Cheap Clusters: Building Fault Tolerance with Multiple A Records and Round-Robin DNS

This isn't a record type, but as long as I'm talking about A records, let me explain a great (and free!) way to handle a lot of Web traffic. Suppose I've got a Web server at IP address 206.246.253.100. I've named it www.minasi.com because, well, that's what people expect the Web server at minasi.com to be named. But now let's suppose that several thousand people all decide at the same time to hit my Web site to find out how to hire me to speak at their next engagement. (Hey, it could happen.)...

Is It Supported?

Before you even begin, you want to verify that the hardware is compatible with Windows 2000 and that you have a suitable driver. Start with the Hardware Compatibility List (HCL). The HCL can be found on the Windows 2000 Server CD, under the SUPPORT directory, as HCL.TXT. The HCL can also be found on the Web at http://www.microsoft.com/hwtest/hcl/. So what is the significance of the HCL? Every item on the HCL has passed compatibility testing with Windows 2000. It is sort of like your guarantee from...

Installing and Configuring the DSMT

Depending on how you chose to configure Windows 2000 Server during installation, the DSMT may or may not be installed on your system. Let's work under the assumption that the DSMT is not installed on your computer and walk through the steps to install and configure it. To add the DSMT to a server that doesn't have it, start by choosing Start > Settings > Control Panel and double-clicking the Add/Remove Programs icon. This will launch the Add/Remove Programs dialog box, which should have Add/Remove...

How ICS Shares a Routable Address with Nonroutable Machines

What happened? Well, first of all, the routing computer (the one running ICS) distributes unique IP addresses to all of your other computers. But what IP addresses? Well, it's not kosher to start making up routable IP addresses and handing them out unless you actually own those addresses, so the routing computer hands out "safe" IP addresses from one of the nonroutable ranges specified in RFC 1918, the range from 192.168.0.2 through 192.168.0.254, and gives itself an extra IP address, 192.168.0.1. So...

Info

They cannot, however, modify Administrator accounts, the Domain Admins global group, or the local groups Administrators, Server Operators, Account Operators, Print Operators, and Backup Operators.
2. In order to actually do this, the member of the group must have the right to log in locally at the server.
3. In order to actually do this, the user must either have the right to log in locally at the server or have access to the DSA.MSC tool.
Administrators: Administrators have almost every...

Don't Want My Dial-Up Users to Get the WINS and DNS Addresses That Are Defined on Our Network

Okay, so let's say that you want to override the default behavior of RAS to offer its WINS and/or DNS addresses to clients that are dialing in, without removing the WINS and DNS configuration from the RAS server itself. In that circumstance, you'll need to dive into the Registry to tweak Windows 2000 a bit. To prevent your RAS server from offering a WINS address to dial-in clients, look in the following key in the Registry. You may see a value in that key called SuppressWINSNameServers. If you...

Viewing the DNS Client Cache

You won't use a HOSTS file very often, though. Instead, your system will probably resolve many names out of its own DNS cache; here's how that works. Suppose you pointed your browser to www.minasi.com first thing in the morning; that causes your workstation to go ask the local DNS server to search the public DNS namespace for the IP address of www.minasi.com. But then suppose you returned to www.minasi.com later that day; in that case, your workstation wouldn't have to ask a DNS server for the IP...

Acknowledgments

The initial two editions of this book were among the greatest challenges in my experience of book writing. Windows 2000 is so completely new, different, and larger than earlier versions of NT that I simply could not have turned out a volume this comprehensive by myself in less than three years, and I somehow got the feeling that all of you needed it before then! What that means is that, while no book is the work of just one person, this book relied more than most on the close working of the team...

Directly Enter the Domain Name into Network Identification

But wait, this may not always make sense. Phillip Morris owns Kraft Foods and Miller Brewing Company. From an internal corporate point of view, it may be (I don't know, as I've never worked for any of the three entities) that everyone working for any of the three think of themselves as Phillip Morris employees, and Phillip Morris could be headquartered in one large complex in Richmond, VA. So from an internal management and IT point of view, they're one organization. But to the outside world,...

Performing an Authoritative Restore

If you're backing up a Win2K domain controller, the System State data includes Active Directory data. You can restore that data. During a normal file restore operation, Backup operates in non-authoritative restore mode, restoring all files, including Active Directory objects, with their original update sequence numbers (USNs). The AD replication system uses the USNs to detect and replicate changes to the Active Directory to all of the domain controllers on the network. All data that is restored...

But Not Everything Is Multimaster

In general, Active Directory tries to carry this notion of decentralized control throughout its structure. In general, all DCs are equal, but, to paraphrase George Orwell, some DCs are more equal than others. Those DCs are the ones that serve in any of five roles called either "operations master" or "Flexible Single Master of Operator" roles. By the way, no one says "flexible single master of operator"; it gets acronym-ized to FSMO and is pronounced "fizz-moe." Strictly speaking, FSMO was the phrase...

Representing Hex Suffixes in LMHOSTS

But how to handle the nonprinting characters in a NetBIOS name, the <1B> used by the primary domain controller, the <1C> used by all domain controllers? Recall that the hex suffixes are always the 16th character in a NetBIOS name, so write out a suffixed NetBIOS name like so: Enclose the name in quotes. Add enough spaces to the end of the name so that you've got 15 characters in the name. After the spaces, add \0x followed by the hex code. For example, suppose I had a domain named CLOUDS...

