Windows NT FAQ Single File Version

This FAQ is copyright © 2000 John Savill (SavillTech Ltd) all rights reserved. No part of this document should be reproduced, distributed or altered without my permission. You may print it for your own use personnel use.

The Web version of the Windows NT FAQ is at http://www.ntfaq.com. To subscribe to the Windows NT FAQ send a mail to nt-faq@ed-com.com with subscribe in the body of the message to receive the updated single file version of the FAQ once a week.

This single file version of the FAQ is available for download from http://www.ntfaq.com/faqcomp.zip.

Contents

• Active Directory
• Backup's
• Batch Files
• Compatibility
• Core
• DHCP
• Distributed File System
• DNS
• Domains
• Environment - Command Prompt
• Environment - Desktop
• Exchange/Windows Messaging
• File Systems
• Group Policy
• Hardware
• Installation
• Internet Explorer 4.0/5.0
• Internet Information Server
• License
• Macintosh
• MS-SQL Server
• Multimedia
• NetWare
• Network
• Performance
• Printing
• Problem Solving
• Proxy Server 2.0
• RAID
• RAS
• Recovery
• Registry
• Security
• Service Packs and Hotfixes
• Support
• System Configuration
• System Information
• System Policy
• TCP/IP
• Terminal Server
• Training
• User Configuration
• Utilities
• Various
• Windows 2000 (NT 5.0)
• Windows 95/98 as a client
• Windows Scripting Host
• WINS

---

Active Directory

• What is the Active Directory?
• A number of Active Directory descriptions.
• What is X.500 and LDAP?
• What is the Global Catalog?
• How do I configure a server as a Global Catalog?
• What is the Schema?
• What is a domain tree?
• What is a domain forest?
• What is a Kerberos trust?
• How do I create a new Active Directory Site?
• How do I move a server to a different site?
• How can a server belong to more than one site?
• How can I backup the Active Directory/System State?
• How can I restore the Active Directory?
• What are the FSMO roles in Windows 2000?
• How can I change the RID master FSMO?
• How can I change the PDC emulator FSMO?
• How can I change the Infrastructure master FSMO?
• How can I change the Domain naming master FSMO?
• How can I change the Schema master FSMO?
• What is Multi-master replication?
• How can I move objects within my Forest?
• How do I allow modifications to the Schema?
• What are Tombstone objects?
• How do I switch my 2000 domain to native mode?
• How can I force replication between two domain controllers in a site?
• How can I change replication schedule between two domain controllers in a site?
• Can I rename a site?
• What DNS entries are added when a Windows 2000 domain is created?
• How can I manually defragment the Active Directory?
• How can I audit the Active Directory?
• How can I automate a server upgrade to a Domain Controller during installation?
• How do I enable circular logging for the Active Directory?
• I can't add a 4.0 BDC to my Windows 2000.
• I can't have spaces in my Windows 2000 NetBIOS domain name, why?
• How can I create trusts from the command line in Windows 2000.
• How can I modify the number of objects searched in Windows 2000?
• I can't create an OU/child domain with the same name from a single parent, why?
• How are objects named in the Active Directory?
• How does replication work intra-site in Windows 2000?
• How can I change the intra-site replication interval in Windows 2000 for domain information?
• How can I set the RPC port used for Intra-site replication?
• What tools are available to monitor/change replication?
• How do I remove a non-existent domain controller?
• How do I remove a non-existent domain from the Active Directory?
• How does Inter-site replication work in Windows 2000?
• How do I create a new site link?
• How do I disable site link transitivity?
• How do I create a site link bridge?
• How do I specify a bridge head server?
• How do I disable the KCC?
• How can I change the NetBIOS name of my Windows 2000 domain?
• How can I monitor when the Knowledge Consistency Checker (KCC) is run?



Backups

• What backup software is available for Windows NT?
• How do I add a tape drive?
• What types of backup does NTBACKUP.EXE support?
• What backup strategies are available?
• What options are available when using NTBACKUP.EXE?
• Can I run NTBACKUP from the command line?
• How do I schedule a backup?
• How do I restore a backup?
• How do I backup open files?
• What permissions do I need to perform a backup?
• How do I backup the registry?
• How can I erase a tape using NTBackup that reports errors?
• How can I remove a dead submitted Backup process?



Batch Files

• What is a batch file?
• What commands can be used in a batch file?
• How can I perform an action depending on the arrival of a file?
• How can I access files on other machines?
• How can I send a message from a batch file?
• The command I enter asks for input, can I automate the response?
• How can I pass parameters to a batch file?
• How can I stop my batch files outputing the command to screen as it runs it?
• How do I call a batch file from within another batch file?
• .bat files have lost their association.
• How do I search files for a string from a batch file/command line?
• Environment settings set by a batch file are not working.
• How can I perform an operation on every machine on the network that is running?
• How can you send a programs output to a NULL device?
• How can I change colour within a batch file?
• How can I call a subroutine in a batch file?
• How do I enter freehand comments in my batch file without using 'rem'?



Compatibility

• Does application x work with NT 4.0?
• Does game x work with NT 4.0?
• Does NT run 16bit applications?
• Will NT 3.51 drivers work with NT 4.0?
• How can I fool a program into thinking my NT installation is actually Windows 95?
• How can I fool a program into thinking my Windows 2000 installation is actually Windows NT/95/98?
• Is BackOffice Server Windows 2000 compatible?
• How do I get the RIO 500 player to work on Windows 2000?



Core

• What are the differences between NT Workstation and NT Server?
• What does NT stand for?
• What is the NT Boot Process?
• What is Virtual Memory?
• What is the history of NT?
• How do I install the SYMBOL files?
• What is Windows NT?



DHCP

• What is DHCP?
• How do I install the DHCP Server Service?
• How do I configure DHCP Server Service?
• How do I configure a client to use DHCP?
• How can I compress my DHCP database?
• How can a DHCP client find its IP address?
• How can I move a DHCP database from one server to another?
• How do I create a DHCP Relay Agent?
• How can I stop the DHCP Relay Agent?
• How can I backup the DHCP database?
• How can I restore the DHCP database?
• How do I reserve a specific address for a particular machine?
• What registry settings control the DHCP log in Windows 2000?
• How do I authorize a DHCP server in Windows 2000?
• How do I create a DHCP scope in Windows 2000?
• How do I configure DHCP scope options in Windows 2000?
• How can I view DHCP address leases in Windows 2000?
• How do I change the DHCP address lease time in Windows 2000?
• My Windows 2000 DHCP client has an IP address not in any scopes, how?



Distributed File System

• What is Distributed File System?
• Where can I get Dfs?
• How do I install Dfs?
• How do I create a new folder as part of the Dfs?
• How do I uninstall Dfs?
• How do I create a Dfs root volume in Windows 2000?
• How can I add a replica Dfs root volume in Windows 2000?
• How can I add a child node to Dfs in Windows 2000?
• How can I add a replica child node to Dfs in Windows 2000?



DNS

• How do I install the DNS Service?
• How do I configure a domain on the DNS Server?
• How do I add a record to the DNS?
• How do I configure a client to use the DNS?
• How do I change the IP address of a DNS server?
• How can I configure DNS to use a WINS server?
• Where in the registry are the entries for the DNS servers located?
• I receive error message "No More Endpoints".
• How do I configure DNS for a Windows 2000 domain? - Windows 2000 only
• How do I configure Active Directory integrated DNS? - Windows 2000 only
• Setting a secondary DNS server as primary results in errors.
• How do I turn off Dynamic DNS? - Windows 2000 only
• How do I configure a forwarder on DNS 5.0? - Windows 2000 only
• I am missing the forwarder and Root Hints tabs in DNS 5.0. - Windows 2000 only
• How do I enable DNS round robin resolution?
• DNS resolution of a valid domain fails on NT.
• How can I force a Windows 2000 domain controller to re-register its DNS entries?
• I'm getting DNS zone transfer messages in the event log, is someone hacking me?
• How do I perform a DNS zone transfer?
• How can I stop DNS Cache pollution?
• How can I enable my web site to be accessible as ntfaq.com instead of www.ntfaq.com?
• How can set the primary DNS suffix in Windows 2000?
• How do I create a caching-only DNS server?



Domains

• How do I change Domain Names?
• How do I move a Workstation to another Domain?
• How many user accounts can I have in one Domain?
• How to I change my server from Stand Alone to a PDC/BDC?
• What is a PDC, BDC?
• How many BDC's should I have?
• How do I configure a Trust Relationship?
• How do I terminate a Trust Relationship?
• How can I join a domain from the command line?
• How do I demote a PDC to a BDC?
• How can I configure a BDC to automatically promote itself to a PDC if the PDC fails?
• How do I rename a PDC/BDC?
• Can I move a BDC to another domain?
• Can I change a PDC/BDC into a standalone server?
• Can I administer my domain from an NT Workstation?
• In what order should I upgrade my PDC and BDC's from 3.51 to 4.0?
• What tuning can I perform on PDC/BDC Synchronization?
• I cannot add a BDC over a WAN.
• How can I synchronize the domain from the command line?
• How can I force a client to validate its logon against a specific domain controller?
• How do I promote a server to a domain controller? - Windows 2000 only
• How can I generate a list of all computer accounts in a domain?
• How can I verify my Windows NT 5.0 domain creation? - Windows 2000 only
• How can I configure multiple Logon Servers with LMHOSTS?
• Are trust relationships kept when upgrading for a 4.0 domain to a Windows 2000 domain?
• How are trust relationships administered in Windows 2000?
• I can't promote a BDC to PDC.
• Unable to join a domain because of SMB signing, what can I do?
• How can I create a child domain?
• How can I create a domain trust through a firewall?
• How can I check the browse masters for a domain?
• How can I stop a remote master browser?
• How can I force a browser election?
• How can I modify the domain refresh interval?
• How is the list of cached domains stored?
• How can I disable trust password changes?
• How can I change the password change for computer/trust accounts?
• The list of domains in the logon box is not updated, what can I do?
• Is it possible to administer a 4.0 domain from a Windows 2000 machine?



Environment - Command Prompt

• How can I configure the command prompt?
• How do I enable/disable command extensions?
• What commands can be used to configure the command window?
• How can I configure a scroll bar on my command window?
• How do I cut/paste information in a command box?
• How do I enable Tab to complete file names?
• How do I create a shortcut from the command prompt?
• How can I redirect the output from a command to a file?
• How can I get a list of commands I have entered in a command session?
• How can I start explorer from the command prompt?
• How can I change the title of the CMD window?
• What keyboard actions can I take to navigate the command line?
• How can I change the default Dir output format?
• How do I pause output from a command to one screen at a time?
• How can I increase the environment space for a single command session?
• How can I stop a process from the command line?
• How can I open a command prompt at my current directory in Explorer?
• How can I open a command prompt at my current drive in Explorer?
• How can I change the editor used to edit batch/command files?
• The AT command works differently under NT 4.0 than NT 3.51.
• How can I append the date and time to a file?
• How can I switch my command window to full screen mode?
• International versions of NT have strange behavior in command prompt.
• What is the difference between cmd.exe and command.com?
• How can I configure the command prompt to output to files in UNICODE/ANSI?
• How can I force the output of a program into an environment variable?



Environment - Desktop

• How do I delete/rename the Recycle Bin?
• How do I disable Task Manager?
• How do I disable Window animation?
• How do I reduce/increase the delay for cascading menus?
• How do I change the My Computer icon?
• How do I hide the "Network Neighborhood" icon?
• Why can't I move any icons?
• How can I disable the Right mouse button?
• How do I change the colour used to display compressed files/directories?
• How can I configure the wallpaper to be displayed other than the center of the screen?
• How can I stop the "Click here to begin" message?
• How can I get more room on the Task Bar?
• How do I add the Control Panel to the Start Menu?
• How can I remove a program from the "Open With" when right clicking?
• How do I change the Internet Explorer icon?
• How do I add an item to the Right Click menu?
• Is it possible to move the Task bar?
• How can I configure NT to display a thumbnail of bitmaps as the icon instead of the Paint icon?
• Can I remove one of the startup folders on the Start Menu?
• How can I clear the Run history?
• How can I remove the Documents menu?
• How do I disable the context menu for the Start button?
• How do I change the Network Neighborhood icon?
• How do I change the Recycle Bin icons?
• How do I change the Briefcase icon?
• How can I get rid of the arrow over the shortcuts?
• I have deleted the Recycle bin how can I recreate it?
• I have deleted Internet Explorer from the desktop how can I recreate it?
• How can I add a shortcut to launch a screensaver on the desktop?
• How do I delete/rename the Inbox icon?
• I have deleted the Inbox icon, how can I recreate it?
• How can I stop and start Explorer (the shell)?
• How do I enable the mouse snap-to?
• How do I enable X Windows-Style auto-raise?
• How do I remove a template from the New menu?
• I don't have the new item on my desktop context menu.
• How do I remove the Favorites branch of the Start menu?
• How do I disable the logoff buttons?
• How do I stop the default Shortcut to text added to new shortcuts?
• How do I modify the shortcut arrow?
• How can I set the default view for all drives/folders?
• How can I stop my environment changes being saved when I logoff?
• How can I enable Hi-Colour icons?
• How can I configure the wallpaper to stretch across the screen?
• How can I configure dialog box content to be shown while dragging windows?
• How can I configure Font smoothing?
• How can I modify the grace timeout for password protected screensavers?
• How can I minimize all open windows?
• How can I configure logoff to show on the Start menu in Windows 2000?
• How can I configure Control Panel to cascade on the Start menu in Windows 2000?
• How can I remove the Scheduled Tasks icon from My Computer?
• How can I configure the Administrative Tools to show on the Start menu?
• How can I recreate 'My Briefcase' if I deleted it?
• How do I use My Briefcase?
• How can I avoid having to click 'Show Files' in 2000's Explorer all the time?
• How do I add the Dial Up Networking to the Start Menu?
• How do I add the Printers Settings applet to the Start Menu?
• How can I remove an item from the New context menu?
• How can I check for dead shortcuts on my system?
• How can I add a Encrypt/Decrypt option to the context menu?
• How can I add a Copy to Folder option to the context menu?
• How can I add a Move to Folder option to the context menu?



Exchange/Windows Messaging

• The Outlook/Exchange client takes a long time to start.
• How can I stop Outlook dialing my Internet Account on Startup?
• How do I install Exchange?
• How do I enable the Exchange Active Server Pages?
• How do I use the Exchange Optimizer utility?
• How can I convert mail system X to Exchange?
• How can I create shortcut on the desktop with the "to" field completed?
• NT Server hangs at shutdown if User Manager is running.
• How can I send a mail message from the command line?
• What files does Exchange use?
• How can I change the location of my mail file in Outlook 98?
• How can I reduce the size of my mail file?
• I have a bad message in my POP3 mail box using TELNET
• How can I send mail to a SMTP server using Telnet?
• Is there a list of known Exchange Directory and Information store problems?
• How do I install Exchange Server 5.5?
• How do I run the Exchange Optimizer?
• What Service Packs are available for Exchange?
• How can I retrieve mail from a POP3 mailbox and forward it to Exchange server?
• How do I upgrade from Exchange 5.0 to 5.5?
• How do I uninstall Exchange?
• How do I install a duplicate Exchange server?
• How do I connect Exchange sites?
• Exchange Security Knowledge Base list.
• How do I configure Exchange Directory Replication?
• How do I monitor an Exchange link?
• How do I delete a server from an Exchange site?
• How do I setup an Exchange forward?
• How do I configure a X.400 Exchange connector?
• How do I allow a user to administer Exchange?
• How do I grant permission for people to create top level public folders?
• How do I create public folders?
• How do I connect my Exchange server to a SMTP server?
• How do I connect my Exchange server to a NEWS feed?
• What web sites have good Exchange information?
• How do I download to Exchange from multiple POP3 mail boxes?
• How do I install the Key Management Server?
• How do I manage the Certificate Authority of Key Management Server?
• How do I enable advanced security for a user?
• How do I automatically create an Exchange mailbox for all members of the domain?
• How do I avoid having to enter the Key Management password?
• I archived some .pst files to a CD-ROM but unable to load the files.
• How can I limit Exchange mailbox size?
• How can I limit message sizes in Exchange?
• How can I undelete mail in Outlook?
• What workflow software is available for Exchange server?
• How do you add an additional Global Address Book or another view to the global address book?
• How do I delete a bad Schedule + message?
• How do I link Exchange 5.5 and the Windows 2000 Active Directory?
• What is the upgrade to large table option in Outlook?
• How can I disable the Journal in Outlook?
• Internet Mail Server hangs on start-up, ID 7022, why?
• How can I search my Exchange stores for virus infected messages?
• How do I create an Outlook vCard?
• How can I configure Outlook to be the default mail client?
• How do I install a digital signature in Outlook?
• How do I create a distribution list in Outlook 2000?
• How can I add a disclaimer to each outgoing mail at server level?
• How I can I block mail with certain attachments or certain words at server level?
• How can I automatically compress all outbound mail to save on bandwidth?
• Unix users can't talk to an Exchange box News server without requiring authentication domain\user, why?
• Does the Exchange News server support mode stream?
• How can I fax from Exchange server?
• How can I limit the number of recipients for a message?
• My outlook .pst file is corrupt what can I do?
• Where can I get Exchange Server 2000?
• How can I encrypt email at server level?
• How can I stop the Exchange SMTP service performing reverse lookups?
• How can I move an Outlook Personal Address Book on a Mac to a PC?



File Systems

• How can a FAT partition be converted to an NTFS partition?
• How can a NTFS partition be converted to a FAT partition?
• How do I run HPFS under NT 4.0?
• How do I compress a directory?
• How do I uncompress a directory?
• Is there an NTFS defragmentation tool available?
• Can I undelete a file in NT?
• Does NT support FAT32?
• Can you read a NTFS partition from DOS?
• How do you delete a NTFS partition?
• Is it possible to repartition a disk without losing data?
• What is the biggest disk NT can use?
• Can I disable 8.3 name creation on a NTFS?
• How can I stop NT from generating LFN's (Long File Names) on a FAT partition?
• I can't create any files on the root of a FAT partition.
• How do LFN's work?
• How do I change access permissions on a directory?
• How can I change access permissions from the command line?
• I have a CHKDSK scheduled to start next reboot, but I want to stop it.
• My NTFS drive is corrupt, how do I recover?
• How can I delete a file without it going to the recycle bin?
• How can I change the serial number of a disk?
• How can I backup the Master Boot Record?
• How do I restore the Master Boot Record?
• What CD-ROM file systems can NT read?
• How do I disable 8.3 name creation on VFAT?
• How do I create a Volume Set?
• How do I extend a Volume Set?
• How do I delete a Volume Set?
• What is the maximum number of characters a filename can be?
• How can I stop chkdsk at boot time from checking volume x?
• How can I compress files/directories from the command line?
• What protections can be set on files/directories on a NTFS partition?
• How can I take ownership of files?
• How can I view the permissions a user has on a file from the command line?
• How can I tell the total amount of space used by a folder (including sub folders)?
• There are files beginning with $ at the root of my NTFS drive, can I delete them?
• What file system do Iomega ZIP disks use?
• What cluster size does a FAT/NTFS partition use?
• How much free space do I need to convert a FAT partition to NTFS?
• NT becomes unresponsive during an NTFS disk operation such as a dir.
• I have missing space on my NTFS partitions (Alternate Data Streams).
• How can I change the Volume ID of a disk?
• How do I read NTFS 5.0 partitions from Windows NT 4.0?
• How do share and file system protections interact?
• How can I backup/restore my Master Boot Record?
• How do I convert an NTFS partition to NTFS 5.0? - Windows 2000 only
• I cannot compress files on an NTFS partition.
• How can I modify the CHKDSK timer?
• How can I view the current owner of a file?
• How can I view/defrag pagefile fragmentation?
• I get a disk maintenance message during setup.
• Where is Disk Administrator in Windows 2000? - Windows 2000 only
• How do I convert a basic disk to dynamic? - Windows 2000 only
• How do I delete a volume in Windows 2000? - Windows 2000 only
• How do I import a foreign volume in Windows 2000? - Windows 2000 only
• How can I wipe the Master Boot Record?
• How can I cancel a scheduled NTFS conversion?
• What is the Encrypted File System (EFS)?
• How do I encrypt/decrypt a file?
• What do I encrypt/decrypt a file from the command line?
• How can a user request an EFS recovery certificate?
• How can I add a user as an EFS recovery agent for a domain?
• How do I delete an orphaned share?
• How can I check who last opened a file?
• I've increased the size of a hardware RAID volume but NT does not see the size increase, what can I do?
• I'm unable to use the Encrypted File System under Windows 2000 as I'm a member of a 4.0 domain.
• How do I enable per volume/user disk space quotas on NTFS 5.0?
• How do I view current quota entries?
• How do I add a new user quota entry?
• What are reparse points?
• What are directory junctions?
• What are Mount points?
• What do I add a Mount point?
• What do I remove a Mount point?
• What do I create a Mount point from the command line?
• What is Native Structured Storage?
• How can I backup my local Encrypted File System recovery key?
• How can I restore my local Encrypted File System recovery key?
• How can I perform a CHKDSK  on an NTFS 5.0 partition from NT 4.0?
• How do I create a unix-like hardlink on NTFS?
• Is there an alternative to the linkd utility supplied with the Windows 2000 Resource Kit?
• The " Data in Remote Storage" indicator is not correct, what can I do?
• What is the Remote Storage System (RSS)?
• How do I install the Remote Storage subsystem?
• How do I configure the Remote Storage subsystem?
• How do I force a Remote Storage scan?
• How can I tell which files have been moved to remote storage?
• How can I disable remote storage for a volume?



Group Policy

• What is Group Policy?
• How can I force GPO updates to take effect?
• How can I enable the old NTCONFIG.POL to be used by Windows 2000 clients?
• How can I add additional templates to a Group Policy Object?
• How can I apply a group policy to a security group?
• Password policies assigned to an OU/site GPO do not work.
• How can I convert a NT 4.0 .pol file to a Windows 2000 group policy object?



Hardware

• How do I change the letter associated with a drive?
• How can I get NT to recognize my second harddisk?
• How do I install a HP scanner?
• How do I install dual screens?
• How much memory can NT support?
• How much memory do I need for NT?
• I cannot see my CD-ROM drive from NT?
• What are the IRQ's used for?
• How Many CPU's does NT support?
• Is there a list of hardware NT supports?
• Can I test my hardware to see if it is compatible with NT?
• Can I test my SCSI devices?
• How do I disable mouse detection on a COM port (for UPS usage)?
• Where can I get a driver for x?
• My U.S. Robotics 56K modem only connects at 19200.
• Can I use the IDE interface on my sound card?
• Does NT support Plug and Play?
• How do I install UPS?
• How do I give my tape drive a letter so it is visible from explorer?
• How can I force NT to use a mouse on a given port?
• How can I view which resources devices are using under NT?
• When I disconnect one of my devices I get errors when I boot NT, how can I stop them?
• How can I tell if I am using the Compaq Hardware Abstraction Layer?
• How do stop a dual monitor Matrox Millenium system splitting dialog boxes?
• How can I suppress the error message generated if my ZIP drive is not connected?
• Does Windows NT 4.0 support USB?
• Why can't I hot swap my PCMCIA card with Windows NT 4.0?
• How do I install a ZIP drive under NT?
• How do I enable Bus Mastering in Windows NT?
• I said no to a PNPISA device now I want to install it.
• How do I perform unattended installations on machines with AGP graphics cards?
• Does NT support DVD drives?
• How can I check the amount of physical RAM in my machine?
• How can I safely disable a device?
• How can I make NT see more than 8 units on SCSI?
• Does Windows support the Promise Ultra ATA/66?
• How do I enable Hibernate on my machine?
• How do I enable/disable passwords when resuming from hibernate/standby?
• How can I put my machine in 'standby' mode?
• Does the new Microsoft IntelliPoint software 3.0 software install on NT/Windows 2000?
• Does the new Microsoft IntelliType Pro software install on NT/Windows 2000?
• My PNP PCI cards do not all work in Windows NT.
• How do I enable bus mastering (DMA) in Windows 2000?
• How do I set the DVD region in Windows 2000?
• How do I reset the DVD region count?
• How do I disable bus mastering on the 3COM 3C590 card?



Installation

• How do I install NT Workstation 4.0?
• How do I install NT Server?
• I want to install DOS and Windows NT, how should I do this?
• Installation hangs when detecting the hardware.
• Is it possible to install NT without using boot disks or temp files?
• Does NT have to be installed on the C drive?
• There is a file \Support\Deptools\<system>\ROLLBACK.EXE. What is it?
• I have NT installed, how do I install DOS?
• How do I convert NT Workstation to NT Server?
• I have bought a new disk, how do I move NT to this new disk?
• Can I upgrade from Windows95 to NT 4.0?
• How do I remove NT from a FAT partition?
• How do I remove NT from a NTFS partition?
• How do I install the Iomega Parallel Disk Drive?
• How do I install at tape drive on NT Server?
• How do I install the NEC 4x4 CD changer?
• What are symbol files, and do I need them?
• How do I install NT and Linux?
• How do I install NT over the network?
• Is it possible to use Disk Duplication to Distribute Windows NT?
• How do I perform an unattended installation?
• Is it possible to specify unique items during an unattended install?
• How do I automatically install applications as part of the unattended installation?
• Install detects the wrong video card and locks the installation.
• How do I upgrade from NT 3.51 to NT 4.0?
• When I use an unattended installation, how do I avoid the Yes at the license agreement?
• I have NT installed, how do I install Windows95?
• How do I remove Windows95/Dos from my NT system?
• I can't create a NTFS partition over 4GB during installation.
• I cannot upgrade my 4.0 NT installation with the NT 4.0 upgrade CD.
• How do I create the NT installation disks?
• How can I use a Network card that is not one of those shown with Network Client Administrator?
• How can I make domain users members of local Admin group during an unattended install?
• I have problems running a program as part of the unattended installation?
• I have Windows NT installed, how do I install Windows 98?
• I have Windows 98 installed, how do I install NT?
• I have Windows NT 5.0 installed but when I try to install Windows NT 4.0 the install fails.
• I want to install Windows 98 and NT, what file system should I use?
• How do I manually install SCSI drivers before the autodetect of installation?
• During installation of Windows NT Server 5.0 the type of server cannot be set. - Windows 2000 only
• How do I delete the recycle bin as part of an unattended installation.
• During an unattended installation I am prompted for an IP address if 0 is specified.
• How do I map a network drive during an unattended installation?
• How can I install Windows 2000 on a machine with less than 64MB of memory? - Windows 2000 only
• How do I disable the Installation of Exchange during installation?
• My evaluation period has expired on my NT installation, why?
• How do I install on a disk larger than 8GB?
• How can I stop the installation of My Briefcase during NT installation?
• How can I control which accessories are installed during an unattended installation?
• How do I use SmartDrv?
• How can I upgrade a NFR NT installation to full Retail?
• How can I stop IE 2.0 being installed as part of installation?
• How can I remove the Linux LILO Boot Manager?
• How can I recreate the Windows NT installation disks?
• I have Windows 98 installed on C: with FAT32, how do I install NT?
• How can I stop the 'Welcome to Windows NT' screen during setup?
• I receive an error message "The System is not fully installed", what can I do?
• How do I add a Network Install tab to Windows NT 4.0?
• How can I disable the 'Configure Server Wizard' in Windows 2000?
• How do I install the Remote Installation Service?
• How do I move the distribution point for Remote Installation Services?
• How do I create a bootable Remote Installation Service client disk?
• What operating systems can I clone?
• How can I configure the Remote Installation Service options?
• How can I install using the Remote Installation Service disk?
• How do I create a new Remote Installation Service image?
• How do I create a bootable Windows 2000 installation CD-ROM?
• Where is Setup Manager in Windows 2000?
• What is the Microsoft Installer Package format?
• How do I create a MSI file from a legacy application?
• How can I publish an MSI file?
• How can I run programs during the GUI phase of 2000 installation?
• How can I use an unattended answer script when installing through a bootable CD-ROM?
• Underscores (_) in my computer names are changing to dashes (-) in Windows 2000.
• How to setup NT Server 4.0 on greater then 4gig Hard Drive without Partition Magic or Atapi.sys.
• How can I specify an alternate HAL during Windows 2000 installation?
• Getting a Thinkpad OEM installed version of NT to occupy only one partition.
• How can I test if my installation can be upgraded to Windows 2000?
• What switches are available for Windows 2000 installation?
• How do I install Windows 2000?
• How do I deploy old applications in Windows 2000 via ZAP files?
• What are the upgrade paths for Windows 2000?
• Some BackOffice 4.5 components do not install on Windows 2000.
• I'm unable to upgrade Windows 9x to Windows 2000 in a dual boot environment.
• How can I configure extra Plug and Play drivers for a Windows 2000 installation?
• Unsigned drivers are stopping my unattended installations.
• What are the directories I can have under $OEM$ for an unattended installation in Windows 2000?
• DontDisplayLastUserName setting is lost in upgrade from NT 4.0 to Windows 2000.
• How do I enable ACPI on my machine/change the HAL?
• How do I disable/enable ACPI on my machine during installation?
• The Administrator password I set during unattended installation is ignored.



Internet Explorer 4.0/5.0

• How can I remove the Active Desktop?
• How can I get past the "Active Desktop Recovery" page?
• What keyboard commands can I use with Internet Explorer 4.0?
• How can I create a keyboard shortcut to a web site?
• How can I customize folders with web view enabled?
• How can I change the icons in the Quick Launch toolbar?
• I have lost Show Desktop/View Channels from the Quick Launch bar, help!
• How do I change the default Search Engine?
• How do I remove the Internet Explorer icon from the desktop?
• How can I browse off-line?
• How can I reclaim wasted space by Microsoft's Internet E-mail readers?
• I cannot specify a download directory when I download a file.
• Internet Explorer opens .EXE files instead of Downloading them.
• How can I change the default start page?
• I have forgotten the content advisor password.
• Where can I download IE 5.0 beta?
• How do I clear Internet Explorers History?
• How can I modify IE's toolbar background?
• How can I restore the IE animated logo?
• Are there any Easter Eggs in Internet Explorer 5.0?
• How can I stop users accessing local drives via Internet Explorer?
• What additional restrictions are available in Internet Explorer IE4.01 SP2 and above?
• How can I configure proxy settings in Internet Explorer 5.0?
• How can I install Internet Explorer 4.0 without adding the IE icon to the desktop?
• How do I use the Internet Explorer 5.0 repair tool?
• I have forgotten the content advisor password under Windows 9x/IE 5.0.
• The tab key does not select the right hand pane in a IE5 help search.
• How do I turn off Internet Explorer AutoComplete?
• Where can I get the patch for the IE 5.0 DHTML problem?
• I get an error when I try and install Internet Explorer 4.0 using Active Setup.
• How do I set an Internet Explorer favorite icon for my web site?
• How can I detect if Windows Update is installed on a machine?
• Internet Explorer Admin Kit version of IE 5.0 replaces the 128 bit encryption on Windows 2000.
• How can I start Internet Explorer without the toolbars?



Internet Information Server

• What is IIS?
• How do I install Internet Information Server?
• What is Internet Service Manager?
• What is Index Server?
• What are Active Server Pages?
• How can I configure the Connection Limit?
• How do I change the default file name?
• How can I enable browsers to view the contents of directories on the server?
• How can I configure the FTP welcome message?
• How do I configure a virtual server?
• How can I administer my IIS server using a web browser?
• How can I configure FTP to use Directory Annotation?
• Only the first line of the Directory Annotation is shown.
• How can I configure the amount of IIS Cache?
• How do I create a virtual directory?
• How to install FrontPage Extensions on Beta 2? - Windows 2000 only
• What fixes are available for IIS?
• How do I specify more than one default document?
• How can I move my IIS server to another machine?
• Front Page Search Component always returns No Documents Found running IIS4 and FP 98exts, why?
• How to stop the NT4 Option Pack/Windows 2000 SMTP service from advertising 8bitmime?
• How do I enable Index Server in Windows 2000?
• How do I create a new Index Server catalog?
• I receive an Index Server error 'Query Is Too Expensive', why?
• I receive error 'The catalog is corrupt' when performing an Index Server search, what can I do?
• How can I stop hidden files etc. being returned by Index Server queries?
• How can I control the amount of resource used by the Index service? - Windows 2000
• How can I stress test my IIS server?
• How can I change the number of threads IIS uses?
• How can I limit bandwidth/processor usage for IIS?
• How do I enable FTP resume?
• Statistics Server will not run on IIS 5.0?
• How can I host multiple web sites on a single IP address?
• How can I allow non administrators to publish to a FrontPage web site?
• How can I disable command shell from within IIS?
• How can I disable parent paths in IIS?
• How do I configure Index Server catalogs?



License

• How is NT Licensed?
• How can I view what licenses I have installed/used?
• How do I install extra licenses?
• How do I convert from Per Server to Per Seat?
• How can I reset the License Information?
• How can I run the License Manager software on a NT Workstation?



Macintosh

• How do I add the services for Macintosh?
• How can I read a Macintosh disk from Windows NT?
• Does NT RAS support AppleTalk?
• Can NT act as an AppleTalk client?
• How can I make a Macintosh PPP connection to Windows NT RAS?
• I am unable to write to the Microsoft UAM folder from the Macintosh?
• Is there an Outlook (Exchange Server) client for Macintosh?
• What configuration is needed for Mac's to work with Proxy Server 2.0?
• I am unable to connect to the server using the Mac Outlook client, why?
• My Mac hangs if I connect to an NT share and don't have full permissions for the directory root.
• Large file copies to/from Macintosh crash NT Server, what can I do?



