bit unsigned integer. Length of the IPv6 payload, i.e., the rest of the packet following this IPv6 header, in octets. (Note that any present are considered part of the payload, i.e., included in the length count.)

    Next Header - 8-bit selector. Identifies the type of header immediately following the IPv6 header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].

    Hop Limit - 8-bit unsigned integer. Decremented by 1 by each node that forwards the packet. The packet is discarded if Hop Limit is decremented to zero.

    Source Address - 128-bit address of the originator of the packet.

    Destination Address - 128-bit address of the intended recipient of the packet (possibly not the ultimate recipient, if a Routing header is present).

    Notice that the IPv6 header has far less fields than the IPv4 header and IPv6 introduces a number of extension headers as defined in RFC 2460.


    Q. I am unable to install TCP/IP, why?

    A. If you are trying to reinstall TCP/IP after previously uninstalling it the problem may be due to certain TCP/IP registry values not being removed correctly.

    To manually remove perform the following:

    1. Start the registry editor (regedt32.exe)
    2. Select the key you want to delete.
    3. Select the 'Security' menu and select 'Owner...'. (The 'Owner' dialog box appears.)
      Click 'Take Ownership'.
    4. Select the 'Security' menu and select 'Permissions...'. (The 'Registry Key Permissions' dialog box appears.)
    5. In the 'Name' list box, select 'Everyone'.
    6. Select 'Full Control' from the 'Type of Access' drop-down list box.
    7. Select the 'Replace Permission on Existing Subkeys' check box.
    8. Click 'OK'.
    9. Repeat steps 2 to 8 for all registry keys to be deleted
    10. Reboot the computer so that Registry changes are recognized by Windows NT.

    An alternative which avoids having to change security is to start regedt32.exe under the System account by submitting it via the schedule service

    C:\> net start schedule (only if not already running)
    C:\> at <time> /inter regedt32.exe
    C:\> net stop schedule (only if you had to start it)

    Once the computer has rebooted restart REGEDT32.EXE and ensure all of the following are deleted (these are the keys whose security you must set)

    Connectivity Utilities:

    SNMP Service:

    TCP/IP Network Printing Support:

    FTP Server Service:

    Simple TCP/IP Services:

    DHCP Server Service:

    WINS Server Service:

    Windows sockets:

    It may also be necessary to remove the following keys:


    Q. What switches can be used with PING?

    A. PING is used to test TCP/IP connectivity with another host and gives information about the length of time test data takes to be sent to the host and a reply received.

    Its most basic use is as follows:

    C:\>ping <IP address or hostname>

    Pinging 160.82.52.11 with 32 bytes of data:

    Reply from 160.82.52.11: bytes=32 time=10ms TTL=252
    Reply from 160.82.52.11: bytes=32 time<10ms TTL=252
    Reply from 160.82.52.11: bytes=32 time<10ms TTL=252
    Reply from 160.82.52.11: bytes=32 time<10ms TTL=252

    From the above you can see it send 32 bytes to host 160.82.52.11 and each time a reply was received in 10ms or less, this shows a good connection.

    PING does have a number of option parameters to accomplish different objectives.

    ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list

    -t Ping the specifed host until interrupted.
    -a Resolve addresses to hostnames.
    -n count Number of echo requests to send.
    -l size Send buffer size.
    -f Set Don't Fragment flag in packet.
    -i TTL Time To Live.
    -v TOS Type Of Service.
    -r count Record route for count hops.
    -s count Timestamp for count hops.
    -j host-list Loose source route along host-list.
    -k host-list Strict source route along host-list.
    -w timeout Timeout in milliseconds to wait for each reply.

    In Windows 2000 you can press Ctrl-Break when running the -t option for a list of statisitics. Press Ctrl-C to actually stop the ping.

    It can be useful to have a small batch file ping various hosts and terminal servers at regular intervals to ensure all are still present (although there are commercial software packages that do this). A simple command like:

    C:\>ping -f -n 1 -l 1 148.32.43.23

    Pinging 148.32.43.23 with 1 bytes of data:

    Reply from 148.32.43.23: bytes=1 time<10ms TTL=128

    pings a host once with one byte of data.

    You should be aware that PING works by sending ICMP echo packets and some routers etc may filter these out meaning a PING will not work.


    Q. How can I modify TCP retransmission timeout?

    A. Service Pack 5 adds a new registry entry, InitialRtt, which allows the retransmission time to be modified. The range is 0 - 65535 milliseconds and can be set as follows:

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    3. From the Edit menu select New - DWORD value
    4. Enter a name of InitialRtt and press Enter
    5. Double click the new value and set to the number of milliseconds for the timeout, e.g. 5000 for 5 seconds (the old default was 3 seconds). Click OK
    6. Close the registry editor
    7. Restart the machine for the change to take effect

    This parameter controls the initial retransmission timeout used by TCP on each new connection. It applies to the connection request (SYN) and to the first data segment(s) sent on each connection.

    Care should be used when adjusting this value. Setting it to large values will dramatically increase the amount of time that it takes for a TCP connection attempt to fail, if the target IP address does not exist.

    For instance, the default value is 3,000, or 3 seconds. By default, a connection request is retried 2 times. The total time-out is (3+6+12) seconds, or 21 seconds.

    If this registry value is set to 6,000 (6 seconds), the total timeout will be (6+12+24) seconds, or 42 seconds. During this time, an application can appear to stop responding (hang).


    Q. How can I disable media-sense for TCP/IP?

    A. Windows 2000 introduces media-sense which in a Network Interface Card can detect if it is connected to a network cable and if it is not connected it disables protocols on that adapter (although the loopback address 127.0.0.1 and the local hostname still works).

    This may be very inconvenient especially on portables as you may have programs running which requires use of its normal IP address so you can disable this media-sense for TCP/IP only (not the other protocols)

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    3. From the Edit menu select New - DWORD value
    4. Enter a name of DisableDHCPMediaSense and press Enter
    5. Double click the new value and set to 1
    6. Click OK
    7. Reboot the computer

    Cheers to Thomas Lee for letting me know media-sense existed :-)


    Q. What is DHCP?

    A. DHCP stands for Dynamic Host Configuration Protocol and is used to automatically configure a host during boot up on a TCP/IP network and also to change settings while the host is attached.

    This means that you can store all the available IP addresses in a central database along with information such as the subnet mask, gateways, DNS servers etc.

    The basics behind DHCP is the clients are configured to use DHCP instead of being given a static IP address. When the client boots up it sends out a BOOTP request for an IP address. A DHCP server then offers an IP address that has not been assigned from its database, which is then leased to the client for a pre-defined time period.

    If the DHCP client is Windows 2000 and no offer is made and IP auto configuration has not been disabled the client will attempt to find and use an IP address not currently in use otherwise TCP/IP will be disabled.


    Q. How do I install the DHCP Server Service?

    A. The DHCP server service can only be install on a NT Server.

    1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties
    2. Click on the Services tab and click Add
    3. Select "Microsoft DHCP Server" and click OK
    4. You will be prompted to insert the NT Server installation CD or say where the i386 directory is
    5. A warning that all local adapters must use a static IP address and click OK
    6. Click Close and select Yes to reboot

    Under Windows 2000 to install perform the following:

    1. Start the Add/Remove Programs Control Panel applet (Start - Settings - Control Panel - Add/Remove Programs)
    2. In the left hand pane click 'Add/Remove Windows Components"
    3. Click the 'Components' button to start the Components wizard
    4. Click Next
    5. Select 'Networking Services' and click Details
    6. Check the 'Dynamic Host Configuration Protocol (DHCP)' option and click OK
    7. Click Next and the relevant files and services will be configured.
    8. Click Finish when all operations have completed
    9. Click Close to the Add/Remove Programs dialog

    Q. How do I configure DHCP Server Service?

    A. The DHCP Server Service is configured using "DHCP Manager" that is installed after the installation of the DHCP Server Service.

    1. Start DHCP Manager (Start - Programs - Administrative Tools - DHCP Manager)
    2. Double click "*Local Machine*"
    3. From the Scope menu select Create
    4. A dialog will be shown and following should be entered
      - Start Address, e.g. 200.200.200.10
      - End Address, e.g. 200.200.200.100
      this would mean the address 200.200.200.10 to 200.200.200.100 would be available
      - Subnet Mask, e.g. 255.255.255.0
      - Exclusion - start and end, e.g. 200.200.200.20 and 200.200.200.30, would mean available addresses would 200.200.200.10-200.200.200.20 and 200.200.200.30-200.200.200.100
      - Exclusion - just start is a single address, e.g. 200.200.200.56
      - Set lease duration, by default 3 days, however can be set to unlimited
      - Name - this is the name of the scope, e.g. "subnet 200.200.200"
      - Comment - anything you want
    5. Click OK
    6. A message that the Scope has been added, but is not active, would you like it to be active, click Yes.

    Usually items such as DNS servers, WINS server etc will be configured on a global scale and this is also done using Server Manager

    1. Select the Scope, and select Global from the "DHCP Options" menu
    2. Select "06 DNS Servers" and click Add
    3. Click Value button
    4. Click Edit Array at the bottom
    5. Enter the IP address and click ADD, continue adding until all added
    6. Click OK to close the Edit Array dialog
    7. Select "15 Domain name" and click Add
    8. Select it and edit the string at the bottom, e.g. savilltech.com
    9. Click OK to exit

    Q. How do I configure a client to use DHCP?

    A. For NT workstation and Windows95 follow the instructions below:

    1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties
    2. Click on the Protocol tab
    3. Select TCP/IP and click Properties
    4. Select "Obtain an IP address from a DHCP Service". DHCP settings will only override IP address and subnet mask locally configured. If you have configured DNS, WINS etc locally then the DHCP configuration will not overwrite it.

    For Windows 98:

    1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties
    2. Select 'TCP/IP -> Adapter' and click Properties
    3. Select the 'IP address' tab
    4. Select"Obtain an IP address automatically".

     


    Q. How can I compress my DHCP database?

    A. NT Server ships with a utility called JETPACK.EXE which can be used to compact DHCP and WINS databases. To compact your DHCP database perform the following:

    1. Start a command prompt (cmd.exe)
    2. Enter the following commands
      cd %SystemRoot%\SYSTEM32\DHCP
      e.g. cd d:\winnt\system32\dhcp
      net stop DHCPSERVER
      jetpack DHCP.MDB TMP.MDB
      net start DHCPSERVER

    Note: While you stop the DHCP service, clients using DHCP to receive a TCP/IP address will not be able to start this protocol and may hang.

    Jetpack actually compacts DHCP.MDB into TMP.MDB, then deletes DHCP.MDB and copies TMP.MDB to DHCP.MDB! Simple :-)

    For more information, see Knowledge base article Q145881 at http://support.microsoft.com/support/kb/articles/q145/8/81.asp


    Q. How can a DHCP client find its IP address?

    A. Depending on the client:

    Windows NT machine - type ipconfig from the command prompt
    Windows 95 machine - run winipcfg.exe


    Q. How can I move a DHCP database from one server to another?

    A. Perform the steps below on the server that currently hosts the DHCP Server service. Be warned that while doing this no DHCP clients will be able to start TCP/IP so this should be done outside working hours.

    1. Log on as an Administrator and stop DHCP (Start - Settings - Control Panel - Services - Microsoft DHCP server - Stop).
    2. You also need to stop DHCP from starting again after a reboot so start the Services Control Panel applet and select Microsoft DHCP Server and click Startup. From the startup choose disabled and click OK.
    3. Copy the DHCP directory tree %systemroot%\system32\DHCP to a temporary storage area for use later.
    4. Start the registry editor (regedt32.exe)
    5. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer \Configuration
    6. From the Registry menu, click Save Key. Create a name for this key, for example dhcpcfg.bck
    7. Close the registry editor

    Optionally if you want to remove DHCP from the source machine totally delete the DHCP directory (%systemroot%\system32\dhcp) and then delete the DHCP Service (Start - Settings - Network - Services - Microsoft DHCP Server - Remove)

    On the new DHCP server perform the following

    1. Log on as an Administrator
    2. If the server does not have the DHCP server service installed, install it (Start - Settings - Control Panel - Network - Services - Add - DHCP Server)
    3. Stop the DHCP service (Start - Settings - Control Panel - Services - Microsoft DHCP server - Stop).
    4. Delete the contents of %systemroot%\system32\dhcp
    5. Copy the backed up DHCP directory tree from the storage area to %systemroot%/system32/dhcp, but rename the file system.mdb to system.src. You may not have this file if you are using NT 4.0, skip this step.
    6. Start the registry editor (regedt32.exe)
    7. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Configuration and select it
    8. From the registry menu select restore
    9. Located the file dhcpcgf.bck you saved from the original machine and click open
    10. Click Yes to the warning
    11. Close the registry editor
    12. Reboot the machine

    Q. How do I create a DHCP Relay Agent?

    A. If you have routers separating some of your DHCP clients from the DHCP server you may have problems if they are not RFC compliant. This can be solved by placing a DHCP relay agent on the local network area which is not actually a DHCP server which communicates on behalf of the DHCP Server. The DHCP Relay Agent must be a Windows NT Server computer.

    1. On the NT Server log on as an Administrator
    2. Start the Network control panel applet (Start - Settings - Control Panel - Network)
    3. Click the Services tab and click Add
    4. Select "DHCP Relay Agent" and click OK
    5. Type the path of the files (e.g. d:\i386) and click OK
    6. You will be asked if you wish to add IP address to the DHCP servers list, click Yes
    7. Click the DHCP relay tab and click Add
    8. In the DHCP Server field enter the IP address of the DHCP Server and click Add
    9. Click OK
    10. Restart the computer

    Q. How can I stop the DHCP Relay Agent?

    A. All you have to do is stop the DHCP Relay Agent service:

    1. Log on as an Administrator
    2. Start the Services control panel applet (Start - Settings - Control Panel - Network)
    3. Select "DHCP Relay Agent"
    4. Click the startup button
    5. Click the disabled and click OK
    6. Close the control panel applet
    7. You can reboot or just stop the service

    Q. How can I backup the DHCP database?

    A. The DHCP database backs itself up automatically every 60 minutes to the %SystemRoot%\System32\Dhcp\Backup\Jet directory. This interval can be changed:

    1. Start the registry editor
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval
    3. Double click on BackupInterval and set to the number of minutes you want the backup to be performed. Click OK
    4. Close the registry editor
    5. Stop and restart the DHCP server service (Start - Settings - Control Panel - Services - DHCP Server - Start and Stop)

    You could backup the %SystemRoot%\System32\Dhcp\Backup\Jet directory if you wish.


    Q. How can I restore the DHCP database?

    A. Perform one of the following:

    1. When the DHCP Server service starts, if an error is detected in the database it will automatically restore the backup version
    2. Edit the registry and set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\RestoreFlag to 1, restart the DHCP Server service, this will restore the backed up version and set RestoreFlag back to the default 0
    3. Stop the DHCP Server service, copy the files from %SystemRoot%\System32\Dhcp\Backup\Jet to %SystemRoot%\System32\Dhcp and then start the DHCP Server service.