SOA Record in Zone-File Format

@ IN SOA bigdog.bowsers.com. help.minasi.com. (
It's basically saying this: "the start of authority record for bowsers.com." Waitaminute, I don't see bowsers.com anywhere in that line. Where'd I get that this is the SOA for bowsers.com? The answer is the @ sign. It's got a magic meaning inside zone files completely different from the magic meaning that it has in e-mail addresses. Instead of separating an e-mail name from a user's domain, the @ here is shorthand for "this zone." So, because this is the...

Figure

[Figure: DHCP exchange between client and server. IP address used: 255.255.255.255 (broadcast). Ethernet address used: 00CC00000000 (directed). Transaction ID: 18923.]
You can find out what your IP configuration looks like after DHCP by typing ipconfig /all. It may run off the screen, so you may need to add | more to the line. This works on DOS, Windows for Workgroups, and NT machines. You can see a sample run of ipconfig...

Beyond ICS: Setting Up Network Address Translation (NAT) on Windows

ICS is great, but what if you want more? On the one hand, ICS lets you easily connect a bunch of internal machines to the Internet via one routable address; it's quite literally a matter of a click or two and you're done. But you can't change the range of addresses that ICS's mini-DHCP server gives out. Nor can you facilitate incoming traffic: ICS is basically a simple port address translation router. Any system inside your network can initiate an outbound conversation, but outside systems on the...

Extending: Pre-Installing Service Packs

Let's presume, then, that you've figured a way to get your workstations attached to a network distribution share. Now we can start reaping the benefits of doing installs from a share on a hard disk rather than a CD-ROM: we can add to the data on the CD. The first terrific thing that we can do is to pre-install service packs. As I write this, Service Pack 1 has been out for a while. You can download it as an 89MB file named sp1network.exe. SP1 lets you attach it to an I386, assimilating itself so...

Ok

The scripts you create and assign should be copied to the following path in the SYSVOL directory: Scripts\Startup or Scripts\Shutdown (or User\Scripts\Logon or Logoff, depending on whether you are assigning scripts to the Computer Configuration or to the User Configuration node). The Global Unique Identifier (GUID) for the group policy object is a long string that looks like FA08AF41-38AB-11D3-BD1FC9B6902FA00B. If you wish to see the scripts stored in the GPO and possibly open them for editing, use the...

Inspect Boot Sector

This option repairs the active system partition boot sector and reinstalls the boot loader functionality. If the partition uses the FAT or FAT32 file system and contains a non-Windows 2000 boot sector, this repair option also creates a new bootsect.dos file to be used to dual-boot MS-DOS, Microsoft Windows 95, or Microsoft Windows 98 if these operating systems were previously available to be booted. If you also select the Inspect Startup Environment option and a new bootsect.dos file is...

Set of Credentials Conflicts

Sometimes when you're trying to attach to a share, you'll get an error message that says something like, "A set of credentials conflicts with an existing set of credentials on that share." What's happening there is this: You've already tried to access this share and failed for some reason, perhaps you mistyped a password. The server that the share is on has, then, constructed some security information about you that says that you're a deadbeat, and it doesn't want to hear anything else about you....

What's New in Windows Terminal Services

Microsoft released an earlier version of multiuser Windows in July 1998 with its Windows NT, Terminal Server Edition (TSE). TSE had basic functionality, supporting multiuser access to the terminal server through the Remote Desktop Protocol (RDP), but frankly wasn't all that when it came to supporting users. If you wanted support for client-side mapped printers or hard drives, applications published as part of a Web page, remote control of user sessions, or a Clipboard shared between remote and...

Fast Repair Option

The Fast Repair option performs all the same repairs as the Manual Repair option without asking you whether you want to do them. It also attempts to load each Windows 2000 Registry file (SAM, SECURITY, SYSTEM, and SOFTWARE). If it discovers that a file is damaged or it can't load it, then it will copy the missing or corrupted Registry file from the %SystemRoot%\Repair folder to the %SystemRoot%\System32\Config folder. Notice that that's %SystemRoot%\Repair, not %SystemRoot%\Repair\Regback. The Registry...

Class A, B, and C Networks, CIDR Blocks, Routable and Nonroutable Addresses, and Subnetting

Before leaving IP routing, let's take a more specific look at networks, subnets, and IP addresses. The whole idea behind the 32-bit IP addresses is to make it relatively simple to segment the task of managing the Internet or, for that matter, any intranet. To become part of the Internet, you'll need a block of IP addresses and a name (like acme.com) or a set of names. Find a local Internet service provider (ISP) for the block of addresses. ISPs may also handle registering names for you, but...

Customizing the Console Interface

You can give the customized tool a simplified look and feel by hiding the console tree and those navigation tabs that allow users to move between the normal view and the taskpad views. Ya know, that reminds me: if we hide the console tree and the navigation tabs, lock the tool down, and prevent the user of the tool from navigating the console tree, they have no way of getting to the Services taskpad we created in our earlier example. They'll be stuck at the Main taskpad. So before we customize...