MS-SQL Server

• How do I install SQL Server 6.5?
• How do I register a SQL Server with SQL Enterprise Manager?
• How can stop and start the SQL services?
• How do I modify the sa password for SQL?
• How do I visually edit/view data in a SQL database?
• I am getting a message 'dbprocess dead or not enabled' running my query.
• How can I add/amend/delete columns?
• I am getting a blue screen / completely hung machine / server restart on my SQL Server/client.
• Where are the cascade update/delete functions in SQL Server?
• How can I issue a SQL command that uses a variable for the tablename, columns etc?
• Why does my transaction-log fill up when I use fast-bcp?
• Why can't I backup/restore my SQL Server database to the network?
• Can I do a SQL backup to a tape drive on another server?
• I have a query that seems to lock other users out of the system.
• Should I apply SQL SP4?
• How do I transfer data from another DBMS/format to SQL Server?
• Why can't I get at a network file when I run a program from xp_cmdshell?
• Is MS SQL Server Y2K compliant?
• How can I change the owner of an object in SQL?
• I've just changed NT domain for my SQL Server/clients and am unable to connect.
• Are there any "easter eggs" in SQL Server?
• How do I encrypt fields in SQL Server?
• What tools are available to produce entity relationship diagrams for SQL Server?
• Where is the SQL Server FAQ?
• Which SQL net-lib is the fastest?
• I'm having trouble installing SQL Server.
• I am missing the whole of MSDB, or just some tables - how do I create them?
• Why do my device sizes appear as negative values in SQL EM?
• How do I do row-level locking on SQL Server?
• How many bytes can I fit on a page in SQL Server and why?
• I am getting a gpf/registry error installing SQL Server - what is happening?
• How do I change the sort-order or character set for a SQL Server database?
• What SQL servicepack am I running?
• My SQL Server database has been marked "suspect" - what can I do?
• How do I remove the tempdb database from master?
• What are the changes/differences between vX and vY of SQL Server?
• How can I speed up SQL Server applications running over slow links?
• How can I fix a corruption in a system table?
• Why can't I connect Enterprise Manager to my local copy of SQL Server?
• What is the limit on the number of tables in a query in SQL Server?
• I'm doing a transfer using the SQL EM transfer tool, and not only is it not transferring the objects.
• What registry entries does SQL Server use?
• How can I view the SQL Server log?
• How can I upgrade the 120-day evaluation version to the full SQL version?
• I'm not seeing anything in the current activity screen in SQL EM.
• How can I output records/messages to a flat file from inside a SQL Server TSQL script?
• My SQL Server database is showing as "recovering".
• I am getting a SQL Server error message "login failed".
• Can I run SQL Server on the same machine as Oracle, Exchange etc.?
• Why do my SQL Server identity values get out of synch causing gaps/duplicates etc.?
• How can I restrict access to my SQL Server so that it only allows certain machines to connect?
• How can I restrict access to my SQL Server so that it only allows certain programs to connect?
• How does SQL Server clear up orphaned connections?
• Why does the SQL Server Database Maintenance Wizard warn about databases greater than 400Mb?
• Why does my SQL Server log show that it's still full? - I have truncated it.
• How do I connect to SQL Server from a non-microsoft machine?
• How can I completely uninstall SQL Server?
• What does dbcc traceon(208) mean in SQL Server?
• How do I install SQL Mail?
• I've got a problem/query with the beta of SQL Server 7.0. Where can I get help?
• Why do I have problems revoking permissions on some tables with SQL Server?
• What hardware/software can I run SQL Server on?
• Why is a SQL Server restore (LOAD DATABASE) so much slower than a dump database?
• What are the *.DMP files that appear in the SQL Server log directory?
• Can I do an NT defrag on a SQL Server .DAT device/file?
• Can I compress a SQL Server .DAT device/file?
• Why can't I install SP4 for SQL Server to my Win95 machine like the readme says I can?
• I'm getting an error 1117 in SQL Server. Can I rebuild the extents somehow?
• Why can't I get at a network file when I run a program with xp_cmdshell from SQL Server?
• I am having problems with SQL Server running bcp from xp_cmdshell.
• How do I store/retrieve text and image data in SQL Server?
• How can I amend the system tables in SQL Server?
• I am having problems installing a SQL Service pack.
• How can I move a SQL Server device from one disk to another, or rename it?
• How can I recover a SQL Server database when all I have left is the .DAT device?
• How can I re-install SQL Server without losing any data under a new version of NT I have installed?
• How can I install SQL Server client tools in unattended mode?
• How can I access data across two separate databases in SQL Server?
• How can I transfer SQL Server data between an Intel box and an Alpha?
• I can't run SQL Server Enterprise Manager.
• I've put tempdb in ram and now I can't restart my SQL Server.
• How do I transfer data between SQL Server databases / across servers?
• What packages are available to do source control on SQL Server SP's, DDL etc.?
• Where can I get the ANSI92 SQL information from.
• How do I connect to SQL Server through a firewall?
• I'm getting a sort failed 1501 message on SQL Server - what's going on?
• I'm getting a 1112 error on SQL Server - what's going on?
• Why do I get the message WARNING: Process being freed while holding Dataserver semaphore in SQL Server.
• What are good SQL Server books? And other sources of reference.
• Where can I get SQL Server hot-fixes from?
• How can I create a user-defined function in SQL Server?
• How can I pass an array of values to a SQL Server stored-procedure?
• How can I delete duplicate rows from a SQL Server table?
• My SQL Server errorlog is filling up with entries. How can I switch or truncate it?
• Which sort-order should I choose for my SQL Server for the fastest performance?
• Why is my application locking up in SQL Server?
• Where can I get the SQL Server Programmers Toolkit?
• I'm getting an error 80004005 message connecting to SQL Server - what's going on?
• Is it safe to clear down the msdb..sysbackuphistory table in SQL Server?
• I'm having problems getting more than x connections from a 16-bit client to SQL Server
• How can I restrict the number of rows returned to my query in SQL Server?
• I can't use a tape-drive with SQL Server, but it works ok with NT Backup. Why?
• SQL Mail keeps hanging - meaning I have to restart SQL Server to clear it.
• How can I convert a string to "proper" case in SQL Server?
• Where can I get Embedded SQL for SQL Server?
• Does SQL Server support Unicode?
• Where can I download SQL Server utilities, service packs etc.?
• How can I disble the dial-up remote network prompt with the SQL Server GUI tools?
• Error message : Failed to obtain TransactionDispenserInterface: XACT_E_TMNOTAVAILABLE.
• Should I amend the SQL Server "Backup Buffer Size"?
• What is SQLHDTST.EXE for SQL Server and where do I get it?
• How can I install the 32-bit SQL Server client for NT or Windows 9x?
• I am getting a message GetOverLappedResult() from a SQL Server query.
• What does the SQL Server error message Lazywriter: WARNING, couldn't find slot, 8/8, scanned 8 mean?
• I have a corrupt SQL Server table that I can't drop. What can I do?
• Why can't I BCP a Unix file into SQL Server? I get UNEXPECTED EOF messages.
• What can't I do with SQL Enterprise Manager under Win9x?
• I am getting a message "Protocol error in TDS Datastream" from a SQL Server query.
• Why is SQL Server slower than Access/FoxPro/DBase etc.
• Can I turn SQL Server logging off?
• What tools are available to debug stored-procedures under SQL Server?
• Why do I get an error "Error: 702, Severity: 20, State: 1" running a SQL Server query?
• What do the bufwait and writelog errors in SQL Server mean?
• Who are Microsoft Product Support Services?
• What is a "SQL Server MVP" and how do I become one?
• I'm getting an access denied or CreateFile message when connecting to SQL Server.
• How can I automate the scripting of a database/objects in SQL Server?
• Why is the date I get via select getdate() wrong in SQL Server?
• Where is the pointer to master stored in SQL Server? How can I move the master database?
• Why do I see page faults/sec above 0 when I have a dedicated SQL Server machine?
• How do I configure a connection to use tcp-ip sockets with SQL Server?
• How can I do a crosstab function using standard TSQL in SQL Server?
• How can I run an external (non-SQL) program/dll etc. from within a TSQL SQL Server script?
• What specification hardware do I need to run SQL Server for good performance?
• How can I stop a SQL Server process?
• I get an ODBC error.
• I've forgotten the sa password for SQL Server - what can I do?
• Why does my SQL Server code sometimes respond slower than normal when I haven't changed anything?
• Should I apply SP5? Will it cause more problems than it fixes?
• Do I really need 166Mhz Pentium processors to run SQL Server 7.0?
• Does SQL Server run under Win2000/NT5?
• How do I change the name of SQL Server?
• Why has my tempdb in SQL Server filled up?
• Mail messages are stuck in my outbox with SQL Mail.
• I am getting an error "Msg 2503, Level 16, State 1 Table Corrupt" on my SQL Server - what can I do?
• I am getting an error 2521 on my SQL Server - what can I do?
• I am getting an error 605 on SQL Server - what can I do?
• I get an error #610 - Maximum number of databases that may be accessed by a transaction is x.
• I'm getting a "bad token" error message from SQL Server - what causes this?
• Why do I get slow or no connections to SQL Server using IPX from my Win3x and Win9x clients?
• I'm getting the following error with SQL 7 regarding DTS inability to transform data.
• With SQL Server should I get more processors or faster processors?
• How can I get ISQL.EXE to return a DOS errorlevel for me to test?
• Does SQL Server have any built-in functions to work with julian dates?
• Why can I connect to SQL Server with the tcp-ip sockets netlib and not named-pipes
• Should I apply NT 4.0 SP4 to my SQL Server system?
• Are there any resources or tools to aid in an Oracle PL/SQL to SQL Server TSQL conversion.
• What is a reproduction (repro) script that I need to produce for a SQL Server bug?
• Do SQL Service Packs have to be applied in order or can I just apply the latest one?
• Is there an Access upsizing wizard to SQL Server 7.0?
• Why can't I see master, msdb etc. in SQL 7 EM? Also I can't see the system tables in user databases.
• What versions of SQL 7 are there and what are the differences?
• When SQL Executive starts I get the error id 109.
• What tools are available to stress/benchmark SQL Server?
• Why can't I stop/start SQL from SQL Enterprise Manager?
• Should I use tempdb in ram?
• Does SQL 7 support tempdb in ram?
• I am getting an error 4409 selecting on a view ever since I applied SP5 to SQL 6.5.
• I am getting an error 603 on database recovery in a SQL 6.0 system.
• Why do I get an error "SQL Server Assertion : File:<xxx.c> Line=yyy Failed Assertion='zzz'?
• How can I overwrite expired backups on a disk device to save on space and still keep a rolling x days there?
• Should I set "boost priority" to 1 or "SMP" to -1 on SQL Server?
• What are all the dbcc commands for SQL Server?
• How can I see how many objects are actually open in SQL Server?
• How can I get the hardware spec of a SQL Server remotely?
• How can I tell what columns in my SQL Server database are identity columns?
• I get an errot trying to load a trace file into the SQL 7 Profiler/Index Tuning Wizard.
• How do I install the SQL Server Internet Connector Software?
• Can I use a Worm/MO/CD-Rom jukebox with SQL Server?
• When I run the MDAC setup routine that comes with SQL Server SP5(a) why does it re-invoke the SP setup?
• How can I replace/change/delete characters in a SQL Server column?
• Does SQL Server support row numbers like Oracle does?
• When I do a SQL Server trace I see sp_cursoropen and sp_cursorfetch commands being sent
• Does SQL 7 support db-lib?
• Why do I get a 6.5 group in my SQL 7.0 MMC list of servers?
• Can I run SQL 6.5 and SQL 7.0 on the same machine?
• How can I check whether SQL 6.5 or SQl 7.0 is installed without connecting to SQL and logging on?
• I'm running a stored-proc from VB. Why does it return control before the SP has finished?
• Can I install SQL on a Terminal Server machine?
• How can I report a SQL Server bug to Microsoft?
• Why do I get the SQL Server error "Msg 8412 - Schemas differ" when doing a LOAD TABLE?
• Why do I get an error message when I try to run SQL 7 EM - "MMC - Snap-in failed to initialize"?
• Why is the week number returned by SQL Server wrong?
• How can I un-install a SQL Server servicepack and go back to the original version?
• How can I transfer database diagrams from one SQL 7 server to another?
• Why is SQL Server 7 slower than 6.5 at running some of my sp's?
• How can I modify the SQL 7 unattended install script?
• Is there an Access upsizing wizard to SQL Server 7.0?
• Do I really need a 166Mhz Pentium processor to run SQL Server 7.0?
• Why do I get an error 'Bad pointer 0xABCDEF encountered while remapping stored procedure' in SQL Server?
• Why does sp_processmail fail with 'Supplied datatype for set_user is not allowed, expecting 'varchar''?
• How can I pad an integer value in SQL Server with zeroes?
• Where can I get a JDBC driver for SQL Server?
• Why is SQL Server better/worse than Oracle?
• A query produces this error in SQL 7 'Internal Query Processor Error'.
• Any known issues with IE5 and SQL Server 7.0?
• How can I programmatically get the next free device number (vdevno) in SQL 6.5 and below?
• How can I get random numbers from SQL Server? Using rand() I always get the same sequence.
• What is the precedence of the SET commands, database options, session options etc. in SQL Server?
• Why am I seeing entries in sysindexes (or sp_helpindex) for indexes I have not created?
• I'm getting #deleted entries in resultsets from ODBC since installing SQL 7, why?
• How can I use SQL 7's HDQ facilities to get at NT domain or Exchange information?
• How can I tell if my code is ANSI-92 compliant?
• How can I automate the scripting/transfer of a database/objects in SQL Server?
• If I lose my data file (MDF) in SQL 7 I can't backup the log to recover to a point in time - why not?
• What does the SQL Server error message "sort: bob write not complete after xx seconds." mean?
• How can I run a DTS package from within SQL Server - e.g. a stored-procedure?
• Where can I get Embedded SQL for SQL Server?
• How can I get file information using SQL Server?
• My SQL Server database has been marked "loading" - what can I do?
• How can I connect to SQL Server from a Macintosh?
• I am getting problems with ODBC apps since upgrading to SQL 6.5 SP5a or installing SQL 7.
• How do I configure multi-protocol net-lib to force encryption of packets in SQL Server?
• How can I ORDER BY different fields based on a variable in SQL Server?
• Can I upgrade SQL 4.x to 7.0 directly?
• How can I programmatically kick off a SQL dump and get the stats on how far through it is back dynamically?
• Where does the list of SQL Server's come from in registration/dialog boxes?
• Can I add comments to SQL Server's schema like I can with Access?
• How can I pass an array of values to a SQL Server stored-procedure?
• How does SQL Server clear up orphaned connections?
• How do I configure the debugger in Visual Studio to work with SQL 7?
• How can I connect from Delphi to SQL 7?
• Why does my copy of SQL Server say it is the 120 day eval edition when it is the full commercial copy?
• Why do I get a "variable is not declared" inside my EXEC statement?
• What is the equivalent of the IIF command in SQL Server?
• What does the red zig-zag line next to a server name in SQL Enterprise Manager mean?
• Why do I get the error 'An unknown full-text failure (80004005)'?
• Why does the tcp-ip net-lib not appear as an option in SQL Setup?
• How much longer will MS support SQL 6.5 for?
• How can I tell whether a table is a system (Microsoft) table in SQL 7?
• Where can I get SQL 7.0 SP1?
• Why do I get "SQL Server has run out of locks" error message with SQL 7 - I thought it dynamically allocated them?
• How do I configure the client query time-out for SQL Server?
• How can I migrate from Access to SQL Server?
• What does "bufdiscard: WARNING, page xx (dbid n, bp 0xzzzzzzzz) has stat0x10080(), skipping" mean?
• Can I replicate/connect/whatever to SQL Server over the Internet?
• How can I get ISQL.EXE to return a DOS errorlevel for me to test?
• What programming languages can I write an extended stored-procedure in?
• Does SQL Server 7.0 support XML?
• Where can I get details on the layout of the TDS protocol that SQL Server uses to talk to clients?
• Why can't I use a GO in a stored-procedure?
• Can SQL Server backup to a tape unit on another server?
• How can I restore a single table in SQL 7?
• How can I calculate someone's age in SQL Server?
• Where can I get the ANSI92 SQL information from.
• Why do I get arithmetic overflows and 'string truncated' errors with SQL 7? I didn't with 6.5.
• Why do I get an "UNEXPECTED EOF" message in BCP?
• Should I use char or varchar? What are the advantages?
• How can I clear SQL Server's procedure cache?
• What registry entries does SQL Server's client use?
• Why do I get NULL when adding/concatenating a NULL value with SQL 7? I didn't with 6.5.
• How can I remove unwanted carriage-returns and line-feeds from a SQL table?
• Is there a DATE function for SQL Server? I don't want to hold the time.
• How can I run a DTS package from within SQL Server - e.g. a stored-procedure?
• Are there any examples of heterogeneous data queries from SQL 7 to other sources?
• Why am I getting a message 'The Enterprise Edition server component cannot be installed on Windows NT Server using this CD.' installing SQL 7?
• Can I load a SQL 6.5 dump or device file into SQL 7?
• How do I know which version of MDAC I am running?
• Does SQL Server have memory leaks? How can I tell?
• Can I install SQL 7 and MSDE on the same machine?
• I am trying to upgrade MSDE to full SQL Server and getting an error 'You cannot install a version which is older (7.00.623) than the version on your machine (7.00.677)
• Can I create SQL Server databases on network drives?
• Should I apply NT 4.0 SP5 to my SQL Server system?
• I can't see the SQL performance counters in PerfMon. What could be wrong?
• How do I connect to SQL Server from PERL?
• Where does SQL server store the permissions on tables?
• Why can't I use RCMD.EXE via xp_cmdshell from SQL Server?
• I have a corrupt log file - can I rebuild it?
• How can I recover data from a SQL table that is corrupt with a bad page/pointer?
• How can I clear a table and reset the identity back to 0?
• Why would I get a message "Retrying row fetch:rowoffset entry n out of range (pg% obj%, db %)" from SQL Server?
• How can I restrict the number of rows returned to my query in SQL Server?
• Why can't I shrink my database any smaller than xxx Mb?
• What does sp_sdidebug do?
• Should I upgrade to SQL 7.0? What are the known bugs?
• What happened to the gui for column level permissions in SQL 7?
• Under SQL 6.5 a user of ISQL/W or other tools could only see the databases they had permission to in the drop down boxes, not under 7.0, why?
• Why does my ODBC v2 application not work with SQL 7? Why do I get a gpf in VBDB300.DLL?
• Should I apply SP1 for SQL 7? Are there any known issues?
• Why do I get an error in sqlsspi.c?
• What is the equivalent of an Oracle synonym in SQL Server?
• Does SQL Server support tape-loaders?
• Does SQL Server support before and after (pre and post) triggers? What about row vs set triggers?
• Where can I get examples of XP code for SQL Server?
• I can run some SQL code or a DTS package myself fine, but when I run it using the SQL Scheduler it doesn't work - why not?
• How can e-mail with SQL Server without using an MS-Mail or Exchange server?
• How can I transfer DTS packages from one SQL 7 server to another?
• As a user of Digital/Compaq Alpha technology how does MS dropping support affect SQL Server?
• How can I check with SQL whether a table is already there or not?
• What does a wait type of CXPacket mean?
• Why do I get an error - 'DTS Wizard Error - CoCreateInstance Class not Registered'?
• How can I insert the output of a dbcc command into a SQL Server table?
• Why do I get weird messages using SQL 7's MMC on Windows 2000 RC1?
• What does a wait type of CXPacket or Exchange mean?
• When would I use dbcc gaminit in SQL Server?
• I've overallocated memory for SQL Server and now it won't start - what can I do?
• I have filled the model database's log and now SQL won't start with a 1105 error - what can I do?
• I'm installing SQL Server and am getting a problem with ODBC
• Why do I only get 255 characters back in a column in Query Analyzer?
• How can I find duplicate rows in SQL Server?
• How can I get a count for all tables in a database?
• Why do I get an error "CANNOT GENERATE SSPI CONTEXT"?
• How can I see what line a stored-procedure is on?
• How can I list all available SQL Servers in my application?
• How can I access Exchange stores from SQL Server?
• Why does ISQL/W gpf when I move the mouse pointer with an Intellimouse.
• How can I tell if a service is running from SQL?
• What's happened to SQL_PRESERVE_CURSORS in SQL 7.0?
• Why does only one cpu get used with my SQL 6.5 system for an extremely complex/long running query?
• How can I get on a beta program for new versions of SQL/OLAP/MSEQ etc?
• How can I do a case-sensitive comparison on a SQL Server installed with a case-insensitive sort-order?
• How can I configure SQL Server to listen on another net-lib? How can I tell what net-libs are being used?
• Why do I get an error message "Not enough server storage is available to process this request"?
• Why won't my log shrink in SQL 7?
• How can I use Lotus Notes for SQL Mail?
• Why do I get invalid rows returned containing hyphens when my where clause doesn't specify them?
• Why is the week number returned by SQL Server wrong?
• How can I get something added to the SQL Server wishlist?
• In SQL 6.5 why does passing a 256 byte character string to an SP expecting a TEXT field produce a NULL when checked?
• How can I clear SQL Server's procedure cache?
• How can I turn an IP address held as a string to the four separate integers?
• How can I re-install just the MMC for SQL Server?
• I need to move SQL Server to a new NT server - what are my options?
• I'm getting an error message - "Cannot Load DLL 'SDI' Reason 126 ( The specified Module Cannot be found)" when doing a stored-procedure debug on SQL Server. Or breakpoints just don't fire.
• Where can I get more info on the spt_values table?
• Where can I get a diagram of the SQL 7 system tables?
• SQL Server hangs and becomes unresponsive - what can I do?
• I'm having trouble with SQL Server unattended install, what could be wrong?
• How can I change the default location for database files that SQL creates?
• How can I tell if a column for a table already exists?
• How can I programmatically create a DSN?
• What is the dllhost.exe process on my machine that seems to use a lot of CPU?
• What is the maximum number of rows in a SQL table? What other size limitations are there?
• Are SQL Server userid's and passwords passed in clear on the network?
• When I change a table definition it often invalidates any views on that table. How can I fix this without re-creating the view?
• How can I script my database schema?
• How does a client talk to SQL Server? What is a net-lib? What network protocols are used? What net-libs support NT authentication/encryption?
• I am getting a "cfgchar" problem installing SQL Server 6.5 SP5?
• How can I tell if a stored procedure was created with the ANSI NULLS setting on?
• Does SQL Server have an 'ON ERROR RESUME' type function in TSQL to match the VB facility?
• Why do I get the error 'Cannot use file <logfile> because it was originally formatted with a different sector size
• What is the maximum number of rows in a SQL table? What other size limitations are there?
• What does the red lightning bolt next to a server in SQL EM mean?
• Why can't I backup/restore my SQL Server database to JAZ/ZIP drive from SQL EM?
• How can I compare that the contents of two tables are identical?
• How can I decrypt a SQL Server stored-procedure?
• How do I drop the index related to a primary key? DROP INDEX doesn't work..
• How can I get the current time in GMT rather than local time?
• What do MS mean by Internal vs External fragmentation in SQL Server?
• How do I know whether SQL Server is in per-seat or per-server mode? How can I change it? How can I add licenses?
• How can I list all databases on an SQL Server?
• How can I list all user tables on an SQL Server?
• How can I resolve the error 'An error 1069 - (The service did not start due to a logon failure)' for SQL Server?
• SQL Server only runs under NT. What cheap/free database runs under Linux?
• Why could the SQL version switch utility not work?
• How can I read/write to a flat file from inside a SQL Server TSQL script/stored-procedure/trigger?
• Why am I getting gpf's/hangs running SQL tools under Windows 9x - I don't get the same problems with Windows NT clients?
• What can I do about handling blocking and deadlocks in SQL Server?
• How can I install SQL 7.0 Desktop Edition from the Back Office 4.5 CD's?
• Why am I getting an error "The RAID set for database <xxx> is missing member number <x>. Backup or restore operation terminating abnormally"?
• Does SQL Server Enterprise Edition perform better than Standard edition?
• I am getting an error where only 10 users can connect. I have more licenses than this - what is going on?
• I can't see the SQL performance counters on the second node in my cluster? I can see the NT ones ones.
• When might I want to use a surrogate key?
• How can I run some SQL code every time SQL Server starts?
• Why am I being blocked by spid -1? I am not able to kill it and have to restart SQL Server to get around it.
• Why does the new 'TOP' command in SQL 7 not work? I get a syntax error. Also ALTER TABLE and other SQL 7 only commands.
• Where can I get SP2 beta for SQL 7.0?
• How can I make sure the SQL Server agent auto-starts when I start SQL Server?
• What conferences covering SQL Server are coming up?
• I'm having trouble installing SQL Server on Win9x
• How can I select random rows from a SQL Server table?
• Can I do a SQL Server backup to a tape drive on another server?
• Why do I get an error 'Msg 602, Level 21, State 3. Could not find row in Sysindexes for dbid 'x', object 'yyyyyyyy',index 'z'.' when running a SQL Server query?
• I am getting an error 603 restoring a database ever since I applied SP5 to SQL 6.5?
• What issues are there with SQL 7's DTS function and Oracle.
• What is the Microsoft Loopback adapter and why do I need it for SQL Server?
• Where can I get an OLE-DB/ODBC/JDBC driver to connect SQL Server to product xyz?
• I have a SQL Server process that shows as being in SPINLOOP. What does this mean?
• Now that SQL 7.0 is released can I still buy SQL 6.5?
• How can I convert a SQL date/time to just date?



MultiMedia

• How do I disable CD AutoPlay?
• How do I install a Joystick in NT?
• How do I change my Soundcards Settings (IRQ)?
• Does NT 4.0 support Direct X?
• Does NT have a speaker driver?
• How do I install my SoundBlaster Sound Card?
• How do I install a WaveBlaster card?
• I have lost the speaker icon from my task bar.
• How can I get my PCI based sound card to work under Windows 2000?
• How can I check my machines DirectX support?



NetWare

• What about Netware?
• What are Client Services for Netware?
• What are Gateway Services for Netware?
• How do I install Gateway Services for Netware?
• How do I attach to a NetWare 3.12 Server?
• How do I attach to a NetWare 4.1 Server?
• What are File and Print Services for Netware?
• What is Directory Service Manager?
• What is Migration Tool for Netware?
• What are the NT equivalents of NetWare Rights?
• NWCONVE.EXE is not migrating your users and groups.
• I have very slow performance saving documents to a FPNW server.
• How can I disable the print separator page when printing to a NetWare print server?
• How can I stop my machine complaining about NWLNKRIP service not starting?
• NetWare migration tool cannot find the domain controller.
• How can I assign NetWare variables to NT variables?
• I get print banners and confirmations through CSNW even though they are deselected, what can I do?



Network

• How do I assign User Rights for a standalone server (not the PDC/BDC) in a domain?
• I can't FTP to my server, although the FTP service is running?
• How do I validate my NT Logon against a UNIX account?
• Can I synchronize the time of a NT Workstation with a NT Server?
• How can I send a message to all users?
• How do I change a Workstations Name?
• How do I stop the default admin shares from being created?
• How do I disconnect all network drives?
• How do I hide a machine from Network Browsers?
• How do I remote Boot NT?
• How can I get a list of users currently logged on?
• How do I configure NT to be a gateway to an ISP?
• How do I install the FTP server service?
• How do I get a list of all connections to my PC?
• How can I get the Ethernet address of my Network card?
• How can I configure the preferred Master Browser?
• Is it possible to protect against Telnet attacks?
• What Telnet Servers/Daemons are available for Windows NT?
• How do I install MSN under NT?
• What FireWall products are available for NT?
• How do I install the Remoteboot Service?
• How many connections can NT have?
• How can I secure a server that will be a Web Server on the Internet?
• How can I stop a user logging on more than once?
• How can I get information about my domain account?
• A machine is shown as Inactive in Server manager when it is not.
• How do I automatically FTP using NT?
• How can I change the time period used for displaying the password expiration message?
• How can I modify share permissions from the command line?
• How can I change the protocol binding order?
• What criteria are used to decide which machine will be the Master Browser?
• How can I get a list of MAC to IP addresses on the network?
• How can I control the list of connections shown when mapping a network drive?
• How do I grant users access to a network printer?
• How can I create a share on another machine over the network?
• I get errors accessing a Windows NT FTP Server from a non Internet Explorer browser.
• How can I view which machines are acting as browse masters?
• Is there any way to improve the performance of my modem internet connection?
• How can I remotely tell who is logged on at a machine?
• How do I remove a NT computer from a domain?
• How can I shutdown a number of machines without going to each machine?
• How can I close all network sessions/connections?
• How can I connect to a server using different user accounts?
• How do I set the comment for my machine that is displayed in Network Neighborhood?
• How can I define multiple NetBIOS names for a machine?
• How can I manage my NT domain over the net?
• How can I remotely manage services?
• Net.exe reference.
• How can I make net.exe use the next available drive letter?
• How can I check if servers can communicate via RPC's?
• How can I reduce the delay when using multiple redirectors?
• How can a DOS machine connect to an NT domain?
• Where are Windows 2000 network connections stored in the registry?
• How do I install the loopback adapter in Windows 2000?
• How can I turn off/on connection ghosting?
• How can I map to an FTP server as a drive?
• How can I create a browse election log file?
• How do I enable the telnet server in Windows 2000?
• How do I enable plain text passwords with the telnet server in Windows 2000?
• What is REXEC?
• What REXEC daemons (REXECD) are available for NT/2000?
• How do I add a network place in Windows 2000?
• What are the NetBIOS suffixes (16th character)?
• How can I stop UNC shares automatically being added to My Network Places?
• Where do I get netdiag.exe and what is it?



Performance

• How do I move my pagefile?
• How big and where should my Pagefile be?
• Users complain server response is slow, but when I use the server everything is fine.
• Is there a RAM disk in NT4.0?
• How can I monitor disk performance?
• How can I tell if I need a faster CPU?
• I need to run a number of 16 bit apps, what is the best way to do this?
• How can I run an Application at a higher priority?
• How can I monitor processes that start after I start the Performance monitor?
• How can I view information in the Event Log from the command line?
• Is there anything to help diagnose performance problems?
• Is there anyway to output performance logs directly to a comma separated file?
• How can I control the amount of memory NT uses for file caching?
• How can I stop Windows NT System Code and Drivers being paged?
• How can I change the size of the pagefile?
• How can I remotely change the size of a pagefile?
• Performance Monitor is not listing all possible objects and counters.
• How do I enable disk counters in Performance Monitor in Windows 2000?



Printing

• How do I create a queue to a Network Printer?
• How do I delete a network port (e.g. LPT3:)?
• How do I configure my print jobs to wait until out of hours?
• How can I disable the Printer PopUp message?
• How do I change the Print Spool location?
• How do I enable Print Auditing?
• How do I enable drag and drop printing?
• How do I configure a Print Separator Page?
• How can I restrict which users can install local printer drivers?
• How many printers can be on one NT Server?
• How can I print to an ascii text file?
• How do I set security on a printer?
• I get the error "The print processor is unknown" when installing a printer.
• Where in the registry is the default printer set?
• When I try to print to a parallel device I receive error: System could not find the file.
• How can I allow members of the Printer Operators group to Add Printers?
• How can I configure NT as a print server for UNIX systems?
• How can I audit the no. of pages printed by any particular user on an NT network?
• How do I create a custom page size for a printer?
• The additional NetBIOS name of my server does not work for print services.
• How can I stop print jobs writing to the System Log?
• How do I create a queue to a Network Printer in Windows 2000?
• How can I view print jobs from the command line?
• How can I delete a print job from the command line?
• How can I add a printer to the send to context option?
• Sharing printers between Unix and NT.
• How can I set the default printer from the command prompt?
• How can I maintain printer information for my domain?
• What are the printer improvements in SP6 for NT 4.0?
• How can I add a printer from the command line?
• How can a printer be listed in the Active Directory?
• How can I print from the command window/use lpt1 etc?
• How can I check/replace incompatible Windows 2000 printer drivers?
• How can I administer printers via the web?



Problem Solving

• I have installed Office 97 now I can no longer use Desktop Themes.
• I cannot delete a file called AUX.BAT or COM1!
• The AT command does not work!
• I can't format a disk/ create an Emergency Repair disk?
• When I change CD's/access the floppy drive NT crashes.
• After a new installation of NT, I can logon but no shell starts.
• I have a Matrox Millenium graphics card and the windows blink and flash when moved.
• When I start NT I get NTDETECT twice.
• My desktop disappears after a crash.
• I have installed a second CPU, however NT will not recognize it.
• I reinstalled NT, now I cannot logon.
• I have Windows 95 installed, and I am trying to start the NT installation but it fails.
• An Application keeps starting every time I start NT.
• Each time I start NT I get a file delete sharing violation?
• Sometimes when I run a program or Control Panel applet it says "no disk in drive a:".
• When I try and create an Emergency Repair Disk I get an error that files are missing.
• I have installed Service Pack 3, now I cannot run Java programs.
• Every time I start NT, explorer is started showing the system32 directory.
• I have removed my IDE CD-ROM drive, now NT will not boot.
• I get the error, The procedure entry point WNetEnumCachedPasswords could not be located.
• What information is shown in the Blue Screen of Death (BSOD) ?
• I have created my own service, however on logoff the application stops.
• I can't install any software.
• I get an error "This application is not supported by Windows NT".
• I have installed IE 4.0 now my shortcut icons are corrupt.
• I have lost access to the root of the boot partition, now I can't logon.
• I receive the error: The procedure entry point WNetEnumCachedPasswords could not be located.
• How can I perform a kernel debug?
• How do I configure remote debugging?
• I get the error "Not enough server storage is available to process this command".
• I can't delete a directory called con.
• I get an error when I try to export a profile other than Administrator.
• I have chosen a screen resolution that has corrupted display and now I can't restore it
• I get error "Boot record signature AA55 not found (1079 found)".
• When I boot up NT, it pauses for about 30 seconds on the blue screen.
• I receive a RDISK error, disk is full.
• My Shortcuts try and resolve to UNC paths?
• When I select a hyperlink or open a channel system32 folder opens?
• When I try and use WinAT I get a Dr Watson error.
• Drive mappings are being created by themselves.
• I can't create a partition over 1GB on an Adaptec 2940 SCSI controller.
• I get a STOP 0x00000078 error.
• A file Testdir.tmp is created on a shared volume which cannot be deleted.
• How can I replace an in use NT system file?
• I removed my folder association and cannot open any folders!
• The batch file I schedule to run does not work with the /every switch.
• I have a volume of type Unknown in Disk Administrator.
• I am unable to use Start from the command line with files with spaces in.
• I am not offered the option to install from an INF context menu.
• How can I deallocate corrupt Memory?
• I am unable to run certain 16 bit applications.
• I have a service stopping NT from booting.
• If I run winfile d: it starts Explorer?
• I have problems with tips after Service Pack 4.
• After installing Service Pack 4 my ATAPI/IDE ZIP drive is not available.
• Disk power management does not work after Service Pack 4.
• I get error: Your password must be at least 0 characters long.
• What is Remote Explorer?
• When I try and edit the default domain controller policy the local policy is shown, why?
• My desktop icons are corrupt, what can I do?
• How can I kill an orphaned process?
• I have lost my executable association.
• How can I save the BSOD information?
• Why do I get the message 'Initialization of USER32.dll or KERNEL32.dll' failed?
• Users are unable to logon to my Small Business Server even though I have enough licenses.
• How can I use path names longer than 255 characters?
• I get error 'Setup was unable to copy the following file CDROM.SYS', why?
• Logon scripts are hanging/looping, why?
• The NTVDM and WOW subsystems cannot start correctly, what can I do?
• What does message/error/event X mean?
• When I double click on a MSI file it has no association, what can I do?
• I am unable to stop a process from Task Manager even though I'm an Administrator, what can I do?
• I am unable to run CHKDSK, it cannot lock or open volume for direct access.
• I get a Blue-Screen of Death during setup, help!
• After uninstalling Windows 98 I am unable to boot NT.
• My last known good configuration is missing or corrupt and I can't boot NT.
• When I start Explorer I get a Dr Watson error, what can I do?
• I get an error after installing IE 4.0 SP2 on a Terminal Server.
• I get error 'Program will not fit in memory', what's the cause?
• After installing SP4/SP5 on NT 4.0 daylight saving is automatically enabled.
• I've installed a Promise Ultra IDE card but NT/2000 will no longer work.
• Some entries are missing from the Add/Remove programs control panel applet.
• The default source path for my Windows 2000 installation is not correct.
• What keys are available during startup of Windows 2000 to troubleshoot?
• Installation of Windows 2000 hangs at the 'Setup is inspecting your computer', what can I do?
• What logs are available to troubleshoot Windows 2000 installation problems?
• Why are my AT and SOON commands not working properly?
• I get error 'CAPI: The install program could not open the signature file' when installing SP5 hotfixes.
• I get an event log, Crash Dump is Disabled, why?
• I'm getting a BSOD at startup with error C0000135.
• I'm unable to install Outlook 98, IE 5.0, error about log file command line.
• NT 3.51 daylight saving update.
• The SUBST command is not working correctly in Windows 2000.
• I'm unable to install the Command Console on a mirror in Windows 2000.
• I'm receiving Event ID 3013.
• I don't get sound on DOS games under NT.
• I get an error event 1501 trying to start the Event Log service.
• How can I configure a service to automatically restart if it stops?
• I've disabled ACPI in my BIOS now Windows 2000 will not boot.
• How to I upgrade/downgrade to a multi-processor system in Windows 2000?
• My machine BSOD's whenever I try to watch a DVD, what can I do?
• I get 'Error occurred getting driver list from inf file. Err=0' when starting the SCSI control panel applet.
• Where are the Dr Watson logs in Windows 2000?
• I get a BSOD of death, SYSTEM_LICENSE_VIOLATION, what did I do?
• I can't install Office 2000 on Windows 2000.
• I'm missing the Windows 2000 Advanced menu option on startup.
• I can't access the information in memory.dmp as a normal user.
• I cannot delete a file named con or nul.
• How do I change the system disk on a Windows 2000 system?
• I get an IRPStackSize event log every time I start Windows 2000.
• Global.exe does not work with DNS domain names.
• I'm unable to upgrade my Windows 2000 evaluation version to the full edition using a Windows 2000 upgrade CD.
• I can't load the basicdc.inf using the Security Configuration and Template editor or get errors in event log if I implement it?
• I'm unable to view/delete pagefile.sys using the recovery console.
• I get error messages when I try to eject/format/label a removable disk.
• I'm getting a large number of event 2022 event logs.
• I'm missing the 'Computers Near Me' My Network Places group.



Proxy Server 2.0

• What is Proxy Server 2.0?
• How do I install Proxy Server 2.0?
• How do I install the client for the WinSock Service?
• How do I remove the client WinSock Service?
• How can I bypass the client Winsock?
• How do I configure an Internet Browser to use the Web Proxy service?
• How do I manage the Proxy Server?
• How can I configure the Proxy server to automatically dial out to the ISP when needed?
• How can I stop and start the Proxy services?
• How can I use the Web based Proxy Server Administration software?
• Which port does WinSock use?
• How can I configure the RAS Autodisconnect?
• How do I ban the Dilbert Zone using Proxy Server? :-)
• How do I install Proxy Server 2.0 on Windows 2000?
• How can I create custom error messages for Proxy Server?
• Audio and Video are unavailable in NetMeeting via Proxy server, why?
• How can I use Chat behind a Proxy server?



RAID

• Does NT Workstation support RAID?
• What RAID levels does NT Server Support?
• How do I create a Stripe Set with Parity?
• How do I recreate a broken Stripe Set?
• How do I remove a Stripe Set?
• Can NT be on a Stripe Set?
• How do I create a Mirror Set (RAID 1)?
• How do I break a Mirror Set?
• How do I repair a broken Mirror Set?
• Can I install NT on a stripe set?
• I am unable to boot using on the Mirror disk.
• I have reinstalled NT now I have lost all RAID/volume sets.
• How do I create a RAID 5 set in Windows 2000?
• How do I delete a RAID 5 set in Windows 2000?
• How do I regenerate a RAID 5 set in Windows 2000?
• How do I create a mirror set (RAID 1) in Windows 2000?
• How do I break a mirror set (RAID 1) in Windows 2000?