    Q. How do I reserve a specific address for a particular machine?

    A. Before performing this you will need to know the hardware address of the machine and this can be found by entering the command

    ipconfig /all

    Look for the line

    Physical Address. . . . . . : 00-60-97-A4-20-86

    Now at the DHCP server perform the following

    1. Log on as an Administrator
    2. Start the DHCP Server management software (Start - Programs - Administrative Tools - DHCP Manager)
    3. Double click on the DHCP server, e.g. *Local Machine*
    4. Select the light bulb and from the Scope menu select "Add Reservations"
    5. In the Add Reserved Clients dialog box you should enter the IP address you wish to reserve and in the "Unique Identifier" box enter the hardware address of the client machine (got from the ipconfig /all). Do not enter the hyphens, e.g.
      006097A42086
      Also enter a name for the machine (and a comment if you wish) and click Add
    6. Click close when you have added all the reservations

    Q. What registry settings control the DHCP log in Windows 2000?

    A. DHCP has always had auditing abilities for DHCP however these abilities have been expanded in 2000 to reduce problems CAUSED by the log files. These improvements will stop log files filling to take up whole partitions and cause system problems.

    The following keys are all located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters

    Value Name Type Description
    DhcpLogFilePath REG_SZ The partition and directory for the audit logs to be written to. Make sure you write the entire path
    DhcpLogMinSpaceOnDisk REG_DWORD If free space falls below this number (in megabytes) audit logging is stopped
    DhcpLogDiskSpaceCheckInterval REG_DWORD Number of times the audit log is written to before checking for free disk space
    DhcpLogFileMaxSize REG_DWORD Maximum size in megabytes the logs can grow to. By default it is 7.

    Q. How do I authorize a DHCP server in Windows 2000?

    A. Any user running Windows 2000 server could install the DHCP server service causing potential problems and so Windows 2000 adds the concept of authorizing the servers with the Active Directory before they can service client requests. If the server is not authorized in the Active Directory then the DHCP service will not be started.

    To Authorize a server perform the following:

    1. Logon as a member of the Enterprise Administrators group
    2. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
    3. Select the DHCP root, right click and select 'Browse authorized servers'
    4. A list of authorized DHCP servers will be displayed. Click Add
    5. Enter the name or IP address of the DHCP server and click OK.
    6. Click Close

    The red arrow over the DHCP server should now change to a green one if you select refresh (it may take a few minutes).


    Q. How do I create a DHCP scope in Windows 2000?

    A. A DHCP scope is a range of addresses that can be assigned to clients and can also optionally provide information about DNS servers, WINS etc.

    DHCP scopes are configured using the DHCP MMC snap-in as follows:

    1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
    2. Right click on the server and select New - Scope from the context menu
    3. The scope creation wizard will be started, click Next
    4. Enter a name and comment for the scope. Click Next
    5. Enter the address range to use, for example from 200.200.200.1 to 200.200.200.15 (remember the host part cannot be 0). Also enter the subnet mask as either the number of bits used or the actual mask, e.g. 24 is the same as 255.255.255.0. Click Next
    6. You can specify addresses to be excluded either by range, e.g. 200.200.200.5 to 200.200.200.7 and click Add, or just enter a Start address and click Add, e.g. 200.200.200.12 to exclude a single address. Click Next
    7. You can now configure the lease time for the address. Setting too large will mean you will lose the use of addresses if the client machine is inactive for long periods of time, too short and you will generate unnecessary traffic renewing the address. The default 8 days is fine. Click Next
    8. The wizard gives the option to configure the most common DHCP options. Select Yes and click Next
    9. Enter the address of the gateway, and click Add. You can enter several. Click Next when all are entered.
    10. Enter the DNS domain, e.g. savilltech.com and the DNS server addresses. Click Next
    11. Enter the WINS server addresses and click Add. Click Next
    12. You will then be asked if you wish to activate the scope. Select your answer and click Next
    13. Click Finish to the wizard

    The new scope will now be listed and the status as either Active or Inactive.

    If you selected to not activate the scope it can be manually activated by right clicking on the scope, select 'All Tasks' and select Activate. The activation is immediate. Likewise you can deactivate by selecting deactivate

    Useful links:


    Q. How do I configure DHCP scope options in Windows 2000?

    A. When you create a scope the more common options such as DNS and WINS servers can be configured but many more options are available.

    1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
    2. Expand the server
    3. Expand the scope whose options you wish to modify
    4. Select the 'Scope Options' branch and in the right hand window you will see the currently configured options.
    5. Right click on 'Scope Options' and select 'Configure Options'
    6. Select the Basic tab and you can configure other options by checking its box and entering the details. For example a Time Server, check '004 Time Server', enter an IP address and click Add.
    7. Click Apply. Click OK

    The new option(s) will now show in the right hand window. You can change existing options by performing the above and selecting an item already configured and change the details in the Data entry area.


    Q. How can I view DHCP address leases in Windows 2000?

    A. When a client is offered and accepts an IP address a 'lease' is created for x amount of days. To view current leases perform the following:

    1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
    2. Expand the server
    3. Expand the scope whose leases you wish to view
    4. Select the 'Address Leases' branch and in the right hand window you will see the current lease details.

    It will give details of the IP address, client name and the lease expiration date. Expired leases are also shown for approximately one day but have a dimmed icon. This grace period protects a client lease in the event of the client and server being in different time zones, clocks not synced or simply offline.


    Q. How do I change the DHCP address lease time in Windows 2000?

    A. To modify the DHCP lease duration from the normal 8 days perform the following:

    1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
    2. Expand the server
    3. Right click the scope whose lease time you wish to change and select Properties
    4. Select the General tab
    5. At the bottom of the window you can select lease duration either Unlimited or a finite time.
    6. Click Apply then OK


    Q. How do I install the DNS Service?

    A. The DNS Service can only be installed on NT Server and is installed as follows:

    1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
    2. Click the Services tab and click Add
    3. Select "Microsoft DNS Server" and click OK
    4. The software will be installed and the machine will then reboot

    Q. How do I configure a domain on the DNS Server?

    A. A new application has been added to the Administrative Tools group, DNS Manager, to configure the domain follow the procedures below:

    1. Start the DNS Manager (Start - Programs - Administrative Tools - DNS Manager)
    2. From the DNS menu, select New Server and enter the IP address of the DNS Server, e.g. 200.200.200.3, and click OK
    3. The server will now be displayed with a CACHE sub part
    4. Next we want to add the domain, e.g. savilltech.com, from the DNS menu, select New Zone
    5. Select Primary and click Next
    6. Enter the name, e.g. savilltech.com, and then press tab, and it will fill in the Zone File Name and click Next
    7. Click Finish
    8. Next a zone for reverse lookups has to be created, so select New Zone from the DNS menu
    9. Select Primary and click Next, enter the name of the first 3 parts of the domain IP + in-addr.arpa, e.g. if the domain was 158.234.26, the entry would be 26.234.158.in-addr.arpa, in my example it would be 200.200.200.in-addr.arpa, click tab for the file name to be filled and click Next, then click Finish
    10. Add a record for the DNS server, by right clicking on the domain and select "New Record"
    11. Enter the name of the machine, e.g. BUGSBUNNY (I had a strange upbringing :-) ), and enter and IP address, e.g. 200.200.200.3 and click OK
    12. If you click F5 and examine the 200.200.200.in-addr.arpa a record has been added for BUGSBUNNY there as well

    Q. How do I add a record to the DNS?

    A. To add a record, for example TAZ with IP address 200.200.200.4 perform the following

    1. Start the DNS Manager (Start - Programs - Administrative Tools - DNS Manager)
    2. Double click on the name of the DNS server to display the list of zones
    3. Right click on the domain, and select New Record
    4. Enter the name, e.g. TAZ and enter IP address. Select the record type. For adding a new host accept the default, record type A.
    5. If you have the Reverse Arpa zone configured and want the PTR record automatically added, make sure the Create Associated PTR record is checked
    6. Click OK

    Q. How do I configure a client to use the DNS?

    A. For an NT machine (and Windows 95) perform the following:

    1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
    2. Select the Protocols tab
    3. Select TCP/IP and select Properties
    4. Click the DNS tab
    5. Make sure the machines name is entered in the first box, and the domain name, e.g. savilltech.com in the Domain box
    6. In the DNS Server part click Add, and in the dialog box enter the IP address of the DNS Server and click Add
    7. In the Domain Suffix Search Order part, click Add and enter the domain, e.g. savilltech.com and then click Add
    8. Finally click OK

    To test, you can start a command prompt and enter

    nslookup <host name>
    e.g. nslookup taz

    The IP address of Taz will be displayed. Also try the reverse translation by entering

    nslookup <ipaddress>
    e.g. nslookup 200.200.200.4

    The name Taz will be displayed.


    Q. How do I change the IP address of a DNS server?

    A. The information below assumes you have already changed the IP address of the machine ( Start - Settings - Control Panel - Network - Protocols - TCP/IP - Properties) and have rebooted. The scenario below assumes the old IP address was 200.200.200.3 and the new is 200.200.200.8

    1. We need to configure a second IP address for the network card
      - Start the Network Control Panel Applet ( Start - Settings - Control Panel - Network)
      - Click on the Protocol tab
      - Select TCP/IP and click Properties
      - Click Advanced and click Add
      - Enter the old IP address, e.g. 200.200.200.3 and click Add
      - Click OK until you are back at the Control Panel
      - Reboot
    2. Start the DNS Manager (Start - Programs - Administrative Tools - DNS Manager)
      - Right click the "Server List" and select New Server
      - Enter the new IP address, e.g. 200.200.200.8 and click OK
      - Select the old IP address, e.g. 200.200.200.3 and right click
      - Select "Delete Server" from the context menu and click Yes to confirm
    3. While in the DNS Manager, update the record for this server
      - Select the IP address of the DNS server, e.g. 200.200.200.8, select the domain name, e.g. SAVILLTECH.COM
      - Double click the entry for the server and update the IP address, i.e. it would have had 200.200.200.3 to bugsbunny, change to 200.200.200.8
      - Click OK
    4. Now we will delete the secondary IP address we added
      - Start the Network Control Panel Applet ( Start - Settings - Control Panel - Network)
      - Click on the Protocol tab
      - Select TCP/IP and click Properties
      - Click Advanced and select the address, e.g. 200.200.200.3 and click Remove
      - Click OK until back at control panel
      - You will need to reboot at some point to remove the 200.200.200.3 from being active

    Update all the clients to use the new DNS server IP address.

    The above procedure is the most complete way, however it should still work if you only perform steps 2 and 3.


    Q. How can I configure DNS to use a WINS server?

    A. Is is possible to configure the DNS to use a WINS server to resolve the host name of a Fully Qualified Domain Name (FQDN).

    1. Start DNS manager (Start - Programs - Administrative Tools - DNS Manager)
    2. Right click on the zone you wish to communicate with the WINS server and select properties
    3. Click the "WINS Lookup" tab
    4. Select the "Use WINS Resolution" check box and then enter the WINS server IP address and click ADD
    5. Click OK when finished

    Q. Where in the registry are the entries for the DNS servers located?

    A. The entries for the DNS servers are stored in the registry in the location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters under the NameServer value, Each entry should be separated by a space. Using the Resource Kit utility REG.EXE the command to change would be as follows

    reg update HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NameServer="158.234.8.70 158.234.8.100" \\<machine name>

    where 158.234.8.70 and 158.234.8.100 were the addresses of the DNS servers you wanted to configure. Note it sets the value, it does not append so ensure you enter in the existing DNS servers as well as the new ones.

    This may be useful for granting users access to the internet by remotely updating their registry to know which DNS servers to use.


    Q. I receive error message "No More Endpoints".

    A. This can be caused by installing DNS on a machine that has previous settings contained in the %systemroot%\system32\dns directory. To correct perform the following.

    1. Stop the Microsoft DNS server using the Services control panel applet ( Start - settings - control panel - services). Select Microsoft DNS and select stop
    2. Backup any zone files from the %systemroot%\system32\dns directory that you may want
    3. Remove the DNS server by right clicking on network neighborhood and selecting properties. Click the services tab, select DNS and click Remove
    4. Delete all files in the %systemroot%\system32\dns
    5. Reinstall DNS server using the services tab of the network control panel applet

    Q. How do I configure DNS for an NT 5.0 domain? - NT 5.0 only

    A. Windows NT 5.0 domains rely on DNS and require Dynamic DNS which is an update to the basic DNS specification and details can be found in RFC 2136 that can be viewed at ftp://ftp.isi.edu/in-notes/rfc2136.txt.

    Another major update in DNS 5.0 is the addition of service (SRV) records and these have already been seen as a mechanism for publishing the ldap server, ldap.tcp.<domain> and it is through these records that domains can be looked up through the DNS service.

    You could perform this on a separate NT 5.0 machine, the domain controller and the DNS server will probably not be the same machine, it just has to exist before upgrading the server to a domain controller. To install DNS 5.0 on the server perform the following:

    1. Start the Install/Remove Programs Control Panel Applet (Start - Settings - Control Panel - Add/Remove Programs)
    2. Click the "Configure Windows" left hand pane
    3. Click the "Components" button that is displayed
    4. Select "Networking Options" and click Details
    5. Select "Microsoft DNS Server" and click OK
    6. Click Next

    You then need to configure the DNS service

    1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
    2. It will detect this is the first time it has been run and start the configuration applet. Click Next
    3. It will detect there are no root servers so select "This is the first DNS server on this network" and click Next
    4. Check "Yes, add a forward lookup zone" and click Next. This zone is used for the storage of host name to IP addresses
    5. You should now select the zone type, Select "Standard Primary" and click Next. "Active Directory Integrated" stores the DNS database in the Active Directory however there is no Active Directory at this point. This option can be set later
    6. Enter the name of the zone, e.g. savilltech.com and click Next
    7. Select "New File" and click Next. If you had an existing .dns file you may import this
    8. Check "Yes, add a reverse lookup zone" and click Next. The reverse lookup zone is used to find the IP address from a host name. When you create a host record a PTR record can also be selected to be created and this adds a record in the reverse lookup zone
    9. Again select "Standard Primary" and click Next
    10. Enter the first parts of your subnet, e.g. 200.200.200.0 (subnet will be filled in for you). If you subnet mask was 255.255.0.0 you would enter the first 2 parts of you IP address, if 255.255.255.0 you would enter the first 3. Click Next
    11. Again Check "New File" and click Next
    12. A summary will be displayed and click Finish to complete the installation

    Now the basic zone is configured the required entries for the domain need to be added

    1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
    2. Expand the DNS server, expand the "Forward Lookup Zones", select the domain, e.g. savilltech.com
    3. Right click on the domain and select New - Host from the context menu
    4. Leave the Host name blank and enter the IP address of the domain controller (to be), check the 'create associated PTR record' and click "Add Host"

    The final stage is to configure the zones to be dynamic update enabled which allows hosts to add records in the DNS server.