Ntm

Notice anything? Those folders were all created automatically under I:\corp as I created the links. If I try to look into one of those folders under I:\corp, I get an "Access Denied" because the system has those areas protected in order to handle the Dfs referrals, the process of passing users to a respective link member, rather than the physical subdirectory. Speaking of referrals, when a client goes to hit the APPS folder within the Dfs CORP, what exactly happens? Using the Network Monitor, you can...

The Distributed File System

One of the new and exciting features in Windows 2000 is the Distributed File System (Dfs). With Dfs, you can create a single share that encompasses every file share-based resource on your network. Think of it like a file-share "home" or "links" page. Under this one share, you have links that point to all of your other shares across numerous servers. Now, using this Dfs share, your users only need to remember one place to connect. Let's say you had the following set of shared resources across the...

SLIP/PPP Serial Connection

If you've got one of those $10/month or $20/month Internet accounts, then you fit in this category. A somewhat better way to connect to a TCP/IP-based network (that is, an intranet or the Internet) is by a direct serial connection to an existing intranet host. If you use PCs, then you may know of a program called LapLink that allows two PCs to share each other's hard disks via their RS232 serial ports; SLIP and PPP are similar ideas. An intranet may have a similar type of connection called a SLIP or...

Definition: Recursive versus Iterative Queries

So we've seen that your DNS server will go to great lengths to answer a query. Mine works that way, too, and so will most DNS servers that you'll ever work with. But those root servers, and the DNS servers for the com domain and other top-level domains, don't do that. That's because DNS recognizes two kinds of queries: iterative and recursive. A recursive query is the kind that you make against your local DNS server. You tell it to keep asking the questions until it gets an answer. An iterative...

Creating Taskpad Views

Once you've decided which tasks your user or admin person will perform with this tool and identified the necessary snap-ins, you are ready to create the console. In this example, you'll create a view and a select set of tasks from the Computer Management snap-in to keep things simple. This tool will be for gathering information; we'll use the Event Logs, System Information, and Device Manager functions. Open a blank console as described earlier (Start > Run and enter mmc.exe) and load the required...

Advanced RIS II: Using $OEM$

Once you start getting a bit fancy with your RIS-based installs, you'll soon pine for the power of the $OEM$ folder. So you might tunnel down into your RemoteInstall\Setup\English\Images\whateveryoucalledit\I386 folder and place a $OEM$ folder inside that I386 folder, hoping to see some of $OEM$'s power transferred to RIS. The problem? For some bizarre reason, RIS installs need the $OEM$ folder at the same directory level as I386, not inside it. So, for example, if I created an image folder just...

Definition: A Caching-Only DNS Server

Before leaving this section, it's worth briefly defining a term: caching-only DNS server. I've just explained that a DNS server that contained a zone for some domain would look in that zone first, rather than searching the Internet. But I haven't explicitly pointed out yet that you might well be running DNS servers that contain no zones at all; in fact, the majority of DNS servers are zoneless. What's the point of a zoneless DNS server? Simple: it focuses solely on searching other DNS servers to...

Restricting the Programs a User Can Run with Explorer Policies

RestrictRun is another mildly complex Registry setting, but it's extraordinarily powerful. You can use it to say to the Windows interface, "Do not run any programs unless they are on the following list." For example, you could say, "The only programs that this user can run are Word and Internet Explorer." RestrictRun is another 1-or-0 Registry setting. A value of 0 says, "Don't restrict which programs this user can run," and 1 says, "Only allow this user to run the programs listed in HKEY_CURRENT_USER...

Atomic Permissions

These permissions are the building blocks of the permissions that we normally speak of, like Read, Modify, and Full Control. You will probably never see these permissions, much less refer to them on their own.
Traverse Folder/Execute File: Traversing folders applies to folders only. There are times when you execute files that call other files in other folders. Let's say you execute a file in the APP1 folder, to which you have read-only permissions. Sure, read...

Modern Uses for Telnet

But telnet's still quite useful for network administrators, so it's great that Windows 2000 includes a telnet server that will support up to two simultaneous connections. Think of telnet on Windows 2000 as being sort of a low-bandwidth form of Windows Terminal Server. You can't run any graphical applications over it; you just get a C:\> style command line, but you can get an awful lot done with just that. Before you can telnet into your machine, though, you must start up the server part of...

Probable Meaning

The local policy of this system does not allow you to log in interactively. You do not have access to this session. Your interactive logon privilege has been disabled. Please contact your system administrator. The terminal server has exceeded the maximum number of allowed connections. The system cannot log you on (1B8E). Please try again or consult your system administrator. Terminal server sessions disabled. Remote logins are currently disabled. Because of a network error, the session will be...

Terminating Applications

Gertrude and the other TSQUAKE players aren't paying attention to your pleas. Time to get tough and terminate the application. Every instance of TSQUAKE that you close will exit immediately, with no warning to the user and no chance to save data.
NOTE: Before we get into this, let me distinguish between terminating and resetting. Both options close applications with no warning, but single processes are terminated and entire
To kill a single application from the GUI, select the server or domain...