RAS

• How do I connect two Workstations using RAS?
• Is it possible to dial an ISP using the command line?
• How can I stop the RAS connections closing when I logoff?
• How can I create a RAS Connection Script?
• How can I debug the RAS Connection Script?
• How do I configure RAS to connect to a leased line?
• How can I disable RAS AutoDial?
• RAS tries to dial out even on local resources.
• I have connected via RAS to a server however I can only see resources on the machine I connect to.
• How do I force the Logon Using Dialup Networking to be checked by default on the logon screen?
• Where are the RAS phone book entries and settings stored?
• How can I change the number of rings that RAS server waits for before answering?
• How can I configure how long RAS Server waits before calling back a user when callback is enabled?
• Whenever I connect via RAS I cannot connect to local machines on my LAN.
• How can I disable the "Save Password" option in dial-up networking?
• How can I set the number of Authentication Retries for Dial-Up connections?
• How can I set the Authentication Time-out for Dial-Up connections?
• Enabling 128-bit RAS Data Encryption.
• Why does my RAS client have the wrong subnet mask, etc.?
• How long is the lease on the IP address when issued to a RAS client from DHCP?
• How can I disconnect users from the RAS server?
• How can I disable the modem speaker when dialling?
• How can I limit RAS callers to see only the machine they connect to rather than the whole network?
• How do I install the Windows 98 Virtual Private Network adapter?
• How do I install the Point To Point Tunneling Server?
• How do I install the Windows NT Virtual Private Network client?
• How can I remove the dial-up networking icon from My Computer?
• I've connected two computers using two 56K modems but I never connect at more than 33Kb, why?
• My modem is not supported by RAS, what can I do?
• I get error 'There is no answer' from the PPTP server, why?
• DEVICE.LOG does not capture modem commands, what can I do?
• How do I create a dial-up connection in Windows 2000?
• When loading a program, I get the error message "RASMAN.DLL failed to load".
• How can I enable 4.0 RAS servers in a Windows 2000 domain?
• How can I disable 4.0 RAS servers in a Windows 2000 domain?
• How can I get the Dial-Up Networking information in Windows 2000?



Recovery

• How do I create an Emergency Repair Disk?
• How do I create a NT Boot Disk?
• I get the error "Can't find NTLDR"
• How do I recover a lost administrator password?
• I have set a drive to no access, now no-one can access it.
• If I copy a file with Explorer or from the command line, the permissions get lost.
• How can I get my taskbar back?
• I get the error "NTOSKRNL.EXE missing or corrupt" on bootup.
• How do I configure Directory Replication?
• How do I remotely create an Emergency Repair Disk?
• How do I promote a Backup Domain Controller to the Primary Domain Controller?
• How do I reinstate my old PDC back into the Domain as the PDC?
• What tuning can be performed on Directory Replication?
• I am unable to perform a repair without a CD-ROM drive?
• Changing the Administrator password if you have forgotten it.
• Where is RDISK in Windows 2000?
• How do I install the Recovery Console?
• How do I create a bootable CD-ROM containing ERD Commander/Professional?
• How do I enable kernel only crash dumps?
• What's the difference between manual and fast recovery in Windows 2000?
• I've deleted NTBOOTDD.SYS and can't find it anywhere.



Registry

• What is the Registry?
• What files make up the registry, and where are they?
• How do I restrict access to the registry editor?
• What is the maximum registry size?
• Should I use REGEDIT.EXE or REGEDT32.EXE?
• How do I restrict access to a remote registry?
• How can I tell what changes are made to the registry?
• How can I delete a registry value/key from the command line?
• How can I audit changes to the registry?
• How can I clean up/remove invalid entries from the registry?
• I make changes to HKEY_LOCAL_MACHINE\HARDWARE but they are lost on reboot.
• What data types are available in the registry?
• How can I automate updates to the registry?
• How do I apply a .reg file without the success message?
• How can I remotely modify the maximum registry size?
• I can't update DWORD values using REG.EXE.
• How can I install a .inf file from the command line?
• How can I compress the registry?
• Access to the registry tools has been stopped, is there any way to get access?
• Where does Windows 2000 store the last key accessed?
• What's new in the Windows 2000 version of RegEdit?
• How do I add a DWORD value from a .INF file?



Security

• How do I enable auditing?
• How do I view/clear the security log?
• Where can I get more information on the Event Viewer?
• Where can I get information on NT security problems?
• How can I restore the default permissions to the NT structure?
• How can I copy files and keep their security and permissions?
• How do I enable auditing on certain files/directories?
• How do I use the System Key functionality of Service Pack 3?
• How do I remove the System Key functionality of Service Pack 3?
• How can I configure the system to stop when the security log is full?
• How can I clear the pagefile at shutdown?
• How do I enable strong password filtering?
• How do I set what happens during a crash?
• How can I configure the system to automatically reboot in the event of a crash?
• How do I enable auditing on the SAM?
• How can I enable strong protection on shared system objects?
• How can I restrict access to objects from Anonymous accounts?
• How do I enable SMB signing?
• How do I disable LanManager challenge/response in NT?
• How can I check the security of my passwords?
• A description of Permissions in NT.
• How can I restrict guest access to Event logs?
• How can I enable auditing of base objects?
• How can I configure my system to be C2 compliant?
• How can I enforce an Internet access control policy?
• What does System Key actually protect my passwords from?
• What is a SID (Security ID)?
• What security mailing lists exist for keeping up to date?
• How can one protect against password hackers that use sniffers like l0pht?
• How can one detect that users have cracked a password?
• How is information enumerated through NULL session access, Remote Procedure Calls and IPC$?
• How do I use the Security Configuration and Analysis snap-in?
• What is Kerberos?
• How is the shared key used by Kerberos distributed?
• How is the long term key between a client and the KDC distributed?
• How can I change the ticket lifetime used by Kerberos?
• What is PKI?
• What is a digital signature and how does it work?
• What are secret keys?



Service Packs and Hotfixes

• Service Packs and Hot fixes
• What are the Q numbers and how do I look them up?
• How do I install the Service Packs?
• How do I install the Hot fix?
• How do I remove a Hot fix?
• How do I install Service Pack 3?
• Emergency Repair Disk issues after installation of Service Pack 3.
• How do I remove the Java Hotfix for Service Pack 3?
• How do I install multiple Hotfixes at the same time?
• How do I install Hotfixes the same time as I install Service Pack 3 onwards?
• I have installed Service Pack 3, now I cannot run Java programs.
• I have installed Service Pack 3, however the Policy Editor has not been updated.
• How can I tell if I have the 128 bit version of Service Pack 3 installed?
• How do I install a service pack during a unattended installation?
• What order should I apply the Hot fixes?
• I get an error message when I try to re-apply a hotfix after installing a service pack?
• When should I reapply a Service Pack?
• What is Option Pack 4?
• How can I tell which version Service Pack I have installed?
• I receive an error trying to install Service Pack 4 for NT 4.0.
• Setupdd.sys is missing in Service Pack 4.
• Important steps for installing Service Pack 4.
• Uninstalling Service Pack 4.
• How can I tell who installed/uninstalled Service Pack 4?
• Service Pack 4 unattended installation switches.
• New Event Logs in Windows NT 4.0 Service Pack 4.
• When will Service Pack 6 for NT 4.0 be released?
• I receive an error that setup.log cannot be found when installing a service pack.
• How can I perform a function in a logon script depending on machines Service Pack version?
• How can I check if I have SP6 or SP6a installed?
• Is there a script that will reinstall a service pack and hotfixes then reboot?
• How do I expand a service pack/hotfix without installing?



Support

• What Newsgroups are good for NT information?
• Where can I get more information?



System Configuration

• How do I decrease the boot delay?
• Where do I load ANSI.SYS?
• How can I configure the local machine to perform a task at a set time?
• How do I change the Organization name on NT?
• How do I change the default location NT expects to find NT software for installation(i.e. CD)
• How can I remove the Shut Down button from the login screen?
• How can I Parse/Not Parse autoexec.bat?
• How do I add a path statement in NT?
• Can I change the default Windows Background?
• How do I change the Start menu items under the line?
• How can I restore the old Program Manager?
• Is there a way to start NT in "Dos" mode?
• How can I disable "Lock Workstation" when I press Ctrl-Alt-Del?
• How can I make NT powerdown on shutdown?
• How do I enable Ctrl-Esc to start Task Manager?
• How can I allow non-Administrators to issue AT commands?
• How do I control Access to Floppy Drives/CD-ROM drives?
• I have DOS, Windows95 and NT installed, and want them all to show on the boot menu.
• How do I remove an App from Control Panel?
• How do I assign a drive letter to a removable drive?
• How do I configure a default Screen Saver if no one logs on?
• How do I configure the default screen saver to be the Open GL Text Saver?
• How can I create a new hardware profile?
• I have entries on the Remove software list that don't work, how can I remove them?
• How can I disable Dr. Watson?
• How do I create a network share?
• How do I connect to a network share?
• How do I configure the boot menu to show forever?
• How can I configure the machine to reboot at a certain time?
• How can I configure Explorer to start with drive x: ?
• How can I decrease the time my machine takes to shutdown/reboot?
• How can I change the startup order of the services?
• How can I configure the system so that certain commands run at boot up time?
• What are the .cpl files in the system32 directory?
• How can I create a non-network hardware configuration?
• How can I remove the option "Press Spacebar for last known good config"?
• How can I disable the OS2/POSIX subsystems?
• How can I run a control panel applet from the command line?
• How can I configure a program/batch file to run every x minutes?
• What registry keys do the Control Panel applets update?
• How can I run a script at shutdown time?
• How can I create my own tips to be shown when NT starts?
• How can I change the location of the event logs?
• How can I configure the default Internet Browser?
• How can I change the alert for low disk space on a partition?
• Is it possible to delete/rename the Administrator account?
• How can I tell NT how much secondary cache (L2) is installed?
• What switches can be used in boot.ini?
• How can I change the default editor used for editing batch files?
• What are the default protections on an NTFS boot partition?
• How do I configure the default keyboard layout during login?
• How can I add my own information to General tab of the System Control Panel applet?
• How can I change the program associated with a file extension?
• How do I set a process to use a certain processor?
• I have duplicate entries on my boot menu.
• How can I stop a service from the command line?
• How can I add the printer panel to the Start menu?
• How can I hide the Administrative Tools on the Start menu?
• How do I restrict access to the floppy drive?
• How do I enable AutoLogon?
• How do I disable AutoLogon?
• How do I add a warning Logon message?
• How do I stop the last logon name being displayed?
• How can I stop people logging on to the server?
• Users fail to logon at a server.
• How do I enable NumLock automatically?
• How do I limit the number of simultaneous logons?
• %SystemRoot% is not expanded when I use it in a command.
• How can I disable the Win key?
• How do I set the number of Cached logons a machine stores?
• How can I configure the system to run a program at logon time?
• How can I install the Policy Editor on a Workstation?
• How can I delete the "My Computer" icon?
• How do I disable the file delete confirmation?
• How can I switch the time between 24 hour and 12 hour?
• How can I suppress boot Error Messages?
• How can I enable/disable the Ctrl-Alt-Del to enter logon information? - Windows 2000 only
• How can I stop the last username to logon from being displayed?
• The screen saver can only be configured to start up to 60 minutes.
• I have lost the ADMIN$ share.
• How can I configure Notepad to wrap?
• How do I modify the login timer for profiles?
• How do I change the location for temporary files?
• How do I modify system variables?
• How do I disable the ability to change password?
• How do I stop a process on a remote machine?
• How do I install the Security Configuration Editor?
• How can I get the cool UI effects to work on my P166 computer? - Windows 2000 only
• How do I increase the number of Page Table Entries on my system?
• How can I change the short date format from yy to yyyy?
• How do I enable fast reboot on 4.0 SP4 and above?
• How can I create a program alias?
• How can I share my clipbook with other machines?
• How can I stop tips showing on startup?
• How can I configure Outlook Express to be the default News reader?
• How can I modify the My Computer text to show logged on username and machine name?
• How do I enable live scrolling on Word 97?
• A useful tip for navigating in Explorer and the Registry Editor.
• How can I automatically kill hung processes when I logoff?
• How can I change the Info Tip for icons? - Windows 2000 only
• How can I control who can eject ZIP disks? - Windows 2000
• How can I configure monitor power off for the logon screen? - Windows 2000
• What are the problems with workstations having the same SID?
• How can I disable daylight saving time changes?
• How can I improve I/O performance?
• How can I configure the Windows 2000 System File Checker?
• How to I install an Enterprise Certificate Authority?
• How do I create a Certificate Trust List for the domain?
• How can I lock a workstation from the command line?
• How do I create a default association for files with no extension?
• How do I create a default association for files with an unknown extension?
• How do I set DLL files to use their own icon rather than the standard?
• How can I make Explorer show the extension of known file types?
• What are Super Hidden Files?
• How can I view Super Hidden Files?
• After upgrading from NT 4.0 to Windows 2000 the timeout in boot.ini has been reset to 30.
• How can I force a check of protected system files in Windows 2000?
• How can I disable the DLL cache in Windows 2000?
• I can't add or remove Accessories on a Windows 2000 professional machine.
• How can I remove a device driver?
• How do I remove the resource kit time service?
• How can I configure event log wrapping in Windows 2000?
• What are offline folders?
• How do I set a folder as available/not available offline?
• How do I configure a shared folder as automatically available offline?
• How do I enable my computer to support offline folders/files?
• How can I configure the time service in Windows 2000?
• How can I configure Administrative Alerts in Windows 2000?
• How can I tell if my Windows 2000 installation is registered?
• How do I enable TAPI 2.1 support?
• Configuring Dual fault tolerant mirrored drives.
• What order are environment variables processed during logon?
• How can I change the display order for the hardware profile list at startup?
• How can I change the screen tip for a shortcut?
• How can I enable network lockout for the Administrator account?
• How can I remotely reboot, logout, shutdown a machine?
• Where is the 'ODBC Data Sources' control panel applet in Windows 2000?
• How do I view/create saved Directory Service, DNS and File Replication Service event logs?
• How can I change the icon for drive letters?
• How can I stop the Infotips being displayed for icons and drives?
• How can I enable the Windows 2000 System File Checker to cache ALL DLL's?
• How can I move the DLL cache?
• How can I disable the Start menu program scroll?
• How can I restrict network browsing to users local workgroup/domain?
• How can I stop users browsing computers in their local workgroup/domain?
• How can I hide ALL desktop icons?
• How do I upgrade my Windows 2000 installation to 128-bit encryption?
• How can a user request a certificate via the web?



System Information

• How can I tell the role of my NT machine?
• How can I tell who has which files open on a machine?
• How do I view all the applications/processes on the system?
• Where can I get information about my machine?
• How can I tell when NT was last started?
• I have lost my NT Installation Key number, how can I find it out?
• How can I get detailed system information from the command prompt?
• How can I tell when NT was installed?
• How can I tell if my NT installation is a 120 day evaluation or full?
• How can I check what type of NT installation I have?
• How can I tell if my NT installation is a "Not For Resale" installation?
• Where is time zone information stored in NT/2000?
• How can I tell which process has file X open?
• How can I tell which DLL's and API calls a program makes?



System Policy

• How do System Policies work?
• How do I modify a Policy?
• How do I create my own Policy template?
• Where can I get information on Profiles and Policies?
• How can I control the Policy updates?
• How can I implement locally based system policies?



TCP/IP

• What is TCP/IP
• How do I install TCP/IP
• Is there a way to trace TCP/IP traffic using NT?
• I do not have a network card, but would like to install TCP/IP.
• I have installed TCP/IP, what steps should I use to verify the setup is correct?
• How can I trace the route the TCP/IP packets take?
• What is the subnet mask?
• What diagnostic utilities are there for TCP/IP?
• What is routing and how is it configured?
• What is ARP?
• My Network is not connected to the Internet, can I use any IP address?
• How can I increase the time entries are kept in the ARP cache?
• What other registry entries are there for TCP/IP?
• How can I configure more than 6 IP addresses?
• What are the common TCP ports?
• How can I perform a migration to DHCP?
• How do I assign multiple IP addresses to a single NIC?
• How do I install the Network Monitor Utility?
• How do I perform a network trace using NetMon?
• Nothing shows up on my NETMON trace, why?
• What is the NETMON agent?
• How do I install the Network Monitor agent?
• How do I monitor traffic for an agent?
• How do I filter captured packets?
• What is IPv6?
• How will IPv6 addresses be written?
• What is the IPv6 header format?
• I am unable to install TCP/IP, why?
• What switches can be used with PING?
• How can I modify TCP retransmission timeout?
• How can I disable media-sense for TCP/IP?
• How can I check who owns subnet x?
• How can I disable APIPA?
• What is quality of server (QOS)?
• How do I install QOS support in Windows 2000?
• How do I configure QOS in Windows 2000?
• How can I change the account used for the QOS service?
• Is IP version 6 available for NT/Windows 2000/95/98?
• What is IPSec?
• How do I enable IPSec on a machine?
• How do I define IPSec policy for a group policy object?
• How do I enable IPSec traffic through a firewall?
• How can I troubleshoot IPSec?
• How can I manage/create IP Security policies?
• How can I change the authentication method used for IPSec by a policy?
• How can I install a certificate for use by IPSec?



Terminal Server

• What is Terminal Server?
• How do I install Windows NT 4.0 Terminal Server Edition?
• How do I enable Terminal Server under Windows 2000?
• How do I install Windows NT/95 based Terminal Server clients?
• How do I install Windows for Workgroups based Terminal Server clients?
• How do I connect to a Terminal Server from WFW/9x/NT/2000?
• How do I close a Terminal Server connection?
• How do I install applications for use with Terminal Server?
• I can't install Office 97 SR2 on Terminal Server.
• How do I install Citrix Metaframe?
• How do I create Citrix Metaframe client media?
• How do I install the ICA DOS client?
• How do install Backup Exec 7.X on TSE?
• Can I use normal Service Packs on Windows NT Terminal Server Edition?
• Can I use normal Hot fixes on Windows NT Terminal Server Edition?
• I've reached 40 - 45 users and additional users can't log onto Terminal Server?
• How do I configure a CE based Terminal Server client?
• I am having troubles getting the ICA DOS client to work.
• Where can I download updates for MetaFrame?
• What Service Packs are available for Windows NT Terminal Server Edition?
• How do I send a message to a Terminal Server client?
• How do I locate machines that are running Terminal Server?
• How can I check if a user is logged on via Terminal Server?
• Mouse movement is jerky in Terminal Server sessions.
• Does MetaFrame run on Windows 2000?
• How can I switch a session between window and full screen?
• How can I remote control another terminal server session in Windows 2000?
• What user environment extensions does the Windows 2000 terminal server component add?
• How do I install Active Desktop on Terminal Server?
• How do I enable client computers to logon to a Terminal Server?



Training

• Where can I go for Training in Microsoft Products?
• Where can I get more information about becoming a MCSE?



User Configuration

• How do I create a captive account?
• Where should Login Scripts go?
• What should be in the Login Script?
• Are there any utilities that help with login scripts?
• Is there a way of performing operations depending on a users group membership?
• How do I limit the disk space for a User?
• What variables are available for use with a User?
• Can I add user accounts from a database?
• Is there a utility that shows who is currently logged on?
• How can I change environment variables from the command line?
• How can I hide drive x from users?
• How do I make the shell start before the logon script finishes?
• How can I find out which groups a user is in?
• I can no longer see items in the common groups from the Start Menu.
• How do I configure a user so they can change the system time?
• How do I add a user?
• How do I configure roaming profiles?
• How can I configure each user to have a different screen resolution?
• How can I create a list of all User Accounts?
• How can I add a user from the command line?
• How can I move users from one machine to another?
• How can I configure a user to logoff at a certain time?
• How can I grant User Rights from the command line?
• How can I configure the system so all users share a common favourites folder?
• How can I change the local Administrator passwords on machines without going to them?
• How do I change my password?
• How can I configure default settings for new users?
• How can I tell which User has which SID?
• How can I configure NT to not allow users to login if their mandatory profile is unavailable?
• How do I automatically logoff clients after n minutes of inactivity?
• How can I modify the size of icons on the desktop?
• How can I disable Alt-Tab?
• How can I configure the Alt-Tab display?
• How can I edit the list of connections listed in Explorer when I map a connection?
• How can I exclude the Temporary Internet Files folder from the user profile?
• How can I stop the programs in my start-up folders running when I log on?
• I can't delete user x.
• How can I stop users from being able to map/disconnect network drives?
• How can I disable a whole group of users?
• How can I remove a user from a group from the command prompt?
• How can I remove the : from the time?
• How can I rename a user from the command prompt?
• Roaming profiles are not saved to the server.
• I have made user shares hidden now connection fails.
• How can I disable the Display control panel applet?
• How can I disable elements of the Display control panel applet?
• How do I debug roaming profiles?
• How can I copy a user profile?
• What are the differences between NT and 9x profiles?
• When I log off all my home directory files are deleted.
• How can I delete a local profile?
• Copy profile locally problems.
• Defining the profile area to use for a user.
• How can I view which local groups on a trusting domain a user belongs to?
• How do I limit user profile space?
• I can't logoff as my user profile quota is over the limit.
• How do I grant user rights in Windows 2000? - Windows 2000 only
• How can I logoff from the command prompt?
• Where is User Manager for Domains in Windows 2000? - Windows 2000 only
• How do I administer domain users in Windows 2000? - Windows 2000 only
• How do I remove the Goto menu from Explorer?
• How do I rename a global group?
• Global groups over 20 characters create problems, why?
• How can I disable the "Logon Using Dial-Up Networking" at logon time?
• How can I stop a user closing the login script before it completes?
• How can I configure a screen saver using a System Policy?
• How can I tell at what time I logged on?
• How can I stop certain folders being replicated as part of the user profile?
• How can I generate a list of last user logon times for a domain?
• How can I stop users creating persistent connections?
• How can I map a drive/port for all new users on a machine without scripts etc?
• I'm not given a warning if logged on using cached credentials in Windows 2000.
• How do I manually delegate authority in Windows 2000?
• How do I delegate authority in Windows 2000 using the Wizard?



Utilities

• Where can I find the resource kit?
• How do I run an application as a service?
• How can I shutdown a computer remotely?
• Where can I find a Unix su (substitute user) like utility?
• I'm running NT on Alpha - Can I run INTEL programs?
• What is TWEAKUI?
• What else is good?
• Do Windows 95 Powertoys work in NT?
• Is there a X-terminal for NT?
• Where is File Manager?
• Where do I get Themes for NT?
• Where can I get UNIX tools for NT?
• How can I fix/replace/copy files on an NTFS partition from outside Windows NT?
• What are the "Windows NT Support Tools"?
• How do I load the RKILLSRV.EXE?
• Where is File Manager in Windows 2000?
• What is the Microsoft Management Console (MMC)?
• How do I create a custom MMC configuration?
• Where is X from NT 4.0 in Windows 2000?
• How can I synchronize accounts between NT and Unix?
• How can I add Open with Run Dialog to the context menu?
• What is MSINFO32.EXE?
• How can I uninstall IIS 4.0 and Option Pack 4?
• How can I run a program as another user in Windows 2000?
• Where is SCOPY in Windows 2000?



Various

• What is SAMBA?
• Why does the disk spanning function of PKZIP (command line version) not work under NT?
• What virus killers are available for NT 4.0?
• Does NT support the LS120 (adrive)?
• Is NT year 2000 compliant?
• What does x stand for?
• What are the shortcuts available with the "Win" key?
• How can I open a file with an application, other than the one it is associated with?
• How do I change the icon associated with a short cut?
• Is it possible to map a drive letter to a directory?
• What keyboard shortcuts are available?
• How do I schedule commands?
• What are the long path names in the boot.ini file?
• How can I execute a batch file using WINAT with Administrator Permissions?
• I have 95 and NT installed, how can I configure the applications to run on both?
• How can I stop and start services from the command line?
• How do I delete a Service?
• What is USER.DMP?
• How in Notepad can I save a file without the .txt extension?
• How can I move shares and their contents from one machine to another?
• How do I create a shortcut on the desktop to a directory/disk?
• How can I create a spare set of Windows95 disks?
• What FAX software is available for Windows NT?
• How can I delete files that are over x days old?
• How can I speed up the performance of my OS/2 applications?
• How can I install a font from the command line/batch file?
• Information about Time Zones and daylight saving.
• What are the ErrorControl, Start and Type values under the Services subkeys?
• How do I type the Euro (€) symbol?
• What is the Melissa/Papa virus?
• How can I show the context menu without the right mouse button?
• How can I check if a Virus warning is real or a hoax?
• What DO those smileys mean :-)?
• What DO those acronyms mean in mail messages <NIFOC> <HHOJ>?
• How do you edit the list of local and toll numbers for a dialing location?
• What is ExploreZip.worm and what should I do?
• How can I move a dialog/window using just the keyboard?
• How can I extract files from a CAB file?
• Where is USRMGR.EXE in NT Workstation?
• What are the Event Viewer login codes?
• What is Opportunist locking?
• How can I convert a binary number to hexadecimal?
• What switches can be used with explorer.exe?
• Where are files in the Recycle bin actually stored?
• My recycle bin is corrupt?
• What is the bubbleboy virus?
• What is the OEM version of NT/2000?
• How can I check DLL versions on my system?
• How can I talk to a serial (COM) port from the command line/batch file?



Windows 2000 (NT 5.0)

• What is new in Windows 2000?
• Where can I get more information on Windows 2000?
• How do I get the Microsoft Windows 2000 Beta?
• What is Windows 2000?
• Getting the most out of NT 5.0 beta 2.
• What hardware is needed to run Windows 2000?
• Where is the Hardware Compatibility List for Windows 2000?
• When does Windows 2000 need rebooting?
• When will Windows 2000 be released?
• Is build 2195 the final version of Windows 2000?
• Where do I get updates for Windows 2000?



Windows 95/98 as a client

• How do I communicate with a Windows 95 client?
• How can I administer my domain from a Windows95 client?
• How do I force a 95 machine to logon to a domain?
• How do I enable Windows 9x machines to use Group policies?
• How do I enable Load Balancing on a Windows 95 machine?
• How can I stop a Windows 95 machine acting as a browse master or backup browser?
• Some of the Windows 95/98 clients do not show up in Network Neighborhood.
• How can I stop my Windows 9x clients entering a separate password when logging onto a domain?
• How do I enable profiles on a Windows 9x machine?
• How do I enable roaming profiles for Windows 9x machines?
• Can Windows NT and Windows 9x share a roaming profile?
• How do I install the Windows 9x Policy Editor?
• How can I stop Windows 9x profiles being copied to the home directory?
• How do I implement local system policies on Windows 9x?
• I have lost my Windows 98 installation key, how can I find it?
• How do I install the Windows 9x directory services client?
• A user has forgotten the local Windows 9x password, how can it be reset?
• How do I enable remote registry editing for Windows 9x clients?
• How do I connect a Windows 95 to NT using a null modem cable?
• My Windows 9x clients cannot see shares over 12 characters.
• How do I enable NTLM 2.0 support in Windows 98?
• How can I fool a program into thinking my Windows 9x installation is Windows 3.11?



Windows Scripting Host

• What is the Windows Scripting Host?
• Where can I get the Windows Scripting Host?
• How do I install the Windows Scripting Host software?
• Where can I get more information on WSH?
• How do I create a new user in NT using ADSI?
• How do I run a windows script from the command line?
• How do I run a DOS command in WSH?
• How do I rename a file using WSH?



WINS

• What is WINS?
• How does WINS work?
• How do I set up WINS?
• What is a WINS Proxy Agent?
• How do I configure WINS static entries for a non-WINS client?
• How do I configure WINS to work with DHCP?
• How can I compress my WINS database?
• WINS Automatic Backup does not run every 3 hours.
• WINS Log files are created in incorrect locations.
• WINS server is not being queried for entries in LMHOSTS after Service Pack 4.
• My WINS clients have stopped registering/querying the WINS server.



---

Q. What is the Active Directory?

A. The Active Directory is Microsoft's implementation of a 'Directory Service' and a directory service is basically something that stores data in an organized format and has the mechanisms needed to publish and access the data.

Active Directory is not a Microsoft innovation, but rather an implementation of an existing model (X.500), an existing communication mechanism (LDAP) and an existing location technology (DNS), and each of these are covered in the FAQ.

Before the details of Active Directory are considered, it is important to have an overview of what it is trying to achieve. A directory in its most basic sense is just a container for other information, such as a telephone directory has various entries, and each entry has values. An example would be a name, address and telephone number that would make up a single entry in the directory.

Name: John Savill
Address: 2 SavTech Way, (yeah right :-))
London
Tel: 353 3523
E-mail: john@serverfaq.com

In a large directory these entries may be grouped by location or by their type, e.g. lawyers, pest control, etc, or both which would lead to a hierarchy of each type of person in each location. The actual telephone directory would be a directory service as it contains not only the data but also a means to access and use it. The telephone operator would also constitute a directory service as it has access to the data and presents it to you where you can request data and an answer to your query is given.

Active Directory is a type of Directory Service, it holds information about all resources on the network and clients can query the Active Directory for information about any aspect of the network. Active Directory has a number of powerful features:

• Information is stored in a secure form - each object in the Active Directory has an Access Control List (ACL) which has a list of resources that may access it and to what degree.
• A flexible mechanism for queries based on a global catalog that is generated by the Active Directory. Any client that supports Active Directory can query the catalog.
• Replication of the directory to all Domain Controllers in the domain means easier accessibility, higher availability and fault tolerance
• Extensible design means new object types can be added to the directory or existing objects built on. For example a salary attribute could be added the user object.
• Communication can be carried out over a number of protocols due to its X.500 foundation. These include LDAP version 2 and 3, and the HTTP
• Domain Naming System (DNS) used for the naming and location of domain controllers rather that NetBIOS names
• Information is partitioned in the Directory by domain to avoid replicating excessive amounts of information

The last point regarding partitioning the information in the Directory into different stores does not mean that the Active Directory cannot be queried for information from other domains. Global catalogs are used which contain information about every object in the enterprise forest allowing forest wide searches.

---

Q. A number of Active Directory descriptions.

A. Below are some definitions for the active directory:

ONE SENTENCE SUMMARY OF DNS AND ACTIVE DIRECTORY:

A dns server is used by a client to provide the address of the client's nearest domain controller, which has a copy of Active Directory, which the client then uses to locate whatever object it's looking for.

ONE PARAGRAPH SUMMARY OF DNS AND ACTIVE DIRECTORY:

First a client contacts a dns (domain name system) server which looks up the client's domain, and provides him with the address of the closest dc in that domain. The client proceeds to contact the dc which can then authenticate him. Once authenticated, the client can search Active Directory (a database on the dc) to find objects the client is looking for, like an address for mail, a file, printer, or list of users in a group, etc. If the client cannot contact a dns server, it won't be able to find its domain controller, since only the dns server has the address of it.

ONE PAGE SUMMARY OF DNS AND ACTIVE DIRECTORY:

When dcpromo is performed on a W2K machine named, say, "fido" for the first time creating a new domain, say, "narnia", dcpromo creates two different kinds of "domains". First it creates a domain on the dns server, in our example: "narnia.extest.microsoft.com". This will be found on the extest dns servers, which are in exlab's minilab in bldg 43. Exlab maintains these as community dns servers to save testers the trouble of installing a dns server every time they want to install W2K. Simplified a little, the dns domain on the extest master dns servers looks like this:

extest.microsoft.com
    narnia.extest.microsoft.com
        bigthud dc 172.30.224.34
        blackie dc 172.20.32.13
        etc. (this is very approximate, but functionally identical)

Clients contact the dns server and it looks up the client's domain. Looking for "narnia" the dns server also discovers "bigthud" and "blackie", both dc's of "narnia". Let's say "bigthud" is the closest dc to the client. The dns server would send the client the address of the dc "bigthud", namely, 172.30.224.34. The client connects and accesses the Active Directory domain database stored on "bigthud" to find objects (like printers, file servers, users, groups, organizational units, etc) in the "narnia" domain. "bigthud" also stores links to other domains in the tree "com". Thus, the client can search a whole tree of domains.

If the search needs to go beyond the client's tree of domains, then a version of Active Directory listing the objects in the whole forest is also available. It is called the Global Catalog. The GC can be kept on any dcs in the forest you may choose, or all, but it does not have to be kept on all.

GC is a shorthand way to access an object ANYWHERE in the forest, but it only provides a few of its attributes, you have to go to the domain AD (always on a dc in that domain) to get the whole object. The GC can be configured to provide whatever object attributes you choose, too, not just a rigid default set of them.

To help in creating objects in AD, the dc also keeps a copy of the classes and hierarchy of classes for the whole forest, too. For example, if we had a class of "baseball players", and a derived class "pitchers" (which is just a player with a few records added of strikeouts and no-hitters, etc) then the class structure would be kept in AD in the part called the "Schema". If we then created an actual group of players we would use our Schema classes to make the players as objects (instances of the classes) in Active Directory. We can also add more classes, eg: "football players" and "quarterbacks" to the Schema, and we call that freedom an "extensible Schema".

The schema is a part of the W2K "configuration namespace" kept on all dcs in a forest. A namespace is a range of labels you put on things, eg: a supermarket "aisle" namespace: aisle=cookies, shelf=top, item=oreo. The configuration namespace in W2K consists of a number of defined items such as physical locations, W2k "sites" (a site is a child of a forest, and can contain machines from any domain, only condition being that all machines in a site have fast reliable net connections for dc replication), and "subnets" which are IP address groupings assigned to sites which help further speed up AD replication amongst dc's, eg: "your dc rocks if it's in the IP subnet and W2K site where its friends are".

Active Directory employs LDAP (Lightweight Directory Access Protocol, a standard Internet protocol that many applications use) to access its records. Why? Because its records are STORED on the dc in "LDAP distinguished name format". But what is LDAP distinguished name format? In the following LDAP distinguished name format example "fred" is a user in the "programming" organizational unit in "narnia" domain in "extest" domain in "microsoft" domain in "com" domain:

cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com

where cn stands for common name, ou stands for organizational unit, and dc in this case stands for "domain component", NOT domain controller. This is how "fred" appears in Active Directory, and a client such as an administrator can access attributes about fred using that syntax, assuming the client has security permissions to do so.

The client's actions are straightforward, as long as the client talks LDAP to Active Directory. However, an action may be done from a client running an application that uses a different name format. To support this, there are two other name formats that can be used (with a little translating) to access Active Directory:

1. "LDAP URL":
Example:
LDAP://server1.narnia.extest.microsoft.com/cn=fred,ou=programming,dc=narni a,dc=extest,dc=microsoft,dc=com.

2. "Active Directory Canonical name":
Example:
narnia.extest.microsoft.com/programming/fred. This last one, "Active Directory Canonical name" is what you'll see in user interfaces in W2K.

---

Q. What is X.500 and LDAP?

A. X.500 is the most common protocol that is used for Directory Management and there are currently 2 main standards, the 1988 and 1993 standards with the 1993 standard providing a number of advances over the older standard. The Windows NT 5.0 implementation of its Directory Services is derived from the 1993 X.500 standard as described below.

The X.500 model uses a hierarchical approach to the objects in the name space with a root at the top of the namespace with children coming off of it. Domains in Windows 2000 are DNS names, for example savilltech.com is a domain name, legal.savilltech.com is a child domain of savilltech.com. Child domains are covered elsewhere.



The example shows a root of the directory service and then a number of children. In this case the first layer or children represent countries, however there are no rules and you may break these down however you want. Imagine each country as a child domain of the root, for example usa.root.com and england.root.com. Each child domain can then be broken into a number of organizations. These organizations can be broken down further into organizational units and various privileges/policies can be applied to each Organization unit. Each Organizational Unit has a number of objects such as users, computers, groups etc.

While the directory service is based on X.500, the access mechanism actually uses LDAP (Lightweight Directory Access Protocol) which solves a number of problems with X.500.

X.500 is part of the OSI model however this does not translate well into a TCP/IP protocol environment so LDAP uses TCP/IP for its communication medium. LDAP cuts down on the functions available with a full X.500 implementation making a leaner faster directory service while keeping the overall structure of X.500.

LDAP is actually the mechanism used to communicate with the Active Directory and performs basic read, write, and modify operations.

More on X.500 can be found at http://www.salford.ac.uk/its024/X500.htm

---

Q. What is the Global Catalog?

A. The Global Catalog contains an entry for every object in the enterprise forest (the term forest is explained later) but contains only a few properties of each object. The entire forest shares a global catalog with multiple servers holding copies. Searches in the whole enterprise forest can only be done on the properties in the Catalog where as searches in the users own domain tree can be for any property. Only Directory Services (or Domain Controllers) can be configured to hold a copy of the Global Catalog.

Do not configure too many global catalogs in each domain, as you will waste network bandwidth with the replication. One global catalog server per domain in each physical location is sufficient, however NT will set servers as Global Catalogs as it thinks are necessary so there should be no need for you to modify this unless you notice slow query response times.

Since full searches involve querying the whole domain tree rather that the global catalog, grouping the enterprise into a single tree will improve your searches as it will allow you to query on items not in the global catalog, thus a larger search criteria.