    1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
    2. Expand the DNS server, expand the "Forward Lookup Zones", select the domain, e.g. savilltech.com
    3. Right click on the domain and select Properties from the context menu
    4. Select "Yes" from the "Allow dynamic updates?" drop down box
    5. Click Apply then OK
    6. Now expand the "Reverse Lookup Zones" and select the reverse lookup zone, e.g. "200.200.200.x Subnet"
    7. Select the zone and right click the zone and select Properties from the context menu
    8. Again select "Yes" from the "Allow dynamic updates?" drop down box
    9. Click Apply then OK

    DNS is now configured for a domain and you can create the domain.


    Q. How do I configure Active Directory integrated DNS? - NT 5.0 only

    A. It is possible to configure DNS servers that are also domain controllers to store the contents of the DNS database in the Active Directory which will then be replicated to all domain controllers in the domain. The option to store the DNS database in the Active Directory is not available on DNS servers that are not domain controllers.

    1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
    2. Expand the DNS server, expand the "Forward Lookup Zones", select the domain, e.g. savilltech.com
    3. Right click on the domain and select Properties from the context menu
    4. Under Type click Change
    5. Select "Active Directory-integrated" and click OK
    6. Click OK to "Are you sure you want this zone to become an Active Directory-integrated"
    7. Click Apply then OK

    Q. Setting a secondary DNS server as primary results in errors.

    A. If you have a secondary DNS server configured to duplicate all entries from another DNS server you may experience a problem if you try and set it as a primary DNS server, which results in the service not starting and an error to the effect of the data being wrong:

    Event ID: 7023
    The MS DNS Server service terminated with the following error:
    The data is invalid.

    Event ID: 130
    DNS Server zone zone name has invalid or corrupted registry data.
    Delete its registry data and recreate with DNSAdmin.

    Event ID: 133 DNS
    Server secondary zone zone name, had no master IP addresses in registry.
    Secondary zones require masters.

    The DNS Manager forgets to set the correct value for the DNS Type in the registry (secondary is remaining), but it is erasing the address of the primary DNS, where the data came from. To correct this perform the following:

    1. Start the registry editor (regedit.exe)
    2. Move to, locate the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dns\Zones\< zonename >, where < zonename> is the domain (e.g. savilltech.com)
    3. Double click on the TYPE value and change from 2 to 1.
    4. Close the registry editor

    You should now be able to successfully start the DNS service

    C:\> net start dns

    The TYPE value can have one of two values,

    0x1 specifies Primary zone
    0x2 specifies secondary zone

    A fix for this can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/%20hotfixes-postSP3/dns-fix


    Q. How do I turn off Dynamic DNS? - Windows 2000 only

    A. By default, the TCP/IP stack in NT 5.0 Beta 2 (and later builds) attempts to register it's Host (A) record with it's DNS server. This makes sense in an all NT (Windows 2000) environment. But if you are using a static, legacy DNS server, the DNS guys might not like all the 'errors' this shows up on their server since the DNS servers will not understand these "updates".

    You will get errors such as:

    To make the clients stop attempting to publish their DNS names/addresses to the DNS server perform the following:

    1. Log on to each client as Administrator
    2. Start the registry editor (regedit.exe)
    3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    4. From the Edit menu select New - DWORD value
    5. Enter a name of DisableDynamicUpdate and press Enter
    6. Double click on the new value and set to 1. Click OK

    If you have multiple adapters in the machine you may not want to disable for all so instead of setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate to 1, set as 0 and then move to the sub key Interfaces\<interface name> and create the DisableDynamicUpdate value there and set to 1.

    If you needed to perform this on a large number of machines you should create a reg script or set from the login script.


    Q. How do I configure a forwarder on DNS 5.0? - Windows 2000 only

    A. If you create a DNS server on your network but are not the main DNS server, i.e. your company has a central main DNS server, you will want to forward queries your DNS server cannot service to that DNS server.

    This is because only certain servers in your network will have access to DNS servers outside your network (due to firewalls etc) and thus your (departmental?) DNS server cannot access the DNS servers higher up in the DNS hierarchy. To configure a forward perform the following:

    1. Start the DNS Management MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
    2. Right click on the DNS server and select Properties
    3. Select the "Forwarders" tab
    4. Check the "Enable forwarder(s)" box
    5. Enter the IP address of the DNS server and click Add
    6. Click OK
    7. Close the DNS Management snap-in

    Setting a Forward

    If you are missing the forwarder tab see Q. I am missing the forwarder and Root Hints tabs in DNS 5.0


    Q. I am missing the forwarder and Root Hints tabs in DNS 5.0. - Windows 2000 only

    A. This is caused if your server thinks it is the root server in the domain, and will hence have a "." zone. To enable the forwarder you need to delete this zone from your server:

    1. Start the DNS Management MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
    2. Expand the server, expand Forward Lookup Zones and select "."
    3. Right click and select Delete
    4. Click Yes to the confirmation
    5. Stop and Start the DNS manager and the tabs are available

    Delete the dot zone


    Q. How do I enable DNS round robin resolution?

    A. Recent Windows NT service packs introduced LocalNetPriority which tries to return Host resources that are local to the requestor instead of using round robin however round robin can be enabled as follows:

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    3. From the Edit menu select New - DWORD Value
    4. Enter a name of LocalNetPriority and press Enter
    5. Double click the new value and set to 0 to disable LocalNetPriority and re-enable round robin. Click OK
    6. Close the registry editor
    7. Stop and restart the DNS service

    Q. DNS resolution of a valid domain fails on NT.

    A. if you are running NT4 DNS with either SP4 or SP5 installed you may  find a domain that resolves on Unix DNS servers server times out when you do an NSLOOKUP on NT.

    This is a known bug and a Quick Fix Engineering patch for NT bug 267085 is available from Microsoft support or wait for SP6 to come out.

    Q. How can I force a Windows 2000 domain controller to re-register its DNS entries?

    A. To re-register the domain controller DNS entries perform one of the following:

    1. Stopping  & start the netlogon service which will reregister all SRV records in
      the netlogon.dns file.
    2. Netdiag /fix will also do this.
    3. Ipconfig /registerdns

    Q. I'm getting DNS zone transfer messages in the event log, is someone hacking me?

    A. No, don't panic, it just means someone is listing the content of a zone and this is fine since you are making the information publicly available anyway. To do this list see 'Q. How do I perform a DNS zone transfer?'

    If you want to stop people performing zone transfers start the Microsoft DNS Manager, select the Zone, go into the Properties for the zone and select the Notify tab. Check the "Only Allow Access for Secondaries included on the notify list".

    A typical event log is shown below:


    Q. How do I perform a DNS zone transfer?

    A. To list the content of a DNS zone perform the following commands (remember this does not actually remove any information from the host DNS server, it only lists it)

    C:\>nslookup
    Default Server: adm1.srv.uk.deuba.com
    Address: 10.142.10.2

    > set q=ns                Sets the query type to name servers
    > db.com                  The name of the DNS zone you wish to list
    Server: adm1.srv.uk.deuba.com
    Address: 10.142.10.2

    db.com nameserver = ns1.eur.deuba.com
    db.com nameserver = ns2.eur.deuba.com
    db.com nameserver = ns1.uk.deuba.com
    db.com nameserver = ns2.uk.deuba.com
    ns1.eur.deuba.com internet address = 10.70.136.140
    ns2.eur.deuba.com internet address = 10.70.137.140
    ns1.uk.deuba.com internet address = 10.141.39.181
    ns2.uk.deuba.com internet address = 10.140.8.12
    > server ns1.eur.deuba.com      Set the server to be one of those listed
    Default Server: ns1.eur.deuba.com
    Address: 10.70.136.140

    > ls -d db.com                  List out the zone
    [ns1.eur.deuba.com]
    db.com. SOA ns1.eur.deuba.com hostmaster.ose.eur.deub
    a.com. (1999091500 3600 1800 604800 1800)
    db.com. NS ns1.uk.deuba.com
    db.com. NS ns2.uk.deuba.com
    db.com. NS ns1.eur.deuba.com
    db.com. NS ns2.eur.deuba.com
    db.com. A 10.141.44.112
    db.com. MX 10 bmr1-e1.srv.uk.deuba.com
    testxyz CNAME ns2.eur.deuba.com
    atwork CNAME clust1v2.srv.uk.deuba.com
    search.atwork CNAME homepage.mev.eur.deuba.com
    phone.atwork CNAME nerys.x500.esb.eur.deuba.com
    www2 A 38.163.212.70
    www3 CNAME nyc00pah11.na.deuba.com
    infohost.herold A 193.150.167.33
    pmg NS ns1.eur.deuba.com
    pmg NS ns2.eur.deuba.com
    mgam CNAME clust1v2.srv.uk.deuba.com
    it.mgam CNAME clust1v2.srv.uk.deuba.com
    iis.mgam CNAME clust1v2.srv.uk.deuba.com
    etsg.mgam CNAME clust1v2.srv.uk.deuba.com

    Thats it, you have now listed out all the records in the zone.


    Q. What is WINS?

    A. WINS stands for Windows Internet Name Service. WINS is a NetBIOS Name Server that registers your NetBIOS names and resolves into IP addresses.

    If you're using NetBIOS over TCP/IP you will need to have WINS running so that each can find out the correct IP address of the other to communicate.

    Need to browse over an interdomain network? WINS!


    Q. How does WINS work?

    A. Once your machine is configured to point at a WINS server (and maybe a second backup WINS server);

    1. Upon startup, registers your NetBIOS name with WINS. This dynamic update means that you will ALWAYS get the name/IP mapping that is current.
      If there is already a machine out there with the same name, a request is sent to it by WINS. If it doesn't respond, you get the OK. If it is out there and alive, you get a negative name acknowledgment.
    2. Need to talk with machine XXX? Send a NetBIOS name query to the WINS server. (no broadcasts! no LMHOSTS!)
    3. If WINS finds a match, it will respond with the correct TCP/IP address of the target machine.

    Q. How do I set up WINS?

    A. WINS is a server service.
    Go to Control Panel->Network->Services and install the Windows Internet Name Service.

    If you have any non-WINS clients, add them in as static name->IP mappings.
    Configure a WINS Proxy Agent if needed.
    Configure WINS support on your DHCP server.

    NT Workstation TCP/IP->Properties->WINS add the IP address of the WINS server (and your secondary if you have one).


    Q. What is a WINS Proxy Agent?

    A. If you have non-WINS machines on your subnet and want them to be visible participants, you will want a Proxy Agent to be active within this subnet.
    A WINS Proxy Agent is a WINS client that allows non-WINS clients to participate, by listening for broadcast name requests and then forwards them to a WINS server. It then returns the result to the requesting client.

    Use a Registry Editor (e.g. regedt32.exe) to open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters and set the EnableProxy parameter to 1.


    Q. How do I configure WINS static entries for a non-WINS client?

    A. Go into WINS Manager (under Admin Tools)
    Mappings->Static Mappings->Add Mappings enter the NAME and IP ADDRESS of the machine in question. Under TYPE usually you'll just enter as Unique. Now click ADD.


    Q. How do I configure WINS to work with DHCP?

    A. If the computer is a DHCP client, then at the DHCP server, go into DHCP Administrator (Admin Tools) and add two new SCOPE options:

    1. 044 WINS/NBNS Servers - add the address of WINS server(s)
    2. 046 WINS/NBT Node - configure as 0x8 (H-Node)

    Q. How can I compress my WINS database?

    A. NT Server ships with a utility called JETPACK.EXE which can be used to compact DHCP and WINS databases. To compact your WINS database perform the following:

    1. Start a command prompt (cmd.exe)
    2. Enter the following commands
      cd %SystemRoot%\SYSTEM32\WINS
      e.g. cd d:\winnt\system32\wins
      net stop WINS
      jetpack WINS.MDB TMP.MDB
      net start WINS

    Note: While you stop the WINS service, clients using WINS to resolve addresses will fail unless another mechanism of name resolution is in place.

    Jetpack actually compacts WINS.MDB into TMP.MDB, then deletes WINS.MDB and copies TMP.MDB to WINS.MDB.

    For more information, see Knowledge base article Q145881 at http://support.microsoft.com/support/kb/articles/q145/8/81.asp


    Q. WINS Automatic Backup does not run every 3 hours.

    A. By default WINS backup will actually take place every 24 to 27 hours after the last backup completed.

    To work around this perform the following:

    1. Create a batch file that stops and starts the WINS service, e.g. WINSRSTR.BAT
      @net stop wins
      @net start wins
      exit
    2. Configure Wins to backup the database on exit
    3. Schedule the WINSRSTR.BAT to run at whenever you want the database backed up, e.g.
      C:\> at 22:00 cmd /c "%systemroot%\winsrsrt.bat"

    Q. WINS Log files are created in incorrect locations.

    A. The WINS service creates a number of log files, J50.log or J50.chk, in the %systemroot%\system32\WINS directory. This is normal.

    If these files are being created in other directories then it may cause a problem and stop the WINS service from starting. The log files can be created in different directories from one of the following reasons:

    If your system now has the log files in the wrong place and the WINS service will not start just copy the log files to the %systemroot%\system32\WINS directory and restart the service

    C:\> net start wins

    If the WINS service is running it will lock the file and you will not be able to delete them so you should perform the following:

    1. Stop the wins service
      C:\> net stop wins
    2. Backup the WINS data using the Backup Database function in the WINS manager
    3. Remove the files that are in the wrong directory and restore the data back to the directory
    4. Run JETPACK
    5. Restart the wins service
      C:\> net start wins
    6. Turn on Logging Enabled (WINS Manager - Server - Configuration - Advanced)

    Q. WINS server is not being queried for entries in LMHOSTS after Service Pack 4.

    A. Before Service Pack 4 a resolution request was always passed to a WINS server and only if no entry was found the LMHOSTS file checked.

    Under Service Pack 4 any entry in the LMHOSTS file that has the #PRE qualifier (preloaded) will be used and the WINS server not queried. Therefore if you have incorrect entries in your LMHOSTS file it will prevent the WINS server from being queried so you should therefore edit the file %systemroot%\system32\drivers\etc\lmhosts (e.g. d:\winnt\system32\drivers\etc\lmhosts) and remove the offending entries.