Preventing Printers from Being Redirected

But what if you don't want clients to use their local printers during terminal server sessions? You may not, especially if the client is connecting to a printer across a dial-up connection. Sending a print job from terminal server to client-side printer may be acceptable at LAN speeds but unwise over a 56Kbps modem connection, since sending the print job back to the client for printing can make the connection slow to a crawl. Or, you may want people to use a networked printer for their terminal...

Distribution Groups and Contacts

In NT 4, every group was a security group and could be used for controlling access to resources and granting rights. A distribution group is simply a nonsecurity group. Distribution groups don't have SIDs and don't appear on ACLs. So what are they for? If you've worked with Exchange or a similar product, you are familiar with distribution lists. These are groups of recipient addresses. It's easier to send mail to "ACME Managers," for example, than to individually select each manager's name from a...

Figure T

The lease duration specifies how long a client can use an IP address from this scope. Lease durations should typically be equal to the average time the computer is connected to the same physical network. For mobile networks that consist mainly of portable computers or dial-up clients, shorter lease durations can be useful. Likewise, for a stable network that consists mainly of desktop computers at fixed locations, longer lease durations are more appropriate. Set the duration for scope leases...

Special Suffix for Domain Controllers: #DOM

In most cases, the only hex suffix you'll care about is <1C>, the suffix indicating a domain controller. You can create an entry for it as above, with a \0x1C suffix, or you can use a special metacommand that Microsoft included in LMHOSTS: #DOM. To indicate that a given entry is a domain controller, enter a normal LMHOSTS entry for it, but add to the end of the line #DOM and the name of the domain controller. In the CUMULONIMBUS example above, you could register CUMULONIMBUS's name and the...

DNS Boot Order

First let's take a look at what files DNS reads to get started and in what order it reads them. There are just a few files that control a DNS server's behavior: one named boot, another named cache.dns, and one zone file for each of the zones for which the DNS server is responsible. boot has two main jobs. First, it tells a DNS server whether the server is a root name server or not. Second, it tells the DNS server what domains it acts as the primary DNS server for and which domains it acts as the...

The Terminal Server

In Win2K, Terminal Services is one of the optional components that you can choose to install during Setup, like Transaction Services or Internet Information Services. If you've enabled Terminal Services, when Win2K boots up and loads the core operating system, the terminal service begins listening for client connection requests at a TCP port. At the same time, a special client session for the console (that is, the interface available from the terminal server itself) is created, along with two...

Using Sysprep: Overview

In any case, Microsoft knew that many people use cloning products and that they'd do well to help their customers use those cloning products. So Windows 2000 comes with a SID scrubber called System Preparation Tool (Sysprep.exe). Sysprep's simple to use; here are the basic steps.
1. Put Sysprep on a directory named C:\Sysprep. You can then script it and, if you do, put the script in C:\Sysprep, calling the script sysprep.inf.
2. While you were acting as the administrator and setting the system up,...

Mail Site: EMWACS

As you've read, I've been a fan of the free Internet Mail Service (IMS) software for NT and Windows 2000 from EMWACS for a long time. EMWACS mail doesn't do everything that I'd like; in particular, I wish that it did IMAP4, a protocol that lets you check your mail by retrieving only the headers of the mail messages rather than the entire message. That's important because I travel a lot, and it's usually just my luck to dial in to the mail server at home at 31Kbps (the actual speed of most of my...

BaseT BaseT or BaseT

Today it is nearly a foregone conclusion that some form of Ethernet will be used in the LAN network environment. The question remains, "How fast will we go?" For you, this will be an easy decision because you can make the same choice for all of your platforms. Gone are the days of slow and incompatible LocalTalk networking. Ethernet has made major inroads into the Macintosh platform for many years now. Part of the equation depends on the type of Macintosh equipment you have (see the next section...

Ensure That Win2K Can Continue to Autotune

Win2K's file server module includes almost two dozen tuning and control parameters. Most of them control exactly how much memory Win2K devotes to different parts of the server module. For example, what's the maximum number of sessions the server will have to keep track of at any moment in time? Win2K must know that so it can pre-allocate some RAM as working space, a place in memory to track each session. That's set by an autotuning parameter every time you start up a server. Similarly, what's...

Stand-Alone versus Fault-Tolerant

Before we begin making a Dfs, we need to decide which kind of Dfs we want. This will be primarily decided based on whether or not we have an Active Directory. The big difference is going to be on the root. In an Active Directory-based Dfs, or fault-tolerant Dfs, the root itself can have replicas. In other words, that one single point of failure, the root, has been spread out into the Active Directory. Using root replicas, if you have 27 servers housing the Active Directory, you have 27 places...

Error Seize Schema Master Windows 2000 0x20af

But to transfer the RID, domain naming, or schema FSMO, you'll need to use a command-line tool, NTDSUTIL. You start it from the command line by typing ntdsutil. Then do this:
1. Type roles. NTDSUTIL will respond by changing the prompt to "fsmo maintenance:".
2. Type connections to point to the computer that you are going to transfer the FSMO role to. NTDSUTIL will respond by changing the prompt to "server connections:".
3. Type connect to servername, where servername is the server that you want to...