---

Q. How do I configure a server as a Global Catalog?

A. To configure a Windows 2000 domain controller as a global catalog server perform the following:

1. Start the Active Directory Sites and Services Manager (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
2. Select the sites branch.
3. Select the site that owns the server, expand the servers branch and the server in question
4. Right click on "NTDS Settings" and choose Properties
5. Check or uncheck the "Global Catalog Box". Click Apply then OK



---

Q. What is the Schema?

A. The Schema is a blueprint of all objects in the domain and when first created a default Schema exists which contains definitions for users, computers, domains etc. Because of this, you can only have one schema per domain as you cannot have multiple definitions of the same object.

The default schema definition is defined in the SCHEMA.INI file that also contains the initial structure for the NTDS.DIT (storage for the Directory data). This file is located in the %systemroot%\ntds directory. This file is a plain ASCII format file and can be typed out.

---

Q. What is a domain tree?

A. In Windows 2000 one domain can be a child of another domain, e.g. child.domain.com is a child of domain.com (a child domain always has the complete domain name of the parent in it), and a child domain and its parent share a two way transitive trust.

When you have a domain as a child of another, a domain tree is formed. A domain tree has to have a contiguous name space.


Notice in the second diagram the lack of contiguous names means they are not part of the tree

The name of the tree is the root domain name, so in the example the tree would be referred to as root.com. Since the domains are DNS names and inherit the parent part of the name, if a part of the tree is renamed, then all of its children will implicitly also be renamed, for example if parent ntfaq.com of sales.ntfaq.com was renamed to backoffice.com the child would be renamed to sales.backoffice.com. This is not actually currently possible though.

Domain trees can currently only be created during the server to Domain Controller promotion process with DCPROMO.EXE, this may change in the future.

There are a number of advantages in placing domains in a tree. The first and most useful is that all members of a tree have kerberos transitive trusts with its parent and all its children. These transitive trusts also mean that any user or group in a domain tree can be granted access to any object in the entire tree. This also means that a single network logon can be used at any workstation in the domain tree.

---

Q. What is a domain forest?

A. You may have a number of separate domain trees in your organization that you would like to share resources and this can be accomplished by joining trees to form a forest.

A forest is a collection of trees that do not have to form a contiguous name space (however each tree still has to be contiguous). This may be useful if your company has multiple root dns addresses.



As can be seen from the example, the two root domains are joined via a transitive, two-way Kerberos trusts as in the trust created between a child and its parent. Forests always contain the entire domain tree of each domain and it is not possible to create a forest containing only parts of a domain tree.

Forests are created during the server to Domain Controller promotion process with DCPROMO and can currently not be created at any other time, this will change in the next version.

You are not limited to only 2 domain trees in a forest, you can add as many trees as you want and all domains within the forest will be able to grant access to objects for any user within the forest. Again this cuts back on having to manually manage the trust relationships. The effect of creating a forest is the following:

• All trees have a common Global Catalog containing specific information about every object in the forest
• The trees all contain a common schema. Microsoft has not yet confirmed the action if 2 trees have difference schemas before they are joined. I assume the changes will be merged
• Searches in a forest will perform a deep search of the entire tree of the domain the request is initiated from and use the Global Catalog entries for the rest of the forest

You may of course choose not to join trees to become a forest and may instead create normal trusts between individual elements of the tree's.

---

Q. What is a Kerberos trust?

A. Windows NT 4.0 trust relationships are not transitive so if domain2 trusts domain1, and domain3 trusts domain2, domain3 does not trust domain1.



This is not the case with the trust relationships used to connect members of a tree/forest in Windows 2000, trust relationships used in a tree are two-way, transitive Kerberos trusts which means any domain in a tree implicitly trusts every other domain in the tree/forest. This removes the need for time-consuming administration of the trusts as they are created automatically when a domain joins a tree.

Kerberos is the primary security protocol for Windows NT. Kerberos verifies both the identity of the user and the integrity of the session data. The Kerberos services are installed on each domain controller, and a Kerberos client is installed on each Windows NT workstation and server. A user's initial Kerberos authentication provides the user a single logon to enterprise resources. Kerberos is not a Microsoft protocol and is based on version 5.0 of Kerberos. For more information see IETF RFCs (Requests For Comments) 1510 and 1964. These documents are available on the web from http://www.isi.edu/rfc-editor/rfc.html.

---

Q. How do I create a new Active Directory Site?

A. Active Directory has the concept of sites which can be used to group servers into containers which mirror the physical topology of your network, and allow you to configure replication between domain controllers (among other things). A number of TCP/IP subnets can also be mapped to sites which the allow new servers to automatically join the correct site depending on their IP address and for clients to easily find a domain controller closest to them.

When you create the first domain controller a default site, Default-First-Site-Name is created to which the domain controller is assigned. Subsequent domain controllers are also added to this site however they can then be moved. This site can be renamed if you wish.

Sites are administered and created using the "Active Directory Sites and Services Manager" MMC snap-in. To create a new site perform the following:

1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
2. Right click on the Site branch and select New - Site from the displayed context menu
3. Enter a name for the site, e.g. NewYork. The name must be 63 characters or less and cannot contain . or space characters. You must also select a site link (by default there will only be one, DEFAULTIPSITELINK or type IP).
4. Click OK

Now the site is created you can assign various IP subnets to it as follows:

1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
2. Expand the Sites branch
3. Right click on Subnets and select New - Subnet
   
4. You used to have to enter the name of subnet of the form <network>/<bits masked>, e.g. 200.200.201.0/24 would be network 200.200.201.0 with subnet mask 255.255.255.0. This proved to complicated so you now just enter the address and mask. Select the Site to associate the subnet with, e.g. Australia.
   
5. Click OK

You now have a subnet linked to a site. You can assign multiple subnets to a site if you wish.

If you are confused about the bits masked in the subnet name it can be between 22 and 32 and is just the number of bits set in the subnet mask. The subnet mask is made up of 4 sets of 8 bits. To convert the subnet mask to bits you can use the illustration below.



Therefore the subnet mask 255.255.255.0 would be 11111111.11111111.11111111.00000000 in binary which therefore uses 8+8+8 bits (24) to define the subnet mask. A subnet mask of 255.255.252.0 would be 11111111.11111111.11111100.00000000 which is 8+8+6 or 22.

Once you have multiple sites defined new domain controllers created via DCPROMO will automatically join the site that matches their IP address. In the event of their not being a site for their IP subnet they will join the same site that authorized its promotion.

---

Q. How do I move a server to a different site?

A. If your sites and subnets are configured then new servers will automatically get added to the site that owns the subnet however you can also manually move a server to a different site:

1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
2. Expand the Sites container.
3. Expand the site that currently contains the server, expand the Servers container
4. Right click on the server and select Move from the context menu
   
5. You will be shown a list of all sites. Select the new target site and click OK

The move will take immediate effect.

---

Q. How can a server belong to more than one site?

A. By default a server will belong to one site however you may want to configure a server to belong to multiple sites.

Bear in mind sites are used for replication, for clients to find resources and to cut down on traffic on inter-site connections so just modifying the site membership may cause performance problems.

To configure a server to have multiple site membership perform the following:

1. Logon to the server who should join multiple sites
2. Start the registry editor (regedt32.exe not regedit.exe)
3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ServicesNetlogon\Parameters
4. Select "Add Value" from the Edit menu
5. Enter a name of SiteCoverage and of type REG_MULTI_SZ. Click OK
6. Enter the names of the sites to join, each on a new line, e.g.
   Australia
   London
   Press Shift-Enter to move to the next line. Click OK
7. Close the registry editor

The above does not create the objects in the Active Directory to evaluate the sites and these need to be added manually.

---

Q. How can I backup the Active Directory/System State?

A. The Active Directory is backed up using the NTBACKUP.EXE utility. The Active Directory is part of the machines System State which is defined as follows:

For all Windows 2000 machines the System State includes the registry, class registration database and the system boot files. For a Windows 2000 Server that is a certificate server it also contains the Certificate Services database. Finally for a Windows 2000 machine that is a domain controller it includes the Active Directory and the SYSVOL directory also.

To backup the System State using the Backup Wizard perform the following:

1. Start NTBACKUP.EXE
2. NTBACKUP.EXE will start in the Welcome screen. Click the 'Backup Wizard' button
3. Click Next to the introduction dialog
4. In the dialog that asks what to backup select 'Only back up the Distributed Service Set' and click Next
5. You should then continue as per normal by selecting the backup media etc.

If you don't want to use the wizard it can be manually backed up as follows:

1. Start NTBACKUP.EXE
2. Select the Backup tab
3. Check the 'System State' box (and any other drives)
   
4. Select the backup destination
5. Click 'Start Backup'
6. Confirm the backup description and click 'Start Backup'
7. The backup will then begin

To backup only the System State from the command line use the command

C:\> ntbackup backup systemstate /f d:\active.bkf

Of course this is the most basic backup to file and you can use more complex options.

---

Q. How can I restore the Active Directory?

A. The Active Directory cannot be restored to a domain controller while the Directory Service is running so to restore perform the following:

1. Reboot the computer
2. At the boot menu select "Windows 2000 Server" but do NOT press Enter. Press F8 for advanced options
   OS Loader V5.0
   
   Windows NT Advanced Options Menu
   Please select an option:
   
     Safe Mode
     Safe Mode with Networking
     Safe Mode with Command Prompt
   
     Enable Boot Logging
     Enable VGA Mode
     Last Known Good Configuration
     Directory Services Restore Mode (Windows NT domain controllers only)
     Debugging Mode
   
   Use | and | to move the highlight to your choice.
   Press Enter to choose.
3. Scroll down and select "Directory Services Restore Mode (Windows NT domain controllers only)"
4. Press Enter
5. You will be taken back to the boot menu and now press Enter to Windows 2000 Server (notice at the bottom of the screen in red the text 'Directory Services Restore Mode (Windows NT domain controllers only)' will be shown)

The computer will boot into a special safe mode and will not start the Directory Service. Be warned that during this time the machine will not act as a domain controller and will perform not perform authentication etc.

1. Start NTBACKUP.EXE
2. Select the Restore tab
3. Select the backup media and select "System State"
4. Click 'Start Restore'
5. Click OK to the confirmation

Once you have restored the backup reboot the computer and start in normal mode to start using the restored information. You may find a hang after the restore has completed and I found a 30 minute wait on some machines.

---

Q. What are the FSMO roles in Windows 2000?

A. In Windows 2000 all domain controllers are equal and through a process known as multi-master replication changes are replicated to all domain controllers in the domain. However in keeping with George Orwell's Animal Farm some Domain Controllers are more equal than others.

Multi-master replication resolves conflicts however in some situations it is better to stop the conflict before it happens and to this end there are five difference Flexible Single Master of Operations (FSMO) roles (formally known as Floating Single Master of Operations as the roles were originally going to be dynamically changeable) each managing an aspect of the domain/forest. These roles can be moved between domain controllers but not dynamically, they must be manually moved in the same manner as a BDC has to be manually promoted to a PDC.

There are two types of roles, some are per domain, some are per forest. Only a domain controller in the domain can hold a domain specific FSMO role, any domain controller in the forest can hold a forest FSMO role. Domain controllers cannot hold FSMO roles in other domains/forests.

These roles are assigned in different GUI ways or using the NTDSUTIL utility.

The five roles are defined below:

Role name	Description	Per domain/forest
Schema master	At the heart of the Active Directory is the schema which is like the blueprint of all objects/containers. Since the schema has to be the same throughout the entire forest only one machine can authorize modifications to the schema.	One per forest
Domain naming master	To add a domain to the forest its name has to be verifiably unique and so the Domain naming master FSMO's of the forest is contacted to authorize the domain name operation.	One per forest
RID master	Any domain controller can create new objects (such as a user, group, computer account) however after creating 512 user objects the domain controller must contact the domains RID master for another 512 RID's (it actually contacts when it has less than 100 RID's left, this means the RID master can be unavailable for short periods of time without causing object creation problems). This is to ensure each object has a unique RID. When a DC creates a security principal object it attaches a unique SID to the object. The SID is created using the domain SID and a relative ID (the RID). The RID master has to be available when attempting to move objects between domains with the resource kit movetree utility.	One per domain
PDC emulator	For backwards compatibility reasons one domain controller in each 2000 domain must emulate a PDC for the benefit of 4.0 and 3.5 domain controllers and clients.	One per domain
Infrastructure master	When a user and group are in different domains there can be a lag between changes to the user (e.g. name) and its display in the group. The infrastructure master of the groups domain is responsible for fixing up the group-to-user reference to reflect the rename. The infrastructure master performs is fixups locally and relies upon replication to bring all other replicas of the domain up to date.	One per domain

The PDC emulator also has some special roles even in native mode:

• failed authentication requests
• for downlevel clients who issue a change which would normally go to the PDC in a NT4.0 domain (password, etc).
• focus of best effort push of password changes an account lockouts.
• timeserver clients contact DC, DC contacts PDC emulator, PDC emulator contacts PDC on level up, PDC emulator root domain could use SNTP to contact an atomic internet clock.
• focus of group policies, if you edit or create group policy you will contact the PDC, if this one isn't there you will get the choice to select an other DC.

---

Q. How can I change the RID master FSMO?

A. The RID master is defined here.

To modify the role perform the following:

1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
3. Select the domain controller you wish to make the FSMO role owner and click OK.
   
4. Right click on the domain again and select 'Operations Masters' from the context menu
5. Select the 'RID Pool' tab
6. The current machine holding the RID master FSMO role will be shown. To change click 'Change..'
   
7. Click OK to the confirmation dialog.
8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands it bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer rid master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit

---

Q. How can I change the PDC emulator FSMO?

A. The PDC emulator is defined here.

To modify the role perform the following:

1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
3. Select the domain controller you wish to make the FSMO role owner and click OK.
   
4. Right click on the domain again and select 'Operations Masters' from the context menu
5. Select the 'PDC' tab
6. The current machine holding the PDC emulator FSMO role will be shown. To change click 'Change..'
   
7. Click OK to the confirmation dialog.
8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands it bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer pdc

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit

---

Q. How can I change the Infrastructure master FSMO?

A. The Infrastructure master is defined here.

To modify the role perform the following:

1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
3. Select the domain controller you wish to make the FSMO role owner and click OK.
   
4. Right click on the domain again and select 'Operations Masters' from the context menu
5. Select the 'Infrastructure' tab
6. The current machine holding the Infrastructure FSMO role will be shown. To change click 'Change..'
   
7. Click OK to the confirmation dialog.
8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands it bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer infrastructure master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit

---

Q. How can I change the Domain naming master FSMO?

A. The Domain naming master is defined here.

To modify the role perform the following however make sure the machine is a global catalog:

1. Start the Active Directory Domains and Trusts MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Domains and Trusts)
2. In the left hand pane right click on 'Active Directory Domains and Trusts' and select 'Connect to Domain Controller' from the context menu
3. Enter the domain controller to connect to.
   
4. Right click on 'Active Directory Domains and Trusts' and select 'Operations Master' from the context menu
5. The current machine holding the Domain name operations FSMO role will be shown. To change click 'Change..'
   
6. Click OK to the confirmation dialog.
7. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands it bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer domain naming master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit

---

Q. How can I change the Schema master FSMO?

A. The Schema master is defined here.

To modify the role perform you must use the 'Active Directory Schema Manager' and you must first register the .dll for the MMC snap-in

C:\> regsvr32 schmmgmt.dll

You can now start the Schema Manager via the Resource Kit Tools console or by creating a custom MMC and add the Active Directory Schema snap-in to it (Start - Run - MMC - Console menu - Add/Remove Snap-in - Add - Active Directory Schema - Add - Close - OK)

1. Start the Active Directory Schema MMC snap-in on the Domain Controller (using on of the methods above)
2. In the left hand pane right click on 'Active Directory Schema' and select 'Change Domain Controller' from the context menu
3. Enter the domain controller to connect to.
   
4. Right click on 'Active Directory Domains Schema' and select 'Operations Master' from the context menu
5. The current machine holding the Domain name operations FSMO role will be shown. To change click 'Change..'
   
   You can also set the registry to allow changes to the Schema by checking the Schema modification box. Also notice this machine is already the schema master.
6. Click OK to the confirmation dialog.
7. A dialog confirming the role change will be displayed.

To modify the role from the command line enter the commands in bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer schema master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Si tes,CN=Configuration,DC=savilltech,DC=com PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites ,CN=Configuration,DC=savilltech,DC=com Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Na me,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit

---

Q. What is Multi-master replication?

A. In a Windows 2000 domain, all domain controllers are equal which means changes can be made on ANY domain controller and each servers complete domain directory has to be kept up-to-date with each other through a process of multi-master replication.

Each time a change is made to the Active Directory the servers Update Sequence Number, or USN, where the change is implemented is incremented by one and this USN is also stored along with the change to the property of the object modified. These changes have to be replicated to all domain controllers in the domain and the Update Sequence Number provides the key to the multi-master replication.

Update Sequence Number increments are atomic in operation which means that the increment to the USN and the actual change occurs simultaneously, if one part fails the whole change fails which means its not possible for a change to be made without the USN to be incremented, which means changes will never be "lost". Each domain controller keeps track of the highest USN's of the other domain controllers that it replicates with so it can calculate which changes it needs to be replicated on each replication cycle.

At the start of the replication cycle each server checks its Update Sequence Number table and then queries the domain controllers it replicates with for their latest USN's. For example the table below represents the USN table for server A

DC B	DC C	DC D
54	23	53

Server A then queries the domain controllers for their current USN's and gets the following:

DC B	DC C	DC D
58	23	64

From this server A can calculate the changes it needs from each server:

DC B	DC C	DC D
55,56,57,58	Up-to-date	54-64

It would then query each server for the changes needed.

It is possible for multiple changes to the same property of an object to occur, and collisions are detected via a Property Version Number (PVN) which every property has. These work like the USN's and each time a property is modified, the PVN is incremented by one.

In the event of a modification to the same property of the same object then the change with the highest PVN takes precedence, and if the PVN's are the same for a property update then a collision has occurred. If the PVN's match then the time stamp is used to resolve any conflicts. Each change is time stamped and this highlights the need for the domain controllers time to be accurate with one-an-other. In the highly unlikely event that the PVN's match AND the time stamp is the same then a binary buffer comparison is carried out with the larger buffer size change taking precedence. Property Version Numbers are only incremented on original writes and not on replication writes (unlike USN's) and are not server specific but rather travels with the property.

A propagation-dampening scheme is also use to stop changes being repeatedly sent to other servers which already have the change and to this end each server keeps a table of up-to-date vectors which are the highest originating writes that are received from each controller and take the form of:

<the change>,<domain controller making the original change>,<USN of the change>

For example

<object savillj, property Password xxx>,Titanic,54

Domain controllers then also send this information with the USN's so they can calculate if they already have the change the other domain controllers are trying to replicate.

---

Q. How can I move objects within my Forest?

A. The Windows 2000 Resource Kit ships with the MOVETREE.EXE utility which can be used to move organization units, users or computers between domains in a single forest. This is useful for the consolidation of domains or to reflect organization restructuring.

Certain objects cannot be moved with MOVETREE such as Local and Domain Global groups and if the container they are in is moved these objects will be placed in an "orphan" container in the "LostAndFound" container in the source domain.

Associated data is not moved with MOVETREE such as policies, profiles, logon scripts and personal data. To accomplish the movement of these items you should write custom scripts using the 'Remote Administration Scripts'.

The syntax of MOVETREE is

MoveTree [/start | /continue | /check] [/s SrcDSA] [/d Dst] [/sdn SrcDN] [/ddn DstDN] [/u Domain\Username] [/p Password] [/quiet]

/start	Start a move tree operation with /check option by default. Instead, you could be able to use /startnocheck to start a move tree operation without any check.
/continue	Continue a failed move tree operation.
/check	Check the whole tree before actually move any object.
/s <SrcDSA>	Source server's fully qualified primary DNS name. Required
/d <DstDSA>	Destination server's fully qualified primary DNS name. Required
/sdn <SrcDN>	Source sub-tree's root DN. Required in Start and Check case. Optional in Continue case
/ddn <DstDN>	Destination sub-tree's root DN. RDN plus Destinaton Parent DN. Required
/u <Domain\UserName>	Domain Name and User Account Name. Optional
/p <Password>	Password. Optional
/quiet	Quiet Mode. Without Any Screen Output. Optional

You should first run in /check mode as this will perform a test without actually performing the move. Any errors will be displayed and also written to the file movetree.err in your current directory. If the test is OK run with the /start option.

An example use would be

C:\> movetree /check /s titanic.market.savilltech.com /d pluto.legal.savilltech.com /sdn OU=testing,DC=Market,DC=Savilltech,DC=COM /ddn OU=test2,DC=Legal,DC=Savilltech,DC=COM

This would move the OU testing from domain market.savilltech.com to test2 in domain legal.savilltech.com.

---

Q. How do I allow modifications to the Schema?

A. The Schema is extensible which means it can be changed but modifying the Schema is a dangerous task as it will affect the entire domain Forest (since a forest shares a common schema) and someone at Microsoft once said the following:

"If you find you have to change the schema find another way. If you still have to, look again. If after all that you find you still need to change the schema you better make sure your managers are fully aware of the implications"

That being said to allow modifications there are two ways.

If you want to use the GUI first register the .dll for the MMC snap-in (if you haven't all ready)

C:\> regsvr32 schmmgmt.dll

You can now start the Schema Manager via the Resource Kit Tools console or by creating a custom MMC and add the Active Directory Schema snap-in to it (Start - Run - MMC - Console menu - Add/Remove Snap-in - Add - Active Directory Schema - Add - Close - OK)

1. Start the Active Directory Schema MMC snap-in on the Domain Controller (using on of the methods above)
2. In the left hand pane right click on 'Active Directory Schema' and select 'Operations Master' from the context menu
3. The current machine holding the Domain name operations FSMO role will be shown.
   
   Check the "The Schema may be modified on this server" box.
4. Click OK to the confirmation dialog.

This can also be accomplished by directly editing the registry

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. Double click on 'Schema Update Allowed' (of type REG_DWORD)
4. Set to 1.
5. Click OK
6. Close the registry editor

Other related FAQ items:

• Q. What is the Schema?
• Q. What are the FSMO roles in Windows 2000?

---

Q. What are Tombstone objects?

A. Because of the complex replication available in Windows 2000 and the Active Directory just deleting an object would result in it potentially being recreated at the next replication interval and so deleted objects are 'Tombstoned' instead. This basically marks them as deleted and applies to all objects.

Objects marked as tombstoned are actually deleted 60 days after their original tombstone status setting, however this time can be changed by modifying tombstonelifetime under cd=DirectoryServices,cn=WindowsNT,cn=Services,cn=Configuration,dc=DomainName however it is not advised.

---

Q. How do I switch my 2000 domain to native mode?

A. Windows 2000 domains have two modes, mixed and native. Mixed mode domains allow Windows NT 4.0 Backup Domain Controllers to participate in a Windows 2000 domain.

In native mode only 2000 based domain controllers can participate in the domain and 4.0 based Backup Domain Controllers will no longer be able to act as domain controllers. Also the switch to native mode allows use of the new "Universal" groups which unlike global groups can be nested inside each other. Older NetBIOS based clients will still be able to logon using the NetBIOS domain name even in native mode.

To perform the switch perform the following:

1. Start the Active Directory Domains and Trusts MMC snap-in
2. Right click on the domain you want to convert to native mode and select Properties
3. Select the General tab
   
4. Click the 'Change Mode' button
5. Click Yes to the confirmation
6. Click Apply to the main dialog
7. A success message will be displayed. Click OK
   
8. Reboot the machine (although I have been told a reboot is not needed).

You will need to check all other domain controllers in the domain and when the domain operation mode says "Native Mode" (instead of mixed mode) reboot them. This can take 15 minutes (or more if contact is not able to be made).

If a domain controller cannot be contacted (if on a remote site and only connects periodically) when you make the change the remote DC will switch mode the next time replication occurs.

---

Q. How can I force replication between two domain controllers in a site?

A. In Windows NT 4.0 replication between domain controllers could be forced using Server Manager. Replication can also be forced with Windows 2000 domain controllers as follows.

1. Start the Active Directory Sites and Services MMC snap-in
2. Expand the sites branch which will show the various sites
3. The default site 'Default-First-Site-Name' may be your only site. Expand the site containing the domain controllers
4. Expand the servers
5. Select the server who you want to replicate to and expand it
6. Double click on NTDS Settings for the server
7. Right click on the server you want to replicate from
8. Select 'Replicate Now' from the context menu
9. Replication will occur. Click OK to the confirmation dialog.


This would replicate from TITANIC to the VENUS domain controller

The replication is one way and if you want two way replication you will need to replicate in each direction.

---

Q. How can I change replication schedule between two domain controllers in a site?

A. By default domain controllers will replicate once an hour the schema/configuration information (see 'Q. How does replication work intra-site in Windows 2000?' for information on the type of replicated data) but this can be changed as follows. This is only for domain controllers in a single site, cross site replication is configured differently.

1. Start the Active Directory Sites and Services MMC snap-in
2. Expand the sites branch which will show the various sites
3. The default site 'Default-First-Site-Name' may be your only site. Expand the site containing the domain controllers
4. Expand the servers
5. Select the server who you want to configure replication to and expand it
6. Double click on NTDS Settings for the server
7. Right click on the server you want set replication from
8. Select 'Properties' from the context menu
9. Select the 'Active Directory Service connection' tab
10. Click the 'Change Schedule...' button
11. Modify the replication as required. Click OK
    
12. Click Apply then OK

This replication schedule is one way and would to be repeated for the other direction. Remember this is the minimum replication. Any changes made will cause a notification to be made after 5 minutes causing replication.

---

Q. Can I rename a site? - Windows 2000

A. Basically yes. When you install your first domain controller it creates a default site of Default-First-Site-Name which is not very helpful and can be changed as follows:

1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services)
2. Expand the Sites branch
3. Right click on the site you wish to rename (e.g. Default-First-Site-Name) and select rename (or just select the site and press F2)
   
4. Enter the new name and press Enter

That's it!

---

Q. What DNS entries are added when a Windows 2000 domain is created?

A. Windows 2000 domains rely heavily on DNS entries however the entries are created automatically providing you have enable dynamic update on the relevant DNS zones. Below are explanations of what the entries are used for:

_ldap._tcp.<DNSDomainName>
Allows a client to localte a Windows 2000 domain controller in the domain named by <DNSDomainName>. A client searching for a DC in domain savilltech.com would query the DNS server for _ldap._tcp.savilltech.com

_ldap._tcp.<SiteName>._sites.<DNSDomainName>
This allows a client to find a Windows 2000 domain controller in the Domain and site specified, e.g. _ldap._tcp.london._sites.savilltech.com for a DC in the London site of savilltech.com

_ldap._tcp.pdc._ms-dcs.<DNSDomainName>
Allows a client to find the Primary Domain Controller (PDC) FSMO role holder of a mixed-mode domain. Only the PDC of the domain registers this record.

_ldap._tcp.gc._msdcs.<DNSTreeName>
Allows a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. Should a server cease to be a GC it will deregister the record.

_ldap._tcp.<site>._sites.gc._msdcs.<DNSTreeName>
Allows a client to find a Global Catalog (GC) server in the specified site, e.g. _ldap._tcp.london._sites.gc._msdcs.savilltech.com.

_ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>
Allows a client to find a domain controller in a domain based on its Globally Unique IDentifier (GUID). A GUID is a 128-bit (8 byte) number this is generated automatically for referencing objects in the Active Directory.

<DNSDomainName>
Allows clients to find a Domain Controller by a normal Host record.


Example DNS screen for a domain

---

Q. How can I manually defragment the Active Directory? - Windows 2000 only

A. By default Windows 2000 servers running directory services will perform a directory online defragmentation every 12 hours (by default) as part of the garbage collection process. This defragmentation only moves data around the database file (NTDS.DIT) and does not reduce its size.

To create a new, smaller NTDS.DIT and offline defragmentation must be performed as follows:

1. Backup the Active Directory (as seen in 'Q. How can I backup the Active Directory/System State?')
2. Reboot the server, select the OS option and press F8 for advanced options. Select the 'Directory Services Restore Mode' option and press Enter. Press Enter again to start the operating system.
3. Windows 2000 will start in safe mode with no directory service running. Logon using the Administrator account and password if the LOCAL SAM.
4. A dialog informing you are in safe mode will be displayed. Click OK
5. From the Start menu select Run and type
   CMD.EXE
6. A command window will be displayed. Type the words in red:
   C:\> ntdsutil
   ntdsutil: files
   file maintenance: info
   ....
   file maintenance: compact to c:\temp
7. The progress of the defragmentation will be shown. If successful type quit twice to return to the command prompt
8. Now replace the old NTDS.DIT with the new compressed version
   C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
9. Restart the computer and boot as normal

Below is an example of the entire procedure

Microsoft Windows 2000 [Version 5.00.2031]
(C) Copyright 1985-1999 Microsoft Corp.

D:\>ntdsutil
ntdsutil: files
file maintenance: info

Drive Information:

C:\ FAT (Fixed Drive ) free(1.2 Gb) total(1.9 Gb)
D:\ NTFS (Fixed Drive ) free(152.4 Mb) total(1.9 Gb)

DS Path Information:

Database : D:\WINNT\NTDS\ntds.dit - 8.1 Mb
Backup dir : D:\WINNT\NTDS\dsadata.bak
Working dir: D:\WINNT\NTDS
Log dir : D:\WINNT\NTDS - 30.0 Mb total
res2.log - 10.0 Mb
res1.log - 10.0 Mb
edb.log - 10.0 Mb
file maintenance: compact to c:\temp
Opening database [Current].
Using Temporary Path: C:\
Executing Command: D:\WINNT\system32\esentutl.exe /d "D:\WINNT\NTDS\ntds.dit" /
/o /l"D:\WINNT\NTDS" /s"D:\WINNT\NTDS" /t"c:\temp\ntds.dit" /!10240 /p


Initiating DEFRAGMENTATION mode...
Database: D:\WINNT\NTDS\ntds.dit
Log files: D:\WINNT\NTDS
System files: D:\WINNT\NTDS
Temp. Database: c:\temp\ntds.dit

Defragmentation Status ( % complete )

0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................

Note:
It is recommended that you immediately perform a full backup
of this database. If you restore a backup made before the
defragmentation, the database will be rolled back to the state
it was in at the time of that backup.

Operation completed successfully in 17.896 seconds.


Spawned Process Exit code 0x0(0)

If compaction was successful you either need to
copy "c:\temp\ntds.dit" to "D:\WINNT\NTDS\ntds.dit"
or run:
D:\WINNT\system32\ntdsutil.exe files "set path DB \"c:\temp\"" quit quit
file maintenance: quit
ntdsutil: quit

D:\>copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
Overwrite D:\WINNT\ntds\ntds.dit? (Yes/No/All): y
1 file(s) copied.

---

Q. How can I audit the Active Directory?

A. It is possible to configure auditing on the Active Directory to produce both successful and failed entries in the Directory Service event log.

To configure perform the following:

1. Start the 'Active Directory Users and Computers' MMC snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
2. From the View menu select 'Advanced Features'
3. Expand the domain, right click on the 'Domain Controllers' container and select Properties from the context menu
4. Select the 'Group Policy' tab
5. Select 'Default Domain Controllers Policy' and click Edit
6. Expand the Computer Configuration branch, the Windows Settings branch, Security Settings branch, and finally the Local Policies branch
7. Select 'Audit Policy'
8. In the right hand window it will show auditing levels
9. Double click 'Audit Directory Service Access'
10. Check the relevant boxes (e.g. Audit success, audit fail). Click OK
    
11. Close the Group Policy window
12. Click OK to the main Domain Controllers Properties dialog
13. Close the Active Directory and Users MMC snap-in

The logs can be viewed in the Security Log (using Event Viewer). The policy change may take a while to take effect as domain controllers poll for policy changes every five minutes. Other domain controllers in the enterprise receive the changes at this interval plus the time of replication.

---

Q. How can I automate a server upgrade to a Domain Controller during installation?

A. Its possible to run the DCPROMO.EXE utility automatically during an unattended installation using the following method:

The Dcpromo process can be scripted by using the dcpromo /answer:%path_to_answer_file% command. In the following example, the [DCInstall] section and parameters are added directly to the unattended answer file. The parameters for the DCInstall section are detailed in the Unattend.doc supplied with the resource kit but below are the main entries:

AdministratorPassword	The new password for the domain Administrator account
AutoConfigDNS	Indicates if the wizard should configure DNS
ChildName	Name of the child part of domain
CreateOrJoin	Specifies if the domain will join an existing forest or create a new one
DatabasePath	Location for the Active Directory database
DNSOnNetwork	Used when a new forest of domains is being installed and no DNS client is configured on the computer
DomainNetBiosName	NetBIOS name for the domain
IsLastDCInDomain	Only valid when demoting an existing domain controller to a member server
LogPath	Path for the DS logs
NewDomainDNSName	Name of the new tree or when a new forest is being created
ParentDomainDNSName	Specifies name of parent domain
Password	Password for username being used to promote server
RebootOnSuccess	Whether an automatic reboot should be performed
ReplicaDomainDNSName	Name of the domain to be replicated from
ReplicaOrMember	Specifies if a 3.51 or 4.0 BDC being upgraded should become a replica domain controller or be demoted to a regular member server.
ReplicaOrNewDomain	Specifies if this is a new DC in a new domain or if its a replica of existing domain
SiteName	Name of the site, by default this is "Default-First-Site"
SysVolPath	Path of SYSVOL
TreeOrChild	If this is a new tree of child of existing domain
UserDomain	Domain for the user being used in promotion
UserName	Name of user performing the upgrade

Because this process occurs after setup, the answer file created is named $winnt$.inf and is copied to the \system32 folder. Because the parameters are in this file, you must add the following text to the [GUIRunOnce] section of the unattended Setup answer file:

[GUIRunOnce] "DCpromo /answer:%systemroot%\system32\$winnt$.inf"

Once the Dcpromo process completes, password information is removed from the $winnt$.inf file. To make this process easier because the Run-once command does not execute until someone logs on to the computer, you can add the following text to the unattended answer file:

[GUIUnattended]
Autologon = yes ; automatically logs on the administrator account
AutoLogoncount = n ; number of times to perform auto-admin logon 

Easy :-) Don't use items like %systemroot% or %windir% etc as they are not understood during unattended installations.

You can just create a [DCInstall] section directly in your unattend.txt file and to avoid having multiple unattended setup files.

[DCInstall]
AdministratorPassword = cartman
CreateOrJoin = Create
DomainNetBiosName = savtech
NewDomainDNSName = savtech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "London"
TreeOrChild = Tree

The script above would create a new forest with domain savtech.com at the top with the created domain controller in site London. Default locations for the SYSVOL, logs and Active Directory files will be used. The new domain Administrator account password would be cartman (Southpark rules!).

You can of course use this outside of an unattended installation if you wish after you've installed by just typing:

DCPROMO /answer:<DCInstall answer filename>

A small dialog saying DCPROMO is running in unattended mode will be displayed and then it will reboot.

---

Q. How do I enable circular logging for the Active Directory?

A. Active Directory can record either sequential or circular logs, although sequential is the default and is preferred. Circular logs overwrite transactions at specific intervals, whereas sequential logs are never overwritten (but data in sequential log files whose transactions have been committed to the database are deleted during garbage collection intervals.) 

Sequential log files are not overwritten with new data. They grow until they reach a specified size. Once all the transactions in a log file are committed to the database, this log file is no longer needed. Active Directory’s garbage collection process deletes unnecessary log files every 12 hours (the default garbage collection interval). If your server never stays up longer than 12 hours between reboots, the old log files are never cleaned up and they take up more and more space on the disk (but you have bigger problems :-) ).

Some administrators prefer circular logging because it helps minimize the amount of logged data stored to the physical disk. Imagine circular logs as a donut with new data overwriting the oldest as needed. You must edit the registry to enable circular logging. 

1. Start regedt32.exe
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. If the value CircularLogging does not exist select New - String value from the Edit menu and enter a name of CircularLogging
4. Double click CircularLoggin and set to 1 to enable (0 for disable and sequential log files)
5. Close the registry editor
6. Restart the directory service via a reboot for the change to take effect

---

Q. I can't add a 4.0 BDC to my Windows 2000.

A. A 4.0 BDC in a Windows 2000 is a supported configuration however a problem exists when the 4.0 BDC machine account tries to be created.

The Machine Account for This Computer either does not exist or is inaccessible.

If you attempt to add the computer account from an already installed Windows NT 4.0-based BDC using the Srvmgr tool, the following message occurs:

The Network Request is not supported.

The following error message is logged on the Windows 2000-based PDC:

Source: SAM
EVENT ID: 12298
DESCRIPTION:The Account "COMPUTER$" Cannot be converted to be a domain controller account as its object class attribute in the directory is not a computer or is not derived from computer. If this is caused by an attempt to install a pre Windows 2000 Domain, then you should recreate the account for the domain controller with the correct object class.

To workaround this problem use the SRVMGR tool that is shipped with Windows 2000 to create the account.