    Q. The Outlook/Exchange client takes a long time to start.

    A. Sometimes the protocol binding for Exchange can be wrong if more than one protocol is installed, for example if you have NetBEUI and TCP/IP installed, and you connect to the Exchange server via TCP/IP, you need to ensure TCP/IP is first in the binding order, otherwise Exchange will attempt to communicate via NetBEUI initially. To check/set perform the following:

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Exchange Provider
    3. In the right hand pane, double click Rpc_Binding_Order
    4. A dialog box will be shown containing a text string of the installed protocols separated by commas. You can move items, for example, you may want to move ncacn_ip_tcp (TCP/IP) to the front if you connect over TCP/IP. Make sure you keep them separated by commas!
    5. Click OK
    6. Close the registry editor
    7. Stop and start Exchange/Outlook

    Q. How can I stop Outlook dialing my Internet Account on Startup?

    A. Perform the following:

    1. Start the Mail Control Panel Applet (Start - Settings - Control Panel - Mail)
    2. Click the Services tab
    3. Select "Internet E-mail" service and click properties
    4. Click the connection tab
    5. Check the "Work Offline and use Remote Mail"
    6. Close the dialog boxes
    7. Reboot the machine

    Q. How do I install Exchange?

    A. The following instructions are to install Exchange 5.0

    1. Insert the Exchange CD-ROM into the computer
    2. Run <CD-ROM>\setup\i386\setup.exe (Start - Run)
    3. You may want to change the destination folder by clicking the "Change Directory" button
    4. Click the Custom Button
    5. Select the components you wish to install, you will only be able to install the Active Server Page extensions if you have IIS 3.0 with ASP installed.
    6. Click OK to continue
    7. Select your licensing method and click OK, check the "I agree" box and click OK
    8. Assuming this is the first Exchange server, click the "Create new site" and you should enter the organization and site name, click OK
    9. You need to select the Exchange admin account, by default the account you are currently logged on as will be displayed, however it is a good idea to have a separate Exchange Admin account (make sure it has "Log on as a service" and "Restore files and directories" rights). Enter the password for the account selected and click OK
    10. Once the installation is completed you will be asked if you want to run the optimizer utility, click "run optimizer" or exit.

    It is a good idea to have a large pagefile.sys when running Exchange, a good size would be the amount of memory plus 100.


    Q. How do I enable the Exchange Active Server Pages?

    A. This functionality is new in 5.0, and enables a user to view their exchange mailbox from an Internet browser, such as Internet Explorer or Netscape. Before the Exchange Active Server Pages extension can be installed, there are two pre-requisites

    NT Server 4.0 ships with IIS 2.0, therefore assuming you have not upgraded your system since then you will need to perform the following

    1. The upgrade to IIS 3.0 is part of Service Pack 3 for NT 4.0, therefore you should install this service pack
    2. Once the machine has rebooted install the Active Server Pages extensions (these are included on the Service Pack 3 CD-ROM, \winnt400\Iis30\Asp\I386\Asp.exe)
    3. Run the Exchange setup program and select Add/Remove components
    4. Check the box "Active Server Components" and click continue
    5. The setup program will then continue as normal

    Once this has finished, you will be able to connect to your Exchange mailbox by entering the URL

    http://<Exchange server>/exchange

    You then need to enter you Exchange alias and then click the "click here" text.


    Q. How do I use the Exchange Optimizer utility?

    A. After you install Exchange you are prompted to run the Exchange Optimizer utility, however it can also be run afterwards:

    1. From the Microsoft Exchange folder choose Microsoft Exchange Optimizer
    2. A dialog will be shown asking permission to stop the Exchange services, click Next
    3. Next the user and server configuration dialog will be shown and you should enter details of the number of users and how the server will be configured. Also a Limit memory option is available, by default Exchange will use as much memory as it needs, however if you have other apps running on the server you may wish to limit the memory Exchange can use, the minimum is 24MB, but you are recommended to use a limit of 32MB. Click Next to continue
    4. The application will then test your disks to decide where best to place the Exchange database files and then click Next
    5. A dialog will be shown with the new recommended file locations and click Next
    6. If files are being relocated then make sure the box on the new dialog is checked and click Next
    7. Finally click Finish

    Q. How can I convert mail system X to Exchange?

    A. Exchange is supplied with a migration wizard which can convert the following mail systems to Exchange

    The wizard is in the Microsoft Exchange folder and below is an example of converting a MsMail Postoffice

    1. Start the Migration Wizard (Start - Programs - Microsoft Exchange - Microsoft Exchange Migration Wizard)
    2. Select MsMail for PC Networks and click Next
    3. Click Next to the dialog box that explains how MsMail and Exchange can coexist
    4. Enter the Path to the MsMail post office and the Administrator account name and password for the Postoffice, then click Next
    5. Select "One step Migration" and click Next
    6. Select the type of information you want to import and click Next
    7. Click "Select All" to migrate all users and click Next
    8. Enter the name of the Exchange server to store the new accounts and messages. Click Next
    9. You will now need to select the type of access for the shares MS Mail folders, the common one is "Author access: read, create, edit items" and click Next
    10. Select the recipient container and template (optional), click Next
    11. Finally choose the type of passwords to create for the new Windows NT accounts that will be created from the MS Mail mailboxes. In a multi domain environment you must select the domain for the new accounts. Click Next to begin the conversion.
    12. A process box will be displayed showing the progress, once completed a dialog will be displayed and click OK to complete.

    Q. How can I create shortcut on the desktop with the "to" field completed?

    A. As you may be aware, if you enter the command
    exchng32 /n
    This creates a blank new message, however it is not possible to specify a qualifier containing information to the content. A workaround to this is the following

    1. Start Exchange/Outlook and create a new message
    2. Fill in information for the to: field, cc: field etc.
    3. Instead of sending select Save As from the file menu
    4. Select the Save As type as "Message Format" and enter a file name and location (the default extension is .msg). Click Save
    5. Start Explorer (Win Key + E, or Start - Programs - Explorer)
    6. Move to the directory you saved the Message Format file to and right click on the file
    7. While holding down the right mouse button drag to the desktop and release the button, from the context menu displayed select "Create shortcut here"

    If you now double click on the desktop message icon it will create a new message which you can edit and then send with information already filled in!


    Q. NT Server hangs at shutdown if User Manager is running.

    A. This is caused by an Exchange dll file which is used by User Manager, to fix this perform the following

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UMAddOns
    3. Click on Mailumx and click the DEL key
    4. Click yes to the confirmation

    Q. How can I send a mail message from the command line?

    A. You need to use the MAPISEND.EXE utility that is supplied with the Exchange Resource kit. The resource kit can be downloaded from http://www.microsoft.com/msdownload/exchange/rkintel/rkintel.htm and you need to download the AdminNT part.

    Once downloaded double click on the zip file and it will expand to a specified location. Copy the MAPISEND.EXE from the restored path (i386\admin\mapisend) to an area of your choice. The usage is simple as long as the exchange client is installed on the computer already (outlook is also OK).

    mapisend -u "<profile>" -p <anything> -r <recipient> -s "<subject>" -t <text file containing the message>
    e.g. mapisend -u "john savill" -p anything -r john@savilltech.com -s "Test message" -t c:\message\mail4.txt

    This is just an example usage, and you may not be sure what you profile name is so instead of using -u and -p, use just -i and this allows interactive login and will also allow you to create a profile which you can then use in future. The full list of switches are

    -u Profile name (user mailbox) of sender
    -p Login password
    -i Interactive login (prompts for profile and password)
    -r Recipient(s) (multiples must be separated by ';' and
    must not be ambiguous in default address book.)
    -c Specifies mail copy list (cc: list)
    -s Subject line
    -m Specifies contents of the mail message, this is ignored if -t is specified
    -t Specifies text file for contents of the mail message
    -f Path and file name(s) to attach to message
    -v Generates an 8 line summary of the sent message

    In all cases if the passing parameter is more than one word it should be enclosed in quotes.


    Q. What files does Exchange use?

    A. Below is a list of the more common files used by Exchange

    File Directory Use
    Priv.pat Pub.pat Mdbdata Patch files, safe to delete if no backup is taking place and no startup recovery is in operation
    Dir.pat DsaData Patch files, as above
    Dlv.log Snd.log Dlvxxxxx.log Sndxxxxx.log Mdbdata These are created when Sending and Delivering diagnostics logging for either the private and public information stores are set. These can be deleted at any time. Dlv.log and Snd.log are the most recent logs created.
    PUB.EDB PRIV.EDB MDBdata Information store
    DIR.EDB DSAdata Directory information
    EDB.LOG   Transaction Log
    EDB00nn.LOG   Previous Transaction Logs
    EDB.CHK   Check Point file
    RES1.LOG RES2.LOG   Emergency logs for when disk is full
    TEMP.EDB   In progress transaction

    Q. How can I change the location of my mail file in Outlook 98?

    A. Your messages are stored in a .pst file, and by default this is kept in your personal profile space (%systemroot%/Profiles/<user name>/Application Data/Microsoft/Outlook). This is fine unless you use roaming files which mean you mail file is stored on a central server taking up space.

    Fortunately moving you mail file is easy.

    1. Stop Outlook if it is running
    2. Move to you profile area and move your .pst file to another location (e.g. c:\savillj\outlook). Make sure the .pst file is no longer under your profile
    3. Start Outlook. It will give an error "The file <filename> could not be found". Click OK
    4. You can now browse to where you moved the file to. Select the .pst file and click Open.
    5. Outlook will then start as normal.

    What this actually does is update one registry key, HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\14780fd532f9d11181cc00600851c569\001e6700 and its value is the name and location of the .pst file.


    Q. How can I reduce the size of my mail file?

    A. When you delete files from your mail file the space is usually not cleared away and your mail file may actually grow! To reclaim the wasted space you can "compact" the mail database. The information below is for Outlook 98 but previous versions have similar functions.

    1. Start Outlook 98
    2. From the view menu select "Folder List"
    3. In the folder list pane right click on the root folder (Personal Folders) and select Properties from the context menu
    4. Click the Advanced button from the Personal Folders Properties dialog box
    5. Click the "Compact Now" button. The database will now be compacted
    6. Click OK to all dialog boxes to return to Outlook 98

    If you find the mail file has not been substantially reduced in size it may be there is no redundant information or you may need to run the compaction a couple more times as sometimes the process does not work 100%.


    Q. I have a bad message in my POP3 mail box , how can I remove it/read POP using TELNET?

    A. It is possible to connect to a POP3 mailbox using Telnet so you should connect via telnet and delete the problem message.

    1. Telnet to the pop3 mail server on port 110
      C:\> telnet <pop3 mail server> 110
      e.g. telnet pop.savilltech.com 110 (this does not exist so don't bother!)
      Once you connet you will get a +OK prompt
    2. Tell the pop3 server your username (the name you usually logon as)
      user john
    3. Now tell the server your password
      pass password
    4. You will now be logged in and to see how many messages you have enter the word STAT which will tell you the number and size of the messages.
    5. To get a list of each message type LIST.
    6. To view the contents of a message use
      retr <message number>
      or to view just the header type
      top <message number> 0
    7. Once you find the problem just delete it using the DELE comamdn
      dele <message number>
    8. Finally to exit just type QUIT

    This is obviously useful in a number of scerios and you could use it just to read you mail if you did not have access to a mail client.

    Below is an example of the above in action.

    Reading a POP mailbox using Telnet


    Q. How can I send mail to a SMTP server using Telnet?

    A. As with POP3, SMTP messages can also be sent using telnet by connecting to port 25 on the SMTP server, e.g.

    C:\> telnet smtp.savilltech.com 25

    Once connected you optionally announce to the server who you are (this is needed for some SMTP servers)

    helo <domain>
    e.g. helo savilltech.com

    vrfy <user account>
    e.g. vrfy john

    Once you are verified you can commence to write an e-mail message. The first command is mail and you specify who it is from, e.g.

    mail from:<billg@microsoft.com>

    The address has to be in <>. Next you have to specify who will be receiving the message using rcpt, e.g.

    rcpt to:<john@savilltech.com>

    The from and to have been completed you can start the body of the message using the data command. You have to create the header information in the first lines of the message. Once you have completed the message enter a '.' on a blank link and the message will be sent. Below is an example creating a message.

    Telnet SMTP send

    As you can see I entered a from, date, to and a subject and then entered the body of the text. Make sure you don't make a mistake as if you backspace this is enterpreted as a bad character and will be rejected. If a message is rejected a rejection will be send to the address specified in the "mail from:<...>" and for this reason you should only ever put your e-mail address. Although I have used a different address as a joke you should NEVER do this.

    Below is how the message looks when received in Outlook 98:

    Bill loves me :-)

    The above shows how easy it is to send a message and make it look from a different address but if you examined the header you would easily see it was sent from a different mail server and rumble its a fake (and a very bad one)!

    I shall be adding future entries describing how to STOP people sending mail from your server (as they probably can at the moment).

    For full information on SMTP and the commands you can use see Request For Comments 821.


    Q. Is there a list of known Exchange Directory and Information store problems?

    A. An excellent collection has been compiled and is located at http://support.microsoft.com/support/exchange/content/whitepapers/dsis.asp


    Q. How do I install Exchange Server 5.5?

    A. These instructions are to install the first Exchange Server in the Enterprise

    Before you install Exchange Server 5.5, two accounts need to be decided on. The first account is the account that you log on as when you perform the installation of Exchange as this account will be automatically granted the Exchange Administrator permission.

    The second account needs to be created and this will be used as the service account for running the Exchange Server services. Any name can be used, the most obvious would be "Exchange Service". To create this account perform the following:

    1. Start User Manager (Start - Programs - Administrative Tools - User Manager for Domains)
    2. From the User menu select New User
    3. Enter a name of "Exchange Service" with a password.
    4. Make sure you clear "User Must Change Password At Next Logon" and "Account Disabled", and check "User Cannot Change Password" and "Password Never Expires" is set
    5. Close User Manager

    Under Windows 2000 this would be set using the Active Directory Users and Computers MMC snap-in, expand the domain, right click on Users and select New - Users. Enter Exchange Service, click Next and then select the options as in step 4 and click Finish. I found under Windows 2000 I had to make the Exchange Service account a member of the local Administrators group on the server Exchange is being installed on.

    Also before installing make sure you have a complete backup of your system.

    Now you can start the installation.

    1. Logon to the server as the account you want to be the Exchange Administrator
    2. Insert the Exchange Server 5.5 CD-ROM
    3. Run Launch.exe off the CD-ROM if it does not start automatically.
    4. Select "Setup Server and Components"
    5. Select "Microsoft Exchange Server 5.5"
    6. The Exchange server Setup will then run. Click "Accept" to the license agreement.
    7. Select the installation type, typical, complete/custom or minimum. Click Complete/Custom. You could also change the installation directory if you wish by clicking "Change Directory".
    8. Select the components to install. Click Continue.
    9. Enter the CD-Key and click OK.
    10. Click OK to the Product ID dialog.
    11. Check the "I agree that" licensing dialog box and click OK.
    12. As this is the first Exchange server select the "Create a new site". Enter an Organization Name and a site name, e.g. SavillTech and London. Click OK.
    13. Click Yes to create a new site.
    14. You should then select the user account that you created as the Exchange Service account by clicking browse and enter the password you set. Click OK
    15. The rights 'Log on as a service', 'Restore files and directories' and 'Act as part of the operating system' will be granted to the Exchange Service account. Click OK to the notification dialog box.
    16. Files will then be copied.