Dk

For most installations, the default TCP/IP settings should work fine, but if your situation is a bit more specific, you can enter values for the IP address the client should use and which DNS servers and WINS servers to use for name resolution. If you don't enter any settings for the DNS and WINS servers to use, the dial-up networking client will inherit the same values the RAS server uses itself. This is an important point, because if you are using DHCP to assign addresses, you might assume...

Oops, I Deleted a Port I Was Using

It is easy to replace accidentally deleted parallel ports. Click the Add Port button and choose to add a local port. Give the port the appropriate name (such as LPT1) and you're done. It is not so easy to replace an accidentally deleted serial port. In that case, you'll need to add the port, then edit the Registry to define it as a serial port. Add the port as described earlier, then open REGEDT32 and move to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Ports. Find the value for the port...

Setting Up the Telnet Server

Telnet is built as a service under Windows 2000. You can start it by just opening up a command line, typing net start tlntsvr, and pressing Enter. Alternatively, you can tell your system to always have the telnet server available by setting up the telnet service to start automatically. Here's what you need to do to set up the telnet service to start automatically:
1. Right-click the My Computer icon and select Manage.
2. Under Computer Management, you'll see Services and Applications; open it...

Group Scope: Locals, Globals, and Universals

Where are they recognized and what can they contain? These are the main issues surrounding local, global, and universal groups. Since they are used to grant rights and permissions, we need to know where that group membership means something, where it is accepted (kind of like American Express). Since we want to nest groups to simplify the granting of rights and permissions, we need to know the rules and recommendations for nesting as well. The regular local group is the only type of group that...

Installing a New Physical Disk

When you first add a new hard disk to your computer, Win2K will not recognize the new disk even if it shows up at boot time (SCSI or IDE). You must add support for the new drive, either manually or by following the Write Signature and Upgrade Disk Wizard. The wizard will start up automatically when you open the Disk Management folder in the Computer Management tool and have new physical disks attached. There are two steps to setting up a new hard disk: writing a disk signature and choosing...

Manipulating NDS Data in the DSMT

Once you have successfully imported your bindery or NDS data from your NetWare environment, there are several things that you can do to manipulate or tweak the data as necessary before writing the data to your Active Directory environment. One of the first things that you can do is actually edit the properties of any of the objects the DSMT imported by double-clicking them. For example, double-clicking the user named Admin brings up the object properties in a dialog box like the one shown in...

Adjusting Client Connection Settings

Everything's ready to go on the client side, but you may still have some work to do to get the server side configured. The following are optional but useful settings that allow you to define how long a session may last, whether someone can take remote control of a user's terminal session, how the RDP protocol is configured, and client path and profile information. The location of these settings depends on whether you've set up the member accounts on the terminal server itself (as a member...

Assigning a Package to Users or Computers

Assigning a package to a user or a computer is the coolest thing about this Software Installation stuff. As with publishing an application, the current user doesn't need administrator privileges on the computer and the package will still get installed. However, if the package is assigned to a user, it gets installed when the user logs in. If the package is assigned to a computer, it gets installed when the computer boots up, and no one needs to be logged in. If the user tries to delete the...

Routable and Nonroutable Addresses

Once upon a time, getting hold of a bunch of IP addresses was easy. But nowadays, they're scarcer and scarcer. Four billion possible addresses sounds like a lot, but the A/B/C class approach tends to waste addresses on large companies and those who just got in line at the right time! With all due respect to the organizations involved, it's hard to believe that certain universities, Apple, and the Network+Interop conference really need 48 million unique IP addresses. Don't misunderstand me, I'm...

Simple Mail Transfer SMTP Server

At first glance, having a mail service included in IIS might seem like Microsoft is cannibalizing their own e-mail platform, Exchange. Unfortunately, if you are hoping that you might use this feature as an e-mail platform for your organization, you will be a bit disappointed. Microsoft has included an SMTP service with IIS primarily for support of the other services within IIS, namely HTTP and NNTP. In other words, the SMTP server that comes with IIS is not sufficient to act as an e-mail server....

Molecular Permissions

A full understanding of what atomic permissions do and of Table 11.1, which shows the atomic makeup of molecular permissions, provides exceptional insight into what these molecular permissions are and how they work. This section will try and put the atomic makeup of permissions in better perspective, but flip back and forth to the table while you read about these permissions. This information will form a very solid foundation to help you manage permissions later.
Read: Read permissions are your...

Bad, Bad Application, Go to Sleep: Reducing Demands of Windows Applications

Even if you turn off CPU-hogging effects, some applications are just more cycle-hungry than others. In a terminal server environment, this is a Bad Thing. Not only do CPU-sucking applications themselves underperform in a multiuser environment because they're contending with other applications, but they hurt other applications' performance by denying them cycles. You can edit the Registry to make Win2K keep a closer eye on Windows application management, denying CPU cycles to applications that...

DMA Channels

I/O channels provide a means for the CPU to talk to all hardware components. In a similar fashion, there are memory addresses, which the CPU uses to talk to different areas of memory. Memory is the lifeblood of the computer. A CPU can only process one thing at a time. Take a simple command like 3 + 5. There are three different major components in the command. First is the 3. Next is the operator, plus. Then comes the second argument, 5. Actually, there is a whole lot more to 3 + 5 than three...