---

Q. I can't have spaces in my Windows 2000 NetBIOS domain name, why?

A. In a Windows NT 4.0 based domain a space is a legal character in the NetBIOS domain name. Windows 2000 domains are DNS based are therefore DNS names however a NetBIOS name is also given for backwards compatibility. DNS does not allow a space in a name and so to keep consistency Microsoft have now removed the space as a legal character in a 2000 NetBIOS domain name.

It can contain the following special characters:

   ! @ # $ % ^ & ( ) - _ ' { } . ~ 

The Following characters are not allowed:

   \ * + = | : ; " ? < > , 

---

Q. How can I create trusts from the command line in Windows 2000.

A. Windows 2000 Resource Kit ships with TRUSTDOM.EXE which enables trust relationships to be defined between Windows 2000 domains and one way relationships with 4.0 domains.

The trustdom syntax is:

C:\> trustdom [[domain[:dc],]target_domain[:dc]] [Options] 

The default switch is "-out." There are two methods a one-way trust is created:
• An outbound trust on the local/specified domain.
• An inbound trust on the specified target domain.

There are a number of other switches which can be listed with the /? switch.

See Knowledge Base article Q232050 (http://support.microsoft.com/support/kb/articles/Q232/0/50.ASP) for more information and examples.

---

Q. How can I modify the number of objects searched in Windows 2000?

A. By default Active Directory searches are limited to 10,000 objects in a search however this can be changed as your organization grows. This policy affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users & Computers, and dialog boxes used to set permissions for user or group objects in Active Directory. To change use either of the following two methods:

To set for a group policy object:

1. Start the Active Directory Users and Computers MMC snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
2. Right click on the container and select Properties
3. Select the Group Policy tab
4. Select the Group Policy Object and select Edit
5. Select the 'User Configuration' branch and expand Administrative Templates - Desktop - Active Directory
6. Double click on 'Maximum size of Active Directory searches'
7. Set to enabled and then set the number, e.g. 20000. Click Apply then OK
   
8. Close the Group Policy Editor

To set directly for a user via the registry:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_CURRENT_USER\Software\Policies\Microsoft
3. From the Edit menu select New - Key
4. Enter a name of 'Windows' (don't type the quotes)
5. Move to the Windows key and from the Edit menu select New - Key
6. Enter a name of 'Directory UI' (don't type the quotes)
7. Move to the Directory UI key (you should now be at HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Directory UI)
8. From the Edit menu select New - DWORD value
9. Enter a name of 'QueryLimit' and press Enter
10. Double click the new value and set to the decimal value required, e.g. 20000. Click OK
11. Close the registry editor

The change for both methods will take effect at next logon for the user.

---

Q. I can't create an OU/child domain with the same name from a single parent, why?

A. While X.500 does all both an OU and child domain to share a common name this is not possible with Active Directory as it would cause problems with the relative distinguished name. If you attempt to create an OU where a child domain already exists with the same name you will get error:

Active Directory

Windows cannot create the object because: An attempt was made to add an object to the directory with a name that was already in use.
Name-related properties on this object might now be out of sync.
Contact your network administrator.

If you try and create the child domain and an OU already exists with the same name the error below will be displayed:

Active Directory Installation Failed

The operation failed because: The Directory Service failed to create the object CN=Sales, CN=Partitions, CN=Configuration, DC=Savilltech, DC=Com. Please check for possible system errors. "The directory service is busy"

There is no workaround to this and is a known restriction.

---

Q. How are objects named in the Active Directory?

A. There are a number of methods available to name objects in the Active Directory, the most popular of which is the Distinguished Name or DN. An excellent RFC exists for DN explanation at http://www.cis.ohio-state.edu/htbin/rfc/rfc1779.html but I'll run over the basics here.

Every object in the Active Directory has a distinguished name and it uniquely identifies the object in the directory service, for example:

/O=Internet/DC=COM/DC=SavillTech/CN=Users/CN=John Savill

This breaks down as follows:

• /O=Internet - Organization=Internet
• /DC=COM - Domain Component=COM
• /DC=SavillTech - Domain Component=SavillTech (put together is savilltech.com)
• /CN=Users - Common Names=Users
• /CN=John Savill - Common Names=John Savill

You could also see OU for Organizational Unit.

A Relative Distinguished Name (RDN) is also used which is also known as the friendly name, for example the RDN of the above for John Savill would be CN=John Savill, the RDN for the users container would be CN=Users.

Also supported are LDAP URL names which begin with LDAP:\\, a LDAP server then a DN (of sorts) identifying the object, e.g.

LDAP://titanic.savilltech.com/cn=JSavill,ou=Sales,dc=SavillTech,dc=com

Finally are LDAP Canonical names which are the LDAP name without the ou=,cn= etc which are used by many of the admin tools, for example:

savilltech.com/Sales/JSavill

Of course in actual fact objects are stored using a GUID (Globally Unique IDentifier) which as a 128 but number generated at object creation time and is stored in object attribute objectGUID and can NEVER change but lets not worry about that :-)

Finally we have the User Principal Name and SAM account name. The UPN is of the format <user>@<DNS domain name>, e.g.

jsavill@savilltech.com

The SAM name is the old 4.0 format and must be unique throughout the entire organization due to its single layer convention, e.g. savillj.

---

Q. How does replication work intra-site in Windows 2000?

A. Windows 2000 includes a component called the Knowledge Consistency Checker (KCC) which automatically manages the replication within a site.

A bi-directional ring topology is used intra-site using RPC (Remote Procedure Call) over TCP/IP without any kind of compression. This is because domain controllers within a site are thought to be on a fast network (as per the definition of a site) and the extra processing required to compress/uncompress is undesirable.

The KCC runs every 15 minutes adjusting the topology as needed and as new domain controllers are created they are automatically placed in the ring. You can view these links using the Active Directory Sites and Services MMC snap-in by expanding the site, expand the Servers container, expand the server and under the ‘NTDS Settings’ leaf are the created connection objects.

The rings are ordered by the domain controller's GUID (Globally Unique IDentifier) as a means to ensure convergence on a single topology as the KCC runs on all domain controllers.

There is an exception to the ring rule. There can never be more than 3 hops between any two domain controllers within the ring and so of there are 7 or more domain controllers extra links are added to protect the 3 hop rule.



Notice in the above two extra non-ring links have been added to enable no more than 3 hops to any domain controller.

These rings are for same naming context (domains) in a single site. If you had multiple domains in a site there would be rings for each domain within the site.

There is a second type of ring however which replicates schema and configuration information between the domain controllers and as this information is shared between all domains (its forest wide) there is only one ring for each site. This means if you had two domains in a site you would have 3 rings, one each for the two domains and one for the schema/configuration information. If you only have a single domain in a site the two rings are actually one and the same.



Any manual configuration of intra-site replication should not be needed and is not recommended by Microsoft. The only task you may ever find yourself performing is to add extra connection objects to reduce the hop count between domain controllers.

When a change is made to the naming context (domain) data the domain controller waits a configurable interval that is 5 minutes by default. The change is written to the domain controller’s local copy of the Active Directory, a timer is started that determines when the domain controller's replication partners should be notified of the change (the 5 minutes). When this interval elapses, the domain controller initiates a notification to each intra-site replication partner that it has changes that need to be propagated. In this 5 minutes changes can continue to be made to the local Active Directory enabling all changes to be grouped and sent after the 5 minutes.

If no changes are reported for a configurable period (as defined in the intra-site connection object schedule) a replication sequence will be initiated to ensure no changes have been missed.

There is a concept of urgent replication that can be triggered by the SAM or the LSA (Local Security Authority) and is initiated for the following events:

• Replicating a newly locked out account (useful for when you have fired someone)
• Changing an LSA secret (i.e. a trust account)
• The RID Manager state changes

Any of the above causes a notification to be sent within the site triggering immediate replication. As this uses notification this is only intra-site however you can modify site links to enable notification, as normally they will only replicated as per the schedule.

An exception to the multi-master normal replication is user passwords. As with any other attribute change the password can be changed at any domain controller however the change is then pushed to the PDC FSMO role holder on a best attempt basis. Any other domain controllers receive the password through normal replication.

The reason for this extra password work is that in the event of password validation failing the domain controller validating will pass the request to the PDC FSMO in case the password has been changed and it has now yet received via standard replication.

The schema/configuration data is replicated once an hour by default between domain controllers but can be changed as seen in 'Q. How can I change replication schedule between two domain controllers in a site?'.

---

Q. How can I change the intra-site replication interval in Windows 2000 for domain information?

A. As we saw in 'Q. How does replication work intra-site in Windows 2000?' replication for naming context data is replicated intra-site 5 minutes after the change is made to allow any further changes to be grouped and sent together. This 5 minute pause can be changed via the registry:

1. Start the registry editor (regedit.exe)
2. Move HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. Double click on ‘Replicator notify pause after modify (secs)’
4. Set to the number of seconds you wish for the pause. Click OK
5. Close the registry editor
6. Reboot

You will also notice another parameter, ‘Replicator notify pause between DSAs (secs)’ under the same registry key which determines the number of seconds to pause between notification of the Directory Service Agents. This parameter prevents simultaneous replies by the replication partners.

---

Q. How can I set the RPC port used for Intra-site replication?

A. By default the port used for the RPC replication is dynamically set as a secure measure. It may be desirable to set the port however (for the purposes of monitoring data etc.) and this can be enabled by performing the following registry change:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. From the Edit menu select New - DWORD value
4. Enter a name of 'TCP/IP Port' (don't enter the quotes) and press enter
5. Double click the new entry and set to the port you want it to use (make sure its not in use, e.g. 1352)
6. Close the registry editor
7. Reboot

After monitoring is complete be sure to remove this entry to regain the security of dynamic RPC port allocation.

---

Q. What tools are available to monitor/change replication?

A. The first tool you use is the Sites and Services MMC snap-in which enable the viewing/creation/deletion of connection objects however there are other tools available.

The Windows 2000 resource kit provides REPLMON.EXE and REPADMIN.EXE which are very useful.

Repadmin.exe is a command line tool which enables replication consistency to be checked, for a KCC recalculation etc. A good switch is /showreps which displays a list of replication partners. The invocation ID is the database GUID and will also show reason for problems.

D:\>repadmin /showreps
London\TITANIC
DSA Options : IS_GC
objectGuid : 221d9d34-540e-4a7b-bd26-054c11e2d1ad
invocationID: 221d9d34-540e-4a7b-bd26-054c11e2d1ad

==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=savilltech,DC=com
London\TITUS via RPC
objectGuid: 2000eb93-cc24-4af7-9ad2-c52129c98c7a
Last attempt @ 1999-12-06 20:32.20 failed, result 8524:
Can't retrieve message string 8524 (0x214c), error 1815.
Last success @ 1999-09-17 20:53.45.
463 consecutive failure(s).
London\TRINITY via RPC
objectGuid: df3694d2-b4e9-4d9a-a560-3e8c26c48a89
Last attempt @ 1999-12-06 20:32.21 failed, result 8524:

Another neat option is /showmeta which will have all object information, version numbers etc.

C:\>repadmin /showmeta cn=garfield,DC=savtech,DC=com

45 entries.

Loc.USN Originating DSA Org.USN Org.Time/Date Ver At
tribute
======= =============== ======= ============= === ==
=======
99649 London\MORPHEUS 99649 1999-12-08 09:50.10 1 ob
jectClass
99649 London\MORPHEUS 99649 1999-12-08 09:50.10 1 cn

99650 London\MORPHEUS 99650 1999-12-08 09:50.10 1 de
scription
99649 London\MORPHEUS 99649 1999-12-08 09:50.10 1 gi
venName
99649 London\MORPHEUS 99649 1999-12-08 09:50.10 1 in
stanceType


Replmon.exe is a GUI tool used to display and monitor replication status on selected domain controllers.

---

Q. How do I remove a non-existent domain controller?

A. Windows 2000 tracks each domain controller in the metadata and if you just throw away a domain controller either by reinstallation or removal of the hardware without running DCPROMO to clean up its metadata its information will not be cleaned up and connection objects will not be removed.

You can remove a server from the metadata using the NTDSUTIL as follows (enter the commands in bold):

D:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: select operation target

The first step is to connect to a server. Here we do it by selecting a domain:

select operation target: connections
server connections: connect to domain savilltech.com
Binding to \\TITANIC.savilltech.com ...
Connected to \\TITANIC.savilltech.com using credentials of locally logged on user
server connections: quit

Next we have to select a site, then a server (the server we want to delete) then finally the domain the server is in (the order is not important)

select operation target: list sites
Found 2 site(s)
0 - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
1 - CN=Kent,CN=Sites,CN=Configuration,DC=savilltech,DC=com
select operation target: select site 0
Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
No current domain
No current server
No current Naming Context
select operation target: list servers in site
Found 4 server(s)
0 - CN=TITANIC,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=c
om
1 - CN=TITUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com

2 - CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=
com
3 - CN=TRINITY,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=c
om
select operation target: select server 2
Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
No current domain
Server - CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltec
h,DC=com
DSA object - CN=NTDS Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,
CN=Configuration,DC=savilltech,DC=com
DNS host name - MORPHEUS.deleteme.savilltech.com
Computer object - CN=MORPHEUS,OU=Domain Controllers,DC=deleteme,DC=savil
ltech,DC=com
No current Naming Context
select operation target: list domains
Found 3 domain(s)
0 - DC=savilltech,DC=com
1 - DC=dev,DC=savilltech,DC=com
2 - DC=deleteme,DC=savilltech,DC=com
select operation target: select domain 0
Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - DC=savilltech,DC=com
Server - CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltec
h,DC=com
DSA object - CN=NTDS Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,
CN=Configuration,DC=savilltech,DC=com
DNS host name - MORPHEUS.deleteme.savilltech.com
Computer object - CN=MORPHEUS,OU=Domain Controllers,DC=deleteme,DC=savil
ltech,DC=com
No current Naming Context
select operation target: quit

The server we selected above will now be deleted.

metadata cleanup: remove selected server

Now click yes to the confirmation


"CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
" removed from server "\\TITANIC.savilltech.com"
metadata cleanup: quit
ntdsutil: quit
Disconnecting from \\TITANIC.savilltech.com ...

You should then delete the server from the Sites and Servers MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services)

Expand the Sites branch, select the site, expand the Services container, right click on the server and select Delete. Click Yes to the confirmation.

---

Q. How do I remove a non-existent domain from the Active Directory?

A. As with domain controllers, Windows 2000 tracks each domain in the metadata and if you remove all the domain controller's for a domain and never select "This is the last domain controller in the domain" when running DCPROMO to demote to a normal server its information will not be cleaned up and its domain information will remain.

You can remove a domain from the metadata using the NTDSUTIL as follows (enter the commands in bold):

D:\>ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections

Connect to a server (or domain) that knows about the domain to be deleted (the parent domain is good)

server connections: connect to server titanic
Binding to titanic ...
Connected to titanic using credentials of locally logged on user
server connections: quit
metadata cleanup: select operation target

Now we select to the domain we are going to delete

select operation target: list domains
Found 3 domain(s)
0 - DC=savilltech,DC=com
1 - DC=dev,DC=savilltech,DC=com
2 - DC=deleteme,DC=savilltech,DC=com
select operation target: select domain 2
Site - CN=London,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - DC=deleteme,DC=savilltech,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain

Click Yes to the confirmation.


"DC=deleteme,DC=savilltech,DC=com" removed from server "titanic"
metadata cleanup: quit
ntdsutil: quit
Disconnecting from titanic ...

There are no further actions, all trace of the domain will now have been removed.

---

Q. How does Inter-site replication work in Windows 2000?

A. Sites can be linked using RPC over IP or SMTP. Once you define the site links, schedules, cost factors and any site link bridges (if appropriate) the Knowledge Consistency Checker can then create the connection objects providing the site links are transitive in nature.

There are some restrictions on the usage of SMTP however, it can be used to replicate the global catalog information, schema and configuration data, but it cannot replicate full domain name context data such as the data exchanged between domain controllers in the same domain. This is because some domain operations require the File Replication Server (FRS) such as the global policy which SMTP does not currently support.

Inter-site replication uses a spanning tree topology and as long as a replication route can be established between all sites in the enterprise forest the replication tree is complete. The actual links between sites are created manually by the Administrator and involves defining costs with each link (the cost relates the speed and/or reliability of the network) and a schedule of when replication can occur.

Site links are created and maintained using the Sites and Services MMC snap-in and by default you will have one site link, DEFAULTIPSITELINK to which your original site will be part of and further sites can be added during their creation (sites have to be part of a site link when created).

Replication data sent inter-site is compressed to between 10-15% of its original size! This is important as inter-site links are usually over slower WAN links.

Basically you only need to create links between sites as required and the KCC will take care of creating the required connection objects. Ignorance is bliss :-)

---

Q. How do I create a new site link?

A. After creating sites of IP subnets they need to be linked. By default an IP site link exists called DEFAULTIPSITELINK which new sites can be added to during the creation (or select any other existing site link). To create a a new site link perform the following:

1. Start the Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services)
2. Expand the Sites container
3. Expand the 'Inter-Site Transports' leaf
4. Right click on the IP or SMTP protocol leaf (depending on the type of site link you wish to create) and select 'New Site Link'
5. Select the sites that should be part of the link. Enter a name for the link and click OK
   

Double clicking on an existing site link will allow other sites to be add/removed. It will also enable a cost to be allocated to the site link and a schedule to be configured.

---

Q. How do I disable site link transitivity?

A. By default all site links are bridged together making them all transitive in nature so the KCC (Knowledge Consistency Checker) can create connection objects between any domain controllers. Its possible to disable this site link transitivity and then manually bridge selected site links giving you more control.

1. Start the Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services)
2. Expand the 'Sites' branch
3. Expand the 'Inter-Site Transports' branch
4. Right click on the protocol you wish to disable transitivity for (IP or SMTP) and select Properties
5. Unselect the 'Bridge all site links' and click Apply
   
6. Click OK

You now need to manually create site link bridges to enable connection objects to be created by the KCC.

---

Q. How do I create a site link bridge?

A. If you disabled site link transitivity you must manually bridge sites so replication can complete and the KCC can create the necessary connection objects.

1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Programs - Sites and Services)
2. Expand the Sites branch
3. Expand the 'Inter-Site Transports' branch
4. Right click on the protocol you wish to create the bridge for (IP or SMTP) and select 'New Site Link Bridge'
5. Enter a name for the bridge and select the site links that will form the bridge
   
6. Click OK

Site link bridges are very important as imagine you had 3 sites, Kent, Liverpool and London and you have two site links, Liverpool-London and Kent-London. If site link transitivity is disabled then there is no way for Liverpool and Kent to talk. The site link bridge enables London to act as a router for communication between Liverpool and Kent.



---

Q. How do I specify a bridge head server?

A. In order to minimize bandwidth usage, communication between sites is carried out by a pair of servers (one from each site) and these bridgehead servers are dynamically chosen by the KCC (Knowledge Consistency Checker) however there may be some situations where you would prefer to nominate a specific domain controller from each site as it may have better network connectivity or act as the proxy server in a firewall environment.

These manually chosen servers are known as preferred bridgehead servers and its possible to select multiple preferred bridgehead servers for a site but only one is active at any one time. If the active preferred bridgehead servers fails then another preferred bridgehead server will become the active server. If no preferred bridgehead servers are available a normal Windows 2000 domain controller will become active for inter-site replication but this may cause problems if it lacks sufficient resources.

To nominate a server as a bridgehead server perform the following:

1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Programs - Sites and Services)
2. Expand the Sites branch
3. Expand the site containing the server and select the Servers container
4. Right click on the server and select Properties
5. Select the protocol the server should act as a preferred bridgehead server for and click Add (IP or SMTP)
   
6. Click OK

At the next KCC run the connection objects will be changed to use the bridgehead server specified.

---

Q. How do I disable the KCC?

A. In 'Q. How does replication work intra-site in Windows 2000?' we saw how the KCC automatically creates and maintains the connection objects for intra and inter-site replication however these can be manually maintained if you wish by disabling the KCC, this is NOT recommended!

We use LDP.EXE for this change which is part of the support tools so make sure these are installed.

1. Start LDP.EXE
2. From the Connection menu select Connect
3. Enter the DNS name of a domain controller, leave the port as 389 (LDAP) and make sure the connectionless option is clear. Click OK
4. Some text will display in the right hand pane. Now select bind from the Connection menu. Enter an Administrator username, password and domain.
   
   Click OK
5. From the View menu select Tree
6. A dialog will prompt for the baseDN, this will include a site and your domain, for example in the London site of savtech.com I would enter:
   CN=London,CN=Sites,CN=Configuration,DC=SAVTECH,DC=COM
7. Expand the route and look for 'CN=NTDS Site Settings', double click on this and the results will be displayed in the right window. Look for options attribute, it should not be there and this is OK. If it is there and it is 0 this is fine, if not you should not proceed and should contact MS support.
8. In the right hand pane near the top will be text (like):
   Expanding base 'CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com'...
Result <0>: (null)
Matched DNs: 
Getting 1 entries:
>> Dn: CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com
9. Copy the '>> DN: CN=NTDS etc.' into clipboard (but not the DN: word), so in my example I would have:
   CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com
10. From the Browse menu select Modify
11. For the DN enter the string we copied in step 9. For attribute enter 'options' (no quote). In the Values box, type the appropriate value:
    To disable automatic intra-site topology generation, use value 1 (decimal)
    To disable automatic inter-site topology generation, use value 16 (decimal)
    To disable both intra-site and inter-site topology generation, use value 17 (decimal)
    
12. Set the operation to 'replace' and click Enter
13. Click Run
14. Click Close
15. The right hand pane of LDP.EXE should display:
    -----------
***Call Modify...
ldap_modify_s(ld, 'CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com',[1] attrs);
Modified "CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com".
-----------
16. Close LDP.EXE

To check if the has worked you can use Active Directory Replication Monitor (REPLMON.EXE) to generate a report on the site configuration. Included in this information is output similar to the following example: 

Site Name: London
---------------------------------------
Site Options : NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
Site Topology Generator: CN=NTDS Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com
Site Topology Renewal : 
Site Topology Failover :

• NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED means that intra-site topology management is disabled
• NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED means that inter-site topology management is disabled

To undo the change and re-enable the KCC perform the above but set the value to 0. If KCC is fully enabled the output from the report will be (notice Site Options are blank):

Site Name: London
---------------------------------------
Site Options : 
Site Topology Generator: CN=NTDS Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com
Site Topology Renewal : 
Site Topology Failover :

To generate the report perform the following:

1. Start REPLMON.EXE
2. Right click on 'Monitored Services' in the left pane and select 'Add Monitored Server' from the context menu
3. Select 'Add the server explicitly by name' and click Next
4. Enter the server name and click Finish
5. Right click on the server (it will be under the site) and select 'Generate Status Report'
6. Enter a name and location for the log and click Save
7. Under the options ensure the following are selected (the others don't matter)
   - Server/DC Configuration Data
   - Extended Site Configuration
   
8. Click OK
9. Click OK once complete
10. Open the file you specified and at the bottom will be the site information (in the Enterprise Data section).

**************************************************************************
Enterprise Data
***************************************************************************

Globally Unique Identifiers (GUIDs) for each domain controller in the enterprise
NOTE: the absence of a GUID means that the server has been demoted.
--------------------------------------------------------------------------------

Site Name: London
---------------------------------------
Site Options : NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
Site Topology Generator: CN=NTDS Settings,CN=MORPHEUS,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=savtech,DC=com
Site Topology Renewal : 
Site Topology Failover : 

MORPHEUS
Server GUID (used for DNS) : DA644BE4-A8C9-47AF-AC4A-71F8DA4D50F0
Replication Database GUID (used to identify partner in replication): DA644BE4-A8C9-47AF-AC4A-71F8DA4D50F0
DSA Options : NTDSDSA_OPT_IS_GC
DSA Computer Path : CN=MORPHEUS,OU=Domain Controllers,DC=savtech,DC=com
DSA Schema Location : CN=Schema,CN=Configuration,DC=savtech,DC=com
DSA Mail Address : _IsmService@da644be4-a8c9-47af-ac4a-71f8da4d50f0._msdcs.savtech.com
DSA DNS Host Name : MORPHEUS.savtech.com
DSA BridgeHead Transports :  IP

---

Q. How can I change the NetBIOS name of my Windows 2000 domain?

A. Even though Windows 2000 names are DNS based, e.g. savilltech.com, a NetBIOS name is also specified during DCPROMO execution for backwards compatibility with older clients/domain controllers and is normally the left most part of the DNS name, e.g. savilltech, although it can be changed to a user specified name.

Once this NetBIOS name has been set during DCPROMO execution you cannot change it. The only way would be to demote all domain controllers and recreate the domain but you would lose all objects (although you could dump them out first and them import in again).

If you are upgrading a 4.0 domain then during the DCPROMO execution the NetBIOS name cannot be changed. You are stuck with the NetBIOS name of the 4.0 domain but you can of course have a totally different DNS name.

---

Q. How can I monitor when the Knowledge Consistency Checker (KCC) is run?

A. The KCC which manages the connection objects for inter and intra site replication runs periodically and ascertains if any new objects need creating or existing objects deleted.

If you want you can monitor exactly when its execution starts and finishes by performing the following actions:

1. Start the registry editor (Regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
3. Double click on '1 Knowledge Consistency Checker'
4. Set the value to 3 (or greater) and click OK
5. Close the registry editor (you don't need to restart the machine for this change to take effect)

With this value set to 3 or greater, the KCC will log extra events which you can view using the Event Viewer and viewing the 'Directory Service' branch.

Common and useful events are:

• events 1009 to signify the beginning of KCC check
• events1013 to signify the end of the KCC check
• events 1133 information about the KCC check
• events 1007 to signify the initialization of the KCC
• events 1015 to signify the stopping of the KCC



---

Q. What backup software is available for Windows NT?

A. Windows NT ships with NTBACKUP.EXE which is suitable for backing up most installations however its features are quite basic, for the larger more complex installations one of the following may be worth a look

• ADSM from http://www.storage.ibm.com/software/adsm/index.htm
• ARCserveIT from http://www.cai.com/arcserveit/
• Back Again II from http://www.cds-inc.com/
• Backup Exec from http://support.veritas.com/index_bottom_Product_Cat_Backup_Exec.htm
• Backup Express from www.syncsort.com
• EaseBackup from http://members.xoom.com/KieProgSoft/
• Legato NetWorker from http://www.legato.com/
• NovaBack+ from http://www.novastor.com
• OpenView OmniBack from http://www.hp.com
• Replica from http://www.stac.com/replica/
• Retrospect 5.0 from www.dantz.com
• UltraBac from http://www.ultrabac.com

---

Q. How do I add a tape drive?

A. Before you can add a tape drive you should first ensure that the correct SCSI driver is loaded for the card the tape drive is connected to. Once the SCSI driver is loaded you should perform the following

1. Start the Tape Devices control panel applet (Start - Settings - Control Panel - Tape Devices)
2. Click the detect button for NT to detect your tape drive. If this works goto step 5
3. If the drive could not be detected the click the drivers tab
4. Click the Add button and select your tape drive from the list or click the Have Disk button and select the location for the driver.
5. Click OK
6. Restart the computer

---

Q. What types of backup does NTBACKUP.EXE support?

A. NTBACKUP.EXE supports 5 different types of backups

• Normal backup - Backs up the files selected and marks them as backed up.
• Incremental backup - Backs up files that have changed since the last backup. Once the files have been backed up the files are marked as backed up.
• Differential backup - Same as above, backs up files that have changed since the last backup but does not mark the files as backed up
• Copy backup - Same as a normal backup but does not mark files as backed up
• Daily backup - Backs up selected files that have been modified on that day, the files are not marked as backed up

---

Q. What backup strategies are available?

A. The main backup strategy is on a weekly plan as follows

• Monday - Incremental backup
• Tuesday - Incremental backup
• Wednesday - Incremental backup
• Thursday - Incremental backup
• Friday - Normal backup

As you know an incremental backup only backs up those files that have changed since the last backup and then sets them as backed up so this type of backup should be quite fast. In the event of a failure you would have to first restore the normal backup and then any subsequent incremental backups.

An alternative would be as follows

• Monday - Differential backup
• Tuesday - Differential backup
• Wednesday - Differential backup
• Thursday - Differential backup
• Friday - Normal backup

Differential backups and incremental backups are the same except that differential does not mark the files as backed up, therefore files backed up on Monday will still be backed up on Tuesday etc. Therefore to restore the backup you would only need to restore the normal backup and the latest differential backup.

It is important to not just have on week's worth of tapes, you should have a tape rotation and have maybe 10 tapes and rotate on a fortnightly basis.

If you wanted an extra backup as a one off you would use a copy backup as this does a full backup but does not mark files as backed up and therefore would not interfere with other backup schemes in use.

---

Q. What options are available when using NTBACKUP.EXE?

A. Once you start NTBACKUP a list of all drives on the machine will be shown. You can either select a whole drive or double click on the drive and then select directories. Once you have selected the drives/directories click the Backup button.

When performing a backup there are a number of fields that should be completed.

• Current Tape - The name of the inserted tape is shown. You cannot edit this field
• Creation Date - Date the original backup set was created. You cannot edit this field
• Owner - The owner of the tape. You cannot edit this field
• Tape Name - A 32 character string describing the tape
• Operation Append/Replace - If you choose append the new saveset is added to the end of the tape. If you choose replace any information on the current tape is overwritten.
• Verify after backup - If selected once files are copied to tape they are verified against the file on disk
• Backup Local registry - Backs up the computers local registry, you cannot backup remote computers registry's.
• Restrict Access to Owner or Administrator - If you select this tape then the tape is made Secure. Only the owner of the tape or a member of the Administrator or Backup Operators group can access the tape.

---

Q. Can I run NTBACKUP from the command line?

A. NTBACKUP is fully usable from the command line using the format below

ntbackup <operation> <path> /a /b /d "text" /e /hc:<on/off> /l "<filename>" /r /t <backup type> /tape:n /v

The parameters have the following meanings

<operation>	This will be backup . If you wanted to eject a tape you could enter eject (but must also include the /tape parameter)
<path>	The list of drives and directories to be backed up. You may not enter file names or use the wildcard character. To backup multiple drives just put a space between them, e.g. ntbackup backup c: d: etc...
/a	Append backup sets to the end of the tape. If /a is omitted then the tape will be erased
/b	Backup the local registry
/d "text"	A description of the tape
/e	Logs only exceptions
/hc:<on/off>	If set /hc:on then hardware compression will be used, if /hc:off then no hardware compression will be used.
/l "<filename>"	Location and name for the logfile
/r	Restricts access (ignored if /a is set)
/missingtape	Specifies that a tape is missing from the backup set when the set spans several tapes. Each tape becomes a single unit as opposed to being part of the set.
/t <backup type>	The type of backup, normal, Incremental, Differential, Copy or Daily
/tape:n	Which tape drive to use (from 0 to 9). If omitted tape drive 0 is used
/v	Performs verification

---

Q. How do I schedule a backup?

A. Before a backup can be scheduled, you must ensure the scheduler service is running on the target machine, it does not have to be running on the issuing machine. For information on the schedule service see Q. How do I schedule commands?

Once the scheduler service has been started it is possible to submit a backup command using the ntbackup.exe image (image is a name for an executable)

at 22:00 /every:M,T,W,Th,F ntbackup backup d: /v /b

The command above would schedule a backup at 10:00 p.m. on weekdays of drive D: and the local registry with verification.

If you are having problems with the scheduling you may want to use the /interactive switch so in the event of a problem you can interact with the backup program.

---

Q. How do I restore a backup?

A. To restore a backup saveset is simple and will depend on what was backed up, however the basics are

1. Start NTBACKUP (Start - Administrative Tools - Backup)
2. Double click on the tape unit that has the backup saveset you want. Select the saveset
3. Check the Restore File Permissions if the saveset was backed up off of a NTFS volume
4. Click OK

---

Q. How do I backup open files?

A. Sometimes files can be corrupted as a backup program will try to backup an open file and when restored the file is corrupt. To stop NTBACKUP from backing up open files perform the following

1. Start the registry editor
2. Move to HKEY_CURRENT_USER\Software\Microsoft\Ntbackup\Backup Engine
3. Check "Backup files in use". If it is set to 1 double click on the value and set to 0. Click OK
4. Close the registry editor

If you do have "Backup files in use" set to 1 then you should also set the following parameter

HKEY_CURRENT_USER\Software\Microsoft\Ntbackup\User Interface\Skip open files

The values for this are

0 - Do not skip the file, wait till it can be backed up
1 - Skip files that are open/unreadable
2 - Wait for open files to close for Wait time (which is another registry value in seconds)

For more information have a look at Q159218 (http://support.microsoft.com/support/kb/articles/q159/2/18.asp)

To backup open files without corruption you should look at Open File Manager software from http://www.stbernard.com (yeah the advert with the cute dog!). You can download a 15 day free trial.

---

Q. What permissions do I need to perform a backup?

A. The operator performing the backup requires the "back up files and directories" user right. This can be given directly using user manager, or the preferred way is to make the user a member of either the Administrators group or the backup operators group.

---

Q. How do I backup the registry?

A. Most of the registry hives are open, making them unable to be copied in the normal way, however there are several methods available to you

• If you have a tape drive attached to NT, the NTBACKUP utility will perform a full backup of the registry if you select the "backup local registry" when performing the backup. Please note that NTBACKUP cannot backup registry's on remote machines.
• RDISK /S will backup the registry to the %SystemRoot%/repair directory. RDISK is no longer supplied in Windows 2000, please see Q. Where is RDISK in Windows 2000?
• REGBACK.EXE which comes with the resource kit will backup the open files that make up the registry, but not the unopened ones, these will need to be manually copied using xcopy.exe or scopy.exe. There is also a utility REGREST.EXE that can be used to restore the registry. To backup the registry to directory d:\regbackup:
  regback d:\regback
• REG.EXE is now supplied with the newer versions of the resource kit and with the BACKUP option, e.g. REG BACKUP you can backup certain sections of the registry to file.

NT does not automatically rename the old Registry to .DA0 as does Windows 95. However, you can use RDISK, the Emergency Recovery Disk utility, to generate fresh duplicates of the Registry, and use this script to keep three old versions on hand:

REM REGBACK.BAT note: change M: to home directory on LAN
REM pkzip25 is a product of PKWARE, see www.pkware.com for details
rdisk /s-
if exist m:regback.old del m:regback.old
ren m:regback.sav regback.old
ren m:regback.zip regback.sav
pkzip25 -lev=0 -add -attr=all m:regback %systemroot%\repair\*.*
exit

---

Q. How can I erase a tape using NTBackup that reports errors?

A. When NTBackup starts and when a tape is inserted a scan of the device is performed and if any errors are found one of the following messages will be displayed

• Tape Drive Error Detected.
• Tape Drive Not Responding.
• Bad Tape.

You will not be able to perform any actions on the tape including erasing it. It is possible to force NT to not check a tape when inserted using the /nopoll parameter, e.g.

c:\>ntbackup /nopoll

You will now be able to erase the tape within NTBackup. If you have multiple tape drives you may want to use the /tape:n parameter to instruct NTBackup to ignore a certain tape drive, otherwise no other parameters should be used.

Once you have erased the tape you should exit ntbackup and restart to use the tape (without specifying /nopoll).

---

Q. How can I remove a dead submitted Backup process?

A. If you submit a backup using the AT command (the schedule command) and the ntbackup program has a problem, you run Task Manager but are unable to kill the process as an error along the lines of you don't have authority to end the process will be shown. The only solution is to reboot the server.

If you had submitted the ntbackup command with the /interactive switch you would see some kind of error.

Rather than rebooting the server you can create a "special" version of task manager which will be able to kill the rogue NTBACKUP process. Simply submit task manager to start one minute in the future using the AT command or even better using the Resource Kit SOON.EXE utility:

C:\> soon 30 /interactive taskmgr

In 30 seconds task manager will be displayed and you will be able to kill the NTBACKUP process.

The AT syntax would be

C:\> at [\\<computer name>] <time in future> /interactive taskmgr

The \\<computer name> is optional and would start Task Manager on another machine.

An alternate method is as follows:

use the TLIST.EXE and the KILL.EXE provided in the Resource kit.

From the command prompt issue...
C:\> tlist -t | more

The output is .... <snip>

ATSVC.EXE (315)
  CMD.EXE (345)
    NTVDM.EXE (348)
    NTBACKUP.EXE (314)

(the PID will vary from system to system)
(the "-t" option is important. It provides a tree-like-output to determine which process is the parent and child process)

Use the KILL.EXE to end the parent process CMD.EXE and NTBACKUP.EXE
C:\> kill -f 345

By killing the parent process it DOES NOT kills the children process it created. Once you kill the CMD.EXE process you then need to kill the children processes that the CMD.EXE called.

Just don't kill the ATSVC.EXE process!!! If you do you no longer have the schedule service running, and you will have to restart it.

You must have Administrative privileges to run the KILL.EXE program.

You may find this better than fumbling with the AT command and waiting for it to start the TASKMGR as a system account.

If this is on a remote server where you can't get to the console load the RKILLSRV.EXE as a service on the remote machine, and use the RKILL.EXE on your local machine. Both programs are from the resource kit. You must have Administrative privileges on the target system to kill the processes.