    Once Installation is complete you should run the Microsoft Exchange Performance Optimizer (Start - Programs - Microsoft Exchange - Microsoft Exchange Optimizer). You will be given the option to run this automatically if installation is successful.


    Q. How do I run the Exchange Optimizer?

    A. Exchange ships with a utility that allows the program to gather information about the computer and make changes to the Exchange configuration to enhance performance. These performance enhancements are primarily gained by moving the files that make up Exchange to different physical disk drives.

    1. Start the Exchange Optimizer (either as part of the installation of Exchange or from the Exchange sub menu of Programs)
    2. Chose options for the server (see diagram below). You can always run this again at a later time if the configuration scaling changes.
    3. Disk analysis runs, click Next
    4. Recommended file moves displayed. Adjust or accept and click Next
    5. Select whether the optimizer should copy files automatically (by checking the "Move files automatically" box and click Next
    6. Services will then be restarted. Check the "Do not restart these services" if its not convenient. Click Finish
    7. Parameters will then be saved the were calculated by the optimizer, services stopped, files moved then services started again.

    Exchange Optimizer


    Q. What Service Packs are available for Exchange?

    A. Below is a list of the service packs available:

    Exchange 5.5

    Service Pack 2 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/Sp2/Server/

    Files to download:

    SP2_550A.EXE Server update for Alpha
    SP2_550I.EXE Server update for Intel
    SP2_55CA.EXE Chat server update for Alpha
    SP2_55CI.EXE Chat server update for Intel
    SP2_55DC.EXE Documentation
    SP2_55FO.EXE HTML Form Converter 
    SP2_55SS.EXE Server support files (cluster,KMS,etc)
    SP2_55XA.EXE Exchange connector installation(Alpha)
    SP2_55XI.EXE Exchange connector installation(Intel)
    SP2S550A.EXE Server symbols for Alpha
    SP2S550I.EXE Server symbols for Intel
    SP2S55CA.EXE Chat server symbols for Alpha
    SP2S55CI.EXE Chat server symbols for Intel
    SP2_55RE.EXE Readme and HTML file

    Service Pack 1 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/SP1/Server/

    Files to download:

    SP1_550A.EXE Server update for Alpha
    SP1_550I.EXE Server update for Intel
    SP1_55CA.EXE Chat server update for Alpha
    SP1_55CI.EXE Chat server update for Intel
    SP1_55DC.EXE Documentation
    SP1_55FO.EXE HTML Form Converter
    SP1_55SS.EXE Server support files (cluster,KMS,etc)
    SP1_55XC.EXE Exchange connector installation
    SP1S550A.EXE Server symbols for Alpha
    SP1S550I.EXE Server symbols for Intel
    SP1S55CA.EXE Chat server symbols for Alpha
    SP1S55CI.EXE Chat server symbols for Intel
    SP1_55RE.EXE Readme and HTML file

    Hotfixes post Service Pack 1

    PSP1STRI.EXE Store Fix

    Exchange 5.0

    Service Pack 1 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Sp1/Server/

    Files to download:

    SP1_500A.EXE Server update for Alpha
    SP1_500I.EXE Server update for Inter
    SP1S500A.EXE Server symbols for Alpha
    SP1S500I.EXE Server symbols for Intel

    Service Pack 2 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Sp2/Server/

    Files to download:

    SP2_500A.EXE Server update for Alpha
    SP2_500I.EXE Server update for Inter
    SP2S500A.EXE Server symbols for Alpha
    SP2S500I.EXE Server symbols for Intel

    Q. How can I retrieve mail from a POP3 mailbox and forward it to Exchange server?

    A. If your ISP does not support ETRN, then you have to use a third party utility to retrieve the mail from a POP3 mailbox. One of these utilities is Mail essentials Small Business (http://www.gficomms.com/). For one mailbox this is a freeware utility.

    A more complete listing of utilities can be found on http://www.slipstick.com/


    Q. How do I upgrade from Exchange 5.0 to 5.5?

    A. The Exchange 5.5 upgrade process actually performs a database upgrade before it actually copies any of the code of 5.5 to the server. This allows for a complete rollback in case the upgrade of the database fails. Below are the steps in performing the upgrade

    1. Start the setup.exe program as per a normal installation
    2. It will detect the existing installation and you will be asked if you want to Upgrade or Remove the existing installation. Click Upgrade
    3. A confirmation that the database will be reformatted is displayed. Click OK
    4. You will be shown the Database Upgrade Options. By default the Fault Tolerant Option is selected however this does require extra disk space as it makes a copy of the database and if the Fault Tolerant Option is not selected, you may not have enough drive space for this method. You may want to change the default location for the Fault Tolerant Upgrade temp files from the C:\TEMP location to a location on the database drive. Click OK to continue.
    5. The upgrade will progress. First the database will be upgraded (this may take up to 40 minutes per GB of original database). Next the code will be copied to the server, and finally the registry will be modified, the services installed, and other system changes will take place.
    6. The Exchange Services will then be re-started
    7. As with a normal installation, once completed you will be asked if you wish to run the optimizer utility.

    Q. How do I uninstall Exchange?

    A. To uninstall Exchange perform the following. Be aware you will lost all information.

    1. Run Exchange setup (setup.exe)
    2. Click "Remove All"
    3. Click "Yes" to the dialog box
    4. Click "Yes" to remove the shared components
    5. The files will then be removed
    6. Click OK to the remove complete confirmation

    Q. How do I install a duplicate Exchange server?

    A. With the concepts of sites in Exchange, it is possible to install multiple Exchange services in a site which will replicate to one another. Duplicates servers in a site provide fault-tolerance and load balancing. To install a duplicate server in a site perform the following. Servers within a site don't have to be in the same domain but should be connected by a fast connection, 128KB is the normal definition of a fast link.

    1. Logon as an Administrator of the domain currently hosting the Exchange service. If you logon as an account that does not have administrative rights on the current Exchange server you will be unable to add a duplicate server.
    2. Run Exchange's setup.exe
    3. Click Accept to the license agreement
    4. Setup will search for the installed components (such as IIS and ASP)
    5. Select the installation type. Click Custom/Complete Select the options and click OK
    6. Enter the product code number (xxx - xxxxxxx) and click OK
    7. Click OK to the displayed Product-ID that is generated by the setup program
    8. Check the "I agree that" for the licensing and click OK
    9. Select "Join an existing site" and enter the name the name of a server in the site you wish to join, e.g. Mars and click OK
    10. You will be shown details of the Exchange server on that site, including ORG name and site. Click Yes
      Exchange Site
    11. The service account currently used for the original Exchange Server will be shown, just enter its password (if this is on its own domain you should create a new service account for fault tolerant reasons (i.e. main domain controller not available)). Click OK
    12. Files will then be copied, services installed, registry updated and then the relevant services will be started. Once the Directory Service has started replication will occur between the sites. Once complete the other Exchange services will start
    13. Click OK to the replication dialogue box.
    14. You can then proceed to run Optimizer optionally as normal

    You now have a duplicate Exchange server in the specified site.


    Q. How do I connect Exchange sites?

    A. If you configure multiple sites by installing new servers and entering a different site name (but the same organizational name) you can connect the sites using Exchanges built-in site connector. To connect sites using the built-in connector they must be able to communicate via RPC calls and to test this see Q. How can I check if servers can communicate via RPC's?. Many routes actually filter out RPC's so it is important you perform this test.

    To add a connector between sites perform the following:

    1. Start the Exchange Administrator program on one of the servers (Start - Programs - Microsoft Exchange - Microsoft Exchange Administrator)
    2. You may need to choose a Exchange server to connect to
    3. Expand the server, expand the site name and finally expand Configuration
    4. Select Connections
    5. From the File menu select 'New Other' - 'Site Connector'
    6. Enter the name of the server that maintains the site you wish to connect to and click OK
    7. Information about the site that is hosted by the server and optional information can be entered. Once all details have been entered click OK. Information you may have to enter is in the Override tab which allows you to enter logon information for the connection if the sites are not in the same domain or part of a trust relationship.
    8. If there is no connection for vice-versa you will be asked if such a connection should be created

    The connection will now be visible under the Connections tab.


    Q. Exchange Security Knowledge Base list.

    A. Below is a list of useful Knowledge Base articles.

    1) How to install Exchange 5.5 with support for V1 and V3 Certificates for SMIME and Public/ Private Key encryption (Signing and Sealing Mail Messages). This uses the CA version 1.0 (Certificate Authority) in IIS 4.0 that comes in the NT 4.0 Option Pack. This requires the Updated CA Server. See these KB's.

    Q192044 Setting Up X509v3 Certs on Exch 5.5 SP1 KMS with Local CertSrv
    Q184695 Readme Notes for Certificate Server Update

    2) How to setup SSL/TLS between between Exchange Server 5.0 /5.5 and Internet Email Clients, POP3, IMAP4, NNTP, HTTP, SMTP.

    Q175439 XFOR: Enabling SSL For Exchange Server

    3) How to setup SSL/TLS between Exchange Server and other SMTP (non-exchange) host. This requires enabling SSL for the SMTP protocol first. See Q175439 for instructions, but select SMTP as the Protocol to be used in Key Manger.

    Q174755 XFOR: Connecting IMS to IMS with SASL

    4) When you use Microsoft Outlook Express to connect to Microsoft Exchange Server, version 5.0 with Service Pack 1 installed, the Information Store may stop responding (crash). Fixed in the Latest Service Pack.

    Q166627 XCLN: Outlook Express Crashes Store When SSL Is Used

    5) When trying to access a mailbox in Internet Explorer version 3.02 when the WWW Service for the Internet Information Server (IIS) computer is configured to use Windows (NTLM) authentication only, you may receive the following error message: The Login Request was Denied. Fix is to upgrade to IE 4.0 or use Registry Entry.

    Q173307 XWEB: "The Login Request was Denied" Error Message

    6) If you configure the Internet Mail Service on two Microsoft Exchange Server computers to use Secure Sockets Layer (SSL) without authentication, you may receive a non-delivery report (NDR) when you attempt to send mail from one server to another through the Internet Mail Service. The text of the NDR includes a 505 error and indicates that authentication is required for the message to be delivered. Fixed in the Latest Service Pack for 5.5.

    Q181481 XFOR: Non-Delivery Report When Using SSL Without Authentication

    7) On July 17, 1998 Microsoft released an updated version of Schannel.dll. This latest version provides the following benefits: Updates the SChannel.dll used by IIS and Exchange Server for Encryption. See article for Details.

    Q148427 Generic SSL (PCT/TLS) Updates for IIS and MS Internet Products
    Q181937 Latest SGC-Enabled Schannel.dll Breaks IIS 3.0 Key Manager [iis]

    8) Microsoft Proxy Server is designed to work well with other servers like Microsoft Exchange Server. Most Windows Sockets server applications are able to use the server proxy feature while installed on or behind the Proxy Server. Certain additional advanced settings may be required, based on your particular internal server configuration.

    Q181420 How to Configure Exchange or Other SMTP with Proxy Server
    Q187652 Accessing Data Published Behind MS Proxy Server 2.0
    Q178532 Configuring Exchange Internet Protocols with Proxy Server
    Q177153 Additional Proxy Server 2.0 Configurations [proxysvr]

    9) This article discusses the known TCP/IP ports (TCP and/or UDP) that are used by services within Microsoft Windows NT version 4.0 and Microsoft Exchange Server version 5.0 and 5.5.

    Q150543 WinNT, Terminal Server, & Exchange Services Use TCP/IP Ports [crossnet]

    10) Microsoft Exchange Server versions 5.0 and 5.5 support a variety of Internet-focused protocols, including POP3, HTTP, LDAP, and NNTP. This article explains the different authentication forms for each protocol.

    Q175440 Protocol Authentication on Exchange Server [exchange]


    Q. How do I configure Exchange Directory Replication?

    A. Once you have connected sites by a connector, be it Exchange, X.400 or Dynamic RAS, no data will be replicated until you configure the directory replication. You must have defined connections between the sites before Directory Replication can be configured.

    To configure Directory Replication perform the following:

    1. Start the Exchange Administrator Program (Start - Programs - Microsoft Exchange - Microsoft Exchange Administrator)
    2. Expand the tree and expand the site, e.g. Operations, select Configuration then select Directory Replication
    3. From the File menu select 'New Other' and select 'Directory Replication Connector'
    4. The first dialog allows you to select (from a dropdown) the remote site name (only sites that are connected via a connector will be shown). You should enter the name of an Exchange server in the selected site. You also should leave the defaults of "Configure both sites". Click OK
    5. The general tab of the Directory Replicator will be displayed. You may enter an Administrative note if you wish. You may click the Schedule tab to select how often Directory Replication takes place. Selecting Always means changes will be replicated as they happen, this is OK if you don't care about bandwidth usage. Click OK.

    The Directory Replicator between the sites is now configured and can be modified by double clicking on the replicator as part of the Directory Replication folder.


    Q. How do I monitor an Exchange link?

    A. It is possible to install link connectors which can be configured to perform a number of actions in the event of a link failure.

    1. Start the Exchange Administrator program
    2. Select the Monitors folder of the Configuration folder of the site
    3. From the File menu select 'New Other' - 'Link Monitor'
    4. Under the General tab you must enter a Directory Name which is a 64 character name identifying the monitor, a Display Name which will be shown in the Exchange Administrator application, a log file specified and how often the link should be checked (polled).
      Exchange Monitor
    5. Under the Notification tab you can add notification methods such as an e-mail, start a process or write an event log by clicking the 'New' button. You will also have the opportunity to test the method specified by clicking the Test button. Click OK to the notification dialog box.
    6. Under Servers you should select the Servers to Monitor in the left hand box and click Add, they will then be shown in the 'Monitor Server' area.
    7. The Recipients tab is used with non-Exchange servers that support "mail bounce" whereby a mail is sent to the server and a reply is expected back.
    8. The Bounce tab allows the times considered reasonable for a round trip.
    9. Once happy click OK

    Q. How do I delete a server from an Exchange site?

    A. If you have multiple servers in a site and a server no longer exists you can delete it from the Exchange Administrator program by performing the following:

    1. Start the Exchange Administrator Program
    2. Expand the site name, e.g. Legal, expand Configuration then Servers
    3. Select the server you wish to delete and press the DEL key
    4. A check will be performed that the server can't be found
    5. Once the server is not found accept any of the dialogs

    The server will now be removed.


    Q. How do I setup an Exchange forward?

    A. A forward can be configured in a number of places. The first place is at the Exchange server:

    1. Start the Exchange Administrator program
    2. Select the Recipients folder of the site, e.g. Operations\Recipients
    3. From the File menu select 'New Custom Recipient'
    4. Select 'Internet Address' (to forward to an Internet address) and click OK
    5. Enter the E-mail address, e.g. colin@travers.com and click OK
    6. You will then be shown the normal recipient dialog where you can enter a name etc. The option to set an NT account will not be shown. Once you have entered all details click OK

    People will now be able to send mail to this person and it will be forwarded accordingly.

