WIN & OFFICE 2000 TIPS...

Mike L
October, 1999

* TIP: DETERMINE COMPATIBILITY PROBLEMS BEFORE STARTING AN UPGRADE

Windows 2000 (Win2K) setup includes many improvements over its predecessors; the most valuable might be the /CHECKUPGRADEONLY switch you can use to determine whether you have a compatibility problem before starting an upgrade. Unfortunately, it won't work on systems configured to boot more than one OS. In that case, download chkupgrd_1.exe from http://ntbeta.microsoft.com; it performs the same check and works just fine in a multiboot environment.

* PERFORMANCE DATA ON WIN2K

Microsoft has released some performance data on Win2K Pro Release Candidate 2 (RC2), including Winstone scores for several different configurations. Here's a summary (remember that with Winstone, a higher score means better performance):

            Win98    NT 4.0   Win2K
32MB RAM    1.6      1.3      1.39
64MB RAM    2.16     2.69     2.71
128MB RAM   2.31     3.06     3.14

These results show that Win2K RC2 outperforms NT 4.0 in all cases, and outperforms Win98 in 64MB+ configurations. The results also show that 64MB isn't really enough memory--note the considerable performance difference between 64MB and 128MB. I've completed some slightly different testing and obtained similar results; for my particular configuration, the sweet spot is about 80MB--a good fit with the 96MB I have on my system. I've also found some benefit to moving the paging file to a physically separate drive or running two page files on physically separate drives (not just partitions).

* BOOK HIGHLIGHT: PLANNING FOR WINDOWS 2000
By Eric K. Cone, Jon Boggs, and Sergio Perez
Online Price: $23.95
Softcover; 415 Pages
Published by New Riders Publishing, May 1999

Part I: Preparing for Windows 2000 Installation provides detailed descriptions of the real upgrade hurdles and how this book will help the reader clear them. Time- and labor-saving tips on inventory and reconfiguration will simplify migration to Windows 2000 (Win2K). Topics include the restructuring of domains, assessment of critical applications, and the cleanup of NetBIOS-based applications and OSs.

Part II: Designing Windows 2000 Networks presents techniques to create workable design strategies. This section will guide you through effective Active Directory (AD) design, DNS service design, TCP/IP standards, and security configurations. The authors cover often-overlooked topics, such as hardware planning and simplifying everyday administration.

Part III: Deploying Windows 2000 presents rollout procedures in detail. The authors draw from their experiences and scenarios to explain an otherwise tangled series of procedures.

* WARNING! WINDOWS 2000 PRO DEFAULT INSTALL BYPASSES SECURITY
Users that accept all the default choices when they install Windows 2000 Professional (Win2K Pro) on their workstations are in for a surprise. The most current builds of the fledgling OS include a Network Identification Setup Wizard that runs before the system boots for the first time. Using this wizard, users can choose between two logon methods. The first choice, every user requires a separate logon, will set up the system to behave as earlier versions of Windows NT do. Each user that accesses the system must log on with an appropriate username and password. However, the second choice, which is the default, creates a user account that matches the user's full name as entered during Setup (in my case, Paul Thurrott). If you accept this choice, no logon is required to access the system. More damaging, however, is that this default account has full administrative privileges, which is an obvious violation of the most basic security principles.

Though Microsoft has said repeatedly and categorically that it designed Win2K solely for businesses, this feature is clearly designed for home users who don't want to log on every time they turn on their machines. In a corporate setting, there is no place for such a logon scheme, no place at all. But more damaging is the possibility that malicious hackers will be able to easily break into such a system using Win2K Pro's built-in Telnet service. Don't you wish Microsoft hadn't removed that custom install option now?

Here's how it works: A user can enable the Telnet service, which the OS disables by default, by entering a simple command on a local network or, more damaging, through a simple blurb of VBScript/HTML in a Web document. This code can remotely start the Telnet service from anywhere on the Internet--the Microsoft Web site, for example, or a Web page that a user has specifically set up to bypass the nonexistent security on a standard Win2K Pro system.

I'm not going to publish this code, of course, but I do have a copy of the code, and I've been testing it on my development network at home. Because Microsoft has not yet released Win2K Pro, the company might be able to fix this glaring security hole before the product releases to manufacturing this fall. And, although this problem takes advantage of a feature that is useful only on a standalone system, such as one you'd expect to see at home, why did Microsoft make this the default choice during setup?

If you already set up Win2K Pro this way and you'd like to better secure your system, back up your data and create a new user account in Computer Management (this account should not have administrative privileges). Then, log off, log on with the Administrator account, and delete the automatically created account. Finally, log off again and log on with the new account you created.

* WINDOWS 2000 PRO Q & A: UPGRADING TO WINDOWS 2000 PRO/ENABLING NUMLOCK

Q: I wanted to upgrade my Windows NT 4.0 Workstation to Windows 2000 Professional (Win2K Pro). I booted my computer with the Win2K Pro CD-ROM, but the setup program never gave me the option to upgrade my existing OS. I decided to start the setup program using the Win2K Pro 3.5" disks. Much to my dismay, the setup program also proceeded to perform a fresh install. Am I doing something wrong?

A: The setup program's behavior is by design. You can't upgrade your existing OS by booting from the Win2K Pro 3.5" disks or CD-ROM. To upgrade your NT 4.0 workstation, run winnt32.exe from the CD-ROM within your current OS. According to Microsoft, forcing an upgrade from within the OS is by design. This behavior makes the setup program more stable because the software doesn't need to search for multiple NT installations and decide which one to upgrade. Also, the setup program can disable any applications or services on your system that can render setup useless. You can upgrade the following OSs to Win2K Pro: Windows 95 (including OSR1 and OSR2), Windows 98 (including Second Edition), Windows NT 3.51, and Windows NT 4.0 Workstation.

Q: I prefer to use the numbers on my Numpad. How can I automatically enable the NumLock key on my Win2K computer?

A: Run regedt32.exe. Go to HKEY_CURRENT_USER\Control Panel\Keyboard\InitialKeyboardIndicators and set the string value to 2.

* WINDOWS 2000 INSTALLATION HINTS AND TIPS
While preparing for Windows 2000 (Win2K), I researched installation issues and wasn't surprised when my TechNet search for "installation" returned 119 matches, and my search for "upgrade" returned 133. Installation problems fall into several familiar categories: selecting the installation drive/partition and directory, upgrading vs. installing a fresh copy, identifying the location of distribution files, fixing NTFS issues, and overcoming various device problems. Here's a sampling of the cone zones waiting for you during your Win2K installation or upgrade.

- Network Adapter Card Detection
Microsoft Support Online article Q227428 (http://support.microsoft.com/support/kb/articles/Q227/4/28.asp) reports that you can't override Win2K automatic network adapter card detection during installation. If the installer selects the wrong card, you need to reboot, manually remove the incorrect adapter, and reinstall the correct one with the Control Panel's Add/Remove Hardware applet. As a failsafe mechanism, you can always install the Microsoft Loopback Adapter to load the network components.

- TCP/IP Clients are DHCP Clients by Default
When you select TCP/IP for your new Win2K system, the computer automatically configures as a DHCP client, and you can't manually specify a static IP address. To specify your own IP address, you need to use the Control Panel's Make New Connection and Local Area Connection tools after the installation completes.

- Win2K and NTFS
First, to avoid problems, install Win2K on an NTFS partition; if you install the OS on a FAT or FAT32 partition and later convert the partition to NTFS, the convert utility might not apply the default security settings correctly. Second, after you convert a drive to NTFS 5.0, you can't revert to the Windows NT 4.0 version--you'll need to reformat the drive. Service Pack 6 (SP6) for NT includes a version of NTFS that's compatible with most of Win2K's file system features.

- Source Files
NT has been confused about the location of source files since the beginning of time, and Win2K is keeping the tradition alive. To minimize problems accessing installation files from a CD-ROM or a network drive, many of us copy the installation directories to a local hard disk and then perform the install. Unfortunately, when you install Win2K from a local hard disk, the OS automatically records the source media as the first available CD-ROM drive letter instead of the local hard disk. So, when you add a new component, Win2K assumes the source media is the CD-ROM, and you have to enter the correct path manually. To work around the problem, you can change the default source media location by editing the source path value entry in these three Registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup Installation Sources

Win2K will correctly record the source media in the Registry when you install from a network drive. However, as I noted above, if you have problems with your network adapter card, you might not be able to access a network drive after the install completes.

- Installation Errors
In some cases, Win2K reports that it has detected software that's not completely installed, and it aborts the installation procedure. Win2K generates this message if there's any data in either of the Registry keys below. You can correct the problem by deleting any data in these keys. Then, when you restart the install, it should proceed normally.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Runonce

- UPS
According to Microsoft Support Online article Q238860 (http://support.microsoft.com/support/kb/articles/Q238/8/60.asp), Win2K's serial port detector toggles the signal, and when you have a UPS connected to a serial port, the UPS interprets this toggle as a power failure. To avoid this problem, disconnect the UPS before you start your Win2K installation. I've experienced this problem many times in the past with a UPS and NT 4.0, which makes me think this problem is a holdover concern instead of a new one.

- Other Installation Hints
* If the Checkdisk utility (chkdsk.exe) needs to repair your disk during installation, you'll get an error message that might make you think the installation failed: "Setup has determined that you attempted unsuccessfully to upgrade the Windows NT installation shown." However, after the Checkdisk utility completes the repair, it reboots your system, and the Win2K installation continues.

* To avoid problems with print DLLs, upgrade your system to SP5 or later before you install Win2K.

* If you follow the default installation procedure, all versions of Win2K install to a directory called Winnt (why not Win2K, I wonder?).

* Microsoft recommends a minimum of 650MB of free space on the system disk and considers 2GB standard--is this a definition of the term "install bloat"?

* The system disk drive letter is hard coded in the Registry, so you can't change the drive designation after you get Win2K up and running.

WINDOWS 2000 PRO Q&A: DISABLE INTELLIGENT MENUS

Q: One thing that I find very irritating on Windows 2000 (Win2K) computers is that the items that I don't use frequently keep disappearing. I have to click on the down arrow at the bottom of the Programs menu to unhide them. Do you know a Registry hack that will prevent these items from disappearing?

A: A lot of users don't appreciate this vanishing act. Perhaps we all need to get used to some of these new features. What you have described is a feature of Win2K known as Intelligent Menus. This feature is supposed to make your life easier. Items that are not used frequently become hidden so that you can focus on the items that you commonly use. I personally don't like this feature, and I turn it off. You can disable this behavior through the user interface (UI) or by modifying the Registry. To change this behavior using the UI, go to Start, Settings, Taskbar & Start Menu, and uncheck the Use Personalized Menus box. This procedure disables the Intelligent Menus feature only for the person who is currently logged on.

To disable the Intelligent Menus feature for all your network clients, you can modify the Registry on your standard desktop configuration. To locate the proper Registry key, run regedt32.exe. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Locate the IntelliMenus key on the right-hand pane. Double-click the key and change the default string value from yes to no. Specifying no will disable the personalized menus. This method disables the Intelligent Menus for the Explorer shell but doesn't affect your Web browser. To disable the Intelligent Menu feature in Internet Explorer (IE), go to Tools, Internet Options, and uncheck the box Enable Personalized Favorites Menu. You can disable this feature in the Registry by running regedt32.exe. Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. Locate the FavIntelliMenus key on the right-hand pane. Double-click the key and change the default string value from yes to no.

What version of Win2K are you using?
To determine which version you are running, type winver at the command prompt or in the Run box. The version information it displays lets you distinguish between the time-bombed 120-day preview code and the final release to manufacturing (RTM) version of Windows 2000 (Win2K).

How to disable Automatic Private IP Addressing in Windows 2000
Run the Registry editor (regedt32.exe). Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Interfaces\adapter_name. Create a new REG_DWORD entry
IPAutoconfigurationEnabled and set the entry to 0 to disable it. If
this entry is not present, the default value of 1 (enable) is assumed.
You must be logged on as an administrator or a member of the
Administrators group to make this change. If you have multiple
adapters, you can disable APIPA for all adapters by following the above
procedure at the following level in the Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

INSTALLING WINDOWS 2000 AND HOTFIXES CONCURRENTLY
Many of us groan when we have to build a new system and apply multiple
hotfixes. With some versions of Windows NT 4.0, we have to apply as
many as 14 order-dependent hotfixes, so, with a reboot after each
hotfix, an installation could take as long as 4 hours. Microsoft
Support Online article Q249149
(http://support.microsoft.com/support/kb/articles/Q249/1/49.asp)
documents a four-step procedure that you can use to install Windows
2000 (Win2K) and multiple hotfixes in one operation:
1. Create a distribution folder called i386 on a local or remote
system.
2. Create an answer file using the Setup Manager tool.
3. Add command lines in the cmdlines.txt file to run the hotfixes
during the Win2K setup.
4. Copy the hotfix files to the distribution folder.

See the article for details about how to create the $OEM$
subdirectory hierarchy under the i386 directory, how to create an
answer file, and how to copy hotfix files in the proper format. I
didn't test this process, so let me know if the instructions are
accurate and if the procedure works.

Over-use of the CPU With Windows 2000 Professional
I just installed the released version of Windows 2000 Professional. After my installation, I noticed that the system seemed to run much slower than with NT 4.0. So I checked the percent of CPU usage in Task Manager and found that the CPU had a constant load of between 42 and 50 percent. I was not running any programs at the time, as I had just finished rebooting and logging in as Admin.

To solve the problem, simply do the following: go to Control Panel, System, Hardware (tab), Device Manager. In Device Manager, select Computer, and under Computer check what processor was found by Win2K. On mine it was ACPI Uniprocessor. To solve the problem you must change this to "MPS Uniprocessor". To do this, simply right-click ACPI Uniprocessor, select the Driver tab, and click Update Driver (the Upgrade Device Driver Wizard will start). Select "Display a list of the known drivers for this device" and select MPS Uniprocessor. Then continue to install the MPS Uniprocessor driver; Windows will reboot, and the problem will be gone.

This solution works with both uniprocessor and multiprocessor boards. Just remember to select MPS Multiprocessor or MPS Uniprocessor instead of the default ACPI drivers.

* WINDOWS 2000 CRITICAL UPDATE
It's time for a Windows 2000 (Win2K) bug update. Microsoft released a
Critical Update on February 17 that closes two Index Server security
vulnerabilities, eliminates a file-corruption problem that arises when
you save Word 2000 and Excel 2000 files in .htm format, and corrects a
Visual Basic (VB) scripting date problem in a Wareki or Taiwan calendar
(i.e., a non-Gregorian calendar). The Index Server vulnerabilities and
the .htm file-corruption problems, which apply equally to Win2K and
Windows NT 4.0, are significant. You can download the fixes from
http://www.microsoft.com/windows2000/downloads/critical/q253934/default.asp.
If you want to perform an online update, go to
http://windowsupdate.microsoft.com and click Product Updates. Microsoft
Support Online articles Q251170
(http://support.microsoft.com/support/kb/articles/Q251/1/70.asp),
Q252463
(http://support.microsoft.com/support/kb/articles/Q252/4/63.asp),
Q252633
(http://support.microsoft.com/support/kb/articles/Q252/6/33.asp), and
Q253342
(http://support.microsoft.com/support/kb/articles/Q253/3/42.asp)
provide details about each of the bug fixes in the Critical Update
download.

I installed the update on my Windows 2000 Professional (Win2K Pro)
machine in just a few minutes, but I found six confusing messages in
the system event log that initially made me doubt that the installation
had succeeded. Each of the records, which had Event ID 64021, indicated
a problem loading a .dll file such as webhits.dll or olepro32.dll in
the dll cache, but the error code in each record stated that the
operation completed successfully. Here's the text of one of the
records:

"The system file c:\winnt\system32\olepro32.dll could not be copied
into the DLL cache. The specific error code is 0x00000000 [The
operation completed successfully.] This file is necessary to maintain
system stability."

When I checked the event log after rebooting, no other error
messages appeared. My best guess is that these records fall into the
white noise or obfuscation category, but if you have a different
experience, be sure to let me know. When we're patching a brand new OS,
we deserve better results and clearer information. The folks that
packaged the update could have paid more attention to the details so
that we don't end up scratching our heads after installing fixes that
close gaping security holes.

The update also wrote a system event log record, Event ID 4359, with
the text "Windows 2000 Hotfix Q253934 was installed" and created two
keys in the Registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix.
One key, Q147222, has no associated text except for an installed value
entry; the other key, Q253934, indicates that the hotfix is pre-Service
Pack 1 (SP1).
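As an added example (not part of the original newsletter), the following Python script triages records like the ones described above: it separates Event ID 64021 records whose error code is 0x00000000 (the "failed, but succeeded" noise) from 64021 records that carry a real error code, and uses Event ID 4359 to confirm that the expected hotfix (Q253934) was recorded. The sample records, their tab-separated layout and the Source column are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of system event log records (EventID<TAB>Source<TAB>Message).
# The two olepro32/webhits records mirror the text quoted in the article; the
# example.dll record and the source names are made up to exercise the triage.
SAMPLE_EVENTS = """\
64021\tWindows File Protection\tThe system file c:\\winnt\\system32\\olepro32.dll could not be copied into the DLL cache. The specific error code is 0x00000000 [The operation completed successfully.] This file is necessary to maintain system stability.
64021\tWindows File Protection\tThe system file c:\\winnt\\system32\\webhits.dll could not be copied into the DLL cache. The specific error code is 0x00000000 [The operation completed successfully.] This file is necessary to maintain system stability.
64021\tWindows File Protection\tThe system file c:\\winnt\\system32\\example.dll could not be copied into the DLL cache. The specific error code is 0x00000005 [Access is denied.] This file is necessary to maintain system stability.
4359\tNtServicePack\tWindows 2000 Hotfix Q253934 was installed
"""

EVENT_RE = re.compile(r"^(?P<id>\d+)\t(?P<source>[^\t]*)\t(?P<msg>.*)$")
CODE_RE = re.compile(r"error code is 0x(?P<code>[0-9A-Fa-f]{8})")
DLL_RE = re.compile(r"system file (?P<path>\S+) could not be copied")
HOTFIX_RE = re.compile(r"Hotfix (?P<kb>Q\d+) was installed")


@dataclass
class Finding:
    event_id: int
    verdict: str   # "noise", "failure", "hotfix-installed" or "other"
    detail: str


def triage(log_text: str) -> List[Finding]:
    """Classify each record; a 64021 with error code 0 is treated as noise,
    because the OS itself reports the operation as successful."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        event_id = int(m.group("id"))
        msg = m.group("msg")
        if event_id == 64021:
            code_m = CODE_RE.search(msg)
            path_m = DLL_RE.search(msg)
            path = path_m.group("path") if path_m else "?"
            code = int(code_m.group("code"), 16) if code_m else None
            if code == 0:
                findings.append(Finding(event_id, "noise", path))
            elif code is None:
                findings.append(Finding(event_id, "failure", path))
            else:
                findings.append(Finding(event_id, "failure", f"{path} code=0x{code:08X}"))
        elif event_id == 4359:
            hf = HOTFIX_RE.search(msg)
            findings.append(Finding(event_id, "hotfix-installed", hf.group("kb") if hf else msg))
        else:
            findings.append(Finding(event_id, "other", msg))
    return findings


def summarize(findings: List[Finding], expected_hotfix: str) -> Dict[str, object]:
    """Roll the findings up into what an administrator actually wants to know:
    how much noise there was, which copies really failed, and whether the
    hotfix we meant to install was recorded."""
    installed: Set[str] = {f.detail for f in findings if f.verdict == "hotfix-installed"}
    return {
        "noise": sum(1 for f in findings if f.verdict == "noise"),
        "failures": [f.detail for f in findings if f.verdict == "failure"],
        "hotfixes": sorted(installed),
        "expected_installed": expected_hotfix in installed,
    }


if __name__ == "__main__":
    for key, value in summarize(triage(SAMPLE_EVENTS), "Q253934").items():
        print(f"{key}: {value}")
```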

***WEB-EXCLUSIVE: The following item is posted on the Windows 2000
Magazine Web site. For the complete story, go to
http://www.win2000mag.com/Articles/Content/8283_01.html.

OTHER WINDOWS 2000 BUG FIXES
Microsoft has released three more bug fixes you might want to apply to
your Win2K systems. The first solves two Iomega Jaz drive problems, one
corrects a crash that can result from an attempt to eject a tape or CD-
ROM using the Control Panel's Add/Remove Hardware applet, and one
corrects a problem you might encounter if you try to save an Adobe
FrameMaker file in .pdf format or as a file with print separations. The
Jaz drive and FrameMaker patches are available for public download, but
you have to call Microsoft Support for the update that eliminates the
device-eject blue screen. For more details and to download the patches,
visit our Web site at
http://www.win2000mag.com/Articles/Content/8283_01.html.

General Protection Faults with Windows 3.x (16-bit) applications
When I launched a couple of 16-bit programs, they would act like they were going to start, but would suddenly stop. Others would actually GPF (blaming NETVDM.EXE). In an obscure reference in one of the troubleshooters, it noted that some 16-bit programs "MUST have a DEFAULT printer installed" before they could operate. I then went into my Printers folder and set an active printer as the default one. Lo and behold, all of my legacy applications ran without a glitch.

WINDOWS 2000 PRO Q&A: USING AN EXTERNAL MODEM WITH WINDOWS 2000 PROFESSIONAL (contributed by Zubair Ahmad, zubair@win2000mag.com)

Q: I use an external 56K modem on my Windows 2000 Professional (Win2K Pro) computer. If I turn the modem on before I start the computer, the modem works fine. However, if I turn the modem on after I'm already in Win2K Pro, I can't get the modem to work properly. Do you know a solution or workaround?

A: This problem is a known bug in Win2K. Depending on your connection type, you'll see different error messages. For example, when you try to dial out with your modem, you might see the following error message:

"Error 633. The modem is already in use or not configured for dialing out." Or you might see "Error 692: There was a hardware failure in the modem (or other connecting device)." If you look at the device in Win2K Pro, the system reports that the device is working fine, but you still can't dial out.

According to Microsoft, you must restart your computer while your modem is on. As a workaround, Microsoft suggests you go to Control Panel, System, Hardware. Right-click the modem and select "Scan for hardware changes." Microsoft describes this procedure in Support Online article Q238317 (http://support.microsoft.com/support/kb/articles/Q238/3/17.ASP?LNG=ENG&SA=ALLKB&FR=0).

However, this workaround won't work in all cases. My solution, which has always worked for me, is to turn the modem on and off. Sometimes I have to do this several times.

* MICROSOFT ANNOUNCES IIS 5.0 CONFIGURATION TOOL
Late last week, Microsoft announced the availability of the Windows 2000 (Win2K) Internet Server Security configuration tool. This tool lets you tighten IIS 5.0 configurations, including Registry settings, security policies, and other settings important for properly securing an IIS 5.0 installation. Microsoft strongly warns tool users to thoroughly read the README file included in the distribution before using the tool. You can download the tool from http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19889.

Dual-booting Win2K Pro and NT 4.0 - Some Approaches...

If you run into boot problems with Win2K (perhaps after installing another OS), boot from the Win2K installation CD-ROM and try the Recovery Console option. One command available from the console is FIXBOOT, and it can repair unbootable partitions.

If you use a dual-boot desktop in a Win2K Server or NT Server domain, you'll require two different domain names--one when booted from Win2K and the other when booted from NT.
Otherwise, the second install will overwrite the first, and you'll be able to boot only from the second OS.

Some users have been running a triple-boot system (Win2K, NT, and Windows 98) for some time now and use PowerQuest's Partition Magic to switch active partitions. Finally, Winternals offers a product bundle called Dual Boot Tools that enables any Microsoft OS to access FAT, FAT32, or NTFS partitions.

* BOOK HIGHLIGHT: MICROSOFT WINDOWS 2000 PROFESSIONAL RESOURCE KIT
By Microsoft Corporation
Online Price: $41.95
Softcover; 1792 Pages
Published by Microsoft Press, February 2000
ISBN 1572318082

This official Microsoft resource kit includes the technical information and tools IT professionals need to successfully deploy, manage, and maintain Windows 2000 Professional (Win2K Pro). Readers get exhaustive reference, in-depth detail, and timely insights for maximizing the productivity of their desktop environments from those who know the technology best--the Win2K product group. The companion CD-ROM contains essential tools for deploying and supporting Win2K Pro, including the Setup Manager and tools for administering Active Directory (AD) Services, along with a searchable electronic version of the text.

For Windows 2000 Pro UPDATE readers only--Receive an additional 10 percent off the online price by typing WIN2000MAG in the discount field on the Shopping Basket Checkout Page. To order this book, go to http://www.fatbrain.com/shop/info/1572318082?from=win2000mag.

* TIP: MINIMIZE THE RISK OF USING WINDOWS 2000 PROFESSIONAL

Windows 2000 Professional (Win2K Pro) is a brand new OS with lots of bells and whistles, so its available services deserve careful inspection before you connect it to the Internet. If you perform your own Win2K Pro installation, install only the services that you absolutely require. If someone other than you built or maintains your system, review all services for proper configuration. For example, did you know that Win2K Pro lets a remote user start the Telnet service if your system is not protected against such action? Therefore, if you don't need a Telnet service, don't install it. And if the service is already installed, remove or disable it.

Minimally, inspect each installed service to ensure no unwanted services have been enabled for automatic or manual start. If you have services installed that you'll never use, remove them from your systems. These actions help prevent intruders from starting services without your knowledge. If you have a service installed that you'll use only on rare occasions, disable that service until you need it.

Be sure to inspect and test all the security aspects of any installed services for proper configuration. For example, if you have an FTP service installed, ensure that only authorized accounts can log on to that service and that those accounts can access only the parts of the file system you authorize.
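As an added example (not from the newsletter), the Python script below performs the service inspection described in the three paragraphs above on an export of the Services hive: it parses a regedt32/regedit-style .reg export, reads each service's Start value, and flags any service set to automatic or manual start that is not on an approved list. The export text is constructed; TlntSvr (Telnet) and MSFTPSVC (FTP Publishing) are the real Win2K service short names, and the Start-value meanings are the standard ones (2 automatic, 3 manual, 4 disabled).

```python
import re
from typing import Dict, Iterable, List

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
START_MODES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed registry export (not from a real machine). Service names are
# genuine Win2K short names; the Start values are made up for the audit.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"DisplayName"="Event Log"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"DisplayName"="Telnet"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Enum]
"Count"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC]
"DisplayName"="FTP Publishing Service"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"DisplayName"="Remote Registry Service"
"Start"=dword:00000004
"""


def parse_services(export_text: str) -> Dict[str, Dict[str, object]]:
    """Return {service_name: {"display": ..., "start": int|None}} from a .reg export.
    Only direct children of the Services key count; Enum/Parameters subkeys are skipped."""
    services: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in export_text.splitlines():
        line = raw.strip()
        key_m = KEY_RE.match(line)
        if key_m:
            key = key_m.group("key")
            current = None
            if key.upper().startswith(SERVICES_PREFIX.upper()):
                rest = key[len(SERVICES_PREFIX):]
                if "\\" not in rest:  # a subkey such as TlntSvr\Enum is not a service
                    current = rest
                    services.setdefault(current, {"display": current, "start": None})
            continue
        if current is None:
            continue
        val_m = VALUE_RE.match(line)
        if not val_m:
            continue
        name, data = val_m.group("name"), val_m.group("data")
        if name == "Start" and data.lower().startswith("dword:"):
            services[current]["start"] = int(data[len("dword:"):], 16)
        elif name == "DisplayName" and data.startswith('"'):
            services[current]["display"] = data.strip('"')
    return services


def audit_services(services: Dict[str, Dict[str, object]],
                   approved: Iterable[str]) -> List[Dict[str, str]]:
    """Flag every service that will start (automatic or manual) and is not approved.
    Manual start matters too: the article's point is that an unwanted service set to
    manual can still be started without the owner's knowledge."""
    approved_lc = {a.lower() for a in approved}
    findings: List[Dict[str, str]] = []
    for name, info in sorted(services.items()):
        start = info["start"]
        if start in (2, 3) and name.lower() not in approved_lc:
            findings.append({
                "service": name,
                "display": str(info["display"]),
                "mode": START_MODES[start],
                "action": "set Start to 4 (disabled) or remove the service",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_services(parse_services(SAMPLE_EXPORT), {"Eventlog"}):
        print(f"{finding['service']:16} {finding['mode']:10} {finding['display']} -> {finding['action']}")
```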

* WINDOWS 2000 ROAMING PROFILES IN A MIXED ENVIRONMENT

Many of us are testing or running mixed environments with Windows 2000 (Win2K) and Windows NT 4.0 servers and clients, and the majority of us implement server-based user profiles to ensure user desktop integrity.

Here's a quick summary of two important changes in Win2K user profile management and a couple of pointers for avoiding roaming profile update problems in a mixed environment of Win2K workstations and NT 4.0 servers.

Win2K requires greater access permission than NT 4.0 does to update user profiles. When Win2K updates a user profile, it writes information about any desktop changes a user makes during the interactive session.

In addition to updating the contents of the profile, Win2K also updates the user profile file's ACL (an extended file attribute). In NT 4.0, the system updates only the contents of the user profile file, not the ACL associated with the file. Another critical difference between the old and new OSs is that the Win2K user profile update code requires WRITE_DAC access to update the ACL on a server-based roaming profile.

While Change permission in NT Server 4.0 doesn't allow this access, Change permission in Windows 2000 Server (Win2K Server) has the appropriate rights to update the server-based profile's ACL.

The upshot is that when you store a Win2K user profile on an NT 4.0 server and the profile share has only Change permission, Win2K can't update the profile file's ACL and the roaming profile update fails. If you're running this configuration, your users will see the error message, "Windows cannot update your roaming profile. Contact your network administrator. DETAIL - Access is denied" when they log off. To eliminate the profile update error and ensure that Win2K updates the profile successfully on an NT 4.0 server, you must give each user Full Control access to his or her profile share on the server.

If you support NT 4.0 clients but store user profiles on a Win2K server, you don't have to grant Full Control to user profile shares because the enhanced Win2K Change permission lets the OS correctly update the user profile ACL. See Microsoft Support Online articles Q255113 (http://support.microsoft.com/support/kb/articles/Q255/1/13.asp) and Q257848 (http://support.microsoft.com/support/kb/articles/Q257/8/48.asp) for more information about roaming profiles. You can also find good hints and tips on managing user profiles in a mixed environment in Microsoft Support Online article Q224012 (http://support.microsoft.com/support/kb/articles/Q224/0/12.asp).

* USER PROFILE SPACE REQUIREMENTS

Win2K employs a two-step process to copy a user profile. To successfully update a profile, Win2K's two steps require that the profile directory have free space equal to twice the user profile file size.

* USER PROFILE REGISTRY ENTRIES

You can't change the Default User Profile cache location on a local machine in NT 4.0, but in Win2K, you can change the two Registry entries that identify the directory and the path of the Default User profile.

* TIP: WINDOWS 2000 DEFAULT SECURITY (contributed by http://www.jsiinc.com)

If you perform a clean install of Windows 2000 Professional (Win2K Pro) or Windows 2000 (Win2K) as a member server, neither Everyone nor Users group members will have the broad write access to the system that they had in Windows NT 4.0. Instead, they will have write access to their profile folder and read access to most of the system. Users don't have interactive logon rights to a domain controller.

By default, new users are added to the Power Users group. The Authenticated users group is also added to the Power Users group. As was the case in NT 4.0, Power Users have enough write access to install programs. Members of the Administrators group have the same access that they had with NT 4.0. Members of the Server Operators, Account Operators, and other built-in groups have the same access that they had in NT 4.0. If you perform an upgrade from NT, your previous security settings are maintained, but the above defaults do not apply.

NOTE: You can elect to remove Authenticated Users and Users from the Power Users group.

* MICROSOFT POSTS RTM VERSION OF THE AD MIGRATION TOOL
Microsoft recently posted the release to manufacturing (RTM) version of the Active Directory (AD) Migration Tool for download to the general public. The AD Migration Tool provides an easy, secure, and fast way to migrate your users from Windows NT 4.0 to the Windows 2000 Server (Win2K Server) AD service. You can also use the AD Migration Tool to restructure your Win2K Server AD domains. This tool can help a systems administrator diagnose any possible problems before beginning migration operations. Task-based wizards then let you migrate users, groups, and computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes. The tool's reporting feature lets you assess the impact of the migration, both before and after move operations. The AD Migration Tool is invaluable for any business considering a migration from NT to Win2K.

You can find more information about and download the AD Migration Tool at http://www.microsoft.com/WINDOWS2000/downloads/deployment/admt/default.asp.

Windows Dynamic Disks
Windows 2000 (Win2K) introduces dynamic disks, which are necessary for fault-tolerant configurations. To convert basic disks to dynamic disks, perform the following steps:

1. Start Computer Management.

2. Expand Storage - Disk Management.

3. Right-click the disk and select Upgrade to Dynamic Disk.

4. Select the disks to upgrade and click OK.

5. A summary will be displayed.

6. Click Upgrade.

7. Click Yes to the confirmation.

Converting basic disks to dynamic disks doesn't require rebooting.

However, any volumes remaining on the disks after the conversion generate a pop-up that basically says a reboot is necessary before the volumes can be used. I generally say "No, do not reboot" until all the volumes are identified and all the pop-ups go away. Then I perform a single reboot.

When you change basic disks to dynamic disks, any existing partitions become simple volumes. Any existing mirrored, striped, or spanned volume sets created with Windows NT 4.0 become dynamic mirrored, striped, or spanned volumes respectively.

If you get a message that says you are out of space, you may not have enough unallocated free space at the end of the disk for the private region database that dynamic disks use to keep volume information. Each dynamic disk requires about 1MB of this space. (Sometimes the space is not visible to the user in the GUI, but it is still there.) You may not have the space if the partition(s) on the disk take up the entire disk and were created with Setup, an earlier version of NT, or another OS. When partitions are created within Win2K, the space is reserved. (In a later release, partitions created with Setup will reserve the space.)

To undo this conversion, run Dmunroot.exe (an unsupported utility available from Microsoft), which will revert to basic boot and system partitions--but all other volumes will be destroyed. Alternatively, you can back up any data you want to preserve, then delete all partitions. The entire disk must be unallocated or free space. That should activate the menu choice "Revert to Basic Disk."

How much memory for Windows 2000
How much RAM does Windows 2000 Professional need? I've been asking this question for some time, and I think we finally have some answers. The Windows 2000 Magazine lab staff has been busy over the past few months conducting performance tests. Here are results from BAPCo's SYSmark 2000 benchmarking software running on Windows NT Workstation 4.0 and Win2K Pro on desktop (550MHz Pentium III) and notebook (300MHz Celeron) platforms. NT consistently outperforms Win2K in our tests, although at 256MB of RAM on the desktop, the difference is less than 5 percent. Also, notice that you can nearly equalize performance with a memory upgrade: Win2K Pro at 128MB of RAM equals or beats NT 4.0 at 64MB of RAM on both platforms. Results vary from application to application (SYSmark uses a weighted average for a dozen applications running a variety of scripts), so your mileage might differ.

With that said, the results are consistent enough across both platforms (we also have incomplete results about a third platform) that I feel reasonably comfortable with them. As I've said before, 64MB of RAM is just not enough for Win2K Pro! Look for a complete report about our tests in an upcoming issue of Windows 2000 Magazine.

WINDOWS 2000 UPGRADE FAILS TO CONVERT SYSTEM DRIVE TO NTFS
If you created an NT 4.0 system with the system preparation tool Sysprep, a bug in the Sysprep installation prevents the Win2K upgrade from converting the system drive to NTFS. Microsoft Support Online article Q256917 (http://support.microsoft.com/support/kb/articles/Q256/9/17.asp) presents steps for reproducing this problem and indicates that the only workaround is to manually convert the drive with the Convert command (i.e., Convert c: /fs:ntfs) after you complete the Win2K installation.

Office 2000 Save My Settings Wizard

http://officeupdate.microsoft.com/2000/downloadDetails/o2ksmsdd.htm

"The Save My Settings Wizard stores your settings for Office 2000 at a secure location on the Office Update Web site. When you are away from your computer, you can easily download the settings to another computer. So even if you are not using your own computer, you can still access your settings as long as you have an Internet connection. This is especially useful if you log on to different computers or if you share your computer with another person. Microsoft does not open the files or examine the contents in any way while they are saved to the server."

Office 2000 Tips  

The new package offers helpful features and frustrating nuisances

As most software releases do, Microsoft Office 2000 offers new features that you'll love and other features that you'll find annoying. In this Top 10, I share some Office 2000 tips, tell you how to find and use Office 2000's coolest new features, and show you how to avoid the nuisances.

10. The Office 2000 installation requires a specific Windows NT and Windows 95 service pack level. To save yourself installation headaches, apply Service Pack 4 (SP4) to your NT system before you begin. An installation on Win95 requires SP1.

9. If you blindly select all the default Office 2000 installation options, you'll need to access your installation CD-ROM repeatedly. To avoid the reinstallation blues, take the time during installation to carefully choose the Office 2000 features that you want.

8. Office 2000's new Office Clipboard lets you use as many as 12 individual clipboard buffers. You can select View, Toolbars, Clipboard to display the Office Clipboard in any Office 2000 program.

7. Corrupted or missing DLLs can stop any application, including Office 2000. Finding and replacing the right files with the right versions can be a time-consuming chore. To reinstall the components that each Office 2000 application requires, run the Detect and Repair option from the Help menu.

6. A handy new Microsoft Word editing option displays synonyms for common words. Simply right-click a word and select Synonyms from the pop-up menu.

5. The Automatic numbered lists feature gets in the way more often than it proves useful. To turn off Word's automatic numbering feature, select Format, AutoFormat, Options. Then, in the AutoCorrect dialog box, clear the Automatic numbered lists check box.

4. Office 2000's Web Folders option lets you easily publish Office 2000 documents on your Web server, where users with a standard Web browser can share them. Simply select Web Folders from the Places bar, then choose Save as Web Page. To use Web Folders, you must install the FrontPage Server extensions on the Web server.

3. Microsoft Access 2000's Access Database Project (ADP) lets Access use Microsoft SQL Server and Microsoft Database Engine (MSDE) as a database back end (instead of Microsoft Jet Engine). ADP uses the high-performance SQL Server OLE DB provider to integrate Access' user-friendly and powerful database-query and reporting tools with SQL Server.

2. Adaptive menus are one of Office 2000's most exasperating new features. Adaptive menus change in response to frequent menu selections, thereby customizing your desktop. However, I've found that adaptive menus typically hide options I want to leave on the desktop—an annoyance that doubles the work and time required to find them.

Fortunately, you can disable adaptive menus. To display full menus, go to Tools, Customize, and clear the Menus show recently used commands first check box.

1. The universally irritating Office Assistant is back in Office 2000. To turn off Office Assistant for your current editing session, right-click the Office Assistant icon, select Options from the pop-up menu, and clear the Use Office Assistant check box. To permanently remove Office Assistant, use Office 2000's Add/Remove Components option.

Configuring Windows 2000  

Mold the OS to your specifications

You've just installed Windows 2000 (Win2K), and your first impression is that the OS looks quite different from Windows NT. You want to configure your new system, but first you need to know where to find the configurable options. In this installment of Getting Started with Windows 2000, I show you where to find new and familiar options that you might want to configure before you use Win2K in a production environment. These configuration suggestions apply to systems administrators and technical support personnel. End users will probably want to use the more restrictive settings that their company policy defines.

Name That Computer

I always rename my computers. Simply right-click My Computer, select Rename, and type the computer's name. Most Help desk personnel rename client computers because many users don't know how to find the name of their computer. To find the computer's name in NT 4.0, you right-click the Network Neighborhood icon and click Properties. In Win2K, this technique brings up a dialog box from which you can configure network properties, but the dialog box doesn't provide the computer's name. Instead, right-click the My Computer icon and select Properties to access the System Properties dialog box. On the Network Identification tab, you'll find your computer's name. Renaming the My Computer icon lets even the most inexperienced users know their computer's name.

Size the Pagefile

While you're browsing the System Properties dialog box, take a look at the Advanced tab. This tab is the gateway to three sets of configurable variables: Performance, Environment, and Startup and Recovery. Under Performance, click Change, then configure the pagefile from the Virtual Memory dialog box, which Screen 1, page 166, shows. Ideally, the pagefile needs to reside on a disk separate from the disk that holds the system files.

I also suggest that you set the Initial size and Maximum size fields to the same value. Be sure to choose a value high enough to give you a sufficiently sized swap file. You might want to go with the recommended default value, then use Performance Monitor to watch the pagefile and ensure that the system doesn't approach its pagefile size limit. Setting Initial size and Maximum size to the same value prevents the pagefile from growing while users access the system and from slowing users down as the system searches for and allocates space.

On the Advanced tab, you might also open Startup and Recovery and change the time frame for which the system displays the OS choices. The default 30 seconds is glacial—if you can't decide which OS you want in 10 seconds, you've been staring at computer screens for too long.

Upgrade to Dynamic Disks

New to Win2K is the concept of the dynamic disk, which lets you create dynamic volumes. The upgrade from NT 4.0's basic disk to Win2K's dynamic disk converts any existing partitions to volumes. The benefit is that you can configure and manage dynamic volumes without needing to reboot the computer. For example, you can create a spanned volume on multiple disks without rebooting. The equivalent operation in NT 4.0—creating a volume set—requires a reboot. The disadvantage is that you can't access dynamic disks from NT 4.0 or any other OS; therefore, don't perform this conversion on a system that you dual-boot. You can, however, access dynamic disks remotely from other computers. In this scenario, you don't access the disk directly; rather, Win2K reads the files and sends them back to you through its server service.

To convert your disk, right-click the My Computer icon, select Manage, expand the Computer Management console's Storage item, and select Disk Management. The right pane shows the disks on your system, as Screen 2, page 166, shows. Right-click the disk icon in the lower window. Select the Upgrade to Dynamic Disk option, choose the disks you want to upgrade, and click OK.

The next window that pops up asks you to confirm that you want to upgrade the selected disks. Select the Upgrade option, and you receive a reminder that you won't be able to boot previous versions of Windows from the converted disks. Click Yes, and you receive yet another warning: The procedure will force-dismount file systems on any of the disks you upgrade. No applications should be running while you attempt this conversion. I suggest that you perform the conversion before turning the system over to production use. Click Yes, and you get another confirmation dialog box. This dialog box informs you that a reboot will complete the upgrade process—another reason to perform this upgrade before you turn the computer over to users. (Let's hope that after you convert to dynamic disks, you won't need to keep rebooting.) Finally, the system reboots. My system rebooted twice during the conversion process.

Theoretically, you can convert from dynamic disk to basic disk. However, to accomplish this backward conversion, you need to remove all volumes on the disk and rebuild the partitions and logical drives. Of course, removing the volumes also removes the data, so you'll need to back up the volumes' data and restore the data to the partitions. Such a conversion is difficult if the disk contains your OS. I recommend experimenting on your system's second hard disk—not the first.

Configure the Event Viewer Logs

Systems administrators often forget to prevent event logs from overflowing. Go to the Control Panel Administrative Tools applet and open Event Viewer. Right-click each log, and select Properties. The default settings allocate 512KB to each log and overwrite events older than 7 days. If these settings work for you, go with them. But if some of your applications (e.g., Microsoft SQL Server) write to the log frequently, you might want to increase the maximum log size or select Overwrite events as needed, as Screen 3 shows. However, for high-security environments (e.g., C2 security), you need to select Do not overwrite events (clear log manually)—an option that systems administrators often combine with saving the log to a file for audit purposes.

Set the Date Rollover

The Control Panel Regional Options applet brings up a tabbed dialog box. On the Date tab, which Screen 4 shows, you can control how the OS handles a two-digit year. By default, the OS assumes that a two-digit year falls between 1930 and 2029. Therefore, the OS would interpret 6-6-44 as 6-6-1944 and 7-7-17 as 7-7-2017. However, you might not want to use that setting as your corporate standard, or you might have applications that follow a different standard. For example, SQL Server by default assumes that two-digit years fall between 1950 and 2049, although the DBA can change that setting. I suggest that you establish a corporate standard for date rollover.
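The century-window mismatch described above (Win2K's 1930-2029 default versus SQL Server's 1950-2049 default) is easy to model; the following is an added example, not code from the original column, and the function and window names are my own:

```python
"""Two-digit year interpretation under a configurable rollover window.

Models the behaviour the text describes: a 100-year window whose last
four-digit year decides which century a two-digit year lands in. The
Win2K Regional Options default ends in 2029; the SQL Server default ends
in 2049. The same date string can therefore be read differently by the
OS and by the database, which is the reason for a corporate standard.
"""
from datetime import date

WIN2K_DEFAULT_WINDOW_END = 2029      # Win2K default: 1930-2029
SQLSERVER_DEFAULT_WINDOW_END = 2049  # SQL Server default: 1950-2049


def expand_two_digit_year(yy: int, window_end: int) -> int:
    """Map a two-digit year to a four-digit year.

    Two-digit years less than or equal to the last two digits of
    ``window_end`` fall in window_end's century; all others fall in
    the previous century.
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year must be in 0..99")
    century_base = window_end - window_end % 100  # 2000 for both defaults
    if yy <= window_end % 100:
        return century_base + yy
    return century_base - 100 + yy


def parse_mdy(text: str, window_end: int = WIN2K_DEFAULT_WINDOW_END) -> date:
    """Parse an M-D-YY string in the form the text uses (e.g. '6-6-44')."""
    month, day, yy = (int(part) for part in text.split("-"))
    return date(expand_two_digit_year(yy, window_end), month, day)


def disagreements(samples, window_a: int, window_b: int):
    """Return the sample strings that the two windows interpret differently.

    Useful when auditing date fields that cross an OS/database boundary.
    """
    return [s for s in samples
            if parse_mdy(s, window_a) != parse_mdy(s, window_b)]


if __name__ == "__main__":
    # Constructed sample dates, including the two quoted in the text.
    constructed = ["6-6-44", "7-7-17", "1-1-35"]
    for sample in constructed:
        print(sample,
              parse_mdy(sample, WIN2K_DEFAULT_WINDOW_END),
              parse_mdy(sample, SQLSERVER_DEFAULT_WINDOW_END))
    print("differ:", disagreements(constructed,
                                   WIN2K_DEFAULT_WINDOW_END,
                                   SQLSERVER_DEFAULT_WINDOW_END))
```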

Configure Folder Options

Win2K's default folder-option settings are as inadequate as NT 4.0's settings. You'll probably want to reconfigure these settings before you do anything else on your computer. To open Windows Explorer, right-click the My Computer icon or go to the Start menu and select Programs, Accessories, Windows Explorer. (The fact that Windows Explorer is an accessory whereas Internet Explorer—IE—resides under Programs is a mystery, given that Win2K Server is supposed to be about getting work done, not surfing the Internet.) On the Windows Explorer window's top menu bar, click Tools, Folder Options to access a tabbed dialog box. On the General tab, I recommend clearing the Web content in folders check box because this complex display probably takes processing cycles away from other tasks. The other defaults on the General tab seem reasonable. On the View tab, which Screen 5 shows, I select the Display compressed files and folders with alternate color check box so that I can distinguish compressed and uncompressed files at a glance. I also like my system to display the full path in the address bar and title bar. I always select the Show hidden files and folders check box and clear the Hide file extensions for known file types and Hide protected operating system files check boxes because those files are often the ones I need to find when problems arise. Finally, I clear the Show My Documents on the Desktop check box because I prefer to store documents on a disk dedicated to data files. After I set these options, I make sure to click the Like Current Folder button to propagate these settings to all my other folders.

Tweak Your Power Options

In the Control Panel Power Options applet, Win2K introduces power-handling options that laptop users will find familiar. The default Always On setting makes sense for a server—cutting power to the monitor after 20 minutes (or less) of inactivity is harmless, but you need to keep the computer and disks running. However, I recommend more aggressive settings for a desktop system. For example, to conserve power and avoid generating heat in your office, you might want to shut down the system's disks and video after a certain period of inactivity.

Create a Checklist

Whenever you install a new OS or add a new computer, consider following a configuration checklist to make sure that the computer meets your specifications before you turn it over to users. A configuration checklist can save time and effort later. For example, Win2K's new dynamic disk feature will prevent the need for reboots when you perform disk reconfiguration at a later date. Win2K offers many other configurable options, and you'll no doubt add your preferences to such a configuration checklist.

Disabling Win2k Services To Save On Memory
Last week's column about Windows 2000 Professional performance generated comments from two readers who said they're getting acceptable results from Win2K Pro on notebook PCs with just 64MB of RAM. One thing they did that we didn't do in our performance tests is turn off unused services. You can turn off unused services using the Services applet in the Administrative Tools section of the Win2K Control Panel. Many standard Win2K Pro services are intended for computers running on a network; disabling those services on systems that don't require them--such as notebook PCs--can save significant RAM.

Memory, Memory, Memory
Last month, I wrote a column about dual-booting Win2K Pro and Windows NT, in which I discussed problems with restoring a corrupted Win2K boot sector after installing NT. I've now discovered how to repair the boot sector--and it's easy, particularly if you have a system that supports booting from the CD-ROM (if not, you'll need the setup disks). Simply insert your Win2K Pro CD-ROM, boot it to start Win2K setup, and select the option to repair your existing Win2K installation using the emergency disk method. Don't worry if you don't actually have an emergency disk--you won't need it to fix the boot sector. I've tried this method on two systems that I rendered unbootable using NT 4.0 setup--and it worked without a hitch.

John Ruley Windows 2000 Pro UPDATE News Editor jruley@win2000mag.com

* HOT THREAD: YOUR SYSTEM IS LOW ON VIRTUAL MEMORY

The following text is from a recent threaded discussion on the Windows 2000 Magazine online forums (http://www.win2000mag.com/support).

April 25, 2000, 07:50 A.M.

Your System Is Low on Virtual Memory

I recently had a dual boot Win98/Win2000 machine. I decided to get rid of my 98 partition. Using PQMagic5, I deleted the partition and expanded the Win2K partition to maximize the whole drive (20GB). Now upon bootup, I keep getting an error regarding the pagefile.sys--saying that my pagefile is too small/My system is low on virtual memory. It then never lets me into the OS. It keeps on going in a loop on the Administrator login. Besides the conventional way of modifying the pagefile, is there a way to do it in the console? Any other suggestions would truly be appreciated.

Thread continues at http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=70&Message_ID=100535

Multi-Booting Windows 2k/NT/W9x/DOS

http://support.microsoft.com/support/kb/articles/Q217/2/10.ASP

"Your installations are less prone to problems if you install Windows 95 or Windows 98 before you install Windows NT and Windows 2000. This order is recommended because sometimes Windows 95 or Windows 98 replaces a Windows 2000 or Windows NT boot sector with its own boot sector. Because a Windows 95 or Windows 98 boot sector identifies the partition as a FAT16 partition, Windows NT and Windows 2000 can no longer access NTFS volumes."

* WINDOWS SOCKETS BUG FIX
Under stress, Microsoft Exchange and other programs might stop working and generate Dr. Watson access violation error messages. The problem results from an incorrect buffer-length calculation in the EnumProtocols function in Windows Sockets (mswsock.dll) that corrupts the heap and causes unpredictable access violations. Microsoft Support Online article Q259148 (http://support.microsoft.com/support/kb/articles/q259/1/48.asp) documents the problem and indicates that you can call Microsoft Support for the bug fix, new versions of mswsock.dll and wsock32.dll released March 21.

* SYSPREP AND ACPI
Win2K Sysprep contains a bug that hangs systems supporting Advanced Configuration and Power Interface (ACPI). The bug causes Sysprep to attempt to reboot the system on which you're preparing the disk twice--as a result, the system hangs. If you plan to configure Win2K systems disks with Sysprep, you need to call Microsoft Support for the April 7 version of sysprep.exe, which eliminates the second boot. See Microsoft Support Online article Q259144 (http://support.microsoft.com/support/kb/articles/q259/1/44.asp) for more information.

* USB DRIVER PROBLEMS
A Win2K USB driver bug prevents the driver from recognizing a Plug and Play (PnP) device after you disconnect it and plug it back in. Microsoft Support Online article Q259711 (http://support.microsoft.com/support/kb/articles/q259/7/11.asp) indicates that when you disconnect a USB device, the USB driver doesn't release a handle to the device.

* TIP: MOVE MY COMPUTER ICON FROM DESKTOP TO START MENU
On Windows 2000, you can drag the My Computer icon from the desktop onto the Start menu. This will let you navigate the complete name space including Control Panel, drives, and folders from the Start menu.

Microsoft Office 2000 Automation Help File
Unearthed by Albert Suh http://support.microsoft.com/support/kb/articles/q260/4/10.asp "The Auto2000.exe file contains the Microsoft Office 2000 Automation Help file created by Microsoft Technical Support. This Help file contains Automation theory and has multiple examples that show you how to automate the Office 2000 products (Microsoft Access, Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft Project, and Microsoft Word) as well as Microsoft Binder and Microsoft Graph."

WINDOWS 2000 PRO Q&A: DEVICE MANAGER DOES NOT DISPLAY ALL CURRENTLY INSTALLED DEVICES?
In Windows 2000, Device Manager displays only connected devices, even if you check View/Show hidden devices. You can display ghosted devices (non-Plug and Play devices and devices that are not currently connected)--if you check View/Show hidden devices--by opening a CMD prompt and typing:

    set devmgr_show_nonpresent_devices=1
    cd %SystemRoot%\System32
    start devmgmt.msc

You might need to replace %SystemRoot% with the actual drive and folder of your Win2K install. When you quit Device Manager, the %devmgr_show_nonpresent_devices% environment variable will become undefined, so you need to start Device Manager using the above method to see ghosted devices again. You can also set a global environment variable using Control Panel/System/Advanced/Environment Variables and entering devmgr_show_nonpresent_devices and 1 in the System Variables box, allowing you to start Device Manager normally.

* DNS BUG FIX
When you try to clear Windows 2000's DNS cache, you might receive the error message, "The server cache cannot be cleared. DNS zone already exists in the directory service." If you try to clear the cache from the command line (e.g., using dnscmd /clearcache), you might see the error message, "failed: status = 9718 (0x000025f6)." Microsoft Support Online article Q257828 (http://support.microsoft.com/support/kb/articles/q257/8/28.asp) indicates that you can call Microsoft Support for a new version of dns.exe that correctly purges the cache.

INSTALLING MICROSOFT PROXY SERVER ON WIN2K

Microsoft created an add-on installation file named msp2wizi.exe to let you install Microsoft Proxy Server 2.0 on Windows 2000. The file and installation instructions are available at http://www.microsoft.com/proxy/support/win2kwizard.asp. Msp2wizi.exe is a pre-installation executable patch for the Microsoft Proxy server that lets you install the product. If you try to install Microsoft Proxy Server 2.0 on Win2K without first running this installation file, a warning appears to let you know that Proxy Server 2.0 doesn't work on the Windows version that you're using. If you already have an installation of Microsoft Proxy on your Windows NT Server when you upgrade to Win2K, you're expected to reinstall Microsoft Proxy 2.0 on your Win2K server. Whatever your configuration is, you'll need the msp2wizi.exe file to make Microsoft Proxy Server 2.0 work on your Win2K server. You also need the installation files for Microsoft Proxy Server 2.0, which are available on the BackOffice 4.5 CD-ROM number 3 or the Proxy 2.0 CD-ROM. Here are the steps to follow:

1. Download the installer package (msp2wizi.exe) from the Microsoft Web site via http://www.microsoft.com/proxy/support/win2kwizard.asp.

2. Once you have downloaded the package, begin installation by double-clicking the msp2wizi.exe file. You'll need 16MB of free space to extract the package.

3. To proceed beyond this point, you must agree to the license agreement by clicking Yes.

4. If you have the BackOffice 4.5 CD-ROM in your CD-ROM drive, installation will proceed automatically. Otherwise, you may be prompted to insert the CD-ROM or point to the folder that contains the installation files. After you point to the location of your installation files, click OK. If you receive the error message, "Installation files not found," click OK, which shuts down the installation, and read the installation note that follows.

Note: The executable patch program checks for both the 71.5K setup.exe file and the _mspver.txt file. If you have a Proxy CD-ROM that doesn't include this file, you can fix the problem without calling Microsoft. Just create a text file named _mspver.txt and type the words Microsoft Proxy Server Version 2.0 on the first line of the file. Save and Close the file and be sure to place it in the same directory as your Proxy 2.0 setup.exe file.

Do you have a great tip for using Windows 2000 or Windows NT? Let the UPDATE staff know about it at updatetips@win2000mag.com. We will edit all submissions for style, grammar, length, and technical accuracy. Please include your full name and an email address where other UPDATE readers can reach you.

Patch Available for "Office 2000 UA Control" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-034.asp

"An ActiveX control that ships as part of Office 2000 is incorrectly marked as "safe for scripting". This control, the Office 2000 UA Control, is used by the "Show Me" function in Office Help, and allows Office functions to be scripted. A malicious web site operator could use the control to carry out Office functions on the machine of a user who visited his site. The patch removes all unsafe functionality, with the result that the "Show Me" function will be disabled in Office 2000."

TIP: CONVERTING NTFS PARTITIONS TO NTFS 5.0

Windows 2000 introduces NTFS 5.0, which supports a number of new features. By default, installing Win2K will automatically convert any NTFS 4.0 partitions to NTFS 5.0. Any and all NTFS volumes that Win2K "sees"--including removable media--are automatically converted on the fly when Win2K mounts them. Also by default on server installations (you can override the default using the advanced option button), the boot partition will be upgraded to NTFS--as long as you're not in dual-boot environments.

NT 4.0 Service Pack 4 (SP4) has an updated ntfs.sys that can read NTFS 5.0 partitions, so before you install Win2K, apply this service pack to any NT 4.0 systems that need to read Win2K NTFS 5.0 partitions, including those in a multiboot environment.

TROUBLESHOOTING PROFILE QUOTA PROBLEMS
If you use the Limit Profile Size system policy to restrict the size of your NT user profiles and you have problems with profile management, you might want to install the checked version of the Profile Quota Manager utility, proquota.exe, from the checked build of NT. You can find the file in the \winnt\system32 directory. After you install the checked version of the utility, you must add a value to the Registry's Winlogon key to instruct the utility to generate a log file.

To install the checked version, rename the existing proquota.exe file to proquota.old. Make sure the checked version of proquota.exe matches the version of the OS you're using, and then copy the file to the \winnt\system32 directory on the computer you want to troubleshoot. Open a Registry editor (e.g., regedt32.exe) and go to the Winlogon key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Create a new value, ProquotaDebugLevel:REG_DWORD, assign it a hexadecimal value of 10002, and reboot the machine. The checked build generates a text log file called proquota.log at the root of your C drive that should help you identify your profile problem. Microsoft Support Online article Q259826 (http://support.microsoft.com/support/kb/articles/q259/8/26.asp) describes this technique.

TIP: MAKE MY COMPUTER SHOW CURRENT USERNAME AND MACHINE NAME
This is actually a very old one, but what's new are instructions for how to do it in Win2K.

As you know, each Windows desktop has a My Computer icon. Clicking the icon opens the My Computer folder, displaying available resources such as hard disks, printers, Dialup Networking, scheduled tasks, and mobile device connections. Did you know you can change the folder name to display the locally logged in user's name?

To do so, open Regedt32.exe, navigate to the HKEY_CLASSES_ROOT\CLSID subtree, locate the key named 20D04FE0-3AEA-1069-A2D8-08002B30309D, and follow one of the two instruction sets below, depending on whether you have Windows 2000 or Windows NT 4.0.

For Win2K systems, select and edit LocalizedString. Copy its text contents to a safe location such as Notepad. The contents should be something similar to "@D:\WINNT\system32\shell32.dll,-9216@1033,My Computer" without the quotes. Next, delete the LocalizedString value.

Create a new value with the same name (LocalizedString) with a type of REG_EXPAND_SZ. Paste the saved text into the text field of the newly created value, but edit the string before saving it: replace the text "My Computer" at the end of the string with "%username% on %computername%" without the quotes. For example, a modified string might read @D:\WINNT\system32\shell32.dll,-9216@1033,%username% on %computername%.

For NT 4.0 systems, select the <No Name> item in the right pane and delete it. On the Edit menu, click Add Value, and leave the Value Name blank. Select a Data Type of REG_EXPAND_SZ and in the string box enter "%userName% on %computername%" without the quotes. Now close Regedt32 and refresh the desktop to see the new display caption.

Start Menu and Favorites Not Listed in Alphabetical Order
http://support.microsoft.com/support/kb/articles/Q177/4/82.ASP

"Symptoms: when you view the Start menu and Favorites menu, the shortcuts and folders may not be in alphabetical order and new shortcuts that you create may be added to the bottom of the menu. Cause: this behavior can occur when you rearrange the shortcuts and folders on the Start menu or Favorites menu manually, or when you install a new program. Resolution: use the Registry Editor to delete certain keys (listed here)." NOTE: IE5 users can quickly right-click on a shortcut and choose the 'Sort by Name' option.

* TIP: MICROSOFT'S ONLINE SECURITY PAPERS
Many people still aren't familiar with Windows 2000-related security.

To help get up to speed, Microsoft has made lots of information available online. For example, in one streaming media presentation, Microsoft's Darol Timberlake discusses various Win2K security enhancements, such as Kerberos, the new Encrypting File System (EFS), the IP Security (IPSec) protocol, group policies, and security templates. You can find Timberlake's presentation at the first URL listed below.

In addition, Microsoft's Web site has dozens of papers that give users in-depth information and deployment procedures for Windows 2000 Security Services, including security management using the Microsoft Security Configuration Tool Set and support for IPSec, EFS, public key infrastructure (PKI), smart cards, and Kerberos. You can find this supplemental reading at the second URL listed below.

http://support.microsoft.com/servicedesks/webcasts/wc040600/WC040600.asp?fr=1

http://www.microsoft.com/windows2000/library/technologies/security/default.asp

* WINDOWS 2000 SECURITY: CREATING A CUSTOM PASSWORD-RESET MMC

In a previous part of this file, I explained how to give your Help desk staff the authority to handle forgotten passwords without giving them sweeping administrative privileges. But what if your company wants to delegate password-reset authority, or a similar task, to users other than the Help desk staff? By creating a custom Microsoft Management Console (MMC), you can give designated users a simplified, streamlined interface for handling these resets. Remember that the console only shapes the interface; what those users can actually do is governed by the permissions you delegate in Active Directory, so delegate Reset Password on the relevant OUs and nothing more. In his latest column, the author outlines how to create such a customized MMC.

http://www.ntsecurity.net/go/win2ksec.asp

* TIP: FORCING REPLICATION BETWEEN TWO WIN2K DOMAIN CONTROLLERS IN A SITE (contributed by Windows2000faq.com)

In Windows NT 4.0, you force replication between domain controllers from Server Manager. In Windows 2000, use the following steps:

1. Start the Active Directory (AD) Sites and Services Microsoft Management Console (MMC) snap-in and expand the Sites branch. (The default site, Default-First-Site-Name, might be your only site.)
2. Expand the site that contains the domain controllers.
3. Expand Servers, then expand the server you want to replicate to (the destination).
4. Select that server's NTDS Settings object. The right pane lists one connection object per replication partner; the From Server column names the source.
5. Right-click the connection object for the source server and select Replicate Now. In the confirmation dialog box, click OK.

   The replication is one way: it pulls changes from the source into the server you expanded. For two-way replication, repeat the procedure from the other server's NTDS Settings. The Win2K Support Tools' repadmin.exe does the same from the command line (repadmin /replicate dest_dc source_dc naming_context), which is handier when you're scripting or working over a slow link.

http://windows2000faq.com/Faq.cfm?FaqID=26

Win2K Security Settings on upgrading
When you upgrade a Windows NT system to Windows 2000, the security settings for the new installation come from one of two configuration template files: dwup.inf for Win2K Professional and dsup.inf for Win2K Server. To keep the upgrade from overwriting your custom security settings, modify the appropriate template file with the Security Templates MMC snap-in before you run the upgrade. For step-by-step instructions, visit our Windows 2000 FAQ Web site.

http://www.windows2000faq.com/Faq.cfm?FaqID=1975

* TOPICS FOR EXAM 70-219
To earn the Windows 2000 MCSE, you must pass at least one of three
design exams. These exams differ from most others in that they are
case-study based: each consists of a series of scenarios with several
questions about each scenario. To get a feel for the exam layout, look
at the sample at
http://download.microsoft.com/download/vb50pro/Update/2.0/W9X2K/EN-US/IIT_Demo.EXE.
The most important advice for tackling these exams is to read the
scenario and questions thoroughly. In fact, I recommend reading through
the scenario and all related questions, then rereading the scenario
before attempting to answer a question. On the exam, each scenario is
organized into subject areas that are presented on separate tabs. The
All tab, which contains all the information for the scenario, is very
useful for reading through the entire scenario; it is, in fact, the
only view I use.
Here is a short sample scenario that tests Active Directory (AD)
design issues.

Scenario: Example Cheeses, Ltd., is a leading cheese producer. The
company has asked you to architect the deployment of Active Directory
within Example Cheeses.

Current IT Environment
There are three Windows NT 4.0 domains: RESEARCH, EXAMPLE, and
RESOURCE. The research department has its own domain with two-way trust
to EXAMPLE. The RESOURCE domain holds all resources for the rest of the
company and trusts the EXAMPLE domain.

Office Locations
Example Cheeses has headquarters in Chester and facilities in Leicester
and Gloucester. The facility in Gloucester consists of two adjacent
buildings joined by a wireless network link. In addition, the company
has an R&D office in Lancaster.

Help Desk Supervisor
"Too much time is spent with basic problems. Most users don't deal with
critical data and often forget their passwords, so passwords can't be
too complicated. We reinstall 100 computers every month because
careless users delete critical files."

Chief Technology Officer (CTO)
"The wireless link between the warehouse and office building in
Gloucester is heavily used. Our WAN links are unreliable. I want users
in all offices to be able to log on, even if all out-of-building
connectivity is lost."

Head of R&D
"The R&D department is at the forefront of technology and requires its
own security settings, including lengthy passwords. Also, we administer
ourselves and don't want to be controlled by the administrators in the
main company."

Question 1
How many Active Directory sites should your design call for?

A. 1
B. 2
C. 3
D. 4
E. 5

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9137#Answers.

Question 2
Which final domain model is best suited to Example Cheeses? (Select all
that apply.)

A. Single domain: example.com
B. Two forests: example.com and example-research.com
C. Two domains in one tree: example.com and research.example.com
D. Three domains in one tree: example.com, resource.example.com, and
research.example.com

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9137#Answers
and scroll down to "Answer to Question 2."

Question 3
Which locations should contain Global Catalog (GC) servers? (Select all
that apply.)

A. Chester
B. Gloucester warehouse
C. Gloucester offices
D. Lancaster
E. Leicester

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9137#Answers
and scroll down to "Answer to Question 3."

* TIP: DISABLE THE WINDOWS 2000 SECURE DESKTOP
(Contributed by http://www.windows2000faq.com/)

On June 15, Microsoft released a "Desktop Separation" patch for Windows
2000 that stops software running in a user's session from hooking and
recording desktop I/O, including the user's keystrokes. Without it, a
Trojan that an intruder managed to run on the machine could capture
passwords and other sensitive information this way.
Although the patch works admirably, in some instances it interferes
with other software. If you must disable it, open the Registry Editor
and navigate to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Select New from the Edit menu and add a DWORD value named SecureDesktop
(without the quotes). Set the value to 0 (zero) to disable the
protection; to re-enable it, set the value to 1. Keep in mind that the
setting is machine-wide and removes the protection for every user who
logs on, so treat 0 as a troubleshooting measure: record which machines
carry it and set it back to 1 as soon as the conflicting software is
fixed.

WINDOWS 2000 PRO Q&A: USING SYSTEM FILE CHECKER TO CHECK FOR DAMAGED
FILES
(contributed by Doug Toombs, doug@netarchitect.com)

Q: A few weeks ago, our building experienced some power problems. We
lost power several times throughout the week, causing dozens of
improper shutdowns for all our Windows 2000 Professional systems. This
week, we've noticed strange behavior from a few of the computers--
namely, odd lockups and bluescreens. How can I tell if the power
failure damaged any of the Windows files?

A: Although "act of God" failures will always be a problem for
computers, you're in luck: Win2K Pro includes a new tool called the
System File Checker (SFC). It checks the protected files on your system
for corruption, wrong versions, and missing files, and replaces any
questionable file with a known-good copy.
Launch SFC by running sfc.exe from a Win2K command prompt (you need
administrative rights). You'll see several options; the one you want
here is /SCANNOW, which scans the system immediately. Sfc.exe checks
every protected file on your system (most .sys, .dll, .exe, .ttf, .fon,
and .ocx files). If any protected file is missing, corrupt, or the
wrong version, SFC restores it from the cached copy in
%systemroot%\system32\dllcache or, failing that, prompts for your Win2K
Pro CD-ROM. If this process doesn't correct the problem, your trouble is
probably application specific, and you'll need to reinstall the
affected third-party applications. Good luck!

* IPCONFIG HANGS SERVICES.EXE
The IPconfig command includes two useful switches that you can use to
troubleshoot local name resolution problems. The /displaydns switch
returns the list of all cached DNS names, and the /flushdns switch
clears it. When the cache holds many names and you run ipconfig.exe
with either switch, enumerating the cache entries can hang
services.exe, the process that hosts the DNS Client service along with
the other services in that host, so use these switches on a busy server
with care.

* TIP: DIRECTORY SERVICES CANNOT START

When you start Windows 2000, the screen might be blank, and you might
receive the message "LSASS.EXE - System Error, security accounts
manager initialization failed because of the following error: Directory
Service cannot start. Error status 0xc00002e1. Please click OK to
shutdown this system and reboot into directory services restore mode;
check the event log for more detailed information."
The event log might contain any of the following messages:
Event ID 700 "NTDS (260) online defragmentation is beginning a pass on
database NTDS.DIT."
Event ID 701 stating that the initialization completed successfully.
Event ID 101 "NTDS (260) the database engine stopped."
Event ID 1004 "The directory was shut down successfully."
Event ID 1168 "Error: 1032 (fffffbf8) has occurred (internal ID 4042b).
Please contact Microsoft product support services for assistance."
Event ID 1103 "The Windows directory services database could not be
initialized and returned error 1032. Unrecoverable error, the directory
can't continue."

The problem is that the permissions on the drive root, the NTDS folder,
or the Active Directory (AD) log files have been set too restrictively.
To resolve the problem, restart the domain controller, press F8 during
startup, select Directory Services Restore Mode, and log on as
Administrator with the Directory Services Restore Mode password you set
when you ran Dcpromo (it's separate from the domain Administrator's
password). Make sure that the Administrator and System accounts have
Full Control of the NTDS folder and the AD log files and that the System
account has Full Control of the drive root and of the %SystemRoot%
folder. If you changed the location of the AD database or its log files
during installation, use those paths instead.

WINDOWS 2000 SECURITY: CRACKING USER PASSWORDS IN WIN2K
Because passwords are the fundamental lock on your systems, it's good
practice, provided you have management's written approval, to regularly
assess the quality of your users' passwords and give feedback to users
who select easy-to-guess ones. Without such a program, users will pick
simple passwords such as repeating characters, dictionary words, and
spouses' names. Although you might be familiar with using L0phtCrack on Windows
NT, note that the process has changed with Windows 2000. To learn how
to use L0phtCrack on a Win2K system, read Randy Franklin Smith's latest
Web exclusive column on our Web site.

http://www.ntsecurity.net/go/win2ksec.asp

WINDOWS 2000 PRO Q&A: RECOVERY CONSOLE
Q: I hear people referring to a Recovery Console in Windows 2000, but I
don't see it installed anywhere on my system, and I can't find it in
the Add/Remove Programs. Where is the Recovery Console, and is it
helpful?

A: Microsoft has gone to great lengths to make finding things intuitive
in Win2K, but it fell a bit short on this one. You can run the Recovery
Console by booting your system with the Win2K setup disks or CD-ROM and
following the instructions to run the Recovery Console, or you can pre-
install the console on your system. Personally, I prefer to pre-install
the Recovery Console so that I don't have to hunt for my Win2K CD-ROM
in an emergency. To pre-install the recovery console, run the command

\i386\winnt32.exe /cmdcons

from your Win2K CD-ROM. This approach adds the Recovery Console to your
boot.ini file and lists it as a startup option on your system. Note: If
you're using software mirroring, you must break your mirror before
trying this or the console won't install.
What can you do with the Recovery Console? After you log on with the
local Administrator password, you can copy files onto the system,
disable services or drivers, repair the boot sector, and perform a
number of other command-line tasks. Type HELP at the console prompt to
see the list of commands. Note, however, that by default the Recovery
Console lets you access only the root folder, the %systemroot% folder
and its subfolders, the cmdcons folder, and removable media such as
CD-ROMs, and it won't copy files from the hard disk to a floppy. These
limits are a security policy, not a technical ceiling: the Local
Security Policy options "Recovery Console: Allow floppy copy and access
to all drives and all folders" and "Recovery Console: Allow automatic
administrative logon" relax them, so leave both off on any machine
whose physical access you can't trust. Remember, too, that anyone who
knows the local Administrator password and can reboot the machine gets
this console, which is one more reason to protect that password and the
boot order.

MICROSOFT RELEASES METADIRECTORY SERVICES 2.2
Microsoft has released Microsoft Metadirectory Services (MMS) 2.2. MMS
is a powerful tool that makes it easier for enterprise customers to
manage multiple directories in a heterogeneous directory environment.
The service has the added benefit of simplifying the deployment of
Active Directory (AD). MMS extends the network-management capabilities
of AD across multiple kinds of directories. "If you have an AD
infrastructure and you want to get email addresses or phone numbers
from your Lotus Notes directory into AD, [MMS] does that for you," says
Jackson Shaw, MMS product manager. Thanks to a new feature that enables
real-time synchronization of directory information into AD, MMS 2.2
also makes AD deployment much simpler for customers who have
information about employees, customers, and partners in multiple
directories. Another advantage of MMS 2.2 for enterprise customers is
improved directory-enabled provisioning, whereby administrators can set
up rules to govern synchronization and trigger sets of events. For
example, an administrator might create a record in the Human Resources
(HR) directory for a new employee. MMS can then "notice" that a new
person has been hired and perform automatic services provisioning for
that person, assigning him or her an email address and other resources
that until now administrators had been providing manually. For more
details about MMS 2.2, visit

http://www.microsoft.com/windows2000/guide/server/features/mms.asp

TIP: WINDOWS 2000 SERVER RESOURCE KIT HAS USEFUL TERMINAL SERVICES
UTILITIES

The Windows 2000 Server Resource Kit has the following useful Terminal
Services utilities:
- Appsec--A utility that restricts nonadministrative users' execution
access to a limited set of authorized programs.
- Drive Share--A utility used to share and connect to local drives
during Terminal Services client session initialization.
- File Copy--A utility that provides copy/paste file transfer between a
Terminal Services client session and a local desktop.
- Lsreport--A utility that connects to Terminal Services License
servers and displays information about the license key packs installed
on the servers.
- Lsview--A utility that displays the name and type of currently
available license servers in a domain.
- Roboclient--A Terminal Services capacity-planning tool.
- Simclient--A Terminal Services capacity-planning tool.
- Tsreg--A graphic utility used to change client Registry settings
relating to such functions as bitmap caching and glyph caching.
- Tsver--A utility that allows or disallows client connections based on
the client version.
- Winsta--A utility that monitors Terminal Services client sessions.

* TIP: PATHPING
PATHPING combines two familiar TCP/IP utilities, ping and tracert.
Start it by typing PATHPING at a command prompt, followed by a host name
or IP address such as a Web site or an FTP server. PATHPING resolves the
route first. After it has counted (and identified) the hops between your
system and the remote computer, it pings each device on the route to
find nodes that are dropping packets.
With the defaults (100 queries per hop, one every 250 milliseconds,
that is, 25 seconds per hop; the -q and -p switches change them),
PATHPING measures the packet loss at each step and reports it as a
percentage in a table, with separate columns for loss from the source
to that hop and loss at the hop (node/link) itself. Gathering the data
takes a while because most routes have eight or more hops, but the
information is invaluable when you have connectivity problems with
remote systems: you might find that one router in the path is
overloaded and dropping too many of your packets. Be aware that many
routers rate-limit ICMP addressed to themselves, so loss that appears
at an intermediate hop but not at the hops beyond it is usually the
router protecting its own CPU rather than a problem on the path.
PATHPING is an extremely useful troubleshooting tool.
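PATHPING's table is easy to read by eye for one host but tedious to check across many. The following PowerShell script is an added example, not code from the original article: it parses the per-hop statistics rows and reports the hops whose own loss (the "This Node/Link" column) crosses a threshold. The sample output embedded in the script is constructed to look like a PATHPING run; it is not a captured trace, and the addresses are documentation ranges.

```powershell
# Added example (not from the original article): parse PATHPING's statistics
# table and flag hops that drop packets. The sample below is constructed to
# look like a real PATHPING run; it is not a captured trace.
$samplePathping = @'
Tracing route to www.example.com [203.0.113.10]
over a maximum of 30 hops:
  0  workstation [192.0.2.15]
  1  192.0.2.1
  2  198.51.100.1
  3  203.0.113.10

Computing statistics for 75 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           workstation [192.0.2.15]
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  192.0.2.1
                                0/ 100 =  0%   |
  2   31ms    24/ 100 = 24%    24/ 100 = 24%  198.51.100.1
                                0/ 100 =  0%   |
  3   33ms     0/ 100 =  0%     0/ 100 =  0%  203.0.113.10

Trace complete.
'@

function ConvertFrom-PathpingOutput {
    # Turns each per-hop statistics row into an object. Row layout:
    #   Hop  RTT  Lost/Sent = Pct  Lost/Sent = Pct  Address
    # RTT is "---" when the hop never answered. "Source to Here" is cumulative
    # loss from the source; "This Node/Link" is loss attributed to the hop.
    param([Parameter(Mandatory)][string[]]$Lines)

    $row = '^\s*(?<hop>\d+)\s+(?<rtt>---|\d+ms)\s+' +
           '(?<srcLost>\d+)/\s*(?<srcSent>\d+)\s*=\s*(?<srcPct>\d+)%\s+' +
           '(?<nodeLost>\d+)/\s*(?<nodeSent>\d+)\s*=\s*(?<nodePct>\d+)%\s+' +
           '(?<addr>\S.*?)\s*$'

    foreach ($line in $Lines) {
        if ($line -match $row) {
            $rtt = if ($Matches.rtt -eq '---') { $null } else { [int]($Matches.rtt -replace 'ms$') }
            [pscustomobject]@{
                Hop           = [int]$Matches.hop
                RttMs         = $rtt
                SourceLossPct = [int]$Matches.srcPct
                NodeLossPct   = [int]$Matches.nodePct
                Address       = $Matches.addr
            }
        }
    }
}

function Find-LossyHop {
    # Reports hops whose own loss meets the threshold. Cumulative loss that
    # stays flat after a lossy hop is that hop's loss carried forward, so the
    # per-node column is the one to act on.
    param(
        [Parameter(Mandatory)][object[]]$Hops,
        [int]$ThresholdPct = 5
    )
    $Hops | Where-Object { $_.NodeLossPct -ge $ThresholdPct }
}

# Usage with the constructed sample. Against a live host, replace the first
# line with:  $hops = ConvertFrom-PathpingOutput -Lines (pathping -q 100 www.example.com)
$hops = ConvertFrom-PathpingOutput -Lines ($samplePathping -split "`r?`n")
Find-LossyHop -Hops $hops | Format-Table Hop, RttMs, NodeLossPct, Address -AutoSize
```

On the sample the script reports hop 2 (24% node loss) and nothing else. Hops that answer with "---" and 100% loss in the node column but 0% at the next hop are the ICMP rate-limiting case mentioned above; the script lists them too, so apply the caveat when you read its output.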

TIP: WIN2K SP1 INSTALL GENERATES WFP ERROR MESSAGES

When you install Windows 2000 Service Pack 1 (SP1), your event viewer
may contain many Windows File Protection (WFP) error messages, such as
- The system file c:\winnt\system32\xenroll.dll could not be copied
into the DLL cache. The specific error code is 0x00000000 (The operation
completed successfully.) This file is necessary to maintain system
stability.
- The system file c:\winnt\system32\inetsrv\smtpadm.dll could not be
copied into the DLL cache. The specific error code is 0x00000002 (The
system cannot find the file specified.) This file is necessary to
maintain system stability.
- The system file c:\winnt\system32\gdi32.dll could not be copied into
the DLL cache. The specific error code is 0x800b0100 (No signature was
present in the subject.) This file is necessary to maintain system
stability.
SP1 corrects the problem that triggers these messages, but the updated
sfc.dll for System File Checker (SFC) doesn't take effect until you
restart, so you can ignore errors logged during the service pack
installation. Errors that keep appearing after the reboot aren't this
benign case; run sfc /scannow to verify the protected files.

* THE WINDOWS 2000 NETWORK CONNECTIVITY TESTER
The Win2K Network Connectivity Tester (netdiag.exe), which ships in the
Win2K Support Tools (\support\tools on the Win2K CD-ROM), is a
command-line diagnostic tool. Netdiag.exe helps you isolate networking and
connectivity problems by performing a series of tests to determine the
state of your network client (whether it be on a server or on a
workstation). The tests that netdiag.exe performs expose key network
status information, thereby providing IIS administrators, network
administrators, and support personnel a more direct means of
identifying and isolating network problems. Training users on this
powerful tool is unnecessary because the tool doesn't require that you
specify parameters or switches. Running without requiring parameters
lets you focus on analyzing the output rather than on training users
how to use the tool.
Here are a few Network Connectivity Tester features:
- The tool is command-line executable, which allows for easy
scripting or inclusion in .cmd files.
- The tool gathers static network information and tests the local
machines' network drivers, protocol drivers, send/receive capability,
and well-known target accessibility.
- Netdiag.exe runs on Windows 32-bit OSs (e.g., Win2K, Windows NT
4.0, Windows 9x, Windows Millennium Edition--Windows Me).
- You can use the tool with the Scheduler Service to generate
reports at regularly scheduled intervals.
- The tool receives input and returns output that other applications
and services can leverage.
- Netdiag.exe ships as a Windows Management Instrumentation (WMI)
Source Provider DLL, so software developers can leverage the tool's
power in their applications.


WINDOWS 2000 PRO TIP: INTEGRATE SP1 WITH YOUR WIN2K SOURCE FILES

If you've been working with Windows for a while, you're probably
familiar with the service pack process. As a matter of fact, the most
recent service pack CD-ROM often becomes a standard item on any power
user's tool belt. But carrying around my Windows NT CD-ROM and a
service pack CD-ROM is a hassle. For a long time, my solution was to
burn the \i386 directory from my NT CD-ROM onto a new disk, along with
the service pack installation routines. Then I had one CD-ROM with my
Windows source files and the latest service pack on it. I had to carry
only one CD-ROM, but I still had to run both setup routines.
Microsoft has finally done something that I've been wanting for a
long time: The company has given us a means to integrate a service pack
directly into the Windows source files. This integration capability
will replace all of your source files (in the \i386 directory) with
updated files from the service pack. Therefore, when you install
Windows 2000, you'll automatically get the latest patched version. This
is a great feature and very easy to set up.
First, make a directory on your system for your Windows source
files. Call the directory whatever you want--C:\Win2KPro, for example.
Copy the contents of the \i386 directory from your Win2K Professional
CD-ROM into the directory you created. I recommend using the XCOPY
command with the /e option.
Find the update.exe program for Service Pack 1 (SP1), and run the
following command:

Update.exe -s:C:\Win2KPro

This command updates to SP1 levels all the DLLs, EXEs, and other files
that make up the Win2K Pro OS. Now, if you do a typical installation
from your C:\Win2KPro directory, you'll automatically install SP1 at
the same time.
NOTE: Unlike other service pack upgrades, you can't uninstall a
service pack installed in this manner.

WINDOWS 2000 PRO TIP: REMOTE COMMAND PROMPT VIA WIN2K PRO'S BUILT-IN
TELNET SERVER

One handy feature that Microsoft bundled with Windows 2000 Professional
is a Telnet server. Using it, you can log on to your computer at a
command prompt from any location that has connectivity and a Telnet
client. If your computer sits on a public IP address, you can reach a
command prompt from anywhere in the world, and so can anyone else who
learns or guesses a password, so read the authentication notes below
before you expose it.
By default, the Telnet server doesn't start automatically, because of
the security risks. You can start the service once by typing the
following command at a command prompt:

net start telnet

If you want the Telnet service to start every time, set its startup
type to Automatic in the Services console (right-click My Computer,
Manage, Services and Applications, Services). Your computer is now
ready to accept Telnet logons on TCP port 23.
By default, the server performs NT LAN Manager (NTLM) authentication
to log you on automatically with your current Windows credentials. If
you'll be reaching your Win2K Pro computer from outside your
organization with a client that can't do NTLM, you need to relax this
requirement. Launch the Telnet server administration tool by typing the
following at a command prompt (you must be a member of the local
Administrators group):

tlntadmn

In the menu that appears, choose "Display/Change Registry settings,"
then NTLM. By default this value is 2, which permits only NTLM
authentication. Setting it to 1 makes the server try NTLM first and
then fall back to a username and password prompt; setting it to 0
bypasses NTLM altogether. Understand what you're trading: Telnet
encrypts nothing, so with NTLM set to 0 or 1 a password typed at the
prompt crosses the network in cleartext, and even with NTLM the whole
session (every command and its output) is readable by anyone who can
sniff the path. Restrict who can reach port 23 (a firewall rule or an
IPSec policy that requires authenticated peers), stop the service when
you're done with it, and keep the setting at 2 whenever your clients
support it. After you've configured the system, connect by typing
"telnet <hostname or ip address>" at a command prompt, or from a UNIX
system.
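Before (and after) opening the Telnet server up, it's worth checking in one place whether the service is installed, whether it will come back after a reboot, whether port 23 is actually listening, and which logon mode tlntadmn has left behind. The following PowerShell script is an added example, not code from the original article. Two things in it are assumptions rather than facts stated on this page: the service name "TlntSvr" and the registry key that tlntadmn edits, HKLM\SOFTWARE\Microsoft\TelnetServer\1.0 (value NTLM); it also assumes that an absent value means the documented default of 2.

```powershell
# Added example (not from the original article): audit how exposed the Win2K
# Telnet server is, and put it back to NTLM-only when you're done. Labelled
# assumptions: the service name "TlntSvr" and the key tlntadmn writes.
$TelnetKey = 'HKLM:\SOFTWARE\Microsoft\TelnetServer\1.0'   # assumed path

function Get-TelnetNtlmMode {
    # Reads the NTLM setting and states what someone sniffing the wire gets.
    $item = Get-ItemProperty -Path $TelnetKey -Name NTLM -ErrorAction SilentlyContinue
    $mode = if ($null -eq $item) { 2 } else { [int]$item.NTLM }   # assumed: absent = default of 2
    $risk = switch ($mode) {
        2 { 'NTLM only: logon is challenge/response, but every command and its output is still cleartext' }
        1 { 'NTLM, then cleartext fallback: a non-NTLM client sends the password in the clear' }
        0 { 'Cleartext logon only: the password itself crosses the network readable to any sniffer' }
        default { "unexpected value $mode" }
    }
    [pscustomobject]@{ NtlmMode = $mode; Risk = $risk }
}

function Get-TelnetExposure {
    # One verdict: is the service there, will it return after a reboot,
    # is TCP 23 listening right now, and what does the logon mode give away.
    param([string]$ServiceName = 'TlntSvr')   # assumed service name
    $svc  = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    $ntlm = Get-TelnetNtlmMode
    # netstat rather than Get-NetTCPConnection so the check works on older hosts.
    $listening = [bool](netstat -an -p tcp | Select-String -Pattern ':23\s+\S+\s+LISTENING')
    $state = if ($svc) { $svc.State } else { 'NotInstalled' }
    $start = if ($svc) { $svc.StartMode } else { 'n/a' }
    [pscustomobject]@{
        Service     = $ServiceName
        State       = $state
        StartMode   = $start
        Listening23 = $listening
        NtlmMode    = $ntlm.NtlmMode
        Risk        = $ntlm.Risk
    }
}

function Set-TelnetNtlmOnly {
    # Restores the default, least exposed mode (2). Run from an elevated prompt.
    Set-ItemProperty -Path $TelnetKey -Name NTLM -Value 2 -Type DWord
}

Get-TelnetExposure | Format-List
```

A result of State=Running, StartMode=Auto, Listening23=True and NtlmMode=0 on a machine with a public address is the worst combination this page describes; Set-TelnetNtlmOnly fixes the last item, and the Services console (or Set-Service) the first two.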

TOPICS FOR EXAM 70-216 and 70-217
The following questions cover topics similar to those you'll find on Exam
70-216: Implementing and Administering a Microsoft Windows 2000 Network
Infrastructure and Exam 70-217: Implementing and Administering a
Microsoft Windows 2000 Directory Services Infrastructure.

Question 1
You are the sole administrator of a Windows 2000 network that uses
static IP addresses on all clients. You want to move toward dynamic
allocation, and you plan to install DHCP.
Your network currently uses the private address range
192.168.1.0/24, and you have 240 hosts, of which 10 servers will retain
their fixed IP addresses. Once you have installed the DHCP Server
Service on Win2K, how can you minimize administration while ensuring no
unnecessary network downtime during the migration?

A. Create a DHCP Scope for all of 192.168.1.0/24 with exclusions for
the servers. Configure each client in turn to use DHCP.
B. Create a DHCP Scope for all of 192.168.1.0/8 with exclusions for all
servers currently in use. Delete each server exclusion immediately
after its clients are configured to use DHCP.
C. Create a scope for all of 10.0.0.0/24 on the DHCP Server. Configure
clients to use DHCP. Do not change the IP configuration on any servers.
D. Install RRAS and configure a router to route between 10.0.0.0/24 and
192.168.1.0/24 on the same network adapter. Create a scope for all of
10.0.0.0/24 on the DHCP Server. Configure clients to use DHCP. Do not
change the IP configuration on any servers.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15447#Answers

Question 2
You are the administrator of your company's Windows 2000 domain. You
suspect that there have been attempts to breach security on the
domain's Win2K Professional computers using "brute force" attacks on
the local administrator accounts. Win2K Pro computer accounts reside in
Organizational Units (OUs) according to department. You take the
following actions in the default domain controller's Group Policy
Object (GPO):
- Set the "Account Lockout Threshold" to one invalid logon attempt
- Set the "Reset account lockout after" to 15 minutes
- Set the "Maximum security log size" to 150KB
- Enable "Shut down the computer when the security audit log is full"

These actions help you achieve which of the following goals? (Choose
all that apply.)

A. You can view all security logs from one computer.
B. Individual security logs are prevented from exceeding 150KB on
workstations.
C. Security events are always audited and never lost.
D. At least 10 minutes are required between failed logon attempts.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15447#Answers
and scroll down to "Answer to Question 2."

WHAT THE ACTIVE DIRECTORY, SCHEMA & GLOBAL CATALOG ARE IN A NUTSHELL

The Global Catalog (GC) in Windows 2000 Active Directory (AD) is widely
misunderstood and it's no wonder why: The catalog serves multiple
purposes, has tons of features, and houses dissimilar forms of data. To
understand the GC, you must first understand the concept of a "forest."
A forest is a collection of one or more AD trees organized as peers and
connected by two-way transitive trust relationships between the root
domains of each tree. All trees in a forest share a common schema,
configuration, and GC.
Every domain controller in a forest stores three full, writable
directory partitions:
- Domain directory partition--You might be familiar with the AD
Users and Computers Tool. This Microsoft Management Console (MMC) snap-
in manages the domain directory partition, which mainly contains the
computers, groups, and other objects for a specific Win2K domain.
- Schema directory partition--This partition contains the Schema
container, which stores class and attribute definitions for all
existing and possible AD objects. You can view the contents of the
Schema container in the AD Schema Editor. (If you're an "IIS
Administrator" subscriber, you can learn how to install this tool from
my article "Extending the User Class in the AD Schema," September
2000.)
- Configuration directory partition--This partition stores
configuration objects for the entire forest, such as information about
sites, services, and directory partitions. To view the contents of the
Configuration container, use Active Directory Services Interfaces
(ADSI) Edit, which is part of the Win2K Support Tools.

A GC server is a Win2K domain controller that stores these three
writable directory partitions, as well as a partial, read-only copy of
all other domain directory partitions in the forest. The additional
directory partitions are "partial" because although they collectively
contain every object in the directory, they have a limited set of
specific attributes for each object (the partial attribute set, which
the schema defines). The AD replication system builds and maintains the
GC automatically. AD designates the first domain controller in a forest
as a GC server, although any domain controller can be one: select the
Global Catalog check box in the server's NTDS Settings Properties dialog
box in the AD Sites and Services tool.
All three directory partitions exist on a GC server, whether they
are full or partial partitions, in one directory database (Ntds.dit) on
that server. No separate storage area is necessary for GC attributes:
The Global Catalog Server treats them as additional information in the
domain controller directory database. When you add a new domain to a
forest, AD automatically stores the information about the new domain in
the configuration directory partition, which the GC server (and all
domain controllers) automatically touches through replication of
forest-wide information.
Because the GC stores every object in the forest, software (and
administrators) can use it to locate objects in any domain without a
referral to a different server. When a search request is sent to port
389 (the default Lightweight Directory Access Protocol, LDAP, port for
AD) on a specific domain controller, the search runs against that DC's
one domain directory partition. If the object isn't in that partition
(and isn't in the schema or configuration partitions), the DC returns a
referral to a domain controller in the domain that might hold the
object, based on the distinguished name (DN) in the search request.
Chasing such an LDAP referral means a second connection and a second
search, and it can be very expensive in the time it takes to find what
you're looking for.
When the same search request is sent to port 3268 (the default GC
port) of a GC server, the search covers all the domain partitions in
the forest, so a GC search can return objects in any domain without
generating a referral. The trade-off is that the GC holds only the
partial attribute set for objects from other domains: an attribute that
isn't marked "Replicate this attribute to the Global Catalog" in the
schema comes back empty from port 3268 even when the object is found,
and you must go to a DC of the object's own domain (port 389) to read
it. Used with that in mind, the GC is an extremely powerful tool in a
large company with domains spread over sites all over the world.
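The difference between the two ports is easiest to see by running the same lookup against both. The following PowerShell function is an added example, not code from the original article: it uses the .NET DirectorySearcher against port 389 and then against port 3268 of the same server, with referral chasing turned off so that the port-389 referral case shows up as "not found" instead of a silent second query. The server name, the account name and the attribute list are assumptions; the script needs a domain controller that is also a GC and does not run offline.

```powershell
# Added example (not from the original article): one account lookup against
# a DC's LDAP port (389) and again against the Global Catalog port (3268).
# Server, account and attribute names are assumptions; needs a DC that is a GC.
function Find-AccountInDirectory {
    param(
        [Parameter(Mandatory)][string]$Server,          # assumed, e.g. dc1.example.com
        [Parameter(Mandatory)][string]$SamAccountName,  # assumed, e.g. jdoe
        [switch]$UseGlobalCatalog,
        # Attributes to request; any outside the GC's partial attribute set
        # come back empty from port 3268 even though the object is found.
        [string[]]$Property = @('distinguishedName', 'mail', 'profilePath')
    )
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    if ($UseGlobalCatalog) {
        # Port 3268: the GC's partial replica of every domain. Searching from
        # the forest root DN covers the whole tree with no referrals.
        $port = 3268
        $base = [string]$rootDse.rootDomainNamingContext
    } else {
        # Port 389: only the domain partition this DC holds. Objects elsewhere
        # in the forest come back as referrals, which we deliberately don't chase.
        $port = 389
        $base = [string]$rootDse.defaultNamingContext
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:$port/$base")
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::None
    [void]$searcher.PropertiesToLoad.AddRange($Property)

    foreach ($result in $searcher.FindAll()) {
        # ResultPropertyCollection keys are lower-case; compare accordingly.
        $returned = @($result.Properties.PropertyNames)
        $missing  = @($Property | Where-Object { $returned -notcontains $_.ToLower() })
        [pscustomobject]@{
            Port              = $port
            SearchBase        = $base
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            MissingAttributes = ($missing -join ', ')
        }
    }
}

# Usage (assumed names). An account in a child domain is returned only by the
# second call; an account in this domain is returned by both, but the second
# may list attributes the GC doesn't carry.
Find-AccountInDirectory -Server 'dc1.example.com' -SamAccountName 'jdoe'
Find-AccountInDirectory -Server 'dc1.example.com' -SamAccountName 'jdoe' -UseGlobalCatalog
```

The MissingAttributes column is the practical check for the caveat above: if an attribute your application needs shows up there on the port-3268 result, either add it to the partial attribute set in the Schema snap-in or fetch it from the object's own domain afterwards.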

* TOPICS FOR EXAM 70-216
Exam 70-216, Implementing and Administering a Microsoft Windows 2000
Network Infrastructure (for more questions for Exam 70-216, see the
August 25 Certifiable column,
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15447).
Although Exam 70-216 is an elective for both the Windows NT 4.0 and
Win2K MCSE programs, it focuses strictly on Win2K. If you take Exam 70-
059 as an elective, remember that its objectives relate to how TCP/IP
services work on NT 4.0.
A significant change in Win2K is its integration of DNS and DHCP.
DNS is now the primary means of resolving a human-readable computer
name into a "dotted" IP address; DHCP now allocates those IP addresses
automatically. Because of the increased use of these two services, two
main objectives for Exam 70-216 are "Install, configure, and
troubleshoot DNS" and "Install, configure, and troubleshoot DHCP."
Let's start with two questions about a new feature in Win2K, dynamic
DNS (DDNS). (Note: You can find the answers to all three questions in
the "Microsoft Official Curriculum (MOC)--Course 2153, Implementing a
Microsoft Windows 2000 Network Infrastructure.")

Question 1
Which two events occur in dynamic DNS (DDNS)? (Choose 2)
A. The client computer automatically queries DNS for a dynamic domain
name.
B. The DHCP client automatically updates an A resource record on the
DNS server.
C. The DHCP server obtains a domain or host name for the DHCP client.
D. The DHCP server updates the PTR record in DNS.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15540#Answers

Question 2
How do you configure a Windows 98 computer to use dynamic DNS (DDNS)?
A. Select dynamic DNS updates through the winipcfg utility.
B. Set dynamic updates to "yes" on your DNS zone. Win98 automatically
updates DNS.
C. Upgrade the machine to Windows 2000 Professional.
D. Give the computer the appropriate permissions in Active Directory
(AD).

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15540#Answers
and scroll down to "Answer to Question 2."

Question 3
This question seems simple, but the key is to know why the correct
answers are correct and why they are important. In many cases, if you
don't know the correct answer but you do understand how things work,
you can eliminate obviously wrong choices and have better odds of
determining the correct answer. For this one, after you read the
answer, see whether you can explain to someone why the seemingly
plausible wrong answers are incorrect.

What are three types of scopes available in Windows 2000 DHCP? (Choose
3)
A. Dynamic scopes
B. Scopes
C. Superscopes
D. Multicast scopes
E. Active Directory integrated scopes

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15540#Answers
and scroll down to "Answer to Question 3."

* TIP: HOW DO I CREATE A CAPTIVE ACCOUNT?
You can't create a captive account, but you can force a user to run a
program, and if the user closes that program, the system logs the user
off. The following steps outline how to accomplish this:
1. Create a command file with the following lines:
<name of the program you wish to run>
Logout
2. Create a mandatory profile for the user.
3. Remove all groups from the profile except the Autostart group.
4. Put the file you created in Step 1 in the Autostart group.

The logout.exe program uses the command file above (available at the
FAQ URL below) to log off the user.
You can also restrict a user's access to applications with the
Policy Editor. From the Policy Editor, select which applications a user
can access. Make sure you let users run Windows Explorer or they might
not get a desktop! In addition, Microsoft offers the Zero
Administration Kit (second URL below), which lets the administrator
confine a user to one application or a set of applications. For more
help with restricting user access to the desktop, visit our Web site.
http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=15045
http://www.microsoft.com/windows/zak

AUTOMATE REMOTE ACCESS DIALING WITH RASDIAL

Have you had a situation where you needed to automate some type of
network connection operation--perhaps dialing a remote network,
transferring a file, then disconnecting? I've run into this situation
while developing solutions for clients, but Microsoft's standard
interface for dialing up remote networks is GUI-based and difficult to
automate. Fortunately, Windows 2000 has a helpful command-line utility
called RASDIAL that automatically dials a remote network for you. The
proper syntax for RASDIAL is

RASDIAL <pre-defined ras entry name>

If you've defined a dial-up network connection on your system, you can
use this command to automatically log on, assuming you've saved the
username and password information associated with that dial-up
connection. For example, if you have a dial-up networking connection
called "Earthlink," you simply type "RASDIAL Earthlink" on a command
line to remotely log on to the network. From there, you can build a
batch routine to copy files from one location to another, do an FTP
file transfer, or perform other functions. After you complete your
transactions, disconnect your system with the following command:

RASDIAL <pre-defined ras entry name> /DISCONNECT

WIN2K PROFESSIONAL DOMAIN-CONTROLLER SELECTION
The domain-controller selection process decides which domain controller
a client will use to handle Windows 2000 or Windows NT authentication.
Connection-based problems can occur in NT 4.0 because the NT 4.0
client/server architecture can't account for a physical network's
complexities. To address the shortcomings of NT 4.0's domain-controller
selection process, Microsoft made Win2K Professional's process more
sophisticated than NT 4.0's process. Understanding Win2K Pro's domain-
controller selection process can help you predict your Win2K domain
design's consequences at every network location and troubleshoot client
logon problems. To gain that understanding, read Sean Deuby's article
on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9180

Why don't ALT menu key strokes show?
This tip doesn't involve the registry, but it does change the way your
system looks. You might have noticed that under Win2K, the application
shortcut keys in menus and dialog boxes aren't available. Well,
actually, the shortcuts are there, but you have to press the Alt key to
display them. This is probably not a big problem because most people
who use shortcut keys use them as second nature, without checking the
menu to determine what the key is--except in the case of a new
application with new shortcuts. And stopping to press the Alt key for
the shortcut menu can be somewhat intrusive.

If you want applications to show the navigation keys by default:

1. Open Control Panel.
2. Open the Display applet.
3. Click the Effects tab.
4. Under Visual Effects, deselect "Hide keyboard navigation indicators
until I use the Alt key."
5. Click OK.

HOW CAN I RESTRICT ACTIVE DIRECTORY REPLICATION TRAFFIC TO A SPECIFIC PORT?
By default, Active Directory (AD) replication via remote procedure
calls (RPCs) takes place dynamically over an available port via the RPC
Endpoint Mapper using port 135 (the same port as Microsoft Exchange).
An administrator can override this functionality and specify the port
that all replication traffic passes through. To set a specific port,
perform the following steps:
1. Start a Registry Editor (e.g., regedit.exe)
2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
3. From the Edit menu, select New, then DWORD Value.
4. Enter the name as "TCP/IP Port" without the quotes and press Enter.
5. Double-click TCP/IP Port, set the value to the desired port (select
Decimal first, because the DWORD editor defaults to hexadecimal), and
click OK.
6. Close the Registry Editor and reboot.

* TOPICS FOR EXAM 70-240
The following questions cover topics similar to those you can find on
Exam 70-240: Microsoft Windows 2000 Accelerated Exam for MCPs Certified
on Microsoft Windows NT 4.0. Active Directory (AD) is the most
significant difference between Win2K and NT. If you hope to pass Exam
70-240, you need to thoroughly understand how to design and administer
AD. Whether you can correctly answer scenario-based exam questions
depends on your understanding of how different AD features work and
when and how you should use them.
One tool you can use to manage computers in a Win2K domain is Group
Policies. Although policies are available in NT, Win2K's Group Policies
offer many more options. The following questions will help you
determine whether you understand how to implement policies to manage
computers for an entire enterprise.

Question 1
Which steps must you take to implement Group Policies in Active
Directory (AD)? (Choose two)
A. Create a Group Policy Object (GPO).
B. Create a Group Policy template.
C. Create a Group Policy container.
D. Associate the GPO with the appropriate container.
E. Associate the GPO with the appropriate Group Policy template.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15654#Answers

Question 2
What are the Administrative Template settings for policies?
A. Allow
B. Deny
C. Enabled
D. Disabled
E. Not configured

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15654#Answers
and scroll down to "Answer to Question 2."

Question 3
Which steps should you take to apply a Group Policy in Active Directory
(AD)?
A. Right-click the appropriate container and choose Properties, Group
Policy, Properties, Security, and then select the Allow Group Policy
check box.
B. Right-click the appropriate GPO and choose Properties, Group Policy,
Security, and then select the Allow Group Policy check box.
C. Right-click the appropriate group policy container and choose
Properties, Group Policy, Security, and then select the Allow Group
Policy check box.
D. Open Active Directory Users and Computers and choose Properties,
Group Policy, Security, and then select the Allow Group Policy check
box.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15654#Answers
and scroll down to "Answer to Question 3."

WINDOWS 2000 PRO TIP: REPAIR BROKEN APPLICATIONS WITH THE WINDOWS
INSTALLER

Let's face it--application troubles are an annoying part of today's
computing environment. Applications have grown so complicated that
diagnosing problems quickly is becoming an art. Simply re-installing
the application isn't always the best option, and tracking down buggy
DLL files can take an excessive amount of time, especially if the
product isn't well documented.
Applications based on Windows Installer must be self-repairing. I
haven't taken time to delve into what Microsoft's definition of self-
repairing actually is (never assume too much), but the Windows
Installer service does present some nice command-line options for
trying to repair buggy applications.
At the command prompt, type:

MSIEXEC /fe packagename.msi

MSIEXEC starts the Windows Installer service. The /f switch informs the
Windows Installer service that you want to repair a product. The e
option next to the /f switch tells the Windows Installer service to
reinstall a file if it is missing or if an equal or older version of the
file is installed. A number of options are available for the /f switch,
including:

c - Reinstall if file is missing or the checksum is invalid
a - Force all files to be reinstalled
u - Rewrite all required user-specific entries
m - Rewrite all required computer-specific entries

The packagename.msi file is the .msi file for the application that you
want to repair, such as Office 2000.
You might still have application problems, but with the ability to
easily repair them, you shouldn't have as much of a problem in the
future.

UDMA Hard Drives & Win2K Pro Optimisation
You've upgraded your new system to Win2K Pro and think, "Now I'm
finally going to get top performance out of the Ultra DMA/66 IDE hard
drives I've been using," only to find that your disk performance hasn't
improved. By default, Win2K doesn't enable UDMA/66 support. You need to
add a UDMA 80-pin ribbon connector to the drive (be sure that your
system supports UDMA) and manually enable this support.

1. Open Regedit.
2. Open
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\0000.
3. Open the Edit menu, and select New | DWORD Value.
4. Name the new value EnableUDMA66.
5. Set the data value to 1.
6. Close Regedit and reboot.

Transfer Configurations of OS from one machine to another
Professional are on the way. Then you start to think about the task
you've actually set for yourself. You'll need to configure all those
new machines with the applications that you want, and all your users
will need to back up their data files and perform all those little
personalization tweaks to their desktops that they would have retained
had you just upgraded their Windows NT 4.0 or Windows 9x systems to
Win2K Pro.
But, if the machines are network attached, the task is not as bad as
it sounds, thanks to a handy little utility in the Windows 2000
Resource Kit: the User State Migration Tool (USMT). USMT lets you read
the state of a user's machine and migrate that state and data to a
network server. Then you can move that information to the user's new
machine. The utility won't move applications or DLL files, but it will
move all of the users' settings, application data files, and personal
data files (e.g., address books) to the server storage.
The USMT is actually two scriptable command line utilities:
scanstate.exe, which moves the data from any NT 4.0 or Win9x system to
the server storage; and loadstate.exe, which moves the information from
the server to the target Win2K Pro machine. Text configuration files
control which of each application's files are stored and where they are
written.
You don't need to buy the resource kit to get the tool; you can
download it from Microsoft's Web site.
http://microsoft.com/windows2000/library/resources/reskit/tools/new/usmt-o.asp

WHY ARE MY TERMINAL SERVICES CLIENTS WITH ROAMING PROFILES BEING LOST?

If you use the same roaming profile for a Windows client and a Windows
2000 Server Terminal Services client, the profile might be corrupted
because changes made to the profile from the Windows client overwrite
the Terminal Services profile changes if the Windows client logs off
last, or vice-versa. The same is true for multiple Terminal Services
client sessions that use the same roaming profile concurrently.
Roaming profiles are useful when all desktops in the workplace use
the same applications and settings. However, a Terminal Services client
has a different configuration than that seen on regular Windows-based
desktops, so Microsoft doesn't advise sharing a profile between Terminal
Services clients and standard sessions. To stop the user's Terminal
Services sessions from using the shared profile, follow these steps.

1. Start the MMC Active Directory Users and Computers snap-in (Start,
Programs, Administrative Tools, Active Directory Users and Computers).
2. Select the Users branch.
3. Right-click the user whose profile you want to change, and select
Properties.
4. Select the Terminal Services Profile tab.
5. Remove the User Profile: string.
6. Click OK.

MORE ON WIN2K-NT 4.0 COEXISTENCE
Several issues can crop up when you run a mixed environment of Windows
2000 and Windows NT 4.0 systems in an NT 4.0 domain. After writing
about some of these issues last week, I received a great deal of reader
feedback. This week, I clarify a few issues and happily pass on tips
that readers sent my way. Thanks to all of you for your feedback--keep
it coming.
- Password Problem Follow-up. Last week, I wrote about a problem I
experienced when changing an expired password on a Win2K workstation
that was a member of an NT 4.0 domain. Thanks to the readers who
responded, we now have a solution. To ensure that Win2K users can
successfully change expired passwords for NT 4.0 accounts, you must
disable the “User must logon to change password” option (User Manager
displays this check box when you select the Account option on the
Policies menu). Disabling this feature affects all accounts in the
domain, so I'm not very comfortable with this solution's security
implications. However, I tested the solution, and it works as
advertised.
- Running NT 4.0's User and Server Manager on Win2K. Last week, I
discussed creating a shortcut to User Manager on my Win2K Advanced
Server machine so that I could manage the NT 4.0 domain account
database without walking downstairs. In response, one reader pointed
out that the Windows 2000 Server Resource Kit contains several
utilities you can use to manage NT 4.0 systems from a Win2K desktop.
After installing the resource kit, you'll find a plethora of tools in
the Network Management Tools folder. Although most of the tools run
only from the command line and have unusually cryptic and poorly
documented argument lists, the Win2K versions of User Manager for
Domains and Server Manager have the same GUI that NT 4.0's native
applets employ. I tried both utilities and was pleasantly surprised by
how well they work.
If you prefer to add or modify Win2K or NT 4.0 user accounts from
the command line, check out the Console User Manager utility
(cusrmgr.exe). And while we're on the subject of user accounts, you
might want to try the user status utility usrstat.exe, which displays
the full name and last logon time for each user in a domain. If you
maintain a large NT 4.0 account database, you should pipe this
utility's output to a file.
- Win2K-NT 4.0 Time Synchronization. One reader wrote to say that he
tried to set up an NT 4.0 time server that his Win2K systems could use
for synchronization, but he discovered that the timesrv.exe utility
from the original Windows NT 4.0 Server Resource Kit doesn't support
the Network Time Protocol (NTP) that Win2K systems need. After some
exploration, I discovered that Microsoft has released updates for
w32time and timesrv, the tools you need to successfully set up an NT
4.0 system that operates as an official time server. However, the
updates are hidden in a most unlikely spot: a folder called Y2kfix at
Microsoft's FTP site. You can download the tools and documentation from
ftp.microsoft.com/reskit/y2kfix/x86. Microsoft article Q258059 contains
all the information you need to create an NT 4.0 NTP server.
http://support.microsoft.com/support/kb/articles/q258/0/59.asp

DCPromo Install Errors
DCPromo Fix. If you run dcpromo.exe and it fails, check the Dcpromo
log file for the error message, "The replication system encountered an
internal error."
http://support.microsoft.com/support/kb/articles/q267/8/87.asp

SYMPTOMS
When you run Dcpromo.exe, it may not run successfully, and the following error message may be recorded in the Dcpromo log file: 

The replication system encountered an internal error. 

CAUSE
Dcpromo.exe replication does not succeed and generates an internal error when it replicates a tombstone with a phantom parent. The replication process tries to read the globally unique identifier (GUID) of the parent tombstone to send to the destination, but does not succeed when it finds that the parent is a phantom rather than a live object or tombstone. 

RESOLUTION
A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to computers that are experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp

The English version of this fix should have the following file attributes or later: 
Date Time Version Size File name
-----------------------------------------------------
7/21/00 6:15PM 5.0.2195.2103 906,000 Ntdsa.dll
7/19/00 8:08PM 5.0.2195.2103 378,640 Samsrv.dll 

BREAKING A MIRROR SET (RAID 1) IN WIN2K
Breaking a mirror set (e.g., to extend the set by adding more disks or
to upgrade an existing Windows installation) doesn't result in data
loss; you will have two single volumes with duplicate data. To break a
RAID 1 set, perform the following steps:
1. Start the Microsoft Management Console (MMC) Computer Management
snap-in: (Start, Programs, Administrative Tools, Computer Management).
2. Expand the Storage branch and select Disk Management.
3. Right-click on the mirror volume to be removed and select Break
Mirror from the context menu.
4. Click Yes to the confirmation dialog box.
5. Another dialog box might appear warning you about possible data
loss on the broken mirror. Click Yes to continue.
You will have two volumes. You may want to delete the now-unwanted
ex-mirror to avoid any confusion.

Application Permissions
How can an administrator install applications so that all users who log
on will have permission to use/execute the application? Current
problem: Administrator installed all the software and the software
works fine for administrators and power users; however, the typical
domain user cannot execute the programs.

Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=45130&mc=4

HOW TO SECURE COMMUNICATIONS BETWEEN WINDOWS TERMINAL SERVER AND
THE CLIENT SYSTEMS

Windows 2000 Server's Terminal Services supports three levels of
encryption: low, medium, and high. The default encryption is medium,
which uses a 56-bit key to encrypt traffic flowing between the client
and server. If you have 128-bit encryption capabilities on your systems
(available freely in North America), consider using the high setting,
which encrypts all traffic with a 128-bit key. To learn more about
Terminal Services' encryption capabilities, including step-by-step
instructions about how to adjust the security level, read the FAQ on
our Windows 2000 Magazine Network's Windows 2000 FAQ channel.
http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=15670

SLIPSTREAMING SERVICE PACK 1, A WINDOWS 2000 TECHNOLOGY
SHOWCASE

Microsoft promised several features for Windows 2000 Service Pack 1
(SP1), but none are more promising than an install integration feature
called slipstreaming, which lets system administrators meld the updated
SP1 files into a Win2K install share on a network, giving future
installations of the OS the SP1 update without needing a separate
install. As you'll learn in Paul Thurrott's article on our Supersite
for Windows, the ability to perform an integrated installation, or
slipstream, of Win2K SP1 is a very powerful feature, and yet it's very
easy to use!
http://www.winsupersite.com/showcase/sp1_slipstream.asp

UPDATING ROAMING PROFILES FOR WIN2K AND NT 4.0 CLIENTS
When you set up a user profile in Windows 2000 or Windows NT 4.0, you
typically define a file share that points to the user's profile
directory. If you run a mix of Win2K and NT 4.0 systems, you can store
the profile directories on either a Win2K or an NT 4.0 system. However,
the platforms require different levels of security to perform a
successful profile update. When NT 4.0 updates a user profile, the user
must have Change permission on the profile share; when Win2K updates a
profile, the user must have Full Control on the profile share.
If you don't extend the security on the profile share to give the
user account Full Control, NT 4.0 will successfully update the profile.
However, if the same individual logs on to a Win2K workstation and then
logs off, the Win2K profile update will fail with the error message,
"Windows cannot update your roaming profile. Contact your network
administrator. DETAIL - Access is denied." Microsoft article Q257848
documents this issue.

Copy Windows 2000 to another Partition / Drive / System 

http://www.nic.fi/~point/win2copy.htm

"This page intended for those who know what the Windows Registry, hard disk partitions, drive mappings, and boot loaders are. Cloning an OS installation to multiple workstations is a more simple task than, for instance, connecting a new, bigger hard drive [to the system]. With a brand new drive, you'll probably want to make more flexible system (say, to create additional partitions for secondary OSes, etc.). Although the procedure has been developed by author primarily for MS Windows 2000, it can be used to transfer MS Windows NT installations as well."

WINDOWS 2000 TOPICS
Before we turn to the questions, I want to issue a small correction. In
the September 8 Certifiable column, I implied that Exam 70-216 is a
Windows 2000 MCSE elective, and several readers pointed out that it is,
in fact, a core exam. I was trying to say that you should consider Exam
70-059 a *mandatory* elective for the Windows NT MCSE because of
TCP/IP's pervasiveness. Microsoft plans to retire Exam 70-059 at the
end of the year, but if you're pursuing the NT MCSE, you'll find that
studying for Exam 70-059 will give you a head start in preparing for
Exam 70-216, which focuses on TCP/IP's role in Win2K. I apologize for
any confusion I caused by mentioning Exam 70-216 while discussing NT
MCSE electives.
The following questions test your understanding of disk quotas (a
feature that's new to Win2K), RAID support (a feature whose
functionality has changed from NT), and file permissions on an NTFS
volume's shared folder (a feature whose configuration still plagues
administrators every day). Experienced MCSEs should focus on learning
Win2K's new features and its improvements on NT 4.0 features. However,
some skills, such as setting permissions properly on NTFS and shared
folders, are still job-critical skills that Microsoft considers fair
game for testing. Keep in mind that Microsoft wants to determine
whether NT 4.0 MCSEs remember how to perform critical tasks, and
prepare accordingly.

Question 1
On the D drive of a Windows 2000 server, you have used the Win2K quota
management service to assign 100MB disk quotas to all user folders.
Recently, your backup administrator moved some large files from the C
drive to a user's folder on the D drive. Before the administrator moved
the files, the user's folder contained 80MB of files. However, the
folder now contains 150MB of files. Your backup administrator didn't
report any problems when adding files to the folder, and you're certain
that you configured the quota system correctly to limit user folders to
100MB. Why does the folder contain 150MB of files? (Choose the best
answer.)
A. The user is not the owner of the files you moved.
B. The user's personal directory is exempt from the disk quota.
C. The administrator moved the files from a FAT partition.
D. Files you move from another partition are exempt from the quota.
E. The files are compressed.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15788#Answers

Question 2
When you upgraded from Windows NT Server 4.0 to Windows 2000 Server,
you migrated a mirror set. After several months in service, a disk has
failed. The Disk Management service reports the status of the mirror
set as "Failed Redundancy"; the status of the disk is "online." What
should you do? (Choose two.)
A. Replace the failed basic disk with a dynamic disk and use Repair
Volume.
B. Replace the failed basic disk with another basic disk and use Repair
Volume.
C. If the status doesn't change to "Healthy," replace both disks and
restore from backup.
D. If the status doesn't change to "Healthy," choose "Regenerate
Mirror."

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15788#Answers
and scroll down to "Answer to Question 2."

Question 3
Carlos is a member of the Domain Users and Telemarketing domain global
groups at your company. Department managers are members of the Managers
domain global group and have Full Control access to a shared folder
called Timesheet on your Windows 2000 server. The Telemarketing
department manager is on vacation, and Carlos is in charge of updating
timesheets for the department. Carlos just called to tell you that he
can read files in the Timesheet share, but he can't save changes. You
check the permissions and NTFS security and find the following
configuration:

Timesheet share permissions:
Managers--Full Control
Domain Users--Read

Timesheet security permissions:
Managers--Full Control
Telemarketing--Change
Domain Users--Read

Which of the following steps can you take to enable Carlos to open
timesheet files and save changes while granting him the fewest
permissions? (Choose the best answer.)
A. Give the Telemarketing group Read access to the share.
B. Remove Carlos from the Telemarketing group.
C. Ask Carlos to access the files directly by logging on to your
server.
D. Add Carlos to the Managers group.
E. Remove Carlos from the Domain Users group.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15788#Answers
and scroll down to "Answer to Question 3."
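As an added example (not code from the article), here is a small Python model of how the share permissions and the NTFS permissions in Question 3 combine: within each ACL a user accumulates the permissions of every group he belongs to, and his effective access through the share is the more restrictive of the share result and the NTFS result. The ranking Read < Change < Full Control, the ACLs and the group memberships are constructed from the question; explicit Deny entries and NTFS special permissions are left out of the model.

```python
"""Effective access to a shared folder on an NTFS volume, modelled on the
Timesheet share in Question 3. Added example, not code from the article.

Model (constructed, Deny entries and special permissions ignored):
  - within one ACL, the user gets the highest level any of his groups holds;
  - the share ACL and the NTFS ACL are evaluated separately;
  - effective access through the share is the lower of the two results.
"""

# Permission levels in ascending order of what they allow.
LEVELS = ["None", "Read", "Change", "Full Control"]


def accumulate(acl, groups):
    """Highest Allow level that any of the user's groups holds in one ACL.
    acl maps group name -> level; groups is the user's membership set."""
    granted = [acl[g] for g in groups if g in acl]
    return max(granted, key=LEVELS.index) if granted else "None"


def effective_access(groups, share_acl, ntfs_acl):
    """Access a remote user with these group memberships ends up with when
    opening files through the share: the more restrictive of the two."""
    share_level = accumulate(share_acl, groups)
    ntfs_level = accumulate(ntfs_acl, groups)
    return min(share_level, ntfs_level, key=LEVELS.index)


# ACLs and memberships as listed in Question 3 (constructed input).
SHARE_ACL = {"Managers": "Full Control", "Domain Users": "Read"}
NTFS_ACL = {"Managers": "Full Control", "Telemarketing": "Change",
            "Domain Users": "Read"}
CARLOS = {"Domain Users", "Telemarketing"}


def what_if(label, groups, share_acl=SHARE_ACL, ntfs_acl=NTFS_ACL):
    """Report the effective access for one candidate configuration."""
    level = effective_access(groups, share_acl, ntfs_acl)
    print("%-45s share=%-12s ntfs=%-12s effective=%s" % (
        label, accumulate(share_acl, groups), accumulate(ntfs_acl, groups),
        level))
    return level


def main():
    # Current state: NTFS would allow Change, but the share caps it at Read,
    # which is exactly the symptom Carlos reports.
    what_if("as configured", CARLOS)
    # Removing him from Domain Users takes away his only share permission.
    what_if("removed from Domain Users", {"Telemarketing"})
    # Membership of Managers grants Full Control on both ACLs.
    what_if("added to Managers", CARLOS | {"Managers"})
    # Narrowest change that still lets him save: Change for his own group
    # on the share (not one of the listed options, shown for comparison).
    what_if("Telemarketing gets Change on the share", CARLOS,
            {**SHARE_ACL, "Telemarketing": "Change"})


if __name__ == "__main__":
    main()
```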

NETWORK INFRASTRUCTURE TOPICS
The following questions, which cover related concepts and have
overlapping answers, provide a good example of how you can use
information from one question to narrow the choices in another. If you
don't know the answer to the first question below, for example, you
should find information in question 2 that helps you with the answer to
Question 1. Also, the information you find in Question 2 might help you
answer Question 3 and vice versa. You can use similar tactics on many
certification exams, vastly improving your chances of passing.
This week's questions will help prepare you for the exams that
address designing and planning a network infrastructure. A critical
task for MCSEs in the coming year will be to redesign existing Windows
NT 4.0 domain structures so that users can find information about other
users and network resources more easily. Windows 2000's Active
Directory (AD) can hold a wealth of information, and the primary
challenge for MCSEs will be to design networks so that users can search
AD without overloading a network. As you answer these questions, start
to think about how AD will affect your own network.

Question 1
What special designations does Active Directory (AD) give to domain
controllers? (Choose 2.)
A. PDC
B. Global Catalog (GC) server
C. Master Catalog server
D. Operations Master

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15858#Answers

Question 2
What important functions does a Global Catalog (GC) server perform for
users in Active Directory (AD)? (Choose 2.)
A. A GC server lets a user search the entire forest to find directory
information.
B. A GC server maintains a list of the user's resources.
C. A GC server enables the logon process by providing universal group
membership information to the domain controller.
D. A GC server helps users find services anywhere in the world.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15858#Answers
and scroll down to "Answer to Question 2."

Question 3
As the administrator for XYZ, Inc., what can you do to decrease the
traffic that results from queries to the Global Catalog (GC) across
sites? (Choose the best answer.)
A. Limit GC searches to the local site.
B. Create separate forests so that searches remain local.
C. Create additional GC servers so that the GC is available locally.
D. Create a local catalog so that searches don't cross WAN links.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15858#Answers
and scroll down to "Answer to Question 3."

Win2K Memory & Applications Tip...
Leaping to W2K wasn't too difficult; I was expecting to face more software foibles. MaxMem (one of ANALOGX.COM's killer utilities) was an indispensable add-on for Windows 98. I figured I'd run into the same old memory leaks on this new platform. Check this out: in Windows 2000, you should keep every open app minimized when it's not in use. Why? Because memory allocation minimizes, too. Watch the Task Manager if you don't believe me. 13 MB can drop to 2 MB in a click; that's a GOOD thing. What's really weird: even with all EXPLORER.EXE windows closed, fewer resources are used when one Explorer instance is open and minimized (to the taskbar).

TIP: CHANGING PASSWORDS IN WINDOWS 2000
When Windows 2000 users try to change their passwords, they might see
the error message, "The Password Cannot Be Changed At This Time."
This problem occurs when you haven't defined a minimum password age for
the users' Group Policy. To resolve the matter, configure a minimum
password age of 0 instead of none. For step-by-step instructions,
including screen shots, be sure to visit our Windows 2000 FAQ site.
http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=15757

Synchronize Time On All Servers
Q.
Does anyone know a procedure for synchronizing the time on all my servers? Can the
synchronization be configured to flow down to clients (Windows 2000
Professional and Windows 9x)?

A.
Try TimeServ in the ResKit or net time, or if you'd like to have a professional solution, try 'Domain Time II' (http://www.greyware.com), especially if you also have UNIX boxes in your environment.
Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=69&Thread_ID=47337&mc=5

Stop Personalized Menus Through the Registry
The Personalized Menus in the new Microsoft products can be
infuriating. You can use the following steps to disable them:
To turn off the Windows 2000 Scrolling Program Menu,
1. Go to the Taskbar, Start, Properties.
2. On the Advanced tab, clear the check box for Scroll the Programs
menu.
To turn off the Win2K Personalized Programs Menu,
1. Go to the Taskbar, Start, Properties.
2. On the General tab, clear the check box for Use Personalized Menus.
To turn off Internet Explorer's (IE's) Close Unused Favorites
folders in Win2K, change "yes" to "no" in the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FavIntelliMenus

To turn off the Personalized Menu in Office 2000,
1. Go to Tools, Customize.
2. On the Options tab, clear the check box for "Menus show recently
used commands first."

TIP: HOW TO ENABLE BUS MASTERING (DMA) IN WINDOWS 2000
Direct memory access (DMA) support might not be enabled for all
systems, even though hardware supports it. To make sure that your
system can take advantage of the better-performing DMA support, follow
these steps:
1. Right-click My Computer and select Properties.
2. Select the Hardware tab, then select Device Manager.
3. Expand IDE ATA/ATAPI Controllers.
4. Right-click Primary IDE Channel, then right-click Secondary IDE
Channel (if it is available).
5. Select Advanced Settings.
6. For Device 0 and Device 1 under Transfer Mode, select "DMA if
available." Click OK.
7. Click OK to the main system properties.
8. Click OK to reboot the computer.

Automated Logon for Terminal Services
Q. I'VE ENTERED A PASSWORD FOR A TERMINAL SERVICES CLIENT
CONNECTION. WHY DOES THE SYSTEM CONTINUE TO PROMPT ME?
( contributed by http://www.windows2000faq.com )

By default, a Windows 2000 Server Terminal Services connection always
prompts for a password, even if you've configured one in the connection
logon information. To disable this option, perform the following steps:
1. Start the Microsoft Management Console (MMC) Terminal Services
Configuration snap-in (Start, Programs, Administrative Tools, Terminal
Services Configuration).
2. Right-click the configuration for which you want to disable the
default password setting, and select Properties from the context menu.
3. Select the Logon Settings tab.
4. Clear the "Always prompt for password" check box. Click Apply, click
OK.
5. Close the dialog box. Future connections will no longer force a
password entry, which facilitates automatic logon.

* MORE ON WIN2K-NT 4.0 COEXISTENCE
- Win2K Logon Problems in an NT 4.0 Domain
To ensure that your Windows 2000 systems can successfully log on to a
Windows NT 4.0 domain, you must first perform several setup and
configuration steps. Start by creating a computer account for each new
Win2K system in NT 4.0's Server Manager. You can create the accounts
before installing Win2K or, if you have an administrator account,
during setup. Next, configure Win2K systems with valid addresses for
DNS and WINS servers; otherwise, Win2K systems won't be able to locate
an NT 4.0 domain controller. If you install standalone Win2K servers in
your NT 4.0 domain, be sure that each server has a valid DNS suffix
(Setup doesn't automatically define this field when you install a
standalone Win2K server). Finally, if your Win2K clients also log on to
a Win2K domain, be sure that you check the box that lets Win2K change
the DNS suffix when the domain name changes. To avoid continuous NT 4.0
DNS Event Log messages, disable Win2K's dynamic DNS (DDNS) update
option. Win2K enables this option during setup.
Your Win2K systems might have trouble logging on to an NT 4.0 domain
if you unbind or remove Client for Microsoft Networks or if you run a
third-party DNS server. As with an improper or incomplete TCP/IP
configuration, either or both of these problems can prevent a Win2K
system from locating an NT 4.0 BDC. Symptoms of both these problems
include the following:
- Win2K might display the message, "The specified domain either does
not exist or could not be contacted."
- Pinging the domain controller by name fails, but pinging the
domain controller by IP address succeeds.
- If you issue the command net view \\<domain-controller-name>, you
get your least favorite and most generic error message: "System error
53 has occurred. The network path was not found."

If by some remote chance you have Server Message Block (SMB, also known
as the Common Internet File System--CIFS--protocol) signing enabled on
any of your NT 4.0 domain controllers, Win2K users might have trouble
logging on. If a Win2K user enters an invalid password when SMB signing
is turned on, Win2K responds with the error message "Network name is no
longer available" instead of prompting for the correct password. One
obvious workaround is to have your users enter the correct password the
first time; you can also disable SMB signing on the NT 4.0 domain
controllers. To resolve the problem, call Microsoft Support and ask for
the new version of the NT 4.0 redirector.

- Managing Win2K and NT 4.0 User Profiles
User profile management is a broad subject with a million possible
complications. However, before you get started, you should know a few
things about user profiles and system policies. First, NT 4.0 caches
local profiles in the Profiles directory of the system root. If you
upgrade an NT 4.0 system to Win2K, Win2K maintains this location.
However, if you perform a clean Win2K installation, Win2K stores local
user profiles under their respective usernames in the Documents and
Settings folders on the boot drive. Second, NT 4.0 and Win2K manage
duplicate profiles differently.
http://support.microsoft.com/support/kb/articles/q236/6/21.asp

- File-Sharing Issues
The default permission on all my Win2K volumes is Everyone:Full
Control, and, by default, each top-level directory on the drive
inherits this permission from the volume. Win2K further sets the
default permission for all file shares to Everyone:Full Control. To
ensure a modicum of security, be sure that you set NTFS file permission
appropriately for any directory you want to share, whether it hosts a
user profile, an application, or data.
http://support.microsoft.com/support/kb/articles/q263/0/06.asp

Q. Why has the NT File Replication System (NTFRS) stopped responding?

A. A typical cause for this problem is that the NTFRS's intermediate
storage area, the staging area, is full. The staging area stores data
as it travels between the network drive and the final local
destination. Because data can move faster locally than across the
network, this area's space fills quickly when you replicate large
amounts of data. By default, the system allocates 660MB for the staging
area, but you can increase this value if the staging area volume has
sufficient free space.
Before you make the change, you must determine the hexadecimal value
of the required size in kilobytes. For example, if you need a 1GB
staging area (1,000,000KB), you would perform the following steps to
calculate the hex value:
1. Start calc.exe.
2. From the View menu select Scientific.
3. Set the type to Dec.
4. Enter the number in kilobytes (in this example, 1000000).
5. Set the type to Hex. The number will change to the hex equivalent
(in this example, F4240).
6. Note the hex value.

To increase the staging area's size, perform the following steps:
1. Start regedit.exe.
2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters.
3. Double-click the "Staging Space Limit in KB" value.
4. Change the base to Hex, and enter the value (in this example,
F4240).
5. Click OK.
6. Close regedit.
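The two procedures above (convert the size to hex, then edit the NtFrs Parameters value) can be done without calc.exe. The following Python script is an added example, not part of the original answer: it computes the hex value regedit expects and writes a REGEDIT4-format .reg file that sets "Staging Space Limit in KB", refusing to emit a limit larger than the free space on the staging volume, which is the caveat the answer gives. The key path and value name are the ones quoted above; the free-space figure is an assumed input.

```python
# Added example (not from the original answer): derive the hex value for the
# NTFRS "Staging Space Limit in KB" entry and emit a .reg file that sets it.

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters"
VALUE_NAME = "Staging Space Limit in KB"


def staging_limit_hex(size_kb):
    """Hex equivalent of a KB count, as regedit's Hex base shows it
    (upper case, no leading zeros): 1000000 -> 'F4240'."""
    if size_kb <= 0 or size_kb > 0xFFFFFFFF:
        raise ValueError("a REG_DWORD holds 1..4294967295")
    return format(size_kb, "X")


def reg_file(size_kb, free_kb_on_staging_volume):
    """Text of a .reg file that raises the staging limit to size_kb.

    Refuses a limit the staging volume cannot hold (the answer's caveat).
    free_kb_on_staging_volume is an assumed input, e.g. from a dir listing.
    """
    if size_kb > free_kb_on_staging_volume:
        raise ValueError(
            f"staging volume has only {free_kb_on_staging_volume} KB free"
        )
    # .reg files store a REG_DWORD as "dword:" plus eight lower-case hex digits,
    # so the F4240 regedit shows becomes dword:000f4240 here.
    return (
        "REGEDIT4\n\n"
        f"[{KEY}]\n"
        f'"{VALUE_NAME}"=dword:{size_kb:08x}\n'
    )


def parse_staging_limit(reg_text):
    """Read the limit back out of a .reg file produced above (in KB)."""
    for line in reg_text.splitlines():
        if line.startswith(f'"{VALUE_NAME}"=dword:'):
            return int(line.rsplit(":", 1)[1], 16)
    raise ValueError("value not present")


if __name__ == "__main__":
    # The answer's worked figure: a 1GB (1,000,000KB) staging area.
    print(staging_limit_hex(1000000))  # F4240
    text = reg_file(1000000, free_kb_on_staging_volume=2_000_000)
    print(text)
    print(parse_staging_limit(text), "KB")
```

Import the generated file with regedit (or double-click it) instead of typing the hex by hand; the round-trip parser lets you confirm the value before the NTFRS service is restarted.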

ACTIVE DIRECTORY ADMINISTRATION AND PLANNING TOPICS
This week's questions test your understanding of basic Active Directory
(AD) administration and planning. If you've already upgraded your
Windows NT domains to Windows 2000 domains, you'll find these questions
straightforward. However, if you have yet to upgrade, these questions
will help prepare you to face some common pitfalls.
AD's most significant pitfalls result from its flexible
architecture. As many of us transition to Win2K next year, I believe
we'll find that the rule of thumb is to spend at least as much time
assessing requirements and planning as we spend implementing the plan.
Use the following questions to start thinking about your transition.

Question 1
As the network administrator, you're in the process of migrating your
organization's network to Windows 2000. The network consists of both
Windows NT and Win2K domain controllers. After successfully migrating
your users and groups to the Users container, you decide to reengineer
the organization's existing groups to take advantage of Win2K's new
features. As you begin to make changes to the groups, you find that you
can't nest global groups within other global groups. What prevents you
from doing this?
A. You aren't a member of the enterprise administrators group, and only
members of the enterprise administrators group can nest groups.
B. Group nesting is a special right that an administrator must assign
to you before you can perform that task.
C. The domain must be in native mode before you can nest groups.
D. You must perform group nesting on the Global Catalog (GC) server,
not on just any domain controller.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15922#Answers

Question 2
You are one of five administrators on your organization's Windows 2000
system administration team. You initially migrated your five Windows NT
4.0 domains to Win2K domains but have since collapsed all five into one
of the Win2K domains. However, when you removed the other four domains,
you didn't choose the option that specifies the remaining domain
controller as the last domain controller in the domain, so the system
failed to delete the other four domains. How can you delete the
domains?
A. Use Active Directory Domains and Trusts to remove the domains.
B. Use eseutil to remove the domains.
C. Use ntdsutil to remove the domains.
D. Use Active Directory Users and Computers to remove the domains.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15922#Answers
and scroll down to "Answer to Question 2."

Question 3
As your organization's senior Windows 2000 administrator, you're
responsible for planning and implementing the Active Directory (AD)
site, domain, and organizational unit (OU) structures. You have created
a root domain, mcsejobs.net, and two child domains, America and Europe.
You have also created a second tree, techjobs.com, with child domains
America and Europe. Your organization has just merged with another
company, and the merged company will become mcsejobs.com. How can you
rename the root domain?
A. Install a new domain controller in the new root domain mcsejobs.com
and then reinstall all the other domain controllers in both the root
and child domains and the second tree.
B. Rename the existing root domain controller as the new root domain
mcsejobs.com. Next, rename all the other domain controllers in the root
domain, rename all the domain controllers in the child domains, and
rename the second tree.
C. Create a new DNS zone for the new AD root named mcsejobs.com. Next,
rename the existing root domain controller as the new root domain
mcsejobs.com. Finally, rename all the other domain controllers in the
root domain, rename all the domain controllers in the child domains,
and rename the second tree.
D. Create a new DNS zone for the new AD root named mcsejobs.com. Next,
demote the domain controller acting as the Global Catalog (GC) server
in the root domain and re-promote it to the new root domain.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15922#Answers
and scroll down to "Answer to Question 3."

Simplify administration with these resource kit scripts 
In this Top 10, I present my favorite VBScript utilities that you can find in the Microsoft Windows NT Server 4.0 Resource Kit. These utilities provide useful administrative functions and demonstrate how to use the Web-Based Enterprise Management (WBEM) classes with VBScript. (For another opinion about some of these tools, see Mark Minasi, This Old Resource Kit, page 135.)

10. Addusers.vbs and delusers.vbs use Microsoft Active Directory Service Interfaces (ADSI) to add and delete users based on entries in a Microsoft Excel spreadsheet. Before you run these scripts, you must modify the addusers.xls or delusers.xls spreadsheets so that they contain the correct Directory Service (DS) entry for your server. Then, enter the following command:

addusers.vbs addusers.xls
9. Checkbios.vbs uses WBEM to display information about the system BIOS. You can optionally supply parameters that let the script query a remote system. The following example shows how to run checkbios.vbs on a networked system named remotesystem (using the logon remoteid and the password remotepwd):

cscript checkbios.vbs /s remotesystem /u remoteid /w remotepwd
8. Drives.vbs uses WBEM to display information about the system's physical disks. To check the disks on the current system, enter the following command:

cscript drives.vbs
7. Processor.vbs uses WBEM to display a local or remote system's CPU information. To get the processor information for the networked system named remotesystem (using the logon remoteid and the password remotepwd), enter the following command:

cscript processor.vbs /s remotesystem /u remoteid /w remotepwd
6. Ps.vbs retrieves process information (i.e., process ID, name of the executable program, path to the executable program) for all the current jobs running on the system. To retrieve the list of jobs running on the local system and write them to the file process.txt, enter the following command:

cscript ps.vbs /o process.txt
5. Protocolbinding.vbs displays a local or remote system's network protocol bindings. To run the script for the local system, enter the following command:

cscript protocolbinding.vbs
4. Eventlogmon.vbs uses WBEM to monitor either a local or remote event log. The script writes the record number, log file, source, and time of entry to the screen or an output file. This script runs until you press Ctrl+C (or Ctrl+Break).

cscript eventlogmon.vbs
3. Kill.vbs terminates a running job. First, use ps.vbs to write all the current jobs to an output file. Second, use findstr or grep to process the output file and locate a specific entry. Third, pass the task ID of that entry to the kill.vbs script. The following example shows how to kill the local process with the task ID 278:

cscript kill.vbs /x 278
2. Service.vbs is a powerful remote-administration script that lets you list, start, stop, and install a service on a local or remote system. To list all the services on the local system, enter the following command:

cscript service.vbs
1. Share.vbs uses WBEM to list, create, or delete a machine's shares from a local or remote system. To list all of remotesystem's shares (using the logon remoteid and the password remotepwd), enter the following command:

cscript share.vbs /s remotesystem /u remoteid /w remotepwd

* SCENARIO-BASED TOPICS
In the "old days" (i.e., a couple of years ago), you commonly saw what
I call "What is your favorite color?" type questions on Windows NT
exams. These questions ask you to recall some fact about a product
without regard to the fact's relevance to the real-world skills the
exam is supposed to measure. "What two things must you do before
installing DNS service on a Windows 2000 server?" fits into this
category. Sure, it's useful for you to know the answer, but knowing the
answer doesn't help determine whether you understand why.
The main difference between the Win2K and NT exams is how the exams
measure your skills. Rather than asking you to memorize random pieces
of trivia as if preparing for a game show, Win2K exam questions pose
scenarios similar to what you might encounter in your work environment.
Usually, answering these questions requires you to adapt what you know
about several different parts of the OS. For example, consider this
question: "Joe needs to access the CompanyDirectory.xls file on the
server.mydomain.com\files share. The Domain Users group has Read
permission on that share. Joe tells you that he can't access the file,
but he can see a list of files in the folder. What are possible reasons
for the problem?" This simple version of the scenario question requires
you to remember that all domain accounts are in Domain Users, that
shared folders on NTFS partitions have additional permissions that you
need to check, and that a user's total set of permissions depends on
all his group memberships. All three of these pieces of information
come into play in determining the correct answer, and you can probably
bring in even more information to disqualify the wrong answers.
The difference is that the question doesn't ask you to determine
Joe's effective permissions for the file. Instead, it asks you to apply
what you know to determine the problem's possible cause, which tests
both your problem-solving skills and product knowledge. These exams
don't reward rote fact memorization, and I suspect that is why the
Win2K exams have a reputation of being more difficult than the NT
exams.
As has been the case in previous Certifiable columns, in the
following questions, the trick isn't knowing the correct answer but
knowing why the wrong answers are wrong. The main goal of this new
style of exam question is to determine whether experience has honed
your instincts for finding the correct path to a solution; therefore,
answering scenario questions correctly depends mostly on your ability
to sift out extraneous information. Use the following questions to work
on that skill.
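The reasoning the Joe scenario above calls for (and that the Carlos/Timesheet question earlier in this issue also turns on) is mechanical once you know the rule: a user's share permission is the highest level any of his groups is granted, his NTFS permission is likewise cumulative, and over the network he gets the more restrictive of the two. The following Python model is an added example, not code from the column. The Carlos ACLs are the ones the question lists; the NTFS ACLs for Joe's folder and file are constructed, since the question only states the symptom.

```python
# Added example (not from the column): how Windows 2000 combines share and
# NTFS permissions for a user reaching a share over the network.

# Levels as the column names them, least to most access. (Win2K's NTFS
# dialog calls the middle level "Modify"; the column uses "Change".)
RANK = {"Read": 1, "Change": 2, "Full Control": 3}
LEVEL = {v: k for k, v in RANK.items()}


def cumulative(acl, groups):
    """Highest Allow level granted to any group the user belongs to.
    acl: list of (principal, level) Allow entries. None means no entry
    matched, i.e. no access at all."""
    ranks = [RANK[level] for principal, level in acl if principal in groups]
    return LEVEL[max(ranks)] if ranks else None


def effective(share_acl, ntfs_acl, groups):
    """Network access is the more restrictive of the cumulative share
    permission and the cumulative NTFS permission."""
    s = cumulative(share_acl, groups)
    n = cumulative(ntfs_acl, groups)
    if s is None or n is None:
        return None
    return LEVEL[min(RANK[s], RANK[n])]


# Scenario 1: Carlos and the Timesheet share, exactly as the question lists it.
TIMESHEET_SHARE = [("Managers", "Full Control"), ("Domain Users", "Read")]
TIMESHEET_NTFS = [
    ("Managers", "Full Control"),
    ("Telemarketing", "Change"),
    ("Domain Users", "Read"),
]
CARLOS = {"Domain Users", "Telemarketing"}

# Scenario 2: Joe and CompanyDirectory.xls. Constructed NTFS ACLs: Domain
# Users can read the folder, but the file itself carries an ACE only for
# a Finance group Joe is not in, which reproduces the symptom described.
FILES_SHARE = [("Domain Users", "Read")]
FILES_FOLDER_NTFS = [("Domain Users", "Read"), ("Finance", "Full Control")]
DIRECTORY_XLS_NTFS = [("Finance", "Full Control")]
JOE = {"Domain Users"}


def diagnose():
    """Effective network permission in each scenario."""
    return {
        "carlos_timesheet": effective(TIMESHEET_SHARE, TIMESHEET_NTFS, CARLOS),
        "joe_folder": effective(FILES_SHARE, FILES_FOLDER_NTFS, JOE),
        "joe_file": effective(FILES_SHARE, DIRECTORY_XLS_NTFS, JOE),
    }


if __name__ == "__main__":
    for name, level in diagnose().items():
        print(f"{name}: {level or 'no access'}")
```

Run it and Carlos comes out with Read on the share even though NTFS grants his Telemarketing group Change, which is why he can open timesheets but not save them; Joe can list the folder but gets no access to the file. Explicit Deny entries, which override any Allow, are not modelled here.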

Question 1
You are the administrator of a small contracting company. Your ISP
hosts your Web site and manages the DNS server with the primary zone
for your company. You manage an internal DNS server that holds the
secondary zone records for your company. One day you receive an email
explaining that your ISP is changing the IP address of its DNS server
and that you should reconfigure your servers accordingly. What do you
do?
A. Nothing--all your clients and servers use DHCP and will
automatically get the new DNS addresses.
B. Manually change the TCP/IP configuration to update the DNS server IP
address.
C. Change the records in your secondary zone to reflect the new IP
address of the master server.
D. On the secondary zone's general Properties page, add the new IP
address for the master server and remove the old one.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15959#Answers

Question 2
You are the administrator of a small branch office of a large
corporation. The head office manages the DNS servers. You want to speed
up name resolution for your users who access Internet resources. What
would be the simplest solution?
A. Install a local caching-only DNS server; configure your local DHCP
server scope options to give out the address of the local DNS server;
make the corporate DNS servers forwarding partners.
B. Install a WINS server.
C. Install Windows 2000 Professional on all your users' desktops.
D. Configure a HOSTS file with commonly used server names and IP
addresses and copy this file to each workstation's
%systemroot%\system32\drivers\etc directory.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15959#Answers
and scroll down to "Answer to Question 2."

Question 3
You created a Dfs Root (named XFILES) on your Windows 2000 Server for
your network clients. You named your Dfs Root server xdot3.xcorp.com;
you named its replica xdot4.xcorp.com. Recently, a client on a Win2K
Professional system tried to access a folder named CRYPTO that your Dfs
server publishes, but received an access denied message. The user says
that she is trying to access the folder via the name xcorp\xfiles.
You trace a Dfs link to a Windows 95 system named 95Cryptic sharing the
folder CRYPTO. You then discover that the Win95 system is down. When
you recheck your Dfs configuration, you see that a replica link points
to a Windows NT Server. Which of the following are possible
explanations for the access denied message? (Choose all that apply.)
A. The Win95 system is denying access.
B. The NT Server doesn't recognize the user's account.
C. The client is using the Dfs replica, which is trying to access the
Win95 system only.
D. The NT Server is specifically denying access to the user.
E. A Win95 share can't be linked to from a Dfs Root.

For the correct answer and an explanation, go to
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15959#Answers
and scroll down to "Answer to Question 3."

Hibernation Security Settings

This is an easy one. If you're a notebook user who has been using
Win2K's Hibernation feature, you'll find that the system will recover
from hibernation mode and be right back where you were when you told it
to hibernate, not prompting you for a password. If you want the system
to require a password, follow these steps:

1. Open Settings, Control Panel, Power Options.
2. Click the Advanced tab.
3. In the Options box, click "Prompt for password when computer goes
off standby."
4. If you already get the login screen and would rather not re-enter
your password, clear that setting.

HOW DO I ENABLE NNTP, POP, AND SMTP ON MICROSOFT'S ISA SERVER?

To enable clients to access news servers (Network News Transfer
Protocol--NNTP), POP3, and SMTP through Microsoft's Internet Security and
Acceleration (ISA) Server, you need to create custom packet filters with
the following details:
- NNTP--Custom, Both, Local Fixed Port 119, Remote Fixed Port 119
- POP3--Custom, Both, Local Fixed Port 110, Remote Fixed Port 110
- SMTP--Custom, Both, Local Fixed Port 25, Remote Fixed Port 25

For example, to create an NNTP filter, perform the following steps:
1. Start the ISA Server administration tool (Start, Programs, Microsoft
ISA Server, ISA Administration Tool).
2. Expand Array, Server, Access Policy, IP Packet Filters.
3. Click "Create Packet Filter."
4. Enter a packet filter name (e.g., NNTP Filter), and click Next.
5. Select the server and click Next.
6. Select "Allow packet transmission," and click Next.
7. Select a type of Custom, and click Next.
8. Select
* IP protocol--TCP
* Direction--Both
* Local fixed port--119
* Remote fixed port--119
9. Click Next.
10. Select the IP address to apply the filter to, and click Next.
11. Select "All remote computers" for "IP packet filter to apply to,"
and click Next.
12. Click Finish.

* NT 4.0 AND WIN2K SYSTEM POLICY MODE SETTINGS IN THE REGISTRY
Have you ever defined a system policy, logged on to a system where the
policy should apply, and wondered where the policy settings went?
Apparently, some OEMs are shipping Win2K and NT 4.0 systems with a
registry setting that disables the application of system policy.
http://support.microsoft.com/support/kb/articles/Q168/2/31.asp

* HOW TO RESTORE CONTROL PANEL
Occasionally--and especially after playing with computer and user
policy or Group Policy--Control Panel's .cpl files become corrupted.
The corruption can exhibit many different symptoms, but among the most
obvious are missing Control Panel icons or icons that don't match the
utilities they represent. If things are in really bad shape, your Win2K
or NT 4.0 system hangs when you try to open Control Panel--and when
Control Panel is this corrupted in Win2K, you can't even open it when
you boot in Safe mode.
http://support.microsoft.com/support/kb/articles/Q221/1/53.asp

* TIP: ERROR WHEN ATTEMPTING TO CONNECT TO A WIN2K SERVER USING RAS
If you're connecting with a Windows 2000 server using RAS, you might
see one of the following errors:

For a Windows 2000 client:
Error 913: A Remote Access Client attempted to connect over a port that
was reserved for Routers only.

For a Windows NT 4.0 client:
Error 629: The data link was terminated by the remote machine.

For a Windows 98 client:
Error 645: Dial-Up Networking could not complete the connection to the
server. Check your configuration and try the connection again.

In the server's System event log:
Event ID: 20188
Source: RemoteAccess
Description: The user <UserName>, attempting to connect on port <port>
was disconnected because of the following reason:
A Remote Access Client attempted to connect over a port that was
reserved for Routers only.

The cause might be that you forgot to configure the server's RAS
port to accept remote access connections.
To configure the port:
1. Start the Routing and Remote Access administration tool.
2. Expand the options under your RAS server's name.
3. On the Action menu, click Ports, then Properties.
4. Select the appropriate port (e.g., L2TP, Modem, PPTP, LPT1) and
click Configure.
5. Check the remote access connections (inbound only) box and click OK.
6. Click Apply.
7. Click OK.

Protecting The Built in Admin account on Win2K Prof & Member Servers
Windows 2000's built-in Administrator account needs special protection against attacks because of several idiosyncrasies that Win2K inherited from Windows NT. Each Win2K Professional workstation and Win2K member server (i.e., not a domain controller--DC) has a local SAM database that always contains at least two user accounts: Administrator and Guest. Both of these accounts are potential targets for intruders, and you can't delete either account. Although Win2K disables the Guest account by default, which reduces the associated risk as long as you keep this account disabled, the Administrator account is different. For example, even though you can specify an account lockout policy for the local system using the Local Security Policy Microsoft Management Console (MMC) snap-in, Win2K ignores this policy for the Administrator account. In other words, the Administrator account can't be locked out no matter how many failed logon attempts it receives.

According to Win2K’s Help text, Microsoft made these exceptions so "that you never lock yourself out of the computer by deleting or disabling all the administrative accounts." Although this decision sprang from good intentions for inexperienced or careless users, it leaves serious security administrators who need to harden systems out in the cold. Attackers know that the Administrator account exists; that this account must be enabled; that it is all powerful; and that no matter how long they pound on this account with password guesses, it won’t lock out.

To make matters worse, a Windows NT Server 4.0 Resource Kit tool called Passprop that helps NT administrators strengthen the Administrator account doesn't work on Win2K, and Microsoft hasn't included an updated version of Passprop in the Windows 2000 Resource Kit. In NT, you can use Passprop with the /adminlockout switch to lock out the Administrator account according to the system's lockout policy for network logons; however, the account remains available for interactive logons (at the system's local keyboard and screen). This approach provides a nice balance between security and preventing a completely locked-out system. If you install the NT resource kit on Win2K, you can run Passprop with the /adminlockout switch, but the Administrator account doesn't lock out even though Passprop completes successfully. Even without this tool, you can take several actions to reduce the risks associated with the Administrator account.

Start by creating a hard-to-guess password for the Administrator account, and keep it secret. This tactic might sound obvious, but I've seen several systems with a blank or trivial password for this all-powerful and well-known account, especially on workstations. Many PC rollout technicians aren't properly trained on security issues and frequently neglect to give the Administrator account a password when installing the OS.

Next, you can protect against remote attacks by removing the local Administrator account's "Access this computer from the network" right. To access any native resource (e.g., the file system, registry, SAM, event log, or services) on a Win2K system over the network, the account you connect with must hold this right. Without it, attackers who find the Administrator account and guess its password still can't log on to the system over the network. The easiest way to remove this access is to assign the Administrator account the "Deny access to this computer from the network" right. The deny right takes precedence even if the Administrator account also holds its counterpart, "Access this computer from the network."

As further protection, you can rename the Administrator account to make it more difficult for attackers to find. However, the old hacker tool, RedButton, which reveals the new name of the Administrator account on NT systems, works on Win2K workstations and member servers. RedButton connects to a system anonymously and enumerates all the local user accounts and their corresponding SIDs. RedButton can find the Administrator account, even if you rename it, because the built-in Administrator account’s SID always ends in 500. To defeat RedButton on Win2K, open Local Security Policy and set Additional restrictions for anonymous connections to Do not allow enumeration of SAM accounts and shares, as Figure 1 shows. To defeat RedButton on a Win2K system that belongs to a domain, implement the same setting in a Group Policy Object (GPO) in Active Directory (AD). If you rename the Administrator account, don’t forget to also change the account’s description because this description can tip off an attacker to the account’s real identity.

In addition to renaming the Administrator account, you might want to create a decoy account called Administrator. Don’t give this account any permissions or rights on the system and remove it from the Users group using the Local Groups and Users section of the Computer Management MMC snap-in.

Finally, monitor the system’s local Security log for logon activity involving the Administrator account. I recommend assigning all legitimate administrators their own administrative accounts. By using individual accounts, you don't ever have to use the built-in Administrator account, and you can treat all generic administrative logon attempts as suspicious and investigate them. Failed logon events resulting from a bad password show up in the local system’s Security log as event ID 529 with the built-in Administrator’s account name in the description section of the event. Logon attempts that fail because you deny the Administrator account the right to log on locally show up as event ID 534. You should be even more suspicious of any successful logons for this account (event ID 528) because they likely signify a successful break-in or an administrator who isn’t using his or her own account and is thus breaking policy. In addition, if you create a decoy Administrator account, you should be vigilant in checking for event IDs 528 and 529 for this account as well.

The Administrator account is a well-known and attractive target for attackers and takes some extra effort to protect in Win2K. Don’t forget that good passwords are your first line of defense. If you follow best practice and assign an account to each administrator, you can deny the built-in Administrator account the Access this computer from the network right, which protects you against all but local attacks. You can rename the Administrator account, but make sure you back that measure by disabling anonymous connections so that RedButton doesn't discover the real Administrator account's new name. Finally, create a decoy Administrator account and monitor for event IDs 528, 529, and 534 in connection with both of these accounts.
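The monitoring step above, as an added example that is not part of the original article: a small triage routine over logon events 528, 529, and 534 that identifies the built-in Administrator by its RID 500 (so a renamed account is still recognised) and the decoy by name. Win2K logon events carry the account name rather than its SID, so the script resolves names through a constructed local account list; all names, SIDs and workstation names below are made up.

```python
"""Triage Win2K Security log logon events for the built-in and decoy
Administrator accounts (added example; the sample data is constructed)."""
from collections import Counter

# Event IDs cited in the article (Win2K Security log)
LOGON_SUCCESS = 528           # successful logon
LOGON_BAD_PASSWORD = 529      # unknown user name or bad password
LOGON_TYPE_NOT_GRANTED = 534  # requested logon type not granted to this account
TRACKED_IDS = {LOGON_SUCCESS, LOGON_BAD_PASSWORD, LOGON_TYPE_NOT_GRANTED}

# Constructed local account list (name -> SID), as read from the local SAM.
# The built-in Administrator has been renamed "ops-root" but keeps RID 500;
# the decoy named "Administrator" is an ordinary account with RID 1105.
LOCAL_ACCOUNTS = {
    "ops-root": "S-1-5-21-1000-2000-3000-500",
    "Administrator": "S-1-5-21-1000-2000-3000-1105",
    "jsmith": "S-1-5-21-1000-2000-3000-1201",
}


def is_builtin_admin(sid):
    """The built-in Administrator's SID always ends in RID 500, whatever its name."""
    return sid is not None and sid.rsplit("-", 1)[-1] == "500"


def classify_account(name, accounts=LOCAL_ACCOUNTS, decoy_name="Administrator"):
    """Return 'builtin', 'decoy' or None for the account name found in an event.

    Logon events carry the account name, not its SID, so the name is resolved
    through the account list. A name that does not resolve but matches the
    decoy's name is still treated as the decoy (guessing attempts use the name).
    """
    if is_builtin_admin(accounts.get(name)):
        return "builtin"
    if name.lower() == decoy_name.lower():
        return "decoy"
    return None


def triage(events, accounts=LOCAL_ACCOUNTS):
    """Flag 528/529/534 events that involve the built-in or decoy Administrator.

    events: dicts with keys event_id, user, workstation (fields present in a
    Win2K logon event description). Returns a list of (severity, reason, event).
    """
    findings = []
    for ev in events:
        if ev["event_id"] not in TRACKED_IDS:
            continue
        kind = classify_account(ev["user"], accounts)
        if kind is None:
            continue  # ordinary account: covered by the normal lockout policy
        who = "built-in Administrator" if kind == "builtin" else "decoy Administrator"
        if ev["event_id"] == LOGON_SUCCESS:
            # Nobody should log on with these accounts: a success is either a
            # break-in or an administrator ignoring the per-person account policy.
            findings.append(("high", f"successful logon as {who}", ev))
        elif ev["event_id"] == LOGON_BAD_PASSWORD:
            findings.append(("medium", f"bad password for {who}", ev))
        else:
            findings.append(("medium", f"logon type not granted to {who}", ev))
    return findings


def failures_by_workstation(findings):
    """Count failed attempts per source workstation to spot a guessing run."""
    return Counter(ev["workstation"] for sev, _, ev in findings if sev == "medium")


# Constructed sample: three attempts against the decoy from WKS17, one
# successful logon with the renamed built-in account, and ordinary user noise.
SAMPLE_EVENTS = [
    {"event_id": 529, "user": "Administrator", "workstation": "WKS17"},
    {"event_id": 529, "user": "administrator", "workstation": "WKS17"},
    {"event_id": 534, "user": "Administrator", "workstation": "WKS17"},
    {"event_id": 528, "user": "ops-root", "workstation": "SRV01"},
    {"event_id": 528, "user": "jsmith", "workstation": "WKS04"},
    {"event_id": 529, "user": "jsmith", "workstation": "WKS04"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for severity, reason, ev in results:
        print(f"{severity:6} event {ev['event_id']} from {ev['workstation']}: {reason}")
    print("failures by workstation:", dict(failures_by_workstation(results)))
```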

* IMPORTING AND EXPORTING AD INFORMATION
You can use one of three approaches to Active Directory (AD) data
manipulation. First and most common is using the limited set of
Microsoft Management Console (MMC) tools that Windows 2000 provides. No
Web-based tools ship with Win2K to manipulate AD, but you can download a
Web-based tool called Active Directory Web Administrator, which I wrote
and presented at Microsoft TechEd 2000, from my company's Web site. Go
to 

http://www.interknowlogy.com/resources/support.asp 

and scroll down to
"TechEd (6-411) Windows DNA with Middle Tier Active Directory COM+
Objects." This tool lets you modify user data in AD in a
spreadsheet-like view.
Second, you can write code to manipulate data in AD. Active Directory
Service Interfaces (ADSI) is the most common programming interface, but
it's not for the beginner or faint of heart. Because of the lack of a
sufficient AD toolset in Win2K, many administrators with large AD
installations are using ADSI to write their own tools or are
commissioning companies to do it for them.
Third, you can use a Win2K utility program called ldifde.exe (LDIF
Data Exchange) to perform batch updates to AD. To help facilitate
exchanging data, ldifde.exe uses LDAP Data Interchange Format (LDIF), a
file format standard used for exchanging data with Directory Services
(DSs) such as the Win2K AD. You can use ldifde.exe to
- Export and import data to and from AD (e.g., exporting all the
users of one domain to another domain)
- Add, create, and modify data in AD (e.g., adding new users in batch
format without having to depend on an administrative console)
- Create schema additions in AD (e.g., adding a new attribute such as
favoriteColor to AD schema)

A command-line utility such as ldifde.exe gives you the power to make
potentially massive data updates to AD without having to depend on a
cumbersome tool such as the MMC Active Directory Users and Computers
snap-in, which lets you affect one attribute on one user at a time in a
form-based GUI. Of course, ldifde.exe is much easier to deploy than a
custom solution because you don't have to write code.
Ldifde.exe has a companion called csvde.exe, which uses a Comma
Separated Values (CSV) format instead of an LDIF data format. The power
here is that you can use Microsoft Excel or some other program that
reads .csv files to prepare your data before using the tool to import
it. Both tools use the same command-line parameter formats.
Unfortunately, you can use csvde.exe only for additions to AD, not for
modifications.
Both ldifde.exe and csvde.exe reside in the \winnt\system32
directory; because that directory is "pathed" (i.e., in the DOS search
path), you can run the tools from any folder on your Win2K server. (See
Win2K Online Help for a summary of the command-line parameters.)
As you might guess, the command-line Help isn't enough to get you
started using the ldifde.exe tool. The best reference I've found for
ldifde.exe is the Microsoft article "Using LDIFDE to Import/Export
Directory Objects to the Active Directory" at the following link.

http://support.microsoft.com/support/kb/articles/Q237/6/77.asp
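The batch "add" and "modify" operations described above, as an added example (not from the article or from Microsoft): a generator for an LDIF file that ldifde.exe can import, including the RFC 2849 rule that values containing non-ASCII text, or starting with a space, colon or "<", are written base64-encoded with "::". The OU, domain, user names and the favoriteColor attribute are constructed.

```python
"""Generate an ldifde-importable LDIF batch: user 'add' records plus an
attribute 'modify' record (added example; names and DNs are constructed)."""
import base64


def needs_base64(value):
    """RFC 2849 rule: a value must be base64-encoded (written with '::') if it
    is not printable ASCII, starts with a space, ':' or '<', or ends with a space."""
    if value == "":
        return False
    if value[0] in " :<" or value.endswith(" "):
        return True
    return any(not 32 <= ord(ch) <= 126 for ch in value)


def attr_line(name, value):
    """One 'name: value' line, or 'name:: <base64 of UTF-8>' when needed."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def user_add_record(container_dn, upn_suffix, given, sn, sam):
    """LDIF 'add' record for one user object.

    The account is created disabled (userAccountControl 514 = NORMAL_ACCOUNT +
    ACCOUNTDISABLE): ldifde sets no password over plain LDAP, so enable the
    account only after a password has been set."""
    cn = f"{given} {sn}"
    return "\n".join([
        attr_line("dn", f"CN={cn},{container_dn}"),
        "changetype: add",
        "objectClass: user",
        attr_line("cn", cn),
        attr_line("sAMAccountName", sam),
        attr_line("givenName", given),
        attr_line("sn", sn),
        attr_line("displayName", cn),
        attr_line("userPrincipalName", f"{sam}@{upn_suffix}"),
        "userAccountControl: 514",
    ])


def modify_record(dn, attr, value):
    """LDIF 'modify' record replacing one attribute; the lone '-' closes the change."""
    return "\n".join([
        attr_line("dn", dn),
        "changetype: modify",
        f"replace: {attr}",
        attr_line(attr, value),
        "-",
    ])


def build_ldif(records):
    """Records are separated by a blank line; the file ends with a newline."""
    return "\n\n".join(records) + "\n"


# Constructed input; the OU, domain and the favoriteColor attribute are assumed.
CONTAINER = "OU=Staff,DC=example,DC=com"
NEW_USERS = [("Alice", "Martin", "amartin"), ("Zoë", "Durand", "zdurand")]

if __name__ == "__main__":
    records = [user_add_record(CONTAINER, "example.com", g, s, sam)
               for g, s, sam in NEW_USERS]
    records.append(modify_record(f"CN=Alice Martin,{CONTAINER}", "favoriteColor", "blue"))
    # Save the output as users.ldf and import it with: ldifde -i -f users.ldf
    print(build_ldif(records))
```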

Programs not compatible with Win2K?
Try Win2K's appcompat.exe tool, which lets an otherwise incompatible application run under the Win2K environment.

Show Hidden Programs in Add/Remove Programs
The Add/Remove Programs Control Panel applet is extremely different, for one thing. There aren't as many additional Windows components to be added or subtracted. Or are there? Fly to the INF folder (which should be sitting inside your W2k system folder). Open SYSOC.INF in Notepad and remove all instances of the word 'HIDE' (and be sure to make a backup copy of this file beforehand). The next time the applet is opened, you should see a few more programs waiting to be eliminated -- or brought aboard.

Force A Blue Screen Of Death On Demand!
Windows 2000 includes a feature (as described in Microsoft article
Q244139) that lets you crash the OS to create a memory.dmp file by
holding the right Ctrl key and pressing the Scroll Lock key twice. To
enable this feature, perform the following steps:

1. Start regedit.exe.
2. Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters.
3. From the Edit menu, select New, DWORD.
4. Enter a name of CrashOnCtrlScroll, and press Enter.
5. Double-click the new value and set it to 1.
6. Click OK.
7. Close regedit.
8. Reboot your system.

Now, when you hold the right Ctrl key and press the Scroll Lock key
twice, the system crashes and displays a bug check code of
MANUALLY_INITIATED_CRASH (0xE2). This keystroke combination works in
some situations where Ctrl+Alt+Del has no effect.
http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=16149
http://support.microsoft.com/support/kb/articles/Q244/1/39.asp

* FREE E-BOOK ABOUT WIN2K ADMINISTRATION
Fastlane Technologies and Realtimepublishers.com announced "The
Definitive Guide to Windows 2000 Administration" by Sean Daily and
Darren Mar-Elia, a free e-book published on a chapter-by-chapter basis.
When new chapters are available, you'll receive email notification.
Chapter topics include Windows 2000 Network Administration, Managing
Security, Administrative Scripting, Managing the Distributed File
System, Storage Management, and Remote Access Services. The first
chapter, Managing the Active Directory, is available now. For more
information, contact Realtimepublishers.com,
info@realtimepublishers.com.
http://www.fastlane.com/windows2000admin

WINDOWS 2000 PRO TIP: DISPLAY ADDITIONAL PROPERTIES IN EXPLORER WINDOWS

It never ceases to amaze me what cool little things you can find within
Windows 2000 when you accidentally click something the wrong way in the
wrong place. For example, earlier today I needed to sort one of my
Explorer windows by the date field to find out which files in that
directory had most recently been updated (this works only in the Details
style view). Instead of left-clicking the modified column to sort it, I
accidentally right-clicked it.
I was surprised to find that right-clicking a column in an Explorer
window opens a list of additional fields that you can display. I never
knew that I could customize the columns in my Explorer windows!
Try it yourself: Open an Explorer window (any window will do), and
right-click the column fields. Depending on the type of window you have
open, you'll see a menu of additional fields that you can display
in the detail view. For example, if you're in an Explorer window for
your C:\ directory, right-clicking the column headers shows that you
can display additional fields such as comments, creation date, or
date last accessed. But, the real fun comes when you select the
"More..." option.
Under the "More..." option, you can customize the placement of the
columns by using the Move Up and Move Down buttons or add more fields
such as owner, title, pages, sample rate, frame rate, and even strange
things such as caller-ID (bonus points to whoever can email me and tell
me definitively what that field is actually used for). Just select which
fields you want to use by checking the appropriate boxes.
I added the Pages option to my Details view and noticed that Win2K
can tell me how many pages are in a Word document--sometimes. Some
documents it just couldn't seem to figure out. However, the other
fields--attributes, creation date, owner--are a necessity in my book.
Definitely a helpful addition for a power user.

* TIP: INSTALLING THE RECOVERY CONSOLE ON A MIRRORED SYSTEM DRIVE

Q. How can I install the Recovery Console (RC) on a mirrored system
drive?

A. When you attempt to install the RC locally on a mirrored system
partition (with either basic disks or dynamic disks) using winnt32.exe's
/cmdcons switch, the installation fails with the message "No valid
system partitions were found. Setup cannot continue."
During the RC installation, the system performs the same disk checks
that it performs for a full installation, which also fails on a mirrored
system partition. To work around this problem, you need to break the
mirror, install the RC, then recreate the mirror.
But there is one caveat. In Windows 2000, you can create mirrors only
on dynamic disks. If you have a mirrored volume on a basic disk that was
created in Windows NT 4.0 and you break the mirror, you can recreate it
only if you upgrade to dynamic disks. However, dynamic disks cause
problems if you multiboot with non-Win2K installations. In this case,
you can't install the RC.

Dangerous Services, Part 1

Basic physical security policy for a building calls for eliminating all unnecessary doors and putting locks, guards, or cameras on the rest. For computers, network services are the doorways into a Windows 2000 system, so "eliminate all unnecessary services" is a time-honored commandment for protecting computers. Win2K comes with a lot of services enabled by default, many of which you don’t need. Even if the service doesn’t offer direct access to system resources, it might expose a system to buffer overflow attacks and denial of service (DoS) attacks. Consider disabling vulnerable or unnecessary services on workstations and servers—you’d be surprised at how many times you can access confidential information or impersonate a high-level user simply by breaking into an unsecured workstation. Let’s look at a few of the services common to Win2K that you might consider disabling on your systems.

The Clipbook service. The Clipbook service is an interesting tool that lets you copy and paste the contents of your computer’s clipboard to another. If you want to try out this tool, run clipbrd and look at the Help file. Although this service lets you configure who has remote access to your clipboard, why enable an open target on your system for attackers? Don’t enable this feature unless you need it.

The Computer Browser Service. The Computer Browser service maintains a list of computers and shared resources available on the network and makes this list available to other computers when a user browses the network using tools such as My Network Places. Windows systems that use the Computer Browser service participate in an election process that selects various browser roles. To learn more about this service, look up Computer Browser in the Win2K Help text index. This service exists because Windows NT relies on NetBIOS broadcast name resolution. With Win2K’s move to DNS, the need for the Computer Browser Service is questionable as more and more systems migrate to Win2K. Before you disable the Computer Browser service on servers in your internal network, research Win2K’s Help file. However, you can safely disable this service on workstations and servers exposed to the Internet. So, why should you? First, you can save some system resources and cut down on network traffic by reducing the number of potential browsers. More important, some DoS attacks over the Internet target this service, and that usually means more of these types of attacks will appear. If this service isn’t on your systems, you won’t need to worry about loading any related hotfixes. In effect, you’ve "bricked up" yet another door.

The IIS Admin Service. The IIS Admin Service appears only on systems where you’ve installed Microsoft IIS. According to the description in the Microsoft Management Console services snap-in, this service "allows administration of Web and FTP services through the Internet Information Services snap-in." Enable this service only on Web servers and where administrators manage the system using the MMC interface rather than through a Web browser and the IIS Administration Web site.

The Internet Connection Sharing service. With the Internet Connection Sharing (ICS) service, you can use one Win2K system to connect your home network or small office network to the Internet. This service is one you don’t want to enable on systems that aren’t being used to connect a SOHO LAN to the Internet. If you need to use the ICS service, be sure to read the Microsoft article "Security Features of Internet Connection Sharing."

The Indexing service. The Indexing service provides fast full-text searching of documents by periodically building a catalog of documents on the system. On Win2K Server, this service is a component of IIS, but on Win2K Professional, the Indexing service is a standalone component. Several exploits have been publicized where attackers viewed confidential information through the Indexing service. Unless you need to use this service, disable it.

The Infrared Monitor service. The Infrared Monitor service lets computers and other devices with infrared support communicate with each other and share files. This scenario is a possible way to attack systems, especially laptops, in close proximity. Unless you use infrared regularly for legitimate purposes, such as printing or Personal Digital Assistant (PDA) synchronization, disable this service.

The NetMeeting Remote Desktop Sharing service. The NetMeeting Remote Desktop Sharing service lets users who have proper authorization access your desktop remotely. Sound dangerous? I agree! NetMeeting is compliant with applicable industry standard protocols and has security features for authentication, authorization, and encryption. However, NetMeeting still represents a significant doorway that you must lock and guard if you choose to enable this service. For information on NetMeeting’s security features, see Microsoft’s Web site.

The Remote Registry service. The Remote Registry service makes the registry available to other authorized users on the network. To try this, load regedt32 and click Registry\Select Computer. Disabling the Remote Registry service can make it difficult to administer a system remotely, so you will want to disable this service only on hardened systems exposed to a hostile network. For other systems, you need to keep the Remote Registry service enabled, but make sure you "lock the door." To control who has remote access to the registry through this service, you need to edit the permissions for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key. For more information see Microsoft’s Web site.

The Routing and Remote Access service. Depending on how you’ve configured the Routing and Remote Access Service (RRAS), you can use this service with dial-up connections on the system’s local modem or VPN connections from the Internet to provide remote access to the local system and to the rest of the network. If you are using a legitimate RRAS server, make sure you’ve properly configured this major doorway. Consult the Win2K Help text for a description of RRAS’s security options. Be aware, however, that you can also use this service on Win2K Pro workstations. I’ve seen instances where employees configured RRAS on a workstation so they could dial in from their home PCs to access the Internet through their employer’s firewall and avoid paying for an ISP account. To avoid exposing your company’s network to dial-up attacks, make sure you disable this service on all user workstations. This task can be a chore if you have a lot of users. Thankfully, Group Policy comes to the rescue for configuring services centrally.

Dangerous Services, Part 2


In Part 1 of this article, I described several services in Windows 2000 that open potential doors to attackers or present Denial of Service (DoS) targets. Here, in Part 2, I’ll share some other important tips for keeping your systems secure from network attacks.

The Server service. It's important for users to understand the Server service. Microsoft documents the Server service as simply providing file-and-print sharing, which is true. If you disable this service on a given system, no one can map drives or use printers that connect to that system. But the Server service also provides administrators remote access to other Win2K resources that they manage when using the Microsoft Management Console (MMC), including the event log, and local user and group maintenance. Even if no one has explicitly shared any folders, the Server service automatically creates hidden administrative shares at the root of each volume, such as C$ for the C drive.

Obviously, if you can connect to the Server service, you can do a lot of damage. Ideally, you might want to disable this service on workstations and other hardened servers such as Web servers; however, disabling the Server service makes it impossible to administer these systems from anywhere but the local console. Thankfully, Win2K limits access, by default, to these resources to Domain Admins and the local Administrator account in that system’s local SAM. If you assume that Domain Admins are protected by quality passwords and an appropriate account lockout policy, then all that remains is protecting the local Administrator account, which I describe how to do in "Protecting the Administrator Account".

The Simple TCP/IP services. Simple TCP/IP services provide seldom-used services from the UNIX world, such as Character Generator, Daytime, Discard, Echo, and Quote of the Day. This component of Networking Services does not install by default, and because DoS attacks already exist that target Simple TCP/IP services in Win2K, I recommend that you don’t install these services.

The SMTP service. The SMTP service makes your system an SMTP server. Running SMTP on a system exposes you to DoS attacks, arbitrary code attacks, and attackers who try to use your server as a way point for spoofed email. Carefully determine whether your system really needs SMTP. The only time Win2K might require SMTP is for domain controllers (DC). SMTP is an optional transport used for replicating information between DCs. Win2K installs SMTP by default when you promote a server to DC status. Unless you explicitly configure the DC for SMTP replication, you can disable the SMTP service.

The FTP Publishing service. I consider the FTP Publishing service (a component of Microsoft IIS) to be dangerous. FTP makes your local file system available to other systems on the network with all the potential exposures this protocol brings with it. Native Win2K features, such as DC functionality, don't require FTP. Unless you have clients that require FTP or other applications that need to send files using FTP (such as those that communicate with UNIX systems), I recommend that you disable this service. I also encourage you to disable the Network News Transfer Protocol (NNTP) service (another IIS component); you need to enable NNTP only for hosting a discussion site on the Internet or for doing the same on your intranet.

The Telnet service. The Telnet service is another dangerous service. Telnet provides remote command-line access. If attackers use Telnet to break into your system, they can run arbitrary commands according to their authority. Because you can administer the system using the MMC or scripts, you typically don’t need Telnet on a Win2K system.

The Task Scheduler service. The Task Scheduler service lets you schedule commands to run in the future in the background. Using the AT command or Task Scheduler, you can schedule jobs on remote systems. However, the Server service provides remote access to the Task Scheduler and limits access to administrators. The protection measures for the Server service also provide protection for remote tasks, so enabling the Task Scheduler service doesn’t significantly increase your risk to remote attacks.

The Terminal service. The Terminal service uses thin-client technology to provide remote access to your server’s desktop—in effect, making it as though a user at another workstation were sitting at the server’s console. The Terminal service is a powerful tool for both remote administration and for reaping the benefits of delivering applications in a thin-client environment. However, consider the door you are opening with this service—full console access from a remote system. As with any service, if you aren’t using it, disable it. If you need the Terminal service, be sure to read up on its many security features so you can properly secure this door.

The Windows Media services. The Windows Media services let you deliver streaming video and audio to intranet or Internet clients. These services, like many others, have already been the victim of DoS attacks. Remember, any service accepting incoming connections is a potential target for DoS and buffer overflow attacks; a successful buffer overflow can give the perpetrator the ability to run arbitrary code with administrator authority.

The World Wide Web Publishing service. As the name suggests, the World Wide Web Publishing service makes your system an HTTP Web server. Several Win2K features, including Certificate Services, require this principal component. Unfortunately, this service is probably the source for 50 percent of Win2K server exploits that the Windows IT Security Web site alerts you to each week. The issue is not that the Web service in Win2K is weaker than other areas; it's just that the Web service receives more attention from hackers. Because you can’t disable the World Wide Web Publishing service on every system, you can protect yourself using two approaches. First, separate server roles. Don’t combine Web server responsibilities on the same server that handles other tasks, such as a file server or application server (e.g., Oracle, SAP, PeopleSoft). If someone breaks into one of your servers using the World Wide Web Publishing service, they’ll probably be able to access other information on that server as well. Make sure you never use an internal DC as a public Web server. Otherwise, if attackers compromise your Web site, they'll get the users, applications, and resources in your internal domain. Second, for those systems where you can’t disable the World Wide Web Publishing service, make sure you stay up-to-date with service packs, hotfixes, and other countermeasures. Just check the Windows IT Security Web site regularly, and subscribe to Microsoft's security alert service.

As you can see, many doorways exist for accessing a Win2K system from the Internet. The doorways I've discussed in this series of articles are by no means all of them. To harden systems exposed to a hostile network, don’t try to identify and disable only risky services. Instead, disable everything you can. Each service you disable is one less drain on resources, one less target for attackers, and one less component that you must configure for security and keep up-to-date with security patches. Next time, I’ll show you how to manage services centrally using the Security Settings portion of Group Policy.

FOCUS: AD BUILDING BLOCKS
In the September issue of Windows 2000 Magazine, we focus on building
your Active Directory (AD) infrastructure. We help you decide how many
domains you need and what your site topology should be, and we show you
the AD Sizer tool so you can determine the domain controller hardware
your AD design requires. We identify Win2K network components you need
to monitor and tell you which features to look for in a monitoring tool.
We cover the AD Delegation of Control Wizard so you can leverage Win2K's
ability to delegate your enterprise's management and support tasks.
Finally, we show you how to build and test a large AD.

* Planning for Active Directory
Ready to roll out your company's AD infrastructure? Think again about
how many domains you need and what your site topology should be.
--Darren Mar-Elia
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9643

* Monitoring Your AD-Enabled Network
Identify the Win2K network components that you need to monitor and the
features you should look for in a monitoring and management tool.
--Sean Daily
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9645

* The Active Directory Delegation of Control Wizard
Successfully leverage Win2K's ability to safely delegate routine
management and support tasks throughout your enterprise.
--Paula Sharick
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9646

* Who Wants a 100-Million-Entry AD?
You might not want a large AD, but if you must build one, learn how from
a couple of people who've done it.
--Tony Redmond
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9647

* Configure a Win2K VPN
Follow these step-by-step guidelines to set up a secure Internet channel
between two locations.
--Douglas Toombs
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9650

* Scripting Solutions: Easy Active Directory Scripting for Systems
Administrators, Part 1
Learn basic AD and Active Directory Service Interfaces (ADSI)
terminology and put ADSI to work in a sample script.
--Bob Wells
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9168

* Top 10: New Resource Kit Utilities
Check out 10 useful Windows 2000 Professional Resource Kit Management
utilities.
--Michael Otey
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9674


TOOLKIT
* Windows 2000 Pro: 8 Common Questions
Get answers to frequently asked questions about Win2K Pro compatibility,
upgrades, system requirements, and dual-booting.
--John D. Ruley
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9671

* Inside Out: Active Directory Oddities
As people begin to use AD, they're finding some gotchas.
--Mark Minasi
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=9672


FEATURES
* Changing Passwords over the Web
Examine how ADSI lets users change their passwords through a Web
interface.
--Ken Spencer
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=16225

* WINDOWS 2000 PRO TOOLS: NEW VERSION OF TWEAKUI

For those of you who use TweakUI, Microsoft's handy little UI utility,
but now find the earlier version of TweakUI (version 1.1) incompatible
on computers running Windows 2000, Windows Millennium Edition (Windows
Me), or Windows 98, help is here. Microsoft has an updated version of
the utility that runs on these OSs. For those who haven't tried TweakUI,
I highly recommend it. It's full of great little utilities such as Logon
Automatically at system startup, Covering your tracks, Repairing your
icons, Limiting which applets appear in Control Panel, and more. You can
download the TweakUI 1.33 update from the following URL.
http://www.microsoft.com/ntworkstation/downloads/PowerToys/Networking/NTTweakUI.asp

Windows 2000 Security / Randy Franklin Smith / January 4, 2001
Dangerous Services, Part 3

In Part 1 and Part 2 of this article, I described several services in Windows 2000 that open potential doors to attackers or present Denial of Service (DoS) targets. Here, in Part 3, I'll show you how to use Group Policy to centrally control services on all the computers in your domain. I'll also share some tips about Group Policy security settings that you might want to use to keep your systems secure from network attacks.

You can use a Group Policy Object (GPO) to set the startup mode and ACL for services by defining settings in Computer Configuration, Windows Settings, Security Settings, System Services, as Figure 1 shows. You can configure a service to start automatically with each system boot, or you can set a service to manual startup mode, which waits for the administrator to start the service from the Microsoft Management Console (MMC) Services snap-in. Win2K also starts a service configured for manual startup if another service that depends on it starts. You can view the dependencies for each service in the Services snap-in by double-clicking the service and selecting the Dependencies tab. However, if you disable a service that you decide might be a security risk, Win2K lets you start the service only if you first switch to manual or automatic startup mode.

A service's ACL specifies who can start, stop, and change the service. As with everything in Win2K, you can delegate authority over services to nonadministrators. For instance, you might have a SQL Server operator who needs to start and stop the SQL service on several computers. In Windows NT, you had to make the SQL Server operator a member of the Administrators group. In Win2K, you can grant the operator Start, Stop, and Read access to the SQL Server service in a GPO that you apply to all computers. For each computer with SQL Server, Win2K adjusts the permissions on the service as you’ve configured them.

The first time you edit a newly created GPO and look in Computer Configuration, Windows Settings, Security Settings, System Services, you see a list of services. The startup and permissions columns read "Not defined" for each service. The services listed in the GPO are based on the services you’ve installed on the local workstation where you logged on, so the services listed might vary depending on which computer you log on to when you edit the GPO. This approach might cause problems. For instance, if you are at your workstation trying to create a GPO that disables the Simple TCP/IP Services service and you don't have the Simple TCP/IP Services service installed on your computer, this service won’t appear in the list. The simplest way to add this service is to log on as a domain administrator to a computer running the Simple TCP/IP Services service, edit the GPO, and disable this service. Then, you can close the GPO, log out, go back to your workstation, and edit the GPO from there. When you look under System Services, you should see the new service; however, it might not have the full name that you saw on the other computer. In the case of Simple TCP/IP Services, you will only see SimpleTcp because Group Policy stores only the comparatively short service name. However, when you edit the System Services section of a GPO, Win2K looks at the actual services installed on the local computer (specified in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services) and tries to translate the service name into the service’s longer display name. If the service isn’t installed, Win2K displays the service’s name as stored in Group Policy.

When you configure either the startup mode or the ACL of a service in Group Policy, you must configure the other as well. In other words, when you configure the startup mode of Simple TCP/IP Services in a GPO, that GPO also modifies the service’s ACL. This interaction is important because the default ACL on services in a GPO grants Full Control to Everyone for the service. If you disable a dangerous service but leave the ACL at its default, you are vulnerable to anyone who starts the service. Therefore, whenever you disable a potentially dangerous service in a GPO, you should also tighten the ACL: change the default service ACL from granting Everyone Full Control to granting Administrators and SYSTEM Full Control and granting Authenticated Users Read access only.
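The same change (service disabled, default Everyone Full Control replaced) can be written as a Win2K security template and imported into the GPO's Security Settings node (right-click Security Settings, Import Policy). This is an added example, not from the article; the SDDL strings are assumed to match the ACL editor's Full Control and Read presets, MSSQLServer is the assumed service name for the SQL Server operator scenario, and the operator group SID is a placeholder.

```ini
; Added example: security template for the System Services section of a GPO.
; Import it into Computer Configuration\Windows Settings\Security Settings.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
; Format: ShortServiceName,StartupMode,SecurityDescriptor
;   StartupMode: 2 = Automatic, 3 = Manual, 4 = Disabled
; Service rights inside the SDDL string:
;   CC query config, DC change config, LC query status, SW enumerate
;   dependents, RP start, WP stop, DT pause/continue, LO interrogate,
;   CR user-defined control, SD delete, RC read permissions,
;   WD change permissions, WO take ownership
; Trustees: BA = Administrators, SY = SYSTEM, AU = Authenticated Users,
;   WD = Everyone
;
; Weak: disabled, but the default ACL still lets Everyone (WD) start it.
; SimpleTcp,4,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;
; Hardened: disabled, Administrators and SYSTEM Full Control,
; Authenticated Users Read only (assumed to equal the Read preset).
SimpleTcp,4,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;AU)"
;
; SQL Server operator scenario: service stays Automatic; a domain group
; (placeholder SID) gets Read plus Start (RP) and Stop (WP), nothing more.
MSSQLServer,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-<domain>-<rid-of-SQLOperators>)"
```

After the GPO applies, check a target computer with the Services snap-in or Security Configuration and Analysis to confirm that the startup mode and ACL both changed, since the two settings are always written together.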

Consider the various types of computers in your domain including workstations, file servers, domain controllers (DCs), and other types of servers. As I discussed in Parts 1 and 2 of this series, you typically need to disable different services on each type of computer. To disable these services, you need to create a different GPO for each type of computer and disable the appropriate services in each GPO. You have two options for controlling which computers each GPO applies to. First, you can use organizational units (OUs) to control how Win2K applies Group Policy. For instance, if you have created a Workstations OU and put all your workstations into it, open Active Directory Users and Computers, select the Group Policy tab from the Workstations OU Properties dialog box, and disable the appropriate services.

You should be aware that some computers aren’t arranged into different OUs according to the type of computer; instead, they might be divided according to geographical or departmental OUs. In this case, you need to use the GPO’s ACL and a Security Group to control which computers receive changes from the GPO. Create a new Security Group in Active Directory Users and Computers called Workstations. Don’t put any users in this group; instead, add all the workstations in the domain as members in this group. Next, right-click the root of the domain and select Properties. Click the Group Policy tab and create a new GPO called "Services Disabled on Workstations," as Figure 2 shows. Edit the GPO, disable the appropriate services, and close the GPO. Back at the OU’s dialog box, select the Group Policy tab from the Workstations OU Properties dialog box you just edited, and click the Properties button to display the Properties dialog box for this GPO. Select the Security tab, and remove the entry that grants Authenticated Users Read and Apply Group Policy access. Add a new entry that grants the Workstations group Read and Apply Group Policy access, as Figure 3 shows. Click OK, and close the Properties dialog boxes for the GPO and domain. Now only computers that are members of the Workstations group will apply the changes in the "Services Disabled on Workstations" GPO, regardless of your domain’s OU structure. The only downside to this method is that you must keep the Workstations group and other groups of computers up-to-date when you install new computers.

Q. How do I back up and restore the Dfs structure on a Windows 2000
server?

A. Dfs does for network shares what file systems do for hard disks.
Using Dfs, you can create a directory tree that provides a single point
of access to a group of network shares. However, even though the shares
themselves may be physically located on remote systems, it's still
important to back up the structure itself.
To back up the Dfs volume structure, follow these steps:
1. Open a Command prompt.
2. Type

DFSCMD /VIEW \\DFSSERVERNAME\DFSSHARE /BATCH >> <path>\<Output_File_Name>.bat

This creates a batch file that can later be used to restore the Dfs
structure.

To restore the Dfs structure, follow these steps:
1. Go to Administrative Tools/Distributed File System.
2. On the Action menu, select New DFS Root.
3. Click Next and select the proper type of Dfs root.
4. Select the server that will host the Dfs root. Click Next.
5. Select the share that will become the Dfs Root Share. Click Next.
6. Type a comment. Click Next.
7. Click Finish to create the new Dfs root.
8. Run the batch file, <path>\<Output_File_Name>.bat, from step 2 of the
backup procedure.
9. Verify that the structure has been properly created.

Windows 2000 Performance Tuning 
http://microsoft.com/technet/win2000/win2ksrv/technote/perftune.asp 

"This white paper provides information on how to tune the Microsoft® Windows® 2000 operating system to achieve optimal performance. It also provides useful information on how to test the performance capabilities of Windows 2000; presents data generated using various servers and industry benchmarks that show the performance capabilities of Windows 2000 when running in an optimized environment; and, finally, shows how to use the integrated performance monitoring tools in Windows 2000 to eliminate potential bottlenecks." 

* WIN2K COMPUTER NAME CONFUSION
Are you planning to upgrade Windows NT systems with all-numeric computer
names to Windows 2000? If so, read on for an explanation of a potential
computer-name confusion issue. Although NT permits all-numeric computer
names, Win2K does not. However, for compatibility reasons, Win2K
maintains the all-numeric computer name when you upgrade a machine from
NT to Win2K.

Password Protected Screensavers and Auto-Lock Computer
I discovered that if you tick off Password Enabled for a screen saver, it works entirely differently to ALL other OSs...what happens is the screen saver engages, and when you move the mouse pointer - it has LOCKED the workstation...!!! Like doing Control+Alt+Delete, and Lock Computer...which means it's no longer possible to put a password on the screen saver that's different to your login password!

STOP USERS FROM CHANGING THE MY DOCUMENTS PATH

If users right-click the My Documents icon on their desktops and click
Properties, the Target tab lets them change the path of this folder. If
you want to remove this possibility, you can use the Prohibit user from
changing My Documents path group policy, User
Configuration\AdministrativeTemplates\Desktop. If the policy is Not
Configured, you can use Regedt32 to navigate to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

On the Edit menu, select Add Value, enter the value name DisablePersonalDirChange
with a REG_DWORD data type, and set the data value to 1.

* WINDOWS 2000 PRO TIP: PUSHING AND POPPING NETWORK CONNECTIONS

In the world of Microsoft networking, mapping network drives is a common
occurrence. Although Windows 2000 fully supports accessing resources
through UNC names, in some instances users (and some applications) still
want to see an actual drive letter.
One such instance occurs when you need to automate a procedure to
temporarily map a network drive (e.g., to run a quick batch file or
setup routine) and then disconnect it. The problem with automating such
a procedure is that you can't always be sure which drive letters might
be mapped on a user's workstation at any given time. If you try to
automate the NET USE command to map a drive letter M, you might step on
a user's custom drive mapping for the same letter.
Two Win2K commands--PUSHD and POPD--can help you work around this
problem. PUSHD maps a network drive to a network share, automatically
picking the highest available drive letter, and then changes to that
mapped directory. For example, the command

PUSHD \\servername\sharename

maps the Z drive on your system (assuming it's not already mapped) to
\\servername\sharename, and then leaves you at a Z:\> prompt. This
procedure is perfect for running batch files and installation commands
on users' workstations. If you need to map a second drive, this
procedure would map it as Y.
After you complete your work over the network share, a simple POPD
command removes the network connection and returns your system to the
previous directory.
PUSHD also works with local paths. In that circumstance, PUSHD simply
notes the system's current directory, and changes to the new one. The
POPD command returns the user to the original directory.


Win98 cannot log on to an upgraded Win2K DC

When you upgrade your Windows NT 4.0 PDC to an Active Directory (AD)
Windows 2000 domain controller (DC), Windows 98 clients can no longer
log on. You get the messages:

This device does not exist on the network.
The domain password you supplied is incorrect or access to your logon
server has been denied.

This problem occurs if the SAM becomes corrupted during the AD
install. To recover, follow these steps:
1. Use addusers.exe to dump the user and group accounts to a text file.
2. Use dcpromo to remove AD, demoting the DC to a server.
3. Use dcpromo to promote the server to an AD DC.
4. Use addusers.exe to import the users and groups from the text file
created in step 1.

Windows Registry Guide
Formerly RegEdit.com, which still provides an extensive range of registry
tips, tricks & tweaks for optimizing, enhancing and securing the Windows
operating system.
URL: http://registry.winguides.com/

Windows Scripting Guide
Provides technical resources, information and source code to help
you automate the Windows operating system using Windows Script Host
(WSH) with VBScript and JScript.
URL: http://scripting.winguides.com/

Windows Security Guide
Provides information and resources to secure the Windows operating
system and networks with details about the latest vulnerabilities and
fixes, articles and technical support.
URL: http://security.winguides.com/

Change the Start Button Text (95, 98, ME & NT/2000)
Would you like to change the Start button to say something else, perhaps
your name, company or any other word of five letters or fewer? This
article explains the procedure to manually modify the text of the
Windows Start button.
More Info: http://registry.winguides.com/display.php/791/

Disable Windows File Protection (Windows 2000)
Windows 2000 introduced a new feature called Windows File Protection
(WFP), part of the System File Checker, which is intended to avoid some
of the common DLL consistency issues. This feature may also block valid
attempts to change system files and it can therefore be disabled using
this tweak.
More Info: http://registry.winguides.com/display.php/790/

Restrict Help Menu Items in Internet Explorer (Windows 9x and NT)
The menu items on the Internet Explorer "Help" menu can be
individually removed or the menu disabled completely using this tweak.
More Info: http://registry.winguides.com/display.php/792/

Manage Attachment Security in Outlook (Windows 9x and NT)
New security measures that improve the dialog box warnings for
attachments were included in Microsoft Outlook beginning with Outlook
2000 (SR-1). The file extensions that trigger the more secure warnings
can be managed through the registry.
More Info: http://registry.winguides.com/display.php/793/

Introduction to Windows Scripting
Windows scripting is easy. This may sound like a bold statement, but
spend a few hours playing with it, get your feet wet and I think you’ll
agree. To get started using WSH, begin with this introductory tutorial.
More Info: http://www.winguides.com/article.php?id=2

Secure Password Generator
One of the most important security measures with any computer, network
or secure software is using a password that is extremely hard to guess
or crack. That’s why we have created the free Secure Password Generator,
which is designed to create highly secure random passwords with
configurable options such as length, case sensitivity and numeric &
punctuation characters. Give it a try now and you’ll never have to think
up another password again.
More Info: http://security.winguides.com/password.php

Win2k & Plug & Play Devices
Win2K lets you install Plug and Play (PnP) devices even if you aren't
logged in as an Administrator. If the PnP device has a matching
digitally signed driver, any user can install the device. If the device
doesn't meet the criteria needed for this install, you can still install
it using the runas command. The following syntax

Runas /u:<computername>\administrator devmgmt.msc

launches the Device Manager applet after prompting you for an
Administrator password.

Renaming the Recycle Bin

Okay, right-click on your "Recycle Bin" and... wait a second. Where's the option to rename? It ain't there! Fire up REGEDIT.EXE and navigate your way to HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder. Double-click the "Attributes" value and change its number... AFTER you backup the key, of course. Enter "50010020" (sans quotes) for the "Rename" option only, "60010020" for "Delete" only, and "70010020" for adding both the "Delete" and "Rename" menu functions. My suggestion? Stick with 50010020.

Windows 2000 Shutdown Problems
Jack Sanderson sheds some light on troubleshooting Windows 2000 problems. Seems as though Jack's computer wasn't shutting down by itself (with an ATX power supply). He was fiddling with the Device Manager in the Computer Management Console and found a 'Show Hidden Devices' option in the View menu. He enabled 'NT APM / Legacy Interface Node' and that fixed his contention. While you may not be having a power problem, this "secret" feature could get you out of other jams. Care to have your Windows 2000 PC automatically reboot when it smacks into a blue screen? Lockergnomie Marc Lane found something for ya. Right-click on My Computer, pull up its properties and flip to the Advanced tab. Click the "Startup and Recovery" button. On the subsequent sheet, place a checkmark in the "Automatically reboot" field.

CRASH DUMP ANALYSIS
Many systems administrators forgo exploring Windows 2000's and Windows
NT 4.0's crash dump options in the belief that using them is too
difficult. Although Microsoft's debugger documentation has improved in
the past year, it's still oriented toward device-driver developers. But
even if just one crash dump in five contains information that proves
useful, you'll find it worthwhile to learn at least a little about crash
dump analysis. Be sure to read Mark Russinovich's primer on crash dump
analysis on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=16425

CD-Burning, Re-writers & Windows 2000
I recently decided to back up the 40GB or so of .wma music files I had
on one of my servers. For several reasons, I decided to copy all of the
files to CD-Recordable (CD-R) disc. I figured that doing so would work
well at 650MB per CD-R disc, and I would be able to move the music files
to any computer or grab a handful to take with my notebook when I
travel.
I ran into a couple of problems while performing the file transfers.
The first was that the CD-ROM File System (CDFS) has a limit of 64
characters in a filename. Because the filenames of the music files I had
created contained the name of the artist, album, and song title, many of
them exceeded 64 characters. Adaptec EZ-CD Creator will automate
renaming the files, but I didn't want to lose the information contained
in the filenames. To keep the filenames intact, I decided to zip the
files on a per album basis. This approach meant CDFS had to deal only
with whatever I named the zip file, and for a little extra effort on my
part, I retained all of the information contained in the filenames. I
can't play the files back directly from the CD-R disc, but I can easily
extract the desired files to a local disk. I didn't zip the files for
the file compression because the files are barely compressible.
The second problem I encountered was that 650MB on NTFS doesn't seem
to equal 650MB on CDFS. I found that if I tried to copy more than about
610MB to a CD-R disc, I received a "disk full" message. So I wrote what
the local machine reported as 590MB to 610MB, and when I checked the
CD-R disc, the total file size was now more than 640MB.
So after 50 plus CD-R discs, I've mastered the trick of backing up my
music collection, and I now have a semipermanent archive of more than
15,000 tracks from my personal CD collection. Now, when I travel on
extended business trips, I can bring almost my entire CD collection with
me in a small binder.

WINDOWS 2000 PRO TIP: CONDITIONAL PROCESSING AT THE COMMAND PROMPT, PART II

One of the most valuable benefits I get from writing this section of the
Windows 2000 Pro newsletter is the reader feedback. Many of you come up
with new and improved ways to implement tips that I've shared, which I
can then share with the rest of you.
This week is no exception. Last week's tip showed you how to create
conditional processing on command prompt commands by using the && and ||
separators. To recap, if you type a command on a command line and follow
it with && and another command, the second command executes only if the
first one is successful. If you use a || between two commands on a
command line, the second command executes only if the first one fails.
Reader Jim Ruby wrote to share some more information about this type
of command processing. He wrote, "Did you know you could chain the &&
and || pipes on a command line? This allows you to make a 'do this if it
succeeds, do this if it fails' single command line. For example:

dir c:\ && Echo Drive Exists || Echo Drive Doesn't Exist

displays the listing followed by 'Drive Exists' when used with a defined
drive letter, and displays 'Drive Doesn't Exist' when used with an
undefined drive letter."

Sure enough, he's absolutely right! Thanks Jim!
For this procedure to work properly, the first command on the line
must have some way to indicate to the system whether it succeeded or
failed. Simple commands, such as DIR, will work correctly, but not every
command-line program behaves in the same manner; you'll have to try the
procedure on your own commands to see whether it works. For the commands
that work, this is a great capability.
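The PUSHD/POPD tip and the && / || chaining combine naturally into one deployment script. This is an added example, not from the newsletter or its readers; the share \\FILESRV01\Deploy, the setup.exe program and its /quiet switch are placeholders.

```batch
@echo off
rem Added example (not from the newsletter): temporarily map a share with
rem PUSHD, run an installer from it, record success or failure with && and ||,
rem and always release the drive letter again with POPD.
rem \\FILESRV01\Deploy, setup.exe and its /quiet switch are placeholders.
setlocal
set SHARE=\\FILESRV01\Deploy
set LOG=%TEMP%\deploy.log

rem PUSHD maps the highest free drive letter (Z:, then Y:, ...) and changes
rem to it, so no existing NET USE mapping on the workstation is disturbed.
rem If the share is unreachable PUSHD fails, the || branch runs and we stop.
pushd %SHARE% || (echo %DATE% %TIME% cannot reach %SHARE% >> "%LOG%" & exit /b 1)
echo %SHARE% is mapped as %CD%

rem "Do this if it succeeds, do this if it fails" on a single line. This only
rem means something when setup.exe reports its result through its exit code;
rem a program that always exits with 0 will always take the && branch.
setup.exe /quiet && echo %DATE% %TIME% setup OK from %CD% >> "%LOG%" || echo %DATE% %TIME% setup FAILED from %CD% >> "%LOG%"

rem POPD disconnects the temporary drive and returns to the directory we
rem started in, whichever branch ran above.
popd
endlocal
```

To see whether a given program is usable with && and ||, run it once from a command prompt and then type echo %ERRORLEVEL%; a program that reports 0 after a known failure cannot drive the || branch.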

Disabling Self Repair...
I've replaced Notepad with Metapad as my default text editor (which came from welcome.to/metapad). In Windows 98, I simply renamed the binary and threw it into my Windows folder. When I tried to do the same in Windows 2000, the operating system wouldn't let me. Within seconds, it would reverse my replacement. What!? That's a nice safeguard, but I really wanted to use the Metapad binary. In a matter of minutes, I discovered that files in the "WINNT\system32\dllcache" folder were my problem. Upon replacing its copy of Notepad with the Metapad binary, I was saved. Of course, not before being warned about the issues which may have come up (which haven't yet). Now, if you care to stop this auto-recovery from ever happening again, you'll need to launch your registry editor. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" and look for the "SFCDisable" DWORD value. Set it to "1" and you'll be good to go.

Terminal Services Security Article (Part 2) (Part one was too basic)
When you install Terminal Services, Win2K creates a connection object. This connection object represents different combinations of network adapters, connection types, and transport protocols that you use to enable clients to connect to Terminal Services. One such connection object is RDP-Tcp. Double-click the connection object, and you'll notice that on the General tab you can connect clients to the server using RDP instead of TCP/IP, as Figure 1 shows.

The first important security setting is the encryption level you select for the RDP-Tcp connection. Terminal Services uses the RSA RC4 encryption algorithm to encrypt data you send over the network. The type of data that you send over the network between a Terminal Services client and Terminal Services server is different from the data you send between a standard workstation and file server or application server. For instance, with a conventional client/server configuration, when you execute Microsoft Word on your workstation and open a document on your file server, the server sends the contents of the entire file to your client over the network. When you run MS Word in a Terminal Services session and open a document stored on the Terminal Services server, the server sends only the first screen of the MS Word document to your client over the network. As you scroll through the document, the server sends screen updates to the client. Whenever you edit the document, the client sends your keystrokes and mouse movements to the server. Terminal Services uses RDP for all this data. Theoretically, if you scroll through the entire document, a malicious intruder on your network can capture each RDP packet and reconstruct the contents of your file. (However, capturing these packets would be much more difficult than in the conventional file server scenario I just described.) It's important, therefore, that you select one of three encryption levels (Low, Medium, or High) from the General properties tab shown in Figure 1.

Low encryption specifies that only data you send from the client to the server should be encrypted. This one-way encryption protects the passwords that users enter to access the Terminal Services server. Remember: when you use Terminal Services, the client sends each keystroke to the server. Therefore, when you open a Terminal Services session and log on, someone else on the network can easily capture those packets and steal your password if you don't encrypt the data you send from the client to the server. If you select Medium encryption, Terminal Services encrypts the data sent in both directions. If your client is a Win2K computer, Terminal Services uses a 56-bit key for Low and Medium encryption. If you connect with any other client, Terminal Services uses a shorter 40-bit key. If you select High encryption, Terminal Services encrypts data sent in both directions—like Medium, except that High encryption uses a much stronger 128-bit key. (High encryption is available only in the US and Canada.) If you use Terminal Services over an untrusted network such as the Internet, I recommend you use Medium or High encryption. When you administer servers, you expose a large amount of sensitive information (e.g., user accounts, groups, configuration settings), which is valuable to a network intruder. If you use Medium or High encryption, you ensure that someone else won't view the information-filled screens you view during your administrative activities. The other security setting under the General tab, Use standard Windows authentication, isn’t relevant unless you’ve installed a third-party authentication package on your server.

For the next security setting, click the Logon Settings tab. This tab is where you can control whether users who connect to the Terminal Services server need to explicitly log on. If you select Always use the following logon information, as Figure 2 shows, you can specify that as soon as a user opens a session on this server, the server will automatically log on this user using the user name, domain, and password you specify under the Logon Settings tab. If these credentials fail to successfully log on the user, Terminal Services presents the standard logon dialog box and lets the user enter different credentials. This option is convenient for those times when users access an application that requires its own logon. In those cases, you might decide to have all users log on with one generic Win2K user account. You can then rely on the application to authenticate the user. Of course, this setting isn't appropriate for remote administration. Instead, I recommend that you select Use client-provided logon information, where Terminal Services presents the standard logon dialog box and requires that the user specify logon credentials. Back at their own workstations, users can use the Client Connection Manager to create shortcuts that remember the server, username, and password. 

You can use these shortcuts to open a session quickly and automatically log on to a Terminal Services server. However, I don’t recommend storing passwords in shortcuts. If intruders access your workstation or profile, they can easily steal the passwords. If you select Use client-provided logon information but you don’t want to let users log on with a password stored in a shortcut, you can check the Always prompt for a password check box. Alternatively, if you select Always use the following logon information and check Always prompt for a password, Terminal Services displays the logon dialog box with a default username and domain filled, waiting for the user to enter the password. In this case, the dialog box lets the user change his or her username and domain. Next time, I’ll complete this discussion of Terminal Services’ security features, and I'll show you some ways you can benefit from managing services remotely while still keeping your systems secure.

Terminal Services, Part 3

In Part 1 and Part 2 of this article, I described some of the options for securing Windows 2000 Server Terminal Services. Here, in Part 3, I'll continue the tour by looking at some of the properties for Terminal Services connection objects.

Remote Control 
Terminal Services security is controlled primarily through properties on Terminal Services connection objects using the Microsoft Management Console (MMC) Terminal Services Configuration snap-in. To begin, select the connection object, right-click, and select Properties. The Remote Control tab sets the properties that let administrators and support personnel take remote control of a session. Although this functionality is very useful in an application server scenario, you don’t want someone viewing your Terminal Services session while you are administering a server—much less taking control of it. 

The Remote Control tab of a Terminal Services connection object offers three options. First, you can select Use remote control with default user settings, as Figure 1 shows. If you select this option and try to take control of a user’s session, Terminal Services will refer to the remote control settings specified in that user's account. If you are using Active Directory (AD), you can also find these settings in the MMC Active Directory Users and Computers snap-in. If your Terminal Services server isn’t a member of an AD domain, open Computer Management and maneuver to Local Users and Groups. Find the desired user, and open the associated Administrator Properties window. Select the Remote control tab to view the options, as Figure 2 shows.

If you specify that Remote control is enabled, you can stipulate that Terminal Services ask the user for permission before letting an administrator or support staff personnel take control of the session. To control whether Remote control for this user is limited to view-only mode, specify View the user's session or Interact with the session. If you select Interact with the session, you can take control of the user's keyboard and screen to function as that user. If you're securing your server for remote administration only, you will want to disable remote control for all administrative user accounts.

The second choice on the Remote Control tab of a Terminal Services connection object presents an even better way to prevent someone else from using remote control. The Do not allow remote control option, as Figure 1 shows, prevents remote control for any sessions opened that are using this connection object, regardless of the user's remote control settings. I recommend using this setting when you implement Terminal Services only for remote administration.

The third choice on the Remote Control tab is Use remote control with the following settings, as Figure 1 shows. If you select this choice, you get the same options found on the Remote Control tab of user accounts, and the settings you specify here override those made at the user level.

Permissions 
The final tab on the properties page for Terminal Services connection objects that relates to security is Permissions. Like all objects in Win2K, connection objects have an ACL that controls who can open a session to the server through Terminal Services and who can perform administrative functions on those sessions and the connection itself. There are three levels of access you can grant to a connection object from the Permissions tab: Full Control, User Access, and Guest Access. However, these access levels are actually different combinations of lower-level permissions, which you can view if you click Advanced and then click View/Edit. There are 10 different permissions, as Figure 3 shows. 

Query Information lets you use Terminal Services Manager to view the status of the current sessions associated with that connection. Logon is the most basic permission—you must have Logon access to open a new session and log on to Terminal Services. Message access lets you send messages to other users connected to the server. 

Terminal Services gives you the ability to temporarily disconnect from your session, walk over to another computer, and reconnect to the session from that workstation. To disconnect and reconnect to your own sessions, you need only Connect access, but if you also have Disconnect access, you can disconnect someone from his or her session and connect to it yourself from your own workstation. To hijack a session like that, you need Connect and Disconnect access, but being able to reconnect to another user's session is a feature you should disable for remote administration connections. You don't want someone hijacking your session, but disabling reconnection is a somewhat confusing procedure, although at first it seems simple. If you explore user accounts in Active Directory Users and Computers, you'll notice the Sessions tab, which provides time limits for how long Terminal Services keeps applications open in active, idle, and disconnected sessions. There is another option, however—Allow reconnection: From originating client only—that seems more appropriate. You might think that selecting this option prevents someone at another computer from hijacking your session. However, if you carefully read Win2K's Help text, you learn this feature applies only to users connecting through a third-party Citrix ICA client—not the typical Terminal Services client that comes with Win2K. So, to remove this risk, you need to lock down the permissions on the connection object so that the Everyone group is explicitly denied Connect and Reconnect.

The Reset permission lets you end any session associated with the connection object. Resetting a user’s session ends all of its active applications abruptly and can result in lost data. Logoff permission is similar to Reset—the difference is that Logoff causes Terminal Services to log off the user and present the logon dialog box again, whereas Reset closes the entire session. 

To configure a connection object’s properties in Terminal Services Configuration, you need the Set Information permission. To successfully take over a user’s session, you must have the Remote Control permission on the associated connection object. Don’t confuse the Remote Control permission with the Remote Control tab on connection objects and user objects. The Remote Control permission specifies who can take control of sessions. The Remote Control tabs on connection objects and user objects limit which sessions and which users another person can take control of remotely. 

The Virtual Channels permission controls whether users may access devices on their client workstation from programs they are running in a Terminal Services session on the server. For instance, to use the local COM port on your workstation from an application inside a Terminal Services session, you need the Virtual Channels permission. The default ACL on a connection object when you install Terminal Services for remote administration simply grants Administrators and the SYSTEM account Full Control. The only change I would recommend is adding an access control entry (ACE) for Everyone that explicitly denies Remote Control, Connect, and Disconnect. This precaution reduces the possibility of someone using vulnerabilities in RDP to hijack your session. Next time, I'll complete this discussion of securing Terminal Services for remote administration.

CLEANING UP YOUR SYSTEM TRAY

The first thing I do with a new laptop or desktop is clean out all the
applications and installation routines that the hardware manufacturer
preloaded on the system. The task is annoying and time consuming, but
not difficult. What's even more annoying is how many little (useless)
tools automatically load themselves into my system tray.
Unloading items from the system tray can be tricky, depending on how
well the application vendor wrote the software; some application
developers want you to see their product's icon all day long, so they
make removing it difficult. But system tray icons take up memory, so if
they don't serve a purpose, I recommend you remove them. Here's how:
1. Check the program. Sometimes, if you right-click a system tray icon,
it lets you unload it and never have it load again. My compliments to
software vendors who follow this user-friendly standard.
2. Check your startup folders. Right-click your Start button, and select
Open. Navigate to Programs, Startup. Look for any icons in the Startup
folder. If you don't want a program to load at startup, remove the icon
by either deleting the icon or moving it somewhere else. Repeat the
process for the "Open All Users" option.
3. Check the registry. This approach is a bit trickier. Back up your
registry, run regedit.exe, and navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Anything in this key runs at startup. Delete items carefully here
because some items might be necessary for your system to function
correctly. Always note the command-line value for each entry you delete,
in case you need to add it back.
4. Check .ini files. Some old software programs still follow this
standard. Before the registry existed, Windows used .ini files to store
configuration information, including which programs should load at
startup. For backward compatibility purposes, these files are still
maintained today. Using Notepad, open %SystemRoot%\win.ini and
%SystemRoot%\system.ini, and look for any load= or run= statements. If
you see those statements, with references to programs, try removing the
statements. Again, remove them carefully because some files might be
necessary for the proper operation of your system.
If you follow the above methods, you can remove most of the clutter
from your system tray. Your boot times will be quicker because Windows
doesn't need to load all of the extra items, and you'll have more usable
RAM in your system.

Another way of Getting Rid of the Logon Box
If so, then you might have Secure Boot turned off. To turn it on, open the Control Panel, double-click the Users and Passwords icon, select the Advanced tab, and check the "Requires user to press Ctrl+Alt+Delete before logging on" check box. Then click OK. The next time you boot, you should see the secure logon screen.

RESTRICTIONS ON EXTENDED AND SPANNED VOLUMES IN WIN2K

Q. What restrictions exist on extended and spanned volumes in Windows
2000?

A. You can extend a simple volume on the same disk if the file system is
NTFS. A simple volume can be set to span other disks. Neither requires a
restart.
You can create a spanned volume on FAT or NTFS, but volumes created
on FAT can't be extended or spanned further. If the volume existed when
the disk was still basic, it can't be extended or spanned. If you try to
extend or span the volume, you receive the following message:

The selected volume was originally created on a basic disk and cannot be
extended. Only volumes originally created on dynamic disks can be
extended.

Some of the real limitations with spanned volumes are that they can't
be mirrored or striped and don't offer fault tolerance. If one of the
disks containing a spanned volume fails, the entire volume fails. They
can also be created only on dynamic disks, not on basic disks. Further,
after a spanned volume is extended, no portion of it can be deleted
without deleting the entire spanned volume.

FINDING STUFF
Searching through your hard drives has become more of a concern as the
size of those drives routinely exceeds 20GB, even with notebook
computers. Desktop systems with 100+GB of storage are common, and
keeping track of all of your files can be quite an adventure. I'm always
looking for files that I know I have somewhere, especially zip files,
application installers, and, unsurprisingly in my line of work,
Microsoft Word documents.
Windows 2000's built-in search engine can handle most of my searches.
If you've never looked at the options available in this little search
application, you're missing out on some pretty powerful search
definition tools.
The Date option lets you search for files based on when you created,
modified, or accessed them. The Type option lets you select any
registered file type, which comes in handy if you remember the file's
icon type but not the application you created it in; this option
displays the registered file types and their icons. The Size option lets
you specify a size range for the hunted file. And the Advanced options
lets you search subfolders (selected by default), use a case-sensitive
search, or if you're searching file content, search slow files.
I often find myself trying to find files that contain information
about a specific topic, usually within Word documents or text files that
contain notes I've taken. Although the Win2K search application can
search for text within files, the command line has two ways to quickly
search through files. The first is the FIND command:

FIND [/V] [/C] [/N] [/I] "string" [[drive:][path]filename[ ...]]

/V Displays all lines that DON'T contain the specified string.
/C Displays only the count of lines containing the string.
/N Displays line numbers with the displayed lines.
/I Ignores the case of characters when searching for the string.
"string" Specifies the text string to find.
[drive:][path]filename Specifies a file or files to search.

If you don't specify a path, FIND searches the text typed at the prompt
or piped from another command.
FIND is very fast, and it's useful if you're looking for a simple
expression in a known group of files. But when I need a complex search
that lets me search entire directory trees for files that contain
something I can't quite remember (the "I know it said something like
xxx" search), I use the FINDSTR command:

FINDSTR [/B] [/E] [/L] [/R] [/S] [/I] [/X] [/V] [/N] [/M] [/O] [/P]
[/F:file] [/C:string] [/G:file] [/D:dir list] [/A:color attributes]
[strings] [[drive:][path]filename[ ...]]

/B Matches a pattern if at the beginning of a line.
/E Matches a pattern if at the end of a line.
/L Uses search strings literally.
/R Uses search strings as regular expressions.
/S Searches for matching files in the current directory and all
subdirectories.
/I Specifies that the search isn't to be case-sensitive.
/X Prints lines that match exactly.
/V Prints only lines that don't contain a match.
/N Prints the line number before each line that matches.
/M Prints only the filename if a file contains a match.
/O Prints character offset before each matching line.
/P Skips files with nonprintable characters.
/F:file Reads file list from the specified file (/ stands for
console).
/C:string Uses specified string as a literal search string.
/G:file Gets search strings from the specified file (/ stands for
console).
/D:dir Searches a semicolon-delimited list of directories.
/A:attr Specifies color attribute with two hex digits. See "color
/?"
strings Text to be searched for.
[drive:][path]filename Specifies a file or files to search.

Use spaces to separate multiple search strings unless the argument is
prefixed with /C. For example, "FINDSTR 'hello there' x.y" searches for
"hello" or "there" in file x.y. "FINDSTR /C:'hello there' x.y" searches
for "hello there" in file x.y.

Regular expression quick reference:
. Wildcard: any character
* Repeat: zero or more occurrences of previous character or class
^ Line position: beginning of line
$ Line position: end of line
[class] Character class: any one character in set
[^class] Inverse class: any one character not in set
[x-y] Range: any characters within the specified range
\x Escape: literal use of metacharacter x
\<xyz Word position: beginning of word
xyz\> Word position: end of word

For more information about FINDSTR regular expressions, refer to the
online Command Reference.
I usually create a FINDSTR search using Notepad and save it as a
batch file with the results redirected to a file that I can then search
through. This approach lets me create very complex string searches to
sort through the hundreds of Word documents I've stored in multiple
folders in the same directory tree. When you've been writing for a
living as long as I have, this search can be incredibly useful.
So, if you're a Web developer, writer, or anyone that works with lots
of text files and document files (though all of these commands can also
search for text in binary files), I'm sure you'll find these
command-line options useful.
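To see how FINDSTR's switches and its regular-expression dialect fit together, here is a small search tool in Python, written for this page as an added example (it is not FINDSTR's code and not from the newsletter). It reproduces the /S, /I, /L, /C: and /M behaviour described above over a constructed directory of note files created in a temporary folder, and it translates FINDSTR's \< and \> word-position metacharacters into Python's re syntax, which spells them differently. The file names and contents are made up for the demonstration; FINDSTR's filename wildcards and /P are not reproduced.

```python
r"""FINDSTR-style tree search (added example, not FINDSTR's own code).

Mirrors the switches discussed above: /S (recurse), /I (ignore case),
/L (literal strings), /C: (one literal phrase), /M (filename only), and
FINDSTR's \< and \> word-position metacharacters.
"""
import os
import re
import tempfile
from typing import List, Tuple


def findstr_to_python(pattern: str) -> str:
    r"""Translate FINDSTR's regular-expression dialect to Python re syntax.

    . * ^ $ [class] [^class] [x-y] mean the same in both. \< and \> become
    \b plus a look-around so they match only next to a word character.
    \x is a literal x. Characters that re treats as special but FINDSTR does
    not (+ ? ( ) { } |) are escaped so they stay literal.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "<":
                out.append(r"\b(?=\w)")       # beginning of a word
            elif nxt == ">":
                out.append(r"\b(?<=\w)")      # end of a word
            else:
                out.append(re.escape(nxt))    # \x: metacharacter x taken literally
            i += 2
            continue
        # Pass FINDSTR's own metacharacters through; escape anything else
        # (letters and digits come back unchanged from re.escape).
        out.append(ch if ch in ".*^$[]-" else re.escape(ch))
        i += 1
    return "".join(out)


def compile_search(strings: List[str], literal: bool = False,
                   ignore_case: bool = False) -> "re.Pattern[str]":
    """Join several search strings the way FINDSTR does: any one may match."""
    parts = [re.escape(s) if literal else findstr_to_python(s) for s in strings]
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("|".join(f"(?:{p})" for p in parts), flags)


def findstr(strings: List[str], root: str, recurse: bool = False,
            ignore_case: bool = False, literal: bool = False,
            filenames_only: bool = False) -> List[Tuple[str, int, str]]:
    """Return (relative path, line number, line) for each matching line.

    Files are read as latin-1 so binary content cannot raise a decode error,
    which is close to FINDSTR's byte-oriented behaviour. Unlike FINDSTR this
    searches every file under root rather than a filename wildcard.
    """
    rx = compile_search(strings, literal, ignore_case)
    hits: List[Tuple[str, int, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not recurse:
            dirnames[:] = []                  # no /S: do not descend
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                for lineno, line in enumerate(fh, 1):
                    text = line.rstrip("\r\n")
                    if rx.search(text):
                        hits.append((os.path.relpath(path, root), lineno, text))
                        if filenames_only:
                            break             # /M: first hit in a file is enough
    return hits


def build_sample_tree() -> str:
    """Create a constructed tree of note files to search; returns its root."""
    root = tempfile.mkdtemp(prefix="findstr_demo_")
    files = {
        "old.txt": "hello there, world\nhello\n",
        "notes/budget.txt": "Draft budget for the migration.\nTotal cost: 12000 USD\n",
        "notes/2000/win2k.txt": "Windows 2000 upgrade checklist\nRun CHKUPGRD first\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # FINDSTR hello there old.txt  -> two strings, either one matches
    print(findstr(["hello", "there"], root))
    # FINDSTR /C:"hello there" old.txt  -> one literal phrase
    print(findstr(["hello there"], root, literal=True))
    # FINDSTR /S 2000 *  -> also matches the 2000 inside 12000
    print(findstr(["2000"], root, recurse=True))
    # FINDSTR /S /R \<2000\> *  -> word position excludes 12000
    print(findstr([r"\<2000\>"], root, recurse=True))
```

Running the script shows the point of the word-position metacharacters: the plain search for 2000 reports both the checklist line and the "12000" in the budget, while \<2000\> reports only the checklist. The same function with literal=True is the equivalent of /C:, and with filenames_only=True it stops at the first hit per file, as /M does.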

* WINDOWS 2000 PRO TIP: CLEANING UP THE SYSTEM TRAY, PART 2 (contributed
Last week, I told you how to remove all those annoying little
applications from your system tray. Of course, utilities are available
that perform that task automatically, but I like to learn how things
work, so I prefer to do it myself.
Speaking of learning, once again alert readers have tipped me off to
the fact that a few more places exist where programs can hide themselves
during your system boot. Last week, I mentioned four key areas to check
when trying to permanently remove items from your system tray:
1. Check the program itself; it might let you unload it and never
have it load again.
2. Check your startup folders, and remove any icons you don't want.
3. Check the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
4. Check win.ini and system.ini files on your computer.

Alert reader Claude Turner caught a few additional registry keys that
slipped past me:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\IniFileMapping (the Win.ini, System.ini, and
winfile.ini subkeys)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\Load
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\WinLogon\ParseAutoexec (If you set this value to 1,
commands in the autoexec.bat file will run.)

So, that's about eight different places that Microsoft lets vendors hide
system tray icons that come up at startup. Again, each of these icons
takes resources (memory) from your system, so if you don't want 'em,
clean 'em out!
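Rather than inspecting each of the locations above one at a time in regedit and Notepad, you can inventory them from an export. The Python script below is an added example written for this page, not a tool from the newsletter or from Microsoft: it parses a constructed REGEDIT4-style export of the Run key, the Windows NT\CurrentVersion\Windows Run and Load values, and ParseAutoexec (the keys from Part 1 and from Claude Turner's list, which the system tray Q&A further down also covers), plus a constructed win.ini fragment with the legacy load= and run= lines, and lists every entry that would start a program at logon together with where it lives. The entry names, commands and file paths in the samples are invented; the startup folders are not covered, since a directory listing needs no parser.

```python
r"""Inventory the autostart locations listed above (added example, not from
the newsletter). Input is a constructed REGEDIT4-style export plus a
constructed win.ini fragment, so it runs anywhere; on a live Win2K system
you would export the keys with regedit's Registry, Export Registry File
command and copy %SystemRoot%\win.ini.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample export; the entry names and commands are made up.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /autostart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"=""
"Run"="C:\\OLDAPPS\\monitor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec"="1"
'''

# Constructed win.ini fragment with the legacy load=/run= lines.
SAMPLE_WIN_INI = """[windows]
load=C:\\LEGACY\\hotkey.exe
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Key -> value names that start programs (None means every value does).
AUTOSTART_KEYS: Dict[str, Optional[Set[str]]] = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": None,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {"Run", "Load"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {"ParseAutoexec"},
}


def _unescape(s: str) -> str:
    """Undo the .reg file escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4/5 export into {key path (lower-cased): {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()      # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        rhs = m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            value = _unescape(rhs[1:-1])                 # REG_SZ
        elif rhs.startswith("dword:"):
            value = str(int(rhs[6:], 16))                # REG_DWORD
        else:
            value = rhs                                  # hex(...) data, kept raw
        keys[current][name] = value
    return keys


def parse_ini_autostart(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, command) for each non-empty load=/run= line."""
    found: List[Tuple[str, str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, val = line.partition("=")
        key, val = key.strip().lower(), val.strip()
        if sep and key in ("load", "run") and val:
            found.append((section, key, val))
    return found


def audit_autostart(reg_text: str, ini_files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (location, name, command) for every entry that starts a program."""
    entries: List[Tuple[str, str, str]] = []
    exported = parse_reg_export(reg_text)
    for key, wanted in AUTOSTART_KEYS.items():
        for name, value in exported.get(key.lower(), {}).items():
            if wanted is not None and name not in wanted:
                continue
            if not value:                     # an empty Run=/Load= starts nothing
                continue
            entries.append((key, name, value))
    for fname, text in ini_files.items():
        for section, key, cmd in parse_ini_autostart(text):
            entries.append((f"{fname} [{section}]", key, cmd))
    return entries


if __name__ == "__main__":
    for location, name, command in audit_autostart(SAMPLE_REG_EXPORT, {"win.ini": SAMPLE_WIN_INI}):
        print(f"{location}\n    {name} = {command}")
```

The output lists five entries for the samples: two from the Run key, the non-empty Run value under Windows NT\CurrentVersion\Windows, ParseAutoexec, and the load= line from win.ini; the empty Load and run= values are skipped because they start nothing. Keeping that list before you delete anything gives you the command-line values the tip recommends noting, so an entry can be put back if the system turns out to need it.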

* How to Get the Most Out of Your Win2K Pro Installation
Learn what to expect from your Win2K Pro installation and the tools to
use to get the most out of this OS.
--Douglas Toombs
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15880

* Win2K Pro Hotfixes
A few problems still remain after SP1. Here's how to remedy them.
--Paula Sharick
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15881

* Win2K Pro for the Win9x User
Get acquainted with Win2K Pro and discover the features essential to
power users.
--Christa Anderson
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15885

FEATURES
* Controlling Group Policy, Part 2
Find out how processing options let you control how Win2K applies Group
Policy.
--Randy Franklin Smith
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15886

* IIS 5.0 Opens the Throttle
Performance improvements in IIS 5.0 help applications run faster.
--Ken Spencer
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15887

* High Class
Boost your network's efficiency with multicasting and Class D IP
addresses.
--Emmett Dulaney
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15891

* Win2K Password Protection
Win2K's password protection is stronger than NT's, but backward
compatibility can leave Win2K systems vulnerable.
--Randy Franklin Smith
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15892

* Internals: Inside Win2K NTFS, Part 2
Mark Russinovich explains the workings of NTFS5's Distributed Link
Tracking, sparse file support, volume change tracking, encryption, and
alternate data streams.
--Mark Russinovich
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15900

TOOLKIT
* Inside Out: Decrypting EFS
Encrypting File System (EFS) looks simple on its face, but the devil is
in the details.
--Mark Minasi
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15907

* Top 10: Things I Dislike About Win2K Pro
Although Win2K is a terrific upgrade, it's not perfect. Here's why.
--Michael Otey
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15908

* Remote Possibilities: RRAS and DHCP Leasing
Do Win2K RRAS servers handle DHCP server interaction and client IP
address allocation more intelligently than their NT 4.0 predecessors
do?
--Sean Daily
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15909

* This Old Resource Kit: Writing Command Shell Script Status to the
Application Event Log
Use Win2K and NT command shell scripts to automate repetitive
administrative tasks.
--Mike Otey
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15910

* Tricks & Traps: Daily Answers
Learn about troubleshooting connection-speed problems, displaying OS
version and build number, tweaking Start menu settings, distributing
Windows updates, enabling filename and directory name completion, and
administering user profiles.
--Sean Daily
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15911

L2TP Ports on Firewall
We have a need to allow L2TP connections to come in from certain
networks. But currently the security policy restricts them because no
one has asked for them. I searched TechNet and all I can find is that
L2TP needs UDP 500 (IKE) and UDP 1701 (data) for a connection. No
mention of any TCP port. What other ports are needed? Those ports are
currently open and I still can't make a valid L2TP connection from remote
networks.
http://63.88.172.96/go/page_listserv.asp?A2=IND0103a&L=HOWTO&P=413


Stop Users Exceeding Concurrent Logons
Unfortunately, in NT and Win2K there is no built-in restriction such as the one found in NetWare, where you can limit a user to a specific number of concurrent logons. The nearest alternative is workstation restrictions. To set workstation restrictions for a user, open Active Directory Users and Computers, find the user, and open its properties window. To get true concurrent logon restrictions you’ll need to check out the Cconnect tool in the Windows 2000 Resource Kit. Cconnect works on NT and Win2K. 

If you install CConnect.exe on each Windows 2000 / Windows NT 4.0 client, you can:

Limit concurrent connections per user.
Log off remote computers when concurrent connections are reached.
List all computers that a user is logged on to.
List logon servers for each user.
Show how many users are logged on to a domain controller (DC).
Force a logoff when concurrent connections are reached.
Enable debugging of the CConnect tool.
Write events to the event log of a specified server concerning the status of the CConnect tool.
Save all lists to a file for further examination.
Track the last user of the computer and only limit that user from
logging on to the computer if the computer was shut down improperly.
Windows 2000 clients have no special requirements to run CConnect.exe. Windows NT 4.0 computers must have the following installed:
- Windows NT 4.0 Service Pack 3 or later
- Microsoft Data Access Components (MDAC) 2.0
- Windows Scripting Host
- Web Based Enterprise Management (WBEM)

HOW CAN I MOVE ACTIVE DIRECTORY LOG FILES?

Along with the ntds.dit file, the Active Directory (AD) keeps several
log files that you might want to move to a faster disk. To do so,
perform the following steps:

1. Restart the domain controller (DC).
2. Press F8 at the Startup menu when the system displays the list of
OSs.
3. Select Directory Services Restore Mode.
4. Select the appropriate installation, if more than one exists, and log
on as an Administrator at the logon prompt.
5. Start a command prompt (Start, Run, cmd.exe).
6. Start the NTDS utility, ntdsutil.exe.
7. At the ntdsutil prompt, type "files" as shown below:
ntdsutil: files
8. At the file maintenance prompt, type the following:
file maintenance: move logs to [new location for file]
9. To view the log files, at the file maintenance prompt, type "info":
file maintenance: info
10. Type "quit" (without the quotation marks) twice to return to a
command prompt.
11. Restart the computer in Normal mode.

Make your own messages in Win2K

Drop to the command prompt and run the "MSGBOX" utility. If you need assistance with interpreting the switch structure, trail the file name with a "/?" (sans quotes). Now you'll be creating message boxes left and right; use the ALT + PRINT SCREEN keyboard combo to copy the graphic to the clipboard; paste it into your favorite image editor and save it for later. Hey, remember back in the days when Windows wasn't so gooey? There's another tool that's still alive in W2k. TREE! That's right, you can run "TREE" from the command line and it'll show you the current path's hierarchical structure. Just as a reminder, any Windows user can redirect the output of any command line program to a text file. The syntax would appear something like this: "PROGRAM > TEXTFILE.TXT" (sans quotes). Useful, eh?

NT4 & Win2K Prof TOGETHER - AND THE PROBLEMS YOU HAVE

Be aware that if you have a system policy that sets the "do not display last username", it will not work on Win2Kp. You will need to go into the local security settings and enable that setting on each machine, until you can get Group Policies going. The other gotcha is in the roaming policy area. Since Win2KP places profiles in C:\Documents and Settings, and Winnt4 places profiles in C:\winnt\profiles, we have found that users jumping from a Winnt4 workstation to a Win2KP workstation can have some interesting issues, mostly that all settings may not migrate, or none at all.

I have 9 Win2K machines in one NT4 Server domain. The group policy NTconfig.pol on the server works, but I have tried to restrict the local C: visibility for 8 of them and not for the other. What you get is either all visible or all not visible. I have tried different combinations of groups and their priority to no avail.

When a user logs on to the Win2K computer everything is fine. If he then goes to an NT machine and logs in, he can't use his e-mail anymore. NT asks for a password that doesn't exist. The only solution is to disable the ProtectedStorage service or delete the whole profile and recreate it.

We recently added over 50 W2K Pro machines into an existing NT4 domain and came across several problems. An NT4 standard user's privileges differ greatly from a W2K standard user's. One main area is that a W2K standard user cannot install software that will be available to other users; you need to be at least a W2K Power User (which is too powerful for a normal user). This caught us out when trying to use a web application that required the user to install an ActiveX control: a standard user was not allowed to install it, so the application failed. Microsoft provides security templates that can be applied by the "secedit" command line or the relevant MMC snap-in. These templates include a compatibility template (compatws.inf) which makes a W2K Pro machine align its security settings with those on NT4. (TechNet Article Q234926 is a starting point.) This is one of the many quirks of running W2K in an NT4 domain. 

Browse Windows 2000 and 98 faster. 

It turns out that you can experience a delay as long as 30 seconds when you try to view shared files across a local network from Windows 2000. For example, this delay would affect your search if you:

1. Right-click the My Network Places icon on your Windows 2000 desktop, click Search For Computers, and search for a Windows 98 or Windows Me computer name; or

2. Click Start, Run, and then type \\computername in reference to a Windows 98 or Windows Me machine.

Microsoft confirms this is a problem in Windows 2000. See support.microsoft.com/support/kb/articles/Q245/8/00.asp. The problem doesn't occur when browsing directly to a named computer share, just when using the computer name as shown above.

Windows 2000 is using the extra time to search the remote computer for Scheduled Tasks, a slow and unnecessary process. Kehoe provides a work-around that dramatically speeds things up.

Step 1. In Windows 2000, click Start, Run, type regedt32, and click OK.

Step 2. In the Registry Editor, navigate to the following branch: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace.

Step 3. Under that branch, select the key {D6277990-4C6A-11CF-8D87-00AA0060F5BF}. This key instructs Windows Explorer to search for Scheduled Tasks. If you wish, pull down the Registry menu and click Save Key to back up this value. Name the output file, say, Scheduled.reg, and you can easily restore the key if necessary.

Step 4. Delete the key and close the Registry Editor.

This change takes effect immediately and doesn't require a reboot, so you can determine how much it speeds up the process.

* TIP: CUSTOMIZING THE WIN2K DHCP BACKUP INTERVAL

Q. How can I customize the Windows 2000 default DHCP Backup Interval?

A. First, note that the DHCP Database Files section in the DHCP online
Help incorrectly states that the default DHCP Backup Interval is 15
minutes (the default is actually 60 minutes). You can customize the DHCP
backup interval by modifying the value in the following key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters

BackupInterval is a REG_DWORD value with a range from 1 to 71582 minutes.

QChain.exe, Install Multiple Hotfixes With Only 1 Reboot 
Unearthed by Daniel Mullings 

http://support.microsoft.com/support/kb/articles/Q296/8/61.asp

"Microsoft has released a command-line tool named QChain.exe that gives system administrators the ability to safely chain hotfixes together. Hotfix Chaining is when you install multiple hotfixes without rebooting between each install. Without this tool, the only supported method is to reboot between each hotfix installation. The QChain.exe tool has the following benefits: It increases uptime for servers because computers are not being rebooted between each hotfix installation. It allows faster installations of multiple hotfixes on a single computer. It is a solution that works on both Windows 2000 and Windows NT 4.0."

* Whistler Materializes: Windows Comes Together
Preview the most significant changes slated for Windows XP and
Windows 2002.
--Michael Otey
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19875

* 10 Steps for Replacing Your Aging PDC
The author shares the steps she took to replace her aging PDC with a
new one, all without the help of a BDC.
--Melissa Wise
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19877

* NTFS Alternate Data Streams
Malicious users can easily take advantage of NTFS's alternate data
streams. Will this breeding ground for computer viruses become a
nightmare for Win2K users?
--Denis Zenkin and Eugene Kaspersky
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19878

* Monitoring Network Traffic
Meet Network Monitor, and learn some tips for getting the most out of
this utility.
--Ed Wilson
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19879

* Working with IIS 5.0 Logs
Want to move Web site log data into a SQL Server database without
compromising site performance? Here's how.
--Ken Spencer
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19880

* Inside Out: Scavenging Stale DNS Records
Windows 2000 dynamic DNS (DDNS) gives you a way to delete old records
from the DNS database.
--Mark Minasi
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19897

* Remote Possibilities: Licensing Woes
Terminal Services is plagued with ill-conceived licensing policies
that can wreak havoc on the life of an unwary administrator.
--Sean Daily
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19899

* Tricks & Traps: Daily Answers
Learn how to edit the routing table, work around default Single
Instance Store (SIS) behavior, troubleshoot InoculatIT's realtime
monitor, and improve WINS performance.
--Sean Daily
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=16460

* Stay on Target
Paul Thurrott gives you his take on whether you should move forward
with Win2K or leap frog to Windows XP.
--Paul Thurrott
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21133

MANAGING DISK QUOTAS WITH WIN2K
If you're new to disk quotas, see Microsoft article Q300979 for a
great how-to article about implementing and enforcing disk quotas in
Windows 2000. You implement disk quotas on a partition basis, and you
can only activate disk quotas on NTFS-formatted volumes.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21485

NEWS: NSA RELEASES WIN2K SECURITY RECOMMENDATION GUIDELINES
The US National Security Agency (NSA) has released a set of
guidelines and templates to help you secure Windows 2000 systems. The
materials contain 5 templates to use with Microsoft's Security
Configuration Editor, 17 guides to secure various aspects of the OS, and
3 supporting documents with in-depth defense coverage and details about
various popular software packages.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=21451

Q. How do I remove the icons that appear in my system tray?

A. The system tray icons are midway between a service and an application
and have the advantage of a UI. They are listed under the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
registry subkey. You can remove them; however, be aware that doing so
not only removes the icon but also stops the application from performing
its actions.

To remove one of these icons from your system tray, perform the
following steps:

1. Start regedit.exe.
2. Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
3. Select the run value you want to remove (e.g., Microsoft
IntelliType).
4. Click Delete.
5. Close regedit.

* WIN2K SECURITY: IP SECURITY FILTERING
One of the lesser-known features of Windows 2000's IP Security
(IPSec) is packet filtering based on IP addresses and port filtering.
With IPSec filtering, you wrap your servers or workstations with another
layer of security that protects them against attackers who try to
connect from elsewhere on your internal network or from the Internet.
You can use this technology in many ways, but in this article, Randy
Franklin Smith shows you how to protect onsite workstations exposed to
the Internet, laptops that employees use to dial into an ISP when
traveling off site, and computers that employees use to telecommute.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21546

* WINDOWS 2000 RESOURCE KIT BOOKS AND REFERENCES ONLINE
Let me guess. You've postponed buying the Windows 2000 Resource Kits
because you have the silly notion that Microsoft might put them up on
its Web site for free. Well, that notion isn't so silly after all. As
"DS-MCSE" pointed out this week on MCSE Live!, Microsoft's Resource Kits
are now available on the Web site in electronic format. For details, go
to the following page:
http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

Q. When does Windows 2000 need rebooting?

A. In Windows 2000, Microsoft has reduced the number of functions that
require a reboot from about 50 in Windows NT 4.0 to 7 in Windows 2000.
Now the only items that require a reboot are:
Changing ISA adapter configuration
Changing the system font
Adding and removing communications ports
Changing the default system locale
Changing the computername (but not domain)
Installing service packs or hotfixes
WHEN YOU INSTALL TERMINAL SERVICES...
AFTER DOING A DC PROMO...
ALSO AFTER INSTALLING THE Client for NetWare - although you can blag your way through!