Be sure to use the fully qualified DNS name of the target DC. You can
get a quick list of the DCs in a domain using NETDOM. The syntax is netdom
query dc.
—Bill Boswell
Do Bulk User Adds
If you have to add dozens or hundreds of users at a time, you know
how tedious it can be to use GUI-based tools like Active Directory Users
and Computers. You can script this work, but scripts take a while to debug
and are often difficult to pass between colleagues thanks to scant documentation.
Because Active Directory is an LDAP directory service, it can import objects
directly if they’re in LDAP Directory Interchange Format, or LDIF. Win2K
comes with a utility called LDIFDE for doing this type of import and export.
The problem with LDIF is that it deals with attributes in vertical fashion.
For instance, here are a few lines from a sample LDIF dump of a user object:
dn: CN=Administrator,CN=Users,DC=company,DC=com
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=company,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=company,DC=com
It’s much handier to deal with spreadsheets, and Win2K has a utility called
CSVDE that does just that. It imports and exports comma-delimited files
rather than LDIF files. To get an idea of what to put in the spreadsheet,
build a sample user object with values for all the attributes you’d normally
want to have for a new user. Export the contents of this object to a file
using CSVDE then examine the contents using a spreadsheet editor like
Excel. When you’re doing the CSVDE export, use the -m switch to eliminate
SAM-specific information that can’t be re-imported.
—Bill Boswell
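The tip above rests on the difference between LDIF's vertical layout (one attribute per line, values folded and sometimes base64-encoded) and the one-row-per-object CSV that CSVDE consumes. The following converter is an added example, not code from the article or from Microsoft's tools: it parses an LDIF dump, drops system-owned attributes that an import must not carry (the SKIP_ATTRS list is an assumption that approximates what CSVDE's -m switch omits on export), and writes CSVDE-style CSV, joining multi-valued attributes with semicolons inside one cell. SAMPLE_LDIF is constructed for the demonstration.

```python
"""Convert a vertical LDIF dump into the one-row-per-object CSV layout that
CSVDE imports. Added example, not from the article or from Microsoft's tools.
SAMPLE_LDIF is constructed; SKIP_ATTRS is an assumed list of system-owned
attributes an import must not carry (CSVDE's -m switch omits these on export)."""
import base64
import csv
import io

SKIP_ATTRS = {"objectguid", "objectsid", "usnchanged", "usncreated",
              "whenchanged", "whencreated", "distinguishedname", "name"}

SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=company,DC=com
objectClass: top
objectClass: person
objectClass: user
cn: Administrator
description: Built-in account for administering the
  computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=company,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=company,DC=com
memberOf: CN=Domain Admins,CN=Users,DC=company,DC=com
displayName:: QWRtaW5pc3RyYXRvcg==

dn: CN=Jane Doe,CN=Users,DC=company,DC=com
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
userPrincipalName: jdoe@company.com
"""


def parse_ldif(text):
    """Return [(dn, {attribute: [values]})] from LDIF content-record text."""
    # Unfold: a line beginning with a single space continues the previous line.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():                 # blank line ends a record
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def ldif_to_csv(text, skip=SKIP_ATTRS):
    """Render parsed entries as CSVDE-style CSV text.

    The header is the union of attribute names with DN first; multi-valued
    attributes are joined with ';' inside one cell, as CSVDE does."""
    entries = parse_ldif(text)
    columns = ["DN"]
    for _, attrs in entries:
        for name in attrs:
            if name.lower() not in skip and name not in columns:
                columns.append(name)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(columns)
    for dn, attrs in entries:
        writer.writerow([dn] + [";".join(attrs.get(col, [])) for col in columns[1:]])
    return out.getvalue()


def csv_rows(text):
    """Parse CSV text back into rows (handy for checking the output)."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    print(ldif_to_csv(SAMPLE_LDIF))
```

Feed the output to csvde -i -f users.csv after adding the columns a new account needs (sAMAccountName and userPrincipalName at least); attributes that were skipped are regenerated by the directory on import.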
Clean Up Replication Connections
If you observe in the Sites and Services snap-in that a DC has more than one
connection from a single DC, or that it’s not a GC yet has many connection
objects (a non-GC DC should only have three at the most), they should
be cleaned up. The Knowledge Consistency Checker (KCC) often creates temporary
connections to route around trouble and doesn’t do a great job of always
cleaning them up.
The solution: In the Sites and Services
snap-in, go to the problem server object and open the NTDS Settings object.
In the right pane, select all the connection objects and delete them.
You can wait for the KCC to regenerate them on its next cycle, or you
can force it by right-clicking on the NTDS Settings object, go to All
Tasks and select “Check Replication Topology.” This forces the KCC to
regenerate the connection objects that it needs. It might take a while
and you’ll have to refresh the snap-in to see them, but they will be created.
If they never are created, replication is broken on this DC.
—Gary Olsen
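The two symptoms the tip describes (several connection objects from the same source DC, and a non-GC DC holding more than the three it should need) can be checked in bulk before anyone starts deleting objects in the snap-in. The script below is an added example, not part of the article: SAMPLE_CONNECTIONS is constructed and stands in for an LDAP search of the nTDSConnection objects (fromServer attribute) under each server's CN=NTDS Settings container, and the threshold of three is the tip's own rule of thumb.

```python
"""Audit NTDS Settings connection objects for the two symptoms the article
describes: several connections from the same source DC, and a non-GC DC with
more connections than the three it should need. Added example, not from the
article; SAMPLE_CONNECTIONS is constructed and stands in for an LDAP search of
nTDSConnection objects (fromServer attribute) under each server's
CN=NTDS Settings container."""
from collections import Counter, defaultdict

MAX_NON_GC_CONNECTIONS = 3    # the article's rule of thumb

# (DC owning the connection object, source DC from fromServer, owner is a GC)
SAMPLE_CONNECTIONS = [
    ("DC1", "DC2", False),
    ("DC1", "DC3", False),
    ("DC2", "DC1", False),
    ("DC2", "DC1", False),    # two connections from one source: KCC leftover
    ("DC2", "DC3", False),
    ("DC3", "DC1", False),
    ("DC3", "DC2", False),
    ("DC3", "DC4", False),
    ("DC3", "DC5", False),    # four on a non-GC: more than it should hold
    ("GC1", "DC1", True),
    ("GC1", "DC2", True),
    ("GC1", "DC3", True),
    ("GC1", "DC4", True),     # a GC legitimately carries more
]


def audit_connections(connections, max_non_gc=MAX_NON_GC_CONNECTIONS):
    """Return {dc: [finding, ...]} for DCs whose connection objects need cleanup."""
    sources_by_dc = defaultdict(list)
    is_gc = {}
    for owner, source, gc in connections:
        sources_by_dc[owner].append(source)
        is_gc[owner] = gc

    findings = {}
    for dc, sources in sources_by_dc.items():
        issues = []
        for source, count in Counter(sources).items():
            if count > 1:
                issues.append(f"{count} connection objects from {source}")
        if not is_gc[dc] and len(sources) > max_non_gc:
            issues.append(f"{len(sources)} connection objects on a non-GC DC "
                          f"(expected at most {max_non_gc})")
        if issues:
            findings[dc] = issues
    return findings


if __name__ == "__main__":
    for dc, issues in sorted(audit_connections(SAMPLE_CONNECTIONS).items()):
        print(dc, "->", "; ".join(issues))
```

Only the DCs returned need the delete-and-regenerate treatment from the tip; a DC that reappears in the report after the KCC has run "Check Replication Topology" is the one whose replication needs a closer look.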
Recover Your Original Default Domain Policy
Say you’ve modified the default domain policy many times, and you have
a problem and want to get back to the original, but you didn’t save a
copy. The policy is in a folder contained in the Sysvol directory. Since
the default domain policy is created by the Win2K installation, the GUID
of the GPO will be the same on every domain.
Promote a server to a new domain (test.local).
This creates the default Default Domain Policy. Go to %windir%\sysvol\sysvol\test.local\policies\.
Copy the folder {31B2F340-016D-11D2-945F-00C04FB984F9} to a place the
real DC can get to it (will fit on a floppy). Don’t zip it or it won’t
work. Delete the folder {31B2F340-016D-11D2-945F-00C04FB984F9} from a
DC in the “live” domain. Then copy the folder {31B2F340-016D-11D2-945F-00C04FB984F9}
you just created in the test.local domain into %windir%\sysvol\sysvol\test.local\policies\.
Wait for replication to catch up with these changes. You now have a clean,
original default domain policy.
Note: You can do the same thing
with the Default Domain Policy, {6AC1786C-016F-11D2-945F-00C04Fb984f9},
since it’s created by the Win2K Install as well. This process won’t work
with any other group policies.
—Gary Olsen
Creating A Multi-domain Organization-wide Distribution Group
If you’re in a multiple domain environment and need to create an
organization-wide distribution group, such as “All Employees,” then do
the following. First, implement a mail-enabled Universal Distribution
Group (which can be done even if Win2K is in mixed mode). Second, create
a mail-enabled Global Distribution Group in each domain in your forest.
Third, in the Global Group’s properties, set each group’s expansion server
to be a DC in its local domain. Finally, nest these Global Groups inside
the mail-enabled Universal Distribution Group. The one big advantage of
this model is that since the Universal Group’s membership is static, you’ll
reduce Global Catalog Replication traffic. Why? Because every time a Universal
Group’s membership changes, the entire group’s membership must be replicated
to each Global Catalog server. By nesting Global Groups inside the Universal
Group, you bypass this replication while still allowing for day-to-day
changes to each Global Group’s membership.
—Bill English
Include At Least Two GC Servers in Each Site
When you create your Active Directory design, you already know
to include at least two Global Catalog servers in each Win2K site. But
there’s another reason for redundancy: the smooth running of Exchange.
If there’s only one GC server in each Win2K site, then you have a single
point of failure for GC lookups. Should such a failure occur, the DSAccess
service on the Exchange 2000 Server will be forced to find a GC server
in a remote Win2K site through an additional query to the DNS server.
After a remote GC server is found, queries for address book lookups will
be sent to that remote GC server, which, by definition of its being in
a different site, will travel across slow and/or unreliable bandwidth.
I’m guessing you won’t like this scenario. So, best practice is to have
at least two GC servers per Win2K site so that if one server goes down,
the other one can service address book lookup requests. By the way, the
number of domains in the Win2K site doesn’t affect this best practice.
For instance, if you have three domains represented in the same Win2K
site, this best practice doesn’t change. Moreover, you won’t need to map
at least one GC server per domain. The site boundaries matter in this
scenario.
—Bill English
Flush the DNS Cache When Troubleshooting
Win2K incorporates negative query caching based on RFC 2308, “Negative
Caching of DNS Queries (DNS NCACHE).” This means that if a client requests
a record for server WWW in the zone Company.com, and the DNS server replies
that it has no host record by that name, then the client will include
the negative reply in its local name cache. You can see the contents of
the name cache by entering ipconfig /displaydns. Here’s a sample
listing of a negative query cache entry:
www.wazula.com
————————————————————
Name does not exist.
The negative reply stays in the cache
for the time duration specified by the Start of Authority (SOA) record
at the DNS server. For Windows DNS servers, the default cache interval
is one hour. During this interval, even if the host record is entered
in the DNS zone, the client will continue to return a negative reply to
any applications using that host name.
Negative query caching can disrupt troubleshooting
if you aren’t aware that it’s happening. You can clear the contents of
the client’s DNS cache using the ipconfig command as follows:
ipconfig /flushdns
—Bill Boswell
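The following simulation, an added example that is not from the article, plays out the scenario above with a controllable clock: a client asks for a name that does not yet exist, the negative answer is cached for the SOA minimum TTL (3600 seconds, the one-hour Windows DNS default the tip cites), the administrator then adds the host record, and the client keeps getting "Name does not exist." until it either flushes its cache or the hour runs out. The zone data and addresses are constructed.

```python
"""Simulate RFC 2308 negative caching to show why a host record added after a
failed lookup stays invisible to the client until the cached negative answer
expires or the cache is flushed. Added example, not from the article; the zone
data and addresses are constructed. The 3600-second default is the one-hour
Windows DNS SOA interval the article cites."""
import time


class Zone:
    """Authoritative zone: host records plus the SOA minimum TTL in seconds."""

    def __init__(self, name, soa_minimum_ttl=3600):
        self.name = name
        self.soa_minimum_ttl = soa_minimum_ttl
        self.records = {}          # fqdn -> address

    def answer(self, fqdn):
        """Return (address, ttl) for a hit, or (None, negative_ttl) for NXDOMAIN."""
        if fqdn in self.records:
            return self.records[fqdn], 300
        # RFC 2308 s.3: the negative TTL comes from the SOA MINIMUM field
        # (capped by the SOA record's own TTL; here both are the same value).
        return None, self.soa_minimum_ttl


class ClientResolverCache:
    """Client-side cache of the kind ipconfig /displaydns lists."""

    def __init__(self, zone, clock=time.monotonic):
        self.zone = zone
        self.clock = clock         # injectable so the demo can move time forward
        self.cache = {}            # fqdn -> (address or None, expiry timestamp)

    def resolve(self, fqdn):
        now = self.clock()
        hit = self.cache.get(fqdn)
        if hit is not None and hit[1] > now:
            return hit[0]          # cached answer, positive or negative
        address, ttl = self.zone.answer(fqdn)
        self.cache[fqdn] = (address, now + ttl)
        return address

    def display(self):
        """Mimic the ipconfig /displaydns listing."""
        lines = []
        for fqdn, (address, _) in self.cache.items():
            lines.append(fqdn)
            lines.append("Name does not exist." if address is None
                         else f"A (Host) Record . . . : {address}")
        return lines

    def flush(self):
        """ipconfig /flushdns"""
        self.cache.clear()


def demo():
    """Walk through the article's scenario with a controllable clock."""
    now = [0.0]
    zone = Zone("company.com")
    stale = ClientResolverCache(zone, clock=lambda: now[0])
    flushed = ClientResolverCache(zone, clock=lambda: now[0])
    before = stale.resolve("www.company.com")          # NXDOMAIN, now cached
    flushed.resolve("www.company.com")
    listing = stale.display()
    zone.records["www.company.com"] = "10.0.0.5"        # admin adds the host record
    now[0] += 600                                       # ten minutes later
    after_add = stale.resolve("www.company.com")        # still negative
    flushed.flush()
    after_flush = flushed.resolve("www.company.com")    # fresh query, answer found
    now[0] += 3600                                      # past the one-hour TTL
    after_expiry = stale.resolve("www.company.com")
    return {"before": before, "listing": listing, "after_add": after_add,
            "after_flush": after_flush, "after_expiry": after_expiry}
```

Shortening the SOA minimum TTL on the zone trims how long a negative answer lingers, but the flush is what fixes the client you are troubleshooting right now.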
Speed Up DNS Lookups for GC Servers
If you have multiple Win2K domains in a forest, you might have
a situation where a DNS server for a site has only the SRV records for
the local domain. This forces clients to do recursive searches of DNS
looking for Service Locator (SRV) records for Global Catalog servers and
other forest-wide resources. These recursive searches reach out across
the WAN, causing performance problems for the clients. You could avoid
this problem by putting a full secondary zone of each domain onto the
DNS server in each site, but this might result in more zone transfer traffic
than you want to incur. Instead, you can create a zone specifically for
the forest-wide SRV records. This zone would be named _msdcs.,
for example:
_msdcs.company.com
Create this zone in the root domain
of the forest then create a secondary of the zone on each DNS server.
There aren’t many SRV records in this zone, and they don’t change often,
so the zone transfer traffic is minimal.
—Bill Boswell
How to Run SysPrep Without Querying for the CD Key
The problem: The system administrator is using the System Preparation
Tool (SysPrep) to set up Win2K machines, but he or she wants to remove
the option in the mini-setup that queries for the CD key. The solution:
If a SysPrep.inf file is used when running SysPrep.exe, only the dialogues
omitted in the .INF file will be presented to the user. Run SetupMgr.exe
from the Win2K Server Resource Kit to create a SysPrep.inf file, then
modify SysPrep.inf with the product ID information. For example:
[UserData]
FullName="Computer Center"
OrgName=NMIMT
ComputerName=test3d
; skips prompting for product code
ProductID=C69DV-HGJTF-8FYY8-Y3BXM-FH29D
When the mini-setup wizard runs, the
product ID information is provided automatically.
—Gary Marshall
Use Terminal Services for Testing
Often, we make setting changes on machines and then want to test
the effects on a representative user. For example, suppose you’ve configured
some new software deployment policies via a GPO that’s linked to your
Marketing department OU. You could test the configuration by logging on
under a test user on a different machine (or, you could log off the local
machine and log on as the test user). However, a quicker and easier way
to do this on a server that is running Terminal Services for remote administration
is simply to open up a “remote” connection to the same machine. You’ll
now have two users logged on to the same machine, and you can quickly
and easily switch between the two to test the effects of your settings.
—Anil Desai
Control Admin Permissions on Terminal Services
As you probably know, a Win2K server has a Terminal Services feature
that can be configured to give concurrent connection privileges to two
administrators. The definition of “administrator,” in this case, is someone
in the Administrator local group on the server. Win2K makes it possible
to delegate administrative permissions at a server without giving them
full Administrator rights. This makes it a nuisance to manage the server
remotely. You can give non-Administrators permission to make a terminal
service connection to a Win2K server by putting the user (or a group containing
the user) on the permissions for the RDP (Remote Desktop Protocol) connection
for the server. To do this, launch Terminal Services Configuration console
for the server. Open the Properties window for the RDP-Tcp connection.
Select the Permissions tab. Place the individual or group on the access
list with User Access and Guest Access permissions.
In Windows .NET, you can accomplish
the same thing by making the user a member of the Remote Desktop Users
group, a new default group designed specifically to give terminal service
access to non-Administrators.
—Bill Boswell
On SharePoints Sharing a Server
There are situations where it might be beneficial to install SharePoint
Portal Server on a system with SharePoint Team Services. There are no
restrictions on having both on the same system, but there are plenty of
caveats. Even though some of the requirements of the two products are
similar, there are some major differences. Team Services is designed to
be used by small groups (less than 75) working on documents on a single
Web site. Portal Server is designed for large corporations with 75-plus
users with multiple Web sites and data stores. Other differences include
memory and disk space requirements, Web site customizations, storage systems,
document management, and licensing. If you have Team Services installed,
and you wish to install Portal Server on that system, you must remove
Team Services before installing Portal Server. You must also remove a
registry key. You’ll also lose some of the functionality of Portal Server
by installing Team Services after Portal Server is installed. The loss
of functionality relates to Web discussions, subscriptions, and the backup
process. To learn more, visit www.microsoft.com/sharepoint.
—Michael Keter
Give SharePoint Portal Server Its Own Place
Exchange 2000 Server and SharePoint Portal Server don’t belong
on the same server. Period. Such a configuration isn’t supported, and
while it may appear to work out of the box, the first time you need support,
you’ll find yourself out in the cold. Have you been thinking about implementing
SharePoint Portal Server in your environment? If so, then plan on installing
SPS on a separate physical server and leave your Exchange 2000 Server
alone.
—Bill English
Assign More Than One SMTP Address To A Mailbox
If you want to have more than one SMTP address assigned to each
mailbox in your organization, either create a new Recipient Policy or
modify the default Recipient Policy to include the new address. For instance,
if your domain name is trainsbydave.com, and you need to receive mail
at this address plus trainsbyanna.com, then modify the Recipient Policy
for your Exchange organization. To do this, open the Recipient Policy
container in the Exchange System Manager snap-in, then open the E-mail
Addresses tab, click on New, select the e-mail address type and enter
the desired address. Be sure to click Apply or OK and then select the
address’ check box in the E-Mail Addresses tab. Select Yes when prompted
if you want this address to be propagated immediately around your organization.
—Bill English
Tip Contributors
Bill Boswell,
MCSE, is an instructor, consultant and author specializing
in Windows networking topics. He’s the author of Inside
Windows 2000 Server and the upcoming Inside Windows.NET
Server, both from New Riders. You can contact Bill
at bill.boswell@home.com.
Chris Brooke,
MCSE+Internet, is a contributing editor for MCP
Magazine and product and technology editor for ComponentSource,
an online component market place for professional developers
and technical decision-makers. He’s been a practicing
tech head for more than 14 years, specializing in development,
integration services, and network/Internet administration.
You can contact Chris at chrisb@componentsource.com.
J. Peter Bruzzese,
MCSE, MCT, CCNA, has been in the IT training and support
fields for eight years, working with companies like
Goldman Sachs & Co., Solomon Smith Barney, CommVault
Systems and New Horizons. He has written several books
for Coriolis Press revolving around MCSE certification,
including the Directory Services Exam Cram. He’s
also written for Sybex, recently completing Windows
2000: Enterprise Storage Solutions.
Anil Desai,
MCSE, MCSD, MCDBA, is an independent consultant working
in Austin, Texas. He specializes in systems and server
management and is the author of several technical books,
including Windows 2000 Directory Services Administration
Exam Guide (Sybex) and SQL Server 2000 Backup
and Recovery (McGraw-Hill/Osborne Media). Reach him
at anil@austin.rr.com.
Bill English,
MCSE, MCT, CTT, is an author, trainer, and consultant
specializing in network security and the Microsoft Exchange
and SharePoint platforms. He owns Networknowledge, (www.networknowledge.com)
a consulting and training business, and has co-authored
four books on Exchange 2000 Server, including The
Exchange 2000 Server Administrator’s Companion (Microsoft
Press) and Exchange 2000 Server: The Complete Reference
(McGraw-Hill/Osborne Media). He’s currently working
on a new book from Addison Wesley on SharePoint Portal
Server 2001.
Michael Keter,
MCP, works with the Windows Enterprise Team for Compaq
Global Services.
Ann Lovell, MCSE, Compaq ASE, CNE, is a Support
Specialist in Compaq's Windows Enterprise Team. She
has supported Compaq and Digital hardware and software
for 21 years.
John MacGown,
MCSE+I, Master CNE, A+, ASE, is a consultant at Compaq's
Customer Support Center in Colorado Springs. He’s been
supporting Windows NT since 1994.
Gary Marshall,
MCSE, MCSE+Internet, Compaq ACT, has been working for
Compaq since 1996 in the Customer Support Center in
Colorado Springs, Colorado. He’s a technical account
manager in the Business Critical Organization providing
support to premier customers.
Dan McLeod,
MCSE, MCSD, MCDBA, is a software specialist who has
been working in Compaq Technical Support for two decades.
Derek Melber,
MCSE, MCP + I, A+, is a co-founder of Brainshare (www.braincore.net) and
has 10 years of experience in training, speaking, sales,
IS management, network administration, computer programming,
and technology solutions development. He specializes
in management, solution development, network optimization,
and troubleshooting of Windows NT 4.0 Server and Workstation,
Windows 2000 Server and Professional, Windows 95/98,
Microsoft Internet Information Server, and TCP/IP.
Reach him at derekm@braincore.net.
Gary Olsen,
MCSE, is currently a consultant with Compaq Global Services,
Customer Support Center, which provides customer support
for Windows NT, Win2K and all Microsoft products. He
also consults with Compaq customers on Active Directory
design and deployment. He’s the author of Windows
2000: Active Directory Design and Deployment (New
Riders) and a frequent speaker at MCP TechMentor events.
Contact him at Gary.Olsen@compaq.com.
Charles Oppermann
is founder and president of Copper Software, a software
engineering and design firm specializing in directory
services, user interface design and training. Formerly
a program manager at Microsoft, Charles retired in late
1999 after working on several products, including Windows
95, Internet Explorer, Windows 2000 and Exchange 2000
Server. At Microsoft he specialized in creating adaptive
and accessible user interfaces for people with disabilities
and was the program manager and co-inventor of the Microsoft
Active Accessibility technology for which he holds two
patents. Contact him at Charles@coppersoftware.com.
Frank Steinberger,
MCSE, MCP+I, MCT, is a server/support engineer with
Compaq at the North America Customer Support Center.
He specializes in Microsoft Clusters for NT 4.0, Windows
2000 AS and Datacenter.
Larry Weber,
MCP, is currently attending Colorado Technical University
and nearing graduation with a master’s degree in Science
in Management Information Technology.
The Two Versions of Exchange 2000 Server
There are two versions of Exchange 2000 Server: Standard and Enterprise.
The Standard version only allows for one mailbox store and up to 19 public
stores per server. This version is best suited for the small office that
doesn’t have a compelling reason to place users in different mailbox stores,
for the installation of a dedicated public folder server, or for an SMTP
relay server that won’t be hosting any mailboxes or public folders. When
used as a public folder server, replicas of public folders can be load
balanced across multiple databases; if a single database goes down or
becomes corrupt, it doesn’t bring down all the public folder trees and
their public folders, but only the ones hosted in that public store. The
Enterprise version allows you to create any combination of mailbox and
public stores you need on a single, physical server. Hence, if you need
18 mailbox stores and two public stores, the Enterprise version allows
you to do this. In addition, the Enterprise version provides several additional
features that don’t ship with the Standard version, including front-end/back-end
services, an unlimited mailbox store (the standard version is limited
to 16GB), support for Cluster Server and chat services. If you want to
do data, voice and video conferencing, you’ll need to purchase Conferencing
Server, a separate application altogether.
—Bill English
Is SMTP Really Working?
If you don’t know whether the SMTP service on one of your Exchange
2000 Servers is really working, you can use Telnet to check it out. Here’s
what to do: Open a command prompt and enter the following sequence of
commands:
Telnet
Set local_echo
Open 25
(assuming you get a positive response…) ehlo
mail from: administrator@yourdomainname.com
rcpt to: youralias@yourdomainname.com
data
This is a test from myself to myself
. (Yes, type a single period on this line ".")
Then, go check your inbox in Outlook.
If the mail is there, you’ll know that SMTP is working properly. If it
isn’t, then you’ve got some troubleshooting to do. First, if you weren’t
able to open a connection to port 25 on the Exchange 2000 Server, then
ensure that the SMTP service is started. Second, if you could open the
connection but were unable to send e-mail, then stop the anti-virus services
on your Exchange 2000 Server. If this fixes the problem, then contact
your anti-virus vendor. If it doesn’t fix the problem, then you may have
a problem that may require support from Microsoft’s Product Support Services.
One other thing to check is to ensure that your routing group connections
are in the UP state and that the sending and target mailboxes are in databases
that are mounted.
—Bill English
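The hand-typed Telnet session above is a four-command SMTP conversation, and the same dialogue can be driven by a script so that each server reply is recorded and the two failure modes the tip distinguishes (no connection at all versus a connection that refuses to take mail) come out as separate results. The code below is an added example, not from the article: it runs EHLO, MAIL FROM, RCPT TO and DATA from Python's smtplib against a minimal in-process listener that is a constructed stand-in for the Exchange SMTP service, then shows the refused-connection case after the listener is gone. The addresses are the tip's placeholders.

```python
"""Run the article's hand-typed SMTP dialogue (EHLO, MAIL FROM, RCPT TO,
DATA, '.') from smtplib against a minimal in-process listener, so the whole
exchange can be seen and checked offline. Added example, not from the article;
the listener is a constructed stand-in for the Exchange SMTP service and
accepts everything. A refused connection maps to the article's first check
(the SMTP service is not started); a 4xx/5xx mid-dialogue maps to its second."""
import smtplib
import socketserver
import threading


class ToySMTPHandler(socketserver.StreamRequestHandler):
    """Speaks just enough SMTP for the test and stores each DATA body."""

    def reply(self, text):
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self):
        self.reply("220 mail.yourdomainname.com ESMTP toy listener")
        in_data, body = False, []
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if in_data:
                if line == ".":                               # end of message
                    self.server.messages.append("\n".join(body))
                    self.reply("250 2.0.0 Queued")
                    in_data, body = False, []
                else:                                         # undo dot-stuffing
                    body.append(line[1:] if line.startswith("..") else line)
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb == "EHLO":
                self.reply("250-mail.yourdomainname.com\r\n250 8BITMIME")
            elif verb in ("MAIL", "RCPT"):
                self.reply("250 2.1.0 OK")
            elif verb == "DATA":
                self.reply("354 Start mail input; end with <CRLF>.<CRLF>")
                in_data = True
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


class ToySMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, ToySMTPHandler)
        self.messages = []


def smtp_self_test(host, port, sender, recipient):
    """Send one test message; return (outcome, transcript of the exchange)."""
    transcript = []
    try:
        client = smtplib.SMTP(host, port, local_hostname="client.test", timeout=5)
    except OSError as exc:                  # ConnectionRefusedError, timeout, ...
        return "no-connection", [f"could not open port {port} on {host}: {exc}"]
    try:
        code, msg = client.ehlo()
        transcript.append(f"EHLO -> {code} {msg.decode().splitlines()[0]}")
        code, _ = client.mail(sender)
        transcript.append(f"MAIL FROM:<{sender}> -> {code}")
        code, _ = client.rcpt(recipient)
        transcript.append(f"RCPT TO:<{recipient}> -> {code}")
        code, _ = client.data("This is a test from myself to myself")
        transcript.append(f"DATA ... . -> {code}")
        return "sent", transcript
    except smtplib.SMTPException as exc:
        return "send-failed", transcript + [repr(exc)]
    finally:
        try:
            client.quit()
        except smtplib.SMTPException:
            pass


def run_demo():
    """Start the toy listener on a loopback port, run the test, then show the refused case."""
    server = ToySMTPServer(("127.0.0.1", 0))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        outcome, transcript = smtp_self_test("127.0.0.1", port,
                                             "administrator@yourdomainname.com",
                                             "youralias@yourdomainname.com")
        delivered = list(server.messages)
    finally:
        server.shutdown()
        server.server_close()
    refused, _ = smtp_self_test("127.0.0.1", port, "a@b", "c@d")   # listener is gone now
    return {"outcome": outcome, "transcript": transcript,
            "delivered": delivered, "refused": refused}
```

Against a real Exchange 2000 Server, point smtp_self_test at the server's name and port 25; "no-connection" is the tip's first check (SMTP service stopped), and "send-failed" with the transcript showing where the dialogue broke is the cue for the anti-virus and routing-group checks.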
Moving User Mailboxes Without Error
There may be times when you’ll need to move a user’s mailbox from one
Exchange 2000 Server to another. In most cases, the Move Mailbox command
in the Exchange Tasks Wizard will work just fine. However, in some instances,
you may encounter a MAPI error message saying that the server was unable
to connect to the mailbox. The confusing part will be that the user can
open his or her mailbox using the Outlook client and perform all the functions
he or she is accustomed to performing. Should this scenario arise in your
environment, turn off the anti-virus services before attempting to move
the mailbox. Some anti-virus products interfere with execution of the
Move Mailbox command. After turning off anti-virus protection on the source
server, you should be able to move the mailbox without difficulty.
—Bill English
Smaller is Better in Exchange
Exchange Server 5.5 had one huge database for the Private Information
Store. To back up the store meant backing up the entire database (unless
you used third-party backup agents). With Exchange 2000 you can create
additional storage groups with multiple stores to manipulate your mailboxes
and public folders in such a way so as to distribute your information
across multiple databases. This makes it easier to back up and restore
your e-mail. For example, rather than having 500 mailboxes as part of
one database, you can break them into individual groups of 100. The backup
and restore processes would only handle 100 at a time, making it quicker
in the case of a recovery issue.
—Peter Bruzzese
Meeting Schedules in Outlook
When your users attempt to schedule a New Meeting in Outlook, they
may find that they can see calendar information for some users but not
for others. If this is the case, ensure that you’re replicating the Schedule+
Free Busy system public folder to all your Exchange 2000 Servers. To find
this folder, right-click on the default public folder tree and select
System Folders. Then, open the properties of the Schedule+ Free Busy public
folder and replicate it fully around your Exchange organization. Ensure
that this replication schedule is applied to any subfolders that exist
beneath this folder. Allow time for replication to occur. This should
solve your problem.
—Bill English
Avoid Piling On a New .NET DC
When you upgrade an NT PDC to Win2K or Windows .NET, all the existing
Win2K and XP clients in the domain will perform their next authentication
at that DC. This is done by design so that all modern desktops will get
group policies. Unfortunately, if you’ve already rolled out 10,000 desktops
into your NT domain, the PDC is going to get very busy on the day after
the upgrade.
Win2K SP2 and Windows .NET include a
feature that permits the newly upgraded server to continue to pretend
to be a classic NT DC. This feature requires a special Registry entry:
Key: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
Value: NT4Emulator
Data: 1 (REG_DWORD)
It’s important that you enter this
Registry entry prior to upgrading the NT DC. Once you have sufficient
Win2K DCs in strategic locations to handle the onslaught, set the NT4Emulator
entry to 0 on all DCs.
While the NT4Emulator entry is in effect,
if you want to manage a Win2K DC from a Win2K or XP workstation, you must
make the following Registry entry:
Key: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
Value: NeutralizeNT4Emulator
Data: 1 (REG_DWORD)
This permits the client to perform
a Kerberos authentication, which is required to use LDAP tools such as
Active Directory Users and Computers and Active Directory Sites and Services.
—Bill Boswell