    You could also in Exchange Administrator setup a Custom Recipient (as above), then in the Delivery Options for your mailbox set an Alternate Recipient which points to the Custom Recipient that you just created. Select the "Deliver messages to both recipient and alternate recipient" checkbox. In the properties for the custom recipient you can select the option to hide it from the address list.

    Other options that can be done at the client end include


    Q. How do I configure a X.400 Exchange connector?

    A. Aside from the native Exchange Connector, the X.400 connector is the most common Exchange connector, allowing Exchange to connector to non-Exchange systems. While X.400 suffers a 20% drop in performance in comparison to the native Exchange connector it is still impressive.

    X.400 is a common standard and Exchanges implementation is based on the 1988 standard. X.400 operates on the MTA stack and has to be installed before installing a X.400 connector. MTA stacks are available for TCP/IP, X.25 and TP4. It is available for RAS as well but that stack does not support X.400. In this walkthrough we will look at implementing X.400 over TCP/IP.

    Only Exchange Enterprise edition has the X.400 connector and not the standard edition (also Enterprise has the SNADS and OV/VM(PROFS) connectors which standard does not have). If you only have standard edition and require X.400 connector you will need to upgrade or purchase the X.400 connector as a separate product from Microsoft.

    The first step is to install the MTA transport stack

    1. Start the Exchange Administrator program
    2. Select 'New Other' - 'MTA Transport Stack' from the File menu
    3. Select "TCP/IP MTA Transport Stack" from the list and the local server and click OK
    4. A dialog for the configuration of MTA will be shown. You can leave the OSI information blank. Under the Connectors tab leave blank. Make sure you enter a display and directory name. Click OK

    If you find you don't have a number of MTA stacks check you installed the X.400 connector at installation time. Re-run setup and click Add/Remove. Select Exchange Server and click Change Options. Check the "X.400 Connector" box and click OK. Click Continue. You will now be able to install the TCP/IP MTA stack.

    Now the MTA stack is installed you can install the actual X.400 connector and configure it accordingly.

    1. Start the Exchange Administrator program
    2. Select the Connections container of the required site to add the connection too
    3. Select 'New Other' - 'X.400 Connector' from the File menu
    4. Accept the default "TCP/IP X.400 Connector" and click OK
    5. The X.400 configuration dialog will be displayed. Under the General tab enter a display and directory name (this can be any string of text). You should enter the remote MTA name (and a password if required) which is used to identify the Message Transfer Agent on the other host/site.
    6. Click the Schedule tab to configure replication settings
    7. Select the Stack tab to enter the IP address of name of the system to connect to. Again you can leave the OSI information blank.
    8. Use the Override tab to specify a different local MTA name/password
    9. Connected sites is only used when connecting Exchange sites via X.400.
    10. If you don't enter anything under Connected Sites you must configure an address space under the "Address Space" tab
    11. Delivery Restrictions and Advanced all along other non-essential settings to be set
    12. Once all information is entered click OK

    You now have a functionality one-way X.400 link. You would now need to repeat the above for the opposite directory.


    Q. How do I allow a user to administer Exchange?

    A. When Exchange is installed the user who performs the installation is granted Exchange Administrator rights. To grant additional users the ability to administer Exchange perform the following:

    1. Logon as an Exchange administrator
    2. Start the Exchange Administrator program
    3. Select the site whose permissions you wish to modify
    4. From the File menu select Properties
    5. Click the Permissions tab
    6. Click Add and select the user (or group) to whom you wish to grant Exchange Admin rights
    7. Once usrs have been selected click OK. You now choose the role, e.g. "Permissions Admin" and click OK

    The user (or group) will now have the granted rights to Exchange. You may want to create a group, e.g. Exchange Admins, grant this access in Exchange, then Add/Remove users to this group.


    Q. How do I grant permission for people to create top level public folders?

    A. By default all users can create top level folders however this can be changed if you would like to restrict this

    1. Start the Exchange Administrator program
    2. Expand the site and select Configuration
    3. Select "Information Store Site Configuration" and select Properties from the File menu
    4. Select the "Top Level Folder Creation" tab
    5. You will notice that under "Allowed to create top level folders" All is selected by default. Change this to list and click the Modify button
    6. You will be shown a list of Exchange mail boxes, select the ones that should be allowed to create top-level folders and click OK
    7. Click Apply then OK

    Exchange top level creation
    - Setting top level folder creation access

    Alternatively you could have left is as All and modified the list of people who should not be able to create top-level folders.

    If people are still logged in they will be able to continue to create top-level folders until they close Outlook/Exchange and restart it.


    Q. How do I create public folders?

    A. Public folders are administered/created using the 32-bit Exchange clients such as Exchange and Outlook.

    To create a top-level public folder perform the following:

    1. Start the Exchange client
    2. From the View menu select "Folder List" if not already enabled
    3. Expand "Public Folders" and double click on "All Public Folders"
    4. From the File menu select New - Folder
    5. In the dialog enter a name and click OK
    6. You can also have an optional shortcut created on the Outlook bar at this point by clicking Yes to the "Add shortcut to Outlook Bar" dialog (if you have the Outlook Bar visible)

    To create non-top level folders just select the folder that you wish to be the parent and select New - Folder from the File menu. You will then be able to name the sub-folder as with above.


    Q. How do I connect my Exchange server to a SMTP server?

    A. Exchange Server 5.5 ships with the Internet Mail Service which allows Newsgroup feeds and, among other things, connections to a SMTP mailbox.

    You will need a connection method to the SMTP mailbox, for example a RAS dial-up connection to an ISP. If you are connecting via a firewall make sure the ports used by POP and SMTP and not disallows (ports 25, 110 and 995).

    Before doing any of this you should ensure DNS is correctly configured for you local domain (or this may be done by the ISP) by adding a MX record for the Exchange server in DNS (this is not needed if you are connecting via a RAS dial-up connection and just connecting to a specific host).

    In this example we will connect to a SMTP mailbox at a ISP.

    1. Start the Exchange Administrator program
    2. Expand the root, select your site then expand that, expand Configuration and select the Connections container
    3. Select "New Other" - "Internet Mail Service" from the File menu
    4. Click Next to the introduction dialog
    5. Click Next to the dialog outlining the steps that should have been completed (DNS configuration etc)
    6. Select the Exchange server that will have the IMS installed and check the "Allow internet mail through a dial-up connection". Click Next
    7. Select a phone book entry and click Next
    8. Check the "Route all mail through a single host" and enter the TCP/IP address or hostname of the host, e.g. SMTP.DIAL.PIPEX.COM. Click Next
    9. Check the "All internet mail addresses" and click Next
    10. Next specify the name that should appended to the mailbox names, e.g. ntfaq.com. Click Next
    11. Select the mailbox to be used to send notification/non-delivery reports to. Click Next
    12. Enter the Exchange Service account password and click Next
    13. A number of changes will occur and an extra service added.

    To configure items such as the dial-up account username and password double click on "Internet Mail Service" under Configuration\Connections, select the Dial-up Connections tab and click Logon Information. From this tab you can also configure time-out and how ofter to dial out.

    If you have problems try applying Service Pack 1 which I found fixes a number of problems.


    Q. How do I connect my Exchange server to a NEWS feed?

    A. Exchange Server 5.5 has the ability to accept a news feed and publish to the Public Folders area. It can also be configured to post back any articles posted by your networks user to the appropriate news server.

    1. Start the Exchange Administrator tool
    2. Expand the sites, expand Configuration and select Connections
    3. From the File menu select "New Other" - "Newsfeed"
    4. Click Next to the welcome dialog
    5. Select the Exchange server to install from the drop down list and enter a USENET site name (you can except the default which will be <sitename>.<domain>, e.g. operations.savilltech.com. Click Next
    6. Select the type of newsfeed, inbound and output, inbound only or outbound only. You also need to specify the type of feed, push or pull. Push means you wait for incoming to be send to you, pull means at a scheduled interval you go and grab the news posts off of the news server. Click Next.
    7. Select the connection type, Lan or dial-up. If dial-up you will need to select a RAS phonebook entry and enter the connection username and password (if it supports CHAP) or make sure you have an automated script configured. Click Next
    8. Next select how often to connect to the news server, 15 minutes, 1 hour, 3 hours, 6 hours, 12 hours or 24 hours. You can change this to be more specific later if you wish. Click Next
    9. Enter the USENET site name, e.g. msnews.microsoft.com. Click Next
    10. Enter the IP address or hostname of the news server. Click Next
    11. If you require a password to connect to the news server enter it here otherwise leave it blank and click Next
    12. Click Next to the summary dialog
    13. Select an Internet News administrator by clicking the Change button and click Next
    14. Next you have to tell the configuration program where to get a list of newsgroups on the server. You can choose to import from a current file, download now or to configure it later. Click Next. If you select "Download Now" after you click Next it will connect (if via RAS it will dial out) and retrieve the news list. This could take a while depending on the news server.
    15. You will then be shown all the newsgroups available and you should select which branches you wish to download messages from as part of your feed. To select just click one and click Include, the icon for the newsgroup will change. When finished click Next
    16. Click Finish

    It will now connect for the first time and get an initial feed for all newsgroups selected.

    Exchange News feed
    - Always download the Exchange Admin newsgroup :-), don't we all?

    Clients will now be able to view via the Folders List in Outlook, Public Folders - All Public Folders - Internet Newsgroups - microsoft .....

    Reading News

    You can change any details but double clicking on the appropriate Newsfeed entry under Connections. For example click Schedule allows you to specify how often to connect at certain times of the day/days of the week.

    If you are connecting via dial-up you can change the time-out parameter as follows:

    1. Start the Exchange Administrator program
    2. Select the site, then expand Configuration and select Protocols
    3. Double click on "NNTP (News) Site Defaults"
    4. Select the "Idle Time-out" tab
    5. Change the close idle connections value (between 10 and 32767) and click Apply then OK

    Q. What web sites have good Exchange information?

    A. Below are a list of some of the best sites I have found

    Good Downloads are:


    Q. How do I download to Exchange from multiple POP3 mail boxes?

    A. Exchange does not really support the downloading of mail from POP3 since you would be asking a Server to act like a client. A 3rd party piece of software called PULLMAIL which can be downloaded from http://www.swsoft.co.uk/pullmail can be used to download from a POP3 mailbox and deposit in an Exchange mailbox. Using the command procedure below it can be made to download from multiple POP3 mailboxes and depost in the correct mailbox.

    Enter the following into file getmail.cmd and save.

    @ECHO OFF
    TITLE GetMail

    REM getmail.cmd 20-Aug-1997 Luke Brennan
    REM
    REM Get the POP3 mail in POP3 accounts and deposit into
    REM EXCHANGE accounts
    REM
    REM uses the PULLMAIL program from -> http://www.swsoft.co.uk/pullmail
    REM PULLMAIL specific Info/support -> pullmail@swsoft.co.uk
    REM general enquiries -> mark@swsoft.co.uk
    REM

    SET POPUSERS=%SystemRoot%\POPUSERS.DAT
    SET PARSEARG="eol=; tokens=1,2,3,4* delims=, "

    REM RASPHONE -d OzEmail
    For /F %PARSEARG% %%i in (%POPUSERS%) Do PULLMAIL %%i %%j %%k /to:%%l
    REM RASPHONE -h OzEmail

    REM
    TITLE Command Prompt

    The next step is to create the file that GETMAIL.CMD will read in, POPUSERS.DAT. Below is an example. GETMAIL.CMD expects to find the file in the %systemroot% directory (e.g. d:\winnt) however you can change that by altering the "SET POPUSERS=.." line.

    POPusers.dat
    ; space or comma delimited file
    ; 1. ISP pop server 2. POP3 account 3. POP3 password 4. EXCHANGE username
    ;
    savcom.demon.co.uk rita pass savillr
    cello.cchs.usyd.edu.au brennan ###### LDB
    savill.pipex.co.uk johnsavill pass savillj


    Q. How do I install the Key Management Server?

    A. Key Management Server allows secure e-mail via both signed and encrypted messages. To install perform the following:

    1. Log on the Exchange server as an Exchange Administrator
    2. Insert the Exchange Server 5.5 CD
    3. Run the Exchange SETUP.EXE
    4. Click Add/Remove
    5. Select "Microsoft Exchange Server" and click Change Option
    6. Check "Key Management Server" and click OK
    7. Click Continue
    8. Enter the site services account and password and click OK
    9. You now have an option for the special start password to be displayed (only once) and you need to securely store it and enter it every time you start, or select this to write to a floppy disk and a backup copy and click OK.
    10. If you selected write to disk you will be asked where to write to. By default it is A: however you can change this to a permanent drive. If you do permanently store it then anyone will be able to have the secure KM password.
    11. The setup will complete. You should now reinstall any service packs installed.

    You will notice whether you choose to store the password a single file kmserver.pwd will be created with a single word in, for example:

    SWOBRQSBQZPSPQC

    The final step is to configure the Key Management service to start automatically at reboot time.

    1. Start the Services Control Panel applet (Start - Settings - Control Panel - Services)
    2. Select "Microsoft Exchange Key Management Server"
    3. Click Startup
    4. Select Automatic and click OK
    5. You can also choose to start now by clicking Start. You will have to enter the disk containing the password or manually enter the password.

    Q. How do I manage the Certificate Authority of Key Management Server?

    A. This is managed through the Exchange Administrator program as follows but make sure that the Microsoft Key Management service is running (Start - Settings - Control Panel - Services)

    1. Start the Exchange Administrator Program
    2. Expand the sites and select Configuration
    3. Double click on CA
    4. You will be asked for the password. If this is the first time enter "password" (lowercase, no quotes). You can also select for it to save the password for up to 5 minutes to avoid having to retype it in the short term. Click OK
    5. Once logged in various functions can be performed

    To change your CA password perform the above then:

    1. Select the Administrators tab
    2. Click "Change My KM Server Password"
    3. Enter the current password and set a new one. Click OK
    4. Click OK to the main dialog

    You can also add new KM administrators from the Administrators tab


    Q. How do I enable advanced security for a user?

    A. By default users do not have advanced security after GM server is installed. To enable for a user perform the following actions

    1. Start the Exchange Administrator program
    2. Select the site and select the Recipients container
    3. Double click on the mailbox who you want to enable advanced security for, e.g. Garfield
    4. Click the Security tab. You will be asked for your KM server password, only KM administrators can view the security tab, not just normal Exchange administrators. Enter the password and check the "Remember box" if you want to make multiple changes to mailboxes and don't want to retype the password everytime
    5. You will notice the current status is "Undefined". Click the "Enable Advanced Security" button
    6. A dialog will be shown with the temporary key or it will be mailed to the user depending on your options and configuration. Click OK

    To allow the key to be sent via e-mail to the user perform the following:

    1. Start the Exchange Administrator Program
    2. Expand the sites and select Configuration
    3. Double click on CA
    4. Select the Enrollment tab
    5. Check the "Allow email to be sent to the user" box
    6. You can also change the welcome message that is sent by clicking "Edit Welcome Message"
    7. Click OK

    Now notify the recipient to read their mail or give them the password and they should perform the following:

    1. Start the Outlook client
    2. Select Options from the Tools menu
    3. Select the Security tab
    4. In the "Secure email" area click "Change Settings"
    5. Click "Get a Digital ID" in the "Digital IDs" section
    6. Select "Set up Security for me on the Exchange Server" and click OK
    7. Enter the password and click OK
    8. Click OK to the confirmation dialog
    9. The client will then be sent a reply message. Open the message and click OK to all dialog boxes and then Yes to the installation of the Certificate.