RKILL.EXE syntax...
Usage : rkill /view \\servername
to get the process list on servername
Usage : rkill /kill \\servername pid
to kill process pid on servername
Usage : rkill /token \\servername
to get your remote security token on servername

Another useful use for this is as part of a scheduled NTBACKUP and to always run the command "kill.exe -f ntbackup.exe" first in the scheduled NTBackup-batch job. I've been told it works great but have never used myself. Basically if there is an old stray backup job running it will kill it first.

---

Q. What is a batch file?

A. A batch file is just a text file with a .bat or .cmd extension that adheres to a syntax and a set of valid commands/instructions. To run a batch file just enter the name of the file, you don't need to enter the .cmd or .bat extensions. In line with programming tradition the first batch file we write will output "Hello World".

1. Start Notepad
2. Enter the following contents
   @echo hello world
   Echo means output to the screen anything after it (the @ suppresses the command being printed to the screen, try it with and without the @). To stop commands from being displayed in the whole batch file have
   @echo off
   At the top of the batch file.
3. From the file menu select "Save As"
4. Enter a name of "<name>.cmd", make sure you enter the name in quotes or notepad will add .txt to the end!
5. Start a command session (run cmd.exe)
6. Enter the name of the batch file (no extension), e.g.
   testfile

---

Q. What commands can be used in a batch file?

A. Windows NT 4.0 introduced some extensions to cmd.exe, so to use these make sure HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions is set to 1. The following is a list of the more common commands you will use

call <batch file>	This is used to call one batch from inside another. The execution of the current batch file is suspended until the called batch file completes
exit	Used to stop batch file execution. If a batch file is called from inside another and exit is called both batch files are stopped
findstr <string> <filename(s)>	Used to find a string in a file. There are a number of parameters from this and is quite powerful
for	Standard for loop for /L %n IN (1,1,10) DO @ECHO %n Would print 1 to 10
goto <label>	Causes the execution of a program to skip to a given point. The actual label name must be preceded with a colon (:), e.g. goto label1 ... :label1 ...
if <condition> ..	The if statement has a great deal of functionality. Some of the more common ones are: if /i <string1> <compare> <string2> <command> The /i makes the comparison case insensitive and compare can be one of: EQU equal NEQ not equal LSS less than LEQ less than or equal GTR greater than GEQ greater than or equal if errorlevel if exist <file name>
rem <string>	A comment
start <window title> <command>	Starts a new command session and runs a given command. Unlike call the execution of the current batch file is not halted and continues

There are some extra utilities supplied with the NT Resource Kit which can be useful.

---

Q. How can I perform an action depending on the arrival of a file?

A. This is a common request as users on hosts have files FTP'd from a host and need to action it when it arrives. Below is a simple batch file to do this:

:filecheck
if exist e:\upload\file.txt goto actionfile
sleep 100
goto filecheck

:actionfile
...

This would check for file.txt every 100 seconds. The program sleep.exe is supplied with the resource kit so you would need the resource kit installed.

There may be a problem if the file is large and being created when its existance is checked for, for example if the file is being ftp'd and is still writing into it.

To get around this try to RENAME the file to itself, e.g.:

RENAME e:\upload\file.txt file.txt
if not errorlevel 0 goto actionfile

... or something like that. RENAME throws an error whether the file doesn't exist or whether it's not available to write to (because it's still being written to).

The errorlevel is the same, but the error message changes, if one cares to distinguish in the .BAT file.

---

Q. How can I access files on other machines?

A. You can use the UNC naming conventions, e.g. \\<server name>\<share name>\<dir>\<file>. Alternatively you could map the drive, access the file using a drive letter and then unmap the drive, e.g.

net use g: \\savilltech\filetosee
... g:\dir\file.txt
net use g: /d

---

Q. How can I send a message from a batch file?

A. Use the NET SEND command, e.g.

net send <machine> "<message>"

---

Q. The command I enter asks for input, can I automate the response?

A. Most commands have a switch to confirm an action however if a command requires a response when run, for instance a logon may want you to enter a password try the following:

echo <password> | logon savillj

This runs the command "logon savillj" and assuming it then asked for a password, the echo would then echo the password with a return thus entering your password for you.

You can also echo a return using

echo.|cmd.exe

---

Q. How can I pass parameters to a batch file?

A. When you call a batch file you may enter data after the command which the batch file refers to as %1, %2 etc, for example the batch file hello.bat

@echo hello %1 boy

Would output

hello john boy

if called as "hello.bat john" (you don't need to enter .bat extension, I just use it here as I used bad file names :-) )

You can actually modify the passed parameter in the following ways

Parameter	Description
%1	The normal parameter.
%~f1	expands %1 to a fully qualified path name. If you only passed a file name from the current directory it would expand to the drive/directory as well
%~d1	extracts the drive letter from %1.
%~p1	extracts the path from %1
%~n1	extracts the file name from %1 without the extension
%~x1	extracts the file extension from %1
%~s1	changes the meaning of n and x options to reference the short name. You would therefore use %~sn1 for the short file name, or %~sx1 for the short extension

You can combine some of the above as follows

Parameter	Description
%~dp1	expands %1 to a drive letter and path only.
%~sp1	for short path
%~nx1	expands %1 to a file name and extension only.

To see all of these in actions put this into a batch file testing.bat

@echo off
echo fully qualified name %~f1
echo drive %~d1
echo path %~p1
echo file name %~n1
echo file extension %~x1
echo short file name %~sn1
echo short file extension %~sx1
echo drive and directory %~dp1
echo file name and extension %~nx1

Run the file with a long file name, for example the batch file run on file c:\temp\longfilename.long would produce output

fully qualified name c:\TEMP\longfilename.long
drive c:
path \TEMP\
file name longfilename
file extension .long
short file name LONGFI~1
short file extension .LON
drive and directory c:\TEMP\
file name and extension longfilename.long

Obviously all the above also work on the second, third parameter etc, and you just substitute 1 for the parameter, e.g. %~f2 for the second parameters fully qualified path name.

Within a batch file %0 holds information about the file when it is run and that the command extensions can also be used with it (e.g. %~dp0 will give the drive and path of the batch file).

---

Q. How can I stop my batch files outputing the command to screen as it runs it?

A. This is stopped by just placing

@echo off

at the top of your batch file. To stop a single command being output to the screen just put @ in front of the command.

---

Q. How do I call a batch file from within another batch file?

A. It is possible to just enter the name of the batch file in a batch file which will run the called batch file however once completed it will not pass control back to the calling batch file leaving the rest of the calling batch file unrun. For example suppose we had the batch files

calling.bat


@echo off
echo Calling bat here
called.bat
echo Back to Calling bat

called.bat

@echo off
echo called bat here

If you then run calling.bat you would not get the line "Back to Calling bat" displayed as after called.bat terminates it does not return to calling.bat. To call a batch file and have it return to the calling batch file once completed use call . For example if calling.bat was modified to have "call called.bat" instead of "called.bat" the line "Back to Calling bat" would be displayed as once called.bat was completed control would return to calling.bat.


---

Q. .bat files have lost their association.

A. This is easily fixed. Enter the commands:

ftype batfile="%1" %*
assoc .bat=batfile

---

Q. How do I search files for a string from a batch file/command line?

A. There is the basic find command which allows you to search one file at a time for string, however findstr is far more versatile. The command has the following switches

FINDSTR [/B] [/E] [/L] [/R] [/S] [/I] [/X] [/V] [/N] [/M] [/O] [/F:file] [/C:string] [/G:file] [strings] [[drive:][path]filename[ ...]]

Parameters	Meaning
/b	Match pattern if at the start of a line
/e	Match pattern if at the end of a line
/l	Search literally
/r	Use text as a regular expression (default)
/s	Search current directory and all sub-directories
/i	Ignore case
/x	Selects lines that are an exact match
/v	Selects lines that do not match
/n	Displays the line number before the matched line
/m	Displays only the matching file names
/o	Displays the offset of the match before the matched line
/g:<file>	Gets the search string from the specified file. /g:argument.txt
/c:"<string>"	Use text as a literal. /c:"string"
/f:<file>	Gets the file list from the specified file. /f:filelist.txt
strings	The search string (in double quotes if multiple words)
files	Files to be searched


Use spaces to separate multiple search strings unless /c is used

findstr "Windows NT FAQ" ntfaq.html - searchs for Windows, NT or FAQ in ntfaq.html
findstr /c:"Windows NT FAQ" ntfaq.html - searchs for "Windows NT FAQ" in ntfaq.htm

Q. Environment settings set by a batch file are not working.

A. When you execute a batch file (or any other DOS command without a pif setting) the _DEFAULT.PIF file in the %systemroot% directory is used. If, as in my case, it has the "Close on Exit" setting enabled, this causes the batch process to close. Change this as follows:

1. Start Explorer
2. Move to your %systemroot% directory, e.g. d:\winnt
3. Right click on _default.pif
4. Select the Program tab
5. Unselect "Close on exit"
6. Click Apply then click OK

---

Q. How can I perform an operation on every machine on the network that is running?

A. Normally a logon script can be used but if you wish to run a command/copy a file to every current machine now you can use the following.

C:\> net view > list.txt

This outputs a list of all current machines to the file list.txt. We can then parse that file to perform an operation, e.g. to copy files:

C:\> FOR /F " tokens=1 " %i in (list.txt) do copy quaropts.dat "%i\C$\program files\navnt"

If you placed the above into a file you would need to user two %%, e.g.

FOR /F " tokens=1 " %%i in (list.txt) do copy quaropts.dat "%%i\C$\program files\navnt"

Its possible to not use the temporary file at all by changing the FOR command to the following:

FOR /F " tokens=1 " %i in ('net view') do copy quaropts.dat "%i\C$\program files\navnt"

---

Q. How can you send a programs output to a NULL device?

A. If you wish to suppress a programs output you can use the NULL device (as you would use UNIX's /dev/null). For example to make a program output to the NULL device instead of the screen use:

C:\> program.exe > nul

If you wanted to blank a file you can also use NUL

C:\> copy nul file.name

---

Q. How can I change colour within a batch file?

A. You can use the Windows NT Workstation 4.0 Color command to set the Command Prompt window colors. For example:

C:\> color 06

sets the colour to yellow on black. The first part is background colour, the second the foreground and are:

0	Black
1	Blue
2	Green
3	Aqua
4	Red
5	Purple
6	Yellow
7	White
8	Gray
9	Light Blue
A	Light Green
B	Light Aqua
C	Light Red
D	Light Purple
E	Light Yellow
F	Bright White

So color 2F would be bright white on Green..

---

Q. How can I call a subroutine in a batch file?

A. An easy way to do this is to have the batch file call itself recursively and pass itself a couple of parameters, like so:

@echo off
if (%1)==(Recurse) goto Recurse
goto Begin

:Begin
echo Batch file begins.
call %0 Recurse test
goto End

:Recurse
echo This is a recursive call.
echo The parameters received were "%1" and "%2".
goto Clean-End

:End
echo Finished.

:Clean-End

Be careful! Recursive batch files can be dangerous, especially if your subroutine fires off another program.

Other methods:

:Begin

echo start subroutine
call :Subroutine
echo finished subroutine
goto End

:Subroutine
echo In subroutine
goto :EOF
:End

From Rob Warner and Ian Hamilton (both sent the same idea):

For NT .cmd files, the following is possible

@echo off
call :Begin
echo Finished.
goto :eof

:Begin
echo Batch file begins.
call :recurse Recurse test
goto :eof

:Recurse
echo This is a recursive call.
echo The parameters received were "%1" and "%2".
goto :eof

Note the syntax for calling subroutines (with parameters) and the special construct for returning (goto :eof).

---

Q. How do I enter freehand comments in my batch file without using 'rem'?

A. When NT batch file processing encounters the goto command, it ignores any lines in the batch file until it finds the appropriate goto label:

@echo off
goto Begin

BATCHFILE.BAT v1.01 - does what batch files do
written 09/09/1999 by Joe Programmer

MODIFICATION HISTORY:

v1.00 09/04/1999 jp
initial version

v1.02 09/09/1999 jp
converted all dates in comments to four-digit
years for Y2K compliance

:Begin
<...>

:End

Thanks to Royce Williams for this one.

Another way from Noel Casey:

A further method for freehand comments in batch files is to use a double colon ::

This works in NT4 and W95

Example

@echo off
echo Hello
echo.

:: This is equivalent to rem at the begining of line
rem This is an equivalent statement to the line above
:: This looks and reads better than rem
:: Thats all
echo Bye!

 

---

Q. Does application x work with NT 4.0?

A. See the list below

• PCPlus V3.0 works, but you cannot use the wordsheet editor that comes with it.
• WordPerfect 6.1 works, but 'Draw' returns peculiar anomalies. In earlier versions of WP it include 'PTR.EXE' which was a kind of printer driver program. In NT drivers edited with PTR add some mysterious control codes that cause the printer to print additional blank pages. The distribution driver with WP61 does not do this.
• Quake does NOT work under NT, however there is a version called WinQuake that does.

---

Q. Does game x work with NT 4.0?

A. See http://www.ntgamepalace.iscool.net for an extensive lists of games that work with NT4.0, and tips to make them work.

---

Q. Does NT run 16bit applications?

A. There is no definitive answer. NT does not allow an application to directly access hardware, so any application that directly tries to access hardware would cause a violation, also private device drivers are not supported (such as a VXD). A VXD is usually a .386 file.

Besides direct hardware access, some 16 bit apps will not run under NT because they use a 16 bit API function call that either has no 32 bit equivalent, or the 32 bit equivalent has a completely different function call (different number/types of arguments) and NT can't convert the 16 bit version to the 32 bit version. If either of these things occur, NT will halt execution of the 16 bit app and throw some sort of error similar to the one it throws when direct hardware access occurs. This doesn't happen very often, but it seems that NT 4.0 has more problems with 16 bit code than NT 3.51 due to the 16 bit to 32 bit conversion process.

As a side note, this conversion of 16 bit code to 32 bit code is one of the reasons that NT will run 16 bit code slower than Win95 given all other things held equal. This has nothing to do with the Pentium Pro's problem with 16 bit code, it is an NT problem.

NTVDM simulates MD-DOS environment for MD-DOS-based applications. Applications that run in user mode do not have direct access to hardware. The VDDs intercept the applications' h/w calls and interact with the Windows NT 32-bit device driver. This process is transparent to the application.

---

Q. Will NT 3.51 drivers work with NT 4.0?

A. Standard NT drivers will automatically be upgraded from the NT CD. 3rd party drivers may not work and the supplier should be contacted. In particular Video drivers and Printer drivers were moved for NT4.0 from Win32 to the NT executive to improve performance and reduce memory use (basically moved from Ring 3 - user mode to Ring 0 - kernel mode). This does have the effect that a graphics driver could crash NT.

---

Q. How can I fool a program into thinking my NT installation is actually Windows 95?

A. Windows NT 4.0 ships a utility called IMAGECFG.EXE in the support\debug folder of the Windows NT 4.0 CD-ROM (it does not ship with Windows 2000).

Also in the support\debug folder are the files

• setwin95.cmd - to set the system in Windows 95 mode
• setnt351.cmd - to set the system in Windows NT 3.51 mode

To run you just run imagecfg with one of the the files. Type imagecfg /? for more information.

---

Q. How can I fool a program into thinking my Windows 2000 installation is actually Windows NT/95/98?

A. Windows 2000 provides a utility called APCOMPAT.EXE which can fool a program into thinking it is running on Windows NT (service pack 3,4 or 5), Windows 95 or Windows 98. The syntax of the command is as follows:

apcompat [-?] [-v version name] [-x program path] [-d] [-t] [-g] [-k]

Parameters:

-?	Displays the syntax for the command line parameters.
-v <version name>	Specifies the name of the operating system you want to return to the specified program.
	1	Returns the version WindowsNT4 SP3
	2	Returns the version WindowsNT4 SP4
	3	Returns the version WindowsNT4 SP5
	4	Returns the version Windows98
	5	Returns the version Windows95
-x <program path>	Specifies the path and name of the executable (.exe) file for the program you want to run.
-d	Disables the Heap Manager for the portion of memory reserved for the specified program
-t	Uses \Temp for the Temp folder when running the specified program
-g	Corrects disk space detection.
-k	Stores the specified Application Compatibility settings

The tool is part of the Windows 2000 support tools and is documented in the w2rksupp.chm HTML Help file. You can run APCOMPAT.EXE with no qualifiers which will launch a GUI version allowing you to make choices on screen. It can be found in support.cab in the support\tools folder of your CD.



---

Q. Is BackOffice Server Windows 2000 compatible?

A. BackOffice Server and its components such as Exchange, SQL will work on Windows 2000 however specific service pack's/fixes are required for the products to enable full functionality.

A list of fixes needed are listed at http://www.microsoft.com/backofficeserver/prodinfo/win2000sps.htm.

---

Q. How do I get the RIO 500 player to work on Windows 2000?

A. I bought one of these and wasted ages trying to get it to work until I found some great instructions at http://sites.netscape.net/richij/rio500-win2000.html. The instructions show you how to use a special USB driver and a special version of the Audio software.

An alternative method which I've since found is to use the same USB driver (http://www.ntfaq.com/ntfaq/download/riousb.zip) and extract to a directory. Attach the RIO500 via USB and power it on. When it asks for a driver specify the location you extracted the ZIP to.

To actually copy the MP3 files to the RIO500 you can use RealJukeBox (http://www.realjukebox.com) which has a RIO500 add-on which is great. If you have trouble installing the add-on (maybe due to a firewall) just extract rio500.dll from http://www.ntfaq.com/ntfaq/download/rio500.zip to the Plug-in's directory of Real Jukebox (C:\Program Files\Real\RealJukebox\plugins), restart the software and you should be able to add it as a device (Options - Preferences - Portable players/storage - Add) and copy away. Its very cool :-)



---

Q. What are the differences between NT Workstation and NT Server?

A. See table Below

	Workstation	Server
Connection to other clients	10	Unlimited
Connection to other networks	Unlimited	Unlimited
Multiprocessing	2 CPUs	4 CPUs
RAS	1 connection	256 connections
Directory Replication	Import	Import and Export
Macintosh Services	No	Yes
Logon Validation	No	Yes
Disk Fault Tolerance	No	Yes
Network	Peer-to-peer	Server

---

Q. What does NT stand for?

A. NT actually stands for Northern Telecom but Microsoft licensed it and in the Windows sense stands for New Technology. Its also interesting to note its heritage
RSX -> VMS -> ELN -> NT all major designs of David Cutler
Also VMS +1 letter = WNT (Windows NT) :-) (aka HAL and IBM in 2001)

---

Q. What is the NT Boot Process?

A. Firstly the files required for NT to boot are

• Ntldr - This is a hidden, read-only system file that loads the operating system
• Boot.ini - This is read-only system file, used to build the Boot Loader Operating System Selection menu on Intel x86-based computers
• Bootsect.dos - This is a hidden file loaded by Ntldr if another operating system is selected
• Ntdetect.com - This is a hidden, read-only system file used to examine the hardware available and to build a hardware list.
• Ntbootdd.sys - This file is only used by systems that boot from a SCSI disk.

The common Boot sequence files are

• Ntoskrnl.exe - The Windows NT kernel
• System - This file is a collection of system configuration settings
• Device drivers - These are files that support various device drivers
• Hal.dll - Hardware Abstraction Layer software

The boot sequence is as follows

1. Power on self test (POST) routines are run
2. Master Boot Record is loaded into memory, and the program is run
3. The Boot Sector from Active Partition is Loaded into Memory
4. Ntldr is loaded and initialized from the boot sector
5. Change the processor from real mode to 32-bit flat memory mode
6. Ntldr starts the appropriate minifile system drivers. Minifile system drivers are built into Ntldr and can read FAT or NTFS
7. Ntldr reads the Boot.ini file
8. Ntldr loads the operating system selected, on of two things happen
   * If Windows NT is selected, Ntldr runs Ntdetect.com
   * For other operating system, Ntldr loads and runs Bootsect.dos and passes control to it. The Windows NT process ends here
9. Ntdetect.com scans the computer hardware and sends the list to Ntldr for inclusion in HKEY_LOCAL_MACHINE\HARDWARE
10. Ntldr then loads Ntoskrnl.exe, Hal.dll and the system hive
11. Ntldr scans the System hive and loads the device drivers configured to start at boot time
12. Ntldr passes control to Ntoskrnl.exe, at which point the boot process ends and the load phases begin

---

Q. What is Virtual Memory?

A. Virtual Memory makes up for the lack of RAM in computers by using space on the hard disk as memory, Virtual Memory. When the actual RAM fills up (actually its before the RAM fills) then virtual memory is created on the hard disk. When physical memory runs out, the Virtual Memory Manager chooses sections of memory that have not been recently used and are of low priority and writes them to the swap file. This process is hidden from applications, and applications views both virtual and actual memory as the same.

Each application that runs under Windows NT is given its own virtual address space of 4GB (2GB for the application, 2GB for the operating system).

The problem with Virtual Memory is that as it writes and reads to the hard disk, this is much slower than actual RAM. This is why if an NT system does not have enough memory it will run very slowly.

---

Q. What is the history of NT?

A. In the late 1980's the Windows environment was created to run on the Microsoft DOS operating system. Microsoft and IBM joined forces to create a DOS replacement that would run on the Intel platform that led to the creation of OS/2, and at the same time Microsoft was working on a more powerful operating system that would run on other processor platforms. The idea was that the new OS would be written in a high level language (such as C) so it would be more portable.

Microsoft hired Dave Cutler (who also designed Digital's VMS) to head the team for the New Technology Operating System (NT :-) ). Originally the new OS was to be called OS/2 NT.

In the early 1990's Microsoft released version 3.0 of its windows OS which gained a large user base, and it was at this point that Microsoft and IBM's split started as the two companies disagreed on the future of their OS's. IBM viewed Windows as a stepping stone to the superior OS/2, where as Microsoft wanted to expand Windows to compete with OS/2, so they split, IBM kept OS/2 and Microsoft change OS/2 NT to Windows NT.

Nt was once called OS/3, and OS/2 V3, I am informed by a alpha tester for IBM & MS, he had a set of 5.25 diskettes from Microsoft, and that's how he got them.

The first version of Windows NT (3.1) was released in 1993 and had the same GUI as the normal Windows Operating System, however it was a pure 32 bit OS, but provided the ability to also run older DOS and Windows apps, as well as character mode OS/2 1.3 programs.

For a detailed history have a look at http://windowsnt.miningco.com

---

Q. How do I install the SYMBOL files?

A. Symbol files are produced by the linker when a program is built, and are used to resolve global variables and function names in an executable.

1. Create a directory on your machine called SYMBOLS
   mkdir c:\winnt\symbols
2. Copy over the symbols from the NT installation CD ROM
   xcopy <CD-ROM>:\Support\Debug\i386 c:\winnt\symbols /s
3. If you have any service pack symbols you should extract these to the same directory, e.g. for Service Pack 2
   SYM_400I -d c:\winnt\symbols

For more information see Microsoft Knowledge Base article Q148659

---

Q. What is Windows NT?

A. Windows NT (both the Workstation and Server) is a 32-bit Operating System. It is a preemptive, multi-tasking Operating System, which means that the Operating System controls allocation of CPU time, not the applications, stopping one application from hanging the OS. NT supports multiple CPU's giving true Multi-tasking, using symmetrical multiprocessing, meaning the processors share all tasks, as opposed to asymmetrical multiprocessing, where the OS uses one CPU and the applications another. NT is also a Fault Tolerant Operating System, with each 32bit application operating in its own Virtual Memory address space (4 GigaBytes) which means one application cannot interfere with another's memory space.

Unlike earlier version of Windows (such as Windows for Workgroups and Windows 95), NT is a complete Operating System, and not an addition to DOS.

NT supports different CPU's: Intel x86, IBM PowerPC (Not to be supported for NT5.0) and DEC Alpha.

NT's other main plus is its Security with a special NT file system (NTFS) that allows permissions to be set on a file and directory basis.

---

Q. What is DHCP?

A. DHCP stands for Dynamic Host Configuration Protocol and is used to automatically configure a host during boot up on a TCP/IP network and also to change settings while the host is attached.

This means that you can store all the available IP addresses in a central database along with information such as the subnet mask, gateways, DNS servers etc.

The basics behind DHCP is the clients are configured to use DHCP instead of being given a static IP address. When the client boots up it sends out a BOOTP request for an IP address. A DHCP server then offers an IP address that has not been assigned from its database, which is then leased to the client for a pre-defined time period.



If the DHCP client is Windows 2000 and no offer is made and IP auto configuration has not been disabled the client will attempt to find and use an IP address not currently in use otherwise TCP/IP will be disabled.

---

Q. How do I install the DHCP Server Service?

A. The DHCP server service can only be install on a NT Server.

1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties
2. Click on the Services tab and click Add
3. Select "Microsoft DHCP Server" and click OK
4. You will be prompted to insert the NT Server installation CD or say where the i386 directory is
5. A warning that all local adapters must use a static IP address and click OK
6. Click Close and select Yes to reboot

Under Windows 2000 to install perform the following:

1. Start the Add/Remove Programs Control Panel applet (Start - Settings - Control Panel - Add/Remove Programs)
2. In the left hand pane click 'Add/Remove Windows Components"
3. Click the 'Components' button to start the Components wizard
4. Click Next
5. Select 'Networking Services' and click Details
6. Check the 'Dynamic Host Configuration Protocol (DHCP)' option and click OK
7. Click Next and the relevant files and services will be configured.
8. Click Finish when all operations have completed
9. Click Close to the Add/Remove Programs dialog

---

Q. How do I configure DHCP Server Service?

A. The DHCP Server Service is configured using "DHCP Manager" that is installed after the installation of the DHCP Server Service.

1. Start DHCP Manager (Start - Programs - Administrative Tools - DHCP Manager)
2. Double click "*Local Machine*"
3. From the Scope menu select Create
4. A dialog will be shown and following should be entered
   - Start Address, e.g. 200.200.200.10
   - End Address, e.g. 200.200.200.100
   this would mean the address 200.200.200.10 to 200.200.200.100 would be available
   - Subnet Mask, e.g. 255.255.255.0
   - Exclusion - start and end, e.g. 200.200.200.20 and 200.200.200.30, would mean available addresses would 200.200.200.10-200.200.200.20 and 200.200.200.30-200.200.200.100
   - Exclusion - just start is a single address, e.g. 200.200.200.56
   - Set lease duration, by default 3 days, however can be set to unlimited
   - Name - this is the name of the scope, e.g. "subnet 200.200.200"
   - Comment - anything you want
5. Click OK
6. A message that the Scope has been added, but is not active, would you like it to be active, click Yes.

Usually items such as DNS servers, WINS server etc will be configured on a global scale and this is also done using DHCP Manager

1. Select the Scope, and select Global from the "DHCP Options" menu
2. Select "06 DNS Servers" and click Add
3. Click Value button
4. Click Edit Array at the bottom
5. Enter the IP address and click ADD, continue adding until all added
6. Click OK to close the Edit Array dialog
7. Select "15 Domain name" and click Add
8. Select it and edit the string at the bottom, e.g. savilltech.com
9. Click OK to exit

---

Q. How do I configure a client to use DHCP?

A. For NT workstation and Windows95 follow the instructions below:

1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties
2. Click on the Protocol tab
3. Select TCP/IP and click Properties
4. Select "Obtain an IP address from a DHCP Service". DHCP settings will only override IP address and subnet mask locally configured. If you have configured DNS, WINS etc locally then the DHCP configuration will not overwrite it.

For Windows 98:

1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties
2. Select 'TCP/IP -> Adapter' and click Properties
3. Select the 'IP address' tab
4. Select "Obtain an IP address automatically".

For a Windows 2000 machine perform the following:

1. Right click on 'My Network Places' and select Properties
2. Right click on 'Local Area Connection' and select Properties
3. Select 'Internet Protocol (TCP/IP)' and click Properties
4. Select 'Obtain an IP address automatically" (and repeat for DNS) and click OK

---

Q. How can I compress my DHCP database?

A. NT Server ships with a utility called JETPACK.EXE which can be used to compact DHCP and WINS databases. To compact your DHCP database perform the following:

1. Start a command prompt (cmd.exe)
2. Enter the following commands
   cd %SystemRoot%\SYSTEM32\DHCP
   e.g. cd d:\winnt\system32\dhcp
   net stop DHCPSERVER
   jetpack DHCP.MDB TMP.MDB
   net start DHCPSERVER

Note: While you stop the DHCP service, clients using DHCP to receive a TCP/IP address will not be able to start this protocol and may hang.

Jetpack actually compacts DHCP.MDB into TMP.MDB, then deletes DHCP.MDB and copies TMP.MDB to DHCP.MDB! Simple :-)

For more information, see Knowledge base article Q145881 at http://support.microsoft.com/support/kb/articles/q145/8/81.asp

---

Q. How can a DHCP client find its IP address?

A. Depending on the client:

Windows NT machine - type ipconfig from the command prompt
Windows 95 machine - run winipcfg.exe

---

Q. How can I move a DHCP database from one server to another?

A. Perform the steps below on the server that currently hosts the DHCP Server service. Be warned that while doing this no DHCP clients will be able to start TCP/IP so this should be done outside working hours.

1. Log on as an Administrator and stop DHCP (Start - Settings - Control Panel - Services - Microsoft DHCP server - Stop).
2. You also need to stop DHCP from starting again after a reboot so start the Services Control Panel applet and select Microsoft DHCP Server and click Startup. From the startup choose disabled and click OK.
3. Copy the DHCP directory tree %systemroot%\system32\DHCP to a temporary storage area for use later.
4. Start the registry editor (regedt32.exe)
5. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer \Configuration
6. From the Registry menu, click Save Key. Create a name for this key, for example dhcpcfg.bck
7. Close the registry editor

Optionally if you want to remove DHCP from the source machine totally delete the DHCP directory (%systemroot%\system32\dhcp) and then delete the DHCP Service (Start - Settings - Network - Services - Microsoft DHCP Server - Remove)

On the new DHCP server perform the following

1. Log on as an Administrator
2. If the server does not have the DHCP server service installed, install it (Start - Settings - Control Panel - Network - Services - Add - DHCP Server)
3. Stop the DHCP service (Start - Settings - Control Panel - Services - Microsoft DHCP server - Stop).
4. Delete the contents of %systemroot%\system32\dhcp
5. Copy the backed up DHCP directory tree from the storage area to %systemroot%/system32/dhcp, but rename the file system.mdb to system.src. You may not have this file if you are using NT 4.0, skip this step.
6. Start the registry editor (regedt32.exe)
7. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Configuration and select it
8. From the registry menu select restore
9. Located the file dhcpcgf.bck you saved from the original machine and click open
10. Click Yes to the warning
11. Close the registry editor
12. Reboot the machine

---

Q. How do I create a DHCP Relay Agent?

A. If you have routers separating some of your DHCP clients from the DHCP server you may have problems if they are not RFC compliant. This can be solved by placing a DHCP relay agent on the local network area which is not actually a DHCP server which communicates on behalf of the DHCP Server. The DHCP Relay Agent must be a Windows NT Server computer.

1. On the NT Server log on as an Administrator
2. Start the Network control panel applet (Start - Settings - Control Panel - Network)
3. Click the Services tab and click Add
4. Select "DHCP Relay Agent" and click OK
5. Type the path of the files (e.g. d:\i386) and click OK
6. You will be asked if you wish to add IP address to the DHCP servers list, click Yes
7. Click the DHCP relay tab and click Add
8. In the DHCP Server field enter the IP address of the DHCP Server and click Add
9. Click OK
10. Restart the computer

---

Q. How can I stop the DHCP Relay Agent?

A. All you have to do is stop the DHCP Relay Agent service:

1. Log on as an Administrator
2. Start the Services control panel applet (Start - Settings - Control Panel - Network)
3. Select "DHCP Relay Agent"
4. Click the startup button
5. Click the disabled and click OK
6. Close the control panel applet
7. You can reboot or just stop the service

---

Q. How can I backup the DHCP database?

A. The DHCP database backs itself up automatically every 60 minutes to the %SystemRoot%\System32\Dhcp\Backup\Jet directory. This interval can be changed:

1. Start the registry editor
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval
3. Double click on BackupInterval and set to the number of minutes you want the backup to be performed. Click OK
4. Close the registry editor
5. Stop and restart the DHCP server service (Start - Settings - Control Panel - Services - DHCP Server - Start and Stop)

You could backup the %SystemRoot%\System32\Dhcp\Backup\Jet directory if you wish.

---

Q. How can I restore the DHCP database?

A. Perform one of the following:

1. When the DHCP Server service starts, if an error is detected in the database it will automatically restore the backup version
2. Edit the registry and set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\RestoreFlag to 1, restart the DHCP Server service, this will restore the backed up version and set RestoreFlag back to the default 0
3. Stop the DHCP Server service, copy the files from %SystemRoot%\System32\Dhcp\Backup\Jet to %SystemRoot%\System32\Dhcp and then start the DHCP Server service.

---

Q. How do I reserve a specific address for a particular machine?

A. Before performing this you will need to know the hardware address of the machine and this can be found by entering the command

ipconfig /all

Look for the line

Physical Address. . . . . . : 00-60-97-A4-20-86

Now at the DHCP server perform the following

1. Log on as an Administrator
2. Start the DHCP Server management software (Start - Programs - Administrative Tools - DHCP Manager)
3. Double click on the DHCP server, e.g. *Local Machine*
4. Select the light bulb and from the Scope menu select "Add Reservations"
5. In the Add Reserved Clients dialog box you should enter the IP address you wish to reserve and in the "Unique Identifier" box enter the hardware address of the client machine (got from the ipconfig /all). Do not enter the hyphens, e.g.
   006097A42086
   Also enter a name for the machine (and a comment if you wish) and click Add
6. Click close when you have added all the reservations

---

Q. What registry settings control the DHCP log in Windows 2000?

A. DHCP has always had auditing abilities for DHCP however these abilities have been expanded in 2000 to reduce problems CAUSED by the log files. These improvements will stop log files filling to take up whole partitions and cause system problems.

The following keys are all located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters

Value Name	Type	Description
DhcpLogFilePath	REG_SZ	The partition and directory for the audit logs to be written to. Make sure you write the entire path
DhcpLogMinSpaceOnDisk	REG_DWORD	If free space falls below this number (in megabytes) audit logging is stopped
DhcpLogDiskSpaceCheckInterval	REG_DWORD	Number of times the audit log is written to before checking for free disk space
DhcpLogFileMaxSize	REG_DWORD	Maximum size in megabytes the logs can grow to. By default it is 7.

---

Q. How do I authorize a DHCP server in Windows 2000?

A. Any user running Windows 2000 server could install the DHCP server service causing potential problems and so Windows 2000 adds the concept of authorizing the servers with the Active Directory before they can service client requests. If the server is not authorized in the Active Directory then the DHCP service will not be started.

To Authorize a server perform the following:

1. Logon as a member of the Enterprise Administrators group
2. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
3. Select the DHCP root, right click and select 'Browse authorized servers'
4. A list of authorized DHCP servers will be displayed. Click Add
5. Enter the name or IP address of the DHCP server and click OK.
6. Click Close

The red arrow over the DHCP server should now change to a green one if you select refresh (it may take a few minutes).

---

Q. How do I create a DHCP scope in Windows 2000?

A. A DHCP scope is a range of addresses that can be assigned to clients and can also optionally provide information about DNS servers, WINS etc.

DHCP scopes are configured using the DHCP MMC snap-in as follows:

1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
2. Right click on the server and select New - Scope from the context menu
3. The scope creation wizard will be started, click Next
4. Enter a name and comment for the scope. Click Next
5. Enter the address range to use, for example from 200.200.200.1 to 200.200.200.15 (remember the host part cannot be 0). Also enter the subnet mask as either the number of bits used or the actual mask, e.g. 24 is the same as 255.255.255.0. Click Next
   
6. You can specify addresses to be excluded either by range, e.g. 200.200.200.5 to 200.200.200.7 and click Add, or just enter a Start address and click Add, e.g. 200.200.200.12 to exclude a single address. Click Next
   
7. You can now configure the lease time for the address. Setting too large will mean you will lose the use of addresses if the client machine is inactive for long periods of time, too short and you will generate unnecessary traffic renewing the address. The default 8 days is fine. Click Next
8. The wizard gives the option to configure the most common DHCP options. Select Yes and click Next
9. Enter the address of the gateway, and click Add. You can enter several. Click Next when all are entered.
10. Enter the DNS domain, e.g. savilltech.com and the DNS server addresses. Click Next
    
11. Enter the WINS server addresses and click Add. Click Next
12. You will then be asked if you wish to activate the scope. Select your answer and click Next
13. Click Finish to the wizard

The new scope will now be listed and the status as either Active or Inactive.

If you selected to not activate the scope it can be manually activated by right clicking on the scope, select 'All Tasks' and select Activate. The activation is immediate. Likewise you can deactivate by selecting deactivate

Useful links:

• Q. How do I install the DHCP Server Service?
• Q. How do I authorize a DHCP server in Windows 2000?