A Few Final Thoughts on Group Policy

In the last few sections, I have discussed the concepts of group policies, including local policies. We have created a sample group policy and seen how to turn on the various settings, like No Override and Block Policy Inheritance. We have looked at filtering policies for security groups and delegating policy administration to others. We have explored many of the actual policy settings, including administrative templates for desktop control, security settings, folder redirection, MMC...

Explorer Policies

The first bunch is located near NoNetHood, in a user's HKEY_CURRENT_USER\Software subtree. Each entry is of type REG_DWORD. You activate these settings with a value of 1 and deactivate them with a value of 0 unless otherwise stated. NoClose: When set to 1, removes the Shut Down option from the Start button. The user can still shut down using the Security Dialog (Ctrl+Alt+Del). NoCommonGroups: When set to 1, removes the common groups from the Start Programs menu. Recall that common groups are the program...

WINS Proxy Agents

Using an NBNS (NetBIOS naming server) like WINS can greatly cut down on the broadcasts on your network, reducing traffic and improving throughput. But, as you've seen, this requires that the clients understand WINS; the older network client software just shouts away as a B node. WINS can help those older non-WINS-aware clients with a WINS proxy agent. A WINS proxy agent is a regular old network workstation that listens for older B node systems helplessly broadcasting, trying to reach NetBIOS...

How Offline Files Works

Offline Files acts by automatically caching often-accessed network files, storing the cached copies in a folder on a local hard drive, a folder not surprisingly called Offline Files. Offline Files then uses those cached copies to speed up network access (or apparent network access), as subsequent accessing of a file can be handled out of the local hard disk's cached copy rather than over the network. Offline Files can also use the cached copies of the files to act as a stand-in for the network...

HKEY_CURRENT_CONFIG

Contains information about the hardware currently installed in the machine and the settings for systems running on the machine. You do most of your work in this and the next subtree. Contains the user profile for the person currently logged on to the Windows 2000 Server machine. Contains user preferences and settings for desktop applications running on this machine. Contains a pointer to the HKEY_CURRENT_USER subtree and also to a profile called the DEFAULT profile. The DEFAULT profile...

Forest Wide Time Synchronization

As you'll read in the upcoming sections on replication, AD needs all of its domain controllers to pretty much agree about the current time and date. They don't have to be exactly the same, but they need to be close. Under NT 4 and earlier, establishing time synchronization across a domain was difficult to accomplish. But Windows 2000 includes a service called the Windows Time service that keeps all of your Windows 2000 workstations and servers in good time sync. Win2K does that in the following...

DNS Deception: An Example

You're going to learn a bit later in this chapter that sometimes you quite deliberately want to present one set of DNS names to your private internal intranet and quite a different set of names to the external Internet; I think of it as keeping two sets of books, DNS-wise. (Some people call it split-brain DNS.) But I want to offer a simple example to underscore how a DNS server resolves, and that locally held zones take priority over anything on the Internet. Suppose you wanted to visit Dell and...

Remote Registry Modification

You can modify another computer's Registry, perhaps to repair it or to do some simple kind of remote maintenance, by loading that computer's hive. You do that with the Registry Editor by using the Load Hive or Unload Hive command. You can load or unload the hives only for HKEY_USERS and HKEY_LOCAL_MACHINE. The Load Hive option appears only if you've selected one of those two subtrees. Unload Hive is available only if you've selected a subkey of one of those two subtrees. Why, specifically,...

Alternative Number Systems

It's never fun, but anyone talking about hardware addresses soon runs up against having to talk in hex and perhaps binary. If you're not familiar with these alternative methods of representing numbers, or if you maybe just need a short refresher, then this sidebar is for you. Hexadecimal numbers are used very frequently, not only in hardware applications but in many software applications. It is very important to understand how this numbering scheme works. Before we jump into hexadecimal, let's go...

Installing Multiuser Enabled Applications

As terminal services become more widespread, it's probable that more applications will come with multiuser installation packages. Microsoft Office 2000 is one that presently does. If you try to run the normal installation program on a terminal server, you'll see a nag screen telling you that you can't do that and prompting you to use the installation files provided with the Office 2000 Resource Kit. First, get the terminal server transform file, TermSrvr.mst, and place it in an accessible...

Groups Can Exist inside Groups inside Groups inside Groups

Sometimes it's convenient to put a group inside a group. For example, every server has a group built into it called Administrators. Anyone in the group is, as you'd guess, treated by that server as an administrator, someone with the power to perform any task on that server. But what if I had a group in the enterprise that I wanted to be able to act as administrators on every machine? Well, I could walk over to every single machine in the company and add each of those enterprise-wide...

Clean and Pristine Migration

The other approach is called clean and pristine (C&P). In this approach, you leave your existing NT 4 domains alone and create a new, empty AD domain. Then you use a program called a migration tool to copy user and machine accounts from the NT 4 domain (or domains) into the new AD domain. In most cases, I prefer the C&P approach. For one thing, it's gradual. With an in-place upgrade, you walk your domain through a one-way door. If you find later that 2000 just isn't the thing for you,...