    Install Key
    - Hmmm, looks like a year 2000 problem!

    Options for which security to use, signing or encryption can be set using the Security tab of the clients Options dialog or on an individual message basis by clicking the Options button.


    Q. How do I automatically create an Exchange mailbox for all members of the domain?

    A. Exchange can import users from a comma-separated-file (CSV) of the format:

    Obj-Class,Common-Name,Display-Name,Home-Server,Comment
    Mailbox,Administrator,,~SERVER,Built-in account for administering the computer/domain
    Mailbox,batman,Bruce Wayne,~SERVER,
    Mailbox,denise,denise van outen,~SERVER,
    Mailbox,Exchange Service,Exchange Service,~SERVER,
    Mailbox,Guest,,~SERVER,Built-in account for guest access to the computer/domain
    Mailbox,IUSR_ODIN,Internet Guest Account,~SERVER,Internet Server Anonymous Access
    Mailbox,IWAM_ODIN,Web Application Manager account,~SERVER,Internet Server Web Application Manager identity Mailbox,krbtgt,,~SERVER,Key Distribution Center Service Account
    Mailbox,MTS_ODIN,MTS_ODIN,~SERVER,Transaction Server system package administrator account

    Exchange has the ability to generate this file from either a NT domain listing or a NetWare account list.

    1. Start the Exchange Administrator Program
    2. From the Tools menu select "Extract Windows NT Account List" (also notice the NetWare option)
    3. Select the domain and a domain controller and click the browse button to select a directory and filename for the output. Click OK
    4. A summary will be shown listing any errors encountered. Click OK

    The file generated has ALL accounts in the domain (as can be seen in the example), for example Exchange service accounts, guest account, IIS accounts so you may want to edit the file generated and remove the lines for whom accounts should not be created.

    Once the file has been edited to satisfaction perform the following:

    1. Start the Exchange Administrator Program
    2. From the Tools menu select "Directory Import"
    3. Select the Windows NT domain and the MS Exchange Server. You can also select the container however you should leave this as the default "Recipients"
    4. Click the "Import File" and enter the location and name of the .CSV file created earlier. You can also select to create a Windows NT account however since these accounts were generated by a domain listing its not needed. Click the Import button
    5. The file will be read in and mailboxes created. Again a summary will be displayed showing any errors.

    Exchange Domain import
    - Example Import from Domain file

    Every member of your domain now has a mailbox on the Exchange server. In larger domains with multiple Exchange sites you may edit the file and import some people into one Exchange site and others into a different site depending on their geographical location.


    Q. How do I avoid having to enter the Key Management password?

    A. If you have the Key Management Server installed each time you start the KM service you have to either insert a disk with the password on or manually enter it depending on your configuration.

    It is possible to configure the service to look on the hard disk although this is not recommended due to security reasons however on development systems this may be OK.

    1. Create a directory on your local harddisk (or you could use an existing directory)
    2. Copy the file kmserver.pwd from the floppy disk created to the local directory, e.g. d:\exchsrvr
    3. Start the registry editor (regedit.exe)
    4. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\KMServer
    5. Double click on MasterPasswordPath
    6. Change from A:\ to the directory, e.g. d:\exchsrvr. Click OK
    7. Close the registry editor

    Next time the service is started it will look for the password file on the local harddisk and not prompt for a disk to be entered.


    Q. I archived some .pst files to a CD-ROM but unable to load the files.

    A. When Outlook opens a PST file it needs write access so you will be unable to load a file from a read-only media such as a CD-ROM drive.

    To resolve simply copy the file to a writeable media and read accordingly.

    Messages can be send to a .pst file by using Outlooks archive function. To open with Outlook 98 select File - Open - Personal Folders File.

    If you store the PST files in a ZIP file on a CD they can be accessed (as when you access a ZIP file it is decompressed locally which would be writable).


    Q. How can I limit Exchange mailbox size?

    A. Exchange comes built in with the ability to limit and notify of quota violations.

    To set the limits perform the following:

    1. Start the Exchange Administrator Program
    2. Expand the organisation, then the site and then the servers branch
    3. Expand the server whose quota's you wish to set, select "Private Information Store". Select Properties from the file menu
    4. Select the general tab
    5. You can set a policy for the keeping of deleted items (this is useful if you have users who delete mail they wanted to keep and will save you having to fish out a backup. Be careful of setting the "Don't permanently delete items until the store has been backed up" as if backups are not often this could affect performance badly.
    6. The bottom half of the dialog allows you to set actions for quotas, namely
      - A warning to be issued, e.g. 900 KB
      - Stop the user sending mail, e.g. 1100 KB
      - Stop the user receiving mail, e.g. 1500 KB
    7. Click Apply then click OK

    Exchange Quotas

    Individual limits can be set for users by double clicking on them under the Recipients branch and selecting the "Limits" tab. Under "Information Store storage limits" sections unselect the "Use information store defaults" and set explicit values for the user. Useful for your own mailbox ;-)

    Now the values for the warning have been configured you must tell the system how often to warn the mailbox owner.

    1. Start the Exchange Administrator Utility
    2. Expand the organisation and site
    3. Expand Configuration
    4. Double click on the "Information Store Site Configuration"
    5. Select the "Storage Warnings" tab
    6. Select the warning level, either never, always (which is every 15 minutes) or at Selected Times.
    7. Click Apply then OK

    If a client exceeds the limit they will be given warnings to the effect of

    Quota gone bad :-)

    If the client does not have the helpful Office Assists enabled they will just get a normal dialog box.

    A message from the "System Administrator" with the conditions of the mailbox quotas will also be sent:

    Your mailbox has exceeded one or more size limits set by your administrator.
    Your mailbox size is 1518 KB.

    Mailbox size limits:
    You will receive a warning when your mailbox reaches 900 KB.
    You cannot send mail when your mailbox reaches 1100 KB.
    You cannot send or receive mail when your mailbox reaches 1500 KB.

    You may not be able to send or receive new mail until you reduce your mailbox size. To make more space available, delete any items that you are no longer using or move them to your personal folder file (.pst). Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit. You must empty the Deleted Items folder after deleting items or the space will not be freed.

    See client Help for more information.


    Q. How can I limit message sizes in Exchange?

    A. Maximum size limits can be set on the Message Transfer Agent (MTA) for inter server traffic by selecting the General tab of the MTA configuration dialog of the server. The message would then be returned to sender in the event of the message being to large however for the people on the same server this limit is not used.

    Limits can also be set on a per user basis for all traffic:

    1. Start the Exchange Administrator Program
    2. Expand the Organisation and select the Recipients branch
    3. Select the user and select Properties from the File menu
    4. Select the Limits tab
    5. Its then possible to set outgoing and incoming maximum message sizes
    6. Click Apply then OK

    Limit size
    - Setting the maximum outgoing size to 2MB


    Q. How can I undelete mail in Outlook?

    A. When you delete an item from the Outlook client (and its been removed from the Deleted Items folder) it is actually kept on the Exchange server for a set amount of time (Exchange Server 5.5 and above only), obviously this only applies if the mail is from an Exchange server, if you use Outlook to download from POP3, IMAP etc this does not work. Mail and can be recovered as follows:

    1. Start the Outlook client
    2. Select the "Deleted Items folder"
    3. Select "Recover Deleted Items" from the Tools menu
    4. Select the message and click the "Recover selected message" button
    5. Close the dialog
    6. The message will be added to the "Deleted Items" folder

    Message Recover

    To change the number of days Exchange stores deleted items for perform the following:

    1. Start the Exchange Administrator Program (Start - Programs - Microsoft Exchange - Exchange Administrator Program)
    2. Expand the Org, site, Configuration, Servers and select the server
    3. Select Private Information Store and select Properties from the File menu
    4. Select the General tab
    5. Under "Item Recovery" select the number of days to keep deleted items for. You can also select to not delete items until the store has been backed up
    6. Click OK
    7. Close the Exchange Administrator Program
    Keep Exchange messages

    Q. What workflow software is available for Exchange server?

    A. Workflow software is a tool to manage and automate business processes such as order processing, purchasing, support and sales.

    Using Microsoft Exchange Server or an SMTP/POP3 server and third party workflow software, you can easily implement powerful workflow applications that will streamline and decrease the cost of a business process.

    There are several third party workflow packages available for Exchange server. A few of them are

    For a complete list please go to http://www.exchangesoftware.com/ or for more information on workflow, go to http://www.workflowsoftware.com/.


    Q. How do you add an additional Global Address Book or another view to the global address book?

    A. This would be useful so, for example, you could separate out vendors email addresses (internet mail) from your actual post office users.

    This can not be done easily.

    You would have to create Address Book Views. This would divide GAL any way you wanted based on criteria that you provide.

    But you have to assign search rights to everyone and if you make one mistake, NO ONE will be able to see anything of Address lists

    Here is the procedure for setting up Container Level Search Control using Address Book Views. This allows you to create virtual Exchange Server organizations within a single Exchange Server organization or site. This is useful if you have multiple companies or departments within one Exchange Server organization and you want to prevent these companies or departments from viewing the mailboxes of other companies or departments in the Global Address List.

    To set up Container Level Search Control using Address Book Views, perform the following steps:

    1. Set up an anonymous account in the properties of the DS Site Configuration object in the Exchange Administrator program. This can be any Windows NT account.
    2. Open User Manager for Domains and create Global Groups for each department or company (depending on how you wish to separate the organization). Add the respective Windows NT User Accounts to each Global Group. These will be needed for step 4.
    3. Set up an Address Book View. You can use any name for the Display and Directory names. Click the Group By tab in the properties for the new Address Book View, and choose either Company or Department for the Group items by: field (this depends on how you wish to separate the organization).
    4. Open the newly created Address Book View so that you can see the separate companies or departments listed below it. Open the properties of each of these, click the Permissions tab, and add the respective Global Group created in step 2 to the Windows NT accounts with permissions with a role of Search.
    5. In the Exchange Administrator program, click Tools then Options. Click the Permissions tab. Ensure that the two check boxes that read "Show Permissions Page for all objects" and "Display Rights for Roles on Permissions page" are checked.
    6. Open the properties of the Organization object and click the Properties tab. Add the Search right to the Exchange Service Account.

    NOTE: Before changing the rights of the Exchange Service Account, make sure that at least one other Windows NT account or group has at least the Permissions Admin Role on the Organization object.

    After you perform these steps, you should be able to log on to an Exchange Sever mailbox. Open the Address Book and choose "Show Names from the:" Global Address List. You should only see mailboxes and/or custom recipients from the Address Book View that your mailbox is associated with.

    This will not work for any mailbox whose associated Windows NT account has permissions on objects that give them inherited rights to the Address Book Views. These mailboxes will still be able to view the complete Global Address List.


    Q. How do I delete a bad Schedule + message?

    A. When users free busy information that is not being published to the Schedule+ Free Busy public folder server correctly or free busy information shows free even though a user has appointments you may need to remove the "stuck" or corrupted messages in the Schedule+ Free Busy hidden public folder.

    To resolve this use mdbvu32 to remove the corrupt message. Mdbvu32.exe is on the Exchange Server CD in the support/utils directory.

    1. Logon as Exchange Service Account
    2. Create a TEST mailbox with Service Account as NT account on the same server as the Schedule+ Free Busy folder. To find the Schedule+ Free Busy HOME SERVER open the Exchange Administrator program, expand Organization object, Expand Folders Object, Expand System, Folder ObjectExpand Schedule+ Free Busy Object. Beneath the Schedule+ Free Busy object will list SITES where free busy information is being replicated from - Choose the object of YOUR site (not a replicated site). Choose File Properties of the Site Object for the Schedule+ Free Busy. At the bottom of this dialog box (General Tab) HOME SERVER will be listed
    3. Create a profile for the TEST Mailbox in Step 2.

    MDBVU32 STEPS

    1. Start the MDB Viewer by double-clicking the executable file Mdbvu32.exe from CD
    2. The MAPILogonEx dialog box will appear click OK.
    3. The Choose Profile dialog box should appear. Select the TEST mailbox profile you created in the prior steps. Click OK. NOTE: If the Choose Profile dialog box does not appear, you are most likely already logged on to a profile. Exit and Log Off the client and profile, and re-attempt step 3.
    4. On the MDB Viewer Test Application menu, click MDB, and then select the OpenMessageStore option.
    5. In the Select Message Store To Open dialog box, select the PUBLIC FOLDER item and click the Open button.(Open Mode should default to Best Access. Leave as default.)
    6. From the MDB Viewer Test Application menu, click the MDB menu item, and click Open Root Folder.
      NOTE: 3 MAPI_E_CALL_FAILED dialog boxes will appear. Choose OK to each of these.
    7. From the Child Folders list box, double-click NON_IPM_SUBTREE. You will now see the SCHEDULE+ FREE BUSY folder.
    8. Double-Click the SCHEDULE+ FREE BUSY object.NOTE: 3 MAPI_E_CALL_FAILED dialog boxes will appear. Choose OK to each of these.
    9. A list of SITES will appear in the Child Folder box. (same sites mentioned in determining HOME SERVER) Example: EX:/o=Organization/ou=Site
    10. Double-click YOUR Site (not a replicated site)
      NOTE: If you cannot read the full name of the site double click each one one at time to see the full name at the top of the next screen. If you've selected the incorrect site choose CLOSE to go back to the list of SITES.
    11. Once the correct site is double-clicked a list of the SCHEDULE+ FREE BUSY messages will appear in the CENTER "Messages In Folder" list box.
    12. Scroll to the RIGHT & DOWN to see user names. Each users should only have 1 item(message). Normally when this problem occurs the user will have 2 items(messages) listed.
    13. Once the message(s) are located for the problem user select the message or messages (using the shift key for multiple messages) so that it becomes highlighted.
    14. Locate the Operations Available drop down box (located below the Messages In Folder dialog box).
    15. 15. Use the drop down and choose lpFld --> DeleteMessages() ON SELECTED MSGS
    16. Once the lpFld --> DeleteMessages() ON SELECTED MSGS is selected. Click the CALL FUNCTION button.
      NOTE: The messages may still be listed in the Messages in Folder list box - this screen will not refresh unless you choose the CLOSE button and come back to it.
    17. Next Exit out of Mdbvu32.exe by choosing CLOSE 4 times which will get you back to the MDB Viewer Test Application dialog box. Choose Session from the Menu Option and then choose Exit.
    18. Have the user who's free busy is not being published logon to their client and make an appointment (this will cause free busy information to be published to the SCHEDULE+ FREE BUSY hidden public folder)
    19. Exit and logoff of the client then check the Free Busy times of the > user by creating a new meeting request. The free busy information should now be visible.