---

Q. How do I configure DHCP scope options in Windows 2000?

A. When you create a scope the more common options such as DNS and WINS servers can be configured but many more options are available.

1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
2. Expand the server
3. Expand the scope whose options you wish to modify
4. Select the 'Scope Options' branch and in the right hand window you will see the currently configured options.
5. Right click on 'Scope Options' and select 'Configure Options'
6. Select the Basic tab and you can configure other options by checking its box and entering the details. For example a Time Server, check '004 Time Server', enter an IP address and click Add.
   
7. Click Apply. Click OK

The new option(s) will now show in the right hand window. You can change existing options by performing the above and selecting an item already configured and change the details in the Data entry area.

• Q. How do I install the DHCP Server Service?
• Q. How do I authorize a DHCP server in Windows 2000?
• Q. How do I create a DHCP scope in Windows 2000?

---

Q. How can I view DHCP address leases in Windows 2000?

A. When a client is offered and accepts an IP address a 'lease' is created for x amount of days. To view current leases perform the following:

1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
2. Expand the server
3. Expand the scope whose leases you wish to view
4. Select the 'Address Leases' branch and in the right hand window you will see the current lease details.

It will give details of the IP address, client name and the lease expiration date. Expired leases are also shown for approximately one day but have a dimmed icon. This grace period protects a client lease in the event of the client and server being in different time zones, clocks not synced or simply offline.

---

Q. How do I change the DHCP address lease time in Windows 2000?

A. To modify the DHCP lease duration from the normal 8 days perform the following:

1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
2. Expand the server
3. Right click the scope whose lease time you wish to change and select Properties
4. Select the General tab
5. At the bottom of the window you can select lease duration either Unlimited or a finite time.
6. Click Apply then OK



---

Q. My Windows 2000 DHCP client has an IP address not in any scopes, how?

A. Microsoft have tried to make Windows 2000 as easy to setup on a small network as possible and by default and machines installed are setup to use DHCP. On a very small network you may not have a DHCP server and rather than the machines failing to initialize TCP/IP Microsoft has added code so that the machines will use an address not in use on the local network in the class B address range 169.254.x.x. This IP address range is reserved for internal use only and so should not clash with any "real" IP addresses on your network. The MacOS uses the same address range for its DHCP clients when a DHCP server cannot be contacted as does Windows 98 Second Edition.

This DHCP address allocation uses conflict detection via a NetBIOS naming broadcast over DHCP so each machine gets an IP address from the 169.254.x.x range which is not in use. The actual address initially chosed in random.

If any of your machines have a 169.254.x.x address it just means they could not contact a DHCP server so check your network connectivity.

This automatic IP addressing is known as Automatic Private IP Addressing (APIPA).

---

Q. What is Distributed File System?

A. Distributed File System (or Dfs) is a new tool for NT server that was not completed in time for inclusion as part of NT 4.0, but is now available for download. It basically allows Administrators to simulate a single server share environment that actually exists over several servers, basically a link to a share on another server that looks like a subdirectory of the main server.

This allows a single view for all of the shares on your network, which could then simplify your backup procedures as you would just backup the root share, and Dfs would take care of actually gathering all the information from the other servers across the network.

You do not have to have a single tree (Dfs directory structures are called trees), but rather could have a separate tree for different purposes, i.e. one for each department, but each tree could have exactly the same structure (sales, info. etc).

For more information on DFS see http://www.microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp

---

Q. Where can I get Dfs?

A. Dfs is available for download from Microsoft http://www.microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/default.asp. Follow the instructions at the site and fill in the form about your site. The file you want for the I386 platform is dfs-v41-i386.exe.

Once downloaded just double click on the file, and agree to the license. It will then install files to your drive which you need to install.

Windows 2000 has Dfs built-in as a core component.

---

Q. How do I install Dfs?

A. Follow the instructions below, you must have first downloaded and expanded the file dfs-v40-i386.exe:

1. Right click on Network Neighborhood and select properties (or double click Network in the Control Panel)
2. Click the services tab and click Add
3. Click the "Have disk" button and when asked where enter %systemroot%/system32/dfs. Do not actually type %systemroot%, but rather what it points to, i.e. d:\winnt, so the full path would be d:\winnt\system32\dfs
4. Click Enter and press OK for Dfs installation
5. A dialog box will be shown, and click "New Share", and type the name of the required root, e.g. c:\dfsroot and click "Yes" to create the directory
6. Select the "Shared As" and fill in required information and click OK
7. Close the dialogs and reboot the machine

Windows 2000 does not require you to install Dfs, it is built into the operating system, all it requires is configuration.

---

Q. How do I create a new folder as part of the Dfs?

A. Once Dfs is installed a new application, the Dfs Administrator, is created in the Administrative Tools folder. This app should be used to manage Dfs. To add a new area as part of the Dfs tree follow the procedures below:

1. Start the Dfs Administrator application (Start - Programs - Administrative Tools - Dfs Administrator)
2. Select "Add to Dfs" from the Dfs menu
3. Enter the name of folder you want an existing share to be known as
4. Next select what it should point to, you can either type the path, or use Browse.
5. Click Add
6. Close the Dfs Administrator

---

Q. How do I uninstall Dfs?

A. Follow the procedure below:

1. Start the network control panel applet or right click on Network Neighborhood and select propertied
2. Click the Services Tab
3. Select "Distributed File System" and click remove
4. You will be prompted to continue, click Yes
5. A reboot will then be required

---

Q. How do I create a Dfs root volume in Windows 2000?

A. Windows 2000 currently supports one Dfs root per server however this will be expanded in future versions of the operating system/service packs.

The Distributed File System has its own DFS Microsoft Management Console snap-in which has a shortcut on the Administrative Tools folder.

To create a new Dfs root perform the following:

1. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)
2. Right click on the Distributed File System root and select ‘New Dfs Root…’
   
3. The Dfs root creation wizard will be started, click Next to the introduction screen

4. The next screen gives the option of a fault-tolerant Dfs root which uses the Active Directory to store the information or a standalone Dfs root if the Active Directory is not available or not wanted. Select ‘Create a domain Dfs root’ and click Next
   
   Select a domain to use. A list of available domains will be displayed and the current domain will be selected as the current choice. Click Next. This screen is not displayed if you are not creating a fault-tolerant Dfs root.
5. You will need to select a server to host the Dfs root (a domain member if fault tolerant) and must be running the Dfs service. The current server will be selected but can be changed by typing a domain name or click Browse. Click Next
6. The next stage is to select a share to act as the Dfs root. A list of existing shares will be displayed or you can select to create a new share by entering a share name and location. Click Next
   
7. Each Dfs root requires a unique name and will, by default, be the name of the share although you can change this. You can also select to add the new Dfs root to the current console. Click Next
8. A summary screen will be displayed showing the domain, server, share and Dfs root name. Click Finish to create the Dfs root
9. Once complete a success message will be displayed. Click OK

---

Q. How can I add a replica Dfs root volume in Windows 2000?

A. If your Dfs root was created as a fault-tolerant Dfs root you may add other Dfs servers as part of the Dfs root replica set.

To add a new Dfs root replica member perform the following:

1. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)
2. Right click on the root you wish to add a replica to and select ‘New Root Replica’
3. You will be asked for a server that will host a copy of the Dfs root. Click Next
4. As when creating the original you need to either select an existing share or create a new folder and share. Click Finish
5. Click OK to the success confirmation

These root replicas will all contain the Dfs root information by utilitizing and replicating via the Active Directory. You can actually see the Dfs information using the Active Directory Users and Computers snap-in, select Advanced Features view, System, Dfs.

---

Q. How can I add a child node to Dfs in Windows 2000?

A. Once your Dfs root is created the next step is to populate with child nodes/leafs which actually link to information.

To add a new Dfs child node or Dfs link as its now called perform the following:

1. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)
2. Right click on the root you wish to add a replica to and select ‘New Dfs Link’
3. You will need to enter a location and name for the child node, a UNC for the destination and a comment. You can also select the amount of time clients cache the request.
   
4. Click OK

Any subdirectories of the child leaf will also be published to the Dfs with the parent directory, for example if a share, ntfaq, was added as a child node to Dfs, any subdirectories of that share would be viewable on the Dfs tree as children of the documents Dfs entry.

---

Q. How can I add a replica child node to Dfs in Windows 2000?

A. The Windows 2000 version of Dfs allows child replica sets to be created in which a single Dfs leaf points to multiple shares on different servers the File Replication Service will keep the contents of all shares in sync with each other. This allows fault tolerance AND load balancing.

Members of a node replica set must:

1. All be members of the domain
2. Use NTFS 5.0
3. Must be on different servers. You cannot replicate between shares on the same server.

To add a new Dfs child replica member perform the following:

1. Ensure an up-to-date copy of the resource to which a new replica member is to be added is placed in the new share which will join the set
2. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)
3. Right click on the child node you wish to add a replica to and select ‘New Replica’
4. You will need to enter the UNC of the new share and you have the option for
   - Manual replication
   - Automatic replication
   ’Manual replication’ is useful if the contents are read-only documents which do not often change. Joint replication will replicate the contents of the shares with all members in the replica set. Click OK
5. The replication set topology dialog will be shown. Check replication has been enabled and click OK
   

Multi-master replication is used except on the first replication path where the contents of the Primary server is copied to the other members. Any content currently in the other shares is moved to a NtFrs-PreExisting subdirectory (but a checksum is performed and if the files match with the primary servers share they are moved back into the main directory to save network bandwidth in copying them from the Primary server).

Replication is every 15 minutes by default.

---

Q. How do I install the DNS Service?

A. The DNS Service can only be installed on NT/2000 Server and is installed as follows under NT 4.0:

1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
2. Click the Services tab and click Add
3. Select "Microsoft DNS Server" and click OK
4. The software will be installed and the machine will then reboot

For Windows 2000 perform the following:

1. Start the Add/Remove Programs control panel applet (Start - Settings - Control Panel - Add/Remove Programs)
2. Click the 'Add/Remove Windows Components' button
3. Select 'Networking Services' and click Details
4. Check the 'Domain Name System (DNS)' box and click OK
5. Click Next to all other dialogs

---

Q. How do I configure a domain on the DNS Server?

A. A new application has been added to the Administrative Tools group, DNS Manager, to configure the domain follow the procedures below for NT 4:

1. Start the DNS Manager (Start - Programs - Administrative Tools - DNS Manager)
2. From the DNS menu, select New Server and enter the IP address of the DNS Server, e.g. 200.200.200.3, and click OK
3. The server will now be displayed with a CACHE sub part
4. Next we want to add the domain, e.g. savilltech.com, from the DNS menu, select New Zone
5. Select Primary and click Next
6. Enter the name, e.g. savilltech.com, and then press tab, and it will fill in the Zone File Name and click Next
7. Click Finish
8. Next a zone for reverse lookups has to be created, so select New Zone from the DNS menu
9. Select Primary and click Next, enter the name of the first 3 parts of the domain IP + in-addr.arpa, e.g. if the domain was 158.234.26, the entry would be 26.234.158.in-addr.arpa, in my example it would be 200.200.200.in-addr.arpa, click tab for the file name to be filled and click Next, then click Finish
10. Add a record for the DNS server, by right clicking on the domain and select "New Record"
11. Enter the name of the machine, e.g. BUGSBUNNY (I had a strange upbringing :-) ), and enter and IP address, e.g. 200.200.200.3 and click OK
12. If you click F5 and examine the 200.200.200.in-addr.arpa a record has been added for BUGSBUNNY there as well

For Windows 2000 the procedure is similar but has a few changes:

1. Start the DNS MMC snap-in (Start - Programs - Administrative Tools - MMC)
2. Right click on the DNS server and select 'Configure the server'
3. Click Next to the welcome screen
4. Select Yes to create a forward lookup zone and click Next
5. Select the type of zone. Active Directory integrated will only be available if the DNS server is also a domain controller. Select the type and click Next
6. Enter the name for the zone, e.g. savilltech.com and click Next
7. Select to create a new file and click Next
8. Select Yes to create a reverse zone and click Next
9. Again select the type, Active Directory integrated, standard or secondary and click Next
10. Enter the Network ID (the first parts of your IP address) and click Next
11. Select to create a new file and click Next
12. Click Finish to create the zone

---

Q. How do I add a record to the DNS?

A. To add a record, for example TAZ with IP address 200.200.200.4 perform the following on NT 4.0:

1. Start the DNS Manager (Start - Programs - Administrative Tools - DNS Manager)
2. Double click on the name of the DNS server to display the list of zones
3. Right click on the domain, and select New Record
4. Enter the name, e.g. TAZ and enter IP address. Select the record type. For adding a new host accept the default, record type A.
5. If you have the Reverse Arpa zone configured and want the PTR record automatically added, make sure the Create Associated PTR record is checked
6. Click OK

The procedure is basically the same on Windows 2000:

1. Start the DNS MMC snap-in (Start - Programs - Administrative Tools - DNS)
2. Expand 'Forward Lookup Zones' and select the DNS domain you wish to add a record to
3. Right click on the DNS domain zone and select 'New Host' from the context menu
4. Enter the name and IP address for the record and if you want a reverse pointer to be created.
   
5. Click Add Host

---

Q. How do I configure a client to use the DNS?

A. Once you have DNS servers configured the clients (and servers) need to be configured to contact them to resolve hostnames to IP addresses (and in some cases IP addresses to hostnames).

If you are using DHCP then DNS can be configured as part of the scope options for DHCP and do not need to be set at each client machine. Only if using static IP addresses do you need to manually set DNS information.

For an NT machine (and Windows 95) perform the following:

1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
2. Select the Protocols tab
3. Select TCP/IP and select Properties
4. Click the DNS tab
5. Make sure the machines name is entered in the first box, and the domain name, e.g. savilltech.com in the Domain box
6. In the DNS Server part click Add, and in the dialog box enter the IP address of the DNS Server and click Add
7. In the Domain Suffix Search Order part, click Add and enter the domain, e.g. savilltech.com and then click Add
8. Finally click OK

For a Windows 2000 machine perform the following:

1. Right click on 'My Network Places' and select Properties
2. Right click on 'Local Area Connection' and select Properties
3. Select 'Internet Protocol (TCP/IP)' and click Properties
4. Enter the DNS information and click OK
   

To test, you can start a command prompt and enter

nslookup <host name>
e.g. nslookup taz

The IP address of Taz will be displayed. Also try the reverse translation by entering

nslookup <ipaddress>
e.g. nslookup 200.200.200.4

The name Taz will be displayed.

---

Q. How do I change the IP address of a DNS server?

A. The information below assumes you have already changed the IP address of the machine ( Start - Settings - Control Panel - Network - Protocols - TCP/IP - Properties) and have rebooted. The scenario below assumes the old IP address was 200.200.200.3 and the new is 200.200.200.8

1. We need to configure a second IP address for the network card
   - Start the Network Control Panel Applet ( Start - Settings - Control Panel - Network)
   - Click on the Protocol tab
   - Select TCP/IP and click Properties
   - Click Advanced and click Add
   - Enter the old IP address, e.g. 200.200.200.3 and click Add
   - Click OK until you are back at the Control Panel
   - Reboot
2. Start the DNS Manager (Start - Programs - Administrative Tools - DNS Manager)
   - Right click the "Server List" and select New Server
   - Enter the new IP address, e.g. 200.200.200.8 and click OK
   - Select the old IP address, e.g. 200.200.200.3 and right click
   - Select "Delete Server" from the context menu and click Yes to confirm
3. While in the DNS Manager, update the record for this server
   - Select the IP address of the DNS server, e.g. 200.200.200.8, select the domain name, e.g. SAVILLTECH.COM
   - Double click the entry for the server and update the IP address, i.e. it would have had 200.200.200.3 to bugsbunny, change to 200.200.200.8
   - Click OK
4. Now we will delete the secondary IP address we added
   - Start the Network Control Panel Applet ( Start - Settings - Control Panel - Network)
   - Click on the Protocol tab
   - Select TCP/IP and click Properties
   - Click Advanced and select the address, e.g. 200.200.200.3 and click Remove
   - Click OK until back at control panel
   - You will need to reboot at some point to remove the 200.200.200.3 from being active

Update all the clients to use the new DNS server IP address.

The above procedure is the most complete way, however it should still work if you only perform steps 2 and 3.

---

Q. How can I configure DNS to use a WINS server?

A. Is is possible to configure the DNS to use a WINS server to resolve the host name of a Fully Qualified Domain Name (FQDN).

1. Start DNS manager (Start - Programs - Administrative Tools - DNS Manager)
2. Right click on the zone you wish to communicate with the WINS server and select properties
3. Click the "WINS Lookup" tab
4. Select the "Use WINS Resolution" check box and then enter the WINS server IP address and click ADD
5. Click OK when finished

---

Q. Where in the registry are the entries for the DNS servers located?

A. The entries for the DNS servers are stored in the registry in the location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters under the NameServer value, Each entry should be separated by a space. Using the Resource Kit utility REG.EXE the command to change would be as follows

reg update HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NameServer="158.234.8.70 158.234.8.100" \\<machine name>

where 158.234.8.70 and 158.234.8.100 were the addresses of the DNS servers you wanted to configure. Note it sets the value, it does not append so ensure you enter in the existing DNS servers as well as the new ones.

This may be useful for granting users access to the internet by remotely updating their registry to know which DNS servers to use.

---

Q. I receive error message "No More Endpoints".

A. This can be caused by installing DNS on a machine that has previous settings contained in the %systemroot%\system32\dns directory. To correct perform the following.

1. Stop the Microsoft DNS server using the Services control panel applet ( Start - settings - control panel - services). Select Microsoft DNS and select stop
2. Backup any zone files from the %systemroot%\system32\dns directory that you may want
3. Remove the DNS server by right clicking on network neighborhood and selecting properties. Click the services tab, select DNS and click Remove
4. Delete all files in the %systemroot%\system32\dns
5. Reinstall DNS server using the services tab of the network control panel applet

---

Q. How do I configure DNS for a Windows 2000 domain?

A. Windows 2000 domains rely on DNS and require Dynamic DNS which is an update to the basic DNS specification and details can be found in RFC 2136 that can be viewed at ftp://ftp.isi.edu/in-notes/rfc2136.txt.

Another major update in DNS 5.0 is the addition of service (SRV) records and these have already been seen as a mechanism for publishing the ldap server, _ldap._tcp.<domain> and it is through these records that domains can be looked up through the DNS service.

You could perform this on a separate Windows 2000 machine, the domain controller and the DNS server will probably not be the same machine, it just has to exist before upgrading the server to a domain controller. To install DNS 5.0 on the server perform the following:

1. Start the Install/Remove Programs Control Panel Applet (Start - Settings - Control Panel - Add/Remove Programs)
2. Click the "Configure Windows" left hand pane
3. Click the "Components" button that is displayed
4. Select "Networking Options" and click Details
5. Select "Microsoft DNS Server" and click OK
6. Click Next

Before actually configuring the DNS service modify the TCP/IP properties of the machine to use itself as the DNS server:

1. Right click on 'My Network Places' and select Properties
2. Right click on the 'Local Area Connection' and select Properties
3. Select 'Internet Protocol (TCP/IP)' and click Properties button
4. Under the DNS section select 'Use the following DNS server addresses:' and enter the machines IP address
5. You can also click advanced, select the DNS tab and ensure the DNS suffix for the connection is the DNS domain you are about to create. Click OK
6. Click OK to all dialogs to close all windows

Now check the computers primary suffix is set

1. Right click on 'My Computer' and select Properties
2. Select the 'Network Identification' tab and click the Properties button
3. Click the More button
4. Ensure 'Primary DNS suffix of this computer' is set to the DNS domain you are about to create and click OK
   
5. Click OK to all dialogs to close all windows
6. Click Yes to restart the computer

If you don't do this first, your NS records for the zones will simply list the computer name, followed by a ".", rather than the FQDN of your NS and this may cause problems. You can forgo this step and the NS records will be updated after the machine becomes a DC, but I've heard of some problems with this approach.

You then need to configure the DNS service

1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
2. Right click on the root and select 'Configure Server' and this will start the configuration applet. Click Next
3. It will detect there are no root servers so select "This is the first DNS server on this network" and click Next
4. Check "Yes, add a forward lookup zone" and click Next. This zone is used for the storage of host name to IP addresses
5. You should now select the zone type, Select "Standard Primary" and click Next. "Active Directory Integrated" stores the DNS database in the Active Directory however there is no Active Directory at this point. This option can be set later
6. Enter the name of the zone, e.g. savilltech.com and click Next
7. Select "New File" and click Next. If you had an existing .dns file you may import this
8. Check "Yes, add a reverse lookup zone" and click Next. The reverse lookup zone is used to find the host name from a IP address. When you create a host record a PTR record can also be selected to be created and this adds a record in the reverse lookup zone
9. Again select "Standard Primary" and click Next
10. Enter the first parts of your subnet, e.g. 200.200.200.0 (subnet will be filled in for you). If you subnet mask was 255.255.0.0 you would enter the first 2 parts of you IP address, if 255.255.255.0 you would enter the first 3. Click Next
11. Again Check "New File" and click Next
12. A summary will be displayed and click Finish to complete the installation

The final stage is to configure the zones to be dynamic update enabled which allows hosts to add records in the DNS server.

1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
2. Expand the DNS server, expand the "Forward Lookup Zones", select the domain, e.g. savilltech.com
3. Right click on the domain and select Properties from the context menu
4. Select "Yes" from the "Allow dynamic updates?" drop down box
5. Click Apply then OK
6. Now expand the "Reverse Lookup Zones" and select the reverse lookup zone, e.g. "200.200.200.x Subnet"
7. Select the zone and right click the zone and select Properties from the context menu
8. Again select "Yes" from the "Allow dynamic updates?" drop down box
9. Click Apply then OK

DNS is now configured for a domain and you can create the domain.

To ensure all entries are correctly entered enter the command below in a command window (cmd.exe)

C:\> ipconfig /registerdns

---

Q. How do I configure Active Directory integrated DNS? - Windows 2000 only

A. It is possible to configure DNS servers that are also domain controllers to store the contents of the DNS database in the Active Directory which will then be replicated to all domain controllers in the domain. The option to store the DNS database in the Active Directory is not available on DNS servers that are not domain controllers.

1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
2. Expand the DNS server, expand the "Forward Lookup Zones", select the domain, e.g. savilltech.com
3. Right click on the domain and select Properties from the context menu
4. Under Type click Change
5. Select "Active Directory-integrated" and click OK
6. Click OK to "Are you sure you want this zone to become an Active Directory-integrated"
7. Click Apply then OK

---

Q. Setting a secondary DNS server as primary results in errors.

A. If you have a secondary DNS server configured to duplicate all entries from another DNS server you may experience a problem if you try and set it as a primary DNS server, which results in the service not starting and an error to the effect of the data being wrong:

Event ID: 7023
The MS DNS Server service terminated with the following error:
The data is invalid.

Event ID: 130
DNS Server zone zone name has invalid or corrupted registry data.
Delete its registry data and recreate with DNSAdmin.

Event ID: 133 DNS
Server secondary zone zone name, had no master IP addresses in registry.
Secondary zones require masters.

The DNS Manager forgets to set the correct value for the DNS Type in the registry (secondary is remaining), but it is erasing the address of the primary DNS, where the data came from. To correct this perform the following:

1. Start the registry editor (regedit.exe)
2. Move to, locate the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dns\Zones\< zonename >, where < zonename> is the domain (e.g. savilltech.com)
3. Double click on the TYPE value and change from 2 to 1.
4. Close the registry editor

You should now be able to successfully start the DNS service

C:\> net start dns

The TYPE value can have one of two values,

0x1 specifies Primary zone
0x2 specifies secondary zone

A fix for this can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/ hotfixes-postSP3/dns-fix

---

Q. How do I turn off Dynamic DNS? - Windows 2000 only

A. By default, the TCP/IP stack in NT 5.0 Beta 2 (and later builds) attempts to register it's Host (A) record with it's DNS server. This makes sense in an all NT (Windows 2000) environment. But if you are using a static, legacy DNS server, the DNS guys might not like all the 'errors' this shows up on their server since the DNS servers will not understand these "updates".

You will get errors such as:

• Dnsapi
• Failed to register network adapter with settings
• Sent update to server

To make the clients stop attempting to publish their DNS names/addresses to the DNS server perform the following:

1. Log on to each client as Administrator
2. Start the registry editor (regedit.exe)
3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
4. From the Edit menu select New - DWORD value
5. Enter a name of DisableDynamicUpdate and press Enter
6. Double click on the new value and set to 1. Click OK

If you have multiple adapters in the machine you may not want to disable for all so instead of setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate to 1, set as 0 and then move to the sub key Interfaces\<interface name> and create the DisableDynamicUpdate value there and set to 1.

If you needed to perform this on a large number of machines you should create a reg script or set from the login script.

---

Q. How do I configure a forwarder on DNS 5.0? - Windows 2000 only

A. If you create a DNS server on your network but are not the main DNS server, i.e. your company has a central main DNS server, you will want to forward queries your DNS server cannot service to that DNS server.

This is because only certain servers in your network will have access to DNS servers outside your network (due to firewalls etc) and thus your (departmental?) DNS server cannot access the DNS servers higher up in the DNS hierarchy. To configure a forward perform the following:

1. Start the DNS Management MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
2. Right click on the DNS server and select Properties
3. Select the "Forwarders" tab
4. Check the "Enable forwarder(s)" box
5. Enter the IP address of the DNS server and click Add
6. Click OK
7. Close the DNS Management snap-in



If you are missing the forwarder tab or its not available see Q. I am missing the forwarder and Root Hints tabs in DNS 5.0

---

Q. I am missing the forwarder and Root Hints tabs in DNS 5.0. - Windows 2000 only

A. This is caused if your server thinks it is the root server in the domain, and will hence have a "." zone. To enable the forwarder you need to delete this zone from your server:

1. Start the DNS Management MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
2. Expand the server, expand Forward Lookup Zones and select "."
3. Right click and select Delete
4. Click Yes to the confirmation
5. Stop and Start the DNS manager and the tabs are available



This can also be done from the command line using:

C:\> dnscmd /ZoneDelete . /DsDel

The /DsDel is required if the zone is Active Directory integrated

---

Q. How do I enable DNS round robin resolution?

A. Recent Windows NT service packs introduced LocalNetPriority which tries to return Host resources that are local to the requestor instead of using round robin however round robin can be enabled as follows:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. From the Edit menu select New - DWORD Value
4. Enter a name of LocalNetPriority and press Enter
5. Double click the new value and set to 0 to disable LocalNetPriority and re-enable round robin. Click OK
6. Close the registry editor
7. Stop and restart the DNS service

---

Q. DNS resolution of a valid domain fails on NT.

A. if you are running NT4 DNS with either SP4 or SP5 installed you may  find a domain that resolves on Unix DNS servers server times out when you do an NSLOOKUP on NT.

This is a known bug and a Quick Fix Engineering patch for NT bug 267085 is available from Microsoft support or wait for SP6 to come out.

---

Q. How can I force a Windows 2000 domain controller to re-register its DNS entries?

A. To re-register the domain controller DNS entries perform one of the following:

1. Stopping  & start the netlogon service which will reregister all SRV records in
   the netlogon.dns file.
2. Netdiag /fix will also do this.
3. Ipconfig /registerdns

---

Q. I'm getting DNS zone transfer messages in the event log, is someone hacking me?

A. No, don't panic, it just means someone is listing the content of a zone and this is fine since you are making the information publicly available anyway. To do this list see 'Q. How do I perform a DNS zone transfer?'

If you want to stop people performing zone transfers start the Microsoft DNS Manager, select the Zone, go into the Properties for the zone and select the Notify tab. Check the "Only Allow Access for Secondaries included on the notify list".

A typical event log is shown below:



---

Q. How do I perform a DNS zone transfer?

A. To list the content of a DNS zone perform the following commands (remember this does not actually remove any information from the host DNS server, it only lists it)

C:\>nslookup
Default Server: adm1.srv.uk.deuba.com
Address: 10.142.10.2

> set q=ns                Sets the query type to name servers
> db.com                  The name of the DNS zone you wish to list
Server: adm1.srv.uk.deuba.com
Address: 10.142.10.2

db.com nameserver = ns1.eur.deuba.com
db.com nameserver = ns2.eur.deuba.com
db.com nameserver = ns1.uk.deuba.com
db.com nameserver = ns2.uk.deuba.com
ns1.eur.deuba.com internet address = 10.70.136.140
ns2.eur.deuba.com internet address = 10.70.137.140
ns1.uk.deuba.com internet address = 10.141.39.181
ns2.uk.deuba.com internet address = 10.140.8.12
> server ns1.eur.deuba.com      Set the server to be one of those listed
Default Server: ns1.eur.deuba.com
Address: 10.70.136.140

> ls -d db.com                  List out the zone
[ns1.eur.deuba.com]
db.com. SOA ns1.eur.deuba.com hostmaster.ose.eur.deub
a.com. (1999091500 3600 1800 604800 1800)
db.com. NS ns1.uk.deuba.com
db.com. NS ns2.uk.deuba.com
db.com. NS ns1.eur.deuba.com
db.com. NS ns2.eur.deuba.com
db.com. A 10.141.44.112
db.com. MX 10 bmr1-e1.srv.uk.deuba.com
testxyz CNAME ns2.eur.deuba.com
atwork CNAME clust1v2.srv.uk.deuba.com
search.atwork CNAME homepage.mev.eur.deuba.com
phone.atwork CNAME nerys.x500.esb.eur.deuba.com
www2 A 38.163.212.70
www3 CNAME nyc00pah11.na.deuba.com
infohost.herold A 193.150.167.33
pmg NS ns1.eur.deuba.com
pmg NS ns2.eur.deuba.com
mgam CNAME clust1v2.srv.uk.deuba.com
it.mgam CNAME clust1v2.srv.uk.deuba.com
iis.mgam CNAME clust1v2.srv.uk.deuba.com
etsg.mgam CNAME clust1v2.srv.uk.deuba.com

Thats it, you have now listed out all the records in the zone.

---

Q. How can I stop DNS Cache pollution?

A. DNS cache pollution can occur if Directory Naming Service (DNS) "spoofing" has been encountered. The term "spoofing" describes the sending of non-secure data in response to a DNS query. It can be used to redirect queries to a rogue DNS server and can be malicious in nature.

Windows NT DNS can be configured to filter out responses to unsecured records by performing the following:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
3. From the edit menu select New - DWORD value
4. Double click the new value and set to 1. Click OK

The following is taken from Knowledge base article Q198409 which helps understand this more:

"Examples: DNS server makes MX query for domain.samples.microsoft.com to samples.microsoft.com's DNS server. The samples.microsoft.com DNS server responds but includes A record for A.ROOT-SERVERS.NET giving its own address. The rogue DNS server has then gotten itself set up as a root server in your DNS server's cache. Less malicious, but more common, are referral responses (or direct responses from BIND, see WriteAuthorityNs for discussion) that contain records for the DNS of an ISP: Authority section:

new.samples.microsoft.com NS ns.new.samples.microsoft.com.
new.samples.microsoft.com NS ns.isp.samples.microsoft.com.

Additional section:

ns.new.samples.microsoft.com. A 1.1.1.1
ns.isp.samples.microsoft.com. A 2.2.2.2

NOTE: The address record for the ISP happens to be old\stale. If SecureResponses is on, records that are not in a subtree of the zone queried are eliminated. For example, in the example above, the samples.microsoft.com. DNS server was queried, so the all the samples.microsoft.com records are secure, but the ns.isp.microsoft.com. A record is not in the sample .microsoft.com. subtree, and is not cached or returned by the DNS server."

---

Q. How can I enable my web site to be accessible as ntfaq.com instead of www.ntfaq.com?

A. We are all used to entering www.<domain> for a web site, such as www.serverfaq.com, however www is just a normal DNS host record and if you want your site to be accessible as just <domain>, e.g. yahoo.com just create a blank host record.

In Windows 2000 to create a blank host record for the domain perform the following:

1. Start the DNS MMC snap-in (Start - Programs - Administrative Tools - DNS)
2. Expand the server - forward lookup zones - DNS domain
3. Right click on the domain and select 'New Host'
4. Leave the name blank and just enter the IP address (check the create associated pointer record box)
   
5. Click Add Host

A new host record will be listed of the form:

(same as parent folder) Host <ip address>

To do this on NT 4.0 for the domain ntfaq.com at address W.X.Y.Z, do the following:

1. Stop the DNS service:
   C:\> net stop dns
2. Edit the file ntfaq.com.dns (found at %systemroot%\system32\dns\*.dns)
3. Find a record that looks like:
   www IN A W.X.Y.Z
4. Add the following record below:
   @ IN A W.X.Y.Z
5. Save the file
6. Restart DNS Service
   C:\> net start DNS

---

Q. How can set the primary DNS suffix in Windows 2000?

A. In Windows NT 4.0 you set the primary DNS suffix using the domain field in the DNS tab of TCP/IP properties.

In Windows 2000 this is performed as follows:

1. Right click on My Computer and select Properties
2. Select the Network tab
3. Click the Properties button
4. Click the More button
5. Enter the Primary DNS suffix and click OK
   
6. Click OK to the prompt informing you will need to reboot the computer
7. Close all dialogs
8. Reboot the computer

This is very important on domain controllers before configuring DNS as without this configured the created DNS records will not have the fully qualified host name.

---

Q. How do I create a caching-only DNS server?

A. Normally a DNS server holds records about various DNS zones which are replicated between other DNS servers (via the Active Directory in a AD enabled zone).

Caching-only DNS servers don't actually host any zones and are not authoritative for any domains but rather just cache results from queries asked them by clients. If a client asks it to resolve www.savilltech.com it will a zone holding DNS server to resolve it and cache the answer so if another client asks it to resolve the same record it can answer from its cache. This is similar in a way to a proxy server that caches popular web pages.

These are useful for sites connected via a WAN with a local caching-only DNS server saving on network traffic.

To configure a caching only DNS server perform the following:

1. Ensure the machine has a static IP address
2. Install the DNS service as per normal (Start - Settings - Control Panel - Add/Remove Software - Add/Remove Windows Components - Components - Networking Services - Details - Domain Name System (DNS) - OK - Next - Finish)
3. Start the DNS MMC (Start - Programs - Administrative Tools - DNS)
4. From the Action menu select 'Connect To Computer...'
5. In the Select Target Computer window enable 'The following computer:' and enter the name of a DNS server you want to cache.
   
6. Click OK

The machine will now start to gather a cache of host-IP mappings.

To clear the cache right click on the actual server name (not the server it is caching from) and select 'Clear Cache' from the context menu.

---

Q. How do I change Domain Names?

A. This is not so much a procedure but things to think about.

1. NT stores both the textual name and the Security ID (SID) associated with the name, when you change the Domain name you only change the textual part and NOT the SID.
2. All users should log off before starting the Domain Name change
3. Break all trust relationships with other Domains
4. If possible all BDC's should have the domain name changed and want to reboot. Say reboot later, and shutdown the machine and power it off.
5. On the PDC run control panel, and change the Domain Name through Network Panel. The computer will prompt for a reboot and select "Reboot Now".
6. Once the PDC is up let it stabilize for a few minutes then bring up each BDC with a minute gap, so it can validate with the PDC
7. Re-create trust relationships with other Domains
8. Move all clients to the new Domain, for Workstation see next FAQ.

A knowledge base article exists at http://support.microsoft.com/support/kb/articles/q178/0/09.asp.

---

Q. How do I move a Workstation to another Domain?

A. Logon to the Workstation locally as Administrator (i.e. name of machine) and goto Control Panel. Double click Network and click change. Enter the new Domain name and click OK. You will receive a message "Welcome to Domain x". Reboot the machine and you are part of the new domain.

If you wish to administer this box from the new domain you will need to add <Domain>\DomainAdmins to the local administrators group by connecting to the local user database via User Manager for Domains (i.e. \\computername)

---

Q. How many user accounts can I have in one Domain?

A. The real problem is that each user account and machine account takes up space in the SAM file, and the SAM file has to be memory resident. A user account takes up 1024 bytes of memory (a machine account half as much), so for each person (assuming they each had one machine) would be 1.5 KB. This would mean for a 10,000 user domain each PDC/BDC would need 15MB of memory just to store the SAM! Imagine a network with 100,000 people. This is one of the reasons you have multiple domains and then setup trust relationships.

---

Q. How to I change my server from Stand Alone to a PDC/BDC?

A. You cannot change the role of a NT server, you will need to reinstall NT.

As an alternative, you can use a 3rd party utility called U-Promote, http://u-tools.com/UTools/UPromote.asp however this works by making registry changes that would render your system unsupportable by Microsoft and may lead to problems later in the servers life time, for example moving to Windows 2000.

In Windows 2000 you can promote a server to a domain controller by using DCPROMO.EXE.