Building Subdomain Control with an Organizational Unit

You've read earlier that one of Windows 2000's strengths is that it can let you grant partial or complete administrative powers to a group of users, meaning that it would be possible for a one-domain network to subdivide itself into Uptown and Downtown, Marketing and Engineering and Management, or whatever. Let's look at a simple example of how to do that. Let's suppose that there are five people in Marketing: Adam, Betty, Chip, Debbie, and Elaine. They want to designate one of their own,...

Using System Policies with Legacy Clients

Well, cool, except for the fact that to change these important Registry entries on a bunch of machines, it seems like you'd have to walk around the building, sit down at each computer, and run REGEDT32 or REGEDIT to modify its Registry. Don't worry, there's an answer to that. There's an automatic feature built right into Windows NT and Windows 95/98 machines that can make remote Registry modification much easier. Whenever a user logs in to a domain from a Windows NT or Windows 95/98 machine, the...

Another Free Migration Tool: ADMT

About a month after releasing Windows 2000, Microsoft posted a free migration tool on their Web site. Named the Active Directory Migration Tool (ADMT), the tool is (or was when I wrote this; just search the Microsoft site if this URL doesn't work any more) at admt.asp. The NetIQ folks built this under contract to Microsoft. ADMT does a lot of things, but mainly it moves large numbers of user accounts, groups, and similar information en masse from an existing NT 4 or Windows 2000 domain into an...

Directory Services Restore Mode

Choosing this mode is the second step for restoring a domain controller. Ordinarily, you can restore the Active Directory from Windows Backup and then log back on again normally. When you log in after restoring the Active Directory data, the AD should recheck its indices and perform an integrity check. The Directory Services Restore Mode (DSRM; that's too much to type) is for those times when you want to be doubly sure that the AD data is back and re-indexed. When you choose this option, it will...

Deleting and Purging WINS Records

You'll eventually look at your WINS name database and realize that there are a bunch of old, useless records that you'd like to get rid of. Some of those records may be, as mentioned earlier, garbage left over from an old, now-defunct WINS server. Those are easy to get rid of: just choose the Delete Owner function, as described earlier. For other records, though, the approach is a bit different. Consider how a record gets created and propagated around an enterprise. A machine named TRAY (what...

Controlling WINS versus DNS Order in Winsock

Now, what I just showed you is the order of events by default in NT, Windows 9x, or Windows 2000 clients. But if you feel like messing around with the way that Winsock resolves names, you can. As usual, let me take this moment to remind you that it's not a great idea to mess with the Registry unless you know what you're doing. Look in the Registry under Services\Tcpip\ServiceProvider and you see HostsPriority, DnsPriority, and NetbtPriority value entries. They are followed by hexadecimal...

Lost Our Lease, Must Sell

What happens when the lease runs out? Well, when that happens, you're supposed to stop using the IP address. But that's not likely to happen. When the lease is half over, the DHCP client begins renegotiating the IP lease by sending a DHCP request to the server that originally gave it its IP address. The IP and Ethernet addresses are both specific to the server. The DHCP server then responds with a DHCPACK. The benefit of this is that the DHCPACK contains all of the information that the original...

Regedit

Note the blank line between REGEDIT4 and HKEY; you need that. Now open up a command line and tell REGEDIT to apply this change by typing regedit /s cdfix.reg; the /s means "be silent, Regedit," and so you won't get a message. But reboot your NT machine and you'll find that AutoRun is now disabled. Notice how what I could call the REGEDIT command language works: the first line is REGEDIT4, then a blank line, then you indicate what key you want to work with, in brackets, and then the value entry. And...

Even More Cautions about Editing the Registry

If you're just learning about the Registry, you're probably eager to wade right in and modify a value entry. Before you do, however, let me just talk a bit about using caution when you manipulate the Registry. (I know I've mentioned it before, but it's important, so I'm mentioning it again.) The vast majority of Registry items correspond to some setting in the Control Panel, Active Directory Users and Computers, or some other MMC snap-in. For example, you just saw where we could change the...

Application: Grafting an Active Directory Domain into an Enterprise with Old DNS Servers

Suppose you bring Windows 2000 into your firm, acme.com. At a meeting of the IT planning staff, you sell the CIO on the whole idea of Active Directory as a directory service. Everyone loves the idea (or at least no one has attacked you with a sharp object)...until you enthusiastically say something like, "And Microsoft was even smart enough to use DNS as its naming infrastructure!" All of a sudden, the Unix guys, who have been scowling in the corner, say in unison, "Whaaaaaat?" They're not dumb. They...

Multimaster versus Single Master Replication

One of the things that differentiates Windows 2000 DCs from earlier versions of NT's DCs is multimaster replication. Under NT 4 and earlier products, you had one DC called the primary domain controller, which held a copy of the SAM, the file that contained the user accounts. That SAM on the PDC was the only one that you could modify. All other DCs in an NT 4-and-earlier domain were backup DCs. They could authenticate people, but not accept changes to their accounts. If, for example, you work...

NOTE: You cannot manually redirect a printer connected to a USB port.

To manually redirect a printer for a terminal services client, follow these steps:

1. Get the name or IP address of the client device. (If your Windows terminals don't use names, and not all do, you'll need to use the terminal's IP address.) Start a terminal session from that client machine.
2. Start the process of manually adding a locally connected printer to the terminal server.
3. In the part of the wizard where you're choosing the port the printer is connected to, scroll down in the list until...