    If the information is still not visible go back to step 1 on using mdbvu32 to look at the schedule+ free busy information again check to make sure that 2 messages don't exist. If they do follow steps to remove and complete the process again.


    Q. How do I link Exchange 5.5 and the Windows 2000 Active Directory?

    A. The latest beta of Windows 2000 ships with the Microsoft Active Directory Connector (ADC) which replicates a hierarchy of directory objects between the Exchange Server 5.5 directory and the Windows 2000 Active Directory.

    But first a potential problem:

    Protocol 389 is used for LDAP communication but if you are running Windows 2000 and Exchange 5.5 on the same computer then you may find Exchange has problems starting the LDAP directory service and thus stopping you creating the connection.

    To get around this change the port the Exchange LDAP service uses by double clicking LDAP under <Org>\<Site>\Configuration\Protocols and change the protocol, e.g. to 1020. Restart the Exchange Directory service for the change to take effect.

    Exchange 5.5 with Service Pack 3 allows you to change the port used by LDAP SSL.

    Also if you install Exchange 5.5 on a 2000 domain controller you must make the Exchange Server account a member of the local Server Operators group.

    Back to ADC :-)

    The software is under the VALUADD\MGMT\ADC directory of the Windows 2000 CD. To install perform the following on the Windows 2000 domain controller:

    1. Run setup.exe from the VALUADD\MGMT\ADC directory
    2. Click Next to the install wizard
    3. Select both the connector service and management components. Click Next
    4. You will be asked where to install. Accept the default and click Next
    5. Enter the Exchange Service account and click Next The account will be granted the 'Audit' right. Click OK
    6. Files will be copied and click Finish once completed

    A new icon 'Active Directory Connector Management' will have been added to the 'Administrative Tools' branch.

    Now we need to setup a connection agreement between the Exchange Server and the Active Directory:

    1. Start the ADC Management MMC snap-in (Start - Programs - Administrative Tools - Active Directory Connector Management)
    2. Right click on the Active Directory Connector (<machine name>) branch and select 'New - Connection Agreement'
    3. Under the General tab enter a name and select the replication directory:
      - Two-way
      - From Exchange to Windows
      - From Windows to Exchange
    4. Select the 'Connections' tab and fill in connection information as shown below:
      ADC Connector
      Notice I have both on the same machine however you will probably have different Exchange and Domain Controller machines.
    5. Select the Schedule tab to select how often and when to replicate
    6. Select the Deletion tab to control how deletions are handled, either delete from both directories when deleted from one or just note the deletion to a log file.
    7. Under the 'From Exchange' and 'From Windows' tab select the items to replicate.
    8. Click OK
    9. The Exchange Schema will be modified and its directory service will be stopped and restarted.

    Now changes will be replicated between the Exchange and Windows 2000 directory services.


    Q. What is the upgrade to large table option in Outlook?

    A. Microsoft Outlook 98 has a feature, "Allow upgrade to large tables," for Personal Folder (.pst) files. This feature increases the limit on the number of folders per file and the number of messages per folder in a .pst file. The limit has been increased from approximately 16,000 folders per file and messages per folder to approximately 64,000. This upgrade is permanent and cannot be undone.

    To enable the upgrade on the Internet Mail Only version of Outlook 98 perform the following:

    1. Start Outlook
    2. Right-click the Folder List, and select Properties on the context menu.
    3. Click the Advanced button.
    4. Click "Allow upgrade to large tables."
    5. Click OK and OK.

    To enable on the Corporate Workgroup version:

    1. Start Outlook
    2. On the Tools menu, click Services.
    3. Click to select the Personal Folders service, and click Properties.
    4. On the General tab, click "Allow upgrade to large tables."
    5. Click OK.

    Q. How can I disable the Journal in Outlook?

    A. The Journal function in Outlook can be used to track document changes and openings, mail actions, meetings and task management however it can take up a large amount of space if not archived regularly.

    If you don't want the features of the Journal it can be disabled as follows:

    1. Start Outlook
    2. Select Options from the Tools menu
    3. Select the Preferences tab and click 'Journal Options'
    4. Unselect all boxes and click OK
      Disable the journal
    5. Click OK to the main dialog

    No records will be written to the journal now.

    If you want to delete all current Journal information select the Journal branch, right click on each entry type, for example Microsoft Word, and select Delete from the context menu.


    Q. Internet Mail Server hangs on start-up, ID 7022, why?

    A. A FAQ reader recently brought this to my attention who after changing RAS in the network applet to only dial out and rebooting the server the NT event viewer showed an error message saying that The Internet Mail Server hung on start up ID7022. This occurs even if you install Exchange server to NT4 where RAS incoming call handling is disabled. The RAS setting was changed and the event was still generated.

    This was resolved by re-enabling the Incoming and outgoing dial access in RAS-> Network -> control applet. In Control panel -> Services selecting RAS Connection manager and setting it to start up as automatic and RAS Access Server and setting it to start up as automatic.


    Q. How can I search my Exchange stores for virus infected messages?

    A. After the problems with the recent Melissa virus, Microsoft have produced a utility which can search your Exchange store for messages which have been infected with a virus and clean them. This will not in any way prevent the virus from being introduced into the email system, you should ensure you are running anti-virus software to prevent the virus infecting your message stores.

    The utility can be downloaded for Exchange 5.5 and 5.0 for both Intel and Alpha

    Exchange 5.5 Intel  ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5/ISSCAN/ISSCANI.EXE
    Exchange 5.5 Alpha ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5/ISSCAN/ISSCANA.EXE
    Exchange 5.0 Intel ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.0/ISSCAN/ISSCANI.EXE
    Exchange 5.0 Alpha ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.0/ISSCAN/ISSCANA.EXE

    Once downloaded the self extracting file produces two files, ISSCAN.EXE and the symbol file ISSCAN.DBG. Once you copy the files to the server running Exchange it is used as follows (you don't need to copy the .dbg file)

    For Exchange 5.5

    1. Logon as an Administrator
    2. Stop the Microsoft Exchange Server Information Store server (via Control Panel - Services)
    3. Enter the command below from the command prompt (cmd.exe)
      C:\> ISSCAN -fix {-pri | -pub} -test badmessage, badattach [-c <criteria file>]
      Where the -fix parameter instructs ISSCAN to remove the messages or attachments found. Without the -fix parameter, ISSCAN will record all the messages and attachments it finds in a log file.
      The -pri or -pub parameter instructs ISSCAN to scan either the private or public information store (priv.edb or pub.edb).
      The -test badmessage parameter deletes messages from the message table determined to be bad. The -test badattach parameter deletes attachments from the attachment table determined to be bad.
      The -c <criteria file> is optionally and allows you to specify which messages ISSCAN will search for. If not used the Melissa virus will be searched for. The format of the criteria file is supplied in the readme file for ISSCAN which can be downloaded from here.

    ISSCAN will create a report called either isscan.pri or isscan.pub, depending on whether you are scanning a private store or public store. This report will include the attachment's filename that is deleted, and the sender of a message that is deleted. You can then use this information to determine the users computers who may need extra attention.

    This utility is very powerful and can be very constructive or destructive depending on how it is used. Please use with caution and consider every action twice before implementing. There is no undo so restoring a backup is the alternative if a problem occurs. It is recommended that you do not use this utility until a known good backup is secured.


    Q. How do I create an Outlook vCard?

    A. Microsoft Outlook supports the use of vCards, the Internet standard for creating and sharing virtual business cards. In Outlook, as well as other e-mail applications and personal information managers, you can save a contact as a vCard or save vCards sent in e-mail messages.

    To create a vCard to be attached to all outgoing messages perform the following under Outlook 98 and Outlook 2000:

    1. Create a new contact in Contacts of what you want your expanded vCard to look like. Remember this will go to everyone you send mail to so don't include personal information such as home number, address unless you really want to!
    2. From the Tools menu select Options
    3. Select the 'Mail Format' tab
    4. Click the 'Signature Picker..' button
    5. Click New to create a new signature
    6. Enter a name for the signature and click Next
    7. Enter text to be displayed and click 'New vCard from Contact'
    8. Select the contact and click Add. Click OK
    9. Select the new vCard from the dropdown list and click OK
    10. Click OK to the Signature Picker
    11. Click OK to the main options dialog

    All outgoing mail will now have your signature and vCard attached.


    Q. How can I configure Outlook to be the default mail client?

    A. Outlook 98 and Outlook 2000 will prompt you when starting to set as the default mail client if they are not already configured as such however if you checked the "Don't ask me this again" box you cannot display this dialog.

    To force Outlook 98 and 2000 to check type the following:

    C:\> "c:\program files\microsoft office\office\outlook.exe" /checkclient

    Click Yes to the

    "Outlook is not currently your default manager for Mail and News.
    Would you like to register Outlook as the default manager?"

    displayed message.

    Clicking Yes updates the following registry entries which you can also manually update (and will need to for older Outlook clients such as Outlook 97)

    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail
    3. Double click the (Default) value and set to "Microsoft Outlook" (don't type the quotes)
    4. Move to HKEY_CLASSES_ROOT\mailto
    5. Double click the (Default) value and set to "URL:MailTo Protocol" (don't type the quotes)
    6. Double click the EditFlags value and set to 02 00 00 00
    7. Double click the URL Protocol value and clear
    8. Move to the DefaultIcon folder (HKEY_CLASSES_ROOT\mailto\DefaultIcon)
    9. Double click the (Default) value and set to
      "C:\Program Files\Microsoft Office\Office\outllib.dll",-12
    10. Move to HKEY_CLASSES_ROOT\mailto\shell\open\command
    11. Doucle click (Default) and change to
      "C:\Program Files\Microsoft Office\Office\outlook.exe" -c IPM.Note /m "%1"
      Alternate values (such as Lotus Notes) are:
      "C:\Program Files\notes\notes.exe"=C:\WINNT\notes.ini %1
    12. Reboot the computer

    Q. How do I install a digital signature in Outlook?

    A. A Digital ID, also known as a digital certificate, is the electronic equivalent to a passport or membership card. It is a credential, issued by a trusted authority, that you can present electronically to prove your identity or your right to access information. There are a number of authorities who can grant these certificates, VeriSign is the Microsoft preferred certificate provider.

    To request a digital certificate perform the following:

    1. Start Microsoft Outlook
    2. Choose "Options..." from the Tools menu.
    3. Select the "Security" tab.
    4. Click on the "Get a Digital ID..." button at the bottom of the security options window.
    5. From the Microsoft web page that is displayed, click on VeriSign's "Enrol Now" icon.
    6. Fill out the enrolment form with your identifying and billing information.
    7. You will receive an email from VeriSign to corroborate your email address. Follow the instructions in this email to download and install your Digital ID on your computer's hard drive

    You can now configure Outlook via the Tools - Options - Security to attach a digital signature to every outgoing message or it can be manually added to messages individually. More information on this can be found at http://www.verisign.com/securemail/outlook98/outlook.html.

    If you have multiple machines with Outlook you can install your digital certificate on them by exporting the digital certificate and then importing on the others as follows:

    On the machine with the certificate installed perform the following:

    1. Start Outlook
    2. From the Tools menu select Options
    3. Select the Security tab
    4. Click the 'Import/Export Digital ID..' button
    5. Select the 'Export your digital ID to a file'
    6. Under Digital ID click Select and choose your certificate
    7. Select an area to save to and enter a password
    8. Click OK

    On the other machines copy the digital ID file created and perform the following:

    1. Start Outlook
    2. From the Tools menu select Options
    3. Select the Security tab
    4. Click the 'Import/Export Digital ID..' button
    5. Select the 'Import existing digital ID from a file'
    6. Select the file the digital ID was saved to
    7. Enter the password for the ID
    8. Enter the Digital ID name, e.g. John Savill
    9. Click OK

    Q. How do I create a distribution list in Outlook 2000?

    A. Outlook 2000 introduces the ability to create distribution list and populate with people from your contacts list. To create a distribution list perform the following:

    1. Start Outlook 2000
    2. From the Tools menu select 'Address Book'
    3. In the 'Show Names from the' list, click Contacts.
    4. Select 'New Entry' from the File menu
    5. Under the entry type select 'New Distribution List'
    6. Under the 'Put this Entry' select 'In the Contacts'. Click OK

    The empty distribution list will now be shown. To add members perform the following:

    1. In the name box type the name for the distribution list
    2. Click the 'Select Members' button to add people to the list
    3. Click Save and Close

    Distribution lists can be identified as they are shown in bold.


    Q. How can I add a disclaimer to each outgoing mail at server level?

    A. You can't do this in Exchange server. You would have to use a third party application such as EMail Essentials for Exchange. To setup a disclaimer in Mail Essentials perform the following:

    1. Start-up the Mail essentials configuration
    2. Go to the disclaimer tab
    3. Switch on disclaimer and enter disclaimer text.

    All outgoing mail will now include the disclaimer at the bottom.


    Q. How I can I block mail with certain attachments or certain words at server level?

    A. You can't do this in Exchange server. You would have to use a third party application such as EMail Essentials for Exchange or Mimesweeper.

    To setup a the content checking feature in Mail Essentials;

    1. Start-up the Mail essentials configuration
    2. Go to the content checking tab
    3. Now you can enter:
      a. types of attachments that must be blocked
      b. mails with particular words/phrases in the subject that must be blocked
      c. mails with particular words/phrases in the body that must be blocked
    4. Any mail that is blocked is quarantined in the moderator client.

    Administrators/supervisors can then check the mail and either approve or reject it.


    Q. How can I automatically compress all outbound mail to save on bandwidth?

    A. You would have to use a third party product to do this. Two of these are

    1. Mail essentials (http://www.gficomms.com/)
    2. Max compression (http://www.centralhouse.com/)


    Q. Unix users can't talk to an Exchange box News server without requiring authentication domain\user, why?

    A. This can be corrected by allowing anonymous access to News as follows:

    1. Start the Exchange Administrator program (Start - Programs - Microsoft Exchange - Microsoft Exchange Administrator)
    2. Expand the Org, site, Configuration and Protocols
    3. Double click NNTP
    4. Select the Anonymous tab
    5. Check the "Allow anonymous access" box
    6. Click Apply
    7. Click OK
    8. Close the Exchange Administrator program