---

Q. What is a PDC, BDC?

A. A PDC is a Primary Domain Controller, and a BDC is a Backup Domain Controller. You must install a PDC before any other domain servers. The Primary Domain Controller maintains the master copy of the directory database and validates users. A Backup Domain Controller contains a copy of the directory database and can validate users. If the PDC fails then a BDC can be promoted to a PDC. Possible data loss is user changes that have not yet been replicated from the PDC to the BDC. A PDC can be demoted to a BDC if one of the BDC's is promoted to the PDC.

---

Q. How many BDC's should I have?

A. Microsoft say one BDC for every two thousand users. This is fine considering a 486DX2 with 32MB of RAM can, on average, perform at least 10 logons per minute, however if everyone in your company arrives at 9:00 on the dot and log on (except for the helpful people who arrive half an hour late) there will be a surge of logon requests to deal with, resulting in large delays. To try and improve on this, it is possible to configure the Server service to throughput for Network Applications rather than File Applications. Remember the more powerful the processor, the more logons (for a Pentium 133, would be able to logon at least 30 people).

---

Q. How do I configure a Trust Relationship?

A. Domains by default are unable to communicate with other domains, which means somewhere in domain x cannot access any resource that is part of domain y. Before a trust relationship is configured

• an administrator in x cannot give permission to any user of domain y for files or printers
• a user of domain y cannot sit at a workstation that is part of domain x and logon

After a trust relationship is defined, say x trusts y the following happens

• users of domain y can sit at a workstation that is part of domain x and logon to their own domain y (it will be displayed in the domain dropdown box)
• an administrator of domain x can grant permission to any user of domain y to file and print resources
• users of domain y are included in the Everyone group of domain x

In the example above x is the trusting domain, and y is the trusted domain. Also the above is a one-way trust relationship, i.e. while domain y users can use domain x resources, users of domain x cannot use domain y resources. A two-way relationship would allow each domain to access resources of the other (if given permission).

The basics of a trust relationship is to first configure domain y to allow domain x to trust it, and then configure domain x to trust domain y:

1. Log onto domain y as Administrator
2. Start User Manager for Domains (Start - Programs - Administrative Tools)
3. Select "Trust Relationships" from the Policies menu
4. Click the Add button to the Trusting Domains box
5. Enter the name of the domain you want to be able to trust you, i.e. domain x
6. You can type a password in the Initial Password and Confirm Password, however this is only used when the trust relationship is started. You can leave it blank Click OK to complete the addition
7. Close the Trust Relationship dialog box
8. Log off of domain y and logon onto domain x as Administrator
9. Start User Manger for Domains, and choose "Trust Relationships" from the Policies menu
10. Click the Add button to the Trusted Domains box
11. Enter the name of domain y and the password if one was configured in step 6
12. Click OK and close the User Manager for Domains application.
13. Domain x now trusts domain y

---

Q. How do I terminate a Trust Relationship?

A. Firstly you have to stop domain x trusting domain y, then remove domain x's ability to trust domain y:

1. Logon as Administrator to domain x
2. Start User Manager for Domains, and click Trust Relationships from the Policies menu
3. Select domain y from the Trusted Domains and click Remove and confirm
4. Logoff, and logon to domain y as Administrator
5. Start User Manager for Domains, and click Trust Relationships from the Policies menu
6. Select domain x from the Trusting Domains and click Remove and confirm
7. Exit

---

Q. How can I join a domain from the command line?

A. The NT Resource Kit Supplement 2 ships a new utility called NETDOM.EXE which can be used to not only join domains, but create computer account and trust relationships.

To join a domain there are 2 paths, the first is to just add the computer to the domain and create the computer account simultaneously which is OK if you are logged on as a domain administrator, if you are not a domain administrator the account needs to be added in advance and then you join the domain.

If you are logged on as a domain administrator then enter the command below to create the account and join the domain

netdom /domain:savilltech /user:savillj /password:nottelling member <computer name> /joindomain
where <computer name> is the name of your machine, e.g. johnstation

If you are not an administrator the domain admin people will have to add you an account first using either server manager or using NETDOM.EXE

netdom /domain:savilltech /user:savillj /password:nettelling member <computer name> /add

Once the account has been add the normal user could join the domain using the first command shown.

---

Q. How do I demote a PDC to a BDC?

A. Normally when you promote a BDC to the PDC, the existing PDC is automatically demoted to a BDC, but in the event that the PDC was taken off line and then a BDC promoted when the old PDC is restarted it will still think its the PDC and when it detects another PDC it will simply stop its own netlogon service.

To actually modify the machine to be a BDC the registry needs to be changed directly:

1. Logon to the machine as an Administrator
2. Start the registry editor (regedt32.exe)
3. Move to HKEY_LOCAL_MACHINE\Security
4. Select Permissions from the Security menu
5. Select Administrators and change the access type to Full Control, check the "Replace Permission on Existing Subkeys" and click OK. Click Yes to the confirmations dialog box
6. You can now navigate the Security menu, move down to Policy\PolSrvRo
7. Double click on the default <no name> value and change the second digit (which should be 3 for a PDC) to a 2 (which means BDC). Click OK. E.g. 03000000 to 02000000.
8. You should now reset the Security on the Security part of the registry using the same method as before but changing back to Special Access for Administrators. The permissions for Administrators should be
   - Write DAC
   - Read Control
9. Restart the machine and it will come up as a BDC

To avoid having to set security perform the registry change from the system account by submitting the registry editor via the schedule service.

C:\> net start schedule (only if not already running)
C:\> at <time> /inter regedt32.exe
C:\> net stop schedule (only if you had to start it)

---

Q. How can I configure a BDC to automatically promote itself to a PDC if the PDC fails?

A. There is no way to do this, the assumption is that the PDC would be configured to write out the dump information and then reboot itself thus coming back online. You configure this behavior using the System Control Panel Applet - Startup/Shutdown tab.

---

Q. How do I rename a PDC/BDC?

A. To rename a Primary Domain Controller perform the following:

1. Log onto the PDC as an Administrator
2. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
3. Click the Identification tab.
4. Click the Change button and enter in the new computer name and click OK
5. Restart the PDC for the name change to take effect.
6. Once the machine has rebooted start Server Manager (Start - Programs - Administrative Tools - Server Manager), if the old name still appears as a Backup, or if there is no entry for the new name:
   - Create an entry for the new name. To do this, select Add to Domain in the Computer menu of Server Manager.
   - Add the new computer account as a "Windows NT Backup Domain Controller" (it will be added and displayed as a Primary).
   - Remove the old name by selecting the entry. To do this, select Remove from Domain on the Computer menu.

To Rename a Backup Domain Controller

1. Log onto the PDC as an Administrator and in Server Manager (Start - Programs - Administrative Tools - Server Manager) add an account for the BDC's new name
2. Log onto the BDC as an Administrator
3. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
4. Click the Identification tab.
5. Click the Change button and enter in the new computer name and click OK
6. Restart the BDC for the name change to take effect. The NETLOGON service will not yet start on this server.
7. On the PDC, open Server Manager. Select the new BDC name and from the Computer menu, choose Synchronize With Primary. This will start the NETLOGON service.
8. In Server Manager, select the old BDC name from the list and from the Computer menu, choose Remove From Domain.

Note: If the BDC begins to receive 7023 or 3210 errors after synching the domain in server manager, on the PDC choose the BDC and then synch that specific BDC with the PDC. After an event indicating that the synch is complete, restart the BDC.

---

Q. Can I move a BDC to another domain?

A. Normally no, the BDC shares a common SID with the PDC of the domain and so there is no way to move a BDC to another domain, you would need to reinstall the BDC.

System Internals have released NewSID 3.0 ( from http://www.sysinternals.com) which has a SID-synchronizing feature that let's you have one machine copy the SID of another. This makes it possible to move a BDC to a new domain. On the BDC start NewSID and click "Synchronize SID", enter the name of the PDC and click OK.

---

Q. Can I change a PDC/BDC into a stand-alone server?

A. No, the PDC/BDC registry is different from that of a stand alone server, again a reinstallation would be needed.

As an alternative, you can use a 3rd party utility called U-Promote, http://u-tools.com/UTools/UPromote.asp however this works by making registry changes that would render your system unsupportable by Microsoft and may lead to problems later in the servers life time, for example moving to Windows 2000.

In Windows 2000 you can change a domain controller to a normal server by running DCPROMO.EXE.

---

Q. Can I administer my domain from an NT Workstation?

A. Yes, if you install the NT Server client based Administration tools:

1. Insert the NT Server CD-ROM into your NT Workstation
2. Run the file <CD-ROM drive>:\clients\srvtools\winnt\setup.bat. This will detect you processor and install the correct images into the %SystemRoot%\System32 folder. You will have to press return.
3. Remove the CD-ROM
4. You now need to create shortcuts either on the desktop or start menu for the applications:
   - dhcpadmn.exe --- DHCP Manager
   - poledit.exe --- System Policy Editor
   - rasadmin.exe --- Remote Access Administrator
   - rplmgr.exe --- Remoteboot Manager
   - srvmgr.exe --- Server Manager
   - usrmgr.exe --- User Manager for Domains
   - winsadmn.exe --- WINS Manager

---

Q. In what order should I upgrade my PDC and BDC's from 3.51 to 4.0?

A. The two different versions can coexist happily so you can upgrade in order you want however the safest option may be the following schedule:

1. Upgrade a BDC from 3.51 to 4.0
2. Leave it for a week and check it is OK
3. Promote the BDC to the PDC
4. Leave for another week and check everything is OK
5. Upgrade the other BDC's to 4.0
6. Promote the old PDC back to the main PDC (the current PDC will automatically be demoted to a BDC)

---

Q. What tuning can I perform on PDC/BDC Synchronization?

A. There are several registry settings that can be configured for PDC/BDC Synchronization :

These are all values under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

ChangeLogSize (REG_SZ)	Default size for the Change Log. By default 64KB with a maximum of 4MB
Pulse	This determines the gap in seconds between replication from the PDC to the BDC's. The lowest value is 60, and the max is 3600 (1 hour). The default is 300 (5 minutes). You may want to increase this time if the BDC's are over a slow WAN link.
PulseConcurrency	The number of BDC's that the PDC sends pulses to concurrently. By default this is 10.
PulseMaximum	The PDC performs a check that the BDC's are still there every so often. This is in seconds and once again the minimum is 60 and the maximum is 86,400.
Randomize	The number of seconds a BDC waits after an announcement before answering. 1 by default.
ReplicationGovernor	This is a percentage of the 128K blocks that are sent. If you had a slow link you may not want the PDC sending 128K blocks so you could change this to 25, meaning only 32K would be sent at a time. This will mean that the blocks are sent more frequently (25 would mean 4 times as often).
Update	By default this is set to no, which means only changes are replicated. Setting this to Yes will cause everything to be replicated even if there is no change. This needs to be set on the import server.

---

Q. I cannot add a BDC over a WAN.

A. To add a BDC to a domain, the PDC has to be contactable. Therefore the first task is to check that communications are working.

If you are using TCP/IP then ensure you can PING the PDC,

ping <ip address of the PDC>

If this is OK then the problem is at the NetBIOS level. If you have WINS on the network ensure the BDC is configured to use the WINS server as when the PDC starts it will register the WINS name <domain><1Bh> which is used to identify the domain controller.

Alternatively the LMHOSTS file can be updated.

1. Start Notepad
2. Open the file <systemroot>\system32\drivers\etc\lmhosts
3. Add a line with the following syntax
   <IP address> <machine name> #PRE #DOM:<domain name>
4. Save the file

To use the lmhosts file during installation you should create the file on another machine and copy it over when the BDC is being installed.

---

Q. How can I synchronize the domain from the command line?

A. To force a domain synchronization use the command

net accounts /sync

---

Q. How can I force a client to validate its logon against a specific domain controller?

A. Before answering this it is best to understand what happens when a login occurs.

When a logon request is made to a domain, the workstation sends out a request to find a domain controller for the domain. The domain name is actually a NetBIOS name that is a 16-character name with the 16th character used by Microsoft networking services to identify the NetBIOS type.

The type used for a domain controller is <1C> and so the NetBIOS name for domain controller of domain "SAVILLTECH" would be "SAVILLTECH <1C>" The NetBIOS type has to be the 16th character, hence the name of the domain has to be filled with blanks to make its length up to 15 characters.

If the client is WINS enabled then a query for the resolution of "<domain name> <1C>" will be sent to the WINS server as defined in the clients TCP/IP properties. The WINS server will return up to 25 IP addresses that correspond to domain controllers of the requested domain, a \mailslot\net\ntlogon is broadcast to the local subnet and if the workstation receives a response then it will attempt logon with the local domain controller.

If WINS is not configured then it is possible to manually configure the LMHOSTS file on the Workstations to specify the Domain Controller. This file is located in the %systemroot%\system32\drivers\etc directory.

An example entry in LMHOSTS would be as follows

200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller

The above sets up IP address 200.200.200.50 to be host Titanic, which is the domain controller for savilltech and instructs the machine that this entry is to be preloaded into the cache.

To check the NetBIOS name cache you can use command nbtstat -c, which will show all the entries including their type. If WINS is not configured and there is no entry in LMHOSTS then the Workstation will send out a series of 3 broadcasts. In the situation where no response is received and WINS is configured to use DNS for WINS resolution a request to the DNS server will be sent and finally the HOSTS file checked. If all of this fails then an error "A domain controller for your domain could not be contacted.

To force a client to use a specific domain controller we need only do the following:

1. Start the registry editor
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
3. From the Edit menu select New - DWORD value
4. Enter a name of NodeType and press ENTER
5. Double click on the new value and set to 4 (this sets the network to an M-mode/mixed which means it will perform a broadcast before querying name servers for resolution). By default a system is 1 if no WINS servers are configured (B-node/broadcase) or 8 if at least one WINS server is configured (H-node/queries name resolution first then broadcasts)
6. Double click on the EnableLMHOSTS value and set to 1. If it does not exist select New - DWORD value from the Edit menu and enter a name of EnableLMHOSTS
7. Close the registry editor
8. Reboot the machine

The machine is now configured to broadcase for a domain controller on a local subnet and then query a name server. If no domain controllers are found on the WINS server, or WINS is not used it will then search the LMHOSTS file. The next stage is to edit this file.

1. Check for the LMHOSTS file
   C:\>dir %systemroot%\system32\drivers\etc\lmhosts
2. If the file does not exist copy the sample host file
   C:\>copy %systemroot%\system32\drivers\etc\lmhosts.sam %systemroot%\system32\drivers\etc\lmhosts
   1 file(s) copied.
3. Edit the file using edit.exe, don't use notepad.exe
   C:\>edit %systemroot%\system32\drivers\etc\lmhosts
4. Goto the end of the comments and add a new line of the format
   <ip address> <name of DC> #PRE #DOM:<domain name> #<comment>
   e.g. 200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller
5. Save the changes to the file and exit edit.exe
6. Force the machine to reload the LMHOSTS file (or just reboot)
   C:\>NBTSTAT -R
   Note: The -R must be in capitals, the command is case sensitive
7. Check the cache
   C:\>NBTSTAT -c
8. At this point the configuration is complete and a reboot is advisable.

Service Pack 4 includes a new utility, SETPRFDC.EXE, which will direct a secure channel client to a preferred list of domain controllers.

The syntax is:

C:\> SETPRFDC <Domain Name> <DC1, DC2, ....., DCn>

SETPRFDC will try each DC in the list in order, until a secure channel is established. If DC1 does not respond, DC2 is tried, and so on. Once you run SETPRFDC on a WinNT 4.0, SP4 computer, the list is remembered until you change it. You can run SETPRFDC in batch, via the scheduler, or even in a logon script (for future logons). Don't forget to undo any LMHOSTS entries you might have set.

---

Q. How do I promote a server to a domain controller? - Windows 2000 only

A. Windows 2000 ships with a utility, DCPROMO.EXE, which is used to promote a stand-alone/member server to a domain controller and vice-versa.

In Windows 2000 domains are DNS names which means you can have a hierarchy of domains leading to parent-child domain relationships. The advantage of these parent-child relationships is that there have a bidirectional transitive trust which means that if domain b is a child of domain a, and domain c is a child of domain b, domain c implicitly trusts domain a. This is very different from the way trusts work in earlier versions of Windows NT.

Since Windows 2000 domains rely on DNS it is vital that DNS is correctly configured to enable the domain to be created (if you are creating a new top level domain). Information on configuring DNS for a domain can be found here.

A final pre-requisite is that an NTFS 5.0 volume is required to house the SYSVOL volume and so ensure you have at least one NTFS 5.0 volume (use CHKNTFS to check the versions of your partitions).

To upgrade a stand-alone/member server to a domain controller perform the following:

1. Start the DCPROMO utility (Start - Run - DCPROMO)
2. Click Next to the introduction screen
3. You will have a choice to "New domain" or "Replica domain controller in existing domain". There is no concept of a BDC in NT 5.0 and all domain controllers are equal (more or less :-) ). Select New Domain and click Next
4. A new concept is trees which enable the idea of child domains. If you are starting a new top level domain select "Create new domain tree", to create a child domain select "Create new child domain". Click Next
5. If you selected to create a new domain tree you will be asked if you want to "Create a new forest of domain trees" or "put this new domain tree in an existing forest". Forests enable you to "join" a number of separate domain trees and again a transitive trust relationship is created between them. If this is your first NT 5.0 domain tree you should create a new forest. Click Next
6. You will then be asked for the DNS name of your domain, e.g. savilltech.com is a valid domain name. It is important this matches information configured on the DNS server. Click Next
7. You will then be asked for a NetBIOS domain name which by default will be the left most part of the DNS domain name (up to the first 15 characters), e.g. savilltech, however this can be changed. Click Next to continue.
8. You will then have to provide a storage area for the Active Directory and the Active Directory log. Except the defaults and click Next
9. Finally you must select an area on an NTFS 5.0 partition for the SYSVOL volume for storage of the servers public files, %systemroot%\SYSVOL by default. Click Next
10. An option to weaken security for pre-Windows 2000 services such as a 4.0 RAS server. Select your option and click Next
11. You will be asked for an Administrator password to be used in Directory Server restore mode. Click Next
12. A summary screen will be displayed and click Next to start the upgrade. It sets security and creates the Directory Server schema container. Information from the default directory service file and the old SAM is then read in if the machine is an upgraded PDC.
13. You should then click Finish and reboot the machine.

You now have a Windows 2000 domain controller. Additional domain controllers (old BDC's) can be added by performing the above and selecting "Replica domain controller in existing domain" in step 3. It would then ask you the name of the domain to replica.

---

Q. How can I generate a list of all computer accounts in a domain?

A. The normal method under Windows NT 4.0 and earlier is to use Server Manager (Start - Programs - Administrative Tools - Server Manager) and computer accounts can be viewed/added/deleted.

Under Windows NT 5.0 this information can be viewed using the Active Directory MMC (Microsoft Management Console) snap-in and browse the domain/Computers group. Of course under Windows NT 5.0 and the Active Directory computers can also be created in Organisation Units so would not all be shown under this tree (as shown below the computer account in the law OU would not be listed in the Computers group).



A more complete method is to use the Windows NT Resource Kit NETDOM.EXE utility (which runs under Windows NT 5.0) to generate the list, e.g.

C:\> netdom member
Searching PDC for domain SAVILLTECH ...
Found PDC \\TITANIC
Listing members of domain SAVILLTECH ...

Member 1 = \\ODIN
Member 2 = \\garfield

It is also possible to list other domains using a mixture of command line switches, e.g.

C:\> netdom /d:<domain name> [/u:<domain>\<user to which query> /p:<password] member

The information in the [] is only needed if your account does not have privileges in the requested domain.

The advantage of the command line tool is it lists all computer accounts, even those in OU's in the Active Directory.

An alternative method is to use the net view /domain:<domain> command which has the advantage that you can pipe the output to a file or another command, e.g.

C:\> net view /domain:savtech

---

Q. How can I verify my Windows 2000 domain creation? - Windows 2000 only

A. To verify the tcp/ip configuration is OK check for the ldap.tcp.<domain> service record, e.g. ldap.tcp.savilltech.com

C:\> nslookup
> set type=srv
> _ldap._tcp.savilltech.com
Server: [200.200.200.50]
Address: 200.200.200.50
_ldap._tcp.savilltech.com SRV service location:
priority=0
weight=0
port=389
svr hostname=titanic.savilltech.com
titanic.savilltech.com internet address=200.200.200.50

The ldap record used to be ldap.tcp.<domain> but was modified in build 1946 onwards. The underscore is necessary to definitively differentiate our unique names in the DNS namespace from internic registered domain names on the internet. In this way we can ensure that there will never be a DNS name clash. My understanding is that RFC 1034\1035 (may be wrong with these numbers as they may have been superceded) say that the underscore character is NOT a valid character to use in a DOMAIN NAME. All internet registered names should never contain the underscore. Now, RFC2181 states that the underscore is a valid label to use in DNS (as well as plenty of other characters too) so we the underscore is used to prevent possible clash with INTERNET names. This change was introduced in earlier builds of windows 2000. For a while DC's generated both styles of names in DNS to support both styles of clients (ie newer and older builds). Now that client code is changed to look for underscores, we have now retired the ldap.tcp names in favour of the _ldap.tcp names.

Also make sure the NetBIOS computer name is OK

C:\> net view \\<computer name>

Finally check the NetBIOS Domain name works

C:\> usrmgr <domain name>

The NetBIOS domain name is used for backwards compatibility. Use a 4.0 version of usrmgr.

---

Q. How can I configure multiple Logon Servers with LMHOSTS?

A. Service Pack 4 adds support for multiple domain controllers for a single domain to be configured in the LMHOSTS file (located in %systemroot%\system32\drivers\etc). Normally when a computer starts, the WINS server is queried for any [1C] entries, domain controllers, and it will return a list. This list is not geographically aware and you could be given a domain controller on the other side of the world.

An alternative is to specify a list of domain controllers in the LMHOSTS file (which is now checked before WINS is #PRE is in the entry) and have different LMHOSTS files in different regions.

Example entries in the file would be

200.200.200.50 titanic #PRE #DOM:SAVILLTECH
200.200.200.80 cuttysark #PRE #DOM:SAVILLTECH

You will need to ensure the computer is configured to use the LMHOSTS file

1. Right click on Network Neighborhood and select Properties
2. Select the Protocol's tab
3. Select "TCP/IP Protocol" and click Properties
4. Select "WINS address"
5. Check the "Enable LMHOSTS Lookup" box
6. Click Apply then OK
7. You will need to restart the computer

---

Q. Are trust relationships kept when upgrading for a 4.0 domain to a Windows 2000 domain?

A. When a 4.0 PDC is upgrade to Windows 2000 all trust relationships are maintained.

---

Q. How are trust relationships administered in Windows 2000?

A. Instead of using User Manager as in NT 4.0, a new MMC snap-in, Active Directory Tree Manager is used. Although the host application is different the usage is exactly the same.

To view/add/remove perform the following:

1. Start the Domain Tree Manager (Start - Programs - Administrative Programs - Domain Tree Management)
2. Expand the root and right click on the domain
3. Select Properties from the displayed context menu
4. Select the Trusts tab and add/view as required.
5. Click Apply then OK


- Example of one domain that trusts ours

Obviously you should try and use the tree and forest concept rather than manual trust relationships with pure Windows 2000 domains. This is discussed in the Active Directory section (which will be added shortly).

---

Q. I can't promote a BDC to PDC.

A. If you receive an 'Access Denied' message when attempting to promote a BDC to the PDC it may be due to the fact the PDC has Service Pack 4 installed.

This is because Service Pack 4 upgraded the security mechanism used so you will either have to perform the promotion from a Service Pack 4 domain controller or upgrade the BDC in question to SP4.

Another reason for this error is trying to get a renamed and upgraded (3.51 to NT4) server to sync with the domain. The accounts database may have become out of date and thus couldn't be synchronised. NETLOGON may not even be startable.

The way round is to do a "connect as" from the PDC to the rogue BDC using an admin ID known to be good by the BDC before it was upgraded. Once the "connect as" (say to Cc) was accepted, the BDC would then accept the synchronise request from the PDC's Server Manager, restarting NETLOGON in the process.

---

Q. Unable to join a domain because of SMB signing, what can I do?

A. If the following error message is displayed when you attempt to add a computer running Windows NT to the domain:

"Unable to connect to the domain controller for this domain. Either the username or password entered is incorrect."

The error message is displayed even though networking is enabled and the correct administrator name and password credentials were supplied. The problem is that the PDC has SMB signing set to required and the client cannot communicate as it does not have SMB signing enabled.

Two options are possible. The first is to disable RequireSecuritySignature SMB signing on the domain controller as described in Q. How do I enable SMB signing? or install the machine into a workgroup, enable SMB signing then join the domain. Of course this would not work with BDC's.

---

Q. How can I create a child domain?

A. Windows 2000 allows the creation of a domain as a child of another domain. When two or more domains are joined in a parent-child relationship a domain tree is formed.

A child domain is created when executing the DCPROMO.EXE image and the parent domain must be accessible to create.

1. Install Windows 2000 on the machine
2. Ensure the machine has TCP/IP and DNS configured correctly
3. Execute DCPROMO
4. Click Next to continue the upgrade
5. Select 'Domain controller for a new domain' and click Next
6. Select 'Create a new child domain in an existing domain tree' and click Next
7. Enter a Username, password and domain you will be using to join the domain tree. This account must reside in the parent domain a domain in the forest you are joining. Click Next
8. Select the parent domain name by selecting Browse, e.g. savilltech.com. Enter the child domain (just the left most part), e.g. legal. The new complete name will be shown, e.g. legal.savilltech.com. Click Next
9. If this is a new domain controller enter a NetBIOS name for backwards compatibility. By default it will be the left most 15 characters of the DNS domain name (up to the first .). If you are upgrading an existing DC then the NetBIOS name cannot be changed. Click Next
10. Database and log locations will be shown. Click Next
11. The System Volume area will be shown. Click Next
12. An option to weaken security for 4.0 RAS servers. Select your option and click Next
13. A summary will be shown. Click Next
14. The new domain creation will begin
15. Click Finish and reboot the machine

Instead of performing screenshots I've produced an animated GIF of the entire child domain creation (I was bored ;-) ). Click Refresh to make it start from the beginning, a gap of 2 seconds is shown between each screen.



---

Q. How can I create a domain trust through a firewall?

A. When creating trust relationships communications between the two domains is carried out over a number of protocols with each protocol using different TCP/IP port. Below is a list of ports which need to be enabled on the firewall for a trust relationship:

• PORT 135 (TCP or UDP) for Remote Procedure Call(RPC)Service
• PORT 137 (UDP) for NetBIOS Name Service
• PORT 138 (UDP) for NetBIOS datagram (Browsing)
• PORT 139 (TCP) for NetBIOS session (NET USE)
• ALL PORTS above 1024 for RPC Communication

You may use LMHOSTS for name resolution (which would have #pre #dom entries for the domain controllers) or WINS can be used which requires:

• PORT 53 (TCP and UDP) for DNS
• PORT 42 (TCP and UDP) for WINS Replication

Alternatively, a trust can be established through point-to-point tunneling protocol (PPTP). For PPTP, the following ports must be enabled:

• PORT (TCP) 1723 for PPTP
• IP PROTOCOL 47 (GRE)

If you only wish to perform management through a firewall and/or RRAS you can only allow TCP any-139, TCP 139-any and UPD 138-138 through the firewall. Also allow UDP 137-137 to the WINS Servers. This allows all the remote management tools to run from the management NT Workstations.

Also see the following knowledge base articles:

• Q167128 SMS: Network Ports Used by Remote Helpdesk Functions
• Q174395 Event ID 4202 Attempting WINS Replication across Router

---

Q. How can I check the browse masters for a domain?

A. The resource kit has a utility BROWSTAT.EXE which allows status of the browse service to be ascertained. To check browse masters for a domain use the following command:

C:\> browstat status <domain>

To check statistics for a single server use the command

C:\> browstat stats \\<server>

---

Q. How can I stop a remote master browser?

A. The resource kit utility BROWSTAT can be used to remotely stop a browse master with the following command:

C:\> BROWSTAT TICKLE <transport> <domain> | \\<server name>

Where <transport> is the Windows NT transport device name, and <domain> is the domain in which the master browser is located, and <server name> is the computer name of the master browser.

To check which transport use the command:

C:\> net config rdr
Workstation active on NetbiosSmb (000000000000) NetBT_Tcpip_{C2F....

The transport device is indicated by '<network service>_<NIC type>', where <network service> is the session-layer network service, and <NIC type> is the type of network interface card on your computer. The session-layer network services are NetBT for NetBIOS over TCP/IP, NwlnkNb for IPX, or Nbf for NetBEUI, e.g. NetBT_Tcpip.

C:\> browstat tickle NetBT_Tcpip_{C2F8C130-F2AF-11D2-B748-DAEDF5F58140} \\titanic

---

Q. How can I force a browser election?

A. The resource kit utility BROWSTAT can be used to force a browser election:

C:\> BROWSTAT ELECT <transport> <domain> | \\<server name>

Where <transport> is the Windows NT transport device name, and <domain> is the domain in which the master browser is located, and <server name> is the computer name of the master browser.

To check which transport use the command:

C:\> net config rdr
Workstation active on NetbiosSmb (000000000000) NetBT_Tcpip_{C2F....

The transport device is indicated by '<network service>_<NIC type>', where <network service> is the session-layer network service, and <NIC type> is the type of network interface card on your computer. The session-layer network services are NetBT for NetBIOS over TCP/IP, NwlnkNb for IPX, or Nbf for NetBEUI, e.g. NetBT_Tcpip.

C:\> browstat elect NetBT_Tcpip_{C2F8C130-F2AF-11D2-B748-DAEDF5F58140} savilltech

---

Q. How can I modify the domain refresh interval?

A. Windows refreshes the domain list whenever the machine is locked for more than two minutes (120 seconds). This can lead to a delay while it does this until the user gets control of the system again.

You can modify the amount of time it waits until refreshing by performing the following:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. Double click on DcacheMinInterval (or if it does not exist create of type REG_DWORD)
4. Modify between 120-86400 seconds
5. Click OK
6. Close the registry editor
7. Restart the computer

---

Q. How is the list of cached domains stored?

A. When you logon a list of known (trusted) domains are displayed that you may logon to.

You can view these entries by performing the following:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache
3. You will be able to see all known domains
4. Close the registry editor

There is no point editing this list as it will be recreated the next time the machine is started/locked.

---

Q. How can I disable trust password changes?

A. After a trust is established using a defined password it is changed automatically every seven days. If this password change is missed two cycles running then the trust is broken. This also applies to machines in a domain who have a secure channel with the domain controller and change their passwords every 7 days on NT 4.0 and for Windows 2000 every 30 days.

To disable the trust password changes perform the following change on the domain controllers/workstations:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. Double click on DisablePasswordChange
4. Set to 1
5. Click OK
6. Close the registry editor

Another option to stop the computer account password changes is to refuse the change at the domain controller:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. From the Edit menu select New - DWORD value
4. Enter a name of RefusePasswordChange
5. Double click on the new value and set to 1
6. Click OK
7. Close the registry editor

---

Q. How can I change the password change for computer/trust accounts?

A. The default interval for password changes for a computer/trust account can be modified as follows:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. From the Edit menu select New - DWORD value
4. Enter a name of MaximumPasswordAge
5. Double click the new value and set to the number of days
6. Click OK
7. Close the registry editor

In NT 4.0 this value is only available for machines with Service Pack 4 and for all versions of Windows 2000. Values can be in the range of 1 to 1,000,000.

---

Q. The list of domains in the logon box is not updated, what can I do?

A. The list of trusted domains should be updated whenever a trust relationship is terminated or created but this is not always the case.

To clear the machines cache of domains perform the following:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. Delete the DCache and DCacheUpdate values
4. Close the registry editor
5. Restart the computer

---

Q. Is it possible to administer a 4.0 domain from a Windows 2000 machine?

A. Many utilities used to administer an NT 4.0 domain do not come with Windows 2000 or work in a different way, however you could copy over the NT 4.0 administration utilities to a Windows 2000 machine and administer the domain with no adverse effects.

Have a look at 'Can I administer my domain from an NT Workstation?' which gives you a quick way to install the tools.

---

Q. How can I configure the command prompt?

A. When you are in a cmd.exe session, it is possible to change the prompt to display other information, such as time, date, OS version etc. To change the prompt just use

prompt <text>
e.g. prompt johns prompt

While basic text will work it is not very helpful, and below is a list of all the codes you can use

$A	& Ampersand
$B	| Pipe
$C	( Open parenthesis
$D	Current date
$E	Escape code (ASCII code 27)
$F	) Close parenthesis
$G	> greater-than sign
$H	Backspace (erases previous character)
$L	< Less-than sig
$N	Current drive
$P	Current drive with path
$Q	= Equal sign
$S	Space
$T	Current time
$V	Windows NT version number
$_	Carriage return and linefeed
$$	$ sign

If you have command extensions, you can also use

$+ Zero or more + characters depending on the depth of the PUSHD directory stack
$M Displays the remote name associated with the current drive letter

---

Q. How do I enable/disable command extensions?

A. When you use CMD.EXE, there are various extensions which are enabled by default. To enable/disable perform the following

1. Start the registry editor (regedit.exe)
2. Move to HKEY_CURRENT_USER\Software\Microsoft\Command Processor
3. Double click on EnableExtensions
4. Set to 1 for them to be enabled, or set to 0 for extensions to be disabled
5. Click OK

You can also enable/disable them for a specific command session by using the appropriate qualifier to cmd.exe

cmd /y disables command extensions for this cmd session
cmd /x enables command extensions for this cmd session

---

Q. What commands can be used to configure the command window?

A. The commands below may be useful:

mode con lines=n - Where n is the number of lines to keep (if n is larger than can fit on the screen a scroll bar will be added)
mode con cols=n - Where n is the number of columns to show (again a scroll bar will be added)

---

Q. How can I configure a scroll bar on my command window?

A. It is possible to increase the line buffer for the command windows above the normal 25. To change the "history" perform the following:

• Start a command session (cmd.exe)
• Right click on the title bar and select Properties
• Click the Layout tab
• In the "Screen Buffer Size" section increase the Height value
• Click OK
• You will be asked "Apply properties to current windows only" or "Save properties for future windows with same title". Select the later and click OK

You will now see a scroll bar on side of your command window. You would also have seen under the properties you can change the default starting location for command windows.

What the above actually does is create HKEY_CURRENT_USER\Console\E:_WINNT_System32_cmd.exe key with a value ScreenBufferSize where the first part is the buffer height in hexadecimal.

---

Q. How do I cut/paste information in a command box?

A. To copy the entire contents of a command window, you can maximize the window (Alt - Enter) and press the Print Scrn button. Alternatively:

1. Right click the title bar
2. Select Mark from the Edit Menu
3. Click the left mouse button at the start of the text you wish to copy, and drag until the end of the selection
4. Press Enter to copy the select, or right click the menu again, and select copy from the Edit menu
5. To paste right click the menu bar, and select paste from the edit menu.

Alternatively you can enable QuickEdit mode by right clicking on the title bar and selecting properties. Select the options tab and check the "QuickEdit Mode" box. Now you can select text with the left mouse button and just press Enter to copy into the clipboard.

When QuickEdit is turned on, you also can paste into the command box by right clicking with the mouse.

In either mode you can paste by pressing Alt + Enter then E then P.

---

Q. How do I enable Tab to complete file names?

A. NT has this functionality built in, however by default it is disabled. To enable perform the following

1. Start the registry editor (regedit.exe)
2. Move to HKEY_CURRENT_USER\Software\Microsoft\Command Processor
3. Double click on the value CompletionChar
4. Make sure the base is Hexadecimal and then set the value to 9 and click OK
5. Close the registry editor
6. Start a new CMD.EXE session and the change will have taken effect

---

Q. How do I create a shortcut from the command prompt?

A. There is a utility supplied with the Windows NT Server Resource Kit Version 4.0 Supplement One (phew) called shortcut.exe which can be used to create .lnk files. The application is quite powerful, and allows you to specify not only the resource to link to, but also an icon etc. An example is shown below

shortcut -t "d:\program files\johnsapp\test.exe" -n "Johns App.lnk" -i "d:\program files\johnicon\icon1.ico" -x 0 -d "e:\johns\data"

What does it mean?

-t this is the location of the resource to be linked to
-n the name of the link file to be created
-i the icon file
-x the icon index to use in the icon file
-d the starting directory for the application once started

You can copy shortcut.exe off of the CD with the resource kit, and it is located in <processor>\desktop (e.g. i386\desktop). There are no other files needed, just shortcut.exe.

---

Q. How can I redirect the output from a command to a file?

A. The most basic use is as follows:

<command> ><file name>
e.g., dir/s >list.txt

However with this errors still get output to the screen, to rectify this use the 2> for the errors, e.g.

<command> ><file name> 2><error file>
e.g. dir/s >list.txt 2>error.txt

If you want the errors and output to goto the same file use the following

<command> ><file name> 2>&1

---

Q. How can I get a list of commands I have entered in a command session?

A. You can press the up and down arrow keys when in a command session to display your old commands (same as the old DOSKEY software), however if you press the F7 key a list of all the commands entered will be displayed and you can then select the command