Creating a New Separator Page

Given that the separator pages that come with Win2K are mostly necessary in specific instances, you'll probably want to create your own separator pages if you use them at all. Separator page files are just text files, so you can create the file in Notepad. On the first line of the new file, type a single character (any character will do) and press Enter. This character will now be the escape character that alerts Win2K that you're performing a function, not entering text, so make it one that you...

DDNS Registrations in More Detail

My simple example with one workstation (MYPC) and just one DNS server (BIG-DOG) obscured some of the complexity of a DDNS registration. Here is more specifically how a registration happens.

On a System with a Static IP Address

1. First, the client computer asks its local DNS server to retrieve the SOA record for the client computer's DNS suffix. So, for example, because MYPC sees that its DNS suffix is bowsers.com, it asks its local DNS server (which happens to be BIG-DOG) to go find the SOA record...

Group Policy Application Order

All this inheritance and accumulation is nice and simple as long as the policies received from the domain are changing settings different from those specified in the OU policy. But what if the policy settings are the same? What if both policies change the same setting, and the domain policy says one thing while the OU policy says something else? Policies are applied in the following order: local policy, sites, domains, organizational units, then OUs inside of OUs. If the domain policy says, You...

Name Resolution in Perspective Introduction to WINS Even for Windows and DNS

Consider the two following commands, both issued to the same server: In the ping command, the server is referred to as server01.bigfirm.com. In the net use command, that same server is called server01. The difference is important for these reasons: Ping relies upon a traditionally Internet-oriented programming interface called Winsock, and any program running Ping generally needs access to something called a DNS server in order to execute the Ping command. NET USE relies upon a traditionally...

Fault Tolerance: Primary and Secondary DNS Servers

Next, let's consider how to make this DNS database highly available and fault-tolerant. If a ton of people all decide at the same time to come surf www.minasi.com, then that means that a ton of DNS servers will all be trying at the same time to resolve the address www.minasi.com. But what if I only have one DNS server? That's asking for trouble. It'd be nice if I had more than one DNS server containing a copy of the minasi.com zone file; then those servers could share some of the burden of name...

User and Computer Configuration Settings

Now that you've learned all about creating and linking and delegating administration of Group Policy, we'll explore some of the policy settings themselves in the next few sections. Since you can use various types of policies to configure a range of settings, we won't try to cover every single setting in the pages allotted to this chapter (otherwise it could be a book all by itself). Rather, think of this section as an overview of what group policies can accomplish to make your life easier as...

Transferring FSMO Roles the Hard

Transferring FSMO roles is very simple via the GUI, as I've shown you. But there's a catch: you can only use the GUI to transfer a FSMO role if the present FSMO is up and running. If you FDISK-ed the computer that was acting as your PDC FSMO, then there's no one around to approve transferring the PDC FSMO role to another computer. In that case, you don't just transfer the operations master role, you seize the master. If your PDC FSMO or infrastructure FSMO will be temporarily offline, then it's...

The Hack that

Windows Terminal Server, and terminal sessions running on early betas of Win2K Server, had a little problem when it came to running WinChat, the graphical chat application that comes with Windows. Because WinChat referenced computers, not users, you couldn't use it from a terminal server session to talk to someone running another terminal session. Try to connect to someone, and you'd see a list of computers to choose from, as you see in Figure 15.33. Chat sessions with yourself get dull, so...

Ghost's Little Helper: Sysprep

RIS and scripting are cool, but the fastest way to blast an image onto a new system continues to be Ghost or something like it. The idea is to first create a server or workstation just the way you like it, as you would before RIPrep-ing a system. Then use a disk copying tool like Symantec's Ghost or PowerQuest's Drive Image Pro to essentially photocopy the drive; these tools don't look at files, they just copy an entire partition from one drive right atop another. Or, for about 1000, you can...

An Alternative Dynamic Routing Protocol: OSPF

While RIP has been around for some time, it's an awfully chatty protocol. Twice a minute, each RIP router broadcasts its entire routing table for all to hear. A more intelligent and bandwidth-parsimonious (but more complex to set up) dynamic routing protocol is available in the form of the Open Shortest Path First (OSPF) protocol. You have to feed the routers a bit more information about the layout of your sites, but once you do, OSPF quickly generates the shortest routes for your packets.

IP

Records activity related to serving Internet WWW and FTP client requests. Counters for this object record the caching and retrieval of binary large objects (BLOBs) used for handling the large strings of data associated with video and image files, and also of file handles and URLs. The IP counters record events associated with the sending and receiving of IP datagrams, including the rate at which they're sent, received, and processed; the discard rate for outbound and inbound packets; and the...

GUIRunOnce

I haven't included this section in my example scripts yet, but I should mention that you can include a section, [GUIRunOnce], in a setup script. It tells 2000 to finish installing and then to reboot. Once 2000 reboots, it then lets you log in. Once you've logged in, Setup runs the commands in [GUIRunOnce]; typically these are setup commands for applications. They run under whatever user account you logged in as, so if you're installing something that requires Administrator-level privileges, then be...