Windows NT FAQ

Contents


  • Core
  • Registry
  • Service Packs and Hotfixes
  • Windows 2000 (NT 5.0)
  • File Systems
  • Distributed File System
  • Network
  • Active Directory
  • Domains
  • Terminal Server
  • RAS
  • TCP/IP
  • DHCP
  • DNS
  • WINS
  • Exchange/Windows Messaging
  • Internet Information Server
  • Proxy Server 2.0
  • Internet Explorer 4.0/5.0
  • Installation
  • License
  • Windows 95/98 as a client
  • MS-SQL Server
  • NetWare
  • Macintosh
  • RAID
  • Performance
  • System Information
  • MultiMedia
  • User Configuration
  • Environment - Desktop
  • Environment - Command Prompt
  • System Configuration
  • System Policy
  • Security
  • Backups
  • Recovery
  • Problem Solving
  • Printing
  • Support
  • Training
  • Utilities
  • Compatibility
  • Hardware
  • Windows Scripting Host
  • Batch Files
  • Various
  • Impressum


Q. What are the differences between NT Workstation and NT Server?

A. See the table below.

|  | Workstation | Server |
|---|---|---|
| Connection to other clients | 10 | Unlimited |
| Connection to other networks | Unlimited | Unlimited |
| Multiprocessing | 2 CPUs | 4 CPUs |
| RAS | 1 connection | 255 connections |
| Directory Replication | Import | Import and Export |
| Macintosh Services | No | Yes |
| Logon Validation | No | Yes |
| Disk Fault Tolerance | No | Yes |
| Network | Peer-to-peer | Server |

Q. What does NT stand for?

A. NT actually stands for Northern Telecom, but Microsoft licensed it, and in the Windows sense it stands for New Technology. It's also interesting to note its heritage:
RSX -> VMS -> ELN -> NT all major designs of David Cutler
Also VMS +1 letter = WNT (Windows NT) :-) (aka HAL and IBM in 2001)


Q. What is the NT Boot Process?

A. Firstly the files required for NT to boot are

  • Ntldr - This is a hidden, read-only system file that loads the operating system
  • Boot.ini - This is a read-only system file, used to build the Boot Loader Operating System Selection menu on Intel x86-based computers
  • Bootsect.dos - This is a hidden file loaded by Ntldr if another operating system is selected
  • Ntdetect.com - This is a hidden, read-only system file used to examine the hardware available and to build a hardware list.
  • Ntbootdd.sys - This file is only used by systems that boot from a SCSI disk.

The common Boot sequence files are

  • Ntoskrnl.exe - The Windows NT kernel
  • System - This file is a collection of system configuration settings
  • Device drivers - These are files that support various device drivers
  • Hal.dll - Hardware Abstraction Layer software

The boot sequence is as follows

  1. Power on self test (POST) routines are run
  2. Master Boot Record is loaded into memory, and the program is run
  3. The Boot Sector from Active Partition is Loaded into Memory
  4. Ntldr is loaded and initialized from the boot sector
  5. The processor is changed from real mode to 32-bit flat memory mode
  6. Ntldr starts the appropriate minifile system drivers. Minifile system drivers are built into Ntldr and can read FAT or NTFS
  7. Ntldr reads the Boot.ini file
  8. Ntldr loads the operating system selected; one of two things happens
    * If Windows NT is selected, Ntldr runs Ntdetect.com
    * For other operating system, Ntldr loads and runs Bootsect.dos and passes control to it. The Windows NT process ends here
  9. Ntdetect.com scans the computer hardware and sends the list to Ntldr for inclusion in HKEY_LOCAL_MACHINE\HARDWARE
  10. Ntldr then loads Ntoskrnl.exe, Hal.dll and the system hive
  11. Ntldr scans the System hive and loads the device drivers configured to start at boot time
  12. Ntldr passes control to Ntoskrnl.exe, at which point the boot process ends and the load phases begin

Q. What is Virtual Memory?

A. Virtual Memory makes up for a lack of RAM by using space on the hard disk as memory. When the actual RAM fills up (actually, it's before the RAM fills), virtual memory is created on the hard disk. When physical memory runs out, the Virtual Memory Manager chooses sections of memory that have not been recently used and are of low priority and writes them to the swap file. This process is hidden from applications, and applications view both virtual and actual memory as the same.

Each application that runs under Windows NT is given its own virtual address space of 4GB (2GB for the application, 2GB for the operating system).

The problem with Virtual Memory is that reading from and writing to the hard disk is much slower than accessing actual RAM. This is why an NT system that does not have enough memory will run very slowly.


Q. What is the history of NT?

A. In the late 1980's the Windows environment was created to run on the Microsoft DOS operating system. Microsoft and IBM joined forces to create a DOS replacement that would run on the Intel platform that led to the creation of OS/2, and at the same time Microsoft was working on a more powerful operating system that would run on other processor platforms. The idea was that the new OS would be written in a high level language (such as C) so it would be more portable.

Microsoft hired Dave Cutler (who also designed Digital's VMS) to head the team for the New Technology Operating System (NT :-) ). Originally the new OS was to be called OS/2 NT.

In the early 1990s Microsoft released version 3.0 of its Windows OS, which gained a large user base, and it was at this point that the split between Microsoft and IBM started, as the two companies disagreed on the future of their OSs. IBM viewed Windows as a stepping stone to the superior OS/2, whereas Microsoft wanted to expand Windows to compete with OS/2, so they split: IBM kept OS/2 and Microsoft changed OS/2 NT to Windows NT.

NT was once called OS/3 and OS/2 V3, I am informed by an alpha tester for IBM & MS; he had a set of 5.25 diskettes from Microsoft, and that's how he got them.

The first version of Windows NT (3.1) was released in 1993 and had the same GUI as the normal Windows Operating System, however it was a pure 32 bit OS, but provided the ability to also run older DOS and Windows apps, as well as character mode OS/2 1.3 programs.

For a detailed history have a look at http://windowsnt.miningco.com


Q. How do I install the SYMBOL files?

A. Symbol files are produced by the linker when a program is built, and are used to resolve global variables and function names in an executable.

  1. Create a directory on your machine called SYMBOLS
    mkdir c:\winnt\symbols
  2. Copy over the symbols from the NT installation CD ROM
    xcopy <CD-ROM>:\Support\Debug\i386 c:\winnt\symbols /s
  3. If you have any service pack symbols you should extract these to the same directory, e.g. for Service Pack 2
    SYM_400I -d c:\winnt\symbols

For more information see Microsoft Knowledge Base article Q148659


Q. What is Windows NT?

A. Windows NT (both the Workstation and Server) is a 32-bit Operating System. It is a preemptive, multi-tasking Operating System, which means that the Operating System controls allocation of CPU time, not the applications, stopping one application from hanging the OS. NT supports multiple CPU's giving true Multi-tasking, using symmetrical multiprocessing, meaning the processors share all tasks, as opposed to asymmetrical multiprocessing, where the OS uses one CPU and the applications another. NT is also a Fault Tolerant Operating System, with each 32bit application operating in its own Virtual Memory address space (4 GigaBytes) which means one application cannot interfere with another's memory space.

Unlike earlier versions of Windows (such as Windows for Workgroups and Windows 95), NT is a complete Operating System, and not an addition to DOS.

NT supports different CPU's: Intel x86, IBM PowerPC (Not to be supported for NT5.0) and DEC Alpha.

NT's other main plus is its Security with a special NT file system (NTFS) that allows permissions to be set on a file and directory basis.


Q. What is the Registry?

A. Originally there were .ini files in Windows; however, the problems with .ini files are many, e.g. size limitations, no standard layout, slow access, no network support etc. Windows 3.1 (yes, Windows, not Windows NT) had a registry which was stored in reg.dat, could be viewed using regedit.exe and was used for DDE, OLE and File Manager integration. In Windows NT the Registry is at the heart of the system and is where nearly all information is stored. It is split into a number of subtrees, each starting with HKEY_ to indicate that it is a handle that can be used by a program.

  • HKEY_LOCAL_MACHINE - This contains information about the hardware configuration and installed software.
  • HKEY_CLASSES_ROOT - This is just a link to HKEY_LOCAL_MACHINE\SOFTWARE\Classes and contains links between applications and file types as well as information about OLE.
  • HKEY_CURRENT_CONFIG - Again this is a link, to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, and contains information about the current configuration.
  • HKEY_CURRENT_USER - This is a link to HKEY_USERS\<SID of User> and contains information about the currently logged on user, such as environment, network connections, printers etc.
  • HKEY_USERS - Contains information about actively loaded user profiles, including .default which is the default user profile.

Each of the subtrees has a number of keys, which in turn have a number of subkeys. Each key/subkey can have a number of values, each of which has 3 parts

  • The name of the value, e.g. Wallpaper
  • The type of the value, e.g. REG_SZ (which is a text string)
  • The actual value of the value, e.g. "c:\winnt\savilltech.bmp"

To edit the registry there are two tools available, regedt32.exe and regedit.exe. Regedit.exe has better search facilities, but does not support all of the Windows NT registry value types. If you want to just have a look around the Registry:

  1. Start a registry editor (regedit.exe or regedt32.exe)
  2. In Regedt32.exe you can set the registry to read only mode which means you won't corrupt anything :-) (Options - Read Only Mode)
  3. Select the HKEY_USERS subkey
  4. Move to the .default - Control Panel - Desktop and you will see a number of values in the right hand pane.
  5. One of them is wallpaper and this is the background that is displayed before you logon.

Q. What files make up the registry, and where are they?

A. The files that make up the registry are stored in the %systemroot%\system32\config directory and consist of

  • SAM - HKEY_LOCAL_MACHINE\SAM
  • SECURITY - HKEY_LOCAL_MACHINE\Security
  • software - HKEY_LOCAL_MACHINE\Software
  • system - HKEY_LOCAL_MACHINE\System & HKEY_CURRENT_CONFIG
  • default - HKEY_USERS\.DEFAULT
  • Ntuser.dat - HKEY_CURRENT_USER (this file is stored in %SystemRoot%\Profiles\%username%)

There are also other files with different extensions for some of them

  • .alt - Contains a backup copy of the HKEY_LOCAL_MACHINE\System hive. Only System has a .alt file
  • .log - A log of changes to the keys and values for the hive
  • .sav - A copy of the hive as it looks at the end of the text mode stage in setup

Q. How do I restrict access to the registry editor?

A. Using the registry editor (regedt32.exe)

  1. Highlight HKEY_USERS and Load Hive from the Registry menu.
  2. Browse to the profile directory of the user for whom you want to restrict the registry tools and select NTUser.dat.
  3. When prompted for Key Name, input their UserID.
  4. Navigate to \Software\Microsoft\Windows\CurrentVersion\Policies.
  5. If no System sub-key exists, Add Key. Then Add Value of DisableRegistryTools (under the System key) using type REG_DWORD and set it to 1.
  6. Unload Hive from the Registry menu.

Q. What is the maximum registry size?

A. The maximum size is 102MB, however it is slightly more complicated than this.

The registry entry that controls the maximum size of the registry is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\RegistrySizeLimit. By default this entry will not exist so it will need to be created:

  1. Start the registry editor (regedit.exe)
  2. Move to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control key
  3. From the Edit menu, select New - DWord value and enter the name as RegistrySizeLimit
  4. Double click the new entry and enter a value in bytes (choose decimal as the type)

The minimum size is 4MB, and if anything less than this is entered in the registry then it will be forced up to 4MB. The maximum is 80% of the paged pool (which has a maximum size of 128MB, hence 102MB which is 80% of 128MB). If no entry is entered then the maximum size is 25% of the paged pool. The paged pool is an area of physical memory used for system data that can be written to disk when not in use.

An important point to note is that the RegistrySizeLimit is a maximum, not an allocation, and so setting a high value will not reserve the space, and it does not guarantee the space will be available.

This can also be configured using the System Control Panel applet, click on the Performance tab and the maximum registry size can be set there. You would then need to reboot.

For more information see Knowledge Base Article Q124594

There is another complication: during early boot, NTLDR loads some code, allocates working memory, and reads in parts of the registry. All of this has to fit in the first 16MB of memory regardless of how much memory is physically installed. The entire system file is read; enough memory is required to contain the whole file as stored on disk without regard to how much of it is useful.

Some problems

  • The registry contains wasted space (sometimes a LOT). Try saving the SYSTEM key from REGEDT32 and then comparing the saved file size with that of the SYSTEM hive in \%systemroot%\system32\config\. On one machine, I reduced the SYSTEM hive from 9,720 KB to 864 KB in this manner.
  • Creation of the LastKnownGood ControlSet (usually #2) soon after boot almost doubles the size of the file. Depending on circumstances, such as reclaimable space in the "gas", additions to the registry may require new space to be allocated beyond the end of the combined Current and LastKnownGood SYSTEM hive. Now after the next boot, another LastKnownGood is tacked onto the end of the file, adding about a third to its size. In my case, a registry with a "true" size of 4MB was thus inflated to 12MB and caused boot failure.

A number of ways to get rid of the excess space:

  • If FAT, merely boot from DOS floppy, then replace the SYSTEM file
  • If NTFS, boot from another NT partition and replace file in previous partition
  • Use REGBACK/REGREST from the NT reskit. [maybe easiest of all]
  • Run RDISK, shutdown, and repair the system. Make sure you use RDISK /s when using this to also backup the user database.
  • Use ERD Commander from Winternals Software

To turn this off, use REGEDT32 to add the value "ReportBootOk:REG_SZ:0" [zero] to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. This will prevent creation of the LastKnownGood ControlSet. If a boot fails because the 16 MB limit with NTLDR is exceeded, no dump can be produced and MS will not solve the problem. This 16 MB problem will not be changed in NT 5.


Q. Should I use REGEDIT.EXE or REGEDT32.EXE?

A. You can use either for NT. REGEDIT does have a few limitations; the largest is that it does not support the full set of registry data types, such as REG_MULTI_SZ, so if you edit this type of data with REGEDIT it will change its type.

REGEDIT.EXE is based on the Windows95 version and has features that REGEDT32.EXE lacks (such as search). In general REGEDIT.EXE is nicer to work with. REGEDIT.EXE also shows your current position in the registry at the bottom of the window.


Q. How do I restrict access to a remote registry?

A. Access to a remote registry is controlled by the ACL on the key winreg.

  1. Start the registry editor (regedt32.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
  3. Check for a key called winreg. If it does not exist, create it (Edit - Add Key)
  4. Select the winreg key (by clicking on it)
  5. From the Security menu select permissions
  6. Click the Add button and give the user you want read access
  7. Once added, click on the user and select "Special Access"
  8. Double click on the user and you can select which actions the user can perform
  9. Click OK when finished

It is possible to set up certain keys to be accessible even if the user does not have access by editing the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\Machine (use regedt32). You can add paths to this list.


Q. How can I tell what changes are made to the registry?

A. Using the regedit.exe program it is possible to export portions of the registry. This feature can be used as follows:

  1. Start the registry editor (regedit.exe)
  2. Select the key you want to monitor
  3. From the Registry menu select "Export registry file"
  4. Enter a file name (notice if you want to export the whole registry just select the "Export Range All") and click OK
  5. Perform the change (install some software or change a system parameter)
  6. Rerun steps 1 to 4 using a different file name
  7. Run the two files through a comparison utility (for example windiff.exe)
  8. If you are using windiff, select Compare Files from the File menu and you will then be prompted to select the 2 files to compare.
  9. Once compared, a summary will be displayed stating whether there are differences. To view the changes, double click on the message
  10. Press F8 to view the next change (or select next change from the view menu)
  11. You have now found what changed!

Q. How can I delete a registry value/key from the command line?

A. Using the Windows NT Resource Kit Supplement 2 utility REG.EXE you can delete a registry value from the command line or batch file, e.g.

reg delete HKLM\Software\test

Would delete the HKEY_LOCAL_MACHINE\Software\test value. When you enter the command you will be prompted if you really want to delete, enter Y. To avoid the confirmation add /f to the command, e.g.

reg delete HKLM\Software\test /f

A full list of the codes to be used with REG DELETE is as follows:

  • HKCR - HKEY_CLASSES_ROOT
  • HKCU - HKEY_CURRENT_USER
  • HKLM - HKEY_LOCAL_MACHINE
  • HKU - HKEY_USERS
  • HKCC - HKEY_CURRENT_CONFIG

To delete an entry on a remote machine add the name of the machine, \\<machine name>, e.g.

reg delete HKLM\Software\test \\johnpc


Q. How can I audit changes to the registry?

A. Using the regedt32.exe utility it is possible to set auditing on certain parts of the registry. I should note that any type of auditing is very sensitive lately and you may want to add some sort of warning letting people know that their changes are being audited.

  1. Start the registry editor (regedt32.exe)
  2. Select the key you wish to audit (e.g. HKEY_LOCAL_MACHINE\Software)
  3. From the Security menu select Auditing
  4. Check the "Audit Permission on Existing Subkeys" if you want subkeys to also be audited
  5. Click the Add button and select the users you want to be audited, click Add and then click OK
  6. Once there are names in the "Names" box you can select which events to be audited, whether success or failure.
  7. When you have filled in all the information click OK

You will need to make sure that Auditing for File and Object access is enabled (use User Manager - Policies - Audit).

To view the information use Event Viewer and look at the Security information.


Q. How can I clean up/remove invalid entries from the registry?

A. Microsoft have released a utility called RegClean which will go through your machine's registry and delete any unused/unnecessary keys. The current version is 4.1a and can be downloaded from http://support.microsoft.com/download/support/mslfiles/RegClean.exe .

Once downloaded, just click on the executable and it will check your registry. Once the check is completed you will be given the option to fix errors with the "Fix Errors" button. You can click the Exit button to exit.

RegClean creates an uninstall file in the directory the image is located in, of the name

"Undo <machine name> <yyyymmdd> <hhmmss>.reg"
e.g. "Undo workstation 19980320 104323.reg"

To undo the changes just double click (or single depending on your config ;-) ) this file.

See http://support.microsoft.com/support/kb/articles/q147/7/69.asp for more information.


Q. I make changes to HKEY_LOCAL_MACHINE\HARDWARE but they are lost on reboot.

A. This is because HKEY_LOCAL_MACHINE\HARDWARE is recreated by the system at boot time and this means any settings such as ACL's are lost. The rest of HKLM (SOFTWARE, SYSTEM, SAM, SECURITY) is stored on disk, and is not recreated during system boot.


Q. What data types are available in the registry?

A. Below is a table of data types supported by Regedt32.exe. Regedit.exe does not support REG_EXPAND_SZ or REG_MULTI_SZ.

| Type | Description |
|---|---|
| REG_BINARY | This is raw binary data |
| REG_DWORD | This is a double word (4 bytes). It can be displayed in binary, hexadecimal or decimal format |
| REG_EXPAND_SZ | An expandable text string that contains a variable (for example %systemroot%) |
| REG_MULTI_SZ | A multiple line string. Each "line" is separated by a null |
| REG_SZ | A text string |

Q. How can I automate updates to the registry?

A. There are 2 main methods you can use to create scripts that can be run to automate the updates. The first is to create a .reg file which can then be run using

regedit /s <reg file>

The format of the file is

REGEDIT4
[<key name>]
"<value name>"="<value>"          (a string value)
"<value name>"=hex:<value>        (a binary value)
"<value name>"=dword:<value>      (a dword value)

for example

REGEDIT4

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"Wallpaper"="E:\\WINNT\\savtech.bmp"
"TileWallpaper"="0"

[HKEY_USERS\.DEFAULT\Control Panel\Colors]
"Background"="0 0 0"

Would set the default background and color before anyone logs on.
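
The REGEDIT4 format described above is also what regedit.exe writes in the export-and-compare procedure under "How can I tell what changes are made to the registry?", so two exports can be compared value by value instead of line by line. The script below is an added example, not part of the original FAQ: the function names, the WATCHED list and both sample exports (including the AllowedPaths contents) are constructed for illustration, and the `hex(2)`/`hex(7)` forms it accepts are how regedit.exe exports REG_EXPAND_SZ and REG_MULTI_SZ, which the FAQ itself does not show.

```python
import re

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Assumption: key fragments (lower case) worth a second look, chosen from the
# access-control and boot settings this FAQ discusses.
WATCHED = (r"\policies\system", r"\securepipeservers\winreg",
           r"\currentversion\winlogon")
# Constructed sample exports, taken before and after a change.
BEFORE = r"""REGEDIT4

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"Wallpaper"="E:\\WINNT\\savtech.bmp"
"TileWallpaper"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"RegistrySizeLimit"=dword:016e3600
"""
AFTER = r"""REGEDIT4

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"Wallpaper"="E:\\WINNT\\savtech.bmp"
"TileWallpaper"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"RegistrySizeLimit"=dword:016e3600

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths]
"Machine"=hex(7):53,79,73,74,65,6d,00,\
  53,6f,66,74,77,61,72,65,00,00
"""

def unescape(s):
    # REGEDIT4 escapes backslash and double quote inside strings with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_data(raw):
    """Turn the text after '=' into a (type, value) pair."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return ("REG_SZ", unescape(raw[1:-1]))
    if raw.lower().startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", raw, re.I)
    if not m:
        raise ValueError("unknown value syntax: %r" % raw)
    type_id = int(m.group(1), 16) if m.group(1) else 3   # plain hex: is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if type_id == 7:   # REG_MULTI_SZ: null-separated strings, double null at the end
        return ("REG_MULTI_SZ", [s.decode("latin-1") for s in data.split(b"\0") if s])
    if type_id == 2:   # REG_EXPAND_SZ: one null-terminated string
        return ("REG_EXPAND_SZ", data.rstrip(b"\0").decode("latin-1"))
    return ("REG_BINARY" if type_id == 3 else "type 0x%x" % type_id, data)

def parse_reg(text):
    """Return {key: {value name: (type, value)}} for a REGEDIT4 export."""
    lines = [line.strip() for line in text.splitlines()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    hive, key, pending = {}, None, ""
    for line in lines[1:]:
        line, pending = pending + line, ""
        if line.endswith("\\"):          # long hex data wraps with a trailing backslash
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hive.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparseable line: %r" % line)
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        hive[key][name] = parse_data(m.group(2))
    return hive

def diff_snapshots(before, after):
    """List (action, key, value name, old, new) for every difference."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if (key in before) != (key in after):
            action = "key added" if key in after else "key removed"
            changes.append((action, key, None, None, None))
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                action = ("added" if name not in old else
                          "removed" if name not in new else "changed")
                changes.append((action, key, name, old.get(name), new.get(name)))
    return changes

def sensitive(changes):
    """Subset of changes whose key matches a WATCHED fragment (case-insensitive)."""
    return [c for c in changes if any(w in c[1].lower() for w in WATCHED)]

if __name__ == "__main__":
    found = diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER))
    for change in found:
        print("!" if sensitive([change]) else " ", *change)
```

Key names are compared exactly as exported, so both snapshots should come from the same machine and the same tool.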

The second method is to use a Windows 95 style .inf file. These are run using the command

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 <inf file>

The format of the file is as follows

[Version]
Signature = "$Windows NT$"
Provider=%Provider%

[Strings]
Provider="SavillTech Ltd"

[DefaultInstall]
AddReg = AddReg
DelReg = DelReg
UpdateInis = UpdateInis

[AddReg]
[DelReg]
[UpdateInis]

Below are the keys to be used

  • HKCR - HKEY_CLASSES_ROOT
  • HKCU - HKEY_CURRENT_USER
  • HKLM - HKEY_LOCAL_MACHINE
  • HKU - HKEY_USERS

The file below is an .inf file which performs the same as the .reg file described earlier

[Version]
Signature = "$Windows NT$"

[DefaultInstall]
AddReg = AddReg

[AddReg]
HKU,".DEFAULT\Control Panel\Colors","Background",0000000000,"0 0 0"
HKU,".DEFAULT\Control Panel\Desktop","Wallpaper",0000000000,"E:\WINNT\savtech.bmp"
HKU,".DEFAULT\Control Panel\Desktop","TileWallpaper",0000000000,"0"

INF files can be generated automatically using the SYSDIFF utility if you have a difference file (sysdiff /inf <name of difference file> <dir to create to>)


Q. How do I apply a .reg file without the success message?

A. To apply a .reg file (a registry information file) the normal method from the command prompt is to enter

C:\> regedit <registry file>.reg

This applies the change and gives a confirmation message:

"Information in <filename>.reg has been successfully entered into the registry"

If you would like to avoid this confirmation message and apply the change silently use the /s switch, e.g.

C:\> regedit /s <registry file>.reg


Q. How can I remotely modify the maximum registry size?

A. The maximum registry size is usually defined using the System properties control panel applet, Performance tab. When you change this value all it actually does is to update the registry entry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\RegistrySizeLimit

You could therefore modify this from the command line using a registry script. For example

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control]
; 24000000 bytes (0x016e3600), written as a REG_DWORD
"RegistrySizeLimit"=dword:016e3600

Run using

C:\> regedit /s <reg name>

You could add this to a login script.

Alternatively run remotely by submitting with the AT command. The change will not take effect until the machine reboots. If you wanted the reboot to occur you could add a reboot using the Resource Kit SHUTDOWN.EXE utility (as explained in "Q. How can I configure the machine to reboot at a certain time?").


Q. I can't update DWORD values using REG.EXE.

A. There is a bug in REG.EXE supplied with the NT 4.0 resource kit. Download a fixed version from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/reg_x86.exe


Q. How can I install a .inf file from the command line?

A. The normal method to install a .inf file is to right click on it and select Install from the context menu; however, it is also possible to install from the command line. The syntax is:

C:\> rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 .\<file>.inf


Q. How can I compress the registry?

A. The following procedure can be used to compact the registry files, but also to restore the 'repair disk data' when you messed up the registry:

1) As always, make sure you have a backup of your system, including the registry

2) Run Start: "RDISK /S-". This automatically updates the repair info located under %systemroot%\repair. The registry data are reorganized and compressed.

3) Next step is to expand these files to a temporary location.

EXPAND %systemroot%\REPAIR\DEFAULT._ %temp%\DEFAULT
EXPAND %systemroot%\REPAIR\SAM._ %temp%\SAM
EXPAND %systemroot%\REPAIR\SECURITY._ %temp%\SECURITY
EXPAND %systemroot%\REPAIR\SOFTWARE._ %temp%\SOFTWARE
EXPAND %systemroot%\REPAIR\SYSTEM._ %temp%\SYSTEM

4) Check your %temp% folder and %systemroot%\system32\config to find the difference in size between the different files that make up the registry. Probably the SOFTWARE hive will have a remarkable difference. In my case it shrank from over 10Mb to 3.5Mb.

5) The registry files in %systemroot%\system32\config should be replaced by the reorganized ones in your %temp% folder. You can do this by:

  • Booting to DOS or Win3.x/95/98 and simply replace the files (in case your system files are on a FAT partition).
  • Replacing these files while booting from a second Windows NT installation.
  • Or by using the MV command (move) from the Resource Kit to move these files at boot-time:
    MV /X /D %temp%\DEFAULT %systemroot%\SYSTEM32\CONFIG\DEFAULT
    MV /X /D %temp%\SAM %systemroot%\SYSTEM32\CONFIG\SAM
    MV /X /D %temp%\SECURITY %systemroot%\SYSTEM32\CONFIG\SECURITY
    MV /X /D %temp%\SOFTWARE %systemroot%\SYSTEM32\CONFIG\SOFTWARE
    MV /X /D %temp%\SYSTEM %systemroot%\SYSTEM32\CONFIG\SYSTEM

When I performed these steps I noticed a serious performance gain during system startup.


Q. What service packs and fixes are available?

A. See table below. All directories are off of ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40. Just click on the file name for a direct FTP link. For people in Europe, ftp.sunet.se/pub3/vendor/microsoft/bussys/winnt/winnt-public/fixes may provide faster access.

There are also Microsoft BBS numbers where Service Packs can be downloaded from, e.g. for the UK it is 44 1734 270065, however the fixes tend to be a few days later than on the FTP site.

| File Name | Directory | Description (Microsoft Article No.) | Hotfixes |
|---|---|---|---|
| Sp1_400i.exe | /ussp1/i386 | Service Pack 1 | PostSP1 |
| Sp2_400i.exe | /ussp2/i386 | Service Pack 2 (around 14MB) | PostSP2 |
| Nt4sp3_i.exe | /ussp3/i386 | Service Pack 3 (around 18MB) | PostSP3 |
| NT4SP4I.EXE | NA | Service Pack 4 (around 33MB) | PostSp4 |
| SP5I386.EXE | NA | Service Pack 5 (around 34.5MB) | PostSp5 |

Service Pack 1 Hotfixes /hotfixes-postsp1/

KRNL40I.EXE /32proc-fix Q140065
AFD40I.EXE /afd-fix Q140059
CDFS40I.EXE /cdfs-fix Q142687
NDIS40I.EXE /mcanet-fix Q156324
NDIS40I.EXE /ndis-fix Q142903
NTBCKUPI.EXE /NTBackup-fix Q142671
NTVDM40I.EXE /ntvdm-fix Q134126
PCM40_I.EXE /pcmcia-fix Q108261
SCSIFIXI.EXE /scsi-fix Q171295
SPX40I.EXE /spx-fix Q153665
SYN40I.EXE /syn-attack Q142641
NTFS40I.EXE /toshiba-fix Q150815
STONE97I.EXE /winstone97 Q141375

Service Pack 2 Hotfixes /hotfixes-postsp2/

ALPHA40.EXE /Alpha-fix Q156410
DNS40I.EXE /dns-fix Q142047, Q162927
IISFIX.EXE /iis-fix Q163485, Q164059
KRNL40I.EXE /krnl-fix Q135707, Q141239
TCP40I.EXE /oob-fix Q143478
RAS40I.EXE /ras-fix Q161368
RPC40I.EXE /RPC-fix Q159176, Q162567
SECFIX_I.EXE /sec-fix Q143474
SERIALI.EXE /serial-fix Q163333
SETUPDDI.EXE /setupdd-fix Q143473
SFMSRVI.EXE /sfmsrv-fix Q161644
WTCP40I.EXE /TCPIP-fix Q163213

Service Pack 3 Hotfixes /hotfixes-postsp3/

2GCRASHI.EXE /2gcrash Q173277
ASPFIX.EXE /asp-fix Q165335
ATA-FIXI.EXE /atapi-fix Q183654
DNSFIX_I.EXE /dns-fix Q142047
EUROFIXI.EXE /euro-fix Q182005
ADMNFIXI.EXE /getadmin-fix Q146965
IDEFIX-I.EXE /ide-fix Q153296
IIS-FIXI.EXE /iis-fix Q143484
IIS4FIXI.EXE /iis4-fix Q169274
JOY-FIXI.EXE /joystick-fix Q177668
NDISFIXI.EXE /ndis-fix Q156655
NBTFIX-I.EXE /netbt-fix Q178205
PCMFIX-I.EXE /pcm-fix Q180532
PENTFIX.EXE /pent-fix Q163852
PPTPFIXI.EXE /pptp2-fix Q167040
PPTPFIXI.EXE /pptp3-fix Q189595
PRIVFIXI.EXE /priv-fix Q190288
PRNTFIXI.EXE /Prnt-fix Q181022
ROLL-UPI.EXE /roll-up Q147222
RRASFIXI.EXE /rras20-fix Q168469
RRASFIXI.EXE /rras30-fix Q189594
DCOMFIXI.EXE /SAG-fix  
SCSIFIXI.EXE /scsi-fix Q171295
SFM-FIXI.EXE /sfm-fix Q166571, Q170965, Q172511, Q177644, Q178364, Q180622, Q180716, Q180717, Q180718 & Q185722
CHARGENI.EXE /simptcp-fix Q154460
SNK-FIXI.EXE /snk-fix Q193233
SRVFIX-I.EXE /srv-fix Q180963
SSL-FIXI.EXE /ssl-fix Q148427
TAPI21FI.EXE /tapi21-fix Q179187
TEARFIXI.EXE /teardrop2-fix Q179129
Y2KFIXI.EXE  /Y2k-fix Q196548
WANFIX-I.EXE /wan-fix Q163251
WINSFIXI.EXE /winsupd-fix Q155701
Y2KFIXI.EXE /y2k-fix Q175093, Q180122, Q183123 & Q183125
ZIP-FIXI.EXE /zip-fix Q154094

A number of post Service Pack 3 hotfixes have been replaced by newer fixes and are not listed above. They can be found at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/archive . These include

  • dblclick-fix
  • icmp-fix
  • java-fix
  • land-fix
  • lsa-fix
  • mdl-fix
  • oob-fix
  • pptp-fix

Service Pack 4 Hotfixes /hotfixes-postsp4/

A post Service Pack 4 hotfix rollup has been released and can be downloaded from:
http://www.microsoft.com/ntserver/nts/downloads/recommended/nt4postsp4hotfix/

Individual hotfixes are:

CLIKFIXI.EXE /Clik-fix Q195540
DISCFIXI.EXE /Disc-fix Q221331
GINAFIXI.EXE /Gina-fix Q214802
MSMQFIXI.EXE /MSMQ-fix Q230050
MSV-FIXI.EXE /Msv1-fix Q214840
NPRPCFXI.EXE /Nprpc-fix Q195733
SP4HFIXI.EXE /roll-up Q195734
RNR-FIXI.EXE /Rnr-fix Q214864, Q216091, Q217001
SCRNSAVI.EXE /Scrnsav-fix Q221991
SMSFIXI.EXE /Sms-fix Q196270
SMSSFIXI.EXE /Smss-fix Q218473
TCPIPFXI.EXE /Tcpip-fix Q195725
Y2KUPD.EXE /Y2KUPD Q218877, Q221120

Service Pack 5 Hotfixes /hotfixes-Postsp5/

RASFFIXI.EXE /RAS-fix Q230677
PWDFIXI.EXE /RASPassword-fix Q230681
RPWDFIXI.EXE /RRASPassword-fix Q233303
WINHLP-I.EXE /Winhlp32-fix NA

The file names above are for the Intel platform (hence the ending I), but they may also be available for Alpha and PPC; just substitute the I with an A (Alpha) or P (PPC).

I should note a health warning, "If it ain't broke, don't fix it", and I would tend to agree with this, so unless you have a problem, or require a new feature of a Service Pack, think if you really want it. Also if you are going to apply it to a live system, try and test it first, as sometimes a Service Pack will introduce new problems.


Q. What are the Q numbers and how do I look them up?

A. The Q numbers relate to Microsoft Knowledge Base articles and can be viewed at http://support.microsoft.com/support/


Q. How do I install the Service Packs?

A. If you receive the Service Pack by downloading from a Microsoft FTP site, copy the file to a temporary directory and then just enter the file name (e.g. Sp2_400i.exe). The file will be expanded, and among the files created will be one called UPDATE.EXE. Just run this file. If there is no UPDATE.EXE, just .sym files, you have downloaded the symbols version, which is used for debugging NT; download the normal version (see above).

If you receive Service Packs via CD, just insert the CD (for SP2 and later) and an Internet Explorer page will be shown where you can click on install for the Service Pack.


Q. How do I install the Hot fix?

A. Again copy the file to a temporary directory and run the file name. A few files will be created, one called HOTFIX.EXE. Run "HOTFIX /install" which will install the Hot Fix.

For the newer Hot fixes (Java fix for Service Pack 3 onwards) you just double click on the downloaded file.


Q. How do I remove a Hot fix?

A. Use the command Hotfix /remove to remove a hotfix. Before you can do this you will need to expand the original hotfix file using the <hotfix> /x command.

To force the removal, use the registry editor (regedt32) to go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\HOTFIX and delete the entry for the hotfix. Then use Explorer to go to %SystemRoot%\HOTFIX\HF00?? and copy the backed up files back to their original location.


Q. How do I install Service Pack 3?

A. Before you install Service Pack 3 you must remove Internet Explorer 4.0 preview if installed:

  1. From Control Panel (Start - Settings - Control Panel) double click Add/Remove Programs
  2. Select "Microsoft Internet Explorer 4.0" and click Add/Remove
  3. Select Remove All
  4. You will have to reboot

Also before installing SP3 make sure you have an up to date Repair Disk (RDISK /S). To install Service Pack 3 download Nt4sp3_i.exe and follow the instructions below

  1. Double click nt4sp3_i.exe
  2. It will verify the file and then uncompress to a temporary area (you can make it uncompress without installing by typing nt4sp3_i /x)
  3. Click Next to install and click Yes to accept the license agreement
  4. Click Next and then select "Yes create uninstall"
  5. Click Next then Finish
  6. You will then have to reboot

Q. Emergency Repair Disk issues after installation of Service Pack 3.

A. Due to changes in Service Pack 3 the Emergency Repair Disk process has changed. The file setupdd.sys that is on the 2nd NT installation disk has been superseded by the one supplied with service pack 3. To extract the file from the Service Pack 3 executable, follow the instructions below:

  1. Copy nt4sp3_i.exe to a temporary area
  2. Uncompress the service pack
    nt4sp3_i /x
  3. Insert the second NT installation disk (do not use the originals, create a new set using winnt32 /ox)
  4. Set the file setupdd.sys to write enabled
    attrib -r a:\setupdd.sys
  5. Copy the new setupdd.sys to the 2nd installation disk
    copy setupdd.sys a:

This is discussed in the Service Pack 3 readme file, and also in knowledge base article Q146887.


Q. How do I remove the Java Hotfix for Service Pack 3?

A. Manually unpack the hotfix
javafixi /x
Then type
hotfix -y
And it will remove the hotfix.

This method may become the new standard for hot fixes.


Q. How do I install multiple Hotfixes at the same time?

A. When you extract the files in a hotfix, generally the following will be extracted

  • hotfix.exe
  • hotfix.inf
  • a number of executables/drivers/sys files etc (usually one file)

The hotfix.exe is the same executable for all the hotfixes, and the hotfix.inf is basically the same, the only difference is the files that are to be copied, e.g. tcpip.sys, and a description of the hotfix. To install multiple hotfixes at the same time all that is needed is to decompress the hotfix files and update the hotfix.inf with the information on which files to copy.

  1. Create a directory on a disk called hotfix
    md hotfix
  2. From the command line decompress the hotfixes you wish to install, note each time you decompress a hotfix a new hotfix.inf will overwrite the existing one so you may wish to backup the .inf files
    - <hotfix name> /x, e.g. javafixi /x
    - you will be asked where to extract the hot fix files to, enter the hotfix directory and click OK, e.g. d:\hotfix
    - copy the hotfix.inf file to the name of the hotfix, e.g.
    copy hotfix.inf javafix.inf
  3. You will now have a number of files in the hotfix directory, with hotfix.exe, hotfix.inf and all the versions of the .inf files you copied. You now need to merge the contents of the .inf files into one main hotfix.inf file.
    If the hotfix you extracted had file tcpip.sys (ignore the .dbg files) you need to update the hotfix.inf file to include the copying of this file. Since TCPIP.SYS lives in the system32/drivers directory, you would add the line TCPIP.SYS to the [Drivers.files] section of the hotfix.inf file, e.g.
    [Drivers.files]
    TCPIP.SYS

    You also need to add TCPIP.SYS to the [SourceDisksFiles] section, e.g.
    [SourceDisksFiles]
    TCPIP.SYS=1
  4. Finally you need to add a comment at the end of the hotfix.inf file with a description of the hotfix in the [strings] section with the Q number and a comment, e.g.
    [Strings]
    ..
    HOTFIX_NUMBER="Q143478"
    COMMENT="This fix corrects the port 139 OOB attack"

    For multiple comments and numbers use HOTFIX_NUMBER2, COMMENT2 etc.

The reason we copied the .inf files is that you can just cut and paste the hotfix specific information to the common hotfix.inf. When you decompressed a hotfix you will see which files were created, you could then search the .inf file for the file name and it would be in two places, the directory it belongs in and the [SourceDisksFiles] section. You could then go to the bottom of the file and cut and paste the HOTFIX_NUMBER and COMMENT and add to the end of HOTFIX.INF.

This is very hard to explain and an example is probably the best way to demonstrate this. Suppose you want to install

  • The java hotfix - javafixi.exe
  • The OOB data hotfix - oobfix_i.exe
  • The GetAdmin hotfix - admnfixi.exe

The procedure would be as follows

  1. Decompress the hotfixes to the hotfix directory and after each extraction backup the hotfix.inf file in the order admnfixi.exe - javafixi.exe - oobfix_i.exe
  2. Admnfixi.exe consists of ntkrnlmp.exe and ntoskrnl.exe, search admnfixi.inf (the copy we made) for the files and they appear as follows
    [Uniprocessor.Kernel.files]
    NTOSKRNL.EXE

    [Multiprocessor.Kernel.files]
    NTOSKRNL.EXE, NTKRNLMP.EXE

    [SourceDisksFiles]
    NTKRNLMP.EXE=1
    NTOSKRNL.EXE=1

    [Strings]
    HOTFIX_NUMBER="Q146965"
    COMMENT="This fix corrects GETADMIN problem"
  3. javafixi.exe consists of win32k.sys so search javafixi.inf for win32k.sys
    [MustReplace.System32.files]
    WIN32K.SYS

    [SourceDisksFiles]
    WIN32K.SYS=1

    [Strings]
    HOTFIX_NUMBER="Q123456"
    COMMENT="This fix corrects the problem with True Color adapter cards and Java"
  4. The current version of hotfix.inf already contains the information for the oobfix as it was the last installed, so the information for the above 2 must be added resulting in the changes being

    [MustReplace.System32.files]
    WIN32K.SYS

    [Drivers.files]
    TCPIP.SYS

    [Uniprocessor.Kernel.files]
    NTOSKRNL.EXE

    [Multiprocessor.Kernel.files]
    NTOSKRNL.EXE, NTKRNLMP.EXE

    [SourceDisksFiles]
    NTKRNLMP.EXE=1
    NTOSKRNL.EXE=1
    TCPIP.SYS=1
    WIN32K.SYS=1


    [Strings]
    ;; this part needs modifying, only one HOTFIX_NUMBER can be passed so create your own internal reference,
    ;; e.g. Q99999 and also the comments need a unique number at the end, e.g. comment1, comment2 otherwise
    ;; only the first comment will be entered

    HOTFIX_NUMBER="Q999999"
    COMMENT1="This fix corrects the port 139 OOB attack"
    COMMENT2="This fix corrects GETADMIN problem"
    COMMENT3="This fix corrects the problem with True Color adapter cards and Java"

To install just type

hotfix

from the directory created (i.e. hotfix), you will see a dialog copying the files (the ones you have specified in the hotfix.inf file :-) ), and the system will reboot. To see what hotfixes are installed:

  1. Start the Registry Editor (Regedit.exe)
  2. Look at the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix values
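The merge described in this answer, as an added example (not part of the original FAQ and not a Microsoft tool): a Python script that folds the per-hotfix .inf copies into the last extracted hotfix.inf and checks that every file to be copied also has a [SourceDisksFiles] entry. The function names are hypothetical, the inputs are the fragments quoted above, and reading "NTOSKRNL.EXE, NTKRNLMP.EXE" as destination, source assumes the usual INF CopyFiles syntax.

```python
import re
from collections import OrderedDict

TRACKING = re.compile(r"^(HOTFIX_NUMBER|COMMENT)\d*\s*=\s*(.*)$", re.I)

# Constructed inputs: the per-hotfix .inf fragments quoted in the FAQ.
OOBFIX_INF = """[Drivers.files]
TCPIP.SYS
[SourceDisksFiles]
TCPIP.SYS=1
[Strings]
HOTFIX_NUMBER="Q143478"
COMMENT="This fix corrects the port 139 OOB attack"
"""
ADMNFIX_INF = """[Uniprocessor.Kernel.files]
NTOSKRNL.EXE
[Multiprocessor.Kernel.files]
NTOSKRNL.EXE, NTKRNLMP.EXE
[SourceDisksFiles]
NTKRNLMP.EXE=1
NTOSKRNL.EXE=1
[Strings]
HOTFIX_NUMBER="Q146965"
COMMENT="This fix corrects GETADMIN problem"
"""
JAVAFIX_INF = """[MustReplace.System32.files]
WIN32K.SYS
[SourceDisksFiles]
WIN32K.SYS=1
[Strings]
HOTFIX_NUMBER="Q123456"
COMMENT="This fix corrects the problem with True Color adapter cards and Java"
"""

def _key(sections, name):
    """Return the existing section name equal to `name` ignoring case, else `name`."""
    return next((s for s in sections if s.lower() == name.lower()), name)

def parse_inf(text):
    """Map section name -> list of entries, skipping blank lines and ; comments."""
    sections, current = OrderedDict(), None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = _key(sections, header.group(1))
            sections.setdefault(current, [])
        elif line and not line.startswith(";") and current is not None:
            sections[current].append(line)
    return sections

def _comments(sections):
    """COMMENT / COMMENTn values from [Strings], in file order."""
    lines = sections.get(_key(sections, "Strings"), [])
    return [m.group(2) for m in map(TRACKING.match, lines) if m and m.group(1).upper() == "COMMENT"]

def merge_infs(base_text, other_texts, internal_ref="Q999999"):
    """Fold the file lists of the other .inf copies into the base hotfix.inf."""
    merged = parse_inf(base_text)
    comments = _comments(merged)
    for text in other_texts:
        other = parse_inf(text)
        comments += _comments(other)
        for name, lines in other.items():
            if not (name.lower().endswith(".files") or name.lower() == "sourcedisksfiles"):
                continue
            target = merged.setdefault(_key(merged, name), [])
            for line in lines:
                norm = re.sub(r"\s+", "", line).upper()
                # Skip an entry already present (same file listed by two hotfixes).
                if norm not in {re.sub(r"\s+", "", t).upper() for t in target}:
                    target.append(line)
    # One HOTFIX_NUMBER only, and uniquely numbered comments, as the FAQ describes.
    strings = _key(merged, "Strings")
    kept = [l for l in merged.get(strings, []) if not TRACKING.match(l)]
    kept.append('HOTFIX_NUMBER="%s"' % internal_ref)
    kept += ["COMMENT%d=%s" % (n, c) for n, c in enumerate(comments, 1)]
    merged[strings] = kept
    merged.move_to_end(strings)
    return merged

def unlisted_sources(sections):
    """Source files named in *.files sections with no [SourceDisksFiles] entry."""
    sdf = sections.get(_key(sections, "SourceDisksFiles"), [])
    listed = {l.partition("=")[0].strip().upper() for l in sdf}
    missing = []
    for name, lines in sections.items():
        for line in lines if name.lower().endswith(".files") else []:
            fields = [f.strip().upper() for f in line.split(",")]
            source = fields[1] if len(fields) > 1 and fields[1] else fields[0]
            if source not in listed and source not in missing:
                missing.append(source)
    return missing

def render_inf(sections):
    """Serialise the merged sections back to .inf text."""
    return "\n".join("[%s]\n%s\n" % (n, "\n".join(l)) for n, l in sections.items())

if __name__ == "__main__":
    print(render_inf(merge_infs(OOBFIX_INF, [ADMNFIX_INF, JAVAFIX_INF])))
```

A non-empty result from unlisted_sources means a file was added to a directory section but not to [SourceDisksFiles], which is the "two places" the answer says each file must appear in.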

Q. How do I install Hotfixes at the same time as I install Service Pack 3 onwards?

A. Update.exe that ships with Service Pack 3 checks for the existence of a hotfix subdirectory, and if the files hotfix.exe and hotfix.inf are present in that directory you are asked when running update.exe if you also want to install the hotfixes.

  1. Create a directory to hold the extracted Service Pack
    md servpack
  2. Extract the Service Pack
    nt4sp3_i /x
    You will be asked for a directory, enter the created directory, e.g. e:\servpack and click OK
  3. Create a hotfix subdirectory
    md hotfix
  4. Extract the hotfixes to this directory using the instructions in the previous FAQ
  5. Run UPDATE.EXE in the servpack directory and click Yes when asked to install Hotfixes

Q. I have installed Service Pack 3, now I cannot run Java programs.

A. Download the updated Java Virtual Machine from Microsoft at http://www.microsoft.com/java/download/dl_vmsp2.htm . Download build 1518 which works with IE3.01, IE 3.02 and IE 4.0 platform preview 1, do NOT install on IE 4.0 PP2 or the release version.

There is also a hotfix for Service Pack 3 available from Microsoft ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/java-fix/JAVAFIXI.EXE


Q. I have installed Service Pack 3, however the Policy Editor has not been updated.

A. This is caused by a mistake in the Service Pack 3 update.inf file. The entry for poledit.exe (the executable for the policy editor) is specified in the [MustReplace.system32.files] section whereas the file should actually be in the [SystemRoot.files] section.

To install the new Policy Editor perform the following

  1. Expand the service pack
    nt4sp3_i /x
  2. You will be asked for a directory, enter a path and click OK. A message "Extraction complete" will be displayed when completed
  3. Move to the directory the service pack was extracted to and copy the file poledit.exe to the %systemroot% directory
    copy poledit.exe %systemroot%

Alternatively you can update the update.inf file and move the location of poledit.exe from [MustReplace.system32.files] to [SystemRoot.files].


Q. How can I tell if I have the 128 bit version of Service Pack 3 installed?

A. The easiest way to tell this is to examine the secure channel dynamic link library (SCHANNEL.DLL):

  1. Start Explorer (Win + E or Start - Programs - Explorer)
  2. Move to %systemRoot%/system32 (where %systemRoot% is the Windows NT directory, e.g. d:\winnt)
  3. Right click on Schannel.dll and select properties
  4. Click the Version tab. The description will be one of the following:
    PCT / SSL Security Provider (U.S. and Canada for the 128 bit version.) if you have the 128 bit version
    or
    PCT / SSL Security Provider (Export Version) if you have the non-128 bit version
  5. Click OK when finished
  6. Close Explorer

Q. How do I install a service pack during an unattended installation?

A. There are various options, however all of them require the service pack to be extracted to a directory, using

NT4SP3_I /x

and you then enter the directory where you want to extract to.

You could extract to a directory under the $OEM$ installation directory which would then be copied locally during the installation and you could add the line

".\UPDATE.EXE -U -Z"

to CMDLINES.TXT. This will increase the time of the text portion of the installation as the contents have to be copied over the network.

With Service Pack 4 you could just add the following and not need to expand the service pack first.

[Commands]
".\sp4\sp4i386.exe -z -u"

Simply create a folder called sp4 under $OEM$ and copy sp4i386.exe to it.

If using the above you should ensure you have the following in unattended.txt

[Unattended]
OemPreinstall=yes

An alternate method is to install from a network drive, this requires a bit more work:

  1. Create a directory on a network server and copy the extracted service pack to this directory. Setup a share on this directory called SP
  2. Create a batch file in the $OEM$ share of the installation area called SERVPACK.CMD with the following:
    net use z: \\<server>\SP /persistent:no /user:<domain name>\guest < password.txt
    z:\update.exe -u -z
  3. You need to create the password.txt file that contains the guest account password (usually blank) therefore perform the following:
    - type copy con password.txt
    - press ENTER once
    - press CTRL+Z to save the file
    If the password is not blank enter the password then press ENTER
  4. Copy the password.txt file to the $OEM$ directory
  5. Edit CMDLINES.TXT and add ".\SERVPACK.CMD" to the end

Q. What order should I apply the Hot fixes?

A. There is no specific order to apply post Service Pack 4 and Service Pack 5 hotfixes.

The Service Pack 3 hotfixes are, for the most part, cumulative. This means that the latest binary also includes fixes previously made to the same binary.

For example, the 01/09/98 version of Tcpip.sys (teardrop2-fix) also includes previous fixes to Tcpip.sys (such as land-fix, icmp-fix, and oob-fix).

When you apply multiple fixes, please install them in the following order to ensure a newer fix is not replaced by an older one.

  • oob-fix
  • asp-fix
  • java-fix
  • dns-fix
  • iis-fix
  • lsa-fix
  • dblclick-fix
  • icmp-fix
  • zip-fix
  • roll-up (or roll-up/cluster)
  • mdl-fix
  • getadmin-fix
  • roll-up/cluster
  • winsupd-fix
  • ndis-fix
  • scsi-fix
  • 2gcrash
  • simptcp-fix
  • ide-fix
  • wan-fix
  • land-fix
  • pent-fix (x86 only)
  • joystick-fix (x86 only)
  • SAG-fix
  • iis4-fix
  • pptp-fix
  • teardrop2-fix
  • tapi21-fix
  • pcm-fix
  • srv-fix
  • y2k-fix
  • euro-fix
  • atapi-fix
  • netbt-fix
  • prnt-fix
  • sfm-fix
  • pptp2-fix
  • rras20-fix
  • lsa2-fix
  • ssl-fix
  • priv-fix
  • pptp3-fix
  • rras30-fix

For the Microsoft version of the list please see ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/postsp3.txt


Q. I get an error message when I try to re-apply a hotfix after installing a service pack?

A. If when you try and reinstall a hotfix (after re-applying a service pack etc.) you get the error

Hotfix: The fix is already installed.
Hotfix: Internal consistency error: Invalid Tree pointer = <garbage characters displayed>.

you need to remove the hotfix before trying to reinstall.

To remove a hotfix you would usually use hotfix /r or hotfix -y (depending on the version; run the hotfix with /? to check the syntax), however there are situations where it will refuse to remove the hotfix:

Hotfix: Fix <name of hotfix> was not removed.

All the hotfix actually does when you install one is check a registry entry to see if it is already there, so to get round this problem we can go into the registry and remove the hotfix's corresponding entry.

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix
  3. Under this key will be a number of sub-keys with name of the Knowledge base article the hotfix is referenced by as the name, e.g. Q123456 (the True Colour adapter fix).
  4. To get more details about the hotfix, select the key (e.g. Q123456) and look at the "Fix Description" value.
  5. To remove NT's knowledge of the fix being installed select the specific hotfix you want to remove (e.g. Q123456) and select Delete from the Edit menu. Click Yes to the confirmation
  6. Close the registry editor.

The fix is still installed on the system, all you have done is removed NT's knowledge of its installation so you will now be able to re-install the hotfix in the normal way.
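Because that key is what NT consults, it is also the natural inventory source. As an added example (not part of the original FAQ), the Python script below reads a text export of the Hotfix key and compares it with a required list; it assumes the export is in the REGEDIT4 .reg format, and the export contents, the required list and the function names are constructed for illustration.

```python
import re

# Key named in the FAQ; each installed hotfix is a sub-key such as Q123456.
HOTFIX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix"
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed export: one vendor fix, one internal reference from a merged
# hotfix.inf, and one sub-key that carries no values at all.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q143478]
"Fix Description"="This fix corrects the port 139 OOB attack"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q999999]
"Fix Description"="Site set built from a merged hotfix.inf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q154460]
"""


def parse_hotfix_export(reg_text):
    """Map hotfix sub-key name -> {value name: string value}."""
    fixes, current = {}, None
    prefix = HOTFIX_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path, current = line[1:-1], None
            sub = path[len(prefix):]
            # Only direct children of the Hotfix key count as hotfix entries.
            if path.lower().startswith(prefix) and sub and "\\" not in sub:
                current = fixes.setdefault(sub.upper(), {})
            continue
        value = STRING_VALUE.match(line)
        if value and current is not None:
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in value.groups())
            current[name] = data
    return fixes


def audit_hotfixes(reg_text, required):
    """Compare the registry's record of hotfixes with a required list of Q numbers."""
    installed = parse_hotfix_export(reg_text)
    wanted = {q.upper() for q in required}
    return {
        "missing": sorted(wanted - set(installed)),
        # Keys outside the list, e.g. an internal reference from a merged install.
        "unrecognised": sorted(set(installed) - wanted),
        "no_description": sorted(k for k, v in installed.items()
                                 if not v.get("Fix Description")),
    }


if __name__ == "__main__":
    print(audit_hotfixes(SAMPLE_EXPORT, ["Q143478", "Q146965", "Q154460"]))
```

As the answer above points out, the key is only NT's record of the installation, so a "missing" result needs confirming against the files on disk before a fix is assumed absent.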


Q. When will Service Pack 4 be released and what's in it?

A. Service Pack 4 has now been released.

The contents of Service Pack 4 are here in the readme.txt file.

An extra file, Y2K, is available which is around 70MB and this contains updates to other components to make them Year 2000 compliant such as IE 4.0 Service Pack 1.

Bugs fixed in Service Pack 4 are as follows:

Service Pack 4

 Q109993 Winsock Application Causes 0x0000000A Blue Screen STOP Message
 Q112547 Dial-Up Networking Hangs After Failed Multilink Attempt
 Q123597 WinNT Err Msg: Error 614 Out of Buffers When Using RAS Script
 Q125020 NetBIOS SEND WAIT Call Returns Before RECEIVE is Sent
 Q129047 Synchronizing DNS Information in Registry with Boot Files
 Q129457 Anonymous Connections May Be Able to Obtain the Password Policy
 Q137565 System Error 53 When Connecting to a FQDN
 Q138791 SCSI Printing Devices Requiring Wide SCSI May Fail
 Q141496 DHCP Client Comment Disappears When Obtaining IP Address
 Q141708 Printing to LPD Printer Is Slow or Fails with Windows NT
 Q142026 Err: "Hidden Console of WOW VDM" Running 16-bit or MS-DOS App
 Q142047 Bad Network Packet May Cause Access Violation (AV) on DNS Server
 Q142615 Event Log Service Fails to Check Access to Security Log File
 Q142635 Cannot Change the Drive Letter of Removable Drives
 Q143160 Enterprise Server Stops During Print Spooling
 Q143478 Stop 0A in Tcpip.sys When Receiving Out Of Band (OOB) Data
 Q143484 IIS Services Stop with Large Client Requests
 Q146095 STOP: 0x0000000A or STOP: 0x0000001E in Tcpip.sys
 Q146965 GetAdmin Utility Grants Users Administrative Rights
 Q147222 Group of Hotfixes for Exchange 5.5 and IIS 4.0
 Q147706 How to Disable LM Authentication on Windows NT
 Q149658 TCP/IP Printing Causes File Cache to Grow
 Q150953 Nwuser.exe Send Function Truncates Messages to 38 Characters
 Q151677 NWLink SPX Ignores Allocation Number Sent By Peer
 Q151778 Huge Downlevel Print Job Causes File Cache to Grow
 Q151860 STOP 0x0A While Writing to the Middle of a Cached File
 Q152079 SNMP Traps Contain Invalid Agent ID Field
 Q152764 Garbled Characters Appear in Windows NT Print Queue
 Q152993 Raster Fonts Print Different on Windows NT 4.0 Than on 3.51
 Q153161 WinNT Systems Running RAS May Exhaust Available DHCP Leases
 Q153296 Write Cache on IDE/ATAPI Disks Is Not Flushed on Shut Down
 Q154087 Access Violation in LSASS.EXE Due to Incorrect Buffer Size
 Q154094 Using Iomega ATAPI Zip Drives with Windows NT
 Q154162 Memory Leak in Perfmon.exe Occurs Monitoring WINS Counters
 Q154174 Invalid ICMP Datagram Fragments Hang Windows NT, Windows 95
 Q154387 TAPISRV.EXE Thread Uses Excessive CPU Time
 Q154398 BDC Secure Channel May Fail if More Than 250 Computer Accounts
 Q154460 Denial of Service Attack Against WinNT Simple TCP/IP Services
 Q154475 Add Printer Wizard Printer Browse List Not in Alphabetical Order
 Q154552 NETSTAT Causes Memory Leak
 Q154694 New Policy Available to Hide Go To on Tools Menu
 Q154791 MS-DOS-based Applications May Not Find All Files
 Q154984 DNS Server May Not Recursively Resolve Some Names
 Q154985 DNS Registry Key Not Updated When Changing Zone Type
 Q154990 SETPASS May Change Password of Wrong User
 Q155495 Reference Counter Overflow in Security Descriptor Causes STOP
 Q155701 Invalid UDP Frames May Cause WINS to Terminate
 Q156655 Memory Leak and STOP Screens Using Intermediate NDIS Drivers
 Q157032 Services for Macintosh May Cause STOP 0x0A During High Load
 Q157123 Communicating with SNA Hosts May Cause STOP 0x0A in DLC.SYS
 Q157182 FPNW Causes STOP 0x50 When Connection Is Closed Twice
 Q157911 Deadlock in Service Control Manager During System Shut Down
 Q157913 Services Set to Interact With Desktop May Fail to Start
 Q158396 Explorer Hangs When Creating a New Folder On a MAC Volume
 Q158516 Access Violation in RPCRT4.DLL When Pickling Buffered RPC Data
 Q158548 Sysdiff Changes Dates on Files It Applies to Windows NT
 Q158581 Icon Position Not Stored When Using Roaming Profiles
 Q158682 Shortcuts Created Under Windows NT 4.0 Resolve to UNC Paths
 Q158706 Netmon Performance Counters Support a Maximum of Eight Adapters
 Q159310 Updated Version of Dns.exe Fixes Several Problems
 Q159595 Missing Uppercase "A" Character in the 1257 Font
 Q159599 WINS Consistency Checking May Not Start at Scheduled Time
 Q159839 Sysdiff Does Not Add Empty Directories
 Q159909 STOP 0x0000000A May Occur on Multiprocessor Systems
 Q160517 RRAS May Decrement Local Static Route Metric
 Q161968 NetBT Tears Down TCP Session with Many Concurrent File Transfers
 Q161969 LPR Printing Device Reports an Error If Printer Not Available
 Q162230 Fragmentation and Performance Issues with PPTP Connections
 Q163055 DHCP Client May Fail with WinNT 4.0 SP2 Multinetted DHCP Server
 Q163251 STOP 0xA Due to Buffer Overflow in NDISWAN.SYS
 Q163662 Running Multiple Instances of an Application Causes STOP x50
 Q163852 Invalid Operand with Locked CMPXCHG8B Instruction
 Q163855 STOP 0x0000001e May Occur in Srv.sys w/ Down Level Client
 Q164023 Fix for Gethostbyname() IP Address Order on Local Multihomed Mac
 Q164253 WinNT Err. Msg: Event ID 2018 When Srv.sys Is out of Memory
 Q164314 WinNT Err Msg: STOP 0x0000001E in Win32k.sys When Moving Mouse
 Q164438 FPNW Print Jobs Do Not Print or Errors Occur in FPNW Interface
 Q165005 Windows NT Slows Down Because of Land Attack
 Q165181 EISA Configuration Boot Code Is Replaced on Mirror Drives
 Q165387 Sharing Violation When Deleting a Folder
 Q165404 NTVDM AV on Servers with Exchange cc:Mail Connector
 Q165439 Parsing LMHOSTS with Invalid Entries Can Cause Stop 0x1E
 Q165664 RPC Encoding API "MesInqProcEncodingId" May Not Work
 Q165989 GetPeerName() Returns WSAENOTCONN After Select() Returns Success
 Q166571 Creating an SFM Volume on Large Partition Causes a Stop 0x24
 Q166822 Remote Password Change Works Incorrectly to Down-Level Server
 Q166846 Cannot Reconnect to TN3270 Server with Close Listen Sockets
 Q167038 RAS Clients Run Winsock and RPC Applications Slowly
 Q167040 PPTP Performance Update for Windows NT 4.0 Release Notes
 Q167110 WinNT Err. Msg: Stop 0x1E in FPNWSRV.SYS
 Q167395 RIP Routes May Expire Early When Running Windows NT 4.0 RIP
 Q167629 Predictable Query IDs Pose Security Risks for DNS Servers
 Q167703 Canon Bubble Jet BJC-4300 Does Not Support Ledger Paper
 Q167708 BootP Client Names Disappear in DHCP Manager
 Q167871 Error When Connecting to a Share on WinNT 4.0 NTFS Partition
 Q167969 Under Windows NT, Win16 Applications Opening MS-DOS Devices Fail
 Q168076 WINS Fails to Converge
 Q168662 DLC May Fail When Connecting Through an IBM 2210 Router
 Q168748 Java Applets Cause IE 3.02 to Stop Responding w/ SP3
 Q169020 32-bit Help Fails to Start When 16-bit Help Is Running
 Q169131 Print Setup Dialog Box May Take a Long Time to Display
 Q169274 TCP/IP Causes Time Wait States to Exceed Four Minutes
 Q169291 Using Scopes with Different Subnet Masks in a Superscope
 Q169404 NTFS Directory Corruption with Frequent File Creation
 Q169461 Access Violation in DNS.EXE Caused by Malicious Telnet Attack
 Q169608 Occasional File Corruption When Using Unbuffered I/O
 Q169822 DSMN RAS Dial-in Properties Deletes NetWare Compatibility
 Q169839 XFOR: Cannot Enable (Appletalk) MTA Service NT SP3
 Q169847 SNMP SysUpTime Counter Resets After 49.7 Days
 Q169888 User-Define Path Dropped When User and System Paths Too Large
 Q170057 Dr. Watson Dialog Box Stops Responding
 Q170509 Memory Leak in SERVICES.EXE Causes Performance Degradation
 Q170510 Double-Clicking the Mouse Button Acts as a Single Click
 Q170517 Cannot Log on Using IPX After Installing SP3 on Windows NT 4.0
 Q170518 DNS Admin Fails When Managing Large Number of Zones
 Q170534 Microsoft FTP Client Echoes Gateway Password on the Screen
 Q170566 Ntbackup.exe Log Has Additional Space at Beginning of Each Line
 Q170568 Seagate Tape Drive Light Stays Lit After Exiting NTBACKUP
 Q170572 Unable to Format a 1.44-MB Disk on an LS-120 After SP3
 Q170626 DDEML: Memory Leak in Global Shared Memory
 Q170753 Window Focus Set to Invoke Wrong 16-bit Application Through DDE
 Q170817 Windows NT Causes APC Smart UPS Battery to Discharge
 Q170880 Diskdump.sys Common Buffer Size Is Changed
 Q170965 SFM Time and Date Stamp Change Copying Between Volumes Locally
 Q171180 Non-Paged Pool Memory Leak in IRP Pool Tag
 Q171181 Deadlock in TCP/IP on Multiprocessor Computers
 Q171213 Copy to Removable Drive in Explorer May Fail After Media Swap
 Q171295 Fault Tolerant Systems May Encounter Problems with WinNT SP3
 Q171307 How to Disable SAP Broadcast for RPC Service
 Q171308 Explorer File Properties Dialog Version Tab Missing
 Q171386 Connectivity Delay with Multiple Redirectors Installed
 Q171458 Windows NT May Fail On Request to Open Large Files
 Q171564 TCP/IP Dead Gateway Detection Algorithm Updated for Windows NT
 Q171790 Time Incorrect After Restarting Multiprocessor System
 Q171940 MS-DOS Application I/O Operations Cause Floppy Drive Access
 Q171989 Windows NT Services for Macintosh May Not Start in Desired Zone
 Q171996 Winsock Function Calls Generate Non-Paged Pool Memory Leak
 Q171997 WINS Replication Does Not Start As Scheduled
 Q172003 Macintosh Change Password Fails on Down Trusted Domain PDC
 Q172030 WinNT Err Msg: Stop 0xA in TCPIP.SYS
 Q172122 Toshiba I586 Pro 230 MHz System and the National 307 Chip
 Q172147 Add Printer Wizard Hangs When Searching for Remote Printers
 Q172290 Routing and Remote Access "Out of Buffers" Event Logs
 Q172511 Stop 0x0000000A w/ Services for Macintosh & McAfee Anti-Virus
 Q172512 Routing and Remote Access Event ID 20100
 Q172613 Errors Connecting Through RAS When Password Expires
 Q172705 Explorer Access Violates When Viewing a File's Properties
 Q172762 Continuous Bhnt.sys Load and Unload Causes STOP 0xA and 0x7F
 Q172885 NetWare Print Server Names With Periods Truncated in Explorer
 Q172930 Removing Bypass Traverse Checking Causes Copy to Drop Streams
 Q172982 16-bit ShellExecute Fails if Application Exists in Long Path
 Q173059 Security Events Are Not Logged During Audit
 Q173277 No Memory.dmp File Created with RAM Above 1.7 GB
 Q173322 How to Disable Autochk During a Windows NT Reboot
 Q173385 System Policy Editor Will Not Allow More Than 255 Characters
 Q173523 IIS 3.0 Can Fail in Low Memory Conditions
 Q173525 WINS Client May Switch Primary and Secondary WINS Servers
 Q173526 "Serious Disk Error" When Saving Word 6.0 Document on Windows NT
 Q173533 WinNT Radius Client Sends Incomplete Accounting Information
 Q173676 Client Cannot Resolve MX Record via Microsoft DNS Server
 Q173753 Duplicate IP Addresses After Upgrading DHCP Clients to SP2
 Q173817 Savedump.exe Now Provides More Security to Memory.dmp
 Q173881 STOP 0x0000000A in Netbt.sys on a Multiprocessor Computer
 Q173941 Windows NT DNR Does Not Cache Short Names
 Q173993 Dialog Message Not Sent Correctly from 32-bit to 16-bit App
 Q173994 GetTextExtentPoint32W May Fail with Unicode Characters > 0x
 Q173997 Drive Letter Not Displayed in Error Message Box
 Q173998 Middle East/Thai Windows NT May Print Incorrect Characters
 Q174020 STOP 0x0000001E During Forced Shutdown and Program Exit
 Q174058 Delayed Worker Threads Causes a STOP 7A
 Q174076 Invalid Password Message When Strong Passwords Are Required
 Q174187 WinNT Does Not Display IBM PS/2 TrackPoint as the Mouse Driver
 Q174205 LSASS May Use a Large Amount of Memory on a Domain Controller
 Q174233 KeInitSystem Function Returns Uninitialized Stack on Alpha
 Q174234 Computer Hangs with Intensive 16-bit Code Running in a VDM
 Q174266 "Print Screen" from MS-DOS Application May Print Twice
 Q174333 Installing Win95 Print Drivers on WinNT 4.0 Asks for Wrong Disk
 Q174465 Bad SAP Packet Causes 0x0000000A In Afd.sys
 Q174478 Minimizing or Maximizing Does Not Redraw Window Properly
 Q174502 Fault Tolerant Recovery Does Not Reoccur After Shut Down
 Q174509 Stop 0x0000000A in Ndiswan.sys with Digiboard ISDN Board
 Q174510 Print Job Corruption Printing on Fast Hardware Across Slow Link
 Q174531 DirectDraw Fails Surface Creation with Large Dimensions
 Q174534 BitBlt May Not Work When Raster Operation Mode Is NOTSRCCOPY
 Q174535 Access Violation When TCMAPP Exceeds 16 Users
 Q174540 Extra Page Printed on Epson Stylus Color Printers
 Q174541 Publisher 3.0/4.0 Does Not Print Brick or Vertical Line Patterns
 Q174543 Enabling the Shift Lock Feature on Windows NT 4.0
 Q174555 STOP 0x0000001E When IIS Service Is Stopped
 Q174625 Environment Variables May Prevent Logging On
 Q174676 NetWare Authentication Failure When Logging On to NetWare Server
 Q174748 XADM: ESEUTIL /g Returns Error -1022
 Q174764 Memory Leak in Ntfs.sys
 Q174830 NMI Error Message on Blue Screen May Be Garbled
 Q174840 Disabling Buttons in the Windows NT Security Dialog Box
 Q174844 Spooler Service Causing Access Violation
 Q174869 WINS Client Sends Refresh Requests to Secondary WINS Server
 Q174871 Printer Shares Lost after Changing Server Name
 Q174927 Error Message During Setup of Noncritical Changes
 Q174929 No Response to ARP Causes Duplicate IP Addresses on Network
 Q174932 STOP 0x0000000A with Halmps.dll When Restarting
 Q175035 Diskless Workstations Cannot Find BOOTP Server with DHCP
 Q175048 CACLS Quits on Access Denied Errors with /c
 Q175093 User Manager Does Not Recognize February 2000 As a Leap Year
 Q175225 Disabling Context Menus Does Not Disable Key Combinations
 Q175266 Creating Many Partitions Causes Double Drive Letters
 Q175321 SNA Client Sessions Hang Until SNA Server Is Restarted
 Q175468 Effects of Machine Account Replication on a Domain
 Q175637 Poor Print Quality with Epson Stylus Pro XL ESC/P 2
 Q175641 LMCompatibilityLevel and Its Effects
 Q175643 CR Interpreted As CR/LF When Text Job Is Converted to PCL or PS
 Q175667 Error Message: Copy Profile Error
 Q175687 Win32k.sys Causes STOP 0x0000001e and 0x0000000a On SMP
 Q175738 Collate Feature May Not Work with PostScript Printing
 Q175745 Memory Leak When Using Win32 GetClipboardFormat API
 Q175877 CSNW Connection Leak When Running 16-bit Applications
 Q176081 Access Violation in Explorer.exe Removing a Share
 Q176082 RRAS Server Updates Link State Database but Not Route Table
 Q176087 LPRMON Status Strings Are No Longer Localized on German Version
 Q176209 RAS or RRAS Server Fails to Answer Incoming Calls
 Q176211 Console-mode Apps May Run Slowly on Multiprocessor Computers
 Q176319 Docfile Standard Marshalling Returns 0x800706f4
 Q176322 The Far East GetTextExtent API Fails with Null LPNFit
 Q176502 RAS Authentication Rechallenge Resets Compression Flag
 Q176922 Multiple IP Addresses Cause Dynamic Packet Filter to Fail
 Q176973 Stop 0x0000000A in Netbt.sys on BDC When WINS Server Shuts Down
 Q176976 Wrong Return Value from MkParseDisplayName
 Q176977 STOP 0x00000023 FAT_FILE_SYSTEM with Corrupted Floppy Disk
 Q177113 Incomplete Print Jobs Using JetDirect over SPX
 Q177125 User Cannot Log On to LAN Because of RAS Logon Failures
 Q177154 Access Control Causes Reverse Proxy to Fail
 Q177245 Multiprocessor Computer May Hang Because of Tcpip.sys
 Q177257 STOP 0x0000000A or Difficulty Recognizing IDE CD-ROM Drives
 Q177445 Use LoadLibraryEx When Loading Printer Drivers
 Q177471 EBCDIC Characters not Properly Converted to ANSI Characters
 Q177591 Service Pack Version Truncated in About Box
 Q177631 Comdlg32 Fails to Display Drives Mapped by SUBST Command
 Q177644 Commenting Macintosh File Changes Date and Time Stamp
 Q177647 Nonpaged Pool Size Incorrectly Displayed in Performance Monitor
 Q177650 Remote Shutdown Fails If User Is Logged On Without Rights
 Q177651 AT Command Handles Quotation Marks Differently
 Q177653 CRT Conflict with Getservbyname
 Q177654 Slow Network Performance Using NetBEUI Across Bridges
 Q177655 Negative Values in Performance Monitor Data
 Q177660 Access Violation Occurs in Sfmprint.exe on Busy Print Server
 Q177668 Calibration Does Not Change When You Calibrate Foot Pedals
 Q177670 RRAS Does Not Enforce Strong Encryption for DUN Clients
 Q177676 Stop 0x00000024 May Occur When Bypass Traverse Checking Disabled
 Q177677 TSR Applications Hang While Login.exe Is Running
 Q177680 With GSNW, WinNT Client Cannot See All Files on NetWare Server
 Q177684 Application Using SetOwner May Hang Windows NT User Interface
 Q177757 Dr. Watson Does Not Report Service Pack Number
 Q177868 SnmpMgrTrapListen API Returns ERROR_SERVICE_NOT_ACTIVE Error
 Q177906 Caching Does Not Work Under Reverse Proxying
 Q177983 Stop 0xA in Netbt.sys with Greater Than 64 Adapters
 Q178109 Roving Profiles for Windows 95 Clients Stop Working
 Q178110 FPNW Does Not Allow OS/2 Clients to Open Files
 Q178113 Specifying a Group Name in LMHOSTS File May Cause STOP 0xA
 Q178202 Fix for Loss of Data Records or Partial Records Written to Disk
 Q178205 Connecting to a Server is Slow over RAS Using LMHOSTS File
 Q178208 CrashOnAuditFail with Logon/Logoff Auditing Causes Blue Screen
 Q178302 XADM: Upgrade to Exchange 5.5 Fails If Virus Software Is Enabled
 Q178364 Macintosh Clients See Files on WinNT Server Constantly Moving
 Q178381 SNMP Leaks Memory If the OID Cannot Be Decoded
 Q178393 SQL Server Hangs When Sending a Message Using SQLMail
 Q178413 Windows NT System May Hang When Running a Filter Driver
 Q178414 Archive Bit Is Not Reset When a File Is Renamed
 Q178471 STOP 0XA Caused by Race Condition in VDM and Process Delete
 Q178546 CSNW Does Not Display Directory Name with Extended Characters
 Q178550 IP Address Conflict with Address 0.0.0.0
 Q178557 Dr. Watson May Display Message Box Even When Disabled
 Q178636 Directory Listing Not Correct When Using Russian Characters
 Q178723 Problems with "Run Only Allowed Windows Application"
 Q178741 Event Log Opening Problem Causes Services.exe Failure
 Q179092 NWLNKIPX Sends Broadcast RIPX Packets Over the Network
 Q179107 STOP 0x0000000A in Raspptpe.sys on a Windows NT PPTP Server
 Q179129 STOP 0x0000000A or 0x00000019 Due to Modified Teardrop Attack
 Q179147 Access Denied Starting Program
 Q179156 Updated TCP/IP Printing Options for Windows NT 4.0 SP3 and Later
 Q179157 Stop 0xA in Tcpip.sys When Source Routing Data Exceeds 18 Bytes
 Q179187 Problems Using TAPI 2.1
 Q179190 NWRDR May Send Excessive GetNearestServer Requests
 Q179433 Cache Manager May Cause Data Corruption on SMB Servers on FAT
 Q179553 Access Violation in PolEdit When Defining Allowed Windows Apps
 Q179741 STOP 0x0A Due to Duplicate Free in Afd.sys
 Q179827 Registry Handle Leak Causes Random Blue Screens
 Q179873 Files Open with UNC Path May Be Closed Prematurely
 Q179983 RDR Sessions on UNC Name Images May Log Off Prematurely
 Q179995 Memory Leak in FPNW Causes Windows NT Server to Hang
 Q180168 Novell Client 32 for Win95 Displays Duplicate Files on FPNW
 Q180356 NWConv Fails to Apply Correct Group Permissions
 Q180532 Xircom PC Card Fails to Function
 Q180622 STOP:0x0000001E with STATUS_INSUFFICIENT_RESOURCES in Sfmsrv.sys
 Q180648 Windows NT 4.0 Traps with a Stop 0x24 or Stop 0xA
 Q180716 SFM Fails to Accept Associations with Two-Character Extensions
 Q180717 SFM: File Date and Time Stamp Change with Get Info
 Q180718 SFM: Disconnect Macintosh Clients before Dismounting Volume
 Q180854 Access Violation in Winlogon with Third-Party Gina.dll
 Q180875 Russian Clients May Have File I/O Problems on an FPNW Server
 Q180963 Denial of Service Attack Causes Windows NT Systems to Restart
 Q181022 Err: Cannot Write to LPTx Printing to Parallel Port
 Q181120 Manual Dial Dialog Fails to Appear when Logging On
 Q181311 Data Corruption Occurs with Record Locking on FPNW Server
 Q181799 RPC/TCP Connection Attempt Made Only to First Address
 Q181859 Stop 0x0000000A When Using UltraBac to Back Up a SQL Server
 Q181928 Using POLEDIT to Save Policy Files on NetWare Servers May Fail
 Q182005 Euro Currency Not Available in Windows NT Character Sets
 Q182047 DHCP Server Performance Degraded by Large Number of Scopes
 Q182205 Clients Cannot Send Mail Attachments Through Modem Sharing
 Q182227 DNS Server Does Not Check for Delegations Before Forwarding
 Q182288 RPC May Cause System to Stop Responding during Shutdown
 Q182322 SNMP Appends Garbage to Data in Response to SNMP Get
 Q182333 Excessive Processor Usage on Print Servers
 Q182441 Full Synchronization from WinNT PDC to LanMan Server May Fail
 Q182444 NBF MaxFrameSize Calculated Incorrectly on Token Ring
 Q182540 WinNT x86 MPS HAL Can Fail To Map System Relative IRQs
 Q182644 DNR Sorts IP Address for Multihomed Hosts Before Returning List
 Q182781 Client Connections to Multihomed Server Not Load Balanced
 Q182816 WINS PriorityClassHigh Parameter Does Not Work After Restarting
 Q182817 CSNW: Unable to Rename File on NetWare Server
 Q182825 NET USE Returns Error 53 When Host Has 3 or more NICs
 Q182918 Account Lockout Event also Stored in Security Event Log on DC
 Q183054 Taking Ownership Remotely May Set Owner Incorrectly
 Q183069 Ensoniq PCI Sound Card Experiences Static When Disk Is Accessed
 Q183123 Find Files Displays Garbled Date if Year is 2000 or Greater
 Q183125 Shell Doc Property Dialog Custom Date Incorrect after Year 2000
 Q183283 IE Through Proxy Server to IIS May Stop on Page with Scripts
 Q183292 Print Preview Frequently Causes Access Violation in Spooler
 Q183335 Calling Card and Area Code Not Dialed Using Both TAPI Options
 Q183419 Memory Leak in Spoolss.exe Causes Performance Degradation
 Q183581 Out of Virtual Memory Messages During Windows NT Installation
 Q183651 Default Memory Settings for Lexmark Optra S 1250 Incorrect
 Q183652 Access Violation When More Than 200 Adapters Are Installed
 Q183653 Client Authentication Fails Connecting to Netscape Server
 Q183654 IBM DTTA-351010 10.1 GB Drive Capacity Is Inaccurate
 Q183656 XCOPY Returns "Invalid Parameter" When Using Date Switch
 Q183657 Unable to Insert OLE Objects into Application Documents
 Q183664 NDS Logon Scripts Do Not Execute Correctly
 Q183676 Window Position of Windisk.exe Causes Access Violation
 Q183677 Client Authentication with Personal Certificates Fail
 Q183699 Winsdmp.exe Inefficiently Dumps WINS Databases with Large ID
 Q183704 Hide Drives Policy in Common.adm Has No VALUEOFF Statement
 Q183705 RPC Mishandles Changes in the Number of IP Addresses
 Q183709 Printing from Xerox 3006 May Cause Paper Jams
 Q183718 CACLS Not Resolving Principal Names Correctly
 Q183749 Access Violation in INETINFO:TerminateExtension
 Q183755 More Than One Internal IP with Socks Enabled Causes Dr. Watson
 Q183812 Problems When a Connection over an ISDN Bridge Is Not Closed
 Q183819 DCOM over HTTP Method Calls May Hang for up to 15 Minutes
 Q183832 GetHostName() Must Support Alternate Computer Names
 Q183840 Stop 0xC000021A When Starting Task Manager with CTRL+ALT+DEL
 Q183859 Integrity Checking on Secure Channels with Domain Controllers
 Q183875 DHCP Server Leases Excluded Addresses if the Scope Is Expanded
 Q183886 Access Violation in LSASS When Logging on System
 Q183930 FIX: IP Is Mangled When Using UDP on Multihomed Computers
 Q184017 Administrators Can Display Contents of Service Account Passwords
 Q184026 NetDDE Causes Dr. Watson When Closing Incomplete Connections
 Q184072 HasOverlappedIoCompleted, GetOverlappedResult Give Wrong Value
 Q184101 Small Single and Double-Precision Values Are Rounded to Zero
 Q184132 Err Msg: Value Entered Does Not Match with the Specified Type
 Q184139 Stopping RPC Locator Service Causes Error 2186
 Q184213 SystemFileCacheInformation Can Be Changed Without Privilege
 Q184219 Access Violation in Microsoft TAPI Browser 2.0
 Q184228 Dr. Watson in Nwssvc.exe Deleting Queue and Printer from FPNW
 Q184229 Copying Files to a Macintosh Volume Changes Date and Time Stamp
 Q184232 DCOMCNFG Saves Incorrect Display Name in Services
 Q184278 Server in One Domain May Disconnect Client in Another Domain
 Q184288 GP Fault May Occur with IIS on Multi-processor System
 Q184344 Reconcile on DHCP Scope Does Not Work Correctly for BOOTP Client
 Q184350 WordPerfect Suite 6.0 Setup Fails with Multiple CD-ROMs
 Q184353 DHCP ALT+H Shortcut Key for HELP Is Not Available
 Q184414 Access Violation When Printing PostScript to SFM Print Server
 Q184537 Very Large Files Cause Performance Problems
 Q184538 Error Message: A Controller for This Domain Could Not Be Found
 Q184744 DHCP Server Leaks Registry Quota on Alpha Version of Windows NT
 Q184752 Xerox PCL Does Not Print Landscape
 Q184754 Several Threads Created in LRPC Running Stress Test in IIS
 Q184758 STOP 0x78 When NonPagedPoolSize > 7/8 of Physical Memory
 Q184794 STOP 0x50 May Be Caused by PPTP Registry Entries
 Q184832 Intermittent Name Conflicts with WINS Server
 Q184835 Explorer on Windows 95 DFS Client May Hang
 Q184836 Application Access Violates When Session Is Terminated
 Q184875 API Function BroadcastSystemMessage() Always Returns 1 (Success)
 Q184879 Windows NT Logon Dialog May Disappear
 Q184881 Reverse Lookups with BIND Earlier Than 4.8.3 Fail
 Q184891 Server.HTMLEncode Garbles Extended Characters
 Q184937 Session Between Multihomed Computers May End Unexpectedly
 Q184954 Computer Hangs While Booting with HP 6L Printer out of Paper
 Q184996 Incomplete List of NetWare Server Volumes with CSNW/GSNW
 Q184998 RDR May Read or Write from Wrong File If File Is Memory Mapped
 Q185051 Restarting Cluster Service Causes Services.exe to Crash
 Q185081 No Domain Controllers Found When Logging on Using RAS
 Q185137 Log Logical Record Request May Be Sent to Wrong Server
 Q185142 NetWare API Log Logical Record May Incorrectly Succeed
 Q185203 SPOOLSS Hangs When Printing a File With a Corrupted EMF Record
 Q185212 Cluster Server Does Not Support More than 900 Shares
 Q185219 IIS 4.0 with Multiple Certificates May Return Error
 Q185260 User Accounts May Get Locked out After Entering Wrong Password
 Q185300 STOP 0x24 in Ntfs.sys Function NTFSMoveFile()
 Q185323 Pool NonPaged Bytes Not Accurately Calculated for User Mode
 Q185349 Problems Remotely Accessing W3 or FTP Perfmon Counters
 Q185355 Printers Folder Displays Printer Error When Printer Is Busy
 Q185559 Negative Value in NtGdiFastPolyPolyline Causes Blue Screen
 Q185568 WlxCloseUserDesktop Function Unavailable for GINA Writers
 Q185571 Printing from Lotus Freelance 97 Produces Thin Horizontal Line
 Q185605 Stop Error Caused by Invalid Use of Private Video Driver Handle
 Q185624 Calls to NtQueryVolumeInformationFile May Cause Stop 0x0000001E
 Q185625 Windows NT Client Logon Fails with EnableSecuritySignature Set
 Q185668 IntelliMouse TrackBall Wheel Does Not Work with Service Pack 3
 Q185682 Bugcheck When IPX Is Bound to Only Ndiswan Adapter
 Q185722 SFM Rebuilds Indexes upon Restarting of Windows NT
 Q185723 Explorer File Copy from Windows 95 Share Fails
 Q185727 BUG: closesocket() Fails with 10038 After _open_osfhandle()
 Q185729 Computer Becomes Unresponsive During CGI Stress Test
 Q185734 DNS Server Access Violation in Dns!sendNbstatResponse Routine
 Q185735 Explorer Crashes When Dragging Lotus Notes Files over Toolbar
 Q185736 Applications May Appear Hung or Unresponsive on Windows NT 4.0
 Q185765 HP LaserJet 4Si Driver Unprintable Region is Incorrect
 Q185773 NTFS Corruption on Drives > 4 GB Using ExtendOEMPartition
 Q185787 STOP 0x0000002E on Alpha with ISA Sound Card
 Q185788 Windows NT Hangs on Boot on DEC Alpha Clustered Servers
 Q185791 STOP on DEC Miata and Rawhide Platforms Using Graphics Tablet
 Q185867 STOP 0x0000000A in Win32k.sys After Installing Korean Office 97
 Q185870 IIS: SQL Server Insert Error Regarding Column Name Mismatch
 Q185892 Unwanted Popup Message While Printing to an LPR Printer
 Q185944 Stop 0x7B After Installing Windows NT on an ALR Evolution-V ST
 Q185945 Access violation in win32k!HMMarkObjectDestroy in JPN and KOR NT
 Q186051 Archive Bit Is Not Set with File or Directory Rename
 Q186078 Name Resolution May Fail If NetBios Name Has ASCII Character
 Q186081 STOP 0x0000000A When Restoring Tape
 Q186101 FTP Client Does Not Show the Correct Transfer Size for Files
 Q186150 NetBEUI May Hang When Using Arcnet Under Heavy Network Traffic
 Q186158 Blue Screen When Shutting Down with RAS Connection Established
 Q186217 3C509 Is Not Autodetected During Setup on ThinkPad 760EL & XL
 Q186241 Dr. Watson May Cause CPU Usage to Spike
 Q186247 Users Are Unable to Print to Server
 Q186339 Adobe ATM 4.1 OpenType Fonts Not Showing up in Font Menu
 Q186357 RPC UseWinsockForIP is Only Applicable to UDP and IPX
 Q186416 System Hang Results from Large Number of Notify Syncs
 Q186434 Slow Network Default Profile Operation
 Q186439 Removing Server Service Results in Memory Leak
 Q186455 Mgmtapi.dll Opens Trap Socket in Exclusive Mode
 Q186463 Windows NT Replies to Address Mask Requests
 Q186473 You Can Delete All Records on a WINS Server Using SNMP
 Q186494 Event ID 517 Not Created When Security Log Is Cleared
 Q186495 WOW Leak Launching Many Instances of a 16-Bit Application
 Q186669 FPNW Logout.exe Incorrectly Reports Year After Jan. 1, 2000
 Q186743 International Characters Print Incorrectly in Schedule Plus
 Q186746 International Calling Codes Updated in Service Pack 4
 Q186770 Windows NT Hangs Trying to Access SuperDisk SLS-120 Disk Drive
 Q186805 Intermittent Stop 0xA in Srv.sys on Shutdown
 Q186820 DNS Server Returns Wrong Response When WINS Lookup Is Enabled
 Q186860 Update Memory Settings and Add Exec Paper Size to Sharp Models
 Q186873 Netbios Delays Sending/Receiving Packets When Session Is Lost
 Q186904 MPROUTER Access Violation on Invalid Radius Response
 Q186905 Radius Client Uses 100 Percent CPU on Invalid Response
 Q186929 LowercaseFiles Registry Key Has Added Functionality
 Q186963 Incorrect Dimensions in Executive Form with Mannesmann Driver
 Q187277 The FTP PORT Command Fails in IIS 3.0
 Q187302 Stop 0x00000040 in NetBT Protocol
 Q187392 PATCH: Stop 0x0000000A in Win32k.sys xxxDDETrackWindowDying
 Q187493 Some Netscape Client Certificates Rejected by IIS
 Q187508 FTP Server Fails to Respond If First Binding Does Not Work
 Q187518 Apps Using Beep API on Multiprocessor Systems May Crash
 Q187519 NTBackup Will Not Run from Command Line with Blank Space
 Q187520 Tandberg SL5 Tape Device Not Auto-Detected in Windows NT 4.0
 Q187555 WINS Incorrect Version ID Assigned During Scavenging
 Q187576 Stop 0x0000000A May Occur in TCP/IP
 Q187577 STOP 0xA Because of Spin Lock in Sfmatalk.sys on DEC Alpha
 Q187615 Setup Hangs When System Includes More Than Two RAW Drives
 Q187669 Unable to Use NetBIOS Resources over SLIP
 Q187672 Access Violation in RAS Using Multilink
 Q187686 LookupAccountSid Causes Access Violation on Multihomed System
 Q187696 Changes to Calculator in Service Pack 4
 Q187705 Application Error in CorelWEB.GALLERY
 Q187708 Cannot Connect to SQL Virtual Server via Sockets in Cluster
 Q187709 Domain Name Resolver Caches Responses
 Q187769 Application Error in NTVDM Running cc:Mail Utilities
 Q187802 DHCP Assigns "Bad_Address" to "Host Unreachable"
 Q187830 Performance Decrease Transmitting Data over the Network
 Q187856 IIS: Limit SSL Message Size to 16 KB for Netscape
 Q187884 CoCreateInstance on Multiple Threads Causes Hangs or Failures
 Q187936 Application May Hang Calling LogonUser() API
 Q187939 IPX May Not Work When Packet Size Is Larger Than Receive Buffer
 Q187940 Input Filters over IPX WAN Routing May Fail to Filter Packets
 Q187941 An Explanation of the New CHKDSK /C and /I Switches
 Q187947 100 Percent CPU System Handle Problem
 Q187964 MGI PhotoSuite May Paste Screenshots as Garbage or an AV Occurs
 Q187999 "Access Denied" w/ Personalization & Membership Authentication
 Q188000 Cannot Enter Stand-Alone Dieresis Character on Swiss Keyboards
 Q188027 Performance, Audit Logging, and Fixes to the DHCP Service
 Q188303 Random Stop 0x50 Errors on Cirrus Video Adapters
 Q188312 Lexmark Optra E+ Unprintable Region Is Incorrect
 Q188315 Stop Error Message in Sfmsrv.sys
 Q188414 Random Stop 0x0000000A When Running IPX over Token Ring
 Q188424 Multilayered Display Driver Produces Black Line in Word
 Q188571 STOP 0x0000000A in Netbt.sys Caused by Invalid DNS Record
 Q188652 Error Replicating Registry Keys
 Q188700 Screensaver Password Works Even if Account Is Locked Out
 Q188806 "::$DATA" Data Stream Name of a File May Return Source
 Q188838 Task Manager CPU Usage Only Displays Eight Processors
 Q188879 RPC Endpoint Mapper Will Not Register All Interfaces
 Q188896 Access Violation in Explorer.exe Changing Share Permissions
 Q189010 SBS: RAS Leases Six Addresses from DHCP
 Q189011 Using Performance Monitor Remotely Causes Access Violation
 Q189012 Clicking Default Scope Does Not Open Active Lease Window
 Q189013 Atapi.sys Does Not Support Multiple Logical Devices
 Q189032 Floating Point Arguments Won't Pass Between NT RPC and IBM RPC
 Q189061 Repeated Regsavekey/Regrestorekey Actions Corrupt Registry Hive
 Q189080 TCP Connection May Drop When Transferring Large Amounts of Data
 Q189114 NetDDE Refuses Incoming WM_DDE_INITIATEs from Windows 95
 Q189119 UserEnv Returns Corrupted Profile for All Failures
 Q189171 WinSock Applications May Fail or Stop Responding
 Q189225 LMMIB2 Unable to "Walk" from .1.3.6.1.4.1.77.1.4.4
 Q189245 Lmmib2.dll Does Not Support All Objects
 Q189262 FTP Passive Mode May Terminate Session
 Q189276 ODBC Causes Access Violation in 16-Bit Winsock
 Q189283 No More Than About 570 Reservations Visible in a DHCP Scope
 Q189290 Loss of Desktop After Logon When Using a Filter Gina.dll
 Q189291 Hang in Winlogon on Workstation Locked Dialog Box
 Q189395 Support for Canadian ACNOR Keyboard
 Q189462 Only Partial Pages Displayed or Error "The Connection Was Reset"
 Q189471 WpuOpenCurrentThread Does Not Work
 Q189522 Network Drive Letters in PATH Statement Causes Excessive Traffic
 Q189579 F11 and F12 Keys Do Not Function in MS-DOS Applications
 Q189606 Browser Service Fails to Start or Stop Button Is Unavailable
 Q189612 Access Violation Occurs in Windows NT Explorer (Explorer.exe)
 Q189756 PerfMon Percentage of Registry Quota in Use Displayed Wrong
 Q189988 CMPXCHG8B CPUs in Non-Intel/AMD x86 Compatibles Not Supported
 Q190009 Client Cert. Mapping Only Works w/First Page on Proxy Connection
 Q190010 Logging Performs Unwanted Flushes of Log Data Buffer
 Q190011 Perl Script Mappings Converted to Uppercase During Upgrade
 Q190015 Setting LogonMethod to Batch Causes "Parameter is Incorrect"
 Q190288 SecHole Lets Non-administrative Users Gain Debug Level Access
 Q190354 Unattended Setup of MSCS with -JOIN Parameter Requires Input
 Q190449 Corrupted SAM Hangs Windows NT Server
 Q190506 WINS Replication Problem Events 4262, 4261, and 1c Replication
 Q190552 WinNT 4.0 DHCP Client Modified to meet RFC 2131
 Q190791 STATUS_CANT_WAIT Returned from an NTCreateFile Call
 Q190834 SCSI Adapter Is No Longer Visible from SCSI Adapters Utility
 Q190928 Poledit Spin Boxes Limit Max Value to 9999
 Q190931 Snmptrap.exe Ignores SNMP Trap PDU Greater Than 4,096 Bytes
 Q190932 SNMP Service Ignores SNMP Trap PDU Greater Than 4,096 Bytes
 Q191088 Printer Prompts for Paper with Dutch Workstations
 Q191098 Large File Copy Operation Causes Available Bytes to Drop
 Q191284 STOP 0x0000001E in Netbt.sys
 Q191285 Services for Macintosh Index Corruption on Large Volumes
 Q191309 ALT+Numeric Keypad Problem When CHCP Command is Used
 Q191362 FPNW Pass-Through Authentication from Trusted Domain May Fail
 Q191387 Unable to Run 16-bit Apps If FILES= Is Greater Than 255
 Q191418 Arcs Print Incorrectly with EMF on PCL Printers
 Q191419 GP Fault or Access Violation When Buffer Too Small
 Q191428 WINS Replication Fails If More Than 30 Partners Are Configured
 Q191614 Able to Commit More Memory Than Is Available
 Q191634 Group Policies Cause Excessive \PIPE\samr Connections on PDC
 Q191689 Incorrect Font Characteristics May Be Used on Imported Graphics
 Q191751 Smoothing Fonts Disabled Using ETO_GLYPHINDEX
 Q191756 Stop 0x1E Switching Between System Menus in Application Window
 Q191767 LogicalDisk Partition Missing in Performance Monitor
 Q191768 Date of Print Job May Be Displayed Incorrectly in Print Queue
 Q191775 WINS Service Fails to Start With More Than 99 PNG Entries
 Q191830 Memory Leak Due to Repeated Logon/Logoff May Corrupt Profiles
 Q191832 Access Violation in Hangul Version of Lotus Organizer 97
 Q191834 Network Problems That Occur When Logging Off May Corrupt Profile
 Q191850 Convert Reports Cannot Create Elementary File System Structures
 Q191852 Bhnetb.dll Leaks Memory in Winlogon.exe Process with NetMon
 Q191896 Printing to NT LPD Server from SUN OS 4.1.4 May Not Process C/R
 Q191915 Screen Saver Time-out is Limited to 60 Minutes
 Q191992 NdrConvert Causes Access Violation in RPC Client on WinNT 4.0
 Q192051 LDAP Does Not Authenticate on French WinNT Due to Encryption
 Q192056 Point and Print Functionality with More Than 20 Driver Files
 Q192104 Windows NT Does Not Start If Primary Partition Is Above 2 GB
 Q192126 Add Workstation Fails with RestrictAnonymous
 Q192127 BUG: RpcTestCancel() Always Returns Error Code 5
 Q192132 STA Threads Lose Thread Token
 Q192229 Login Script Group Membership Mapping on BDC Fail If PDC Is Down
 Q192266 Sockets-based Child Processes Are Not Stopped
 Q192267 Various STOP Errors When Opening Files on Novell NetWare Servers
 Q192293 IIS Stops ODBC Logging after Failing to Communicate with SQL
 Q192409 Open Files Can Cause Kernel to Report INSUFFICIENT_RESOURCES
 Q192453 MoveFile API from Windows 95 with Invalid UNC Causes STOP 0xa
 Q192457 Downloaded File May Be Saved in Incorrect Folder with IE
 Q192460 Matrox Video Driver Causes STOP 0x00000050
 Q192547 WINSADMIN Writes Invalid SP Time to Registry
 Q192690 Search: Unable to Connect to Catalog Server via Search MMC
 Q192736 STOP 0x0000000A Blue Screen on Alpha AXP
 Q192749 Multiple SSL Connections May Cause Error Starting Security Sys
 Q192774 Stop 0x0000000A in Tcpip.sys Processing an ICMP Packet
 Q192786 Event ID 11 Changed to an Informational Message
 Q193056 Problems in Date/Time after Choosing February 29 in a Leap Year
 Q193064 Pressing Cancel Button in Date/Time Utility Changes Date
 Q193090 Inetmib1.dll Causes Memory Leak in Winlogon.exe Process
 Q193106 Filesystem Filter Drivers may Unload Unexpectedly
 Q193121 Cannot Connect to DFS Leaf a Second Time if Server is NetWare
 Q193157 TCP/IP Does Not Allow MAC Addresses to Change Dynamically
 Q193169 Script Mappings Are Not Removed from the Registry after Migration
 Q193206 Acquiring SNMP Info For OSPF in RRAS Hangs
 Q193209 Gethostbyname Not Working Correctly with Only DUN Installed
 Q193233 Rpcss.exe Consumes 100% CPU Due to RPC Spoofing Attack
 Q193271 Cannot Create Virtual Directory in Administrator Program
 Q193371 WINS/DHCP Admin Show Expiration Dates 2000 - 2009 with One Digit
 Q193436 DHCP Client Shuts Down After Two Declines
 Q193499 Multiple RRAS Client Disconnects Cause Increased CPU Usage
 Q193525 Access Violation Occurs When Viewing Web Sharing Tab
 Q193526 W3SVC Counters Fail after a Successful Install
 Q193528 Internet Service Manager Does Not Allow Wildcard Redirections
 Q193529 Modem Sharing Clients Cause Stop 0x000001E on SBS
 Q193530 Access Violation in WINSCL When Using CR or SDB Parameter
 Q193532 Stop 0x0000000A When Running Executable from Floppy Disk
 Q193548 Stop 0x0000002E Using Qlogic Driver Version 2.29
 Q193596 RASMAN Registry Values Cannot Be Set Higher Than 0xFF
 Q193613 ADSI Paths Greater than 80 Characters Causes Access Violation
 Q193614 Viewing Computer from MMC Causes Access Violation to Occur
 Q193646 Event ID 10005 from DCOM After Installing IIS
 Q193654 Services Continue to Run After Shutdown Initiated
 Q193655 Multiple Entries for AUTOCHK Abort in System Log
 Q193686 SMTP Services Do Not Start Automatically After One Is Stopped
 Q193687 Invalid Handle Exception Error During SMTP Server Maintenance
 Q193688 HTMLA: Object Already Exists When Creating New Web Sites
 Q193689 IIS Security: Mapping IDC Reveals Paths for Web Directories
 Q193779 Cluster Server Drive Letters Do Not Update Using Disk Admin
 Q193781 Cache Manager May Cause Data Corruption
 Q193793 ":$DATA" Data Stream Name Returns Source of a Remote File
 Q193806 CSNW Error 85, Local Device Already in Use
 Q193812 Extended Characters in URL Translated into UTF-8 Characters
 Q193891 HTTP Through Firewall and "Bypass Proxy for Local Intranet"
 Q193899 Event ID 1008, 4005 with Missing TCP/IP Performance Counters
 Q194130 SNMP Edit Box Drops a Character When Writing to the Registry
 Q194133 Remote Shell (RSH) Commands Hang w/ Multiple Sessions Running
 Q194193 STOP 0xA in Sfmatalk.sys When Copying Files on an SFM Volume
 Q194194 DNS Fails with Error 1201 If Secondary Zone File Not Specified
 Q194200 Cannot Change WinNT Passwords from Exchange and Outlook Clients
 Q194228 Rule Containing Multiple Clauses Only Functions Properly Once
 Q194322 T/R NIC May Fail Windows Hardware Quality Lab (WHQL) Test
 Q194336 ERROR: Destroyed NTFS Directory
 Q194340 Access Violation when Using Rcp.exe to Copy to Unix
 Q194341 Simple TCP/IP Services Can Be Driven to 100% CPU
 Q194393 New Window From Here Option in MMC May Cause Fatal Error
 Q194424 DHCP Server May Fail to Record Lease
 Q194429 TCPIP Timewaitstate may not remain in 2*msl
 Q194431 Applications May be able to "Listen" on TCP or UDP Ports.
 Q194465 PPTP May Refuse Connections When VPNs Are Free

Service Pack 3

 Q135707 Programs Run at Priority Level 15 May Cause Computer to Hang
 Q139506 Connections to Share-Level Server May Fail
 Q140419 Name Release Notifications Not Sent to WINS on Shut Down
 Q140967 Changing Password in User Manager Does Not Permit Logon
 Q141189 BUG: Wrong Error Code on NetBIOS Call When Using NWNBLNK
 Q141381 Retail SP3 Clients Cannot Connect to SP3 Beta 1 Servers
 Q142047 Bad Network Packet May Cause Access Violation (AV) on DNS Server
 Q142609 Corruption Problem When Running DPMI Application
 Q143470 Run Logon Scripts Synchronously Not Applied to New Users
 Q143472 FPNW Blue Screens Accessing or Creating Folders with Long Paths
 Q143473 Unattended Setup Stops Unexpectedly
 Q147012 Activating /W Switch to Prevent Rebooting in WinNT
 Q149538 System Restarts Every 5 Hours if Workstation to Server Upgrade
 Q151926 Delayed WinLogon When Drive Mapped to Local Share
 Q152273 DHCP Server May Give Out Duplicate IP Addresses
 Q153220 DHCP Manager Error "No More Data Is Available"
 Q154710 Cannot View Long File Names on Network in 16-Bit Programs
 Q154939 CreateQueueJobAndFile Fails w/ Queues Other Than Print Queue
 Q156410 STOP 0x1E or 0x50 Error on Multiprocessor DEC Alpha Computer
 Q157077 Netstat Slow to List Large Numbers of Connections
 Q157745 Command Extensions Cause Access Violation in Cmd.exe
 Q158433 Re-creating Admin Shares Causes Exception Error
 Q158548 Sysdiff Changes Dates on Files It Applies to WinNT
 Q159060 Mouse Cursor Freezes or Fails with Microsoft IntelliMouse
 Q159176 XADM: Store Stops Responding with High CPU Usage
 Q159330 Map.exe Does Not Set Environment Variables Correctly
 Q159998 Error Message: Error Access Is Denied
 Q160386 Incorrect MediaType Parameter on IBM PCMCIA Token Ring Card
 Q160405 Video Memory Not Correctly Detected on Dell Latitude Laptops
 Q161038 Winsock Apps Fail on First Attempt at NetBIOS Name Resolution
 Q161368 Service Pack 2 May Cause Loss of Connectivity in Remote Access
 Q161432 WINS Static Entries Overwritten by Duplicate Group Names
 Q161644 STOP 0x0000000A Sfmsrv.sys When Copying File to Mac Volume
 Q161714 IPX Doesn't Function Correctly over Token Ring Source Routing
 Q161830 Message from Unix Using Smbclient w/ Long Username Crashes
 Q161838 Programs That Lock 0 Bytes at Byte 0 Lock Entire File
 Q162077 Stop: 0x0000000A when Selecting NDS Map Objects
 Q162096 SET: Drivers Fail to Load When I/O Address Is Above 0xFFF
 Q162189 Macintosh Clients May Hang Temporarily with Multiple Mac Volumes
 Q162396 Problem with DHCP Decline Feature in Service Pack 2
 Q162404 Service Pack 5 Breaks Microsoft Mail Shared Using FPNW
 Q162471 Windows NT 4.0 May Not Recognize SCSI Devices Using Nonzero LUNs
 Q162563 WINS Restore Fails on Windows NT Server 4.0
 Q162566 FPNW Causes Incomplete Display When Executed from Windows 95
 Q162567 Telnet to Port 135 Causes 100 Percent CPU Usage
 Q162616 Extra Form Feed with Passthrough Functions to Text Only Driver
 Q162657 Choosing Default Domain Name for RAS Client Authentication
 Q162774 Policy Editor Crashes When Using Large Custom ADM Files
 Q162775 Access Violation in SPOOLSS when Printing to a Serial Printer
 Q162778 WINS May Report Database Corruption w/ More Than 100 Owners
 Q162881 RIP Table Sent While Shutting Down When Silent RIP Set
 Q162926 STOP: 0x0000000A After Call to GlobalAddAtom()
 Q162927 Telnetting to Port 53 May Crash DNS Service
 Q163129 RAS Client Fails to Connect to Service Pack 2 Using NetBEUI
 Q163143 STOP: 0x0000001E with Status C000009A
 Q163196 New Windows NT PING.EXE Prevents Hanging Other TCP/IP Stacks
 Q163202 Limit of the Number of Simultaneously Open Root Storage Files
 Q163203 Remote Access Autodial Manager may fail for second user logon
 Q163213 WebSTONE Benchmark of IIS May Show Poor Results for MP Systems
 Q163214 RAS Script with Set IPADDR May Fail with 3Com Defender Add-on
 Q163261 DEC ALPHA WinNT 4.0 Servers w/ SP2 Fail to Lease DHCP Addresses
 Q163267 Delay While Establishing SPX II Connection
 Q163318 Helpfile Word Lists May Be Rebuilt After Daylight Savings Change
 Q163333 Autosynch Compatible COM Applications May Fail w/ FIFO Enabled
 Q163383 Failure to Obtain IP Address Via DHCP on Token Ring w/ SP2
 Q163431 16-Bit Application Stops Responding When Run on WinNT 4.0
 Q163508 STOP 0xA in Ntfs.sys During Reboot
 Q163512 Error: The Mapi Spooler has Shut Down Unexpectedly
 Q163525 Delay When Saving Word 7.0 File to Windows NT 4.0 Server
 Q163538 NTBackup Does Not Properly Eject Tapes on DLT Tape Devices
 Q163614 HP LaserJet Series II Prints Extra Small Stripes or Points
 Q163616 Cannot Unlock Workstation If Password Change Cancelled
 Q163620 STOP 0x50 in Rdr.sys If Pathname Too Long in SMB
 Q163672 Windows NT 4.0 Setup Fails on ThinkPad 535
 Q163687 Winsock Applications May Timeout or Fail with an Error
 Q163700 IIS Access Violation for Polygon with More Than 100 Vertices
 Q163714 ATDISK Finds the Same Disk Twice on SunDisk PCMCIA ATA Adapter
 Q163725 NDIS Driver Fails To Check Functional Address
 Q163790 RPC Service Stops Responding on UDP Port 135
 Q163872 Sysdiff Cannot Delete Files
 Q163873 Czech Keyboard Layout Has Wrong Mapping
 Q163874 Pressing CTRL+ALT+DEL When Logging On Can Cause Blue Screen
 Q163875 Group Policies Not Applied If DC Name Is More Than 13 Characters
 Q163876 CSNW Clients Cannot Delete Print Jobs on NetWare Print Queue
 Q163880 COPY Command Causes File Cache to Grow
 Q163881 Windows NT Does not Display Some Fonts
 Q163883 NetBT (tag=Nbt8) Corrupts Pool with WinNT 4.0 SP2 Installed
 Q163891 Microsoft Excel 97 Causes a Windows NT Access Violation
 Q163892 A Service May Not Set Hooks on 32-bit GUI Applications
 Q163936 CLOCK Hangs and Consumes 90% CPU When Set to Digital Display
 Q163969 Event 552: DNS Was Unable to Serve a Client Request
 Q164014 Slow Exchange Client Logons Due to Deadlock in LSASS
 Q164121 Corel Fonts Unavailable Outside of English Locale
 Q164133 Logon Allowed When Access Denied to Mandatory User Profile
 Q164138 Files in Macintosh Volume Disappear from Macintosh Clients
 Q164159 Verify Reports Errors When Restoring a Tape Backup
 Q164161 NTBACKUP Fails to Back up Microsoft Exchange Server Data
 Q164201 Access Violation Installing IIS
 Q164211 FPNW Doesn't Convert the Long File Names Correctly
 Q164260 Compressing and Uncompressing Files Cause File Cache to Grow
 Q164309 Windows NT Client: Primary/Secondary WINS Servers Switch
 Q164322 Memory Leak in NetQueryDisplayInformation API
 Q164350 NEC IDE CD-ROM Drive CDR-1400C Cannot Play Audio CDs
 Q164352 Stop 0x00000050 in Tcpip.sys Caused by Winsock Applications
 Q164391 WinNT 4.0 SP2 Atapi Claims IRQ for Unused IDE Channel
 Q164410 CHGPASS and SETPASS Do Not Prompt For Typing Correction
 Q164432 Accented Greek Characters Are Not Being Created
 Q164462 Conner 4 mm DAT Tape Devices Fail After About 30 Seconds
 Q164491 Stop: 0x0000000A in Rdr.sys When Mailslot Message > 512 Bytes
 Q164507 Any User Can Log on to FTP Server with Disabled Anonymous Logon
 Q164542 MGET to an IBM Host FTP Server Returns Garbage Characters
 Q164546 SCSI Driver Description Truncated in Control Panel
 Q164595 Duplicate Route Not Removed After Second Redirection
 Q164600 4 mm DAT Driver Reports DEC TZ9L Supports Setmarks
 Q164606 Deferred Reconnections to Password Shares May Not Work
 Q164630 RPC over NetBEUI Fails from WinNT 4.0 RAS to WinNT 4.0 RAS
 Q164631 Scavenging WINS Database Removes Static Entries
 Q164639 SNA Windows 95 Fails Logon If Password Change Required
 Q164702 WINDISK crashes during initialization when Compaq ATAPI PD/CD
 Q164758 Remote Procedure Call (RPC) Service Access Violation
 Q164806 CHKNTFS Does Not Exclude FAT Partitions from AUTOCHK on Boot
 Q164812 Computer Name Truncated When Name Resolution Attempted
 Q164821 DHCP Server Service May Stop Responding
 Q164826 Direct Draw Programs May Hang NT 4.0 with S3 968 Video Chipset
 Q164904 Stop 0x0000000A in NETBT.SYS After Applying Service Pack 2
 Q164928 Not All Objects Are Displayed When Browsing NDS Trees
 Q164938 Event Logging Frozen While Doing Heavy Logging; Services CPU Peg
 Q164982 Lack of Secondary Address May Cause DNS Service to Hang
 Q164987 Hard-coded Socket of 451 Causes LANtegrity Software to Fail
 Q165004 NTVDM Support for Compaq Financial Keyboard Scan Codes
 Q165245 DDE Client Experiences Intermittent DDE Disconnects
 Q165314 Grace Logon Remaining Is Not Decremented When Logging to BDC
 Q165388 Invalid Directory Returned When Attempting to Access FPNW
 Q165427 Convlog.exe May Cause Access Violation
 Q165443 NDS Login Script Fails When Checking "If Member Of"
 Q165456 STOP 0x0000000A in Ntoskrnl.exe
 Q165483 RasEnumEntries() API Leaks Memory
 Q165813 16-bit Applications Cause Access Violation in NTDLL.DLL
 Q165814 Stop: 0x0000001E When Opening My Computer
 Q165816 STOP 0x0000000A in HAL.DLL on Multiprocessor Computers
 Q165818 Truncation of Backup Log In Eastern Europe or Russian NT 4.0
 Q165946 RasEnumEntries Return Incorrect Number of Phonebook Entries
 Q165950 Unable to Change Font Cartridge Selection
 Q165989 GetPeerName() Returns WSAENOTCONN After Select() Returns Success
 Q166043 DHCPAdmin Incorrectly Writes the BootFileTable in the Registry
 Q166148 RasSetEntryProperties() Fails to Set Options in Service Pack 2
 Q166158 Access Violation Occurs in SPOOLSS.EXE
 Q166159 Connecting to Windows Network resources from multi-homed machine
 Q166183 FPNW Server Returns Error When User Opens More Than 256 Files
 Q166186 OS/2 with TCP\IP May Refuse Socket Connections from Windows NT
 Q166197 NBTSTAT Error when Using >25 Dialout Devices with RAS
 Q166222 Dlc.sys Sends Frame Reject (FRMR) and Drops Connection
 Q166224 SNA Server 802.2 Connection Fails to Reactivate
 Q166226 Backup of Local Registry Does Not Work With NTBACKUP.EXE /b
 Q166257 Applications Using OpenGl Cause Access Violation in OPENGL.DLL
 Q166265 Printing To A Postscript Printer May Cause A STOP 0x0000003b
 Q166266 STOP 0x0000000A Using OpenNT Commands and Utilities
 Q166267 Office Shortcut Bar Fonts Appear as Non-Cyrillic on Russian NT
 Q166311 Memory Leak Retrieving OLE Property Values with Service Pack 2
 Q166334 OpenGL Access Violation on Windows NT Version 4.0
 Q166421 FPNW Returns Time Stamp with 60 Seconds to Clients
 Q166423 Access Violation in SERVICES.EXE in EVENTLOG.DLL
 Q166475 NWLNKSPX Retransmission Problem Over a Slow Link
 Q166478 Logon Rights Are Not Audited
 Q166482 DUMPCHK.EXE Incorrectly Reports Some Dump Files as Invalid
 Q166686 RASDIAL Error w/English Text on Non-English Version of Windows NT 4.0
 Q166696 NT 4 Err Msg: "The INF OEMNADDI is missing the referenced file"
 Q166823 Cannot Connect To AT&T Advanced Server VMS or OSF Print Share
 Q166834 Lost Record Locks from MS-DOS-based Program to NetWare Server
 Q166842 CSNW & GSNW Won't Display NetWare Servers via a SAP Seed Server
 Q166846 Cannot Reconnect to TN3270 Server with Close Listen Sockets
 Q166874 No Crashdump and Compaq Systems with Smart-2/P (PCI) Controller
 Q166963 Cannot Communicate with Computer Running NWLink IPX/SPX
 Q166964 Incorrect File Listing on NetWare Server with DIR /TC Command
 Q167009 Description of DHCP Server Service Has a Misspelled Word
 Q167010 Access Violation in CMD.EXE Processing Batch File Script Argument
 Q167026 Windows NT 4.0 DNS Server Stops Responding To Queries
 Q167038 RAS Clients Run Winsock and RPC Applications Slowly
 Q167044 Request From Perfmon Counter Can Cause Excessive Page Faults
 Q167110 NT 4.0 RAS client slows over time due to lack of resources
 Q167129 Stop 0x7A or System Lockup in NTBACKUP With MINIQIC
 Q167130 Fatal System Error in NDIS.SYS Allocating Map Registers
 Q167362 STOP 0x00000050 in SRV.SYS When Shutting Down Computer

Service Pack 2

 Q108261: Windows NT Hangs on Shutdown with Certain PCMCIA Devices
 Q140059: Stop 0xA in Afd When Browsing IIS
 Q140065: Multi-Processor Systems Randomly Restart or Stop Responding
 Q141375: Winstone 97 May Fail on Windows NT 4.0
 Q142634: Multiple Processes Are Able to Open the Same Winsock Port
 Q142641: Internet Server Unavailable Because of Malicious SYN Attacks
 Q142648: STOP 0x00000024 in Ntfs.sys
 Q142656: Internet Explorer 3.0 on RISC Computer Cannot Connect to Host
 Q142671: Backup Fails on Certain Directories Due to Lack of Permissions
 Q142675: CSNW Sends Packets Greater Than Negotiated Maximum Packet Size
 Q142686: First Line of Print Job Lost When Printing Using Lpdsvc
 Q142687: Windows NT 4.0 Not Able to Read Some Compact Discs
 Q142847: Bugcheck 0x1e Caused by Isotp.sys Driver
 Q142872: Length of PDC Name May Affect Performance on a Domain
 Q142903: Windows NT Ndis.sys and Netflx3.sys Performance Improvement
 Q146336: Joystick in Windows NT 4.0 Does Not Work Properly
 Q147363: AlphaServer Hangs on Install of Windows NT Version 4.0
 Q147497: Matrox Video Driver May Fail on Alpha-based Computers
 Q147552: Backup Always Reports Time as PM
 Q148378: Setup of RAS with Multiple Modems Gives Slow Performance
 Q148525: Removable Media Does Not Eject if Formatted in NTFS
 Q148602: Running SNA Server 2.11 on the Windows NT 4.0
 Q150815: Windows NT May Fail to Boot on Toshiba Portable Computers
 Q153665: SPX Data Stream Type Header May Reset Unexpectedly
 Q154556: Delegation Requires a Stop and Restart of the DNS Server Service
 Q154620: Windows NT 4.0 DNS Server Loses the Forwarders Settings
 Q154784: Windows NT Operating System SNMP OID Incorrect
 Q155883: NT 4.0 Breaks SNA Server 2.x Server Communication Over IP
 Q156091: Access Violation with Long NDS Context in CSNW/GSNW
 Q156095: Replace Command with Space Character in the Path Does Not Work
 Q156276: Cmd.exe Does Not Support UNC Names as the Current Directory
 Q156324: Device Failure Message with Microchannel Network Adapter
 Q156520: Logon Validation Fails Using Domain Name Server (DNS)
 Q156578: Cannot Cancel Print Job on Windows NT 3.51 Shared Printer
 Q156735: WOW Applications Stack Fault When Launched by a Service
 Q156746: Print Jobs Are Deleted When Printer Is Resumed After Restart
 Q156750: AddGroupNameResponse Frame from WinNT May Cause WFWG to Hang
 Q156884: Problems Saving Event Viewer Log from Windows NT 4.0 to 3.51
 Q156958: Serial Service Won't Stop with Serial Printer Installed
 Q157279: Nwrdr.sys Fails Reading File with Execute Only Attribute
 Q157289: Memory Leak Using RegConnectRegistry API
 Q157494: PPC 4.0 Cirrus Driver Fails to Redraw & Fill Objects Correctly
 Q157621: Personal Groups Not Visible If %Systemroot% Is Read-Only
 Q157673: Policy Not Updated on Workstation
 Q158142: WM_DDE_EXECUTE API Causes a Memory Leak in the WOW Subsystem
 Q158387: RAS Server Cannot Use DHCP to Assign Addresses w/ PPTP Filtering
 Q158587: 16-Bit Named Pipe File Open Leads to WOW Access Violation
 Q158682: Shortcuts Created Under NT 4.0 Resolve to UNC Paths
 Q158707: DDE Destroy Window Code May Stop 0x0000001e in Windows NT 4.0
 Q158796: Macintosh Clients Connected to WinNT Server Appear to Hang
 Q158981: IBM Thinkpads 760ED and 760ELD May Hang During Shutdown
 Q159053: NTFS Stream Limitation in Windows NT 4.0
 Q159066: A Client Crash May Prevent an NTFS Volume Dismount
 Q159071: NTFS Does Not Prevent a File Deletion During Rename
 Q159072: An Account That Still Has System Access May Be Deleted
 Q159073: Screen Corruption on Dell Laptops Using Cirrus Video
 Q159075: Compression Is Not Supported on Quantum 4000DLT
 Q159076: Windows NT 4.0 May Hang or Crash in Win32k.sys During Setup.
 Q159085: Windows NT Kernel Crashes While Processing WM_NCCREATE
 Q159090: Delphi 2.00 and 2.01 Users Encounter Error 998
 Q159091: German Time Zone Results in Incorrect Log Times
 Q159092: Mouse Buttons Not Swapped on German Windows NT 4.0
 Q159093: Windows NT Muldiv() Function Returns Incorrect Value
 Q159095: STOP 0x0000001E in Win32k.sys When Exiting Applications
 Q159098: WinNT 4.0 Resource Kit Utility "Remote Console" Client Fails
 Q159105: Cannot Open Truncated File Names from Compact Discs
 Q159107: Access Violation in AddAtom Inside Kernel32.dll
 Q159108: SMP Full Duplex Adapter Configuration May Cause a Blue Screen
 Q159109: ExitWindowsEx Does Not Work With NEC Power Switch Service
 Q159110: CDFS Does Not Complete IRPs Correctly
 Q159111: Multiprocessor Computer Hangs Under Stress Using Halsp.dll
 Q159119: NTFS Generates Cross-Linked Files
 Q159127: Bugcheck in Windows NT While Running POSIX Applications
 Q159129: OpenGL Access Violation with Invalid OpenGL Context
 Q159137: Moving Files Can Corrupt NTFS Partition
 Q159141: CDFS Incorrectly Creates Short File Names for Some Files
 Q159144: Dongle May Not Function Under Windows NT 4.0
 Q159203: Unattended Install Prompts for New IP if Zero Is in Address
 Q159204: IoCompletionPort Causes Blue Screen Error
 Q159205: SFM File Type and Creator Properties Invalid
 Q159206: Reactivation of Paused Print Queues Deletes Print Jobs
 Q159309: Windows NT 4.0 RAS Not Releasing Static IP Addresses
 Q159352: RPC over NetBIOS Programs Can't Call from Server to RAS Client
 Q159447: Applications Testing for Directory Existence Fail
 Q159449: DNS Server Glue Data Is Deleted
 Q159450: Second Recursive Query Sent from DNS Server Is Broken
 Q159594: Missing Eastern Europe FontSubstitutes in Registry
 Q159910: Memory Corruption on a Windows NT Alpha Platform
 Q159970: Slow List of Folders and Files with CSNW
 Q159971: SetTimer() API Causes Memory Leak in the WOW Subsystem
 Q159972: WinNT 4.0 May Not Return Valid Response for SMB Search Command
 Q160015: 2D Vector Performance on WinNT 4.0 Slower Than on 3.51
 Q160055: Warning Event ID 4010 Generated on Windows NT LPD Server
 Q160189: CSNW Cannot See More Than 32 Volumes Per Server
 Q160190: RasSetEntryProperties Does Not Save a Full Path Script Name
 Q160354: Mouse and Keyboard Can Disappear when Replacing Drivers
 Q160370: Stop Screen 0x00000050 Caused by Fs_rec.sys
 Q160372: Intermittent File Corruption when Compiling on NTFS Partition
 Q160373: Adaptec Aic78xx Does Not Issue Multiple Tagged Commands
 Q160377: File Size Data Does Not Remain Consistent After Defrag on NTFS
 Q160392: Systems with 4 GB or More of RAM Cannot Boot Windows NT 4.0
 Q160398: Cannot Read Files Greater than 4 GB
 Q160404: Madge EISA Stops Responding on Alpha in Windows NT 4.0
 Q160405: Video Memory Not Correctly Detected on Dell Latitude Laptops
 Q160420: Changing Colors on Cirrus Logic Cards to 65k Can Cause Stop
 Q160459: DNS Delegations May Fail
 Q160470: Stop 0x0000000a IPX Sends Browser an Incomplete Datagram
 Q160493: NWLNKRIP Data Structures Corruption when Using a Demand Dial NIC
 Q160494: DNS Zone Transfer Fails After WINS Record Added
 Q160497: Cache File Entries Disappear
 Q160508: Unnecessary DNS Zone Transfers
 Q160518: Zone Files in Multiples of 4 KB May Cause Access Violation
 Q160583: Windows NT 4.0 with More Than 4 Processors May Stall & Reboot
 Q160601: Bad Parameters Sent to Win32k.sys May Cause Stop Message
 Q160603: No Output from DBMON Using OutputDebugString While Debugging
 Q160604: Access Violation in security!SspQueryContextAttributesW
 Q160606: Performance Enhancements for SQL Server Under Windows NT
 Q160610: READ_REGISTER_ULONG Doesn't Preserve ULONG Semantics on Alpha
 Q160649: STOP 0x0000000A in Ntoskrnl.exe at Logon to Windows NT 4.0
 Q160650: Blue Screen When Closing Kernel Mode Handles from User Mode
 Q160651: OpenGL May Cause an Exception 0xc0000090
 Q160653: NTFS Fails Assertion Under High Stress During Transfer
 Q160657: 16-bit Version of Visual Basic 4 May Hang Windows NT 4.0
 Q160658: Stop C0000021A Using MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT
 Q160670: FPSCR is Not Being Saved Across Thread Context Switches
 Q160671: Stop 0x0000007F May Occur on Compaq SystemPro
 Q160678: Possible Access Violation in Win32k.sys Under High Stress
 Q160702: Event 2006 Errors in Xcopy from WinNT 4.0 to OS/2 3.0 Client
 Q160732: FIX: SQL Server 6.5 Service Pack 2 Fixlist (Part 2 of 2)
 Q160791: Excel Charts Lose Color When Pasted into Word
 Q160840: Sharing Violation When Accessing User Profiles
 Q160894: Incoming Fax Jobs Do Not Appear in Print Queue
 Q160964: 0x0000001e When Printing Certain Documents from Windows NT 4.0
 Q161201: NTBackup.exe from WinNT 3.51 SP5 Causes Verify Errors
 Q161802: Stop 0x0000000A During Create File SMB
 Q161990: How to Enable Strong Password Functionality in Windows NT
 Q162157: Cyberbit Unicode Font Does Not Return Correct Charset
 Q163055: DHCP Client May fail with NT 4.0 SP2 Multinetted DHCP Server
 Q163736: Access Violation in DNS Manager when deleting cached domain
 Q163772: Nested "for" Loops Using the '~' Operators Does not Work
 Q163773: Brief 3.0 in NTVDM Consumes 100% Processor
 Q163837: SNMP query to Windows NT returns same value for NTS and NTW

Service Pack 1

 Q78303: Intermittent File Corruption Problem
 Q142653: STOP Message Occurs Calling GetThreadContext/SetThreadContext
 Q142654: Winsock Memory Access Violation in Ws2help.dll Or Msafd.dll
 Q142655: Stop Message Appears After Deleting ProductOption Registry Key
 Q142656: Internet Explorer 3.0 on RISC Computer Cannot Connect to Host
 Q142657: Data Corruption on Windows NT 4.0
 Q142658: Internet Information Server Runs Out of Memory
 Q149903: File Manager Performs a Move Instead of a Copy
 Q156832: STOP Message when IBM Warp Client Connects to Windows NT 4.0 

Q. When should I reapply a Service Pack?

A. You should reapply any Service Pack (and subsequent hotfixes) whenever you add any system utilities/services or hardware/software. A good rule of thumb: if the computer says "Changes have been made you must shutdown and restart your computer", reapply your service pack before the reboot.

The only problem is that once you reinstall a service pack you lose the ability to uninstall it, unless you uninstall it first and then reinstall.


Q. What is Option Pack 4?

A. Due to a lot of public pressure, Microsoft agreed to no longer include any new functionality in Service Packs, but would rather produce a separate add-on which would update various option components.

Option Pack 4 is the first of these (to keep in step with Service Pack 4) and can be downloaded from http://www.microsoft.com/windows/downloads/contents/updates/nt40ptpk/default.asp or is supplied as part of MSDN. The download is about 27MB.

If you download from the web you have to download a special program, download.exe, which you then run which downloads or installs the software.

Included in Option Pack 4 are:

  • Internet Information Server 4.0 (which used the new Microsoft Management Console which is standard in NT 5.0)
  • Microsoft Transaction Server 2.0 (this is tied in with IIS)
  • Microsoft Message Queue Server 1.0
  • Internet Connection Services for Microsoft RAS
  • Certificate Server
  • Site Server Express
  • SMTP Server
  • Message Queue Server

More information can be found at http://www.microsoft.com/NTServer/Basics/WhatNew.asp

To install the Option Pack you must be running Service Pack 3 or above (I tested with Service Pack 4 and you get warnings that it has not been tested on Service Pack 4 but it works fine) and you must have Internet Explorer 4.01 or above.

Once you start the installation, click Next on the introduction screen; you will then have two options:

  1. Upgrade Only
  2. Upgrade Plus

If you select Upgrade Only then only existing components on the system will be upgraded to the Option Pack 4 version; clicking Upgrade Plus allows you to install extra software.

If you select Upgrade Plus you can then choose which components to install. Items such as IIS have sub-components such as NNTP server (news) which you can optionally install.

Depending on the components you selected you will be asked some minor questions and then the machine will reboot.


Q. How can I tell which version Service Pack I have installed?

A. When a Service Pack is installed using the normal method (e.g. not just copying the files to a build location) the service pack version is entered into the registry value CSDVersion which is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

The value is of the format "Service Pack n", e.g. "Service Pack 4", but can have extra information if it is a beta or release candidate, e.g. "Service Pack 4, RC 1.99".

To check this from the command line you could use the REG.EXE Resource Kit supplement 2 utility:

C:\>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion"
REG_SZ CSDVersion Service Pack 4, RC 1.99

Make sure you put the value in double quotes (").

An alternative is to just run WINVER.EXE which will tell you your current build and Service Pack version. You can also use WINMSD.EXE or Help/About in Explorer.
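
The following Python sketch is an added example, not part of the original FAQ: it parses the REG.EXE output line shown above and flags machines that are below a required Service Pack level or are running a beta/RC build. The host names, sample outputs and the required level are constructed for illustration, and treating an empty CSDVersion as "no Service Pack" is an assumption.

```python
import re

# CSDVersion data format described in the FAQ: "Service Pack n", optionally
# followed by ", <extra>" for beta or release-candidate builds.
CSD_FORMAT = re.compile(r"Service Pack (\d+)(?:,\s*(.+))?")


def parse_reg_query_line(output):
    """Return the CSDVersion data from REG.EXE output ('REG_SZ CSDVersion <data>')."""
    for line in output.splitlines():
        parts = line.split(None, 2)
        if parts[:2] == ["REG_SZ", "CSDVersion"]:
            return parts[2] if len(parts) == 3 else ""
    raise ValueError("no 'REG_SZ CSDVersion' line in output")


def parse_csdversion(value):
    """Return (service_pack_number, extra). Empty data -> (0, None) (assumption)."""
    value = (value or "").strip()
    if not value:
        return (0, None)
    match = CSD_FORMAT.fullmatch(value)
    if not match:
        raise ValueError("unexpected CSDVersion data: %r" % value)
    extra = match.group(2).strip() if match.group(2) else None
    return (int(match.group(1)), extra)


def audit(reg_output_by_host, minimum_sp):
    """Return {host: finding} for hosts that need attention."""
    findings = {}
    for host, output in reg_output_by_host.items():
        try:
            level, extra = parse_csdversion(parse_reg_query_line(output))
        except ValueError as exc:
            findings[host] = "unparseable: %s" % exc
            continue
        if level < minimum_sp:
            findings[host] = "Service Pack %d is below required %d" % (level, minimum_sp)
        elif extra:
            # A beta/RC build meets the number but is not the released pack.
            findings[host] = "pre-release build (%s)" % extra
    return findings


# Constructed sample outputs, one per (hypothetical) host.
SAMPLE_OUTPUTS = {
    "NTSRV01": "REG_SZ CSDVersion Service Pack 4, RC 1.99",
    "NTSRV02": "REG_SZ CSDVersion Service Pack 3",
    "NTSRV03": "REG_SZ CSDVersion Service Pack 5",
    "NTWKS04": "REG_SZ CSDVersion",
    "NTWKS05": "(constructed placeholder for a failed query)",
}

if __name__ == "__main__":
    for host, finding in sorted(audit(SAMPLE_OUTPUTS, 4).items()):
        print(host, "-", finding)
```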


Q. I receive an error trying to install Service Pack 4 for NT 4.0.

A. If when installing Service Pack 4 you receive the error:

"Service Pack Setup Error. You do not have permissions to update Windows NT. Please contact your system administrator."

it may be caused by the update.exe image being in the wrong directory.

If you have expanded the service pack using nt4sp4i.exe /x it will create a subdirectory, update, which will include the files

  • Update.exe
  • Update.inf
  • Update.nvt

When running update.exe it must be in the update subdirectory. If not you should move the image accordingly.


Q. Setupdd.sys is missing in Service Pack 4/5.

A. Setupdd.sys is included on the Service Pack 4/5 CD and in the Y2K download version of Service Pack 4 but not the normal version.

This file is needed to replace the one on the second Windows NT installation disk to repair a system that has Service Pack 3 or above. To create a set of NT installations disks insert the NT installation CD-ROM and type winnt32 /ox.

You can download SETUPDD.SYS here.


Q. Important steps for installing Service Pack 4.

A. Service Pack 4 makes some permanent changes to the registry, so before installing you should perform the following steps to facilitate a Service Pack uninstall in the event of a problem. Before installing the service pack make sure you have performed the installation on a test server and, as with any other "fix", don't install unless you need a fix supplied by the Service Pack or have been instructed to install it by a Microsoft support engineer. If it ain't broke, don't fix it.

  1. Perform a full backup of all files and the registry using NTBACKUP or another backup program
  2. Create an up-to-date Emergency Repair Disk and store safely
    RDISK /s
  3. Reboot your system and check the Event Viewer (Start - Programs - Administrative Tools - Event Viewer) and check for any errors. Fix before proceeding. If you make any changes fixing the problems go back to step 2 and recreate another ERD.
  4. Copy your old Uninstall directory to a backup location
    C:\> md %systemroot%\$ntservicepackuninstallback$
    C:\> copy %systemroot%\$ntservicepackuninstall$ %systemroot%\$ntservicepackuninstallback$
  5. Run the resource kit utility SRVINFO.EXE (if available) and keep a copy of the output
  6. Disable any non-essential third-party drivers/services not required for starting the system. Contact the manufacturers to see if updated versions are available.
  7. Check you have enough disk space, you will need 80MB if you select to create an uninstall directory, 40MB if not
  8. Close all active debugging sessions or remote control sessions and any other non-essential applications before starting the upgrade

Q. Uninstalling Service Pack 4.

A. As was explained in "Q. Important steps for installing Service Pack 4.", Service Pack 4 makes some changes to the registry which can't be undone. Because of this, in the event of a Service Pack 4 uninstall the following files are left unrestored:

  • samsrv.dll
  • samlib.dll
  • winlogon.exe
  • lsasrv.dll
  • services.exe
  • msv1_0.dll

Additionally the files below are also not restored:

Crypt32.dll, Comctl32.dll, Schannel.dll, Cryptdlg.dll, Pstorerc.dll, Psbase.dll, Pstores.exe, Pstorec.dll, Cryptext.dll, Cryptui.dll, Mssign32.dll, Wintrust.dll, Softpub.dll, Mssip32.dll, Mscat32.dll, Initpki.dll, Cryptnet.dll, Xenroll.dll, Dssig.dll, Sigres.exe, Dssbase.dll, Rsaenh.dll (128 bit security only), Rsabase.dll, Certmgr.msc, and Syskey.exe.

To uninstall the Service Pack either start the Add/Remove programs control panel applet (Start - Settings - Control Panel - Add/Remove programs), select "Windows NT Service Pack 4" and click Remove, or move to the %systemroot%\$NtServicePackUninstall$\spuninst directory and run spuninst.exe.

If you wanted to completely uninstall the service pack, undoing the registry changes and restoring all original files, you would need to restore the %systemroot% directory from a backup and repair the registry using the ERD disk you created. Alternatively you could uninstall as normal then use the ERD to repair the registry and replace the six files that the uninstall does not fix.


Q. How can I tell who installed/uninstalled Service Pack 4?

A. When Service Pack 4 is installed or uninstalled an Event is written to the System Event Log. The Event ID is 4353, so you can create a filter (View - Filter Events) to view only Event ID 4353. The event records who performed the action and when.

The messages are

Windows NT Service Pack 4 was installed (Service Pack 3 was previously installed).

or

Windows NT Service Pack 4 was uninstalled. Restoring Windows NT to Service Pack 3.

Event 4353


Q. Service Pack 4 unattended installation switches.

A. The following switches can be used with the UPDATE.EXE program supplied with Service Pack 4:

-u Unattended mode
-f Force all apps to close at shutdown
-n Do not create an uninstall directory 
-o Overwrite OEM files without asking
-z Do not reboot when installation is complete
-q Quiet mode - no user interaction

Q. New Event Logs in Windows NT 4.0 Service Pack 4.

A. Service Pack 4 adds 4 new Event log messages to the System Event Log:

  • Event 6005 is logged at boot time noting that the Event Log service was started.
    The Event log service was started.
  • Event 6006 is logged at shut down time when the Event Log service is stopped
    The Event log service was stopped.
  • Event 6008 is logged as a dirty shutdown.
    The previous system shutdown at 07:51 on 15/02/99 was unexpected.
  • Event 6009 is logged during every boot and indicates the operating system version, build number, service pack level, and other pertinent information about the system.
    Microsoft (R) Windows NT (R) 4.0 1381 Service Pack 4 Uniprocessor Free.

These can all be viewed using the Event Viewer which is located in the Administrative Tools program folder.
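
As an added example (not from the original FAQ), the Python sketch below triages exported System log records using Event 4353 from the earlier question and Events 6005, 6006, 6008 and 6009 described here. The message formats are the ones quoted in the FAQ; the record layout, times, user name and event sequence are constructed, and the format of a 6009 message with no Service Pack is an assumption.

```python
import re

# Constructed records (time, event ID, user, message), oldest first.
BOOT3 = "Microsoft (R) Windows NT (R) 4.0 1381 Service Pack 3 Uniprocessor Free."
BOOT4 = "Microsoft (R) Windows NT (R) 4.0 1381 Service Pack 4 Uniprocessor Free."
START = "The Event log service was started."
STOP = "The Event log service was stopped."
SAMPLE_EVENTS = [
    ("1999-02-14 18:02", 6009, "N/A", BOOT3),
    ("1999-02-14 18:02", 6005, "N/A", START),
    ("1999-02-14 19:10", 4353, "DOMAIN\\jsmith",
     "Windows NT Service Pack 4 was installed (Service Pack 3 was previously installed)."),
    ("1999-02-14 19:15", 6006, "N/A", STOP),
    ("1999-02-14 19:17", 6009, "N/A", BOOT4),
    ("1999-02-14 19:17", 6005, "N/A", START),
    # No 6006 before the next boot: the machine went down uncleanly.
    ("1999-02-15 08:03", 6009, "N/A", BOOT4),
    ("1999-02-15 08:03", 6005, "N/A", START),
    ("1999-02-15 08:03", 6008, "N/A",
     "The previous system shutdown at 07:51 on 15/02/99 was unexpected."),
    ("1999-02-16 09:00", 6006, "N/A", STOP),
    # Service Pack level drops with no 4353 record in between.
    ("1999-02-16 09:04", 6009, "N/A", BOOT3),
    ("1999-02-16 09:04", 6005, "N/A", START),
]

SP_CHANGE = re.compile(r"Windows NT Service Pack (\d+) was (installed|uninstalled)")
DIRTY = re.compile(r"previous system shutdown at (\S+) on (\S+) was unexpected")
BOOT = re.compile(r"Windows NT \(R\) (\S+) (\d+)(?: Service Pack (\d+))?")


def triage(events):
    """Summarise Service Pack changes and unclean shutdowns in a System log."""
    report = {"sp_changes": [], "dirty_shutdowns": [],
              "starts_without_stop": [], "unexplained_sp_levels": []}
    running = False          # True between a 6005 and the next 6006
    last_boot_sp = None      # Service Pack level from the previous 6009
    change_logged = False    # a 4353 was seen since the previous 6009
    for when, event_id, user, message in events:
        if event_id == 4353:
            m = SP_CHANGE.search(message)
            if m:
                report["sp_changes"].append({"time": when, "user": user,
                                             "action": m.group(2),
                                             "service_pack": int(m.group(1))})
                change_logged = True
        elif event_id == 6005:
            if running:  # previous session never logged a clean stop
                report["starts_without_stop"].append(when)
            running = True
        elif event_id == 6006:
            running = False
        elif event_id == 6008:
            m = DIRTY.search(message)
            shutdown = "%s %s" % (m.group(2), m.group(1)) if m else None
            report["dirty_shutdowns"].append({"logged": when, "shutdown": shutdown})
        elif event_id == 6009:
            m = BOOT.search(message)
            if not m:
                continue
            level = int(m.group(3)) if m.group(3) else 0
            if last_boot_sp is not None and level != last_boot_sp and not change_logged:
                report["unexplained_sp_levels"].append(
                    {"time": when, "previous": last_boot_sp, "current": level})
            last_boot_sp, change_logged = level, False
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE_EVENTS).items():
        print(section, items)
```

A Service Pack level that changes between two boots without a matching Event 4353 is worth a closer look, for example after a restore from backup or when the log has been cleared.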


Q. When will Service Pack 5 for NT 4.0 be released?

A. Service Pack 5 is now released and expect SP6 to follow!


Q. I receive an error that setup.log cannot be found when installing a service pack.

A. If when you try and install a service pack you receive one of the following errors:

Service Pack Setup could not find the Setup.log file in your repair directory

or

Service Pack Setup cannot open or modify your SETUP.LOG file

The problem is either

  • SETUP.LOG in the %systemroot%\repair directory is missing or damaged
  • The folder in which Windows NT was installed has been renamed (although this is unsupported by Microsoft)

If the file SETUP.LOG in the %systemroot%\repair directory is missing, you can copy it from your Emergency Repair Disk. If this is not an option you could copy it from another machine, but you may need to update the first few lines in the file (I copied a setup.log file from a NT Server Terminal Server installation to an NT Workstation and installed Service Pack 5 with no problems after changing the device and directory! This is not a supported method though).

Below is an example of the first lines of setup.log

[Paths]
TargetDirectory="\WINNT"
TargetDevice="\Device\Harddisk0\partition2"
SystemPartitionDirectory="\"
SystemPartition="\Device\Harddisk0\partition1"
[Signature]
Version="WinNt4.0"
[Files.SystemPartition]
ntldr="ntldr","2a36b"
NTDETECT.COM="NTDETECT.COM","b69e"
[Files.WinNt]
\WINNT\Help\31users.hlp="31users.hlp","12bfc"
... etc.

If you copy from another machine you may need to update the TargetDirectory and also the TargetDevice (which is where the %systemroot% is located and can be compared against the boot.ini file) and SystemPartition (which is the active partition, starting from 1, e.g. C:, this should not need to be changed).

If the TargetDirectory is different you should perform a global replace in the file from the old name, e.g. WINTSRV to the new name, e.g. WINNT.

If you do have a setup.log file in the repair directory and still get problems installing check that its format matches that given above.

If you don't have any SETUP.LOG files I have an example one you can download and modify from an NT Workstation installation (but don't mail me asking for support) but the correct procedure is outlined at http://support.microsoft.com/support/kb/articles/Q173/3/84.asp which involves reinstalling NT over your existing installation.
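
The Python sketch below is an added example, not part of the original FAQ: it checks a setup.log against the local installation and rewrites one copied from another machine. Instead of a blind global replace it changes only the TargetDirectory and TargetDevice values and the leading directory of [Files.WinNt] entries, so file names that happen to contain the old directory name are left alone. The sample file contents and the WINTSRV.DLL entry are constructed.

```python
# Constructed sample: a setup.log copied from a machine installed in \WINTSRV.
COPIED_SETUP_LOG = r'''[Paths]
TargetDirectory="\WINTSRV"
TargetDevice="\Device\Harddisk0\partition1"
SystemPartitionDirectory="\"
SystemPartition="\Device\Harddisk0\partition1"
[Signature]
Version="WinNt4.0"
[Files.SystemPartition]
ntldr="ntldr","2a36b"
NTDETECT.COM="NTDETECT.COM","b69e"
[Files.WinNt]
\WINTSRV\Help\31users.hlp="31users.hlp","12bfc"
\WINTSRV\system32\WINTSRV.DLL="WINTSRV.DLL","1a2b3"
'''


def parse_setup_log(text):
    """Return {section: [(key, value), ...]}, keeping the original order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections


def check_setup_log(text, target_dir, target_device):
    """Return a list of problems; an empty list means the header looks right."""
    problems = []
    sections = parse_setup_log(text)
    paths = dict(sections.get("Paths", []))
    for name, expected in (("TargetDirectory", target_dir),
                           ("TargetDevice", target_device)):
        actual = paths.get(name, "").strip('"')
        if actual.lower() != expected.lower():
            problems.append("%s is %r, expected %r" % (name, actual, expected))
    if dict(sections.get("Signature", [])).get("Version") != '"WinNt4.0"':
        problems.append("missing or unexpected [Signature] Version")
    prefix = target_dir.lower() + "\\"
    stray = [key for key, _ in sections.get("Files.WinNt", [])
             if not key.lower().startswith(prefix)]
    if stray:
        problems.append("%d [Files.WinNt] entries outside %s" % (len(stray), target_dir))
    return problems


def retarget(text, old_dir, new_dir, new_device):
    """Rewrite a copied setup.log for the local directory and device."""
    out, section = [], None
    old_prefix = old_dir.lower() + "\\"
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif section == "Paths" and stripped.startswith("TargetDirectory="):
            line = 'TargetDirectory="%s"' % new_dir
        elif section == "Paths" and stripped.startswith("TargetDevice="):
            line = 'TargetDevice="%s"' % new_device
        elif section == "Files.WinNt" and stripped.lower().startswith(old_prefix):
            # Replace only the leading directory, never the file name itself.
            line = new_dir + stripped[len(old_dir):]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    local = (r"\WINNT", r"\Device\Harddisk0\partition2")
    print(check_setup_log(COPIED_SETUP_LOG, *local))
    fixed = retarget(COPIED_SETUP_LOG, r"\WINTSRV", *local)
    print(check_setup_log(fixed, *local))
```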


Q. What is new in Windows NT 5.0?

A. NT 5.0 is the next major release of NT. It is expected to include the following new features:

  • New X.500-style directory services called Active Directory. In Active Directory, domain controllers store the entire directory database for their domain. This directory information can be structured to create a hierarchical directory system.
  • Active Directory uses DNS as a locator service and supports LDAP queries.
  • Distributed File System. DFS, which was an add-on for NT4, enables multiple volumes on different machines (even not Windows NT!) to appear as a single logical volume.
  • Support for more than one monitor using new API commands (note that not all video cards are supported).
  • Kerberos security, an MIT-developed security protocol that is used for distributed security within a domain tree and is based on passwords and private-key encryption.
  • 64 bit memory support (more than 4 gigs of memory supported, 32 gigs on 64 bit processors) on Alpha processors.
  • Support for Plug and Play based on ACPI.
  • Common device driver model, so new drivers can work on both Windows NT and Windows 98.
  • Built in Disk Quota software - per user/per volume only.
  • Encrypting File System - file encryption on a per file or per folder basis (like compression at present)

For more information on what's new please go to http://www.microsoft.com/NTServer/Basics/Future/WindowsNT5/Features.asp


information on Windows NT 5.0?

A. Below is a list of useful links at Microsoft


Q. How do I get the Microsoft Windows 2000 Beta?

A. Windows 2000 is currently in beta test. The technical beta program is closed and is not accepting additional requests at this time. The Windows 2000 beta is not generally available at present for free. If you want this beta, there are five approaches you can consider taking:-

  1. Send email to [email protected] The Technical beta is closed, and email to this account is unlikely to get you onto the beta. If you do send email, remember you need to justify why MS should send you the beta. Given that the Technical Beta is closed, this approach is unlikely to get you a beta copy.
  2. Take out a subscription to MSDN (Microsoft Developers Network) Professional or Universal levels. MSDN Subscriptions offer comprehensive, timely, and convenient access to Microsoft Visual Tools, essential technical programming information, Microsoft operating systems, software development kits (SDKs), device driver kits (DDKs), Microsoft Office, BackOffice Test Platform, etc. See http://www.microsoft.com/msdn/join/subscriptions.htm for more details including pricing.
  3. Microsoft has said that there will be a wider consumer preview of Windows 2000 now that Beta 3 has shipped. http://www.microsoft.com/windows/preview/
  4. Take the Microsoft Official Curriculum course 1264, NT 5.0 First Look.
  5. Purchase Technet Plus which includes beta products.
  6. Order the Hardware evaluation Kit. For more details on this, see http://www.microsoft.com/hwtest/hctcd/

Q. What is Windows 2000?

A. Microsoft have renamed NT 5.0 to Windows 2000 in an attempt to simplify the product lines. Below is an extract from the Microsoft press release:

Four products to make up initial Windows 2000 offerings, all "Built on NT Technology".

The company has decided to rename the next release of the Windows NT® line of operating systems—formerly known as Windows NT 5.0—as Windows 2000. Now that millions of people use the Windows NT operating systems every day, Microsoft has decided to rename its next releases to reflect their shift into the mainstream market and to help customers understand the products. All currently released operating systems will retain their names.

The company has also expanded the Windows server line to meet customer demand for solutions that are more powerful than Windows NT Server Enterprise Edition and for lower cost clustering alternatives for branch-office servers.

"Windows NT was first released five years ago as a specialized operating system for technical and business needs. Today it has proven its value as the preferred technology for all users who want industry-leading cost-effectiveness, rich security features and demonstrated scalability," said Jim Allchin, senior vice president at Microsoft. "The Windows NT kernel will be the basis for all of Microsoft's PC operating systems from consumer products to the highest-performance servers."

The Windows 2000 line, which Microsoft will begin to roll out in 1999, will include four products. Windows 2000 Professional is a desktop operating system aimed at businesses of all sizes. Microsoft designed Windows 2000 Professional as the easiest Windows yet, with high-level security and significant enhancements for mobile users. The operating system is also designed to provide industrial-strength reliability and help companies lower their total cost of ownership with improved manageability.

Microsoft offers the Windows 2000 Server as the ideal solution for small- to medium-sized enterprise application deployments, web servers, workgroups and branch offices. Windows 2000 Server will support new systems with up to two-way SMP; existing Windows NT Server 4.0 systems with up to four-way SMP can be upgraded to this product.

Windows 2000 Advanced Server is a more powerful departmental and application server that provides network operating system and Internet services. Supporting new systems with up to four-way SMP and large physical memories, this product is ideal for database-intensive work. In addition, Windows 2000 Server integrates clustering and load-balancing support to provide excellent system and application availability. Organizations with existing Windows NT 4.0 Enterprise Edition servers with up to eight-way SMP can install this product.

The Windows 2000 line will also include the new Windows 2000 Datacenter Server, which is the most powerful server operating system ever offered by Microsoft. Windows 2000 Datacenter Server supports up to 16-way SMP and up to 64GB of physical memory, depending on system architecture. Like Windows 2000 Advanced Server, it provides both clustering and load balancing services as standard features. Microsoft designed this product especially for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing and server-consolidation projects.

Microsoft believes its new Windows 2000 name will help both its partners and customers. "The new name also serves our goal of making it simpler for customers to choose the right Windows products for their needs," said Brad Chase, vice president at Microsoft. "The new naming system eliminates customer confusion about whether 'NT' refers to client or server technology. Also, with our across-the-board improvements in ease of use, mobile support and total cost of ownership that provide benefits to so many users, 'NT' technology is no longer just for high-end workstations." Microsoft will use the tagline "Built on NT Technology" to help its customers through the naming transition.

The company believes that the Windows 2000 name and NT tagline will help people to identify which operating system will work best in their environment. And—as the name implies—Windows 2000 is ready for the next millennium.


Q. Getting the most out of NT 5.0 beta 2.

A. Windows NT Expert Thomas Lee has submitted these tips for getting the most out of NT 5.0 Beta 2.0. Dated 04/11/1998

Now that NT5 Beta 2 Workstation and Server have been in the field for some time, some experience in these releases has been gained. In these public newsgroups, we often see issues being repeated since later users have not seen the related posts.

To help in assisting new users, I've compiled what I modestly called:

THOMAS'S TOP 10 FAQ TIPS FOR NT5 BETA 2

I've written both specific answers to these noted problems, plus some general tips on how to get the most out of NT5 B2.

I can't get DHCP to work.

Two things to check: first that the DHCP server has been authorised and second that the subnet has been activated. To find out more about setting up a DHCP server, refer to the Walkthroughs.

In general, read the walkthroughs for all the functions before asking more questions in the newsgroups. But if you are unclear, certainly post!

CDR is broken in B2

This is a known issue. But please file a bug report on your details, especially including your exact hardware configuration.

In general, try to read the older messages - the last couple of weeks or so to see if the issue has come up. A lot of issues are repeated, and repeated, suggesting, to some, that newsgroups are write only.

So how do I create a domain - there was nothing in the setup about that!

In Windows 2000, the creation of a domain controller is not done during the installation of the OS. With Win2k, you install the OS first then you create a Domain Controller by DCPROMO.EXE either from the command prompt or from Start/Run. Prior to running DCPROMO.EXE, you must install and set up a DNS service. For more details on setting up a DC, see advsetup.txt on the CD.

In general, please read all the files in the root of the CD before asking further questions in the newsgroup please! [J.S. There is also an example in the FAQ Q. How do I promote a server to a domain controller?]

Beta 2 does not support my <pick your hardware device>

First, check the HCL in \support\hcl.txt to see if this card is supported. If it is and it does not work, try the standard tricks: take card out, see what works. Check the IRQs, etc. If all else fails, file a bug report.

If your device is NOT on the HCL, file a bug report explaining the details of your system, the precise way the card fails (BSOD, installs but fails, reduced functionality). Also try Win98 drivers if you can find them. Finally file a bug report.

In general, the HCL is your friend. Please consider consulting it prior to asking questions on the newsgroups. Also, Help is your other friend - check Help for configuration questions.

The Find dialog is broken.

The find/search dialog does work, it's just not user friendly. This is a bug, and is "fixed in later builds" - a common reply to bugs submitted regarding this dialog!

But file searching can be significantly improved by use of the index server. This does devour a lot of disk resources initially (it content indexes your entire disk setup).

The first pass can take hours, depending on how much disk space you have and how much horsepower your system has. Initial indexing is an ideal task to kick off at night, and come back to see complete in the morning. Once installed, it's efficient, and is very useful for searching. Development staff, developing HTML, Office documents, C Code, etc., will love the ability to search for specific strings in the myriad of .cpp, .htm, .shh, .asp files, etc! Check it out.

In general, for certain users, Index server is a real pal.

I can't work out how to do something in NT5 B2.

Try looking in the help. The server help, especially, has a lot of really great background information. Help is massively different, and better, in Windows 2000 than in NT4! The Help text includes documentation on how to carry out most basic configuration tasks, background concepts (and much of it well written), and places to go for more information (e.g. web sites, books, RFCs, etc). Take a look - Help has gotten a whole lot better.

In general, Help is a friend.

Why is this wise guy always asking me to read the documentation?

Simple, really. A number of procedures will be new, and the details of these are documented. Secondly, the release notes document known issues, workarounds, etc.

Windows 2000 is a lot different from NT4. I'd like to find the 'This sure isn't Kansas any more Toto' quote from the Wizard of Oz as the start-up sound. MS are aware and really have tried to document the key points. The walkthroughs make a great self paced self study tour of Windows 2000 - enjoy the ride.

In general: the product documentation is your friend.

Why is that guy always saying 'file a bug report'?

Why IS that guy always telling me to file a bug report??? Well, to put it bluntly: The product shipped as NT5 B2 is in beta test. It is not a final product. There are most likely thousands of bugs still remaining ranging from serious show stoppers to trivial things that simply will never get fixed (e.g. the titles on a dialog box). That is not abnormal for such a large product this far from shipping.

Win2000 is simply NOT ready to ship today - MS need to find, and resolve, these bugs. If you find something wrong, it may just be simple user error but it may well be a bug. So if you think it's broken, tell MS.

You, as future users, can influence and have helped to shape the product as it evolves. MS has listened to the feedback and are incorporating it. With the NT team embarking on the death march to Beta 3, if you don't tell MS, you may well have to live with the consequences - and condemn others.

MS have made it clear that Windows 2000 will not ship before it's ready. They have said they will ship when customers tell them it's ready. You are the customer - tell MS what you've found out and what you think.

In general: Make a difference. File a GOOD bug report.

OK, Cool, so how do I do it.

If you are on an internal beta, you will know how to do this - it was on the release notes accompanying your CD (and in email). Please follow directions, and discuss the issue on the internal newsgroups. Please read those groups.

If you are not on the technical beta, then go to ntbeta.microsoft.com. Fill in a short survey, and give them your email alias. You will then get a userid and password to enter the site. Go back, and with your password, you can drill down to a web tool to file a bug report. Spend a bit of time, if you can, to look at the site for more details on bug reporting. Oh, and the ntbeta.microsoft.com has not been renamed. Yet.

In general: The ntbeta.microsoft.com site is your friend.

How much do I need to tell MS about a bug. How good is good?

To some degree, the more you can provide, the better. Filing good bug reports means report as much as possible, including all your hardware, the exact nature of problem, and if possible precise steps to reproduce it.

In general, if MS can't reproduce it - it's not a bug.

Written by that guy who is always asking folks to read the documentation, use Help, and file good bug reports.

And for the humour impaired: this entire post is classified ":-) "


Q. What hardware is needed to run Windows 2000?

A. Below is a list of the minimum hardware needed to install Windows 2000.

  • 32-bit, Intel-based microprocessor computer (such as Pentium-compatible 166 MHz or higher) for both Windows NT Workstation and Windows NT Server.
  • VGA or higher resolution monitor
  • Keyboard
  • 32 MB of RAM minimum (Windows NT Server: 64 MB of RAM)
  • Hard disk space with a minimum of 300 MB of free disk space for Windows NT Workstation. (Server: a minimum of 400MB of free disk space on the partition that will contain the Windows NT system files). Several factors affect free disk space required by Windows NT 5.0 Setup, including disk cluster size, amount of RAM in the system, and the file system used (For example, NTFS uses a smaller disk cluster size than FAT file systems) and network compared to local installations (which requires less free space). Setup determines if you have sufficient disk space to successfully complete the installation with the optional components you have selected.
  • For CD-only installation, a bootable CD-ROM drive (so you can start Setup without using a floppy disk drive)
  • For floppy disk and CD installation, a high-density 3.5-inch disk drive as drive A and a CD-ROM drive
  • For network installation, one or more network adapters installed on your computer and access to the network share containing the Setup files.
  • A mouse or other pointing device

The minimum memory really is the minimum: the setup program checks that you have that amount, and the installation will not proceed without it (very annoying when I tried to install Server on my portable, which (then) only had 32MB of RAM). You can hack the txtsetup.sif files, however, to install either Server or Workstation on systems with less memory. There is no check on CPU type.

The 64bit Alpha processor continues to be supported, although memory requirements are slightly larger (e.g. 96MB for Server) than Intel systems. Support for archaic 1st generation systems such as the Jensen has been dropped for Windows 2000.

This information is also in the file setup.txt on the Windows 2000 (NT 5.0 Beta) CD-ROM.


Q. Where is the Hardware Compatibility List for Windows 2000?

A. The HCL for Windows 2000 is supplied on the CD in both text and HTML Help format. It can also be found at ftp://ftp.microsoft.com/services/whql/win2000hcl.txt.


Q. How can a FAT partition be converted to an NTFS partition?

A. From the command line enter the command convert d: /fs:ntfs . This command is one way only, and you cannot convert an NTFS partition to FAT. If the FAT partition is the system partition then the conversion will take place on the next reboot.

After the conversion, file permissions are set to Full Control for Everyone, whereas if you install directly to NTFS the permissions are set on a stricter basis.


Q. How can a NTFS partition be converted to a FAT partition?

A. A simple conversion is not possible, and the only course of action is to backup all the data on the drive, reformat the disk to FAT and then restore your data backup.


Q. How do I run HPFS under NT 4.0?

A. If you want NT support for HPFS, you can upgrade from 3.51 to 4.0 which will retain HPFS support. You can manually install the 3.51 driver under NT 4.0, however this is not supported by Microsoft.

  1. Copy the 3.51 pinball.sys to the NT 4.0 %SystemRoot%\system32\drivers directory.
  2. Start the registry editor (regedit.exe)
  3. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  4. From the Edit menu, select "New Key"
  5. In the form entry box which appears, enter Pinball as the Key Name. Leave the class field blank, and click OK
  6. Highlight the new Pinball key in the editor's left panel and select New Dword from the Edit menu
  7. Enter a name of ErrorControl and click OK
  8. Double click ErrorControl and set to "0x1"
  9. Highlight Pinball again and select "New String" from the Edit menu with name "Group" click OK
  10. Double click Group and set to "Boot file system"
  11. Highlight Pinball again and select "New DWORD" from the Edit menu with name "Start" click OK
  12. Double click Start and set to "0x1"
  13. Highlight Pinball again and select "New DWORD" from the Edit menu with name "Type" click OK
  14. Double click Type and set to "0x2"
  15. Close the registry editor
  16. Reboot the machine

Q. How do I compress a directory?

A. Follow instructions below (this can only be done on an NTFS partition)

  1. Using Explorer or My Computer select a drive
  2. Right click on a directory and choose properties
  3. Select the "Compress" Check box and click "Apply"
  4. You will be asked if you want to compress subdirectories, click OK
  5. Click OK to exit

Q. How do I uncompress a directory?

A. Follow the same procedure above, but uncheck the compress box.


Q. Is there an NTFS defragmentation tool available?

A. There are a number available for NT that I know of.

Windows 2000 has a limited built in defragmentation tool which can be used as follows:

  1. Start the MMC (Start - Run - MMC)
  2. From the console menu select Add/Remove Snap-in
  3. Click Add
  4. Select "Disk Defragmenter" and click Add. Click Close
  5. Click OK to the main Add/Remove dialog
  6. Select the Disk Defragmenter option from Console Root
  7. Select a partition, Analyze and Defragment



Q. Can I undelete a file in NT?

A. It depends on the file system. NT has no undelete facility, however if the filesystem was FAT then boot into DOS and then use the dos undelete utility. With the NT Resource kit there is a utility called DiskProbe which allows a user to view the data on a disk, which could then be copied to another file. It is possible to search sectors for data using DiskProbe.

If the files are deleted on an NTFS partition, booting from a DOS disk and using the undelete.exe program is not possible, since DOS cannot read NTFS partitions. NTFS does not perform destructive deletes, which means the actual data is left intact on the disk (until another file is written in its place), and so a new application from Executive Software, Network Undelete, can be used to undelete files from NTFS partitions. A free 30-day version can be downloaded from http://www.networkundelete.com/.

Executive Software also have a free utility, Emergency Undelete, which can undelete locally deleted files: http://www.execsoft.com.

It is important that once any file is deleted all activity on the machine is stopped, to reduce the possibility of other files overwriting the data you want to recover.


Q. Does NT support FAT32?

A. Native NT does not support FAT32. NT Internals have released a read-only FAT32 driver for Windows NT 4.0 from http://www.sysinternals.com/fat32.htm, or a full read/write version can be purchased from http://www.winternals.com.

Windows 2000 has full FAT 32(x) support with the following conditions:

  • Pre-existing FAT32(x) partitions up to 127GB will mount and be supported under Windows 2000.
  • Windows 2000 will only allow you to create new FAT32(x) volumes of 32GB or less.

Q. Can you read an NTFS partition from DOS?

A. Not with standard DOS, however there is a product called NTFSDos which enables a user to read from a NTFS partition. The homepage for this utility is http://www.sysinternals.com.


Q. How do you delete a NTFS partition?

A. You can boot off of the three NT installation disks and follow the instructions below:

  1. Read the license agreement and press F8
  2. Select the NTFS partition you wish to delete
  3. Press L to confirm
  4. Press F3 twice to exit the NT setup

Usually a NTFS partition can be deleted using FDISK (delete non-DOS partition), however this will not work if the NTFS partition is in the extended partition.

You can delete an NTFS partition using Disk Administrator, by selecting the partition and pressing DEL (as long as it is not the system/boot partition).

There is also a utility called delpart.exe that will delete a NTFS partition from a DOS bootup.


Q. Is it possible to repartition a disk without losing data?

A. There is no standard way in NT. There is, however, a 3rd party product called Partition Magic which will repartition FAT, NTFS and FAT32, but there is a bug in the product which makes the boot partition unbootable if it is repartitioned. A fix is available for this from their web site.


Q. What is the biggest disk NT can use?

A. The simple answer to this question is that NT can view a maximum partition size of 2 terabytes (or 2,199,023,255,552 bytes), however there are limitations that restrict you well below this number.

FAT has internal limits of 4 GB due to the fact it uses 16-bit fields to store file sizes: 2^16 is 65,536, which with a cluster size of 64 KB gives us the 4 GB.

HPFS uses 32bit fields and can therefore handle greater size disks, but the largest single file size is 4GB. HPFS allocates disk space in 512 byte sectors which can cause problems in Asian markets where sector sizes are typically 1024 bytes which means HPFS cannot be used.

NTFS uses 64-bits for all sizes, leading to a max size of..... 16 exabytes!!! (18,446,744,073,709,551,616 bytes), however NT could not handle a volume this big.

For IDE drives, the maximum is 136.9 GB, however for a standard IDE drive this is constrained to 528MB. The new EIDE drives can access much larger sizes.

It is important to note that the System partition (holding ntldr, boot.ini, etc.) MUST be entirely within the first 7.8GB of any disk (if this is the same as the boot partition, this limit applies). This is due to the BIOS int 13H interface used by ntldr to bootstrap up to the point where it can drive the native HDD IDE or SCSI. int 13H presents a 24 bit parameter for cylinder/head/sector for a drive. If, say by defragmentation, the system files are moved beyond this point you will not be able to boot the system.


Q. Can I disable 8.3 name creation on a NTFS?

A. From the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, change the value NtfsDisable8dot3NameCreation from 0 to 1.

You may experience problems installing Office 97 if you disable 8.3 name creation and may have to re-enable it during the installation of the software.


Q. How can I stop NT from generating LFN's (Long File Names) on a FAT partition?

A. Using the registry editor change the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\Win31FileSystem from 0 to 1 and only 8.3 file names will be created.

The reason for not wanting the LFN's to be created is that some 3rd party disk utilities that directly manipulate FAT can destroy the LFN's. Utilities such as SCANDISK and DEFRAG that come with DOS 6.x and above do not harm LFN's.


Q. I can't create any files on the root of a FAT partition.

A. The root of a FAT drive has a coded limit of 512 entries, so if you have exceeded this you will not be able to create any more files. I don't have this many! Remember Long File Names take up more than one entry, see the next FAQ for more information, so if you have many LFN's on the root this will drastically reduce the number of files you can have.


Q. How do LFN's work?

A. Long File Names are stored using a series of linked directory entries. A LFN will use one directory entry for its alias (the alias is the 8.3 name automatically generated), and a hidden secondary directory entry for every 13 characters in its name, so if you had a 200 character long file name, this would use 17 entries!

The alias is generated using the first six characters of the LFN, then a ~ and a number for the first 4 versions of files with the same first six characters, e.g. for the file
john savills file.txt
the names generated would be johnsa~1.txt, johnsa~2.txt etc.

After the first 4 versions of a file, only the first two characters of the file name are used, and the last 6 are generated, e.g. jo0E38~1.txt
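
The linked directory entries described above, as an added example that is not part of the original FAQ: it builds and parses FAT long-file-name entries for a constructed sample, counts how many such files fit in a 512-entry root, and shows how a tool that rewrites only the 8.3 alias leaves the long name orphaned (the stored checksum no longer matches). Function names and the sample alias bytes are assumptions made for illustration; names are limited to BMP characters.

```python
import struct

ATTR_LFN = 0x0F        # attribute byte marking a long-file-name (LFN) entry
LAST_PIECE = 0x40      # flag set in the sequence byte of the final LFN piece
CHARS_PER_ENTRY = 13   # UTF-16 characters carried by one LFN entry
ROOT_ENTRIES = 512     # root directory limit quoted in the FAQ


def entries_needed(long_name):
    """LFN pieces (one per 13 characters, rounded up) plus the 8.3 alias entry."""
    return -(-len(long_name) // CHARS_PER_ENTRY) + 1


def files_fitting_in_root(long_name):
    """How many files with a name of this length fit in the FAT root directory."""
    return ROOT_ENTRIES // entries_needed(long_name)


def alias_checksum(alias11):
    """Rotate-right-and-add checksum of the 11-byte alias, copied into each LFN entry."""
    total = 0
    for byte in alias11:
        total = (((total & 1) << 7) + (total >> 1) + byte) & 0xFF
    return total


def build_entries(long_name, alias11):
    """Lay out the LFN pieces (last piece first) followed by the alias entry."""
    units = [ord(ch) for ch in long_name]            # BMP characters only
    if len(units) % CHARS_PER_ENTRY:
        units.append(0x0000)                         # terminator
        units += [0xFFFF] * (-len(units) % CHARS_PER_ENTRY)   # padding
    pieces = [units[i:i + 13] for i in range(0, len(units), 13)]
    checksum = alias_checksum(alias11)
    raw = b""
    for seq in range(len(pieces), 0, -1):
        chunk = pieces[seq - 1]
        seq_byte = seq | (LAST_PIECE if seq == len(pieces) else 0)
        raw += struct.pack("<B5HBBB6HH2H", seq_byte, *chunk[:5], ATTR_LFN, 0,
                           checksum, *chunk[5:11], 0, *chunk[11:])
    # Alias entry: 11 name bytes, attribute 0x20 (archive), remaining fields zeroed.
    return raw + alias11 + bytes([0x20]) + bytes(20)


def format_alias(alias11):
    base = alias11[:8].decode("ascii").rstrip()
    ext = alias11[8:].decode("ascii").rstrip()
    return base + ("." + ext if ext else "")


def parse_directory(raw):
    """Return [(long_name or None, alias, entries_used, checksum_ok)] per file."""
    results, pending = [], []
    for off in range(0, len(raw), 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:          # end of directory
            break
        if entry[0] == 0xE5:          # deleted entry, drop any collected pieces
            pending = []
            continue
        if entry[11] == ATTR_LFN:
            pending.append(entry)
            continue
        alias = entry[:11]
        name, ok = None, True
        if pending:
            ok = all(p[13] == alias_checksum(alias) for p in pending)
            chars = []
            for piece in reversed(pending):          # stored last piece first
                units = struct.unpack("<5H", piece[1:11]) \
                    + struct.unpack("<6H", piece[14:26]) \
                    + struct.unpack("<2H", piece[28:32])
                for unit in units:
                    if unit in (0x0000, 0xFFFF):
                        break
                    chars.append(chr(unit))
            name = "".join(chars)
        results.append((name, format_alias(alias), len(pending) + 1, ok))
        pending = []
    return results


if __name__ == "__main__":
    sample = build_entries("john savills file.txt", b"JOHNSA~1TXT")  # constructed
    print(parse_directory(sample))
    # An LFN-unaware tool renames the alias in place and leaves the LFN pieces alone.
    renamed = sample[:-32] + b"RENAMED TXT" + sample[-21:]
    print(parse_directory(renamed))
    print(entries_needed("x" * 200), files_fitting_in_root("x" * 200))
```
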


Q. How do I change access permissions on a directory?

A. You can only set access permissions on an NTFS volume. Follow the instructions below:

  1. Start Explorer (Start - Programs - Explorer).
  2. Right click on a directory and select properties
  3. Click on the Security tab
  4. Click the permissions button
  5. Enter the information required
  6. Click OK, and then click OK again to exit

Q. How can I change access permissions from the command line?

A. A utility called CACLS.EXE comes as standard with NT, and can be used from the command prompt. Read the help with the CACLS.EXE program (cacls /?). To give user john read access to a directory called files enter:
CACLS files /e /p john:r
/e is used to edit the ACL instead of replacing it, therefore other permissions on the directory will be kept. /p sets permission for user:<permission>


Q. I have a CHKDSK scheduled to start next reboot, but I want to stop it.

A. If the command chkdsk /f /r (find bad sectors, recover information from bad sectors and fix errors on the disk) is run, on the next reboot the check disk is scheduled, however you may want to cancel this check disk. To do this perform the following:

  1. Run the Registry Editor (Regedt32.exe). You must use Regedt32 and not Regedit.exe
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  3. Change the BootExecute value from:
    autocheck autochk * /r\DosDevice\<drive letter>:
    To:
    autocheck autochk *

Q. My NTFS drive is corrupt, how do I recover?

A. To restore an NTFS drive using the information below, it must have been created using Windows NT 4.0; if it was not created using NT 4.0 you should see Knowledge Base article Q121517. To restore an NTFS partition you must locate the spare copy of the boot sector and copy it to the correct position on the drive. You need the NTdiskedit utility, which is available from Microsoft Support Services. You can also use Disk Probe, which comes with the Resource Kit (instructions for Disk Probe can be found at http://support.microsoft.com/support/kb/articles/q153/9/73.asp), or Norton disk edit.

  1. Using NTdiskedit for Windows NT 4.0, on the File menu, click Open.
  2. Type the Volume Name as
    \\.\PhysicaldriveX
    (where X is the ordinal of the disk that appears in Disk Administrator)
  3. Click OK.
  4. On the Read menu, click Sectors. Select 0 for Starting Sectors and select 1 for Run Length. Click OK.
  5. On the View menu, click Partition Table. You should see a table that has four sections, Entry 0 through Entry 3. This refers to the order of partitions. If the partition in question is Partition 2 on the Disk, you need the data in Entry 1. If the Partition in question is the Partition 1 on the disk, you need the data from Entry 0 and so on.
  6. Write down the values of Starting Sector and Sectors.
    NOTE: all of the values you see will be in hexadecimal format. Do not convert to decimal.
  7. Using a Calculator (you can use the one from the Accessories group if one is available) that can add hexadecimal numbers, add the values for Starting Sector and Sectors, and subtract 1 from the sum. For example:
    Starting Sector           0x3F
    Sectors                 + 0x201C84
                              --------
                              0x201CC3
    Less 1                  - 0x1
                              --------
    Copy of NTFS bootsector = 0x201CC2
  8. On the Read menu, click Sectors. In Starting Sectors, type the value from the equation above. Type 1 in Run Length. Click OK.
    You now should be at your copy of the NTFS bootsector. Visually inspect the boot sector for completeness, NTFS header at first line, text in the lower region (for example, "A kernel file is missing from the disk"), and so forth.
  9. Click Relocate Sectors. This is the sector to which you are going to write the boot sector. This will be the value of your Starting Sector with the Run Length of 1. Click OK.
  10. Quit Ntdiskedit. Use Disk Administrator to assign a drive letter if not already assigned. Restart the computer; the file system should be recognized as NTFS.

Q. How can I delete a file without it going to the recycle bin?

A. When you delete the file, hold down the shift key.


Q. How can I change the serial number of a disk?

A. The serial number is located in the boot sector for a volume. For FAT drives it's 4 bytes starting at offset 0x27; for NTFS drives it's 8 bytes starting at offset 0x48. You'll need a sector-level editor to modify the number (like the Resource Kit's Diskprobe).
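
The sector arithmetic from the NTFS recovery answer and the serial-number offsets from the answer above, as an added example that is not part of the original FAQ: it parses the partition table, locates the spare boot sector at Starting Sector + Sectors - 1, checks it, and restores it on a copy of a small constructed disk image. Function names, the image and the serial value are assumptions for illustration; the "NTFS" OEM ID at offset 3 and the 0x55AA signature are standard boot-sector fields that the page does not mention.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE            # partition table inside sector 0 (four 16-byte entries)
NTFS_OEM_ID = b"NTFS    "    # bytes 3..10 of an NTFS boot sector
SIGNATURE = b"\x55\xaa"      # last two bytes of the MBR and of a boot sector


def parse_partition_table(mbr):
    """Return [(entry, type, starting_sector, sectors)] for the used entries 0..3."""
    if mbr[510:512] != SIGNATURE:
        raise ValueError("sector 0 has no 0x55AA signature")
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        ptype = raw[4]
        start, count = struct.unpack_from("<II", raw, 8)
        if ptype and count:
            entries.append((i, ptype, start, count))
    return entries


def backup_boot_sector_lba(start, count):
    """Step 7 of the procedure: Starting Sector + Sectors - 1."""
    return start + count - 1


def is_ntfs_boot_sector(sector):
    """The visual inspection from step 8, reduced to two fixed fields."""
    return (len(sector) == SECTOR and sector[3:11] == NTFS_OEM_ID
            and sector[510:512] == SIGNATURE)


def volume_serial(sector):
    """Serial number at the FAQ's offsets: NTFS 8 bytes at 0x48, FAT 4 bytes at 0x27."""
    if sector[3:11] == NTFS_OEM_ID:
        return struct.unpack_from("<Q", sector, 0x48)[0]
    return struct.unpack_from("<I", sector, 0x27)[0]


def read_sector(image, lba):
    return bytes(image[lba * SECTOR:(lba + 1) * SECTOR])


def restore_boot_sector(image, entry):
    """Return a repaired copy of the image; the input image is never modified."""
    table = {i: (start, count)
             for i, _ptype, start, count in parse_partition_table(image[:SECTOR])}
    start, count = table[entry]
    backup_lba = backup_boot_sector_lba(start, count)
    backup = read_sector(image, backup_lba)
    if not is_ntfs_boot_sector(backup):
        raise ValueError("sector 0x%X is not an intact NTFS boot sector" % backup_lba)
    repaired = bytearray(image)
    repaired[start * SECTOR:(start + 1) * SECTOR] = backup
    return bytes(repaired)


def make_sample_image(start=0x3F, count=0x20, serial=0x1122334455667788):
    """Constructed image: MBR, zeroed (damaged) primary boot sector, intact spare."""
    image = bytearray((start + count) * SECTOR)
    struct.pack_into("<B3sB3sII", image, PT_OFFSET,
                     0x80, b"\0\0\0", 0x07, b"\0\0\0", start, count)
    image[510:512] = SIGNATURE
    boot = bytearray(SECTOR)
    boot[3:11] = NTFS_OEM_ID
    struct.pack_into("<Q", boot, 0x48, serial)
    boot[510:512] = SIGNATURE
    lba = backup_boot_sector_lba(start, count)
    image[lba * SECTOR:(lba + 1) * SECTOR] = boot
    return bytes(image)


if __name__ == "__main__":
    print(hex(backup_boot_sector_lba(0x3F, 0x201C84)))   # the FAQ's worked figures
    image = make_sample_image()
    for entry, ptype, start, count in parse_partition_table(image[:SECTOR]):
        print("Entry %d type 0x%02X start 0x%X sectors 0x%X" % (entry, ptype, start, count))
    repaired = restore_boot_sector(image, 0)
    print("serial: %016X" % volume_serial(read_sector(repaired, 0x3F)))
```
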


Q. How can I backup the Master Boot Record?

A. The Master Boot Record on the hard disk used to start the computer (the system partition) is the most critical sector, so make sure this is the sector you back up. The boot partition is also very important (where %systemroot% resides). You need the DiskProbe utility that comes with the Resource Kit.

  1. Start DiskProbe
  2. From Drives, click Physical Drive, and click on the drive that is the system partition (from the Open Physical Drive dialog)
  3. The disk clicked will be displayed in the Handle 0 section. Click "Set Active" and then click Close
  4. From the sectors menu click Read. Accept the default sectors of "Starting Sector" 0, and "Number of Sectors" 1.
  5. From the File menu click "Save As" and enter a file name.

Q. How do I restore the Master Boot Record?

A. Follow the instructions below, however be very careful!!!

  1. Start DiskProbe
  2. From "File" click "Open" and select the file that the information was saved as
  3. From drives click Physical Drive and click the disk you want to replace the boot partition on
  4. In the Handle 0 box, clear the Read Only box and click "Set Active", then click Close
  5. From the sectors menu click write and set the starting sector to 0, and click "Write it"
  6. Verify and close DiskProbe
  7. Keep your fingers crossed :-)

Q. What CD-ROM file systems can NT read?

A. NT's primary file system is CDFS, a read-only file system; however, it can read any file system that is ISO9660 compliant.


Q. How do I disable 8.3 name creation on VFAT?

A. Start the registry editor (regedit.exe) and set the value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\Win95TruncatedExtensions to 0.


Q. How do I create a Volume Set?

A. A volume set allows you to take all the unused space on one or more drives (up to 32 drives per volume set) and combine it into a single, large, system recognizable drive. To create a volume set:

  1. Logon as an Administrator and start Disk Administrator (Start - Programs - Administrative Tools - Disk Administrator).
  2. Click on the first free area of disk space, then hold down the Ctrl key and select all the other areas of unpartitioned space.
  3. Once all the parts are selected, from the Partition menu select "Create Volume Set".
  4. A dialog box will be displayed and you can choose the size of the partition to be created. Click OK
  5. Once created the areas that are part of a Volume Set will be shown in yellow.
  6. Close Disk Administrator (or select Commit Changes Now)
  7. A confirmation dialog box will be displayed, confirm and a reboot will be required.
  8. Once the reboot has completed you can now format the volume. You should really format the Volume NTFS, as DOS and Windows95 clients will not be able to read it anyway!

The main problem with volume sets is that if one drive in the volume set fails, the entire volume set becomes unavailable.


Q. How do I extend a Volume Set?

A. Extending a volume set is very simple, however a reboot will be required

  1. Start Disk Administrator (Start - Programs - Administrative Tools - Disk Administrator)
  2. Click on the existing Volume Set and hold down the Ctrl key
  3. Click on the area (or areas) of free space to be added (a black border will be shown around them)
  4. Choose "Extend Volume Set" from the Partition menu, or right click on one of the selected areas and this option will be shown.
  5. A dialog box will be shown asking how large the drive should be. Click OK
  6. From the Partition menu, select "Commit changes now"
  7. Answer the further dialogs and reboot the server.

The reboot will take longer than normal as the new area added has to be formatted to the same file system as the rest of the volume set.

Note: Only NTFS Volume Sets can be extended.


Q. How do I delete a Volume Set?

A. When you delete a volume set all the data stored will be lost. To delete a volume set:

  1. Start Disk Administrator
  2. Click on part of the volume set
  3. Select Delete from the Partition menu
  4. Click Yes on the dialog box

Q. What is the maximum number of characters a file can be?

A. This depends on whether the file is being created on a FAT or NTFS partition. The maximum file name length on an NTFS partition is 256 characters, and 11 characters on FAT (8 character name, ., 3 character extension). NTFS filenames keep their case, whereas FAT filenames have no concept of case (however, case is ignored on NTFS when performing a search etc.). There is also the new VFAT, which also has 256 character filenames.

NTFS filenames can contain any characters, including spaces, uppercase/lowercase except for the following

" * : / \ ? < > |

which are reserved for NT, however the file name must start with a letter or number.

VFAT filenames can also contain any characters except for the following

/ \ : | = ? " ; [ ] , ^

and once again the file name must start with a letter or number.

NTFS and VFAT also create an 8.3 format file name, see Q. How do LFN's work?


Q. How can I stop chkdsk at boot time from checking volume x?

A. When NT boots it performs a check on all volumes to see if the dirty bit is set, and if it is a full chkdsk /f is run. To stop NT performing this dirty bit check you can exclude certain drives. The reason you may want to do this is for some type of removable drive, e.g. Iomega drives:

  1. Run the Registry Editor (Regedt32.exe). You must use Regedt32.exe and not Regedit.exe
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  3. Change the BootExecute value from:
    autocheck autochk *
    to:
    autocheck autochk /k:x *

Where x is the drive letter, e.g. if you wanted to stop the check on drive f: you would type autocheck autochk /k:f *. To stop the check on multiple volumes just enter the drive letters one after another, e.g. to stop the check on e: and g: use autocheck autochk /k:eg *. You do not retype the /k each time.

If you are using NT 4.0 with Service Pack 2 or above, you can also use the CHKNTFS.EXE command which is also used to exclude drives from the check and updates the registry for you. The usage to disable a drive is

chkntfs /x <drive letter>:
e.g. chkntfs /x f: would exclude the check of drive f:

To set the system back to checking all drives just type

chkntfs /d


Q. How can I compress files/directories from the command line?

A. A utility is supplied with the resource kit called compact.exe which can be used to view and change the compression characteristics of a file/directory.


Q. What protections can be set on files/directories on a NTFS partition?

A. When you right click on a file in Explorer and select properties (or select Properties from the File menu) you are presented with a dialog box telling you information such as size, ownership etc. If the file/directory is on a NTFS partition there will be a security tab, and within that dialog, a permissions button. If you press that button you can grant access to users/groups on the resource at various levels.

There are six basic permissions

  • R - Read
  • W - Write
  • D - Delete
  • X - Execute
  • P - Change Permissions
  • O - Take Ownership

These can be assigned to a resource, however they are grouped for ease of use

  • No Access - User has no access to the resource
  • List - R User can view directory and filenames in directory
  • Read - RX User can read files in directory and execute programs
  • Add - WX User can add files to the directory, but cannot read or change the contents of the directory
  • Add & Read - RWX User has read and add permissions
  • Change - RWXD User has read, add, change contents and delete files
  • All - RWXDPO User can do anything she wants!

The permissions above can all be set on a directory, however this list is limited for a file, and permissions that can be set are only No Access, Read, Change and Full Control.

Another permission exists called "Special Access" (on a directory there will be two, one for files, one for directories), and from this you can set which of the basic permissions should be assigned.


Q. How can I take ownership of files?

A. Sometimes you may want to take ownership of files/directories, usually because someone has removed all access on a resource and can't see it. You would log on as the Administrator and take ownership. You cannot give ownership to someone else using standard NT functionality, only take ownership.

  1. Log on as Administrator or a member of the Admins group
  2. Start Explorer
  3. Right click on the file/directory and select properties
  4. Select the Security tab and click Ownership
  5. Click "Take Ownership" and then click Yes to the prompt

Q. How can I view the permissions a user has on a file from the command line?

A. A utility is supplied with the resource kit called perms.exe which can be used to view permissions on files/directories. The usage is

perms <domain>\<user> <file>
e.g. perms savilltech\savillj d:\file\john\file.dat

You can add /s to also show details of sub files/directories. The permissions shown equate to

R Read
W Write
X Execute
D Delete
P Change Permission
O Take Ownership
A All
None No Access
* User is the owner
# A group the user is a member of owns the file
? Permissions cannot be determined

To output to a file just add > filename.txt at the end, e.g.

perms <user> <file> > file.txt


Q. How can I tell the total amount of space used by a folder (including sub folders)?

A. There are two ways of doing this (there are more!), one using explorer and one from the command line. Using Explorer

  1. Start Explorer (Win key + E or Start - Programs - Explorer)
  2. Right click on the required folder and select properties
  3. Under the General tab a size will be displayed and this is the total size of the folder and all sub-folders and their contents.

From the command line you can just use the dir command with /s qualifier which also lists all sub-directories, e.g.
dir/s d:\savilltechhomepage
would list all files/folders in the savilltechhomepage directory and at the end the total size.


Q. There are files beginning with $ at the root of my NTFS drive, can I delete them?

A. NO!!! These files hold the information of your NTFS volume. Below is a table of all the files used by the file system:

$MFT       Master File Table
$MFTMIRR   A copy of the first 16 records of the MFT
$LOGFILE   Log of changes made to the volume
$VOLUME    Information about the volume, serial number, creation time, dirty flag
$ATTRDEF   Attribute definitions
$BITMAP    Contains drive cluster map
$BOOT      Boot record of the drive
$BADCLUS   A list of bad clusters on the drive
$QUOTA     Quota information (used on NTFS 5.0)
$UPCASE    Maps lowercase characters to uppercase version

If you want to have a look at any of these files use the command

dir /ah $mft

It's basically impossible to delete these files anyway, as you can't remove the hidden flag, and if you can't remove the hidden flag you can't delete the file!


Q. What file system do Iomega ZIP disks use?

A. By default, the formatted ZIP disks are FAT, however you can format these with NTFS if you want. NTFS has a higher overhead than FAT on small volumes (an initial 2MB) which is why you don't have NTFS on 1.44 floppy disks.


Q. What cluster size does a FAT/NTFS partition use?

A. The default cluster size for a FAT partition is as follows:

Partition size   Sectors per cluster   Cluster size
<32MB            1                     512 bytes
<64MB            2                     1K
<128MB           4                     2K
<255MB           8                     4K
<511MB           16                    8K
<1023MB          32                    16K
<2047MB          64                    32K
<4095MB          128                   64K

This is why FAT volumes larger than 511MB are not recommended: cluster sizes of 16KB and above can potentially waste a large amount of space.

The default for NTFS is as follows:

Partition size   Sectors per cluster   Cluster size
<512MB           1                     512 bytes (or hardware sector size if greater than 512 bytes)
<1024MB          2                     1K
<2048MB          4                     2K
<4096MB          8                     4K
<8192MB          16                    8K
<16384MB         32                    16K
<32768MB         64                    32K
>32768MB         128                   64K

NTFS better balances the trade-off between disk fragmentation due to a smaller cluster size and wasted space due to a large cluster size.

When formatting a drive you can change the cluster size using the /a:<size> switch, e.g.

format d: /a:1024 /fs:ntfs


Q. How much free space do I need to convert a FAT partition to NTFS?

A. The calculation below can be used for disks of a standard 512 bytes per sector:

  • Take the size of the partition and divide by 100. If this is less than 1,048,576 use 1,048,576, if greater than 4,194,304 use 4,194,304
  • Add to the number calculated above the size of the partition divided by 803
  • Add to the number calculated the total number of files and directories multiplied by 1280. You can work out the total number of files and directories using the dir /s command at the base of the partition, e.g.
    dir /s d:\
    Total Files Listed:
    3397 File(s)
    300,860,372 bytes
  • Add to the above 196096

To summarize:

Free space needed = (<size of partition in bytes>/100, kept between 1,048,576 and 4,194,304) + (<size of partition in bytes>/803) + (<no of files & directories> * 1280) + 196096

For more information see Knowledge Base article Q156560 at http://support.microsoft.com/support/kb/articles/q156/5/60.asp


Q. NT becomes unresponsive during an NTFS disk operation such as a dir.

A. When you perform a large NTFS disk operation such as a dir/s *.* or a ntbackup :\*.*, NT can sometimes become unresponsive. NT updates NTFS files with a last access stamp, and when viewing thousands of files the NTFS log file can become full and wait to be flushed to the hard disk, which can cause NT to become unresponsive. To stop NTFS updating the last access stamp perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  3. From the Edit menu select New - DWORD value
  4. Enter a name of NtfsDisableLastAccessUpdate and click OK
  5. Double click the new value and set to 1. Click OK
  6. Close the registry editor
  7. Reboot the machine

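This should improve the performance of your NTFS partitions. Be aware that with this value set the last access stamp on files is no longer updated, so it can no longer be used to tell when a file was last read.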

Below is an example of a .reg file that can be used to automate this:

REGEDIT4
;
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:1


Q. I have missing space on my NTFS partitions (Alternate Data Streams).

A. It's possible to hide data from both Explorer and the dir command within an NTFS file; you cannot see it unless you know its stream name. NTFS allows multiple streams to a file in the form of <filename>:<stream name>. You can try it:

  1. Start a console window (cmd.exe)
  2. Run "notepad normal.txt" and enter some text and save. This has to be on an NTFS partition
  3. Now edit the file again but this time with a different stream "notepad normal.txt:hidden". You will be prompted to create a new file. Enter some text and save
  4. Perform a dir and you will still see only normal.txt with its original size.

You can have as many streams as you want. If you copy a file it keeps the streams, so after copying normal.txt to john.txt, john.txt:hidden would exist. You cannot use streams from the command prompt as it does not allow : in file names except for drive letters.

Microsoft provide no way of detecting or deleting these streams. The two ways to delete are

  • Copy the file to a FAT partition and back again
  • Run the following commands:
    ren <file> temp.exe
    cat temp.exe > <file>
    del temp.exe

One application I have found to detect alternate data streams is by Frank Heyne and can be downloaded from http://www.heysoft.de/nt/ep-lads.htm.

Alternatively you can use Lizp which is downloadable from http://www.lizp.com. I have not used it in earnest, however what I have seen looks very good. An example use would be

[Image: Lizp NT use]

It's also possible to write a function to enumerate every altstream in every file matching c:\winnt\*. To do this, let's define a function, we'll call it las, and it'll take one argument, the wild path. Then we could type
(las 'c:\winnt\*)
and we'd get what we wanted.

Here's such a function definition:

(sequence
  (define
    (las Dir)
    (filter
      '(lambda
         (o)
         (cdr o) )
      (mapcar
        '(lambda
           (FileInfo)
           (if
             (getfilesize
               (car FileInfo) )
             (cons
               (car FileInfo)
               (getaltstreams
                 (car FileInfo) ) )
             (cons nil nil) ) )
        (dirlist Dir) ) ) )
  '(Enhanced with las) )

Even though you could type all this in at the prompt, on one long line, it's easier to save the code above to a file. Let's call the file las.lzp.

Now, from the Lizp prompt, you could type

(eval (load 'las.lzp))

and voila, you'll have a new function, las. Now try the thing above:

(las 'c:\winnt\*)

Suppose we think our Lizp should have this functionality always. Then type

(Compile (load 'las.lzp) 'Lizp_with_las.exe true)

and we'll have a new version of Lizp, called Lizp_with_las.exe.

Finally, suppose we wanted a GUI application which asked us for the wild path, and then displayed the alternate streams in a window. Save the following lines to a file, let's call it las_gui.lzp:

(local
  (Result)
  (setq Result
    (las
      (inputbox
        '((Wild path to check for Alt Streams)) ) ) )
  (messagebox
    (if Result Result
      '((No Alt Streams found in path.)) ) )
  (exit) )

Now, from Lizp_with_las' prompt, type

(Compile (load 'las_gui.lzp) 'Las.exe nil)

and you'll have a new program, Las.exe, doing what we want. Note the last argument to the Compile function: the first time we compiled, we used "true", this last time we used "nil". This is because the first time we wanted the new program to create a console when run (because it was going to be our new Lizp interpreter). The second time we don't need a console.

Another way to delete these streams is to edit them in notepad and delete all the text. When you quit notepad NT tells you that the file is empty and will be deleted and you only have to confirm.

If you want to write your own programs to detect streams have a look at

Basically the only reliable way of handling streams is to use the BackupRead() function. The only "problem" is that BackupRead() requires SeRestorePrivilege/SeBackupPrivilege rights which most users will not have.

What BackupRead() actually does is turn a file and its associated metadata (extended attributes, security data, alternate streams, links) into a stream of bytes. BackupWrite() converts it back.
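
The byte stream that BackupRead() produces can be walked header by header to list a file's alternate data streams. The following is an added example, not code from the original FAQ: it assumes the WIN32_STREAM_ID header layout from the Win32 SDK, runs over a constructed sample buffer rather than a live BackupRead() call, and its function names are this example's own.

```python
import struct

# Stream type IDs used in the WIN32_STREAM_ID header (values from the Win32 SDK).
BACKUP_DATA = 1            # the normal, unnamed data stream
BACKUP_EA_DATA = 2         # extended attributes
BACKUP_SECURITY_DATA = 3   # security data
BACKUP_ALTERNATE_DATA = 4  # a named alternate data stream
BACKUP_LINK = 5            # link information

# dwStreamId, dwStreamAttributes, Size (64-bit), dwStreamNameSize (in bytes)
HEADER = struct.Struct("<IIqI")


def parse_backup_stream(blob):
    """Return one dict per stream found in a BackupRead() byte stream."""
    streams = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError("truncated header at offset %d" % offset)
        stream_id, attributes, size, name_size = HEADER.unpack_from(blob, offset)
        offset += HEADER.size
        # The name is UTF-16LE, so its byte length must be even, and both the
        # name and the payload must fit inside what was captured.
        if size < 0 or name_size % 2 or offset + name_size + size > len(blob):
            raise ValueError("inconsistent sizes in header before offset %d" % offset)
        name = blob[offset:offset + name_size].decode("utf-16-le")
        offset += name_size
        streams.append({"id": stream_id, "attributes": attributes, "name": name,
                        "size": size, "data": blob[offset:offset + size]})
        offset += size
    return streams


def alternate_streams(blob):
    """List (stream name, size) for every alternate data stream in the blob."""
    return [(s["name"], s["size"]) for s in parse_backup_stream(blob)
            if s["id"] == BACKUP_ALTERNATE_DATA]


def pack_stream(stream_id, name, data):
    """Build one header + name + payload record (used only for the sample)."""
    raw_name = name.encode("utf-16-le")
    return HEADER.pack(stream_id, 0, len(data), len(raw_name)) + raw_name + data


# Constructed sample: what a backup of normal.txt from the steps above could
# look like, with its visible text, security data and the "hidden" stream.
SAMPLE = (pack_stream(BACKUP_DATA, "", b"visible text")
          + pack_stream(BACKUP_SECURITY_DATA, "", b"\x01\x00\x04\x80")
          + pack_stream(BACKUP_ALTERNATE_DATA, ":hidden:$DATA", b"secret text"))

if __name__ == "__main__":
    for name, size in alternate_streams(SAMPLE):
        print("normal.txt%s  %d bytes" % (name, size))
```
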


Q. How can I change the Volume ID of a disk?

A. Windows NT provides functionality to change the volume name of a disk by using the command

label <drive>: <label name>

Windows NT does not provide built-in functionality to change Volume IDs, however NT Internals has produced a free utility that can be downloaded from http://www.sysinternals.com/misc.htm called VolumeID which can change the volume ID of a FAT or NTFS volume. To view a drive's current Volume ID you can just perform a dir <drive>: and the volume serial number is shown on the second line down, e.g.

Volume in drive E is system
Volume Serial Number is BC09-8AE4

To change enter the command

volumeid <drive letter>: xxxx-xxxx


Q. How do I read NTFS 5.0 partitions from Windows NT 4.0?

A. Service Pack 4 includes a read/write driver for NTFS 5.0 volumes (an updated ntfs.sys driver). More details will follow once Service Pack 4 is released; the non-disclosure agreement limits me from saying any more.


Q. How do share and file system protections interact?

A. In general when you have protections on a share or on a file/directory the privileges are added, for example if user John was a member of 2 groups, one with read access and another with change, the user would have read and change access. The exception to this is if a group has "no access", which means no matter what other group memberships there are, any user in that group will have no access.

The opposite is true when protections are set on the file system and on the share where the most restrictive policy is enforced, e.g. if the file has full control set for a user and the share only has read then the user will be limited to read-only privileges, likewise if the file had only read-only but the share had full the user would still be limited to read-only.

Share protections are only used when the file system is accessed through a network connection, if the user is using the partition locally then the share protections will be ignored.
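
The rules above can be expressed as a small calculation. This is an added example, not from the original FAQ: the user and group names are constructed, the letter sets for Read, Change and Full Control follow the permission groupings listed earlier in this FAQ, and treating a user's own entry the same way as a group entry is an assumption of the example.

```python
# Basic permissions use the FAQ's letters: R W X D P O.
LEVELS = {
    "No Access": None,                   # overrides every other grant
    "Read": frozenset("RX"),
    "Change": frozenset("RWXD"),
    "Full Control": frozenset("RWXDPO"),
}


def combined_rights(acl, principals):
    """Add up what one ACL grants to a user's own account and groups.

    acl maps a user or group name to a level name; principals is the user's
    account name plus every group the user belongs to.
    """
    rights = set()
    for principal in principals:
        if principal not in acl:
            continue
        level = LEVELS[acl[principal]]
        if level is None:
            return frozenset()           # "No Access" wins over everything
        rights |= level
    return frozenset(rights)


def effective_rights(file_acl, share_acl, principals, over_network=True):
    """Apply the most restrictive of file and share rights for network access."""
    file_rights = combined_rights(file_acl, principals)
    if not over_network:
        return file_rights               # share protections are ignored locally
    return file_rights & combined_rights(share_acl, principals)


def as_letters(rights):
    """Render a set of rights in the FAQ's R W X D P O order."""
    return "".join(letter for letter in "RWXDPO" if letter in rights)


if __name__ == "__main__":
    # Constructed sample: John and the groups he belongs to.
    john = ["John", "Sales", "Staff", "Everyone"]
    file_acl = {"Sales": "Read", "Staff": "Change"}
    share_acl = {"Everyone": "Read"}
    print("file only :", as_letters(combined_rights(file_acl, john)))
    print("via share :", as_letters(effective_rights(file_acl, share_acl, john)))
    print("local     :", as_letters(effective_rights(file_acl, share_acl, john,
                                                     over_network=False)))
```
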


Q. How can I backup/restore my Master Boot Record?

A. The Windows NT Resource kit supplies a utility DISKSAVE.EXE which enables a binary image of the Master Boot Record (MBR) or Boot Sector to be saved.

DISKSAVE has to be run from DOS and so you will need to create a bootable DOS disk and copy DISKSAVE.EXE to the disk. To create a DOS bootable disk just use the command

C:\> format a: /s

from a DOS machine (do not do it from a Windows NT command session).

Once you boot with the disk you will have a number of options:

F2 - Backup the Master Boot Record - This function will prompt for a path and filename to save the MBR image to. The path and filename are limited to 64 characters. The resulting file will be a binary image of the sector and will be 512 bytes in size. The MBR is always located at Cylinder 0, Side 0, Sector 1 of the boot disk.

F3 - Restore Master Boot Record - This function will prompt for a path and filename for the previously saved Master Boot Record file. The only error checking is for the file size (must be 512 bytes). Copying an incorrect file to the MBR will permanently destroy the partition table information. In addition, the machine will not boot without a valid MBR. The Path/filename is limited to 64 characters.

F4 - Backup the Boot Sector - This function will prompt for a path and filename to save the Boot Sector image to. The path and filename are limited to 64 characters. The resulting file will be a binary image of the sector and will be 512 bytes in size. The function opens the partition table, searches for an active partition, then jumps to the starting location of that partition. The sector at that location is then saved under the filename the user entered. There are no checks to determine if the sector is a valid boot sector.

F5 - Restore Boot Sector - This function will prompt for a path and filename for the previously saved Boot Sector file. The only error checking is for the file size (must be 512 bytes). Copying an incorrect file to the Boot Sector will permanently destroy Boot Sector information. In addition, the machine will not boot without a valid Boot Sector. The Path/filename is limited to 64 characters.

F6 - Disable FT on the Boot Drive - This function may be useful when Windows NT will not boot from a mirrored system drive. The function looks for the bootable (marked active) partition. It then checks to see if the SystemType byte has the high bit set. Windows NT sets the high bit of the SystemType byte if the partition is a member of a Fault Tolerant set. Disabling this bit has the same effect as breaking the mirror. There is no provision for re-enabling the bit once it has been disabled.
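
Because DISKSAVE only checks that a restore file is 512 bytes, it is worth inspecting a saved image before using F3. The following is an added example, not part of the Resource Kit or the original FAQ: it assumes the standard MBR layout (partition table at offset 446, 55 AA signature in the last two bytes), and the sample image and function names are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446   # the four 16-byte partition entries start here
# boot flag, CHS start, SystemType, CHS end, first sector (LBA), sector count
ENTRY = struct.Struct("<B3sB3sII")


def inspect_mbr_image(image):
    """Return (problems, partitions) for a saved boot-disk MBR image."""
    if len(image) != SECTOR_SIZE:
        return ["image is %d bytes, expected %d" % (len(image), SECTOR_SIZE)], []
    problems = []
    partitions = []
    if image[510:512] != b"\x55\xaa":
        problems.append("missing 55 AA signature in the last two bytes")
    for index in range(4):
        boot, _, system_type, _, first, count = ENTRY.unpack_from(
            image, TABLE_OFFSET + index * ENTRY.size)
        if system_type == 0:
            continue  # unused table slot
        if boot not in (0x00, 0x80):
            problems.append("entry %d: invalid boot flag 0x%02X" % (index, boot))
        if count == 0:
            problems.append("entry %d: zero-length partition" % index)
        partitions.append({
            "index": index,
            "active": boot == 0x80,
            # High bit of SystemType: set by NT for Fault Tolerant set members.
            "ft_member": bool(system_type & 0x80),
            "base_type": system_type & 0x7F,
            "first_sector": first,
            "sectors": count,
        })
    # A boot disk needs exactly one partition marked active.
    active = [p for p in partitions if p["active"]]
    if len(active) != 1:
        problems.append("%d active partitions, expected exactly 1" % len(active))
    # Entries whose sector ranges overlap point to a damaged or wrong table.
    ordered = sorted(partitions, key=lambda p: p["first_sector"])
    for a, b in zip(ordered, ordered[1:]):
        if a["first_sector"] + a["sectors"] > b["first_sector"]:
            problems.append("entries %d and %d overlap" % (a["index"], b["index"]))
    return problems, partitions


def build_sample_mbr():
    """Constructed sample: one active NTFS partition plus an FT set member."""
    image = bytearray(SECTOR_SIZE)
    ENTRY.pack_into(image, TABLE_OFFSET, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 1000)
    ENTRY.pack_into(image, TABLE_OFFSET + 16, 0x00, b"\0\0\0", 0x87, b"\0\0\0", 1063, 2000)
    image[510:512] = b"\x55\xaa"
    return bytes(image)


if __name__ == "__main__":
    found, table = inspect_mbr_image(build_sample_mbr())
    for entry in table:
        print(entry)
    print("problems:", found or "none")
    # A 512-byte file of zeros passes a size-only check but not this one.
    print("all-zero file:", inspect_mbr_image(bytes(SECTOR_SIZE))[0])
```
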


Q. How do I convert an NTFS partition to NTFS 5.0? - NT 5.0 only

A. Windows NT 5.0 introduces NTFS 5.0 which enables a number of new features. By default when you install Windows NT 5.0 it will automatically convert any NTFS 4.0 partitions to NTFS 5.0 (however this may change).

Service Pack 4 has an updated NTFS.SYS which can read NTFS 5.0 partitions so apply this to any systems that need to read Windows 2000 NTFS 5.0 partitions.

To check the version of an NTFS partition use the CHKNTFS.EXE utility.

C:\> chkntfs <drive>:
The type of the file system is NTFS 5.0.
or
The type of the file system is NTFS 4.0
<drive>: is not dirty

If the file system is not NTFS 5.0 and you want to upgrade it use the command

C:\> chkntfs /e <drive>:

The machine will need to be rebooted for the upgrade to take place.


Q. I cannot compress files on an NTFS partition.

A. If when you try and compress files on an NTFS partition using Explorer (right click on a file/directory, select properties and check the compress box) the option is not available or when you try from the command prompt using the command:

C:\> compact /c ntfaq.txt /s

you get the error

"The file system does not support compression"

the cause is normally that the cluster size of the NTFS partition is greater than 4096. To check the cluster size of your NTFS partition use the CHKDSK command, e.g.

C:\> chkdsk <disk>: /i /c

The /i /c are used to speed up the chkdsk and at the end of the display it will tell you the bytes in each allocation unit:

2048 bytes in each allocation unit.
1012032 total allocation units on disk.
572750 allocation units available on disk.

If this number is greater than 4096 you will need to backup all the data on the disk and then reformat the partition using any of the following methods:

  • Start Explorer, make sure the partition is not being used, right click on the partition and select format. Set the allocation unit size to 4,096 or less
  • Start Disk Administrator (Start - Programs - Administrative Tools - Disk Administrator), right click on the partition, select format and again set the unit size to 4,096 or less
  • Format from the command prompt
    C:\> format <drive>: /fs:ntfs /a:4096

Once reformatted you can then restore your backed up data.

To understand more about the 4,096 limit please read Knowledge base article Q171892 at http://support.microsoft.com/support/kb/articles/q171/8/92.asp


Q. How can I modify the CHKDSK timer?

A. Service Pack 4 introduces a new feature: before a chkdsk is performed on a disk whose dirty bit is set, a 30 second countdown timer is shown, allowing you to cancel the chkdsk before it runs.

If you want to modify this 30 second value perform the following:

  1. Start the registry editor
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  3. From the Edit menu select New - DWORD Value. Enter a name of AutoChkTimeOut and press ENTER
  4. Double click this new value and set to 0 to disable the timer, or the time in seconds you wish to be given to cancel the chkdsk.
  5. Close the registry editor

The change will take effect at the next reboot


Q. How can I view the current owner of a file?

A. The normal method would be to right click on the file in Explorer, select Properties, click the Security tab and click Ownership. This will then show the current owner and give the option to take ownership.

To view from the command line you can use the SUBINACL.EXE utility that is shipped with the Windows NT Resource Kit Supplement 2. To view the current owner use as follows:

C:\> subinacl /file <file name>
//++++
// D:\Documents\<file name>
//----
+ Owner = builtin\administrators
+ Primary Group= lnautd0001\domain users
+ System ACE count =0
+ Disc. ACE count =1
lnautd0001\saviljo ACCESS_ALLOWED_ACE_TYPE FILE_ALL_ACCESS

You could perform on *.* to list owners for all files in all subdirectories (no need for any /s switch).


Q. How can I view/defrag pagefile fragmentation?

A. System Internals has released PageDefrag, a free utility that shows fragmentation in the pagefile and then offers the option of defragmentation at boot time.

The utility can be downloaded from http://www.sysinternals.com/pagedfrg.htm. Once you download just unzip the file and run pagedfrg.exe. Below is a sample output.

[Image: Pagedfrg.exe]

I understand that Executive Software's Diskeeper 4.0 can also defragment pagefiles however I have not seen it in action (http://www.diskeeper.com).


Q. I get a disk maintenance message during setup.

A. If during setup you get the message:

Setup has performed maintenance on your hard disk(s) that requires a reboot to take effect. You must reboot and restart Setup to continue.

Press F3 to reboot.

This is returned when the Autochk part of the installation was able to repair the partition, but will require a reboot.

For a FAT partition, this could include: corruption of extended attributes was fixed, the dirty bit was cleared, an orphaned long filename entry was fixed (or any other fixing of LFNs), a directory entry was fixed, crosslinked files were fixed, a non-unique filename was made unique, or any other structural issue at all was fixed. There will of course be other specific "fixing steps" that would cause this for NTFS, or other non-file system specific structures.

In short this is not a problem as long as the setup does not get stuck in a loop that keeps running this stage.


Q. Where is Disk Administrator in Windows 2000? - Windows 2000 only

A. As with every other Administration tool in Windows 2000, Disk Administrator has been replaced with a Microsoft Management Console (MMC) snap-in.

By default it is accessible via the Computer Management MMC snap-in

  1. Start the Computer Management MMC (Start - Programs - Administrative Tools - Computer Management)
  2. Select the Storage branch
  3. Select Disk Management
  4. Should look familiar

[Image: Disk Management MMC]

Alternatively create your own MMC console

  1. Start the MMC (Start - Run - MMC)
  2. Select "Add/Remove Snap-in" from the Console menu
  3. Click Add
  4. Select Disk Management and click Add
  5. Select Local Computer and click Finish
  6. Click Close
  7. Click OK to the main dialog

You now have your own MMC with just the Disk Management. You could save by selecting "Save As" from the Console menu, enter "Disk Admin" as the name and click Save. You will now see under the Programs menu a new folder, My Administrative Tools with Disk Admin as a MMC snap-in.


Q. How do I convert a basic disk to dynamic? - Windows 2000 only

A. Windows 2000 introduces the idea of a dynamic disk needed for fault tolerant configurations. To convert perform the following:

  1. Start Computer Management
  2. Expand Storage - Disk Management.
  3. Right click on the disk and select 'Upgrade to Dynamic Disk'
  4. Select the disks to upgrade and click OK
  5. A summary will be displayed.
  6. Click Upgrade
  7. Click Yes to the confirmation

Converting Basic disks to Dynamic disks doesn't require a reboot - however any volumes contained on them after the conversion will generate a popup that basically says a reboot is necessary before the volumes can be used. I generally say NO, do not reboot, until all the volumes are identified and all the popups go away, then perform a single reboot.

When you upgrade from basic to dynamic any existing partitions become simple volumes. Any existing mirrored, striped or spanned volumes sets created with NT 4.0 become dynamic mirrored, striped or spanned volumes respectively.

If you get a message that says you are out of space then you may not have enough unallocated free space at the end of the disk for the private region database that Dynamic disks use to keep volume information. To be Dynamic it needs about 1 MB of this space; sometimes the space is not visible to the user in the GUI but it is still there.

You may not have the space if the partition(s) on the disk take up the entire disk and were created with Setup, an earlier version of NT or another OS. If partitions are created within Windows 2000 the space is reserved, partitions created with Setup will reserve the space in a later release.

To undo this conversion run Dmunroot.exe which will revert boot and system partition back to basic but all other volumes will be destroyed. Alternatively you should backup any data on the disk you wish to preserve, then delete all partitions - that should activate the menu choice "Revert to Basic Disk", the entire disk HAS to be unallocated or free space.


Q. How do I delete a volume in Windows 2000?

A. To delete a volume just perform the following, be warned you will lose any data on these volumes.

  1. Start the Computer Management MMC (Start - Programs - Administrative Tools - Computer Management)
  2. Expand the Storage branch and select 'Disk Management'
  3. Right click on the volume to be deleted and select 'Delete Volume..' from the context menu shown
  4. Click Yes to the confirmation

Q. How do I import a foreign volume in Windows 2000?

A. If you take a disk from another machine and place in a Windows 2000 box it will be shown as foreign and its partitions not available, however its partition information can be imported and volumes used. Any volumes that were part of a set will be deleted during the import phase unless the whole set of disks are imported.

  1. Start the Computer Management MMC (Start - Programs - Administrative Tools - Computer Management)
  2. Expand the Storage branch and select 'Disk Management'
  3. Right click on the volume to be imported and select 'Import Foreign Disks..' from the context menu shown
    [Image: Import foreign]
  4. Click OK to the displayed dialog of the disk to import. If you imported multiple disks they will be grouped by the computer they were moved from and can be selected by clicking the 'Select Disk' button. If the disks imported are not dynamic they will all be imported regardless of your choices.
  5. A dialog will be shown showing the volumes to import. Click OK
    [Image: List of volumes to import]
    Notice the partition that was part of a RAID 5 set is not usable.

The data on the imported volumes will now be accessible (you have to refresh in Explorer to see them (press F5)).


Q. How can I wipe the Master Boot Record?

A. The normal method is using the DOS FDISK command:

C:\> fdisk /mbr

however there are some cases where this does not work and a more direct method may be needed.

A program called DEBUG.EXE is supplied with DOS, Windows 9x and NT and can be used to run small Assembly language programs and just such a program can be used to wipe the MBR. Perform the following, but BE CAREFUL, this WILL wipe your MBR leaving your system unbootable and its data lost.

  1. Boot to 9x or DOS (this cannot be done from NT since direct disk access is not allowed)
  2. Start a command prompt
  3. Enter the following commands (in bold):
    C:\> debug
    -F 9000:0 L 200 0
    -a
    0C5A:0100 Mov dx,9000
    0C5A:0103 Mov es,dx
    0C5A:0105 Xor bx,bx
    0C5A:0107 Mov cx,0001
    0C5A:0109 Mov dx,0080
    0C5A:010A Mov ax,0301
    0C5A:010D Int 13
    0C5A:0110 Int 20
    <press Enter twice>
    -u 100 L 12   <check the code matches the above>
    -g    <executes>

    Program terminated normally
    -quit

You can now install a replacement MBR via a normal installation.

Thanks to Mark Minasi for giving permission to reproduce this Assembler code. A full explanation can be found in the Windows NT Magazine Summer 1999 issue.


Q. How can I cancel a scheduled NTFS conversion?

A. If you have scheduled a NTFS conversion for next reboot using the CONVERT command it can be canceled as follows:

  1. Start the registry editor (regedt32.exe NOT regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  3. Double click BootExecute
  4. Change from
    autoconv \DosDevices\x: /FS:NTFS
    to:
    autocheck autochk *
  5. Click OK
  6. Close the registry editor

Q. What is Distributed File System?

A. Distributed File System (or Dfs) is a new tool for NT server that was not completed in time for inclusion as part of NT 4.0, but is now available for download. It basically allows Administrators to simulate a single server share environment that actually exists over several servers, basically a link to a share on another server that looks like a subdirectory of the main server.

This allows a single view for all of the shares on your network, which could then simplify your backup procedures as you would just backup the root share, and Dfs would take care of actually gathering all the information from the other servers across the network.

You do not have to have a single tree (Dfs directory structures are called trees), but rather could have a separate tree for different purposes, i.e. one for each department, but each tree could have exactly the same structure (sales, info. etc).

For more information on DFS see http://www.microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp


Q. Where can I get Dfs?

A. Dfs is available for download from Microsoft http://www.microsoft.com/ntserver/nts/downloads/winfeatures/NTSDistrFile/default.asp. Follow the instructions at the site and fill in the form about your site. The file you want for the I386 platform is dfs-v41-i386.exe.

Once downloaded, just double click on the file and agree to the license. It will then copy files to your drive, which you then need to install.


Q. How do I install Dfs?

A. Follow the instructions below. You must first have downloaded and expanded the file dfs-v40-i386.exe:

  1. Right click on Network Neighborhood and select properties (or double click Network in the Control Panel)
  2. Click the services tab and click Add
  3. Click the "Have disk" button and when asked where, enter %systemroot%\system32\dfs. Do not actually type %systemroot%, but rather what it points to, i.e. d:\winnt, so the full path would be d:\winnt\system32\dfs
  4. Click Enter and press OK for Dfs installation
  5. A dialog box will be shown, and click "New Share", and type the name of the required root, e.g. c:\dfsroot and click "Yes" to create the directory
  6. Select the "Shared As" and fill in required information and click OK
  7. Close the dialogs and reboot the machine

Q. How do I create a new folder as part of the Dfs?

A. Once Dfs is installed a new application, the Dfs Administrator, is created in the Administrative Tools folder. This app should be used to manage Dfs. To add a new area as part of the Dfs tree follow the procedures below:

  1. Start the Dfs Administrator application (Start - Programs - Administrative Tools - Dfs Administrator)
  2. Select "Add to Dfs" from the Dfs menu
  3. Enter the name of folder you want an existing share to be known as
  4. Next select what it should point to, you can either type the path, or use Browse.
  5. Click Add
  6. Close the Dfs Administrator

Q. How do I uninstall Dfs?

A. Follow the procedure below:

  1. Start the network control panel applet or right click on Network Neighborhood and select properties
  2. Click the Services Tab
  3. Select "Distributed File System" and click remove
  4. You will be prompted to continue, click Yes
  5. A reboot will then be required

Q. How do I assign User Rights for a standalone server (not the PDC/BDC) in a domain?

A. In NT Workstation, User Manager/Policies/User Rights... assigns the privileges (e.g. the Shutdown or Log On Locally privilege) for the local machine. However, in NT Server the User Rights you assign with User Manager for Domains affect the Domain Controller(s). To modify privileges for the local machine, first choose Select Domain... from the User menu, and type in the name of the computer at the Domain prompt (you cannot browse the domain).


Q. I can't FTP to my server, although the FTP service is running?

A. Have you unchecked the "Allow only anonymous connections" option, but still receive a "530 User xyz cannot log in. Login failed." message? To log on to the FTP server with your domain account, it is not sufficient to specify your name at the User prompt. The FTP service checks local accounts only, even if the computer is participating in a domain. Use domainname\username instead, e.g. if the domain name was savilltech and the user was john, enter savilltech\john as the username.


Q. How do I validate my NT Logon against a UNIX account?

A. There is software to do this available at


Q. Can I synchronize the time of a NT Workstation with a NT Server?

A. Yes, enter the command

NET TIME \\<name of the server to set time to> /SET /YES

Please note that users will require the "Change System Time" user right, set via User Manager\User rights. There is a utility in the resource kit called TimeServ which runs the time synchronization as a service and works even when there are no logged on users.

Also see Q. How do I configure a user so it can change the system time?


Q. How can I send a message to all users?

A. Ensure the "Messenger" service is started (Control Panel - Services - Messenger - Auto). To send a message type:
c:> net send <machine name> "<message>"
Or instead of a machine name type * to broadcast to all stations

There are also various GUI utilities, and one of the best is NT Hail at http://www.geocities.com/SiliconValley/Bay/1999/NT_Hail.html


Q. How do I change a Workstations Name?

A. Follow the steps below

  1. Logon to the NT server and in Server Manager add the new computer name (Computer - Add to Domain)
  2. On the Workstation from Control Panel double click Network (or right click on Network Neighborhood and select properties)
  3. Click Change and type the new computer name
  4. Press OK and accept reboot
  5. The machine should then reboot with the new name
  6. On the NT server you should now delete the OLD computer name (select and press DEL)

Q. How do I stop the default admin shares from being created?

A. This can be done through the registry.

  1. Start the registry editor
  2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
  3. If you are using Workstation create a value (Edit - Add Value) called AutoShareWks (AutoShareServer for server) of type DWORD and press OK. It will ask for a value, type the number 0.
  4. Close the registry editor
  5. Reboot

This can also be done using the policy editor. Start the policy editor (poledit.exe), load the default computer profile, and expand the Windows NT Network tree, then Sharing and set "Create hidden drive shares" to blank for server/workstation.

There are a few other options though. The first is to use NTFS and set protections on the files so people may be able to connect to the share, but they will not be able to see anything. The second is to delete the shares each time you logon, this can be done through explorer, but it would be better to have a command file run each time with the lines
net share c$ /delete
and for all the other shares, however these shares are there for a reason so your machine can be administered by the servers, so if you delete them system managers may have something to say about it!


Q. How do I disconnect all network drives?

A. Use net use * /del /yes


Q. How do I hide a machine from Network Browsers?

A. Using the registry editor, move to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters and change the value Hidden from 0 to 1. You should then reboot. You can also type

net config server /hidden:yes

You can still connect to the computer, but it is not displayed on the browser.


Q. How do I remote Boot NT?

A. NT does not support remote boot. It is possible to reboot a machine from another computer using the Shutdown Manager that comes with the NT resource kit.

You could also reboot by using the shutdown.exe resource kit utility and specify another machine name.

C:\>shutdown \\<machine name> /r /y /c

Software such as PC Anywhere can also remotely reboot machines.


Q. How can I get a list of users currently logged on?

A. Use the net sessions command, however this will only work if you are an Administrator. You can also use control panel and choose server.

The resource kit utility, Net Watch, can also show currently logged on users that are connected to the Netlogon share if you connect to the domain controller, however these connections terminate after a finite amount of time so it will not necessarily show all users.


Q. How do I configure NT to be a gateway to an ISP?

A. Firstly the hardware required would be a network card and a modem. The network card is so that the other clients in the network can communicate with the "to be" gateway, and the modem to connect to the gateway. Dial-up networking is not covered here, and you should first be confident with dial-up networking before attempting this.

  1. Start the registry editor (regedit.exe) and add a value of type DWORD called DisableOtherSrcPackets under HKey_Local_Machine\System\CurrentControlSet\Services\RasArp\Parameters, and set it to 0. This ensures that packets sent through the NT gateway retain their original source IP address, i.e. if machine a is sending a packet through b, then the packet retains the IP address of a rather than being automatically changed to b. Also change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter to a value of 1.
  2. On the gateway machine ensure TCP/IP is installed with a static IP address, and a correct subnet address (usually 255.0.0.0 for a class a, 255.255.0.0 for class b, and 255.255.255.0 for class c). Make sure the default gateway address is blank.
  3. Install Dial Up networking and configure for NT to dial out only. You will have to reboot
  4. Add a phonebook entry for your ISP as you would as normal, however uncheck the "Use default gateway".
  5. Enable the PC to be able to forward IP packets, by starting control panel, double click Network and choose the protocols tab. Select TCP/IP and then routing. Check the Enable IP Forwarding. You will need to reboot
  6. If when you connect to your ISP you are given an IP address, you will need to connect to your ISP, and then find out which IP address you are given. To get the address type
    IPCONFIG
    Look for a Wan adapter and write down the IP address. If you know your IP address before you connect you can forget this step.
  7. Add a route for the IP address used when connecting to the ISP (the one identified in step 6)
    route add 0.0.0.0 mask 0.0.0.0 <ip address> metric 2
  8. Configure all clients gateway as the network card IP address of the NT gateway.

This would enable the machines to send IP packets out to the internet; however, the packets would have no way of finding their way back, as the ISP would not know to route them through the gateway, so your ISP will have to either a) have host entries for each of the machines or b) point to the gateway as another DNS.

Other things to check are as follows:

  • Make sure your ISP routes packets to you, otherwise you will be able to send packets out but the replies will never get to you
  • Make sure your local IP network works (each machine can ping each other) and that all PCs have a valid internet address. If you do not have internet addresses for each PC that have been assigned from InterNic then you will need something like Proxy Server instead.

Have a look at http://support.microsoft.com/support/ntserver/serviceware/nts40/e9mslcs1z.asp for more information.


Q. How do I install the FTP server service?

A. In prior versions of NT, the FTP server service was installed as part of TCP/IP, however as of NT 4.0, it became part of IIS/PWS, so it needs to be installed manually. Before you install the FTP server, TCP/IP must be installed.

  1. In Control Panel, double-click Network.
  2. Click Services, click Add, and then click Microsoft Peer Web Services if you are using NT Workstation or click Microsoft Internet Information Server 2.0 if you are using NT Server.
  3. Click OK, and then type the path for the Windows NT source files. For example, if you are using the Windows NT CD-ROM in drive E, type the following line: E:\i386
  4. Click OK to start the Microsoft Peer Web Services Setup or Internet Information Server.
  5. The FTP Service is selected by default, but you should clear the check boxes for options you do not want to install.

Q. How do I get a list of all connections to my PC?

A. Use the command netstat -a


Q. How can I get the Ethernet address of my Network card?

A. Type ipconfig /all from a command box.


Q. How can I configure the preferred Master Browser?

A. On the NT server you want to be the preferred master browser change the registry setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster to True


Q. Is it possible to protect against Telnet attacks?

A. There was a recent well-known problem that a telnet client could connect to an NT machine on port 135, type 10 characters and it would hang NT. There is no simple way to protect NT from a certain port attack. It is possible to configure NT to only accept incoming packets from a set of configured ports, however you have to name the ports you want to accept input from:

  1. From Control Panel, Double click on Network
  2. Click the Protocols tab
  3. Select TCP/IP and click Properties
  4. Click Advanced (bottom right)
  5. Check the "Enable Security" and click configure
  6. For TCP select "Permit Only" and enable only the ports you want to work (e.g. Web Browser is 80, FTP 21)
  7. Exit
  8. Reboot NT

To protect against the port 135 attack, install the RPC hotfix for Service Pack 2.

Service Pack 3 and some of its Hotfixes are also highly desirable, and address a number of Internet attack methods.


Q. What Telnet Servers/Daemons are available for Windows NT?

A. A Telnet Server on NT allows connection to an NT machine using a Telnet client from any hardware platform. Products are available from:


Q. How do I install MSN under NT?

A. The new MSN 2.0 only runs under Windows 95, however a version for NT 4.0 is being developed. In the meantime it is possible to use MSN to connect to the Internet, however you cannot read mail:

  1. Phone Microsoft and request for a manual Internet PPP access to be setup.
  2. Assuming RAS is already installed, select Add New phonebook entry
  3. Type in a name for the phone book entry, e.g. "MSN connection"
  4. Clear the "I know about phone book entries" and click Next
  5. Check "I am calling the Internet" and click Next
  6. Click Finish
  7. Select your new "MSN" and click Edit from More
  8. Click the Server tab, and select TCP/IP, Enable PPP LCP, and clear NetBEUI and IPX
  9. Click the TCP/IP settings box and check "Server assigned IP addresses" and "Use default gateway"
  10. Click OK and exit back to the main dial screen
  11. Select MSN and click Dial
  12. When prompted for username/password enter
    Username : MSN/<user name>
    Password : <MSN password>
    Domain : <blank>

Q. What FireWall products are available for NT?

A. Below are a selection of FireWall systems for NT:


Q. How do I install the Remoteboot Service?

A. Before installing the Remoteboot service you must have both the NetBEUI and DLC protocols installed. The remoteboot service will only run on NT server.

  1. Start Control Panel (Start - Settings - Control Panel)
  2. Double click the Network icon
  3. Click on the services tab and click Add
  4. Select "Remoteboot Service"
  5. Check the path where Remoteboot will be installed (by default %systemroot%\RPL)
  6. Click OK and complete the installation
  7. After installation has completed start Remoteboot Manager
  8. Click "Fix Security" from the Configuration menu, which will create the RPLUSER local group and assign the permissions to the RPL directory.

Q. How many connections can NT have?

A. NT workstation can have up to 10 concurrent connections, with one exception, Peer Web Services which allows unlimited concurrent connections.


Q. How can I secure a server that will be a Web Server on the Internet?

A. Below are points to be aware of


Q. How can I stop a user logging on more than once?

A. There is no way in NT to stop a user logging on more than once, however it is possible to restrict a workstation so that only a certain user can login, and with this method each user would be tied to one workstation and thus could only logon once.

  1. Logon to the Workstation as the Domain Administrator
  2. Start User Manager (Start - Administrative Tools - User Manager)
  3. Double click the Users group and select the Domain\Everyone and click remove
  4. Next click add and select the specific domain user and click Add
  5. Close User Manager
  6. Logoff and only that specific user will be able to logon (be careful that Administrators still include Domain\Administrators or you will not be able to logon)

This solution is far from ideal, and it may be plausible to write a login script that checked if a user was currently logged on and if so, logoff straight away (using the logout command line tool).


Q. How can I get information about my domain account?

A. From the command prompt type

net user <username> /domain

And all your user information will be displayed including last logon time, password change etc.


Q. A machine is shown as Inactive in Server manager when it is not.

A. Sometimes Server Manager fails to see a machine has become active, you can attempt to force it to see the machine by typing
net use \\<machine name>\IPC$
If this fails it may be the machine has been configured to be invisible to the network.


Q. How do I automatically FTP using NT?

A. I use a basic script to update my main site and the mirrors using two batch files. The first consists of a few lines:

d:
cd \savilltechhomepage
ftp -i -s:d:\savmanagement\goftp.bat

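The -i suppresses the prompt when performing a multiple put, and the -s defines an input file for FTP. That file holds the username and password in clear text, so restrict its NTFS permissions to the account that runs the script. Its contents look like this (the text after each dash is an explanation, not part of the file):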

open ftp.savilltech.com   - the name of the FTP server
johnny                    - username
secret                    - password
cd /www                   - remotely move to a base directory
lcd download              - locally change directory
cd download               - remotely move to a sub directory of the current directory
binary                    - set mode to binary
put faqcomp.zip           - send a file
cd ..                     - move down a directory remotely
lcd ..                    - move down a directory locally
cd ntfaq
lcd ntfaq
mput *.html               - send multiple files (this is why we needed -i)
close                     - close the connection


Q. How can I change the time period used for displaying the password expiration message?

A. Follow the instructions below:

  1. Start the Registry editor (regedit.exe)
  2. Go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. From the Edit Menu, click New - DWord
  4. Type the name PasswordExpiryWarning and press enter
  5. Double click on the new value you have created and set to the number of days prior to the expiration you want the message to appear.

Q. How can I modify share permissions from the command line?

A. The Windows NT resource kit ships with a utility called RMTSHARE.EXE that is used to modify permissions on shares, the syntax to grant access to a share is as follows

rmtshare \\<server name>\<share> /grant <username>:<permission>, e.g.
rmtshare \\bugsbunny\movies /grant savillj:f

Valid permissions are f for full, r for read, c for change and n for none. To revoke access to a share type

rmtshare \\<server name>\<share> /grant <username>, e.g.
rmtshare \\bugsbunny\movies /grant savillj

This would remove savillj's access to the share. To view share permissions enter:

rmtshare \\<server name>\<share> /users, e.g.
rmtshare \\bugsbunny\movies /grant

RMTSHARE.EXE also allows the creation and deletion of shares. Type rmtshare /? for help.


Q. How can I change the protocol binding order?

A. Network bindings are links that enable communication between the network adapter(s), protocols and services. If you have multiple protocols installed on a machine you can configure NT to try a certain protocol first for communication:

  1. Log on to the machine as a member of the Administrators group
  2. Start the Network control panel applet (Start - settings - control panel - network, or right click Network Neighborhood and select properties)
  3. Click the bindings tab
  4. Select "all services" from the drop down list of bindings
  5. Select the service you wish to change the binding order for by clicking its plus sign (usually you should change the workstation service as this is used for connecting to resources etc.)
  6. A list of all the protocols installed will be shown, and can be ordered by selecting the protocol and clicking "move up" or "move down".
  7. Click OK when finished, and you will have to reboot for the changes to take effect.

Q. What criteria are used to decide which machine will be the Master Browser?

A. There are 5 roles a machine can have

  • Master Browser - This machine maintains the list of resources on the network and listens for announcements from other machines to add to the browse list.
  • Preferred Master Browser - A machine can be designated as the preferred master browser and when this machine starts it will force a browser election and will win unless one of the other machines is the PDC or also has the preferred master browser flag set.
  • Backup Browser - This type receives a copy of the browse list from the master browser, if it cannot find the Master Browser it will force an election.
  • Potential Browser - This does not receive a copy of the browse list, but can be promoted to a backup browser by the master browser, or actually become the master browser as the result of an election.
  • Non-Browser - A non-browser does not maintain a browse list.

When an election takes place, a number of criteria are used. Firstly the browser type

  • Preferred master
  • Master
  • Backup browser
  • Potential browser

If two machines have the same role then the operating system is used

  • Windows NT Server that is the PDC
  • Windows NT Server that is a BDC
  • Windows NT Server
  • Windows NT Workstation
  • Windows 95
  • Windows for Workgroups

If there is still a tie, the Windows NT version is used

  • 4.0
  • 3.51
  • 3.5
  • 3.1

To set a machine as a certain type of browser perform the following

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
  3. Double click on MaintainServerList
  4. Set to
    No - for the computer to be a non-browser
    Yes - the computer will be a master or backup browser
    Auto - will be a master, backup or potential depending on the number of browsers currently in action
  5. Click OK
  6. Close the registry editor and reboot

Q. How can I get a list of MAC to IP addresses on the network?

A. An easy way to get a list of MAC to IP addresses on the local subnet is to ping every host on the subnet and then check your ARP cache, however pinging every individual node would take ages and the entries only stay in the ARP cache for 2 minutes. An alternative is to ping the broadcast mask of your subnet, which will ping every host on the local subnet (you can't ping the entire network as you only communicate directly with nodes on the same subnet; all other requests are via the gateway so you would just get an ARP entry for the gateway).

What is the broadcast mask? The broadcast mask is easy to calculate if the subnet mask is in the format 255.255.255.0 or 255.255.0.0 etc. (multiples of 8 bits). For example, if the IP address was 134.189.23.42 and the subnet mask was 255.255.0.0, the broadcast mask would be 134.189.255.255: where the subnet mask has 255 the number from the IP address is copied over, and where it has 0 it is replaced with 255, so the network id part is kept. If the subnet mask is not in the basic 255.255 format, use the following procedure; all you need is the IP address and the subnet mask:

  1. For each bit set to 1 in the subnet mask, copy the corresponding bit from the IP address to the broadcast mask
  2. For each bit set to 0 in the subnet mask, copy a 1 into the corresponding bit of the broadcast mask

For example, take IP address 158.234.24.98 and subnet mask 255.255.248.0:

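                 Byte 1            Byte 2            Byte 3            Byte 4
Subnet mask      1 1 1 1 1 1 1 1   1 1 1 1 1 1 1 1   1 1 1 1 1 0 0 0   0 0 0 0 0 0 0 0
IP address       1 0 0 1 1 1 1 0   1 1 1 0 1 0 1 0   0 0 0 1 1 0 0 0   0 1 1 0 0 0 1 0
Broadcast mask   1 0 0 1 1 1 1 0   1 1 1 0 1 0 1 0   0 0 0 1 1 1 1 1   1 1 1 1 1 1 1 1

The bits where the subnet mask is 1 are the Network part; the bits where it is 0 are the Host part.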

The first row is the subnet mask 255.255.248.0, the second row the IP address 158.234.24.98 and the third row is the broadcast mask, 158.234.31.255.

To get the MAC to IP addresses, you would therefore perform the following

ping <broadcast mask>
arp -a

Voila, a list of IP addresses and their MAC address (you can add > filename to get the list to a file, e.g. arp -a > iptomac.lst). You could repeat this exercise on the various subnets of your organization.

Unfortunately, due to limitations in NT's implementation of PING, the above will not work correctly, so put the following into a file

REM arpping.bat
ping -n 1 -l 1 %1.%2
arp -a %1.%2

You can then call the batch file as follows:

C:\> for /l %i in (1,1,254) do arpping 160.82.220 %i

In this case it would generate a list of all MAC to IP addresses for 160.82.220.1 to 160.82.220.254. Again you could put this all in a file, redirect to a file and then search, e.g.

REM test.bat
for /l %%i in (1,1,254) do arpping.bat 160.82.220 %%i

Notice you have to use two %%. You could run as

C:\> test.bat > file.txt

Then search file.txt for (for example) dynamic

C:\> findstr dynamic file.txt
160.82.220.1 00-00-0c-60-8b-41 dynamic
160.82.220.9 00-60-97-4b-bf-4c dynamic
160.82.220.13 00-10-4b-49-94-e1 dynamic
160.82.220.17 00-80-5f-d8-a4-8b dynamic
160.82.220.22 00-a0-d1-02-a4-cf dynamic
160.82.220.25 00-60-08-75-0d-7a dynamic
160.82.220.26 00-10-4b-44-e4-73 dynamic
160.82.220.33 00-10-4b-44-d6-33 dynamic
160.82.220.34 00-10-4b-4e-67-6a dynamic
160.82.220.35 00-60-97-4b-c4-53 dynamic
160.82.220.39 00-10-4b-44-eb-ae dynamic
160.82.220.41 00-10-4b-49-7b-f7 dynamic
160.82.220.42 00-00-f8-21-7a-7f dynamic
160.82.220.43 08-00-20-88-82-57 dynamic
160.82.220.221 00-80-5f-88-d0-55 dynamic
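
The broadcast-mask rule and the arpping.bat sweep above, as an added Python example (not part of the original FAQ). It applies the two bit rules, works out which "for /l" ranges cover a subnet whose mask is not a multiple of 8 bits (going beyond the single 254-host range the batch file handles), and compares a saved arp -a listing with a newer one to flag unknown addresses, changed MACs and one MAC answering for several IPs. The function names and the sample listings (192.0.2.x documentation addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

SHIFTS = (24, 16, 8, 0)

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer; rejects malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("not an IPv4 address: %r" % (dotted,))
    return sum(int(p) << s for p, s in zip(parts, SHIFTS))

def to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in SHIFTS)

def broadcast_mask(ip, mask):
    """Build the broadcast mask bit by bit using the two rules in the text."""
    ip_n, mask_n = to_int(ip), to_int(mask)
    out = 0
    for bit in range(31, -1, -1):
        if (mask_n >> bit) & 1:
            out |= ip_n & (1 << bit)   # rule 1: mask bit is 1, copy the IP bit
        else:
            out |= 1 << bit            # rule 2: mask bit is 0, write a 1
    return to_dotted(out)

def sweep_blocks(ip, mask):
    """(first three octets, first host, last host) for each 256-address slice
    of the subnet, leaving out the network and broadcast addresses."""
    net = to_int(ip) & to_int(mask)
    bcast = to_int(broadcast_mask(ip, mask))
    blocks = []
    for prefix in range(net >> 8, (bcast >> 8) + 1):
        first = (net & 0xFF) + 1 if prefix == net >> 8 else 0
        last = (bcast & 0xFF) - 1 if prefix == bcast >> 8 else 255
        if first <= last:
            blocks.append((to_dotted(prefix << 8).rsplit(".", 1)[0], first, last))
    return blocks

def for_commands(ip, mask):
    """The command-prompt loops that feed arpping.bat for the whole subnet."""
    return ["for /l %%i in (%d,1,%d) do arpping %s %%i" % (lo, hi, pfx)
            for pfx, lo, hi in sweep_blocks(ip, mask)]

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(dynamic|static)\s*$")

def parse_arp(text):
    """IP -> MAC (lower case) from arp -a output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def compare(baseline, current):
    """Return (IPs not in the baseline, IPs whose MAC changed,
    MACs that currently answer for more than one IP)."""
    unknown = sorted(ip for ip in current if ip not in baseline)
    changed = sorted(ip for ip in current
                     if ip in baseline and baseline[ip] != current[ip])
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return unknown, changed, shared

# Constructed sample listings (documentation addresses, not real hosts).
BASELINE = """\
192.0.2.1    00-00-5e-00-53-01   dynamic
192.0.2.9    00-00-5e-00-53-09   dynamic
192.0.2.13   00-00-5e-00-53-0d   dynamic
"""
CURRENT = """\
Interface: 192.0.2.50 on Interface 2
  Internet Address      Physical Address      Type
  192.0.2.1             00-00-5E-00-53-AA     dynamic
  192.0.2.9             00-00-5e-00-53-09     dynamic
  192.0.2.22            00-00-5e-00-53-aa     dynamic
"""

if __name__ == "__main__":
    print(broadcast_mask("158.234.24.98", "255.255.248.0"))
    for cmd in for_commands("158.234.24.98", "255.255.248.0"):
        print(cmd)
    print(compare(parse_arp(BASELINE), parse_arp(CURRENT)))
```

A MAC that suddenly answers for the gateway's address as well as another host's is the pattern to look at first in the third result.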


Q. How can I control the list of connections shown when mapping a network drive?

A. When you map a network drive (Explorer - Tools - Map network drive), if you click the down arrow on the path, a list of previous connections will be shown. These are stored on the registry and can be edited

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections
  3. You will notice in the left pane is a number of string values called a,b,c etc. For the connections you do not want shown, click on the entry and then either press the Del key and say yes to the confirmation or select delete from the edit menu.
  4. Once you have deleted entries you need to update which ones explorer will show by double clicking on order and remove the letters of the entries you deleted
  5. Click OK
  6. Close the registry editor

Q. How do I grant users access to a network printer?

A. The same way as files have security information, so do printers, and you need to set which users can perform actions on each network printer

  1. Logon as an Administrator
  2. Double click "My Computer" and then select printers
  3. Right click on the printer whose permissions you wish to change and select properties
  4. Click the security tab and select permissions
  5. You can now add users/groups and grant them the appropriate privilege
  6. Click OK when finished

Q. How can I create a share on another machine over the network?

A. From a Windows NT Server machine a share can be created by opening Server Manager, highlight the target system, select Computer, Shared Directories, and click on New Share.

The Windows NT Resource kit comes with a utility called RMTSHARE.EXE and this can be used to create shares on other machines providing you have sufficient privilege. The basic syntax is as follows

rmtshare \\<computer name>\"<share name to be created>"="<path>" /remark="<share description>"
e.g. rmtshare \\savillmain\miscfiles=d:\files\misc /remark="General files"

You only need to use double quotes around the share to be created and the path if there are spaces in the share/file name, e.g. if the share was to be called misc files instead of miscfiles it would have to be in quotes, e.g.

rmtshare \\savillmain\"misc files"="d:\my files\misc" /remark="With space share"

There is also a wizard to share and administer your NT server, %systemroot%\system32\wizmgr.exe.


Q. I get errors accessing a Windows NT FTP Server from a non Internet Explorer browser.

A. If you run the Microsoft FTP Server Service then you may find problems accessing an area other than the root from a non Internet Explorer browser. This is because most other FTP Servers use the UNIX type naming conventions and that is what browsers such as Netscape expect, however the Microsoft FTP service outputs using DOS naming conventions. This can be resolved by forcing the FTP server service to use UNIX conventions rather than DOS:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ftpsvc\Parameters
  3. If the value MsdosDirOutput exists double click on it and set it to 0, click OK
  4. If it does not exist from the Edit menu select New - DWord value and enter the name MsdosDirOutput and click OK, then perform step 3

You will need to stop and start the FTP server service for this change to take effect (Start - Settings - Control Panel - Services - FTP Service - stop - start)


Q. How can I view which machines are acting as browse masters?

A. There are 2 utilities shipped with the NT resource kit (one GUI, one command line) which can be used to view current browse master status.

BROWMON.EXE - Select from the Diagnostics Resource Kit menu. The master browser will then be displayed for each domain. Double clicking on a machine will then list the other machines that are browsers and a subsequent double click on these machines will tell their status, e.g. backup browser.

BROWSTAT.EXE - Start a command session. There are a number of commands that can be used, however to get a general view enter the command
browstat status <domain name>
Browsing is active on domain.
Master browser name is: PDC
Master browser is running build 1381
2 backup servers retrieved from master PDC
\\PDC
\\WORKSTATION

As can be seen the master browser name is shown, as are backup servers.


Q. Is there any way to improve the performance of my modem internet connection?

A. By default, NT will use a Maximum Transmission Unit (MTU) (packet size) over the path to a remote host of 576. Problems can arise if the data is sent over routes etc that cannot handle data of this size and the packets get fragmented.

The parameter EnablePMTUDiscovery set to 1 forces NT to discover the maximum MTU of all connections that are not on the local subnet. To change this perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. From the Edit menu select New-DWord value
  4. Enter a name of EnablePMTUDiscovery and press enter
  5. Double click on this new value and set to 1 then click OK
  6. Close the registry editor and reboot the machine.

By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion.


Q. How can I remotely tell who is logged on at a machine?

A. The easiest way to do this is to use the NBTSTAT command. There are two ways to use this command depending on whether you know the machine's name or just its IP address. If you know the machine's name enter the command

nbtstat -a <machine name>
e.g. nbtstat -a pdc

The output will be of the format:

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
PDC            <00>  UNIQUE      Registered
PDC            <20>  UNIQUE      Registered
SAVILLTECH     <00>  GROUP       Registered
SAVILLTECH     <1C>  GROUP       Registered
SAVILLTECH     <1B>  UNIQUE      Registered
SAVILLTECH     <1E>  GROUP       Registered
PDC            <03>  UNIQUE      Registered
SAVILLJ        <03>  UNIQUE      Registered
SAVILLTECH     <1D>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
..__MSBROWSE__.<01>  GROUP       Registered
IS~PDC.........<00>  UNIQUE      Registered

MAC Address=00-A0-24-B8-11-F3

The user name is the <03> entry that is not the machine name (SAVILLJ in the output above).

If you only know the IP address use the command

nbtstat -A <IP address>
e.g. nbtstat -A 10.23.23.12

The output is the same and notice we just use a capital A instead of a lowercase a.

This will only work if the remote machine in question is running its messenger service, otherwise the username is not returned.
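
An added example, not part of the original FAQ: a Python parser for the name table format shown above that separates the logged-on user from the machine's own <03> entry, which is useful when auditing which hosts reveal a user name to anyone able to query them. The sample tables (WKS07, SRV02, LABDOM, JSMITH) and the function names are constructed for illustration.

```python
import re

# One table row: name (up to 15 characters, may contain dots), <suffix>, type, status.
ENTRY = re.compile(r"^\s*(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")
MAC = re.compile(r"MAC Address\s*=\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

def parse_name_table(text):
    """Return [(name, suffix, type, status), ...] for every table row."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name, suffix.upper(), kind, status))
    return rows

def summarize(text):
    """Pick out the computer name, the logged-on user(s) and the MAC address."""
    rows = parse_name_table(text)
    unique = [(n, s) for n, s, kind, _ in rows if kind == "UNIQUE"]
    # <20> (Server service) and <00> (Workstation service) carry the machine name.
    computer = next((n for n, s in unique if s == "20"),
                    next((n for n, s in unique if s == "00"), None))
    machine_names = {n.upper() for n, s in unique if s in ("00", "20")}
    # <03> is the Messenger service name: one entry for the machine itself and
    # one for each logged-on user, so drop the ones that match the machine.
    messenger = [n for n, s in unique if s == "03"]
    users = [n for n in messenger if n.upper() not in machine_names]
    mac = MAC.search(text)
    return {
        "computer": computer,
        "users": users,
        "messenger_running": bool(messenger),
        "mac": mac.group(1) if mac else None,
    }

def hosts_disclosing_users(outputs):
    """outputs maps a host label to its nbtstat text; return {host: [users]}."""
    found = {}
    for host, text in outputs.items():
        users = summarize(text)["users"]
        if users:
            found[host] = users
    return found

# Constructed sample: workstation with the messenger service running.
SAMPLE_WKS = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WKS07          <00>  UNIQUE      Registered
WKS07          <20>  UNIQUE      Registered
LABDOM         <00>  GROUP       Registered
LABDOM         <1E>  GROUP       Registered
WKS07          <03>  UNIQUE      Registered
JSMITH         <03>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
IS~WKS07.......<00>  UNIQUE      Registered

MAC Address = 00-00-5E-00-53-07
"""

# Constructed sample: server with the messenger service stopped (no <03> rows).
SAMPLE_SRV = """\
   Name               Type         Status
---------------------------------------------
SRV02          <00>  UNIQUE      Registered
SRV02          <20>  UNIQUE      Registered
LABDOM         <00>  GROUP       Registered

MAC Address = 00-00-5E-00-53-02
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_WKS))
    print(hosts_disclosing_users({"wks07": SAMPLE_WKS, "srv02": SAMPLE_SRV}))
```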


Q. How do I remove a NT computer from a domain?

A. The first way would be to logon to the machine you wish to remove from the domain and start the Network Control Panel Applet (Start - Settings - Control Panel - Network or just right click on Network Neighborhood and select properties). Select the Identification tab and click Change. Just enter a different domain or workgroup, you will receive a notice welcoming you to the new domain/workgroup. The problem with this is the machine can still rejoin the domain as its account has not been removed from the domain.

To actually remove the computer account from the domain perform the following:

  1. Logon to the PDC as an Administrator
  2. Start Server Manager (Start - Programs - Administrative Tools - Server Manager)
  3. Select the machine you wish to remove and click Delete (or select "Remove from Domain" from the Computer menu)
  4. Click Yes to the confirmation

Alternatively you can remove a computer from the command line using the Resource Kit utility NETDOM

netdom /Domain:<domain> MEMBER <machine name> /delete
e.g. netdom /Domain:savilltech MEMBER kevinpc /delete

You can use this command from any machine, workstation or server, as long as you are logged on as an administrator. When you enter the command it will find the PDC and delete the computer account. The output is as follows:

Searching PDC for domain SAVILLTECH ...
Found PDC \\PDC
Member \\KEVINPC successfully deleted.


Q. How can I shutdown a number of machines without going to each machine?

A. I have a number of machines set up in my Lab and at the end of an entertaining evening of computing I don't want to have to go to each machine and shut them down, so I wrote a small batch file that uses the shutdown.exe resource kit utility. Just enter the following into a file with a .bat extension:

rem Batch file to shutdown local machine and the PDC, BDC
rem Shut down a machine called PDC in 2 seconds, repeat with other machine names
shutdown \\pdc /t:2 /y /c
rem Shut down a machine called BDC in 2 seconds
shutdown \\bdc /t:2 /y /c
rem Shut down the local machine in 5 seconds
shutdown /l /y /c /t:5

You can then just right click the file in explorer and drag onto the desktop, release and select "Create shortcut". Clicking this icon will then shutdown all the machines in the file.


Q. How can I close all network sessions/connections?

A. The command below will close all network sessions

net session /delete


Q. How can I connect to a server using different user accounts?

A. It is possible to specify a user account to use when connecting to a share using the /user switch, e.g.

C:\> net use k: \\server\share /user:domain\user

If you then attempt to connect to the server again with a different username an error will be given. A workaround is to connect to the server using its IP address rather than its NetBIOS name, e.g.

C:\> net use l: \\<ip address>\share /user:domain\user


Q. How do I set the comment for my machine that is displayed in Network Neighborhood?

A. There are 3 ways to set this: from the command line, by editing the registry, or via the GUI.

The easiest way is via the Server control panel applet

  1. Start the server control panel applet (Start - Settings - Control Panel - Server)
  2. Enter the new description of the machine in the Description field
  3. Click OK

An alternative method is from the command prompt using the "net config" command.

C:\> net config server /srvcomment:"machine comment"

Note that even if you are performing this on a workstation machine you still use "net config server" as this is a configuration on the server service of the machine.

Both of the methods shown update a single registry value so this can also be edited directly.

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  3. Double click on srvcomment
  4. In the "Value data" box enter the new description and click OK
  5. Close the registry editor

You can remotely change the comment of other machines by using the NT Server utility "Server Manager". Double click on a machine and you will then be presented with the same dialog box as with the Server control panel applet. This has the advantage of allowing the Administrator to set a common description format.


Q. How can I define multiple NetBIOS names for a machine?

A. This would be useful if, for instance, you wanted to migrate a number of shares to a different machine. Rather than having to switch all clients to the new machine instantly, you could define the new machine to also answer to the old machine's NetBIOS name and then slowly migrate the machines. To define extra names for a machine perform the following:

  1. Start the registry editor (regedt32.exe)
  2. Move to HKEY_Local_Machine\System\CurrentControlSet\Services\LanmanServer\Parameters
  3. From the Edit menu select "Add Value"
  4. Set the type to REG_SZ if you want one extra name or REG_MULTI_SZ if you want more than one and enter a name of OptionalNames. Click OK
  5. You will then be prompted for a value. Enter the other name (or names if type REG_MULTI_SZ, one on each line) you want it to be known as and click OK.
  6. Close the registry editor
  7. Reboot the machine

There is a bug when using multiple NetBIOS names on print servers, see 'Q. The additional NetBIOS name of my server does not work for print services.'


Q. How can I manage my NT domain over the net?

A. Microsoft have released "Web Administrator 2.0 for Microsoft Windows NT Server" which allows you to manage the following via the web

  • Account Management
  • Ras Management
  • Share Management
  • Session Management
  • Server Management
  • Printer Management

The additional software required has to be installed on a server (though it does not have to be a domain controller) with

  • Service Pack 3 or later (it does not currently work with the beta versions of Service Pack 4)
  • Internet Information Server 4.0

Internet Information Server 4.0 is available as part of Option Pack 4 which can be obtained from http://www.microsoft.com/windows/downloads/contents/updates/nt40ptpk/default.asp or as part of MSDN. Option Pack 4 has its own requirement that Internet Explorer 4.0 be installed.

Once all the software is installed you can download the Web Admin tools from http://www.microsoft.com/ntserver/nts/downloads/management/NTSWebAdmin/default.asp

To begin the installation just execute the required executable and the installation wizard will begin.

Once the installation is complete you will be able to administer your domain by connecting to http://<the server name>/ntadmin/default.asp. For example if I had installed the software on titanic in the savilltech.com I would connect to http://titanic.savilltech.com/ntadmin/default.asp.

You will need Internet Explorer 4.0 or above to use the site and once connected you can perform a number of options. Below is an example of viewing/changing users.

[Image: NT Web Admin]


Q. How can I remotely manage services?

A. The Windows NT Resource kit has two utilities, SC.EXE and NETSVC.EXE, which allow remote services to be managed. The resource kit has help on both of these but we will only look at NETSVC.EXE.

To view the services on a remote machine use

C:\> netsvc /query \\<server name> /list

To see the current state of a service use

C:\> netsvc <service name> \\<server> /query

You can then modify the state of the service using the /start, /stop, /pause and /continue switches, e.g.

C:\> netsvc <service name> \\<server> /stop


Q. Net.exe reference.

A. Below is a summary of all the net.exe usage methods.

net accounts

Used to modify user accounts. Specified on its own will give information about the current logon.

Options:

/forcelogoff:<minutes or no> Minutes until the user gets logged off after logon hours expire. No means a forced logoff will not occur
/lockoutthreshold:<number of failed attempts> This parameter allows you to configure the number of failed logon attempts before the account is locked. The range is 1 to 999.
/lockoutduration:<minutes> This parameter specifies the number of minutes accounts remain locked before automatically becoming unlocked. The range is 1 to 99999.
/lockoutwindow:<minutes> This parameter lets you configure the maximum number of minutes between two consecutive failed logon attempts before an account is locked. The range is 1 to 99999.
/minpwlen:<length> Minimum number of characters for the password. Default is 6, valid range is between 0 and 14
/maxpwage:<days> Maximum number of days a password is valid. Default is 90, valid range is between 0 and 49710
/minpwage:<days> Number of days that must occur before the password can be changed. Default is 0, valid range is between 0 and maxpwage
/uniquepw:<number> Password may not be reused for number attempts
/sync Forces a domain sync
/domain Performs any of the above actions on the domain controller

net computer

Used to add and remove computer accounts from the domain.

Options:

\\<computer name> Name of the computer to be added or removed
/add Add the specified computer
/del Removes the specified computer

net config server

Allows modifications to the server service. Entered with no parameters gives details of the current configuration

Options:

/autodisconnect:<minutes> Number of minutes an account may be inactive before disconnection. Default is 15, valid range between 1 and 65535. -1 means never disconnected.
/srvcomment:"text" Set the comment for the machine
/hidden:<yes or no> Specifies if the computer is hidden in the listing of computers

net config workstation

Allows modifications to the workstation service. Entered with no parameters gives details of the current configuration

Options:

/charcount:<bytes> Number of bytes to be collected before data is sent. The default is 16, valid range is between 0 and 65535.
/chartime:<msec> Number of milliseconds NT waits before sending data. If charcount is also set whichever is satisfied first is used. Default is 250, valid range is between 0 and 65535000.
/charwait:<seconds> Number of seconds NT waits for a communications device to become available. Default is 3600, valid is between 0 and 65535.

net continue <service name>

Restarts the specified paused service.

net file

Lists any files that are open/locked via a network share.

Options:

id Identification of the file (given by entering net file on its own)
/close Close the specified lock

See Q. How can I tell who has which files open on a machine? for more details.

net group

Adds/modifies global groups on servers. Without parameters will list global groups.

Syntax:

net group <group name> [/comment:"<text>"] [/domain]
net group <group name> [/add [/comment:"<text>"] or /delete] [/domain]
net group <group name> <user name> /add or /delete [/domain]

Options:

groupname Name of the global group
/comment:"<text>" Comment if a new global group is created. Up to 48 characters
/domain Performs the function on the primary domain controller
username Username to which to apply the operation
/add Adds the specified user to the group or the group to the domain
/delete Removes a group from a domain or a user from a group

net localgroup

Performs actions on local groups. Same parameters as net group.

net name

Adds/removes a name to which messaging may be directed to. Running the command on its own will list all messaging names eligible on the machine.

Options:

name The messaging name to be added/removed
/add Add the name
/delete Remove the name

net pause <service name>

Used to pause a service from the command line.

net print

Used to list/modify print jobs.

Options:

\\computername Indicates the computer that hosts the printer queue
sharename Name of the printer queue
job The job number to modify
/hold Pauses a job on the print queue
/release Removes the hold status of a job on the print queue
/delete Deletes a job off of the print queue

net send

Sends a message to a computer, user or messaging name.

Options:

name Name of the user, computer or messaging name. Can also use * to send to everyone in the group
/domain:<domain name> All users in the current domain or the specified domain
/users To all users connected to the server
message The message to send

net session

Lists or disconnects sessions. Used with no options lists the current sessions.

Options:

\\<computer name> The computer whose session to close
/delete Closes the session to the computer specified. Omitting a computer name will close all sessions

net share

Used to manage shares from the command line.

Syntax:

net share <sharename>=<drive>:\<directory> [/users:<number> or /unlimited] [/remark:"text"]
net share <sharename> [/users:<number> or /unlimited] [/remark:"text"]
net share <sharename or device name or drive and path> /delete

Options:

<sharename> Name of the share
<device name> Used to specify the printer name if specifying a printer share
<drive>:<path> Absolute path
/users:<number> Number of simultaneous connections to the share
/unlimited Unlimited usage
/remark:"<text>" Comment for the share
/delete Delete the specified share

net start <service name>

Start the specified service

net statistics [workstation or server]

Gives information about either the server or workstation service.

net stop <service name>

Stops the specified service

net time

Used to synchronize the time of a computer.

Options:

\\<computer name> The name of the computer with which to synchronize the time
/domain:<domain> Synchronize the time with the specified domain
/set Sets the time

net use

Connects or disconnects to a network share. Used with no qualifiers lists the current network mappings.

Syntax:

net use <device name> or * \\<computer name>\<share name> [password or *] [/user:<domain>\<user>] [/delete or /persistent:[yes or no]]
net use <device name> /home /delete or /persistent:[yes or no]

Options:

<device name> Name of the device to map to. Use * to use the next available device name
\\computer name The name of the computer controlling the resource
\sharename Name of the share
\volume Name of the volume if on a NetWare server
password Password to which to map
* Gives a prompt to which to enter the password
/user:<domain>\<user> Specifies the user to connect as
/home Connects to a users home directory
/delete Closes a connection
/persistent:[yes or no] Sets if the connection should be reconnected at next logon

net user

Used to add/create/modify user accounts

Syntax:

net user <username> [password or *] [/add] [options] [/domain]
net user <username> /delete [/domain]

username The name of the account
password Assigns or changes a password
* Gives a prompt for the password
/domain perform on a domain
/add Creates the account
/delete Removes the account
/active:[yes or no] Activates or deactivates the account
/comment:"<text>" Adds a descriptive comment
/countrycode:nnn nnn is the numeric operating system country code. Use 0 for the operating system's default
/expires:<date or never> The expiry date of the account. Date format is mm,dd,yy or dd,mm,yy which is determined by the country code
/fullname:"<name>" The full name of the account
/homedir:<path> Path for the users home directory
/passwordchg:[yes or no] Used to specify if the user can modify the password
/passwordreq:[yes or no] Used to determine if the account needs a password
/profilepath:<path> Used to specify the profile path
/scriptpath:<path> Path of the logon script
/times:<times or all> Hours user may logon
/usercomment:"<text>" A comment for the account
/workstations:<machine names> Names the user may logon to. * means all.

net view

Lists shared resources on a domain. Used with no parameters lists all machine accounts in a domain.

Options:

\\computer name Specifies the computer whose resource should be viewed
/domain:<domain name> The domain to be used
/network:<NetWare network> A NetWare network to be used

Q. How can I make net.exe use the next available drive letter?

A. The normal syntax to map a network drive is

C:\> net use <drive letter>: \\<server>\<share>

however this can be modified to

C:\> net use * \\<server>\<share>

which will make the net use command utilize the next available drive letter.


Q. How can I check if servers can communicate via RPCs?

A. Exchange ships with RPINGS.EXE and RPINGC32.EXE which can be used to test RPC communication between two servers. These programs are located in the SERVER\SUPPORT\RPCPING directory of the Exchange CD. Test as follows:

  1. On one server start Command (CMD.EXE) and enter
    C:\> RPINGS
  2. On the other server run the RPINGC32.EXE utility
  3. You should then enter the name of the Exchange server to test communication with, e.g. NT4PDC
  4. Click Start

The connection will then be checked. Once complete close the RPINGC32.EXE utility by clicking Exit and on the target machine enter the sequence '@q'.

Below is an example of a successful test.

[Image: RPC Ping]


Q. How can I reduce the delay when using multiple redirectors?

A. The MUP (Multiple UNC Provider) first establishes whether Distributed File System (Dfs) is in use and passes the request to DFS.

The delays come from two locations:

  1. The attempt to access the resource through DFS
  2. The MUP must wait and accept all responses from all redirectors before completing the request. Therefore, even if a resource is readily available and accessible over one redirector, the request must still be made over the other installed redirectors before the request completes.

Depending on the number of redirectors, protocols, and timer configurations for connectivity, these delays can exceed 13 seconds for each initial connection.

Service Pack 4 for Windows NT 4.0 has introduced an updated MUP.SYS giving better performance and a new registry entry which may speed up the initial connect to non-Windows UNC resources, DisableDFS. Perform the following change on each client:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
  3. From the Edit menu select New - DWORD value
  4. Enter a name of 'DisableDFS' (don't enter the quotes) and press enter
  5. Double click the new value and set to 1. Click OK
  6. Close the registry editor
  7. Reboot the machine

Setting the DisableDFS value to 0 or deleting it will set the machine back to its old behaviour.

If you have the Novell IntranetWare client also installed you must also perform the following before rebooting:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetwareWorkstation\NetworkProvider
  3. Double click DeviceName and change from '\Device\NetwareWorkstation' to '\Device\NetwareRedirector'. Click OK
  4. Close the registry editor

Knowledge base article Q171386 at http://support.microsoft.com/support/kb/articles/q171/3/86.asp has more information on this.


Q. How can a DOS machine connect to an NT domain?

A. Microsoft provide software to enable a DOS machine to participate on a network using a variety of protocols and to connect to a Windows NT domain.

NT Server ships with the "Network Client Administrator" which allows the creation of an installation disk set or a disk to allow Network based installation of a variety of clients, including a network client for DOS.

'Q. How do I install NT over the network?' has an example of creating a network installation disk, instead we will concentrate on creating an installation disk set.

  1. Start Network Client Administrator (Start - Programs - Administrative Tools - Network Client Administrator)
  2. Select "Make Installation Disk Set" and click Continue
  3. You will need to specify the location of the "clients" directory that is on the Windows NT Server CD-ROM (easiest is to copy clients from the CD-ROM, enter the location in the path box and select "Share Files"). Click OK
  4. Select the client to install "Network Client v3.0 for MS-DOS and Windows". Select the destination and click OK.
  5. Insert the first disk and click OK to the dialog.
  6. Files will be copied to the disk

To install on a DOS machine you perform the following:

  1. Insert DISK 1
  2. Change to the disk drive, a:
  3. Run setup.exe
  4. Press ENTER to start the installation
  5. Select the installation target directory, by default C:\NET. Press Enter
  6. Select the network adapter from the displayed list or use a custom adapter by selecting "Network adapter not shown on list below". Press Enter. If you are using a custom disk the program looks for protocol.ini; on my test machine I specified the NDIS\WFW directory on the install disk as the DOS directory did not have all the necessary files.
  7. You now have the option of changing the setup, by default only IPX will be installed, select "Change Network Configuration" and you can remove protocols and add the Microsoft TCP/IP protocol. You can then change the TCP/IP settings to configure IP address/subnet mask etc. Make sure if you are not using TCP/IP to set "Disable Automatic Configuration" to 1.
  8. Restart the machine

When the machine reboots it will load all the network and protocol drivers and then attempt to logon to the network by issuing the

net start

command. You will then be asked for a username and password:

Type your user name, or press ENTER if it is ADMINISTRATOR:
Type your password:

You will be asked if you want to create a password file. If you select yes then you will no longer be asked for a password at start-up time, like an auto-logon but be aware it means anyone accessing your computer can logon as you.


Q. What is the Active Directory?

A. The Active Directory is Microsoft's implementation of a 'Directory Service' and a directory service is basically something that stores data in an organized format and has the mechanisms needed to publish and access the data.

Active Directory is not a Microsoft innovation, but rather an implementation of an existing model (X.500), an existing communication mechanism (LDAP) and an existing location technology (DNS), and each of these are covered in the FAQ.

Before the details of Active Directory are considered, it is important to have an overview of what it is trying to achieve. A directory in its most basic sense is just a container for other information, such as a telephone directory has various entries, and each entry has values. An example would be a name, address and telephone number that would make up a single entry in the directory.

Name: John Savill
Address: 2 SavTech Way, (yeah right :-))
London
Tel: 353 3523
E-mail: [email protected]

In a large directory these entries may be grouped by location or by their type, e.g. lawyers, pest control, etc, or both which would lead to a hierarchy of each type of person in each location. The actual telephone directory would be a directory service as it contains not only the data but also a means to access and use it. The telephone operator would also constitute a directory service as it has access to the data and presents it to you where you can request data and an answer to your query is given.

Active Directory is a type of Directory Service, it holds information about all resources on the network and clients can query the Active Directory for information about any aspect of the network. Active Directory has a number of powerful features:

  • Information is stored in a secure form - each object in the Active Directory has an Access Control List (ACL) which has a list of resources that may access it and to what degree.
  • A flexible mechanism for queries based on a global catalog that is generated by the Active Directory. Any client that supports Active Directory can query the catalog.
  • Replication of the directory to all Domain Controllers in the domain means easier accessibility, higher availability and fault tolerance
  • Extensible design means new object types can be added to the directory or existing objects built on. For example a salary attribute could be added to the user object.
  • Communication can be carried out over a number of protocols due to its X.500 foundation. These include LDAP version 2 and 3, and HTTP
  • Domain Naming System (DNS) used for the naming and location of domain controllers rather than NetBIOS names
  • Information is partitioned in the Directory by domain to avoid replicating excessive amounts of information

The last point regarding partitioning the information in the Directory into different stores does not mean that the Active Directory cannot be queried for information from other domains. Each domain maintains a list of other domains, the location of the global catalog for each of these domains and the Schema of the domain.


Q. A number of Active Directory descriptions.

A. Below are some definitions for the active directory:

ONE SENTENCE SUMMARY OF DNS AND ACTIVE DIRECTORY:

A dns server is used by a client to provide the address of the client's nearest domain controller, which has a copy of Active Directory, which the client then uses to locate whatever object it's looking for.

ONE PARAGRAPH SUMMARY OF DNS AND ACTIVE DIRECTORY:

First a client contacts a dns (domain name system) server which looks up the client's domain, and provides him with the address of the closest dc in that domain. The client proceeds to contact the dc which can then authenticate him. Once authenticated, the client can search Active Directory (a database on the dc) to find objects the client is looking for, like an address for mail, a file, printer, or list of users in a group, etc. If the client cannot contact a dns server, it won't be able to find its domain controller, since only the dns server has the address of it.

ONE PAGE SUMMARY OF DNS AND ACTIVE DIRECTORY:

When dcpromo is performed on a W2K machine named, say, "fido" for the first time creating a new domain, say, "narnia", dcpromo creates two different kinds of "domains". First it creates a domain on the dns server, in our example: "narnia.extest.microsoft.com". This will be found on the extest dns servers, which are in exlab's minilab in bldg 43. Exlab maintains these as community dns servers to save testers the trouble of installing a dns server every time they want to install W2K. Simplified a little, the dns domain on the extest master dns servers looks like this:

extest.microsoft.com
    narnia.extest.microsoft.com
        bigthud dc 172.30.224.34
        blackie dc 172.20.32.13
        etc. (this is very approximate, but functionally identical)

Clients contact the dns server and it looks up the client's domain. Looking for "narnia" the dns server also discovers "bigthud" and "blackie", both dc's of "narnia". Let's say "bigthud" is the closest dc to the client. The dns server would send the client the address of the dc "bigthud", namely, 172.30.224.34. The client connects and accesses the Active Directory domain database stored on "bigthud" to find objects (like printers, file servers, users, groups, organizational units, etc) in the "narnia" domain. "bigthud" also stores links to other domains in the tree "com". Thus, the client can search a whole tree of domains.

If the search needs to go beyond the client's tree of domains, then a version of Active Directory listing the objects in the whole forest is also available. It is called the Global Catalog. The GC can be kept on any dcs in the forest you may choose, or all, but it does not have to be kept on all.

GC is a shorthand way to access an object ANYWHERE in the forest, but it only provides a few of its attributes, you have to go to the domain AD (always on a dc in that domain) to get the whole object. The GC can be configured to provide whatever object attributes you choose, too, not just a rigid default set of them.

To help in creating objects in AD, the dc also keeps a copy of the classes and hierarchy of classes for the whole forest, too. For example, if we had a class of "baseball players", and a derived class "pitchers" (which is just a player with a few records added of strikeouts and no-hitters, etc) then the class structure would be kept in AD in the part called the "Schema". If we then created an actual group of players we would use our Schema classes to make the players as objects (instances of the classes) in Active Directory. We can also add more classes, eg: "football players" and "quarterbacks" to the Schema, and we call that freedom an "extensible Schema".

The schema is a part of the W2K "configuration namespace" kept on all dcs in a forest. A namespace is a range of labels you put on things, eg: a supermarket "aisle" namespace: aisle=cookies, shelf=top, item=oreo. The configuration namespace in W2K consists of a number of defined items such as physical locations, W2k "sites" (a site is a child of a forest, and can contain machines from any domain, only condition being that all machines in a site have fast reliable net connections for dc replication), and "subnets" which are IP address groupings assigned to sites which help further speed up AD replication amongst dc's, eg: "your dc rocks if it's in the IP subnet and W2K site where its friends are".

Active Directory employs LDAP (Lightweight Directory Access Protocol, a standard Internet protocol that many applications use) to access its records. Why? Because its records are STORED on the dc in "LDAP distinguished name format". But what is LDAP distinguished name format? In the following LDAP distinguished name format example "fred" is a user in the "programming" organizational unit in "narnia" domain in "extest" domain in "microsoft" domain in "com" domain:

cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com

where cn stands for common name, ou stands for organizational unit, and dc in this case stands for "domain component", NOT domain controller. This is how "fred" appears in Active Directory, and a client such as an administrator can access attributes about fred using that syntax, assuming the client has security permissions to do so.

The client's actions are straightforward, as long as the client talks LDAP to Active Directory. However, an action may be done from a client running an application that uses a different name format. To support this, there are two other name formats that can be used (with a little translating) to access Active Directory:

1. "LDAP URL":
Example:
LDAP://server1.narnia.extest.microsoft.com/cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com.

2. "Active Directory Canonical name":
Example:
narnia.extest.microsoft.com/programming/fred. This last one, "Active Directory Canonical name" is what you'll see in user interfaces in W2K.
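The three name formats above can be derived from one another mechanically. The following added example (not part of the original FAQ or of any Microsoft tool) parses a distinguished name, including values that contain an escaped comma, and produces the LDAP URL and canonical forms. The function names, the "Savill\, John" entry and the escaping of "/" in canonical output are assumptions of this example.

```python
import string


def unescape(value):
    """Undo backslash escapes in one DN value: '\\,' -> ',' and
    '\\2C' -> ',' (hex pairs are treated as single ASCII characters here)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def split_dn(dn):
    """Split a DN into [(attribute, value), ...], most specific first.
    A comma preceded by a backslash belongs to the value, so a plain
    dn.split(",") would cut such names in the wrong place."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape for unescape()
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        attr, sep, value = part.lstrip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError("malformed component: %r" % part)
        rdns.append((attr.strip().lower(), unescape(value)))
    return rdns


def to_canonical(dn):
    """cn=fred,ou=programming,dc=narnia,... -> narnia.../programming/fred"""
    rdns = split_dn(dn)
    domain = [value for attr, value in rdns if attr == "dc"]
    if not domain:
        raise ValueError("no dc= components, cannot build the domain part")
    first_dc = next(i for i, (attr, _) in enumerate(rdns) if attr == "dc")
    if any(attr != "dc" for attr, _ in rdns[first_dc:]):
        raise ValueError("dc= components must come last")
    # Containers are listed leaf-first in a DN and root-first in the
    # canonical form. A '/' inside a name is escaped so the path stays
    # unambiguous (assumption of this example).
    path = [value.replace("\\", "\\\\").replace("/", "\\/")
            for _, value in reversed(rdns[:first_dc])]
    return ".".join(domain) + "/" + "/".join(path)


def to_ldap_url(server, dn):
    """The 'LDAP URL' form shown above: LDAP://<server>/<distinguished name>."""
    split_dn(dn)                          # reject malformed names early
    return "LDAP://%s/%s" % (server, dn)


if __name__ == "__main__":
    fred = "cn=fred,ou=programming,dc=narnia,dc=extest,dc=microsoft,dc=com"
    print(to_canonical(fred))
    print(to_ldap_url("server1.narnia.extest.microsoft.com", fred))
    # Constructed entry whose common name contains a comma.
    tricky = r"cn=Savill\, John,ou=programming,dc=narnia,dc=com"
    print(split_dn(tricky)[0], "vs naive split:", tricky.split(",")[:2])
```

Any code that compares or filters on distinguished names should work on the parsed components rather than on comma-split strings, since the two disagree as soon as a value contains an escaped comma.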


Q. What is X.500 and LDAP?

A. X.500 is the most common protocol that is used for Directory Management and there are currently 2 main standards, the 1988 and 1993 standards with the 1993 standard providing a number of advances over the older standard. The Windows NT 5.0 implementation of its Directory Services is derived from the 1993 X.500 standard as described below.

The X.500 model uses a hierarchical approach to the objects in the name space with a root at the top of the namespace with children coming off of it. Domains in Windows 2000 are DNS names, for example savilltech.com is a domain name, legal.savilltech.com is a child domain of savilltech.com. Child domains are covered elsewhere.

[Image: X.500 structure]

The example shows a root of the directory service and then a number of children. In this case the first layer or children represent countries, however there are no rules and you may break these down however you want. Imagine each country as a child domain of the root, for example usa.root.com and england.root.com. Each child domain can then be broken into a number of organizations. These organizations can be broken down further into organizational units and various privileges/policies can be applied to each Organization unit. Each Organizational Unit has a number of objects such as users, computers, groups etc.

While the directory service is based on X.500, the access mechanism actually uses LDAP (Lightweight Directory Access Protocol) which solves a number of problems with X.500.

X.500 is part of the OSI model however this does not translate well into a TCP/IP protocol environment so LDAP uses TCP/IP for its communication medium. LDAP cuts down on the functions available with a full X.500 implementation making a leaner faster directory service while keeping the overall structure of X.500.

LDAP is actually the mechanism used to communicate with the Active Directory and performs basic read, write, and modify operations.

More on X.500 can be found at http://www.salford.ac.uk/its024/X500.htm


Q. What is the Global Catalog?

A. The Global Catalog contains an entry for every object in the enterprise forest (the term forest is explained later) but contains only a few properties of each object. The entire forest shares a global catalog with multiple servers holding copies. Searches in the whole enterprise forest can only be done on the properties in the Catalog, whereas searches in the user's own domain tree can be for any property. Only Directory Services (or Domain Controllers) can be configured to hold a copy of the Global Catalog.

Do not configure too many global catalogs in each domain, as you will waste network bandwidth with the replication. One global catalog server per domain in each physical location is sufficient; however, NT will set servers as Global Catalogs as it thinks are necessary, so there should be no need for you to modify this unless you notice slow query response times.

Since full searches involve querying the whole domain tree rather than the global catalog, grouping the enterprise into a single tree will improve your searches as it will allow you to query on items not in the global catalog, thus a larger search criteria.


Q. How do I configure a server as a Global Catalog?

A. To configure a Windows 2000 domain controller as a global catalog server perform the following:

  1. Start the Active Directory Sites and Services Manager (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
  2. Select the sites branch.
  3. Select the site that owns the server, expand the servers branch and the server in question
  4. Right click on "NTDS Settings" and choose Properties
  5. Check or uncheck the "Global Catalog" box. Click Apply then OK

Global Catalog


Q. What is the Schema?

A. The Schema is a blueprint of all objects in the domain and when first created a default Schema exists which contains definitions for users, computers, domains etc. Because of this, you can only have one schema per domain as you cannot have multiple definitions of the same object.

The default schema definition is defined in the SCHEMA.INI file that also contains the initial structure for the NTDS.DIT (storage for the Directory data). This file is located in the %systemroot%\ntds directory. This file is a plain ASCII format file and can be typed out. You will also notice a file ntds.dit which is the storage location for the Active Directory.


Q. What is a domain tree?

A. In Windows 2000 one domain can be a child of another domain, e.g. child.domain.com is a child of domain.com (a child domain always has the complete domain name of the parent in it), and a child domain and its parent share a two way transitive trust.

When you have a domain as a child of another, a domain tree is formed. A domain tree has to have a contiguous name space.

Tree
Notice in the second diagram the lack of contiguous names means they are not part of the tree

The name of the tree is the root domain name, so in the example the tree would be referred to as root.com. Since the domains are DNS names and inherit the parent part of the name, if a part of the tree is renamed, then all of its children will implicitly also be renamed, for example if parent ntfaq.com of sales.ntfaq.com was renamed to backoffice.com the child would be renamed to sales.backoffice.com. This is not actually currently possible though.

Domain trees can currently only be created during the server to Domain Controller promotion process with DCPROMO.EXE, this may change in the future.

There are a number of advantages in placing domains in a tree. The first and most useful is that all members of a tree have Kerberos transitive trusts with their parent and all their children. These transitive trusts also mean that any user or group in a domain tree can be granted access to any object in the entire tree. This also means that a single network logon can be used at any workstation in the domain tree.


Q. What is a domain forest?

A. You may have a number of separate domain trees in your organization that you would like to share resources and this can be accomplished by joining trees to form a forest.

A forest is a collection of trees that do not have to form a contiguous name space (however each tree still has to be contiguous). This may be useful if your company has multiple root DNS addresses.

Forest

As can be seen from the example, the two root domains are joined via a transitive, two-way Kerberos trust, as in the trust created between a child and its parent. Forests always contain the entire domain tree of each domain and it is not possible to create a forest containing only parts of a domain tree.

Forests are created during the server to Domain Controller promotion process with DCPROMO and can currently not be created at any other time, this will change in the next version.

You are not limited to only 2 domain trees in a forest, you can add as many trees as you want and all domains within the forest will be able to grant access to objects for any user within the forest. Again this cuts back on having to manually manage the trust relationships. The effect of creating a forest is the following:

  • All trees have a common Global Catalog containing specific information about every object in the forest
  • The trees all contain a common schema. Microsoft has not yet confirmed the action if 2 trees have different schemas before they are joined. I assume the changes will be merged
  • Searches in a forest will perform a deep search of the entire tree of the domain the request is initiated from and use the Global Catalog entries for the rest of the forest

You may of course choose not to join trees to become a forest and may instead create normal trusts between individual elements of the trees.


Q. What is a Kerberos trust?

A. Windows NT 4.0 trust relationships are not transitive so if domain2 trusts domain1, and domain3 trusts domain2, domain3 does not trust domain1.

Transitive Trusts

This is not the case with the trust relationships used to connect members of a tree/forest in Windows 2000. Trust relationships used in a tree are two-way, transitive Kerberos trusts, which means any domain in a tree implicitly trusts every other domain in the tree/forest. This removes the need for time-consuming administration of the trusts as they are created automatically when a domain joins a tree.

Kerberos is the primary security protocol for Windows NT. Kerberos verifies both the identity of the user and the integrity of the session data. The Kerberos services are installed on each domain controller, and a Kerberos client is installed on each Windows NT workstation and server. A user's initial Kerberos authentication provides the user a single logon to enterprise resources. Kerberos is not a Microsoft protocol and is based on version 5.0 of Kerberos. For more information see IETF RFCs (Requests For Comments) 1510 and 1964. These documents are available on the web from http://www.isi.edu/rfc-editor/rfc.html.


Q. How do I create a new Active Directory Site?

A. Active Directory has the concept of sites, which can be used to group servers into containers that mirror the physical topology of your network and allow you to configure replication between domain controllers (among other things). A number of TCP/IP subnets can also be mapped to sites, which then allows new servers to automatically join the correct site depending on their IP address and clients to easily find the domain controller closest to them.

When you create the first domain controller a default site, Default-First-Site-Name is created to which the domain controller is assigned. Subsequent domain controllers are also added to this site however they can then be moved. This site can be renamed if you wish.

Sites are administered and created using the "Active Directory Sites and Services Manager" MMC snap-in. To create a new site perform the following:

  1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
  2. Right click on the Site branch and select New - Site from the displayed context menu
  3. Enter a name for the site, e.g. NewYork. The name must be 63 characters or less and cannot contain . or space characters. You must also select a site link (by default there will only be one, DEFAULTIPSITELINK of type IP).
  4. Click OK

Now the site is created you can assign various IP subnets to it as follows:

  1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
  2. Expand the Sites branch
  3. Right click on Subnets and select New - Subnet
    New subnet
  4. You must enter the name of subnet of the form <network>/<bits masked>, e.g. 200.200.201.0/24 would be network 200.200.201.0 with subnet mask 255.255.255.0. Select the Site to associate the subnet with, e.g. Australia.
    New subnet to site link
  5. Click OK

You now have a subnet linked to a site. You can assign multiple subnets to a site if you wish.

If you are confused about the bits masked in the subnet name it can be between 22 and 32 and is just the number of bits set in the subnet mask. The subnet mask is made up of 4 sets of 8 bits. To convert the subnet mask to bits you can use the illustration below.

Subnet mask

Therefore the subnet mask 255.255.255.0 would be 11111111.11111111.11111111.00000000 in binary which therefore uses 8+8+8 bits (24) to define the subnet mask. A subnet mask of 255.255.252.0 would be 11111111.11111111.11111100.00000000 which is 8+8+6 or 22.
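The mask-to-bits conversion and the <network>/<bits masked> subnet naming described above, as an added Python example that is not part of the original FAQ. The function names are illustrative, and picking the most specific subnet when two overlap is an assumption of this sketch.

```python
"""Subnet-object naming and site lookup as described above (constructed example)."""
import ipaddress


def mask_to_bits(mask):
    """Dotted subnet mask -> number of set bits; rejects masks with holes."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask!r}")
    binary = "".join(f"{o:08b}" for o in octets)
    if "01" in binary:          # a 1 after a 0 means the mask is not contiguous
        raise ValueError(f"mask bits are not contiguous: {mask!r}")
    return binary.count("1")


def subnet_name(network, mask):
    """Build the <network>/<bits masked> name used for a subnet object."""
    bits = mask_to_bits(mask)
    # strict=True raises ValueError if the network address has host bits set
    return str(ipaddress.ip_network(f"{network}/{bits}", strict=True))


def valid_site_name(name):
    """Site name rule from the text: 63 characters or less, no '.' or space."""
    return 0 < len(name) <= 63 and "." not in name and " " not in name


def site_for(address, subnet_to_site):
    """Return the site whose subnet contains address, or None if unmapped.

    Assumption: when subnets overlap, the most specific (longest mask) wins.
    """
    ip = ipaddress.ip_address(address)
    best = None
    for name, site in subnet_to_site.items():
        net = ipaddress.ip_network(name, strict=True)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed mapping using the site names that appear in the text.
    mapping = {
        subnet_name("200.200.201.0", "255.255.255.0"): "Australia",
        subnet_name("200.200.200.0", "255.255.252.0"): "London",
    }
    for host in ("200.200.201.77", "200.200.202.9", "10.1.1.1"):
        print(host, "->", site_for(host, mapping))
```

A host that maps to None sits on a subnet with no subnet object, which is worth reviewing because such a machine gets no site-based domain controller selection.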


Q. How do I move a server to a different site?

A. If your sites and subnets are configured then new servers will automatically get added to the site that owns the subnet however you can also manually move a server to a different site:

  1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services Manager)
  2. Expand the Sites container.
  3. Expand the site that currently contains the server, expand the Servers container
  4. Right click on the server and select Move from the context menu
    Move server
  5. You will be shown a list of all sites. Select the new target site and click OK

The move will take immediate effect.


Q. How can a server belong to more than one site?

A. By default a server will belong to one site however you may want to configure a server to belong to multiple sites.

Bear in mind sites are used for replication, for clients to find resources and to cut down on traffic on inter-site connections so just modifying the site membership may cause performance problems.

To configure a server to have multiple site membership perform the following:

  1. Log on to the server that should join multiple sites
  2. Start the registry editor (regedt32.exe not regedit.exe)
  3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  4. Select "Add Value" from the Edit menu
  5. Enter a name of SiteCoverage and of type REG_MULTI_SZ. Click OK
  6. Enter the names of the sites to join, each on a new line, e.g.
    Australia
    London
    Press Shift-Enter to move to the next line. Click OK
  7. Close the registry editor

The above does not create the objects in the Active Directory to evaluate the sites and these need to be added manually.


Q. How can I backup the Active Directory/System State?

A. The Active Directory is backed up using the NTBACKUP.EXE utility. The Active Directory is part of the machine's System State which is defined as follows:

For all Windows 2000 machines the System State includes the registry, class registration database and the system boot files. For a Windows 2000 Server that is a certificate server it also contains the Certificate Services database. Finally for a Windows 2000 machine that is a domain controller it includes the Active Directory and the SYSVOL directory also.

To backup the System State using the Backup Wizard perform the following:

  1. Start NTBACKUP.EXE
  2. NTBACKUP.EXE will start in the Welcome screen. Click the 'Backup Wizard' button
  3. Click Next to the introduction dialog
  4. In the dialog that asks what to backup select 'Only back up the Distributed Service Set' and click Next
  5. You should then continue as per normal by selecting the backup media etc.

If you don't want to use the wizard it can be manually backed up as follows:

  1. Start NTBACKUP.EXE
  2. Select the Backup tab
  3. Check the 'System State' box (and any other drives)
    Active Directory Backup
  4. Select the backup destination
  5. Click 'Start Backup'
  6. Confirm the backup description and click 'Start Backup'
  7. The backup will then begin

To backup only the System State from the command line use the command

C:\> ntbackup backup systemstate /f d:\active.bkf

Of course this is the most basic backup to file and you can use more complex options.


Q. How can I restore the Active Directory?

A. The Active Directory cannot be restored to a domain controller while the Directory Service is running so to restore perform the following:

  1. Reboot the computer
  2. At the boot menu select "Windows 2000 Server" but do NOT press Enter. Press F8 for advanced options
    OS Loader V5.0

    Windows NT Advanced Options Menu
    Please select an option:

      Safe Mode
      Safe Mode with Networking
      Safe Mode with Command Prompt

      Enable Boot Logging
      Enable VGA Mode
      Last Known Good Configuration
      Directory Services Restore Mode (Windows NT domain controllers only)
      Debugging Mode

    Use ↑ and ↓ to move the highlight to your choice.
    Press Enter to choose.
  3. Scroll down and select "Directory Services Restore Mode (Windows NT domain controllers only)"
  4. Press Enter
  5. You will be taken back to the boot menu and now press Enter to Windows 2000 Server (notice at the bottom of the screen in red the text 'Directory Services Restore Mode (Windows NT domain controllers only)' will be shown)

The computer will boot into a special safe mode and will not start the Directory Service. Be warned that during this time the machine will not act as a domain controller and will not perform authentication etc.

  1. Start NTBACKUP.EXE
  2. Select the Restore tab
  3. Select the backup media and select "System State"
  4. Click 'Start Restore'
  5. Click OK to the confirmation

Once you have restored the backup reboot the computer and start in normal mode to start using the restored information. You may find a hang after the restore has completed and I found a 30 minute wait on some machines.


Q. What are the FSMO roles in Windows 2000?

A. In Windows 2000 all domain controllers are equal and through a process known as multi-master replication changes are replicated to all domain controllers in the domain. However in keeping with George Orwell's Animal Farm some Domain Controllers are more equal than others.

Multi-master replication resolves conflicts, however in some situations it is better to stop the conflict before it happens and to this end there are five different Flexible Single Master of Operations (FSMO) roles (formerly known as Floating Single Master of Operations as the roles were originally going to be dynamically changeable), each managing an aspect of the domain/forest. These roles can be moved between domain controllers but not dynamically; they must be manually moved in the same manner as a BDC has to be manually promoted to a PDC.

There are two types of roles, some are per domain, some are per forest. Only a domain controller in the domain can hold a domain specific FSMO role, any domain controller in the forest can hold a forest FSMO role. Domain controllers cannot hold FSMO roles in other domains/forests.

These roles are assigned in different GUI ways or using the NTDSUTIL utility.

The five roles are defined below:

Role name: Schema master
Description: At the heart of the Active Directory is the schema which is like the blueprint of all objects/containers. Since the schema has to be the same throughout the entire forest only one machine can authorize modifications to the schema.
Per domain/forest: One per forest

Role name: Domain naming master
Description: To add a domain to the forest its name has to be verifiably unique and so the Domain naming master FSMO of the forest is contacted to authorize the domain name operation.
Per domain/forest: One per forest

Role name: RID master
Description: Any domain controller can create new objects (such as a user, group, computer account) however after creating 512 user objects the domain controller must contact the domain's RID master for another 512 RIDs (it actually contacts when it has less than 100 RIDs left, this means the RID master can be unavailable for short periods of time without causing object creation problems). This is to ensure each object has a unique RID.
When a DC creates a security principal object it attaches a unique SID to the object. The SID is created using the domain SID and a relative ID (the RID).
The RID master has to be available when attempting to move objects between domains with the resource kit movetree utility.
Per domain/forest: One per domain

Role name: PDC emulator
Description: For backwards compatibility reasons one domain controller in each 2000 domain must emulate a PDC for the benefit of 4.0 and 3.5 domain controllers and clients.
Per domain/forest: One per domain

Role name: Infrastructure master
Description: When a user and group are in different domains there can be a lag between changes to the user (e.g. name) and its display in the group. The infrastructure master of the group's domain is responsible for fixing up the group-to-user reference to reflect the rename. The infrastructure master performs its fixups locally and relies upon replication to bring all other replicas of the domain up to date.
Per domain/forest: One per domain

Q. How can I change the RID master FSMO?

A. The RID master is defined here.

To modify the role perform the following:

  1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
  3. Select the domain controller you wish to make the FSMO role owner and click OK.
    Change Domain Controller
  4. Right click on the domain again and select 'Operations Masters' from the context menu
  5. Select the 'RID Pool' tab
  6. The current machine holding the RID master FSMO role will be shown. To change click 'Change..'
    RID master
  7. Click OK to the confirmation dialog.
  8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands in bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer rid master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit


Q. How can I change the PDC emulator FSMO?

A. The PDC emulator is defined here.

To modify the role perform the following:

  1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
  3. Select the domain controller you wish to make the FSMO role owner and click OK.
    Change Domain Controller
  4. Right click on the domain again and select 'Operations Masters' from the context menu
  5. Select the 'PDC' tab
  6. The current machine holding the PDC emulator FSMO role will be shown. To change click 'Change..'
    PDC Emulator
  7. Click OK to the confirmation dialog.
  8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands in bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer pdc

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit


Q. How can I change the Infrastructure master FSMO?

A. The Infrastructure master is defined here.

To modify the role perform the following:

  1. Start the Active Directory Users and Computers MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. In the left hand pane right click on the domain and select 'Connect to Domain Controller'
  3. Select the domain controller you wish to make the FSMO role owner and click OK.
    Change Domain Controller
  4. Right click on the domain again and select 'Operations Masters' from the context menu
  5. Select the 'Infrastructure' tab
  6. The current machine holding the Infrastructure FSMO role will be shown. To change click 'Change..'
    Infrastructure FSMO
  7. Click OK to the confirmation dialog.
  8. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands in bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer infrastructure master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit


Q. How can I change the Domain naming master FSMO?

A. The Domain naming master is defined here.

To modify the role perform the following however make sure the machine is a global catalog:

  1. Start the Active Directory Domains and Trusts MMC snap-in on the Domain Controller (Start - Programs - Administrative Tools - Active Directory Domains and Trusts)
  2. In the left hand pane right click on 'Active Directory Domains and Trusts' and select 'Connect to Domain Controller' from the context menu
  3. Enter the domain controller to connect to.
    Change DC
  4. Right click on 'Active Directory Domains and Trusts' and select 'Operations Master' from the context menu
  5. The current machine holding the Domain name operations FSMO role will be shown. To change click 'Change..'
    Operations master
  6. Click OK to the confirmation dialog.
  7. A dialog confirming the role change will be displayed.

This can also be accomplished using the NTDSUTIL.EXE utility. Enter the commands in bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer domain naming master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit


Q. How can I change the Schema master FSMO?

A. The Schema master is defined here.

To modify the role you must use the 'Active Directory Schema Manager' and you must first register the .dll for the MMC snap-in

C:\> regsvr32 schmmgmt.dll

You can now start the Schema Manager via the Resource Kit Tools console or by creating a custom MMC and add the Active Directory Schema snap-in to it (Start - Run - MMC - Console menu - Add/Remove Snap-in - Add - Active Directory Schema - Add - Close - OK)

  1. Start the Active Directory Schema MMC snap-in on the Domain Controller (using one of the methods above)
  2. In the left hand pane right click on 'Active Directory Schema' and select 'Change Domain Controller' from the context menu
  3. Enter the domain controller to connect to.
    Change DC
  4. Right click on 'Active Directory Domains Schema' and select 'Operations Master' from the context menu
  5. The current machine holding the Domain name operations FSMO role will be shown. To change click 'Change..'
    Schema Master Change
    You can also set the registry to allow changes to the Schema by checking the Schema modification box. Also notice this machine is already the schema master.
  6. Click OK to the confirmation dialog.
  7. A dialog confirming the role change will be displayed.

To modify the role from the command line enter the commands in bold

C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server <server name>
server connections: quit
fsmo maintenance: transfer schema master

Click Yes to the role transfer dialog

Server "titanic" knows about 5 roles
Schema - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Domain - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
PDC - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
RID - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com
Infrastructure - CN=NTDS Settings,CN=TITANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=savilltech,DC=com

fsmo maintenance: quit
ntdsutil: quit
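A check an administrator can run on the "knows about 5 roles" listing that ntdsutil prints in the FSMO answers above: parse the role holders and report any that differ from a recorded baseline. This is an added Python example, not part of the original FAQ; the listing text is constructed in the page's format, and PLUTO as a second role holder is hypothetical.

```python
"""Parse ntdsutil's role listing and diff holders against a baseline (constructed example)."""
import re

HEADER = re.compile(r'^Server "(?P<server>[^"]+)" knows about (?P<count>\d+) roles$')
ROLE = re.compile(r"^(?P<role>Schema|Domain|PDC|RID|Infrastructure) - (?P<dn>.+)$")

_DN = ("CN=NTDS Settings,CN={server},CN=Servers,CN=Default-First-Site-Name,"
       "CN=Sites,CN=Configuration,DC=savilltech,DC=com")
_ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")


def sample_listing(holders):
    """Build a constructed listing in the layout shown in the answers above."""
    lines = ['Server "titanic" knows about %d roles' % len(holders)]
    lines += [f"{role} - {_DN.format(server=srv)}" for role, srv in holders.items()]
    return "\n".join(lines)


# Constructed samples: a baseline, and a later capture where RID has moved.
BASELINE_OUTPUT = sample_listing({r: "TITANIC" for r in _ROLES})
OBSERVED_OUTPUT = sample_listing({**{r: "TITANIC" for r in _ROLES}, "RID": "PLUTO"})


def parse_roles(output):
    """Return {role: (server, site)}; raise ValueError on a short or odd listing."""
    declared, roles = None, {}
    for raw in output.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            declared = int(head["count"])
            continue
        m = ROLE.match(line)
        if not m:
            continue                    # prompts, blank lines, dialog text
        # Simple split: assumes server and site names contain no commas.
        rdns = [part.strip() for part in m["dn"].split(",")]
        if (len(rdns) < 5 or rdns[0] != "CN=NTDS Settings"
                or rdns[2] != "CN=Servers" or rdns[4] != "CN=Sites"):
            raise ValueError(f"unexpected holder DN for {m['role']}: {m['dn']}")
        roles[m["role"]] = (rdns[1][3:].upper(), rdns[3][3:])
    if declared is None or declared != len(roles):
        raise ValueError(f"listing declares {declared} roles, parsed {len(roles)}")
    return roles


def role_changes(baseline, observed):
    """Return {role: (holder_before, holder_after)} for every role that differs."""
    changes = {}
    for role in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(role), observed.get(role)
        if before != after:
            changes[role] = (before, after)
    return changes


if __name__ == "__main__":
    diff = role_changes(parse_roles(BASELINE_OUTPUT), parse_roles(OBSERVED_OUTPUT))
    for role, (before, after) in diff.items():
        print(f"{role}: {before} -> {after}")
```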


Q. What is Multi-master replication?

A. In a Windows 2000 domain, all domain controllers are equal, which means changes can be made on ANY domain controller and each server's complete domain directory has to be kept up-to-date with the others through a process of multi-master replication.

Each time a change is made to the Active Directory, the Update Sequence Number (USN) of the server where the change is made is incremented by one, and this USN is also stored along with the change to the property of the object modified. These changes have to be replicated to all domain controllers in the domain and the Update Sequence Number provides the key to the multi-master replication.

Update Sequence Number increments are atomic in operation, which means that the increment to the USN and the actual change occur simultaneously. If one part fails the whole change fails, so it is not possible for a change to be made without the USN being incremented, which means changes will never be "lost". Each domain controller keeps track of the highest USNs of the other domain controllers that it replicates with so it can calculate which changes it needs to be replicated on each replication cycle.

At the start of the replication cycle each server checks its Update Sequence Number table and then queries the domain controllers it replicates with for their latest USNs. For example the table below represents the USN table for server A

DC B    DC C    DC D
54      23      53

Server A then queries the domain controllers for their current USNs and gets the following:

DC B    DC C    DC D
58      23      64

From this server A can calculate the changes it needs from each server:

DC B           DC C          DC D
55,56,57,58    Up-to-date    54-64

It would then query each server for the changes needed.

It is possible for multiple changes to the same property of an object to occur, and collisions are detected via a Property Version Number (PVN) which every property has. These work like the USNs and each time a property is modified, the PVN is incremented by one.

In the event of a modification to the same property of the same object, the change with the highest PVN takes precedence, and if the PVNs are the same for a property update then a collision has occurred. If the PVNs match then the time stamp is used to resolve any conflicts. Each change is time stamped and this highlights the need for the domain controllers' time to be accurate with one another. In the highly unlikely event that the PVNs match AND the time stamp is the same, a binary buffer comparison is carried out with the larger buffer size change taking precedence. Property Version Numbers are only incremented on original writes and not on replication writes (unlike USNs) and are not server specific but rather travel with the property.

A propagation-dampening scheme is also used to stop changes being repeatedly sent to other servers which already have the change, and to this end each server keeps a table of up-to-date vectors which are the highest originating writes that are received from each controller and take the form of:

<the change>,<domain controller making the original change>,<USN of the change>

For example

<object savillj, property Password xxx>,Titanic,54

Domain controllers then also send this information with the USN's so they can calculate if they already have the change the other domain controllers are trying to replicate.
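The replication cycle described in this answer, as an added Python sketch that is not part of the original FAQ and is not Active Directory code: it computes the USN ranges from the tables above, resolves a collision in the stated order (PVN, then time stamp, then buffer), and applies propagation dampening. Class and function names are illustrative, and ordering equal-length buffers by their bytes is an assumption.

```python
"""Toy model of the USN / PVN mechanics described above (constructed example)."""
from dataclasses import dataclass


def changes_needed(stored, current):
    """Per partner DC: inclusive (first, last) USN range to request, or None."""
    needed = {}
    for dc, latest in current.items():
        known = stored.get(dc, 0)
        needed[dc] = (known + 1, latest) if latest > known else None
    return needed


@dataclass(frozen=True)
class PropertyWrite:
    value: bytes
    pvn: int          # Property Version Number, travels with the property
    timestamp: int    # time of the originating write
    origin_dc: str    # domain controller making the original change
    origin_usn: int   # that controller's USN for the change


def resolve(current, incoming):
    """Pick the winner: highest PVN, then latest time stamp, then larger buffer."""
    def rank(w):
        # Assumption: equal-length buffers are ordered by their bytes.
        return (w.pvn, w.timestamp, len(w.value), w.value)
    return incoming if rank(incoming) > rank(current) else current


class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0            # bumped on original AND replicated writes
        self.props = {}         # (object, property) -> PropertyWrite
        self.log = []           # (local USN, key, write) in commit order
        self.up_to_date = {}    # originating DC -> highest originating USN held

    def _commit(self, key, write):
        self.usn += 1
        self.props[key] = write
        self.log.append((self.usn, key, write))

    def originate(self, obj, prop, value, timestamp):
        """Original write: increments both the PVN and the local USN."""
        key = (obj, prop)
        old = self.props.get(key)
        write = PropertyWrite(value, (old.pvn if old else 0) + 1,
                              timestamp, self.name, self.usn + 1)
        self._commit(key, write)
        self.up_to_date[self.name] = write.origin_usn
        return write

    def pull_from(self, partner, high_watermark):
        """Replicate partner changes above high_watermark.

        Returns (new watermark for this partner, number of changes applied).
        """
        applied = 0
        for local_usn, key, write in partner.log:
            if local_usn <= high_watermark:
                continue
            if self.up_to_date.get(write.origin_dc, 0) >= write.origin_usn:
                continue        # propagation dampening: change already held
            self.up_to_date[write.origin_dc] = write.origin_usn
            current = self.props.get(key)
            if current is None or resolve(current, write) is write:
                self._commit(key, write)    # replicated write: PVN unchanged
                applied += 1
        return partner.usn, applied


if __name__ == "__main__":
    print(changes_needed({"DC B": 54, "DC C": 23, "DC D": 53},
                         {"DC B": 58, "DC C": 23, "DC D": 64}))
```

Because the time stamp breaks PVN ties, a domain controller with a skewed clock can win or lose collisions it should not, which is why the answer stresses accurate time between controllers.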


Q. How can I move objects within my Forest?

A. The Windows 2000 Resource Kit ships with the MOVETREE.EXE utility which can be used to move organizational units, users or computers between domains in a single forest. This is useful for the consolidation of domains or to reflect organization restructuring.

Certain objects cannot be moved with MOVETREE such as Local and Domain Global groups and if the container they are in is moved these objects will be placed in an "orphan" container in the "LostAndFound" container in the source domain.

Associated data is not moved with MOVETREE such as policies, profiles, logon scripts and personal data. To accomplish the movement of these items you should write custom scripts using the 'Remote Administration Scripts'.

The syntax of MOVETREE is

MoveTree [/start | /continue | /check] [/s SrcDSA] [/d DstDSA] [/sdn SrcDN] [/ddn DstDN] [/u Domain\Username] [/p Password] [/quiet]

/start Start a move tree operation with /check option by default. Instead, you could be able to use /startnocheck to start a move tree operation without any check.
/continue Continue a failed move tree operation.
/check Check the whole tree before actually move any object.
/s <SrcDSA> Source server's fully qualified primary DNS name. Required
/d <DstDSA> Destination server's fully qualified primary DNS name. Required
/sdn <SrcDN> Source sub-tree's root DN. Required in Start and Check case. Optional in Continue case
/ddn <DstDN> Destination sub-tree's root DN. RDN plus Destinaton Parent DN. Required
/u <Domain\UserName> Domain Name and User Account Name. Optional
/p <Password> Password. Optional
/quiet Quiet Mode. Without Any Screen Output. Optional

You should first run in /check mode as this will perform a test without actually performing the move. Any errors will be displayed and also written to the file movetree.err in your current directory. If the test is OK run with the /start option.

An example use would be

C:\> movetree /check /s titanic.market.savilltech.com /d pluto.legal.savilltech.com /sdn OU=testing,DC=Market,DC=Savilltech,DC=COM /ddn OU=test2,DC=Legal,DC=Savilltech,DC=COM

Because /check is used, this would test the move of the OU testing from domain market.savilltech.com to test2 in domain legal.savilltech.com; running it with /start would perform the move.


Q. How do I allow modifications to the Schema?

A. The Schema is extensible, which means it can be changed, but modifying the Schema is a dangerous task as it will affect the entire domain Forest (since a forest shares a common schema). Someone at Microsoft once said the following:

"If you find you have to change the schema find another way. If you still have to, look again. If after all that you find you still need to change the schema you better make sure your managers are fully aware of the implications"

That being said, there are two ways to allow modifications.

If you want to use the GUI, first register the .dll for the MMC snap-in (if you haven't already)

C:\> regsvr32 schmmgmt.dll

You can now start the Schema Manager via the Resource Kit Tools console or by creating a custom MMC and adding the Active Directory Schema snap-in to it (Start - Run - MMC - Console menu - Add/Remove Snap-in - Add - Active Directory Schema - Add - Close - OK)

  1. Start the Active Directory Schema MMC snap-in on the Domain Controller (using one of the methods above)
  2. In the left hand pane right click on 'Active Directory Schema' and select 'Operations Master' from the context menu
  3. The current machine holding the Domain name operations FSMO role will be shown. Check the "The Schema may be modified on this server" box.
  4. Click OK to the confirmation dialog.

This can also be accomplished by directly editing the registry

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. Double click on 'Schema Update Allowed' (of type REG_DWORD)
  4. Set to 1.
  5. Click OK
  6. Close the registry editor



Q. What are Tombstone objects?

A. Because of the complex replication available in Windows 2000 and the Active Directory, simply deleting an object could result in it being recreated at the next replication interval, so deleted objects are 'Tombstoned' instead. This marks them as deleted, and it applies to all objects.

Objects marked as tombstoned are actually deleted 60 days after they were originally tombstoned. This time can be changed by modifying tombstonelifetime under cn=DirectoryServices,cn=WindowsNT,cn=Services,cn=Configuration,dc=DomainName, however this is not advised.


Q. How do I switch my 2000 domain to native mode?

A. Windows 2000 domains have two modes, mixed and native. Mixed mode domains allow Windows NT 4.0 Backup Domain Controllers to participate in a Windows 2000 domain.

In native mode only 2000 based domain controllers can participate in the domain, and 4.0 based Backup Domain Controllers will no longer be able to act as domain controllers. The switch to native mode also allows use of the new "Universal" groups which, unlike global groups, can be nested inside each other. Older NetBIOS based clients will still be able to log on using the NetBIOS domain name even in native mode.

To perform the switch perform the following:

  1. Start the Active Directory Domains and Trusts MMC snap-in
  2. Right click on the domain you want to convert to native mode and select Properties
  3. Select the General tab
  4. Click the 'Change Mode' button
  5. Click Yes to the confirmation
  6. Click Apply to the main dialog
  7. A success message will be displayed. Click OK
  8. Reboot the machine (although I have been told a reboot is not needed).

You will need to check all other domain controllers in the domain and, when the domain operation mode says "Native Mode" (instead of mixed mode), reboot them. This can take 15 minutes (or more if a domain controller cannot be contacted).

If a domain controller cannot be contacted when you make the change (e.g. it is on a remote site and only connects periodically), the remote DC will switch mode the next time replication occurs.


Q. How can I force replication between two domain controllers in a site?

A. In Windows NT 4.0 replication between domain controllers could be forced using Server Manager. Replication can also be forced with Windows 2000 domain controllers as follows.

  1. Start the Active Directory Sites and Services MMC snap-in
  2. Expand the sites branch which will show the various sites
  3. The default site 'Default-First-Site-Name' may be your only site. Expand the site containing the domain controllers
  4. Expand the servers
  5. Select the server that you want to replicate to and expand it
  6. Double click on NTDS Settings for the server
  7. Right click on the server you want to replicate from
  8. Select 'Replicate Now' from the context menu
  9. Replication will occur. Click OK to the confirmation dialog.

Figure: Force replication. In the screenshot's example this would replicate from TITANIC to the VENUS domain controller.

The replication is one way; if you want two way replication you will need to replicate in each direction.


Q. How can I change replication schedule between two domain controllers in a site?

A. By default domain controllers will replicate once an hour but this can be changed as follows. This is only for domain controllers in a single site; cross site replication is configured differently.

  1. Start the Active Directory Sites and Services MMC snap-in
  2. Expand the sites branch which will show the various sites
  3. The default site 'Default-First-Site-Name' may be your only site. Expand the site containing the domain controllers
  4. Expand the servers
  5. Select the server that you want to configure replication to and expand it
  6. Double click on NTDS Settings for the server
  7. Right click on the server you want to set replication from
  8. Select 'Properties' from the context menu
  9. Select the 'Active Directory Service connection' tab
  10. Click the 'Change Schedule...' button
  11. Modify the replication as required. Click OK
  12. Click Apply then OK

This replication schedule is one way and would need to be repeated for the other direction.


Q. Can I rename a site? - Windows 2000

A. Basically yes. When you install your first domain controller it creates a default site of Default-First-Site-Name which is not very helpful and can be changed as follows:

  1. Start the Active Directory Sites and Services MMC snap-in (Start - Programs - Administrative Tools - Active Directory Sites and Services)
  2. Expand the Sites branch
  3. Right click on the site you wish to rename (e.g. Default-First-Site-Name) and select rename (or just select the site and press F2)
  4. Enter the new name and press Enter

That's it!


Q. What DNS entries are added when a Windows 2000 domain is created?

A. Windows 2000 domains rely heavily on DNS entries, however the entries are created automatically provided you have enabled dynamic update on the relevant DNS zones. Below are explanations of what the entries are used for:

_ldap._tcp.<DNSDomainName>
Allows a client to locate a Windows 2000 domain controller in the domain named by <DNSDomainName>. A client searching for a DC in domain savilltech.com would query the DNS server for _ldap._tcp.savilltech.com

_ldap._tcp.<SiteName>._sites.<DNSDomainName>
This allows a client to find a Windows 2000 domain controller in the Domain and site specified, e.g. _ldap._tcp.london._sites.savilltech.com for a DC in the London site of savilltech.com

_ldap._tcp.pdc._ms-dcs.<DNSDomainName>
Allows a client to find the Primary Domain Controller (PDC) FSMO role holder of a mixed-mode domain. Only the PDC of the domain registers this record.

_ldap._tcp.gc._msdcs.<DNSTreeName>
Allows a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. Should a server cease to be a GC it will deregister the record.

_ldap._tcp.<site>._sites.gc._msdcs.<DNSTreeName>
Allows a client to find a Global Catalog (GC) server in the specified site, e.g. _ldap._tcp.london._sites.gc._msdcs.savilltech.com.

_ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>
Allows a client to find a domain controller in a domain based on its Globally Unique IDentifier (GUID). A GUID is a 128-bit (8 byte) number that is generated automatically for referencing objects in the Active Directory.

<DNSDomainName>
Allows clients to find a Domain Controller by a normal Host record.


Example DNS screen for a domain


Q. How can I manually defragment the Active Directory? - Windows 2000 only

A. By default Windows 2000 servers running directory services will perform an online defragmentation of the directory every 12 hours as part of the garbage collection process. This defragmentation only moves data around the database file (NTDS.DIT) and does not reduce its size.

To create a new, smaller NTDS.DIT an offline defragmentation must be performed as follows:

  1. Backup the Active Directory (as seen in 'Q. How can I backup the Active Directory/System State?')
  2. Reboot the server, select the OS option and press F8 for advanced options. Select the 'Directory Services Restore Mode' option and press Enter. Press Enter again to start the operating system.
  3. Windows 2000 will start in safe mode with no directory service running. Log on using the Administrator account and password of the LOCAL SAM.
  4. A dialog informing you are in safe mode will be displayed. Click OK
  5. From the Start menu select Run and type
    CMD.EXE
  6. A command window will be displayed. Type the commands shown after each prompt:
    C:\> ntdsutil
    ntdsutil: files
    file maintenance: info
    ....
    file maintenance: compact to c:\temp
  7. The progress of the defragmentation will be shown. If successful type quit twice to return to the command prompt
  8. Now replace the old NTDS.DIT with the new compressed version
    C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
  9. Restart the computer and boot as normal

Below is an example of the entire procedure

Microsoft Windows 2000 [Version 5.00.2031]
(C) Copyright 1985-1999 Microsoft Corp.

D:\>ntdsutil
ntdsutil: files
file maintenance: info

Drive Information:

C:\ FAT (Fixed Drive ) free(1.2 Gb) total(1.9 Gb)
D:\ NTFS (Fixed Drive ) free(152.4 Mb) total(1.9 Gb)

DS Path Information:

Database : D:\WINNT\NTDS\ntds.dit - 8.1 Mb
Backup dir : D:\WINNT\NTDS\dsadata.bak
Working dir: D:\WINNT\NTDS
Log dir : D:\WINNT\NTDS - 30.0 Mb total
res2.log - 10.0 Mb
res1.log - 10.0 Mb
edb.log - 10.0 Mb
file maintenance: compact to c:\temp
Opening database [Current].
Using Temporary Path: C:\
Executing Command: D:\WINNT\system32\esentutl.exe /d "D:\WINNT\NTDS\ntds.dit" /
/o /l"D:\WINNT\NTDS" /s"D:\WINNT\NTDS" /t"c:\temp\ntds.dit" /!10240 /p


Initiating DEFRAGMENTATION mode...
Database: D:\WINNT\NTDS\ntds.dit
Log files: D:\WINNT\NTDS
System files: D:\WINNT\NTDS
Temp. Database: c:\temp\ntds.dit

Defragmentation Status ( % complete )

0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................

Note:
It is recommended that you immediately perform a full backup
of this database. If you restore a backup made before the
defragmentation, the database will be rolled back to the state
it was in at the time of that backup.

Operation completed successfully in 17.896 seconds.


Spawned Process Exit code 0x0(0)

If compaction was successful you either need to
copy "c:\temp\ntds.dit" to "D:\WINNT\NTDS\ntds.dit"
or run:
D:\WINNT\system32\ntdsutil.exe files "set path DB \"c:\temp\"" quit quit
file maintenance: quit
ntdsutil: quit

D:\>copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
Overwrite D:\WINNT\ntds\ntds.dit? (Yes/No/All): y
1 file(s) copied.


Q. How can I audit the Active Directory?

A. It is possible to configure auditing on the Active Directory to produce both successful and failed entries in the Directory Service event log.

To configure perform the following:

  1. Start the 'Active Directory Users and Computers' MMC snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
  2. From the View menu select 'Advanced Features'
  3. Expand the domain, right click on the 'Domain Controllers' container and select Properties from the context menu
  4. Select the 'Group Policy' tab
  5. Select 'Default Domain Controllers Policy' and click Edit
  6. Expand the Computer Configuration branch, the Windows Settings branch, Security Settings branch, and finally the Local Policies branch
  7. Select 'Audit Policy'
  8. In the right hand window it will show auditing levels
  9. Double click 'Audit Directory Service Access'
  10. Check the relevant boxes (e.g. Audit success, audit fail). Click OK
  11. Close the Group Policy window
  12. Click OK to the main Domain Controllers Properties dialog
  13. Close the Active Directory Users and Computers MMC snap-in

The logs can be viewed in the Security Log (using Event Viewer). The policy change may take a while to take effect as domain controllers poll for policy changes every five minutes. Other domain controllers in the enterprise receive the changes at this interval plus the time of replication.


Q. How do I change Domain Names?

A. This is not so much a procedure but things to think about.

  1. NT stores both the textual name and the Security ID (SID) associated with the name. When you change the Domain name you only change the textual part and NOT the SID.
  2. All users should log off before starting the Domain Name change
  3. Break all trust relationships with other Domains
  4. If possible, all BDCs should have the domain name changed. They will want to reboot; say reboot later, then shut down the machine and power it off.
  5. On the PDC run Control Panel and change the Domain Name through the Network panel. The computer will prompt for a reboot; select "Reboot Now".
  6. Once the PDC is up let it stabilize for a few minutes then bring up each BDC with a minute gap, so it can validate with the PDC
  7. Re-create trust relationships with other Domains
  8. Move all clients to the new Domain, for Workstation see next FAQ.

A knowledge base article exists at http://support.microsoft.com/support/kb/articles/q178/0/09.asp.


Q. How do I move a Workstation to another Domain?

A. Log on to the Workstation locally as Administrator (i.e. name of machine) and go to Control Panel. Double click Network and click Change. Enter the new Domain name and click OK. You will receive a message "Welcome to Domain x". Reboot the machine and you are part of the new domain.

If you wish to administer this box from the new domain you will need to add <Domain>\DomainAdmins to the local administrators group by connecting to the local user database via User Manager for Domains (i.e. \\computername)


Q. How many user accounts can I have in one Domain?

A. The real problem is that each user account and machine account takes up space in the SAM file, and the SAM file has to be memory resident. A user account takes up 1024 bytes of memory (a machine account half as much), so each person (assuming they each have one machine) would need 1.5 KB. This would mean that for a 10,000 user domain each PDC/BDC would need 15MB of memory just to store the SAM! Imagine a network with 100,000 people. This is one of the reasons you have multiple domains and then set up trust relationships.


Q. How do I change my server from Stand Alone to a PDC/BDC?

A. You cannot change the role of an NT server; you will need to reinstall NT.


Q. What is a PDC, BDC?

A. A PDC is a Primary Domain Controller, and a BDC is a Backup Domain Controller. You must install a PDC before any other domain servers. The Primary Domain Controller maintains the master copy of the directory database and validates users. A Backup Domain Controller contains a copy of the directory database and can validate users. If the PDC fails then a BDC can be promoted to a PDC. Possible data loss is user changes that have not yet been replicated from the PDC to the BDC. A PDC can be demoted to a BDC if one of the BDC's is promoted to the PDC.


Q. How many BDC's should I have?

A. Microsoft say one BDC for every two thousand users. This is fine considering a 486DX2 with 32MB of RAM can, on average, perform at least 10 logons per minute. However, if everyone in your company arrives at 9:00 on the dot and logs on (except for the helpful people who arrive half an hour late) there will be a surge of logon requests to deal with, resulting in large delays. To try and improve on this, it is possible to configure the Server service to maximize throughput for Network Applications rather than File Applications. Remember, the more powerful the processor, the more logons it can handle (a Pentium 133 would be able to log on at least 30 people).


Q. How do I configure a Trust Relationship?

A. Domains by default are unable to communicate with other domains, which means someone in domain x cannot access any resource that is part of domain y. Before a trust relationship is configured

  • an administrator in x cannot give permission to any user of domain y for files or printers
  • a user of domain y cannot sit at a workstation that is part of domain x and logon

After a trust relationship is defined, say x trusts y the following happens

  • users of domain y can sit at a workstation that is part of domain x and logon to their own domain y (it will be displayed in the domain dropdown box)
  • an administrator of domain x can grant permission to any user of domain y to file and print resources
  • users of domain y are included in the Everyone group of domain x

In the example above x is the trusting domain, and y is the trusted domain. Also the above is a one-way trust relationship, i.e. while domain y users can use domain x resources, users of domain x cannot use domain y resources. A two-way relationship would allow each domain to access resources of the other (if given permission).

The basics of a trust relationship are to first configure domain y to allow domain x to trust it, and then configure domain x to trust domain y:

  1. Log onto domain y as Administrator
  2. Start User Manager for Domains (Start - Programs - Administrative Tools)
  3. Select "Trust Relationships" from the Policies menu
  4. Click the Add button to the Trusting Domains box
  5. Enter the name of the domain you want to be able to trust you, i.e. domain x
  6. You can type a password in the Initial Password and Confirm Password boxes, however this is only used when the trust relationship is started. You can leave it blank. Click OK to complete the addition
  7. Close the Trust Relationship dialog box
  8. Log off of domain y and log on to domain x as Administrator
  9. Start User Manager for Domains, and choose "Trust Relationships" from the Policies menu
  10. Click the Add button to the Trusted Domains box
  11. Enter the name of domain y and the password if one was configured in step 6
  12. Click OK and close the User Manager for Domains application.
  13. Domain x now trusts domain y

Q. How do I terminate a Trust Relationship?

A. Firstly you have to stop domain x trusting domain y, then remove domain x's ability to trust domain y:

  1. Logon as Administrator to domain x
  2. Start User Manager for Domains, and click Trust Relationships from the Policies menu
  3. Select domain y from the Trusted Domains and click Remove and confirm
  4. Logoff, and logon to domain y as Administrator
  5. Start User Manager for Domains, and click Trust Relationships from the Policies menu
  6. Select domain x from the Trusting Domains and click Remove and confirm
  7. Exit

Q. How can I join a domain from the command line?

A. The NT Resource Kit Supplement 2 ships a new utility called NETDOM.EXE which can be used not only to join domains, but also to create computer accounts and trust relationships.

To join a domain there are 2 paths. The first is to add the computer to the domain and create the computer account simultaneously, which is OK if you are logged on as a domain administrator. If you are not a domain administrator, the account needs to be added in advance and then you join the domain.

If you are logged on as a domain administrator then enter the command below to create the account and join the domain

netdom /domain:savilltech /user:savillj /password:nottelling member <computer name> /joindomain
where <computer name> is the name of your machine, e.g. johnstation

If you are not an administrator, the domain admin people will have to add an account for you first using either Server Manager or NETDOM.EXE

netdom /domain:savilltech /user:savillj /password:nettelling member <computer name> /add

Once the account has been added the normal user can join the domain using the first command shown.


Q. How do I demote a PDC to a BDC?

A. Normally when you promote a BDC to the PDC, the existing PDC is automatically demoted to a BDC. However, if the PDC was taken off line and a BDC was then promoted, the old PDC will still think it's the PDC when it is restarted, and when it detects another PDC it will simply stop its own netlogon service.

To actually modify the machine to be a BDC the registry needs to be changed directly:

  1. Logon to the machine as an Administrator
  2. Start the registry editor (regedt32.exe)
  3. Move to HKEY_LOCAL_MACHINE\Security
  4. Select Permissions from the Security menu
  5. Select Administrators and change the access type to Full Control, check the "Replace Permission on Existing Subkeys" and click OK. Click Yes to the confirmations dialog box
  6. You can now navigate the Security key; move down to Policy\PolSrvRo
  7. Double click on the default <no name> value and change the second digit (which should be 3 for a PDC) to a 2 (which means BDC). Click OK. E.g. 03000000 to 02000000.
  8. You should now reset the Security on the Security part of the registry using the same method as before but changing back to Special Access for Administrators. The permissions for Administrators should be
    - Write DAC
    - Read Control
  9. Restart the machine and it will come up as a BDC

To avoid having to set security, perform the registry change from the system account by submitting the registry editor via the schedule service.

C:\> net start schedule (only if not already running)
C:\> at <time> /inter regedt32.exe
C:\> net stop schedule (only if you had to start it)


Q. How can I configure a BDC to automatically promote itself to a PDC if the PDC fails?

A. There is no way to do this. The assumption is that the PDC would be configured to write out the dump information and then reboot itself, thus coming back online. You configure this behavior using the System Control Panel Applet - Startup/Shutdown tab.


Q. How do I rename a PDC/BDC?

A. To rename a Primary Domain Controller perform the following:

  1. Log onto the PDC as an Administrator
  2. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
  3. Click the Identification tab.
  4. Click the Change button and enter in the new computer name and click OK
  5. Restart the PDC for the name change to take effect.
  6. Once the machine has rebooted start Server Manager (Start - Programs - Administrative Tools - Server Manager), if the old name still appears as a Backup, or if there is no entry for the new name:
    - Create an entry for the new name. To do this, select Add to Domain in the Computer menu of Server Manager.
    - Add the new computer account as a "Windows NT Backup Domain Controller" (it will be added and displayed as a Primary).
    - Remove the old name by selecting the entry. To do this, select Remove from Domain on the Computer menu.

To Rename a Backup Domain Controller

  1. Log onto the PDC as an Administrator and in Server Manager (Start - Programs - Administrative Tools - Server Manager) add an account for the BDC's new name
  2. Log onto the BDC as an Administrator
  3. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
  4. Click the Identification tab.
  5. Click the Change button and enter in the new computer name and click OK
  6. Restart the BDC for the name change to take effect. The NETLOGON service will not yet start on this server.
  7. On the PDC, open Server Manager. Select the new BDC name and from the Computer menu, choose Synchronize With Primary. This will start the NETLOGON service.
  8. In Server Manager, select the old BDC name from the list and from the Computer menu, choose Remove From Domain.

Note: If the BDC begins to receive 7023 or 3210 errors after synching the domain in server manager, on the PDC choose the BDC and then synch that specific BDC with the PDC. After an event indicating that the synch is complete, restart the BDC.


Q. Can I move a BDC to another domain?

A. Normally no. The BDC shares a common SID with the PDC of the domain, so there is no way to move a BDC to another domain; you would need to reinstall the BDC.

System Internals have released NewSID 3.0 (from http://www.sysinternals.com) which has a SID-synchronizing feature that lets you have one machine copy the SID of another. This makes it possible to move a BDC to a new domain. On the BDC start NewSID and click "Synchronize SID", enter the name of the PDC and click OK.


Q. Can I change a PDC/BDC into a stand-alone server?

A. No, the PDC/BDC registry is different from that of a stand alone server; again a reinstallation would be needed.


Q. Can I administer my domain from an NT Workstation?

A. Yes, if you install the NT Server client based Administration tools:

  1. Insert the NT Server CD-ROM into your NT Workstation
  2. Run the file <CD-ROM drive>:\clients\srvtools\winnt\setup.bat. This will detect your processor and install the correct images into the %SystemRoot%\System32 folder. You will have to press return.
  3. Remove the CD-ROM
  4. You now need to create shortcuts either on the desktop or start menu for the applications:
    - dhcpadmn.exe --- DHCP Manager
    - poledit.exe --- System Policy Editor
    - rasadmin.exe --- Remote Access Administrator
    - rplmgr.exe --- Remoteboot Manager
    - srvmgr.exe --- Server Manager
    - usrmgr.exe --- User Manager for Domains
    - winsadmn.exe --- WINS Manager

Q. In what order should I upgrade my PDC and BDC's from 3.51 to 4.0?

A. The two different versions can coexist happily so you can upgrade in any order you want, however the safest option may be the following schedule:

  1. Upgrade a BDC from 3.51 to 4.0
  2. Leave it for a week and check it is OK
  3. Promote the BDC to the PDC
  4. Leave for another week and check everything is OK
  5. Upgrade the other BDC's to 4.0
  6. Promote the old PDC back to the main PDC (the current PDC will automatically be demoted to a BDC)

Q. What tuning can I perform on PDC/BDC Synchronization?

A. There are several registry settings that can be configured for PDC/BDC Synchronization:

These are all values under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

ChangeLogSize (REG_SZ)
Default size for the Change Log. By default 64KB with a maximum of 4MB

Pulse
This determines the gap in seconds between replication from the PDC to the BDC's. The lowest value is 60, and the max is 3600 (1 hour). The default is 300 (5 minutes). You may want to increase this time if the BDC's are over a slow WAN link.

PulseConcurrency
The number of BDC's that the PDC sends pulses to concurrently. By default this is 10.

PulseMaximum
The PDC performs a check that the BDC's are still there every so often. This is in seconds and once again the minimum is 60 and the maximum is 86,400.

Randomize
The number of seconds a BDC waits after an announcement before answering. 1 by default.

ReplicationGovernor
This is a percentage of the 128K blocks that are sent. If you had a slow link you may not want the PDC sending 128K blocks so you could change this to 25, meaning only 32K would be sent at a time. This will mean that the blocks are sent more frequently (25 would mean 4 times as often).

Update
By default this is set to no, which means only changes are replicated. Setting this to Yes will cause everything to be replicated even if there is no change. This needs to be set on the import server.

Q. I cannot add a BDC over a WAN.

A. To add a BDC to a domain, the PDC has to be contactable. Therefore the first task is to check that communications are working.

If you are using TCP/IP then ensure you can PING the PDC,

ping <ip address of the PDC>

If this is OK then the problem is at the NetBIOS level. If you have WINS on the network, ensure the BDC is configured to use the WINS server: when the PDC starts it registers the WINS name <domain><1Bh>, which is used to identify the domain controller.

Alternatively the LMHOSTS file can be updated.

  1. Start Notepad
  2. Open the file <systemroot>\system32\drivers\etc\lmhosts
  3. Add a line with the following syntax
    <IP address> <machine name> #PRE #DOM:<domain name>
  4. Save the file

To use the lmhosts file during installation you should create the file on another machine and copy it over when the BDC is being installed.


Q. How can I synchronize the domain from the command line?

A. To force a domain synchronization use the command

net accounts /sync


Q. How can I force a client to validate its logon against a specific domain controller?

A. Before answering this it is best to understand what happens when a login occurs.

When a logon request is made to a domain, the workstation sends out a request to find a domain controller for the domain. The domain name is actually a NetBIOS name that is a 16-character name with the 16th character used by Microsoft networking services to identify the NetBIOS type.

The type used for a domain controller is <1C>, so the NetBIOS name for a domain controller of domain "SAVILLTECH" would be "SAVILLTECH <1C>". The NetBIOS type has to be the 16th character, hence the name of the domain has to be filled with blanks to make its length up to 15 characters.

If the client is WINS enabled then a query for the resolution of "<domain name> <1C>" will be sent to the WINS server defined in the client's TCP/IP properties. The WINS server will return up to 25 IP addresses that correspond to domain controllers of the requested domain. A \mailslot\net\ntlogon message is broadcast to the local subnet, and if the workstation receives a response it will attempt logon with the local domain controller.

If WINS is not configured then it is possible to manually configure the LMHOSTS file on the Workstations to specify the Domain Controller. This file is located in the %systemroot%\system32\drivers\etc directory.

An example entry in LMHOSTS would be as follows

200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller

The above sets up IP address 200.200.200.50 to be host Titanic, which is the domain controller for savilltech and instructs the machine that this entry is to be preloaded into the cache.

To check the NetBIOS name cache you can use the command nbtstat -c, which will show all the entries including their type. If WINS is not configured and there is no entry in LMHOSTS then the workstation will send out a series of 3 broadcasts. In the situation where no response is received and WINS is configured to use DNS for WINS resolution, a request will be sent to the DNS server and finally the HOSTS file is checked. If all of this fails then the error "A domain controller for your domain could not be contacted." is displayed.

To force a client to use a specific domain controller we need only do the following:

  1. Start the registry editor
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
  3. From the Edit menu select New - DWORD value
  4. Enter a name of NodeType and press ENTER
  5. Double click on the new value and set to 4 (this sets the network to M-node/mixed, which means it will perform a broadcast before querying name servers for resolution). By default a system is 1 if no WINS servers are configured (B-node/broadcast) or 8 if at least one WINS server is configured (H-node/queries name resolution first then broadcasts)
  6. Double click on the EnableLMHOSTS value and set to 1. If it does not exist select New - DWORD value from the Edit menu and enter a name of EnableLMHOSTS
  7. Close the registry editor
  8. Reboot the machine

The machine is now configured to broadcast for a domain controller on a local subnet and then query a name server. If no domain controllers are found on the WINS server, or WINS is not used, it will then search the LMHOSTS file. The next stage is to edit this file.

  1. Check for the LMHOSTS file
    C:\>dir %systemroot%\system32\drivers\etc\lmhosts
  2. If the file does not exist copy the sample host file
    C:\>copy %systemroot%\system32\drivers\etc\lmhosts.sam %systemroot%\system32\drivers\etc\lmhosts
    1 file(s) copied.
  3. Edit the file using edit.exe, don't use notepad.exe
    C:\>edit %systemroot%\system32\drivers\etc\lmhosts
  4. Go to the end of the comments and add a new line of the format
    <ip address> <name of DC> #PRE #DOM:<domain name> #<comment>
    e.g. 200.200.200.50 titanic #PRE #DOM:savilltech #savilltech domain controller
  5. Save the changes to the file and exit edit.exe
  6. Force the machine to reload the LMHOSTS file (or just reboot)
    C:\>NBTSTAT -R
    Note: The -R must be in capitals, the command is case sensitive
  7. Check the cache
    C:\>NBTSTAT -c
  8. At this point the configuration is complete and a reboot is advisable.

Service Pack 4 includes a new utility, SETPRFDC.EXE, which will direct a secure channel client to a preferred list of domain controllers.

The syntax is:

C:\> SETPRFDC <Domain Name> <DC1, DC2, ....., DCn>

SETPRFDC will try each DC in the list in order, until a secure channel is established. If DC1 does not respond, DC2 is tried, and so on. Once you run SETPRFDC on a WinNT 4.0, SP4 computer, the list is remembered until you change it. You can run SETPRFDC in batch, via the scheduler, or even in a logon script (for future logons). Don't forget to undo any LMHOSTS entries you might have set.


Q. How do I promote a server to a domain controller? - Windows 2000 only

A. Windows 2000 ships with a utility, DCPROMO.EXE, which is used to promote a stand-alone/member server to a domain controller and vice-versa.

In Windows 2000, domains are DNS names, which means you can have a hierarchy of domains leading to parent-child domain relationships. The advantage of these parent-child relationships is that they have a bidirectional transitive trust, which means that if domain b is a child of domain a, and domain c is a child of domain b, domain c implicitly trusts domain a. This is very different from the way trusts work in earlier versions of Windows NT.

Since Windows 2000 domains rely on DNS it is vital that DNS is correctly configured to enable the domain to be created (if you are creating a new top level domain). Information on configuring DNS for a domain can be found here.

A final pre-requisite is that an NTFS 5.0 volume is required to house the SYSVOL volume and so ensure you have at least one NTFS 5.0 volume (use CHKNTFS to check the versions of your partitions).

To upgrade a stand-alone/member server to a domain controller perform the following:

  1. Start the DCPROMO utility (Start - Run - DCPROMO)
  2. Click Next to the introduction screen
  3. You will have a choice to "New domain" or "Replica domain controller in existing domain". There is no concept of a BDC in NT 5.0 and all domain controllers are equal (more or less :-) ). Select New Domain and click Next
  4. A new concept is trees which enable the idea of child domains. If you are starting a new top level domain select "Create new domain tree", to create a child domain select "Create new child domain". Click Next
  5. If you selected to create a new domain tree you will be asked if you want to "Create a new forest of domain trees" or "put this new domain tree in an existing forest". Forests enable you to "join" a number of separate domain trees and again a transitive trust relationship is created between them. If this is your first NT 5.0 domain tree you should create a new forest. Click Next
  6. You will then be asked for the DNS name of your domain, e.g. savilltech.com is a valid domain name. It is important this matches information configured on the DNS server. Click Next
  7. You will then be asked for a NetBIOS domain name which by default will be the left most part of the DNS domain name (up to the first 15 characters), e.g. savilltech, however this can be changed. Click Next to continue.
  8. You will then have to provide a storage area for the Active Directory and the Active Directory log. Accept the defaults and click Next
  9. Finally you must select an area on an NTFS 5.0 partition for the SYSVOL volume for storage of the server's public files, %systemroot%\SYSVOL by default. Click Next
  10. An option to weaken security for 4.0 RAS servers. Select your option and click Next
  11. A summary screen will be displayed and click Next to start the upgrade. It sets security and creates the Directory Server schema container. Information from the default directory service file and the old SAM is then read in if the machine is an upgraded PDC.
  12. You should then click Finish and reboot the machine.

You now have a Windows 2000 domain controller. Additional domain controllers (old BDC's) can be added by performing the above and selecting "Replica domain controller in existing domain" in step 3. It would then ask you the name of the domain to replicate.


Q. How can I generate a list of all computer accounts in a domain?

A. The normal method under Windows NT 4.0 and earlier is to use Server Manager (Start - Programs - Administrative Tools - Server Manager) and computer accounts can be viewed/added/deleted.

Under Windows NT 5.0 this information can be viewed using the Active Directory MMC (Microsoft Management Console) snap-in by browsing the domain/Computers group. Of course under Windows NT 5.0 and the Active Directory, computers can also be created in Organizational Units, so they would not all be shown under this tree (as shown below, the computer account in the law OU would not be listed in the Computers group).

Active Directory computer list

A more complete method is to use the Windows NT Resource Kit NETDOM.EXE utility (which runs under Windows NT 5.0) to generate the list, e.g.

C:\> netdom member
Searching PDC for domain SAVILLTECH ...
Found PDC \\TITANIC
Listing members of domain SAVILLTECH ...

Member 1 = \\ODIN
Member 2 = \\garfield

It is also possible to list other domains using a mixture of command line switches, e.g.

C:\> netdom /d:<domain name> [/u:<domain>\<user to which query> /p:<password>] member

The information in the [] is only needed if your account does not have privileges in the requested domain.

The advantage of the command line tool is it lists all computer accounts, even those in OU's in the Active Directory.

An alternative method is to use the net view /domain:<domain> command which has the advantage that you can pipe the output to a file or another command, e.g.

C:\> net view /domain:savtech


Q. How can I verify my Windows 2000 domain creation? - Windows 2000 only

A. To verify the TCP/IP configuration is OK, check for the _ldap._tcp.<domain> service record, e.g. _ldap._tcp.savilltech.com

C:\> nslookup
> set type=srv
> _ldap._tcp.savilltech.com
Server: [200.200.200.50]
Address: 200.200.200.50
_ldap._tcp.savilltech.com SRV service location:
priority=0
weight=0
port=389
svr hostname=titanic.savilltech.com
titanic.savilltech.com internet address=200.200.200.50

The ldap record used to be ldap.tcp.<domain> but was modified in build 1946 onwards. The underscore is necessary to definitively differentiate our unique names in the DNS namespace from internic registered domain names on the internet. In this way we can ensure that there will never be a DNS name clash. My understanding is that RFC 1034\1035 (may be wrong with these numbers as they may have been superseded) say that the underscore character is NOT a valid character to use in a DOMAIN NAME. All internet registered names should never contain the underscore. Now, RFC2181 states that the underscore is a valid label to use in DNS (as well as plenty of other characters too) so the underscore is used to prevent possible clash with INTERNET names. This change was introduced in earlier builds of Windows 2000. For a while DC's generated both styles of names in DNS to support both styles of clients (i.e. newer and older builds). Now that client code is changed to look for underscores, we have now retired the ldap.tcp names in favour of the _ldap.tcp names.

Also make sure the NetBIOS computer name is OK

C:\> net view \\<computer name>

Finally check the NetBIOS Domain name works

C:\> usrmgr <domain name>

The NetBIOS domain name is used for backwards compatibility. Use a 4.0 version of usrmgr.


Q. How can I configure multiple Logon Servers with LMHOSTS?

A. Service Pack 4 adds support for multiple domain controllers for a single domain to be configured in the LMHOSTS file (located in %systemroot%\system32\drivers\etc). Normally when a computer starts, the WINS server is queried for any [1C] entries, domain controllers, and it will return a list. This list is not geographically aware and you could be given a domain controller on the other side of the world.

An alternative is to specify a list of domain controllers in the LMHOSTS file (which is now checked before WINS if #PRE is in the entry) and have different LMHOSTS files in different regions.

Example entries in the file would be

200.200.200.50 titanic #PRE #DOM:SAVILLTECH
200.200.200.80 cuttysark #PRE #DOM:SAVILLTECH

You will need to ensure the computer is configured to use the LMHOSTS file

  1. Right click on Network Neighborhood and select Properties
  2. Select the Protocols tab
  3. Select "TCP/IP Protocol" and click Properties
  4. Select "WINS address"
  5. Check the "Enable LMHOSTS Lookup" box
  6. Click Apply then OK
  7. You will need to restart the computer
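
The LMHOSTS entries in this answer, and in the earlier answer on forcing a client to a specific domain controller, decide which host a client treats as its logon server, so the file is worth auditing. The Python sketch below is an added example, not part of the original FAQ: it parses the entry format shown above, builds the 16-byte <1C> name, and flags entries that are malformed, lack #PRE, or point at an address outside an expected list. The sample file, the APPROVED_DCS inventory and all function names are constructed for illustration, and matching the keywords case-insensitively is an assumption.

```python
import ipaddress

# Constructed sample: the first two entries are the ones shown above; the
# other lines are made-up cases that exercise the checks below.
SAMPLE_LMHOSTS = """\
# LMHOSTS for clients in the SAVILLTECH domain
200.200.200.50 titanic   #PRE #DOM:SAVILLTECH #savilltech domain controller
200.200.200.80 cuttysark #PRE #DOM:SAVILLTECH
200.200.200.90 odin      #DOM:SAVILLTECH
200.200.300.1  garfield  #PRE #DOM:SAVILLTECH
10.9.9.9       unknownpc #PRE #DOM:SAVILLTECH
"""

# Hypothetical inventory of addresses that really are domain controllers.
APPROVED_DCS = {
    "SAVILLTECH": {"200.200.200.50", "200.200.200.80", "200.200.200.90"},
}


def netbios_name(name, type_byte):
    """Return the 16-byte NetBIOS name: 15 blank-padded characters + type."""
    if not 1 <= len(name) <= 15:
        raise ValueError("NetBIOS names carry 1 to 15 characters: %r" % name)
    return name.upper().ljust(15).encode("ascii") + bytes([type_byte])


def parse_lmhosts(text):
    """Parse LMHOSTS text and return (entries, problems)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or whole-line comment
        if len(fields) < 2 or fields[1].startswith("#"):
            problems.append((lineno, "missing machine name"))
            continue
        addr, name = fields[0], fields[1]
        pre, domain = False, None
        for token in fields[2:]:
            upper = token.upper()  # assumption: accept keywords in any case
            if upper == "#PRE":
                pre = True
            elif upper.startswith("#DOM:"):
                domain = token[5:].upper()
            else:
                break  # first non-keyword token starts the trailing comment
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append((lineno, "invalid IP address %s" % addr))
            continue
        if len(name) > 15:
            problems.append((lineno, "name longer than 15 characters"))
            continue
        if domain is not None and not pre:
            problems.append((lineno, "#DOM entry %s has no #PRE" % name))
        entries.append({"line": lineno, "ip": addr, "name": name.upper(),
                        "pre": pre, "domain": domain})
    return entries, problems


def domain_controllers(entries):
    """Group #DOM entries by domain, keeping the order used in the file."""
    result = {}
    for entry in entries:
        if entry["domain"]:
            result.setdefault(entry["domain"], []).append(
                (entry["name"], entry["ip"]))
    return result


def unapproved(entries, approved):
    """Return #DOM entries whose address is not an approved DC address."""
    return [e for e in entries
            if e["domain"] and e["ip"] not in approved.get(e["domain"], set())]


if __name__ == "__main__":
    parsed, issues = parse_lmhosts(SAMPLE_LMHOSTS)
    print("lookup name:", netbios_name("savilltech", 0x1C))
    for lineno, message in issues:
        print("line %d: %s" % (lineno, message))
    for entry in unapproved(parsed, APPROVED_DCS):
        print("line %d: %s (%s) is not an approved DC for %s"
              % (entry["line"], entry["name"], entry["ip"], entry["domain"]))
```
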

Q. Are trust relationships kept when upgrading from a 4.0 domain to a Windows 2000 domain?

A. When a 4.0 PDC is upgraded to Windows 2000 all trust relationships are maintained.


Q. How are trust relationships administered in Windows 2000?

A. Instead of using User Manager as in NT 4.0, a new MMC snap-in, Active Directory Tree Manager is used. Although the host application is different the usage is exactly the same.

To view/add/remove perform the following:

  1. Start the Domain Tree Manager (Start - Programs - Administrative Programs - Domain Tree Management)
  2. Expand the root and right click on the domain
  3. Select Properties from the displayed context menu
  4. Select the Trusts tab and add/view as required.
  5. Click Apply then OK

Windows 2000 trusts
- Example of one domain that trusts ours

Obviously you should try and use the tree and forest concept rather than manual trust relationships with pure Windows 2000 domains. This is discussed in the Active Directory section (which will be added shortly).


Q. I can't promote a BDC to PDC.

A. If you receive an 'Access Denied' message when attempting to promote a BDC to the PDC it may be due to the fact the PDC has Service Pack 4 installed.

This is because Service Pack 4 upgraded the security mechanism used so you will either have to perform the promotion from a Service Pack 4 domain controller or upgrade the BDC in question to SP4.

Another reason for this error is trying to get a renamed and upgraded (3.51 to NT4) server to sync with the domain. The accounts database may have become out of date and thus couldn't be synchronised. NETLOGON may not even be startable.

The way round is to do a "connect as" from the PDC to the rogue BDC using an admin ID known to be good by the BDC before it was upgraded. Once the "connect as" (say to Cc) was accepted, the BDC would then accept the synchronise request from the PDC's Server Manager, restarting NETLOGON in the process.


Q. Unable to join a domain because of SMB signing, what can I do?

A. If the following error message is displayed when you attempt to add a computer running Windows NT to the domain:

"Unable to connect to the domain controller for this domain. Either the username or password entered is incorrect."

The error message is displayed even though networking is enabled and the correct administrator name and password credentials were supplied. The problem is that the PDC has SMB signing set to required and the client cannot communicate as it does not have SMB signing enabled.

Two options are possible. The first is to disable the RequireSecuritySignature SMB signing setting on the domain controller as described in 'Q. How do I enable SMB signing?'. The second is to install the machine into a workgroup, enable SMB signing and then join the domain. Of course this would not work with BDC's.


Q. How can I create a child domain?

A. Windows 2000 allows the creation of a domain as a child of another domain. When two or more domains are joined in a parent-child relationship a domain tree is formed.

A child domain is created when executing the DCPROMO.EXE image, and the parent domain must be accessible to create it.

  1. Install Windows 2000 on the machine
  2. Ensure the machine has TCP/IP and DNS configured correctly
  3. Execute DCPROMO
  4. Click Next to continue the upgrade
  5. Select 'Domain controller for a new domain' and click Next
  6. Select 'Create a new child domain in an existing domain tree' and click Next
  7. Enter a Username, password and domain you will be using to join the domain tree. This account must reside in the parent domain or a domain in the forest you are joining. Click Next
  8. Select the parent domain name by selecting Browse, e.g. savilltech.com. Enter the child domain (just the left most part), e.g. legal. The new complete name will be shown, e.g. legal.savilltech.com. Click Next
  9. If this is a new domain controller enter a NetBIOS name for backwards compatibility. By default it will be the left most 15 characters of the DNS domain name (up to the first .). If you are upgrading an existing DC then the NetBIOS name cannot be changed. Click Next
  10. Database and log locations will be shown. Click Next
  11. The System Volume area will be shown. Click Next
  12. An option to weaken security for 4.0 RAS servers. Select your option and click Next
  13. A summary will be shown. Click Next
  14. The new domain creation will begin
  15. Click Finish and reboot the machine

Instead of performing screenshots I've produced an animated GIF of the entire child domain creation (I was bored ;-) ). Click Refresh to make it start from the beginning, a gap of 2 seconds is shown between each screen.

Child domain creation


Q. How can I create a domain trust through a firewall?

A. When creating trust relationships, communication between the two domains is carried out over a number of protocols, with each protocol using a different TCP/IP port. Below is a list of ports which need to be enabled on the firewall for a trust relationship:

  • PORT 135 (TCP or UDP) for Remote Procedure Call (RPC) Service
  • PORT 137 (UDP) for NetBIOS Name Service
  • PORT 138 (UDP) for NetBIOS datagram (Browsing)
  • PORT 139 (TCP) for NetBIOS session (NET USE)
  • ALL PORTS above 1024 for RPC Communication

You may use LMHOSTS for name resolution (which would have #pre #dom entries for the domain controllers) or WINS can be used which requires:

  • PORT 53 (TCP and UDP) for DNS
  • PORT 42 (TCP and UDP) for WINS Replication

Alternatively, a trust can be established through point-to-point tunnelling protocol (PPTP). For PPTP, the following ports must be enabled:

  • PORT 1723 (TCP) for PPTP
  • IP PROTOCOL 47 (GRE)

Also see the following knowledge base articles:

  • Q167128 SMS: Network Ports Used by Remote Helpdesk Functions
  • Q174395 Event ID 4202 Attempting WINS Replication across Router
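
A firewall rule set can be checked against the port list above before the trust is attempted. The Python sketch below is an added example, not part of the original FAQ: it reports which of the listed flows a set of allow rules leaves uncovered, including partial coverage of the "all ports above 1024" range. The rule list and function names are constructed, and treating the above-1024 RPC range as TCP is an assumption, since the list does not name a protocol for it.

```python
# Flows taken from the list above: (protocol, low port, high port, purpose).
TRUST_FLOWS = [
    ("tcp", 135, 135, "RPC service"),
    ("udp", 135, 135, "RPC service"),
    ("udp", 137, 137, "NetBIOS name service"),
    ("udp", 138, 138, "NetBIOS datagram"),
    ("tcp", 139, 139, "NetBIOS session"),
    ("tcp", 1025, 65535, "RPC communication"),  # assumption: TCP
]

# Extra flows listed above for the WINS name-resolution option.
WINS_FLOWS = [
    ("tcp", 53, 53, "DNS"),
    ("udp", 53, 53, "DNS"),
    ("tcp", 42, 42, "WINS replication"),
    ("udp", 42, 42, "WINS replication"),
]

# Constructed allow rules for the example: (protocol, low port, high port).
SAMPLE_RULES = [
    ("tcp", 135, 135),
    ("udp", 137, 138),
    ("tcp", 139, 139),
    ("tcp", 1025, 5000),
    ("tcp", 49152, 65535),
]


def gaps(proto, low, high, rules):
    """Return the sub-ranges of low..high that no allow rule covers."""
    spans = sorted((a, b) for p, a, b in rules
                   if p == proto and b >= low and a <= high)
    missing, cursor = [], low
    for a, b in spans:
        if a > cursor:
            missing.append((cursor, a - 1))   # hole before this rule starts
        cursor = max(cursor, b + 1)
        if cursor > high:
            break
    if cursor <= high:
        missing.append((cursor, high))        # tail left uncovered
    return missing


def missing_flows(flows, rules):
    """List every (protocol, low, high, purpose) range the rules block."""
    report = []
    for proto, low, high, purpose in flows:
        for gap_low, gap_high in gaps(proto, low, high, rules):
            report.append((proto, gap_low, gap_high, purpose))
    return report


if __name__ == "__main__":
    for proto, low, high, purpose in missing_flows(TRUST_FLOWS, SAMPLE_RULES):
        ports = str(low) if low == high else "%d-%d" % (low, high)
        print("not allowed: %s %s (%s)" % (proto.upper(), ports, purpose))
```

Because the list includes every port above 1024, the matching allow rules are best scoped to the addresses of the domain controllers involved rather than to whole subnets.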

Q. How can I check the browse masters for a domain?

A. The resource kit has a utility BROWSTAT.EXE which allows status of the browse service to be ascertained. To check browse masters for a domain use the following command:

C:\> browstat status <domain>

To check statistics for a single server use the command

C:\> browstat stats \\<server>


Q. How can I stop a remote master browser?

A. The resource kit utility BROWSTAT can be used to remotely stop a browse master with the following command:

C:\> BROWSTAT TICKLE <transport> <domain> | \\<server name>

Where <transport> is the Windows NT transport device name, and <domain> is the domain in which the master browser is located, and <server name> is the computer name of the master browser.

To check which transport use the command:

C:\> net config rdr
Workstation active on NetbiosSmb (000000000000) NetBT_Tcpip_{C2F....

The transport device is indicated by '<network service>_<NIC type>', where <network service> is the session-layer network service, and <NIC type> is the type of network interface card on your computer. The session-layer network services are NetBT for NetBIOS over TCP/IP, NwlnkNb for IPX, or Nbf for NetBEUI, e.g. NetBT_Tcpip.

C:\> browstat tickle NetBT_Tcpip_{C2F8C130-F2AF-11D2-B748-DAEDF5F58140} \\titanic


Q. How can I force a browser election?

A. The resource kit utility BROWSTAT can be used to force a browser election:

C:\> BROWSTAT ELECT <transport> <domain> | \\<server name>

Where <transport> is the Windows NT transport device name, and <domain> is the domain in which the master browser is located, and <server name> is the computer name of the master browser.

To check which transport use the command:

C:\> net config rdr
Workstation active on NetbiosSmb (000000000000) NetBT_Tcpip_{C2F....

The transport device is indicated by '<network service>_<NIC type>', where <network service> is the session-layer network service, and <NIC type> is the type of network interface card on your computer. The session-layer network services are NetBT for NetBIOS over TCP/IP, NwlnkNb for IPX, or Nbf for NetBEUI, e.g. NetBT_Tcpip.

C:\> browstat elect NetBT_Tcpip_{C2F8C130-F2AF-11D2-B748-DAEDF5F58140} savilltech


Q. What is Terminal Server?

A. Modern day PC users are used to having a system with large amounts of memory, disk and CPU power to run their applications. This is very different to UNIX and VMS environments where servers have all the memory, disks and CPU and users have "dumb" terminals which just send keystrokes to the server which in turn sends back screen updates.

There are a number of advantages with the UNIX/VMS approach. Most desktop computers are idle for most of the time, with the CPU only 10% busy normally and a significant amount of memory spare; this is a waste of resources. A central server approach distributes resources to sessions as needed, minimizing waste and ensuring resources are available when needed.

Installing applications and maintaining them on each desktop is very time consuming. A central server based install simplifies this significantly and lowers the Total Cost of Ownership (TCO).

Windows NT Terminal Server and Windows 2000 address this with client software for Windows 9x/NT and Windows for Workgroups machines that allow a window to be created which allows all processing and execution to be carried out on the server and the only task the local machine does is to pass back keyboard and mouse actions. The Terminal Server does all the computation and storage and passes back screen updates to the client.

Example
Here you can see an example Terminal Server session in its own window, with its own Start menu and taskbar. All applications in this window are being run on the terminal server. The information shown in Explorer is the server's drives, not the local machine's.

Obviously Windows NT/95 are operating systems of their own and it may seem pointless running terminal server client on these machines however it could be used for application management, install Office 97 on the Terminal Server and all clients use Office via the Terminal Server connection. Imagine running Office 97 on a Windows for Workgroups machine!

Communication is via RDP (Remote Desktop Protocol) which was designed by Microsoft.

Windows Terminal Server is based on Citrix's WinFrame product and Citrix provide a bolt-on, MetaFrame, which adds functionality to Terminal Server including support for DOS, OS/2, Unix, Java and much more. http://www.citrix.com


Q. How do I install Windows NT 4.0 Terminal Server Edition?

A. The installation of Windows NT Terminal Server edition is the same as a normal Windows NT Server installation except during installation you will additionally be asked:

  • The number of Terminal Server Desktops - This is the number of Windows Terminal Server clients that will be connected to the Terminal Server at any one time.
  • Internet Explorer 4.0 can be automatically installed at installation time (instead of IE 2.0)

Once installation is complete if IE 4.0 was selected it will be installed and configured and an additional reboot performed.

Due to the method applications need to be installed on Terminal Server (for use with clients) an upgrade of a Windows NT 4.0 server is not supported or advised.

It is also not advised to run backoffice applications on a Terminal Server due to the massive amounts of resources Terminal Server uses for its clients and as such Terminal Server is not part of the Backoffice suite of applications.

You will also notice that Terminal Server is supplied with Service Pack 3 installed, do NOT install a normal version of a service pack on Terminal Server, special service packs will be made available for Terminal Server installations.

Once install is complete you will notice 4 new tools under the Administrative Tools branch of the Programs Start menu

  • Terminal Server Administration
  • Terminal Server Client Creator
  • Terminal Server Connection Configuration
  • Terminal Server License Manager

These will be looked at in detail later in the Terminal Server section. You will also notice User Manager is modified to include a new 'Config' button for each user which allows Terminal Server settings to be configured.


Q. How do I enable Terminal Server under Windows 2000?

A. Windows 2000 has Terminal Server components built into the operating system and they can be installed at installation time or at a later time. To install the components perform the following:

  1. Start Control Panel (Start - Settings - Control Panel)
  2. Select Add/Remove Programs
  3. Select Configure Windows in the left hand pane
  4. Click the Components button
  5. Click Next at the wizard
  6. Check the "Terminal Services" and "Terminal Services Licensing" components. Click Next
  7. Warnings may be given about installed components, click Next
  8. You can select to install printer drivers. Click Next
  9. Files will be copied to the server
  10. Click Finish
  11. The machine will reboot

Once reboot is complete 4 new programs will be under the Administrative Tools branch of the Start menu

 

  • Terminal Server Administration
  • Terminal Server Client Creator
  • Terminal Server Connection Configuration
  • Terminal Server License Manager

Q. How do I install Windows NT/9x based Terminal Server clients?

A. Terminal Server has built in support for the following clients

  • Windows 95
  • Windows 98
  • Windows NT
  • Windows 2000
  • Windows for Workgroups

The first 4 all share a common piece of software and terminal server (both NT 4.0 and Windows 2000) ships with a utility to create it on a single floppy disk:

  1. Logon to the Terminal Server machine
  2. Select 'Terminal Server Client Creator' from the Administrative tools branch (Start - Programs - Administrative Tools - Terminal Server Client Creator)
  3. You will be shown a dialog box giving options for
    - Terminal Server Client for WFW
    - Terminal Server Client for Windows 95/NT Intel
    - Terminal Server Client for Windows 95/NT Alpha (I never knew 95 ran on Alpha! ;-) ).
    Client Create
  4. Select the client (Terminal Server Client for Windows 95/NT Intel) and the destination drive (you can only select a floppy) and click OK
  5. You will be asked to insert a disk. Click OK
  6. The required files will then be copied to the disk
  7. Click OK once complete
  8. Close the dialog box

All the above does is copy the contents of %systemroot%\system32\clients\tsclient\win32\disks\disk1 to disk so you could directly copy or share this directory. There is also a net subdirectory of tsclient which also contains the clients with each client in its own subdirectory without the disk1 etc. folders, so you could share out this folder to allow access to all client installations. Sharing the net folder would be the preferred method.

To install the client perform the following:

  1. Either insert the disk created above or connect to a share containing its files
  2. Execute Setup.exe
  3. The Terminal Server client execution program will start and click Continue to the license agreement
  4. Enter username and company. Click OK. Click OK again to the confirmation
  5. Click 'I agree' to the license agreement
  6. Click the large setup button (you can change the installation folder at this point)
    Client Install
  7. You will be asked how you want the application installed, either for all users to have the same initial settings or just for you. Click Yes
  8. Files will be copied and a success message shown. Click OK.

A new folder "Terminal Server Client" has been added with 2 utilities and an uninstall option.


Q. How do I install Windows for Workgroups based Terminal Server clients?

A. Terminal Server has built in support for Windows for Workgroups but they must have TCP/IP 32b installed (this can be downloaded from Microsoft at http://support.microsoft.com/support/kb/articles/q111/6/82.asp). I found this out the hard way! TCP/IP can be installed using the Network setup icon in WFW. You may want to run MEMMAKER after installation of TCP/IP to "tidy" your memory, I had to, just choose Express.

To create floppy disks for Windows for Workgroups TS client installation perform the following:

  1. Logon to the Terminal Server machine
  2. Select 'Terminal Server Client Creator' from the Administrative tools branch (Start - Programs - Administrative Tools - Terminal Server Client Creator)
  3. You will be shown a dialog box giving options for
    - Terminal Server Client for WFW
    - Terminal Server Client for Windows 95/NT Intel
    - Terminal Server Client for Windows 95/NT Alpha
    Client Create
  4. Select the client (Terminal Server Client for WFW) and the destination drive (you can only select a floppy) and click OK
  5. You will be asked to insert a number of disks. Click OK
  6. The required files will then be copied to the disk
  7. Click OK once complete
  8. Close the dialog box

All the above does is copy the contents of %systemroot%\system32\clients\tsclient\win32\disks\disk1 to disk so you could directly copy or share this directory. There is also a net subdirectory of tsclient which also contains the clients with each client in its own subdirectory without the disk1 etc. folders, so you could share out this folder to allow access to all client installations. Sharing the net folder would be the preferred method.

To install the client perform the following:

  1. Either insert the disk created above or connect to a share containing its files
  2. Execute Setup.exe
  3. The Terminal Server client execution program will start. Click OK to the dialog.
  4. Enter username and company. Click OK. Click OK again to the confirmation
  5. Click 'I agree' to the license agreement
  6. Click the large setup button (you can change the installation folder at this point)
  7. You will be asked how you want the application installed, either for all users to have the same initial settings or just for you. Click Yes
  8. Files will be copied and a success message shown. Click OK.

A new program group "Terminal Server Client" has been added with 2 utilities and an uninstall option.

WFW
Windows 2000 3D Pinball on Windows for Workgroups 3.11, impressive :-)


Q. How do I connect to a Terminal Server from WFW/9x/NT/2000?

A. The first action is to install the client which is explained in 'Q. How do I install Windows NT/9x based clients?'.

Once the client is installed there are two methods to connect to a terminal server. The first is a very manual method and while simple may not be ideal for many normal users.

  1. Select "Terminal Server Client" from the "Terminal Server Client" programs folder
  2. From the dialog select the server (or enter a different server name or IP address) and select a screen resolution. (The WFW version is slightly different in look but functionally the same)
    Connecting
  3. Click Connect
  4. You will then have a window come up with a logon screen. Logon and you are now running a terminal server session!

Logon

You should be aware that pressing Ctrl-Alt-Del will bring up the Local security menu and not the remote. To bring up the remote security menu select "Windows NT Security" from the Start menu. You will notice you don't have a shutdown button (unless you are an Administrator) as this would shutdown the terminal server machine.

An alternative is to setup a shortcut to connections and this is accomplished using the "Client Connection Manager".

  1. Start Client Connection Manager (CCM) by selecting it from the Terminal Server Client programs branch of the start menu
  2. From the File menu select 'New Connection'
  3. Enter a description and the servername or IP address of the terminal server. Click Next
  4. You may select Automatic logon by checking the Autologon box and entering username, password and domain details. Click Next
  5. Select settings such as desktop size and speed settings. Click Next
  6. The next screen gives the option of either running a full desktop or a specific application. If you select a program you must enter the executable's name and location and a working directory. Click Next
  7. You should now select an icon for the connection by clicking the 'Change Icon' button and the program group to house the shortcut (Terminal Server Client by default). Click Next
  8. A summary will be displayed, click Finish.
  9. A new icon will now be displayed in CCM as shown below.

Shortcut

You may create a shortcut to this on the desktop by right clicking on it and selecting 'Create shortcut on desktop'.

This shortcut actually calls the normal Terminal Server Client with a parameter of the configuration name, e.g.

"C:\Program Files\Terminal Server Client\MSTSC.EXE" "TS 1 Connect"

This may be useful for you to build into batch menus etc. The actual connection details are stored in the registry under the 'HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client' key. You could therefore dump out this registry key and import into other machines automating the shortcut installations. The only item not read in is the password if autologon was selected.

To dump out to file just select the registry key in REGEDIT.EXE, e.g. "TS 1 Connect", and select "Export Registry File" from the File menu. Enter a file name and click OK. You can then copy this .reg file to any machine and execute using

C:\> regedit /s <file>.reg


Q. How do I close a Terminal Server connection?

A. If you click Start from a Terminal Server session you will see two options if connected to a Windows NT 4.0 box

  • Disconnect
  • Logoff

There is a major difference between the two.

If you select Logoff your session is logged off and your connection to the terminal server is closed. The connection slot you were using may then be used by someone else.

If you select Disconnect you are not logged off; rather, the session window is closed, but if you restart and log on as the same person it will remember all applications and their state. This may seem ideal but remember a Terminal Server has a finite number of allowed connections and a disconnected session constantly uses a connection, stopping someone else from connecting.

A disconnected session remains active until one of the following:

  • You log back on as the same user then logoff
  • The idle timeout is reached and the session is automatically logged off
  • An administrator forces your logoff using the Terminal Server Administration tool

If you connect to a Windows 2000 box you will see Disconnect and Shutdown; selecting Shutdown gives the option of logging off.


Q. How do I install applications for use with Terminal Server?

A. Installing applications on a terminal server has to be done in a special way to ensure it is usable by all users of the terminal server.

There are two modes in terminal server, Execute and Install. By default all users are logged on in Execute mode and this means they can run programs etc. When you want to install an Application for use by everyone the Administrator should change to Install mode.

The best way to install software is to use the Add/Remove Programs control panel applet as this will automatically set the mode to Install during the installation and then back to Execute at the end. Alternatively you can manually change your mode to Install by typing

C:\> change user /install

To change back to execute use

C:\> change user /execute

And to check your current mode use

C:\> change user /query

In this example we will use Add/Remove to install Winzip on a terminal server.

  1. Start the Add/Remove programs control panel applet (Start - Settings - Control Panel - Add/Remove Programs)
  2. Select the 'Install/Uninstall' tab and click 'Install'
  3. You will be told to insert the setup media, click Next
  4. The installation wizard will look for setup.exe on the CD or disk, it won't find it, select an alternate by clicking the 'Browse' button, and select the winzip.exe file. Click Next
  5. You will now be given the option to change your mode so all users can use the application. Select 'All users begin with common application settings.' and click Next
  6. The install of the application will begin. If you type 'change user /query' you will notice your mode has been changed to Install.
  7. Proceed to install the application as normal
  8. Once setup is complete click Next to the install dialog then Finish

All terminal server users will now have Winzip. An alternative would be to manually set the mode to install, install the software and set back to execute.


Q. I can't install Office 97 SR2 on Terminal Server.

A. If when you try and install Office 97 SR2 on a terminal server via the Add/Remove Programs control panel applet you get the error:

"Setup cannot register MSJET35.dll in the system registry because an older version is in use. Close all applications and try again"

this is because the Terminal Server License Service is using the file. To work around this, stop the licensing service

C:\> net stop "terminal server licensing"

Click Retry on the error dialog and install will continue.

Once installation is complete restart the service

C:\> net start "terminal server licensing"

Office 97 has now been installed for use by all your terminal server clients.


Q. How do I install Citrix Metaframe?

A. Citrix Metaframe is an add-on to Windows NT Terminal Server and although there is currently no version for Windows 2000 it is under development. To install perform the following:

  1. Logon as an Administrator on the Terminal Server box
  2. Insert the Citrix Metaframe CD and click the "MetaFrame Setup" button (or run setup.exe from the I386 directory on the CD-ROM)
  3. Click Next to the install wizard dialog
  4. Click Next to the copy files dialog
  5. The license dialog will then be shown. Click the "Add License Packs" button to add the basic MetaFrame license. Enter the serial number on the back of the CD and click OK. Click No to install other license packs. Click Next to the main license dialog
  6. Click Next to the ICA connections protocol dialog (these are the protocols that clients may connect over).
  7. You may select to install TAPI modems for connection, to configure click Add Modems. A list of installed modems will be shown, select the modem and click Close. Click Next to the main TAPI dialog
  8. Next the options for accessing local drives on the client are displayed. By default the server's drives will be the same on the client, e.g. C: is C:, and the client drives will be visible starting from V: working downwards, e.g. local C: would be V:, local D: would be U:. Click Next
  9. You have the option to remap server drives so that clients would see their local drives as C:, D: etc. and the server's drives will be changed to M:, N: etc. I would advise against this unless you are very confident of what you are doing. Click Next.
  10. Finally the system will reboot. Click Finish

Once the machine has rebooted upon logon a new toolbar is added to your desktop which allows control of the MetaFrame environment.


Q. How do I create Citrix Metaframe client media?

A. MetaFrame ships with a utility, ICA Client Creator, which is in the MetaFrame Tools program group. It can also be started by clicking the client creator button on the MetaFrame toolbar.

Once started the utility will check for the CD-ROM and give options to create a variety of clients:

Select the client to install, the disk drive and whether to format the disks.

Alternatively, all the clients are copied to the %systemroot%\system32\clients\ica directory, e.g. DOS is wfcdos, so you can share the directory and allow clients to map it and install from there.


Q. How do I install the ICA DOS client?

A. You will first need to create the DOS ICA client installation disk as explained in 'Q. How do I create Citrix Metaframe client media?'.

The DOS machine will also need the ability to connect to the network as explained in 'Q. How can a DOS machine connect to an NT domain?'.

To install the client perform the following:

  1. At the DOS machine insert the created install disk (or map to a network share containing the wfcdos files)
  2. Run install.exe
  3. Select the installation target, C:\wfclient by default. Press Enter
  4. The client files will then be copied to the target directory

To run the client simply change to the wfclient directory (or add it to the machine's path variable) and run WFCLIENT.EXE.

When you run for the first time you will need to create a new entry, click Yes to create a new entry.

Enter connection details such as connection medium (Microsoft TCP/IP), server name/address.

You should then select the Entry and select Connect.


Q. How do I install Backup Exec 7.X on TSE?

A. Be sure to disable Terminal Server Licensing before you start the installation.

  1. Go to Start -> Settings -> Control Panel
  2. Double-click on Services
  3. Mark Terminal Server Licensing and press stop.
  4. Install Backup Exec via Add/Remove programs
  5. Go back to Services and Start Terminal Server Licensing

Q. Can I use normal Service Packs on Windows NT Terminal Server Edition?

A. No, Terminal Server has modifications to its components, meaning normal Service Packs cannot be applied. Terminal Server Edition has Service Pack 3 built in and Service Pack 4 for Terminal Server was released April 1999.

In Windows 2000 this will not be the case as Terminal Server is just a component of the normal product.


Q. Can I use normal Hot fixes on Windows NT Terminal Server Edition?

A. It depends. Some components of Windows NT Terminal Server Edition are specially modified and some are not. You will need to check if the file you are replacing is specially modified for Terminal Server Edition:

Enter the command:

C:\> filever /v <filename>

-r--- W32i DRV ENU 4.0.1381.32772 shp 25,840 06-08-1998 atapi.sys
FileDescription ATAPI IDE Miniport Driver
OriginalFilenam atapi.sys
ProductName Microsoft(R) Windows NT(TM) Operating System
ProductVersion 4.00

VS_FIXEDFILEINFO:
Signature: feef04bd
FileVer: 00040000:05658004 (4.0:1381.32772)
ProdVer: 00040000:05658004 (4.0:1381.32772)

We are interested in the FileVer property. If the final number is greater than 32767 then the file was built for Terminal Server, and you should therefore only apply a hotfix that is specially released for Terminal Server.

The actual bit value we are interested in is the 0x8000 bit. If it is set then the file is modified for Terminal Server. Below is a file that is not specially modified for Terminal Server:

Signature: feef04bd
FileVer: 00040000:05650004 (4.0:1381.4)
ProdVer: 00040000:05650004 (4.0:1381.4)

Special Terminal Server fixes can be found under ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE

In Windows 2000 this will not be the case as Terminal Server is just a component of the normal product.
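The FileVer check described above can be scripted. The following is an added example, not part of the original FAQ: it parses the FileVer line of `filever /v` output (the two samples are the ones shown above) and tests the 0x8000 bit. The function names are hypothetical, and treating an unflagged file as taking a standard hotfix is an assumption drawn from the answer above.

```python
import re

# The 0x8000 bit in the last FileVer field marks a Terminal Server build.
TSE_BIT = 0x8000

# Matches e.g. "FileVer: 00040000:05658004 (4.0:1381.32772)"
FILEVER_RE = re.compile(
    r"^\s*FileVer:\s*([0-9A-Fa-f]{8}):([0-9A-Fa-f]{8})"
    r"(?:\s*\((\d+)\.(\d+):(\d+)\.(\d+)\))?",
    re.MULTILINE,
)

# The two FileVer samples shown in the answer above.
TSE_SAMPLE = """VS_FIXEDFILEINFO:
Signature: feef04bd
FileVer: 00040000:05658004 (4.0:1381.32772)
ProdVer: 00040000:05658004 (4.0:1381.32772)
"""
STD_SAMPLE = """Signature: feef04bd
FileVer: 00040000:05650004 (4.0:1381.4)
ProdVer: 00040000:05650004 (4.0:1381.4)
"""


def parse_filever(output):
    """Return (major, minor, build, revision) from `filever /v` output."""
    m = FILEVER_RE.search(output)
    if m is None:
        raise ValueError("no FileVer line found")
    ms, ls = int(m.group(1), 16), int(m.group(2), 16)
    # Each 32-bit half holds two 16-bit fields: high word, then low word.
    version = (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
    # Cross-check the hex words against the decimal form when it is printed.
    if m.group(3) is not None:
        printed = tuple(int(g) for g in m.group(3, 4, 5, 6))
        if printed != version:
            raise ValueError("hex %r and decimal %r disagree" % (version, printed))
    return version


def classify(output):
    """Summarise the version and which kind of hotfix the file calls for."""
    major, minor, build, revision = parse_filever(output)
    tse = bool(revision & TSE_BIT)
    return {
        "version": "%d.%d.%d.%d" % (major, minor, build, revision),
        "terminal_server_build": tse,
        # Revision with the Terminal Server flag cleared.
        "revision_without_flag": revision & ~TSE_BIT & 0xFFFF,
        # Assumption: a file without the flag takes the standard hotfix.
        "hotfix_needed": "Terminal Server specific" if tse else "standard",
    }


if __name__ == "__main__":
    for sample in (TSE_SAMPLE, STD_SAMPLE):
        print(classify(sample))
```
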


Q. I've reached 40 - 45 users and additional users can't log onto Terminal Server?

A. If you have more than 40 users you should increase the amount of PTEs (page table entries) on the system.

Microsoft says that you should increase this if you'll have more than 45 connections, but I've seen that this can be a problem with fewer users as well. The TSE Memory Manager allocates 10,000 PTEs by default. TSE uses PTEs to map the location of physical memory pages. Each user who logs on to TSE requires a minimum of 200 PTEs.

If the PTE pool is exhausted, additional users will not be able to log on. The maximum allowed number of PTEs is 50,000.

To change the number of PTEs on the system see Q. How do I increase the number of Page Table Entries on my system?


Q. How do I configure a CE based Terminal Server client?

A. One option for Terminal Server clients is to use a "thin" client which has no disks but an embedded operating system and one such device is a Windows CE based client. The advantage is the machine has zero maintenance apart from the initial configuration. The instructions below are for the Viewpoint series from http://www.boundless.com (many thanks for letting me have one to use).

When you first turn on the machine it will ask for certain details:

  1. The setup wizard will first display the product ID. Click Next
  2. Click Accept to the license agreement.
  3. You will be asked if you want to use DHCP or manual IP configuration. Click Next.
  4. If you selected manual IP configuration you will need to enter an IP address, subnet mask and a gateway. Click Next
  5. Enter DNS and WINS details. Click Next
  6. Select the Desktop resolution and click Next
  7. Click Finish to complete

You will have no start bar, just a dialog asking for a connection to be made. You should configure sessions as you would a normal Terminal Server client by selecting the Configure tab.


Q. I am having troubles getting the ICA DOS client to work.

A. The ICA DOS client uses a LOT of memory and to get it working I had to remove nearly every other process from memory. Thankfully Citrix have now released a new 32 bit DOS client which can access more of your machine's memory, eliminating the memory problems.

It can be downloaded from http://download.citrix.com and its usage is exactly the same as the old 16bit DOS client.


Q. Where can I download updates for MetaFrame?

A. These can be downloaded from http://www.citrix.com/support/ftpserve.htm.


Q. What Service Packs are available for Windows NT Terminal Server Edition?

A. Windows NT Terminal Server Edition is supplied with Service Pack 3 built in. The following Service Packs are available for Windows NT 4.0 Terminal Server Edition.

Service Pack 4 - http://www.microsoft.com/ntserver/terminalserver/downloads/recommended/tsesp4/ordercd.asp

Special hotfixes (when available) can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP3


Q. How do I send a message to a Terminal Server client?

A. Terminal Server supports two methods of communicating with a Terminal Server client process.

The first is via the GUI:

  1. Start the Terminal Services Manager MMC snap-in (Start - Programs - Administrative Tools - Terminal Services Manager)
  2. Expand the domain - Server and a list of connected processes will be shown
  3. Right click on the process and select 'Send Message' from the context menu
  4. You can then enter a title for the message and a message text. Click OK

To send from the command line use the MSG command:

msg <user> [/time:<seconds>] [/w] [/server:<server name>] <message>

For example:

C:\> msg savillj /w Get off that computer John!

The /w switch will force the administrator's session to pause until the user has clicked OK to the message.


Q. How do I locate machines that are running Terminal Server?

A. Starting the Terminal Services Manager MMC snap-in (Start - Programs - Administrative Tools - Terminal Services Manager) will list machines running the Terminal Server services by expanding the domain. It can also be done with the following command:

qappsrv [/address] [/domain:<domain name>] [/continue]

For example

C:\> qappsrv /address
Known Terminal servers Network Node Address
---------------------- ------- ------------
DEMO                          [ A024E34948]*

The /domain switch is optional unless you wish to query a domain other than the one the machine is a member of, and /continue does not pause after each screen of information.


Q. How can I check if a user is logged on via Terminal Server?

A. Starting the Terminal Services Manager MMC snap-in (Start - Programs - Administrative Tools - Terminal Services Manager) will list user processes by machine but this may be cumbersome if a large number of terminal servers are running. It can also be done with the following command:

query user [<user name>] [/server:<server name>]

For example

C:\> query user
USERNAME   SESSIONNAME     ID  STATE   IDLE TIME   LOGON TIME
>administrator  console    0   Active          . 09/05/99 18:19
 savillj        rdp-tcp#1  1   Active         10 09/05/99 14:23

The above lists all users.

You can also check what the user is running with the QPROCESS command:

C:\> qprocess <user name>

To check who is running a certain program (e.g. winword.exe)

C:\> qprocess <process>

will list all users running the passed program.


Q. How do I connect two Workstations using RAS?

A. NT Workstation supports one inbound RAS connection so one NT station will be the RAS server, and one will be the client. The procedure below is what I did to connect two machines.

Server

If RAS is already installed

  1. Go to Control Panel and double click Network
  2. Go to Services, click on “Remote Access Server”, and click Properties
  3. Click on the Port and click Configure
  4. Select “Dial Out and Receive” or just Receive
  5. Click Continue
  6. Select if user can access Just Computer or Entire Network for NetBEUI
  7. Click Continue and fill in details for TCP/IP. For this setup we will assume the dial in client will have a TCP/IP address so check the box “Allow clients to use preconfigured address”
  8. Click OK and then close
  9. You will then be prompted to restart the computer

If RAS is not already installed, go to “My Computer” and double click “Dial-up Networking”. It will then detect your modem and take you to step 3 as above.

Client

This assumes RAS is not installed

  1. Go to “My Computer” and double click “Dial-up Networking”
  2. You will be asked for the NT CD, and it will install Modem and RAS
  3. It will then detect any modems, once the modem has been found click continue
  4. It will then say the phone book is empty and you should add an entry. Give a name and select “Next” (do not select “I know about modem properties” unless you do)
  5. Select “I am calling the Internet” and click Next
  6. Enter the phone number and click Next, then click Finish
  7. Select the entry, and click More, select Edit Entry
  8. Go to the Server tab and check NetBEUI and TCP/IP. Click TCP/IP details, fill them in and press OK. Finally click OK again.
  9. Select the PhoneBook entry and click Dial.
  10. The first time you connect you will have to supply a username, password and domain (select “save password” so this information does not have to be entered again).

Q. Is it possible to dial an ISP using the command line?

A. Yes, use RASPHONE -d <entry> or RASDIAL <entry>

To disconnect you can type RASPHONE -h <entry> or RASDIAL /disconnect.


Q. How can I stop the RAS connections closing when I logoff?

A. Perform the following:

  1. Start the registry editor (regedt32.exe, not regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Create a new value called KeepRasConnections of type REG_SZ
  4. Set the new value to have a value of 1

Q. How can I create a RAS Connection Script?

A. It is possible to write a script that will run when you connect during a RAS connection to automate actions such as entering your username and password. To specify a script perform the following

  1. Double click on My Computer and start up the Dial-up Networking applet
  2. Select the phonebook entry and click More.
  3. From the More menu select "Edit entry and modem properties"
  4. Click the Script tab and select "Run this script"
  5. Click the "Edit script..." button and the SWITCH.INF file will be opened
  6. Go to the bottom of the file and create a new connection section and then select exit
  7. Answer Yes to save changes
  8. Click the "Refresh List" button and the new entry will now be displayed.
  9. Select the new entry you created and click OK.

An example addition to the SWITCH.INF would be

; the phonebook entry
[Savill1]
; send initial carriage return
COMMAND=<cr>
; wait for : (after username, may be different at your site) omit the U as it may be capitals. You could just have :
OK=<match>"sername:"
LOOP=<ignore>
; send username as entered in the connection dialog box, alternatively you could just enter the username e.g. savillj<cr>
COMMAND=<username><cr>
; wait for : (after password this time, may be different at your site)
OK=<match>"assword:"
LOOP=<ignore>
; send the password entered in the connection dialog box, again you could just manually enter the password, e.g. password<cr>
COMMAND=<password><cr>
NoResponse
; send the "start ppp" command
COMMAND=ppp default<cr>
OK=<ignore>

In depth information on all of the commands can be found in the SWITCH.INF file.


Q. How can I debug the RAS Connection Script?

A. It is possible to create a log file of the connection by performing the following steps

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
  3. Double click on Logging
  4. Change the value data to 1 and click OK
  5. Close the registry editor
  6. Restart the computer

Each dial-up session will now be appended to the file %systemroot%\system32\RAS\device.log. To stop logging perform the steps above but set the value back to 0.


Q. How do I configure RAS to connect to a leased line?

A. The method will vary depending on your systems current setup, however assuming you have RAS already installed below are the actions needed to configure in your leased line. It is assumed the modems (at both ends) are configured correctly for leased line usage (&D0 for DTR override).

  1. Start the Modem control panel applet (start - settings - control panel - modems)
  2. Click Add
  3. Check the "Don't detect my modem, I will select it from a list" and click Next
  4. In the Manufacturers box select "Standard Modem Types" and in the Models area select "Dial-Up Networking Serial Cable between 2 PCs", click Next
  5. Select the port, e.g. COM1 and click Next
  6. You now have a modem setup ready for leased line use

You should now configure the RAS connection (server/client) in the normal way (use the RAS service properties).

  1. Right click on Network and select properties, click the services tab and select RAS, click Properties.
  2. Select the COM port and click Configure
  3. Select the connection type dial in/dial out/both and click OK. Click Continue
  4. You will be asked about NetBEUI client Access, select the desired and click OK
  5. If you selected server you will be prompted for TCP/IP access and also which IP addresses should be given, either by DHCP (if configured) or from a given pool of addresses. You can also check the box to allow a client to request a specific IP address
  6. Click Close in the Network dialog box, the bindings of the machine will be updated and you will be asked if you want to reboot. Click Yes

Once this has been done you may also want a phonebook entry for outgoing use as you would normally except under the Dialing section check the "Persistent connection" box.


Q. How can I disable RAS AutoDial?

A. The easiest way to do this is to disable the RAS AutoDial service:

  1. Start the services control panel applet (start - settings - control panel - services)
  2. Scroll down to "Remote Access AutoDial Manager" and select
  3. Click the Startup button and change the startup to Manual. Click OK
  4. If you want to stop it now just click the Stop button
  5. Click the Close button

To re-enable you would repeat the above but change the startup to automatic.


Q. RAS tries to dial out even on local resources.

A. Perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses (a better way to view these is to type "rasautou -s" from the command prompt)
  3. In the subkeys look for the local address (and name). If you find it select the key and select Delete from the Edit menu.
  4. Close the registry editor

You may also wish to add addresses to the disabled list:

  1. Start the registry editor (regedt32.exe not regedit.exe)
  2. Move to HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control
  3. Double click on DisabledAddresses and add the address on a new line. Click OK when finished
  4. Close the registry editor

You will need to reboot the machine in both of the above cases.


Q. I have connected via RAS to a server however I can only see resources on the machine I connect to.

A. When you configure the RAS server you set for each protocol the scope of the connection, the server or the whole network. To change this perform the following:

  1. Start the Network Control Panel Applet (Right click on Network and select properties)
  2. Select the Services tab, select the Remote Access Service and click Properties
  3. Select the COM port and click the Network button
  4. Click the Configure button next to the protocol you wish to change access (e.g. TCP/IP)
  5. At the top check the "Entire network" button
  6. Click OK

Clients should now be able to view the entire network.


Q. How do I force the "Logon Using Dialup Networking" to be checked by default on the logon screen?

A. This can be accomplished with a registry change on each client machine.

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. From the Edit menu select New - String Value (REG_SZ type)
  4. Enter a name of RASForce
  5. Double click the new value and set to 1
  6. Close the Registry editor
  7. Reboot the machine

Q. Where are the RAS phone book entries and settings stored?

A. The actual phone book entries are stored in the file %systemroot%\system32\ras\rasphone.pbk (pbk - phone book). You could therefore copy this file to another machine to copy the phone book entries.

Another important file is %systemroot%\system32\ras\switch.inf which is used to create terminal login scripts (as discussed earlier in this section), and you may find phone book entries may refer to an entry in this file at the end of the entry:

DEVICE=switch
Type=Terminal

In this case, Type=Terminal means bring up a terminal window after connection so it does not use switch.inf,

DEVICE=switch
Type=Pipex

would cause the script "Pipex" (which is in switch.inf) to be run once a connection has been made. If these two lines are missing don't worry, it just means you don't need a terminal window once you have connected (probably means you are connecting to a Windows NT box). Usually if you connect to a non-NT machine you have to send it a username and password, along with the connection type (protocol), which is usually PPP on most modern systems, SLIP is an older option.

RAS information relating to phone book entries and outbound connections in the registry is actually stored under HKEY_CURRENT_USER\Software\Microsoft\RAS Phonebook, and contains details about redial attempts, display settings etc. Again you can export this section of the registry to a reg file (using regedit.exe) and import it into another machine to copy the machine specific settings.


Q. How can I change the number of rings that RAS server waits for before answering?

A. The normal method is to edit the file %systemroot%\system32\ras\modem.inf. Edit the file, find the sections relating to your modem and find the line

COMMAND_LISTEN=ATS0=1<cr>

Change the numeric value to the number of rings to answer after, e.g.

COMMAND_LISTEN=ATS0=10<cr>

would answer after 10 rings (you must really hate your users, don't we all :-) ). You must restart Windows NT for this change to take effect.

The above does not work if RAS is using any TAPI (Telephony Application Programming Interface)/Unimodem-based devices. If this is the case perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
  3. From the Edit menu select New - DWORD Value.
  4. Enter a name of NumberOfRings and press Enter
  5. Double click on this new value and set to the number of rings you want the RAS Server to wait before answering the phone (1-20). Any number greater than 20 and the default value of 1 is used. Click OK
  6. Close the registry editor

Q. How can I configure how long RAS Server waits before calling back a user when callback is enabled?

A. By default the RAS Server will wait 12 seconds before calling back a RAS client however this can be changed by editing the registry.

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP
  3. From the Edit menu select New - DWORD Value.
  4. Enter a name of DefaultCallbackDelay and press Enter
  5. Double click on this new value and set to the number of seconds you want the RAS Server to wait before dialing the client (1-255). Click OK
  6. Close the registry editor

Q. Whenever I connect via RAS I cannot connect to local machines on my LAN.

A. To enable WWW and FTP browsing when you connect via RAS you enable the "use default gateway on remote network" setting in the RAS options. The effect is that when the connection is made a new route is added to the route list, superseding the existing LAN routes, so any traffic destined for a node outside your local subnet will be sent using the RAS route. This is because a metric is used to identify the number of hops needed: once connected, the RAS route will have a metric of 1 and existing routes will be bumped out to a metric of 2.

To solve this a persistent route can be manually added for your LAN's subnet and the associated subnet gateway. While not connected via RAS you can examine your route information using the ROUTE PRINT command:

If your network was 160.82.0.0 (your company has a class B address) and the gateway was 160.82.220.1 for your local subnet you can add a route for the LAN only and all addresses outside of 160.82.0.0 will be routed using the RAS gateway.

C:\>route -p add <ip network> mask <subnet mask> <local gateway for the route>
e.g. C:\>route -p add 160.82.0.0 mask 255.255.0.0 160.82.220.1

This would mean all addresses from 160.82.1.1 to 160.82.254.254 would be routed via 160.82.220.1 and anything else via the RAS gateway.

If you wanted to add a route for a single host (maybe your internet firewall which is on another subnet) use the following:

C:\>route -p add 192.168.248.8 mask 255.255.255.254 160.82.220.1

Notice the subnet mask of 255.255.255.254 which means only for this single host.

When connected via RAS you will still be able to access resources outside of your local subnet on the LAN with no problems.


Q. How can I disable the "Save Password" option in dial-up networking?

A. When you connect via RAS you can cache the password. If you feel this is a security problem then you can disable the option that allows the password to be saved.

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters
  3. From the Edit menu select New - DWORD value
  4. Enter a name of DisableSavePassword and press ENTER
  5. Double click the new value and set to 1

If you disable "save password" make sure "redial on link failure" is not activated. On redial attempts, as the user information is not saved, it will attempt to connect as Administrator, which will not work (unless the ISP has very poor security :-) ).


Q. How can I set the number of Authentication Retries for Dial-Up connections?

A. By default after two unsuccessful authentication attempts the dial-up networking (DUN) component will hang up the line however this can be changed to between 0 and 10. 0 means the line will be hung up after the first attempt, 1 will allow one retry etc.

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters
  3. Double click on AuthenticateRetries and set to the required value. Click OK
  4. Close the registry editor
  5. Reboot the machine for the change to take effect (or stop and restart the RAS services)

Q. How can I set the Authentication Time-out for Dial-Up connections?

A. As well as changing the number of Authentication Retries that are allowed, the amount of time between each attempt can also be configured and after that time has elapsed it will count as a logon failure. This can be between 20 and 600 seconds.

  1. Start the registry editor
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters
  3. Double click on AuthenticateTime and set to the required value. Click OK
  4. Close the registry editor
  5. Reboot the machine for the change to take effect (or stop and restart the RAS services)

Q. Enabling 128-bit RAS Data Encryption.

A. Service Pack 3 (128 bit version) introduced the ability to use 128-bit RAS data encryption with a Windows NT 4.0 RAS server as opposed to the normal 40-bit encryption.

To enable this 128-bit encryption perform the following:

  1. Start the Network control panel applet (Start - Settings - Control Panel - Network)
  2. Select the services tab
  3. Select Remote Access Service and click Properties
  4. Click Network then Require Microsoft encrypted authentication
  5. Click Require data encryption and click OK
  6. Click continue and close the Network control panel applet
  7. Do not restart the computer at this point

It is now necessary to enable the 128-bit setting:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\COMPCP
  3. From the Edit menu select New - DWORD value
  4. Enter a name of ForceStrongEncryption and press Enter
  5. Double click the new value and set to 1. Click OK
  6. Close the registry editor
  7. Reboot the computer

After reboot is completed clients connecting via RAS or PPTP will have to authenticate using 128-bit key encryption. A number of event logs can be viewed using Event Viewer (Start - Programs - Administrative Tools - Event Viewer).

If a successful connection is made you will see the log:

Event ID: 20107
Source: RemoteAccess
Description: The user RAS connected to port COMx using strong encryption

If the connection was unsuccessful you will see the entry:

Event ID: 20077
Source: RemoteAccess
Description: An error occurred in the Point to Point Protocol module on port COMx. The remote computer does not support the required encryption type.

The client attempting connection would also receive a 629 error.
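The registry values from the RAS questions above (DisableSavePassword, AuthenticateRetries, AuthenticateTime and ForceStrongEncryption) can be checked in one pass against a regedit export. The following Python script is an added example, not part of the original FAQ; the sample export is constructed, and treating an absent DisableSavePassword or ForceStrongEncryption as a failure is this example's assumption.

```python
import re

# Constructed sample: a REGEDIT4 export of the three RAS keys the FAQ edits.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"DisableSavePassword"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters]
"AuthenticateRetries"=dword:0000000b
"AuthenticateTime"=dword:00000078

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\COMPCP]
"""

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# (key under Services, value name, validator, status when the value is absent)
# Ranges are the ones the FAQ gives: retries 0-10, time-out 20-600 seconds.
CHECKS = [
    (r"RasMan\Parameters", "DisableSavePassword", lambda v: v == 1, "FAIL"),
    (r"RemoteAccess\Parameters", "AuthenticateRetries", lambda v: 0 <= v <= 10, "DEFAULT"),
    (r"RemoteAccess\Parameters", "AuthenticateTime", lambda v: 20 <= v <= 600, "DEFAULT"),
    (r"RasMan\PPP\COMPCP", "ForceStrongEncryption", lambda v: v == 1, "FAIL"),
]


def parse_reg(text):
    """Return {key path: {value name: int}} for the dword values in an export.

    Key paths and value names are lower-cased because the registry is
    case-insensitive (the FAQ itself writes both System and SYSTEM).
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = keys.setdefault(header.group(1).lower(), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if value and current is not None:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys


def audit(text):
    """Return {value name: (status, value)}; status is OK, FAIL or DEFAULT."""
    keys = parse_reg(text)
    results = {}
    for subkey, name, is_ok, when_absent in CHECKS:
        values = keys.get((SERVICES + "\\" + subkey).lower(), {})
        value = values.get(name.lower())
        if value is None:
            results[name] = (when_absent, None)
        else:
            results[name] = ("OK" if is_ok(value) else "FAIL", value)
    return results


if __name__ == "__main__":
    for name, (status, value) in audit(SAMPLE_EXPORT).items():
        print(f"{status:8}{name} = {value}")
```

In the constructed export AuthenticateRetries is 11, outside the 0 to 10 range, and ForceStrongEncryption was never created, so both are reported.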


Q. Why does my RAS client have the wrong subnet mask, etc.?

A. The only parameter from DHCP that the RAS client uses is the IP address. Other parameters come as follows:

The subnet mask is that used by the NIC in the workstation, if fitted. IPCONFIG shows the mask as being the default mask for the class of IP address in use but this is irrelevant. MS used to display it as 0.0.0.0 which is clearly wrong, but the default is more subtly wrong. If there is no NIC in the client, then the subnet mask is irrelevant as all traffic is passed through the dial-up connection.

The default router is displayed as the same as the address of the client RAS interface. What is actually used as default router is the RAS server itself.

WINS server addresses and DNS server addresses for use by the client similarly do not come from the parameters set on the DHCP server but instead are those used by the RAS server itself.

Node Type is not taken from the DHCP parameters but can change on the RAS client depending on WINS information. If the RAS server has no WINS servers defined locally, a b-node Windows NT RAS client will remain a b-node client. If the RAS server has WINS servers defined locally, a b-node Windows NT RAS client will switch to h-node for the duration of the connection.

More information can be found in knowledge base article Q160699 at http://support.microsoft.com/support/kb/articles/q160/6/99.asp


Q. How long is the lease on the IP address when issued to a RAS client from DHCP?

A. When a RAS server is set to allocate IP addresses from DHCP, it grabs n+1 addresses when the service starts, (where n is the number of dial-up interfaces), and keeps them. Therefore, the lease time is largely irrelevant. When a client dials in, the RAS server issues one of these cached leases and the RAS server maintains the lease on behalf of the client. The RAS server only records the address of the DHCP server and the lease parameters. All other DHCP options are discarded.

You may notice that, if you use IPCONFIG or WINIPCFG on a RAS client to look at lease information, it has null dates (i.e. Jan 1, 1980). When the client disconnects, the IP address will be released back to the RAS server, NOT back to the DHCP server. This causes a lot of confusion when people expect their IP addresses to go back to the DHCP server. These will only be released back to DHCP when the RAS service is stopped and then the lease expires in due course.

Thanks to Peter Smith


Q. How can I disconnect users from the RAS server?

A. It is possible to disconnect any user using the "Remote Access Admin" utility:

  1. Start the Remote Access Admin utility (Start - Programs - Administrative Tools - Remote Access Admin)
  2. Select the domain or server in the main window
  3. From the Users menu select 'Active Users'
  4. Select the account you wish to disconnect and click the 'Disconnect User' button.
  5. Click OK to the confirmation

If you also want to revoke the user's dial-in permission, check the 'Revoke Remote Access Permission' check box in the dialog.


Q. How can I disable the modem speaker when dialling?

A. It's possible to disable the modem speaker in a number of ways. The easiest method is to use the RAS properties:

  1. Double click 'My Computer'
  2. Double click 'Dial-Up Networking'
  3. Select the Dial-up connection, click More and select 'Edit entry and modem properties'
  4. Select the Basic tab and at the bottom next to 'Dial using:' click Configure
  5. At the bottom of the Modem Configuration dialog is a 'Disable modem speaker' check box, check it and click OK
  6. Click OK to the main dialog and close all other dialogs

An alternative (which you may try if the above fails to work) is to edit the dial string and add the control sequence for your modem to disable the speaker. It's normally M0, however this can vary.

  1. Start the Modem control panel applet (Start - Settings - Modems)
  2. Select the modem and click Properties
  3. Select the Connection tab
  4. Click the Advanced button at the bottom of the dialog
  5. In the 'Extra settings' box enter the command string to disable the speaker, e.g.
    M0
  6. Click OK to the dialogs

Q. How can I limit RAS callers to see only the machine they connect to rather than the whole network?

A. When you configure the RAS server, you set for each protocol the scope of the connection, the server or the whole network. To change this perform the following:

  1. Start the Network Control Panel Applet (Right click on Network and select properties)
  2. Select the Service tab and select the Remote Access Service and click Properties
  3. Select the COM port and click the Network button
  4. Click the Configure button next to the protocol you wish to change access (e.g. TCP/IP)
  5. At the top check the "This computer only" option
  6. Click OK

Clients should now be able to only view local RAS server connections.


Q. How do I install the Windows 98 Virtual Private Network adapter?

A. Windows 98 contains the Virtual Private Network as standard and to install perform the following:

  1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network or right click on Network Neighborhood and select Properties)
  2. Select the Configuration tab
  3. Click Add
  4. Select Adapter and click Add
  5. Under Manufacturers select Microsoft and select "Microsoft Virtual Private Networking Adapter" in the Network Adapters box. Click OK
  6. You may be asked for the Windows 98 CD.
  7. Reboot the machine

Once the machine has rebooted, to create a new VPN connection start the Dial-Up Networking software and double click 'Make New Connection'.

Under the device select "Microsoft VPN Adapter", click Next and enter the host name or IP address of the VPN server.

To make a connection dial into the Internet then double click the VPN connection, enter a username and password and you are connected!


Q. How do I install the Point To Point Tunneling Server?

A. Windows NT Server contains the Point To Point Tunneling Protocol as standard and to install perform the following:

  1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network or right click on Network Neighborhood and select Properties)
  2. Select the Protocols tab
  3. Click Add
  4. Select "Point To Point Tunneling Protocol"
  5. Click OK
  6. You will be asked for the installation media. Enter the location and click Continue. If RAS is not currently installed it will be installed at this point.
  7. You will be asked for the number of private networks; enter it and click OK
  8. The Add RAS Device dialog will be displayed. Select "VPN1 - RASPPTPM" and click OK. By default the connection will be configured to receive calls only; to change this click Configure. Keep clicking Add to add more VPN devices (VPN2 etc.). Click Continue when all VPN devices have been added.
  9. Select TCP/IP options for RAS if it was not already configured. Click OK
  10. Click Close to the Network dialog
  11. Reboot the machine

Once the machine has rebooted it will operate as a Virtual Private Network server. Make sure any users who want to logon to it have RAS dial in rights (as configured using User Manager).

If you experience any problems with protocols make sure that the RAS server has the protocols configured, e.g. TCP/IP correctly. This can be done by starting the Network Control panel applet, select Services, select RAS and click Configure. Select the VPN port and click Network. You can then configure TCP/IP etc., ensure there are no problems with addresses etc.

Extra VPN connections can also be configured by clicking Add and selecting VPN2, VPN3 etc. You can only have simultaneous VPN connections for the number of VPN devices on the server.


Q. How do I install the Windows NT Virtual Private Network client?

A. Windows NT contains the Virtual Private Network as standard and to install perform the following:

  1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network or right click on Network Neighborhood and select Properties)
  2. Select the Protocols tab
  3. Click Add
  4. Select 'Point To Point Tunneling Protocol' and click OK
  5. You may be asked for the Windows NT CD.
  6. Select the number of virtual private networks and click OK
  7. The RAS setup dialog will be shown. Click Add
  8. Select 'VPN1 - RASPPTPM' and click OK
  9. Click Continue to the RAS dialog
  10. Click Close on the Network dialog
  11. Reboot the machine

Once the machine has rebooted, to create a new VPN connection start the Dial-Up Networking software and double click New.

Under the device select "Microsoft VPN Adapter", and under Phone number enter the host name or IP address of the VPN server.

To make a connection dial into the Internet then select the VPN connection, enter a username and password and you are connected!

You can check PPP is working by using the IPCONFIG command

PPP adapter NdisWan4:
IP Address. . . . . . . . . : 200.200.200.16
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 200.200.200.16


Q. How can I remove the dial-up networking icon from My Computer?

A. The dial-up networking icon can be removed by editing the registry as follows:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace
  3. Select {a4d92740-67cd-11cf-96f2-00aa00a11dd9}
  4. This step is optional but from the Registry menu select "Export Registry File". Enter a name for the reg file which will be created. This file will allow you to automatically undo this if you wish.
  5. Press the Del key to delete the key.
  6. Click Yes to the deletion confirmation dialog
  7. Dial-up networking will no longer be visible from My Computer

To restore it using your reg file just double click on the reg file from Explorer and dial-up networking will be restored.


Q. I've connected two computers using two 56K modems but I never connect at more than 33Kb, why?

A. The problem is that your modems cannot send faster than 33.6k. The 56k technologies, such as X2, K56flex and the new standard V.90 are asymmetric - 56k from a service such as an ISP to you, and 33.6k (maximum negotiated rate, may be less) from you to an ISP.

Having one of your V.90 modems call the other won't create a connection faster than 33.6k since neither side can transmit faster than 33.6k. The 56Kb is possible because the line from your house to the telephone company switching office is analog, and the rest of the path from the CO to the service (ISP) is 100% digital. At the service end, they specifically install digital modems designed to operate as the service end of a V.90/X2/K56flex connection.

This means you would need on one of the boxes the same kind of modem that an ISP would buy. You may find however that you can't get one of those without also having the digital phone circuit to connect it to.

If you need 56Kb look at ISDN. The easiest way to set up a system which can accept 56K V90 incoming connections is to get an ISDN2 or home highway and a 3COM Courier-I modem. The Courier-I can act as a standard and ISDN modem. It will also act in V90 mode as a server if it detects an incoming analogue call across the ISDN.


Q. What is TCP/IP?

A. If you are viewing this page on the web then you are using TCP/IP now! TCP/IP is a suite of related protocols and utilities used for network communications. TCP/IP is actually two protocols, Internet Protocol (IP) and Transmission Control Protocol (TCP). There are many different implementations of TCP/IP however they all conform to a standard which means different implementations can communicate with each other.

Each machine that uses TCP/IP must have a unique TCP/IP address, which is a 32 bit number usually displayed in the dotted quad (or dotted decimal) format xxx.xxx.xxx.xxx, where xxx is a number from 0 to 255. For example, the IP address 147.98.26.11 is shown below in its 32 bit form, together with how it breaks down into the dotted quad format:

10010011  01100010  00011010  00001011
147       98        26        11

TCP/IP was originally used on ARPANET, a military network, grew to universities and is now used on virtually every computer system.


Q. How do I install TCP/IP?

A. Below are the instructions on installing non-DHCP clients:

  1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
  2. Click the Protocols tab and click Add
  3. Select TCP/IP Protocol and click OK
  4. You will be asked if there is a DHCP server on the Network, click NO for DHCP
  5. A number of files will be installed and the protocols will be rebound, and you will be shown the TCP/IP configuration dialog
  6. Click the IP Address tab and enter the IP address and subnet mask. When you enter the IP address it will guess the subnet mask (however you may want to configure a subnet mask different from the Default).
  7. You can also configure DNS servers by clicking on the DNS tab and enter a Domain name (e.g. Savilltech.com) and a host name
  8. Click OK when finished and you have to reboot the machine

Q. Is there a way to trace TCP/IP traffic using NT?

A. As part of the Systems Management Server there is a Network Monitor module which enables the entire network to be monitored, also traffic over a modem. There is a limited version of this with NT 4.0 server, however only communications between the server and other computers can be monitored. The Network Monitor Service has to be installed (Control Panel - Network - Services - Add).


Q. I do not have a network card, but would like to install TCP/IP.

A. Microsoft provide a Loopback adapter that can be used for the testing of TCP/IP. To install the Loopback adapter perform the following actions:

  1. Start the Control Panel (Start - Settings - Control Panel)
  2. Double click on the Network icon
  3. Click on the Adapters tab, and click Add
  4. Select MS Loopback Adapter and click OK
  5. You will then need to configure TCP/IP as normal

Q. I have installed TCP/IP, what steps should I use to verify the setup is correct?

A. Follow the steps below:

  1. From a command prompt type
    ipconfig /all
    This will show information such as IP address, subnet mask and the physical address. Check the IP address and subnet mask are what you expect.
  2. Next there is a special IP address that is used for loopback testing 127.0.0.1, so try and ping this
    ping 127.0.0.1
    You should get 4 lines of
    Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
    Pinging 127.0.0.1 does not send any traffic out on the network. If this does not work it means the TCP/IP stack is not loaded correctly so go back and check your configuration
  3. Next try and ping your own IP address, once again this will not send any traffic out on the Network, but it just confirms the software
    ping 200.200.200.53
    Once again you should get 4 reply messages. If this does not work, but the loopback did, you probably have typed the IP address wrong, go back and check your configuration.
  4. Try and ping the gateway.
    ping 200.200.200.1
    This is the first traffic going out over the network. The gateway should be on your subnet. If you fail to ping the gateway, check the gateway is up, and that your network is correctly connected.
  5. Ping something on the other side of the gateway, i.e. something not on your subnet
    ping 158.234.26.46
    If this does not work then the gateway may not be functioning correctly.
  6. If all of the above worked, then Name Resolution should be tested by pinging by name; this will test the HOSTS file and/or DNS. If your machine name was john, and the domain savilltech.com, you would ping john.savilltech.com
    ping john.savilltech.com
    If this does not work, check in the Network Settings - Protocols - TCP/IP that the domain name is correct, also check the hosts file and the DNS.
  7. Next try and ping a name outside the network
    ping ftp.microsoft.com
    If this does not work then check with your ISP (Internet Service Provider)
  8. If all of the above works then get down to the serious stuff and start surfing! :-)

Q. How can I trace the route the TCP/IP packets take?

A. In general TCP/IP packets will not always take the same route to a destination, however the start of the journey is likely to be the same, i.e. to your gateway, to the firewall etc. The command to use is tracert and the syntax is as follows

c:\tracert <host name or IP address>, e.g.
c:\tracert news.savilltech.com
Tracing route to news.savilltech.com [200.200.8.55]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  200.200.24.1    (200.200.24.1 is the gateway)
  2   <10 ms    10 ms   <10 ms  200.200.255.81
  3    30 ms    10 ms    10 ms  news.savilltech.com [200.200.8.55]

Trace complete

The first column is the hop count, the next 3 columns show the round-trip times (in milliseconds), the next column is the hostname if the IP address was resolved, and the last column is the IP address of the host. It is really like a street map telling each turn to take. An important thing to look for is a looping route, where host a goes to b, then c, then back to a, as this usually indicates a problem.

Tracert will not always work with some FireWalls for hosts outside the FireWall.
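Spotting a looping route by eye gets harder on long traces, so the check can be automated. The Python below is an added example, not part of the original FAQ: it parses tracert output and reports any address that appears at more than one hop. The first trace is the one shown above; the second is constructed to contain a loop, and the function names are hypothetical.

```python
import re

# The trace from the FAQ above, laid out as tracert prints it.
PAGE_TRACE = """\
Tracing route to news.savilltech.com [200.200.8.55]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  200.200.24.1
  2   <10 ms    10 ms   <10 ms  200.200.255.81
  3    30 ms    10 ms    10 ms  news.savilltech.com [200.200.8.55]

Trace complete.
"""

# Constructed trace: two routers hand the packet back and forth.
LOOP_TRACE = """\
Tracing route to 200.200.8.55 over a maximum of 30 hops

  1   <10 ms   <10 ms   <10 ms  200.200.24.1
  2   <10 ms    10 ms   <10 ms  200.200.255.81
  3    20 ms    20 ms    20 ms  200.200.255.82
  4     *        *        *     Request timed out.
  5    30 ms    30 ms    30 ms  200.200.255.81
  6    40 ms    40 ms    40 ms  200.200.255.82
"""

# hop number, three probe results ("<10 ms", "10 ms" or "*"), then the host
HOP = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(.*\S)\s*$")
# a dotted quad at the end of the line, optionally in [brackets] after a name
ADDR = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")


def parse_tracert(text):
    """Return one dict per hop line; header and footer lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue
        # "*" (no reply) becomes None; "<10" is kept as its upper bound 10.
        rtts = [None if t == "*" else int(t)
                for t in re.findall(r"\*|\d+", m.group(2))]
        target = m.group(3)
        found = ADDR.search(target)
        address = found.group(1) if found else None
        name = target.split(" [")[0] if found and "[" in target else None
        hops.append({"hop": int(m.group(1)), "rtt_ms": rtts,
                     "name": name, "address": address})
    return hops


def find_loops(hops):
    """Return {address: [hop numbers]} for addresses seen at several hops."""
    seen = {}
    for h in hops:
        if h["address"]:
            seen.setdefault(h["address"], []).append(h["hop"])
    return {addr: nums for addr, nums in seen.items() if len(nums) > 1}


if __name__ == "__main__":
    for label, trace in (("page", PAGE_TRACE), ("loop", LOOP_TRACE)):
        loops = find_loops(parse_tracert(trace))
        print(label, "->", loops or "no loop")
```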


Q. What is the subnet mask?

A. As has been shown the IP address consists of 4 octets and is usually displayed in the format 200.200.200.5, however this address on its own does not mean much and a subnet mask is required to show which part of the IP address is the Network ID, and which part the Host ID. Imagine the Network ID as the road name, and Host ID as the house number, so with "54 Grove Street", 54 would be the Host ID, and Grove Street the Network ID. The subnet mask shows which part of the IP address is the Network ID, and which part is the Host ID.

For example, with an address of 200.200.200.5, and a subnet mask of 255.255.255.0, the Network ID is 200.200.200, and the Host ID is 5. This is calculated using the following:

IP Address   11001000 11001000 11001000 00000101
Subnet Mask  11111111 11111111 11111111 00000000
Network ID   11001000 11001000 11001000 00000000
Host ID      00000000 00000000 00000000 00000101

What happens is a bitwise AND operation between the IP address and the subnet mask, e.g.

1 AND 1=1
1 AND 0=0
0 AND 1=0
0 AND 0=0

There are default subnet masks depending on the class of the IP address as follows:

Class A : 001.xxx.xxx.xxx to 126.xxx.xxx.xxx uses subnet mask 255.0.0.0 as default
Class B : 128.xxx.xxx.xxx to 191.xxx.xxx.xxx uses subnet mask 255.255.0.0 as default
Class C : 192.xxx.xxx.xxx to 224.xxx.xxx.xxx uses subnet mask 255.255.255.0 as default

Where's 127.xxx.xxx.xxx ??? This is a reserved address that is used for testing purposes. If you ping 127.0.0.1 you will ping yourself :-)

The subnet mask is used when two hosts communicate. If the two hosts are on the same network then host a will talk directly to host b, however if host b is on a different network then host a will have to communicate via a gateway, and the way host a can tell if it is on the same network is using the subnet mask. For example

Host A 200.200.200.5
Host B 200.200.200.9
Host C 200.200.199.6
Subnet Mask 255.255.255.0

If Host A communicates with Host B, they both have Network ID 200.200.200, so Host A communicates directly with Host B. If Host A communicates with Host C, they are on different networks, 200.200.200 and 200.200.199 respectively, so Host A would send via a gateway.


Q. What diagnostic utilities are there for TCP/IP?

A. We have already seen PING and TRACERT, and below is a full list

  • arp - This displays and modifies the IP to physical address translation tables used by the ARP (Address Resolution Protocol).
  • finger - Displays information about a user on a specified system that is running the finger service
  • hostname - Displays the name of the current host
  • ipconfig - Displays information about the current TCP/IP configuration, including details about DNS servers etc. Can also be used to renew and release DHCP address leases.
  • nbtstat - Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP)
  • netstat - Displays protocol statistics and current TCP/IP connections
  • ping - Used to check if a destination host is receiving TCP/IP packets
  • route - Used to maintain and display routing tables
  • tracert - Used to view the route packets take to a destination host

For more information on these commands just enter the command with a -?, e.g. netstat -?


Q. What is routing and how is it configured?

A. When host a wants to send to host b, if they are on the same local network then the IP protocol resolves the IP address to a physical address using ARP (Address Resolution Protocol), and the physical address (e.g. 00-05-f3-43-d3-3e) of the source and destination hosts are added to the IP datagram to form a frame, and using the frame, the two hosts can communicate directly with each other.

If the 2 hosts are not on the same local network, then they cannot communicate directly with each other, and instead have to go through a router. You have probably already come across a router when you install TCP/IP, as the default gateway is just a router that you have chosen to use as a means of communicating with hosts outside your local network if no specific route is known. A router can be a Windows NT computer with 2 or more network cards (one card for connection to each separate local network) or it can be a physical hardware device, such as Cisco routers.

Assuming our two hosts are not on the same local network, host A will check its routing table for a router that connects to the local network of host B. If it does not find a match then the data packets will be sent to the "default gateway". In most cases, there will not be one router that connects straight to the intended recipient; rather, the router will know of another route to pass on your packet, which will then go to another router etc.

For example:

Host A - 200.200.200.5
Host B - 200.200.199.6
Subnet Mask - 255.255.255.0
Router - 200.200.200.2 and 200.200.199.2
Host A's routing table - Network 200.200.199.0 use router 200.200.200.2

In this example, Host A would deduce that Host B is on a separate network, as its Network ID is 200.200.199. Host A would then check its routing table and see that it knows for network 200.200.199 (the zero means all) it should send to 200.200.200.2. The router would receive the packets and then forward them to network 200.200.199.

What actually happens is each router will have its own routing table that will point to other routes.

To actually configure a route, you use the route command. For example, to configure a route for network 200.200.199 to use router 200.200.200.2 you would type

route -p add 200.200.199.0 mask 255.255.255.0 200.200.200.2

The -p makes the addition permanent, otherwise it will be lost with a reboot.

To view your existing information type route print.
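The same-network test from the subnet mask answer and the routing-table lookup described here, worked through in Python with the FAQ's own addresses. This is an added example, not code from the original FAQ; the function names are hypothetical, and preferring the most specific mask when several routes match is standard IP routing behaviour rather than something the FAQ states.

```python
def to_int(dotted):
    """Convert a dotted quad such as 200.200.200.5 to its 32 bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def to_dotted(value):
    """Convert a 32 bit integer back to dotted quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bits(dotted):
    """Show the four octets in binary, as in the FAQ's tables."""
    return " ".join(f"{(to_int(dotted) >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def split_address(ip, mask):
    """Return (network ID, host ID): ip AND mask, and ip AND NOT mask."""
    ip_i, mask_i = to_int(ip), to_int(mask)
    return to_dotted(ip_i & mask_i), to_dotted(ip_i & ~mask_i & 0xFFFFFFFF)


def next_hop(src, dst, mask, routes, default_gateway=None):
    """Decide where src sends a packet addressed to dst.

    routes is a list of (network, mask, router) tuples, the same three
    values given to 'route add <network> mask <mask> <router>'.
    """
    if split_address(src, mask)[0] == split_address(dst, mask)[0]:
        return ("direct", dst)          # same Network ID: ARP for dst itself
    matches = [(to_int(m), router) for network, m, router in routes
               if to_int(dst) & to_int(m) == to_int(network)]
    if matches:
        # Several routes may match; the longest (most specific) mask wins.
        return ("router", max(matches, key=lambda pair: pair[0])[1])
    if default_gateway:
        return ("default gateway", default_gateway)
    return ("unreachable", None)


# Host A's routing table from the example above.
ROUTES = [("200.200.199.0", "255.255.255.0", "200.200.200.2")]

if __name__ == "__main__":
    a, mask = "200.200.200.5", "255.255.255.0"
    print(to_bits(a), "->", split_address(a, mask))
    for dst in ("200.200.200.9", "200.200.199.6", "158.234.26.46"):
        print(dst, next_hop(a, dst, mask, ROUTES, default_gateway="200.200.200.1"))
```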


Q. What is ARP?

A. ARP stands for Address Resolution Protocol and was touched on in the previous question as a means of resolving an IP address to an actual physical network card address.

All network cards have a unique 48 bit address, written as six hexadecimal pairs, e.g. 00-A0-24-7A-01-48, and this address is hard coded into the network card. You can view your network card's hardware address by typing

ipconfig /all
.
Ethernet adapter Elnk31:

Description . . . . . . . . : ELNK3 Ethernet Adapter.
Physical Address. . . . . . : 00-A0-24-7A-01-48
DHCP Enabled. . . . . . . . : No
IP Address. . . . . . . . . : 200.200.200.5
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 200.200.200.1
Primary WINS Server . . . . : 200.200.50.23
Secondary WINS Server . . . : 200.200.40.190

As discussed in the Subnet question, if a packet's destination is on the same local network as the sender's, then the sender needs to resolve the destination's IP address into a physical hardware address; otherwise the sender needs to resolve the router's IP address into a physical hardware address. When an NT machine's TCP/IP component starts, it broadcasts an ARP message with its IP to hardware address pair. The basic order of events for sending to a host on the local network is as follows:

  1. ARP checks the local ARP cache for an entry for the destination's IP address. If a match is found, then the hardware address of the destination is added to the frame header and the frame sent.
  2. If a match is not found, then an ARP request broadcast is sent to the local network (remember it knows the destination is on the local network by working out the Network ID from the IP address and the subnet mask). The ARP request contains the sender's IP address and hardware address, the IP address that is being queried and is sent to 255.255.255.255 (everyone, but it won't get routed).
  3. When the destination host receives the broadcast, it sends an ARP reply with its hardware address and IP address.
  4. When the source receives the ARP reply, it will update its ARP cache and then create a frame and send it.

If you are sending to a destination not on your local network, then the process is similar except the sender will resolve the router's IP address instead.

To inspect your machine's ARP cache, type:
arp -a

and a list of IP address to hardware address pairs will be shown. Try pinging a host on your local network and then displaying the ARP cache again and you will see an entry for the host, also try pinging a host outside your local network and check the ARP cache and an entry for the router will have been added. You will notice that the word dynamic is listed with the records, and this is because they were added as needed and are volatile, hence will be lost on reboot. In fact the entries will be lost quicker than this! If an entry is not used again within 2 minutes then it will be deleted from the cache. If it is used within 2 minutes, it will not be deleted for a further 10 minutes, unless used again and then it would be ten minutes from when used :-).

You may wish to add static entries for some hosts (to save time with the ARP requests) and the format is
arp -s <IP address> <hardware address>, e.g.
arp -s 200.200.200.5 00-A0-24-7A-01-48


Q. My Network is not connected to the Internet, can I use any IP address?

A. The basic answer would be Yes, however it is advisable to use one of the following ranges which are reserved for use by private networks:

10.0.0.0 - 10.255.255.255 this is a single class A network
172.16.0.0 - 172.31.255.255 this is a group of 16 contiguous class B networks
192.168.0.0 - 192.168.255.255 this is a contiguous group of 256 class C networks

The addresses above are detailed in RFC 1918 (Request for Comments). The advantage of these addresses is that they are automatically filtered out by routers, thus protecting the internet. Obviously if you did one day want to put part of your network on the internet you would need to apply for a range of IP addresses (from Internic or from your ISP).


Q. How can I increase the time entries are kept in the ARP cache?

A. The default 2 minutes can be changed by performing the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. From the Edit menu select New - DWord value and enter a name of ArpCacheLife, click OK
  4. Double click the new value and set to the new value in seconds and click OK
  5. Close the registry editor
  6. Reboot
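The cache ageing described in the ARP answer, with the ArpCacheLife value from this answer as a parameter, can be stepped through in a small simulation. This Python is an added example, not part of the original FAQ: it models the timers exactly as the FAQ states them (2 minutes for an unused entry, 10 minutes from each use), the class and function names are hypothetical, and the second hardware address is constructed.

```python
class ArpCache:
    """ARP cache ageing as the FAQ describes it; all times are in seconds."""

    def __init__(self, unused_life=120, used_life=600):
        self.unused_life = unused_life  # ArpCacheLife; the FAQ's default is 2 minutes
        self.used_life = used_life      # 10 minutes from each use, per the FAQ
        self.entries = {}               # ip -> {"mac", "type", "expires"}

    def add_static(self, ip, mac):
        """Equivalent of: arp -s <IP address> <hardware address>."""
        self.entries[ip] = {"mac": mac, "type": "static", "expires": None}

    def learn(self, ip, mac, now):
        """Store the pair from an ARP reply as a dynamic entry."""
        self.entries[ip] = {"mac": mac, "type": "dynamic",
                            "expires": now + self.unused_life}

    def _purge(self, now):
        expired = [ip for ip, e in self.entries.items()
                   if e["expires"] is not None and e["expires"] <= now]
        for ip in expired:
            del self.entries[ip]

    def lookup(self, ip, now):
        """Return the cached hardware address or None; a hit extends the entry."""
        self._purge(now)
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if entry["type"] == "dynamic":
            entry["expires"] = now + self.used_life
        return entry["mac"]


def send(cache, network, dst_ip, now):
    """Steps 1 to 4 of the FAQ: return (how the address was resolved, mac).

    network maps IP addresses to the hardware address of the host that
    would answer an ARP request broadcast on the local network.
    """
    mac = cache.lookup(dst_ip, now)
    if mac is not None:
        return ("cache", mac)           # step 1: cache hit, no broadcast
    mac = network.get(dst_ip)           # steps 2 and 3: broadcast and reply
    if mac is None:
        return ("no reply", None)
    cache.learn(dst_ip, mac, now)       # step 4: update the cache
    return ("broadcast", mac)


def timeline(cache, network, dst_ip, times):
    """How each send at the given times (seconds) was resolved."""
    return [send(cache, network, dst_ip, t)[0] for t in times]


# Constructed local network: one neighbour of the FAQ's host 200.200.200.5.
NETWORK = {"200.200.200.9": "00-A0-24-7A-01-49"}

if __name__ == "__main__":
    print(timeline(ArpCache(), NETWORK, "200.200.200.9", [0, 130]))
    print(timeline(ArpCache(), NETWORK, "200.200.200.9", [0, 100, 650, 1300]))
    print(timeline(ArpCache(unused_life=600), NETWORK, "200.200.200.9", [0, 130]))
```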

Q. What other registry entries are there for TCP/IP?

A. There is a whole knowledge base article on them that may be useful at http://support.microsoft.com/support/kb/articles/q120/6/42.asp .


Q. How can I configure more than 6 IP addresses?

A. Using the TCP/IP configuration GUI you are limited to 6 IP addresses however more can be added by directly editing the registry:

  1. Log on as an Administrator
  2. Start the registry editor (regedt32.exe)
  3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and scroll down to the service for your adapter card (look at the Adapters tab on the Network Control panel applet). For example the Etherlink 3 card is Elnk3, however you want the first occurrence so go to Elnk31.
  4. Move to the Parameters\TCPIP subkey
  5. Double click the IPAddress value. Enter in additional IP addresses separated by a new line
  6. When finished click OK
  7. Next edit the SubnetMask and again add an entry for each IP address added (in the same order). Click OK when finished.
  8. Close the registry editor
  9. Reboot the machine

Q. What are the common TCP ports?

A. Below is a list of the most common TCP ports.

Keyword    Port   Description
echo       7      Echo
systat     11     Active Users
qotd       17     Quote of the day
msp        18     Message Send Protocol
ftp-data   20     File Transfer (Data Channel)
ftp        21     File Transfer (Control)
telnet     23     Telnet
smtp       25     Simple Mail Transfer
name       42     TCP Nameserver
bootps     67     Bootstrap Protocol Server
bootpc     68     Bootstrap Protocol Client
tftp       69     Trivial File Transfer
gopher     70     Gopher
finger     79     Finger
www        80     World Wide Web
kerberos   88     Kerberos
pop        109    TCP post office
nntp       119    USENET
nfs        2049   Network File System

Q. How can I perform a migration to DHCP?

A. There are only a few basic registry entries that define a client as a DHCP client so an easy way to migrate clients to DHCP is to create a registry script that sets the required values via logon script. You should obviously be careful that there is no overlap between the addresses in the DHCP address pool and those statically assigned.

The DHCP service needs to be configured to start at system startup. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP\ and change the value entry Start from 1 to 2.

TCPIP parameters are defined to each NIC (Network Interface Card).

The following is an example registry script you may consider using. If you are unsure of the card service, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\1 and write down the data for the value entry ServiceName

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<card service>\Parameters\Tcpip]
"EnableDHCP"=dword:00000001
"IPInterfaceContext"=dword:00000001
"IPInterfaceContextMax"=dword:00000001

You should then add something into the logon script to detect the NIC installed into the computer, run the reg script and request an IP address, e.g.

if reg=elpc575 (for the 3com575tx) goto dhcp
..
..
..
:dhcp
regedit /s NIC_dhcp.reg
ipconfig /renew
net send %computername% Congrats Your computer has been configured for DHCP!
endif

On your LAN you will probably have various types of NIC, so you need a quick way to find out which network card a machine is using.

For instance you may have the 3c89d, netflx3 and 3c575tx. For the Netflx3 driver, for example, installation on NT 4.0 adds the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CpqNF31 with the parameters:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CpqNF31\Parameters\Tcpip]
"EnableDHCP"=dword:00000000

You have to find out what the key name is because it is different for each NIC. You can then run kix32.exe and use the function:

EXISTKEY ("Key")

Checks for the existence of a registry key.

Parameters
Key - Identifies the key you want to check the existence of.

Returns
0 the key specified exists (Note : this is different from the way the EXIST function works...)
>0 the key does not exist, returncode represents an errorcode

$ReturnCode = ExistKey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CpqNF31")

If $ReturnCode = 0
    ? "Key exists...."
Endif

...to determine if the key exists and then execute accordingly for that specific card.

You may also set the value IPAddress=0.0.0.0 and value SubnetMask=0.0.0.0 for the card service however they will be ignored anyway. Fill in the IPAddress and SubnetMask with 0.0.0.0. Blanking out or deleting the values won't work. Restart the workstation to complete the change.

This can also be done using Windows Scripting Host.

From MS SupportOnline Article ID: Q197424

'-----------------------------------------------------------------------
' The following script reads the registry value name IPAddress to
' determine which registry entries need to be changed to enable DHCP.
' This sample checks the first 11 network bindings for TCP/IP, which is
' typically sufficient in most environments.
'-----------------------------------------------------------------------
Dim WSHShell, NList, N, IPAddress, IPMask, IPValue, RegLoc
Set WSHShell = WScript.CreateObject("WScript.Shell")

NList = Array("0000","0001","0002","0003","0004","0005","0006", _
              "0007","0008","0009","0010")

On Error Resume Next
RegLoc = "HKLM\System\CurrentControlSet\Services\Class\NetTrans\"

For Each N In NList
    IPValue = "" 'Resets variable
    IPAddress = RegLoc & N & "\IPAddress"
    IPMask = RegLoc & N & "\IPMask"
    IPValue = WSHShell.RegRead(IPAddress)
    If (IPValue <> "") And (IPValue <> "0.0.0.0") Then
        WSHShell.RegWrite IPAddress, "0.0.0.0"
        WSHShell.RegWrite IPMask, "0.0.0.0"
    End If
Next

WScript.Quit ' Tells the script to stop and exit.

Q. How do I assign multiple IP addresses to a single NIC?

A. It is possible to assign more than one IP address to a single NIC (Network Interface Card). To configure extra IP addresses under NT 4.0 perform the following:

  1. Right click on Network Neighborhood and select Properties (if you are unable to do this start the Network Control Panel applet via control panel)
  2. Select the Protocols tab
  3. Select 'TCP/IP Protocol' and click the Properties button
  4. Select the 'IP Address' tab and you will see your normal IP address. Click the Advanced button at the bottom of the dialog
  5. Select the Adapter and click Add under the IP addresses section
  6. Enter the new IP address and subnet mask. Click Add
  7. Click OK to the advanced dialog
  8. Click Apply then OK to the TCP/IP dialog
  9. Close all other dialogs
  10. Reboot the computer

Under Windows 2000 the procedure is the same except to get the TCP/IP protocol properties you need to:

  1. Right click on "My Network Places" and select Properties
  2. Right click on "Local Area Connection" and select Properties
  3. Select "Internet Protocol (TCP/IP)" and select Properties
  4. The procedure is then as above except the reboot is not necessary

Q. How do I install the Network Monitor Utility?

A. Windows NT Server ships with a limited version of the Network Monitor utility which allows you to monitor only traffic to and from the installed box. The full SMS version allows promiscuous monitoring of the network.

To install the basic NT version:

  1. Start the Network Control Panel applet (Start - Settings - Control Panel - Network)
  2. Select the Services tab
  3. Click Add
  4. Select "Network Monitor Tools and Agent". Click OK
  5. Click OK to the main dialog
  6. The protocols will be rebound and you will need to reboot the machine

The SMS 1.2 version can be installed as part of a full SMS installation by selecting "Install Admin Tools" option and clicking Custom to add the network monitor. It can also be installed directly from the SMS\nmext directory on the SMS 1.2 CD-ROM:

  1. Insert the SMS 1.2 CD-ROM
  2. Move to SMS\nmext\disk1
  3. Run setup.exe
  4. Select the installation directory (C:\nm by default). Click Continue
  5. Files will then be copied
  6. You will have to set Network Monitor passwords for capturing and viewing captures (or click No Password).
  7. Enter your name and click OK
  8. If the Network Monitor Agent is not installed it will bring up the Network control panel applet where you must select the Services tab, click Add and select "Network Monitor Agent". Click OK
  9. Reboot the machine

SMS 2.0 version instructions will be added shortly.


Q. How do I perform a network trace using NetMon?

A. To start Network Monitor select "Network Monitor" from the "Network Analysis Tools" Start menu Programs folder. Once started you will be presented with the initial trace dialog which is split into 4 main windows.

Initially the trace will be for all hosts to all hosts however you will probably want to refine this using a filter as follows:

  1. From the Capture menu select Filter (or press F8)
  2. You will see an Address Pair entry of *ANY <--> *ANY. Select this line
  3. Click the Line button in the Edit area
  4. You will be shown a list of addresses the computer knows about, you may add new ones by clicking the "Edit Addresses" button.
  5. Select the host for station1 and station2 and the direction and click OK
  6. Click OK to the main dialog. You should see the *ANY <--> *ANY line has changed to the two nodes, e.g. LNTLL2 <--> LNPCSW0030

You are now ready to start the search by selecting Start from the Capture menu (or press F10). Once you have collected the data you require, stop the search by selecting Stop from the Capture menu (or press F11). An alternative is to select Stop + View data which will stop the trace and show the captured data.

The normal method to display captured data is to select "Display Captured Data" from the Capture menu or press F12. A new dialog will be shown with all frames sent between the selected hosts. For more detail about a frame just double click it. It will then give the full frame information and content.

Notice you can actually see the data that was sent and full IP and TCP headers can also be inspected. If you start another search it will ask if you want to save the current captured data. You can also manually save by selecting "Save As" from the File menu.


Q. Nothing shows up on my NETMON trace, why?

A. Netmon is capable of capturing data on all adapters including RAS adapters and by default it will trace the adapter with the lowest MAC address, which would be 000000000000 for a RAS device and thus the default.

To change the adapter used perform the following:

  1. Within Netmon select Networks from the Capture menu
  2. Select the correct local adapter (the MAC address will be non-zero)
  3. Click OK

Restart your capture. You could check your card's MAC address (if you had several) using the IPCONFIG /ALL command.


Q. What is the NETMON agent?

A. In some situations you may want to monitor traffic for a certain machine but are unable to actually use that machine to perform the network monitor (maybe because of physical location).

The Network Monitor agent is installed on the machine whose traffic you wish to monitor and then you can "connect" to it from a machine running the Network Monitor application and capture its traffic.

The Network Monitor agent runs as a service and needs to be started on the machine whose traffic you wish to capture.


Q. How do I install the Network Monitor agent?

A. The Network Monitor agent is supplied with both Windows NT Workstation and Windows NT Server and is installed as follows:

  1. Logon to the machine
  2. Start the Network Control Panel applet (Start - Settings - Control Panel - Network)
  3. Select the Services tab
  4. Click Add
  5. Select "Network Monitor Agent" and click OK
  6. It may ask for the location of the files, enter the location, e.g. d:\i386 and click OK
  7. Click Close to the main location
  8. Click Yes to reboot the machine

Once the reboot has completed you need to configure the Network Monitor so it starts automatically:

  1. Start the Services control panel applet (Start - Settings - Control Panel - Services)
  2. Select "Network Monitor Agent"
  3. Click Start
  4. Click Start-up
  5. Select Automatic. Click OK

To start the Network Monitor Service from the command line use the command

C:\> net start nmagent


Q. How do I monitor traffic for an agent?

A. To monitor traffic from an agent perform the following:

  1. Start Network Monitor (Start - Programs - Network Analysis Tools - Network Monitor)
  2. Select Networks from the Capture menu
  3. Select Node Name of Remote
  4. Click Connect
  5. Enter the machine name of the Agent (or IP address), a comment and how often you want the status updated.
    Click Connect
  6. A connection will be made

If the connection fails ensure the Network Monitor Agent is running on the remote machine and that you have local Administrator rights on it.

You can now perform captures as per normal. To switch back to local just select Networks from the Capture menu and select one of the Local node options.


Q. How do I filter captured packets?

A. Once you have captured data it is possible to apply a filter to view only certain types of packets:

  1. Once you have displayed your captured data select Filter from the Display menu
  2. You can select the protocol to monitor by selecting the Protocol==Any line and click Edit - Operator
  3. A new dialog will be displayed with 3 tabs, Address, Protocol and Property. You can click Disable All to disable the protocols and then selectively add the one you require, e.g. DNS
  4. From the Property tab you can select certain matches for each protocol to refine even further.
  5. Click OK to close the dialog
  6. Click OK to the main filter dialog

The data displayed will now be that which matches the specified criteria. To disable the filter just select "Disable Filter" from the Filter menu.


Q. What is IPv6?

A. IPv6 is the next version of the Internet Protocol, version 6.0, hence IPv6.

Current computers use IP version 4.0 which, despite being created in the mid-1970's, has done very well. However, it has reached its limit: it is about to run out of addresses and is not the most bandwidth-friendly protocol, so it's time for an upgrade.

Below are the 4 main reasons that IP version 4.0 needs an upgrade:

  • Address space limitation - Basically there are not many IP addresses left and with everything from watches having IP addresses we need more
  • Performance - IP has a very strict header format which can waste a great deal of bandwidth
  • Security - The next version of IP has excellent security measures which up to now have had to be handled by higher layers
  • Autoconfigure - IP configuration is quite complex and while DHCP moves to improve this the next version allows a computer to just plug into the network and go

Current IP addresses consist of 32 bits, represented as 4 bytes, dotted-quad format, e.g. 200.200.200.202. IP version 6 uses 128 bits for addresses!

IPv6 is defined in the following RFC's (Request for Comments)

  • RFC 1287 - Towards the Future Internet Architecture
  • RFC 1454 - Comparison of Proposals for Next Version of IP
  • RFC 2373 - IPv6 Addressing Architecture
  • RFC 2374 - IPv6 Global Unicast Address Format
  • RFC 2460 - IPv6 Specification

Q. How will IPv6 addresses be written?

A. Since IPv6 addresses are 128-bit and hence four times longer than an IPv4 address, addresses are expressed as:

X:X:X:X:X:X:X:X

where each X is a 4-digit hexadecimal integer (16 bits). Each digit is 4 bits and so can be between 0 and F (F is 15 in hexadecimal). Examples of valid addresses would be:

FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
1080:0:0:0:8:800:200C:417A

Notice in the second address you can leave off any leading zeros, but you must have at least one numeral in each part. For example :0800: can be written as :800:.

Obviously you may have a large sequence of zeros in the address and so it is possible to have a single gap by writing :: which will fill the gap with zeros, for example

1080:0:0:0:8:800:200C:417A

may be written as

1080::8:800:200C:417A

0:0:0:0:0:0:0:1, the loopback address (the IPv6 equivalent of 127.0.0.1), can be written as ::1.

A third format, available when dealing with a mixed environment of IPv4 and IPv6 nodes, is:

x:x:x:x:x:x:d.d.d.d

where the 'x's are the hexadecimal values of the six high-order 16-bit pieces of the address, and the 'd's are the decimal values of the four low-order 8-bit pieces of the address (standard IPv4 representation). Examples:

0:0:0:0:0:0:13.1.68.3
0:0:0:0:0:FFFF:129.144.52.38

or in compressed form:

::13.1.68.3
::FFFF:129.144.52.38

The subnet mask is now replaced by a number appended to the network address specifying the number of bits making up the network part (CIDR notation), e.g. ipv6-address/prefix-length:

12AB:0000:0000:CD30:0000:0000:0000:0000/60
12AB:0000:0000:CD30::/60

Means the first 60 bits make up the network part of the address.

When writing both a node address and a prefix of that node address (e.g., the node's subnet prefix), the two can be combined as follows:

the node address 11AC:0:0:CA20:123:4567:89AB:CDEF
and its subnet number 11AC:0:0:CA20::/60

can be abbreviated as 11AC:0:0:CA20:123:4567:89AB:CDEF/60
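
The three text forms and the prefix notation described above can be checked mechanically, which matters whenever addresses from logs or filter rules have to be compared. The following Python parser is an added example, not part of the original FAQ; the function names are illustrative, and refusing IPv4 fields with leading zeros is an assumption made here for strictness.

```python
"""Parse the IPv6 text forms from the FAQ answer into 128-bit integers."""
import ipaddress  # standard library; used only to cross-check in the demo

_HEX = set("0123456789abcdefABCDEF")
_DEC = set("0123456789")


def _ipv4_tail(text):
    """Turn dotted-quad d.d.d.d into the two low-order 16-bit pieces."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("IPv4 part needs four decimal fields: %r" % text)
    octets = []
    for part in parts:
        if not part or not set(part) <= _DEC or len(part) > 3:
            raise ValueError("bad IPv4 field: %r" % part)
        # Assumption (not from the FAQ): refuse leading zeros, which some
        # parsers read as octal.
        if len(part) > 1 and part[0] == "0":
            raise ValueError("leading zero in IPv4 field: %r" % part)
        if int(part) > 255:
            raise ValueError("IPv4 field out of range: %r" % part)
        octets.append(int(part))
    return [(octets[0] << 8) | octets[1], (octets[2] << 8) | octets[3]]


def _groups(text, allow_ipv4):
    """Parse colon-separated pieces that contain no '::'."""
    if text == "":
        return []
    pieces = text.split(":")
    out = []
    for index, piece in enumerate(pieces):
        if "." in piece:
            if not allow_ipv4 or index != len(pieces) - 1:
                raise ValueError("d.d.d.d is only valid as the last part")
            out.extend(_ipv4_tail(piece))
        elif 1 <= len(piece) <= 4 and set(piece) <= _HEX:
            out.append(int(piece, 16))
        else:
            raise ValueError("each part needs 1 to 4 hex digits: %r" % piece)
    return out


def parse_ipv6(text):
    """Accept the full, '::' compressed and mixed x:...:d.d.d.d forms."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        left, right = text.split("::")
        head, tail = _groups(left, False), _groups(right, True)
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        groups = head + [0] * missing + tail
    else:
        groups = _groups(text, True)
        if len(groups) != 8:
            raise ValueError("expected 8 groups, got %d" % len(groups))
    value = 0
    for group in groups:
        value = (value << 16) | group
    return value


def parse_prefix(text):
    """Split 'ipv6-address/prefix-length'; return (network, node, length)."""
    addr_text, slash, len_text = text.partition("/")
    if not slash or not len_text or not set(len_text) <= _DEC:
        raise ValueError("missing or bad prefix length: %r" % text)
    length = int(len_text)
    if length > 128:
        raise ValueError("prefix length above 128: %d" % length)
    node = parse_ipv6(addr_text)
    mask = ((1 << length) - 1) << (128 - length)
    return node & mask, node, length


def to_full(value):
    """Render as eight 4-digit groups, the uncompressed form."""
    return ":".join("%04X" % ((value >> shift) & 0xFFFF)
                    for shift in range(112, -1, -16))


if __name__ == "__main__":
    for sample in ("1080::8:800:200C:417A", "::1", "::FFFF:129.144.52.38"):
        number = parse_ipv6(sample)
        assert number == int(ipaddress.IPv6Address(sample))
        print(sample, "->", to_full(number))
```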


Q. What is the IPv6 header format?

A. Below is the specification for the header format of IPv6:

Version | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address

Version - 4-bit Internet Protocol version number.

Traffic Class - 8-bit traffic class field

Flow Label - 20-bit flow label

Payload Length - 16-bit unsigned integer. Length of the IPv6 payload, i.e., the rest of the packet following this IPv6 header, in octets. (Note that any extension headers present are considered part of the payload, i.e., included in the length count.)

Next Header - 8-bit selector. Identifies the type of header immediately following the IPv6 header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].

Hop Limit - 8-bit unsigned integer. Decremented by 1 by each node that forwards the packet. The packet is discarded if Hop Limit is decremented to zero.

Source Address - 128-bit address of the originator of the packet.

Destination Address - 128-bit address of the intended recipient of the packet (possibly not the ultimate recipient, if a Routing header is present).

Notice that the IPv6 header has far fewer fields than the IPv4 header and IPv6 introduces a number of extension headers as defined in RFC 2460.
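
To make the field layout concrete, the following Python code (an added example, not from the original FAQ) decodes the 40-byte fixed header and then goes one step further than the text by walking the RFC 2460 extension headers to find the upper-layer protocol, which is what a packet filter has to do before it can apply a TCP or UDP rule. The function names and the sample packet are constructed for illustration.

```python
"""Decode the 40-byte IPv6 fixed header and locate the upper-layer protocol."""
import ipaddress
import struct

FIXED_LEN = 40
# RFC 2460 extension headers that start with (next header, length) octets.
EXT_GENERIC = {0: "Hop-by-Hop Options", 43: "Routing", 60: "Destination Options"}
EXT_FRAGMENT = 44  # Fragment header: always 8 octets


def parse_fixed_header(packet):
    """Return the fixed-header fields as a dict; raise ValueError if malformed."""
    if len(packet) < FIXED_LEN:
        raise ValueError("need 40 bytes for the fixed header, got %d" % len(packet))
    # First 32-bit word: 4-bit version, 8-bit traffic class, 20-bit flow label.
    word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word >> 28 != 6:
        raise ValueError("version field is %d, not 6" % (word >> 28))
    if payload_len > len(packet) - FIXED_LEN:
        raise ValueError("payload length %d exceeds captured data" % payload_len)
    return {
        "version": word >> 28,
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "source": str(ipaddress.IPv6Address(packet[8:24])),
        "destination": str(ipaddress.IPv6Address(packet[24:40])),
    }


def upper_layer(packet):
    """Walk extension headers; return (protocol, offset of its data, chain).

    For a non-first fragment the bytes at the returned offset continue an
    earlier packet and are not the start of a protocol header.
    """
    header = parse_fixed_header(packet)
    end = FIXED_LEN + header["payload_length"]
    proto, offset, chain = header["next_header"], FIXED_LEN, []
    while proto in EXT_GENERIC or proto == EXT_FRAGMENT:
        if offset + 8 > end:
            raise ValueError("extension header runs past the payload")
        following, ext_len = packet[offset], packet[offset + 1]
        # Length octet counts 8-octet units beyond the first 8 octets.
        size = 8 if proto == EXT_FRAGMENT else (ext_len + 1) * 8
        if offset + size > end:
            raise ValueError("extension header length exceeds the payload")
        chain.append(proto)
        proto, offset = following, offset + size
    return proto, offset, chain


def forward(packet):
    """Decrement Hop Limit as a forwarding node would; None means discarded."""
    header = parse_fixed_header(packet)
    if header["hop_limit"] <= 1:
        return None  # would reach zero, so the packet is dropped
    return packet[:7] + bytes([header["hop_limit"] - 1]) + packet[8:]


def build_packet(next_header, payload, hop_limit=64, traffic_class=0,
                 flow_label=0, src="1080::8:800:200C:417A",
                 dst="FEDC:BA98:7654:3210:FEDC:BA98:7654:3210"):
    """Assemble a packet for testing (addresses are the FAQ's examples)."""
    word = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", word, len(payload), next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


# Constructed sample: Hop-by-Hop -> Destination Options -> 20 zero bytes
# standing in for a TCP header. Each options header holds one PadN option.
_HOP_BY_HOP = bytes([60, 0, 1, 4, 0, 0, 0, 0])
_DEST_OPTS = bytes([6, 0, 1, 4, 0, 0, 0, 0])
SAMPLE = build_packet(0, _HOP_BY_HOP + _DEST_OPTS + bytes(20),
                      hop_limit=2, traffic_class=0xB8, flow_label=0x12345)

if __name__ == "__main__":
    print(parse_fixed_header(SAMPLE))
    print(upper_layer(SAMPLE))
```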


Q. I am unable to install TCP/IP, why?

A. If you are trying to reinstall TCP/IP after previously uninstalling it the problem may be due to certain TCP/IP registry values not being removed correctly.

To manually remove perform the following:

  1. Start the registry editor (regedt32.exe)
  2. Select the key you want to delete.
  3. Select the 'Security' menu and select 'Owner...'. (The 'Owner' dialog box appears.)
    Click 'Take Ownership'.
  4. Select the 'Security' menu and select 'Permissions...'. (The 'Registry Key Permissions' dialog box appears.)
  5. In the 'Name' list box, select 'Everyone'.
  6. Select 'Full Control' from the 'Type of Access' drop-down list box.
  7. Select the 'Replace Permission on Existing Subkeys' check box.
  8. Click 'OK'.
  9. Repeat steps 2 to 8 for all registry keys to be deleted
  10. Reboot the computer so that Registry changes are recognized by Windows NT.

An alternative which avoids having to change security is to start regedt32.exe under the System account by submitting it via the schedule service:

C:\> net start schedule (only if not already running)
C:\> at <time> /inter regedt32.exe
C:\> net stop schedule (only if you had to start it)

Once the computer has rebooted restart REGEDT32.EXE and ensure all of the following are deleted (these are the keys whose security you must set)

Connectivity Utilities:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\NetBT
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Tcpip
  • HKEY_LOCAL_MACHINE\Software\Microsoft\TcpipCU
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lmhosts
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\'NetDriver'x\Parameters\Tcpip (where 'x' is the number of the network adapter).
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

SNMP Service:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent
  • HKEY_LOCAL_MACHINE\Software\Microsoft\SNMP
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP

TCP/IP Network Printing Support:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\LPDSVC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\TcpPrint
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LPDSVC

FTP Server Service:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\FTPSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC

Simple TCP/IP Services:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\SimpTcp
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpTcp

DHCP Server Service:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\DhcpMibAgent
  • HKEY_LOCAL_MACHINE\Software\Microsoft\DhcpServer
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DhcpServer

WINS Server Service:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Wins
  • HKEY_LOCAL_MACHINE\Software\Microsoft\WinsMibAgent
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wins

Windows sockets:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2

It may also be necessary to remove the following keys:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\Legacy_DHCP
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\Legacy_Lmhosts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\Legacy_LPDSVC
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\Legacy_NetBT
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\Legacy_TCPIP
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Linkage\Bind
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Linkage\Bind

Q. What switches can be used with PING?

A. PING is used to test TCP/IP connectivity with another host and gives information about the length of time test data takes to be sent to the host and a reply received.

Its most basic use is as follows:

C:\>ping <IP address or hostname>

Pinging 160.82.52.11 with 32 bytes of data:

Reply from 160.82.52.11: bytes=32 time=10ms TTL=252
Reply from 160.82.52.11: bytes=32 time<10ms TTL=252
Reply from 160.82.52.11: bytes=32 time<10ms TTL=252
Reply from 160.82.52.11: bytes=32 time<10ms TTL=252

From the above you can see it sent 32 bytes to host 160.82.52.11 and each time a reply was received in 10ms or less; this shows a good connection.

PING does have a number of option parameters to accomplish different objectives.

ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list

-t Ping the specified host until interrupted.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.

In Windows 2000 you can press Ctrl-Break when running the -t option for a list of statistics. Press Ctrl-C to actually stop the ping.

It can be useful to have a small batch file ping various hosts and terminal servers at regular intervals to ensure all are still present (although there are commercial software packages that do this). A simple command like:

C:\>ping -f -n 1 -l 1 148.32.43.23

Pinging 148.32.43.23 with 1 bytes of data:

Reply from 148.32.43.23: bytes=1 time<10ms TTL=128

pings a host once with one byte of data.

You should be aware that PING works by sending ICMP echo packets and some routers etc may filter these out meaning a PING will not work.


Q. How can I modify TCP retransmission timeout?

A. Service Pack 5 adds a new registry entry, InitialRtt, which allows the retransmission time to be modified. The range is 0 - 65535 milliseconds and can be set as follows:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. From the Edit menu select New - DWORD value
  4. Enter a name of InitialRtt and press Enter
  5. Double click the new value and set to the number of milliseconds for the timeout, e.g. 5000 for 5 seconds (the old default was 3 seconds). Click OK
  6. Close the registry editor
  7. Restart the machine for the change to take effect

This parameter controls the initial retransmission timeout used by TCP on each new connection. It applies to the connection request (SYN) and to the first data segment(s) sent on each connection.

Care should be used when adjusting this value. Setting it to large values will dramatically increase the amount of time that it takes for a TCP connection attempt to fail, if the target IP address does not exist.

For instance, the default value is 3,000, or 3 seconds. By default, a connection request is retried 2 times. The total time-out is (3+6+12) seconds, or 21 seconds.

If this registry value is set to 6,000 (6 seconds), the total timeout will be (6+12+24) seconds, or 42 seconds. During this time, an application can appear to stop responding (hang).


Q. What is DHCP?

A. DHCP stands for Dynamic Host Configuration Protocol and is used to automatically configure a host during boot up on a TCP/IP network and also to change settings while the host is attached.

This means that you can store all the available IP addresses in a central database along with information such as the subnet mask, gateways, DNS servers etc.

The basic idea behind DHCP is that the clients are configured to use DHCP instead of being given a static IP address. When the client boots up it sends out a BOOTP request for an IP address. A DHCP server then offers an IP address that has not been assigned from its database, which is then leased to the client for a pre-defined time period.

If the DHCP client is Windows 2000, no offer is made and IP auto configuration has not been disabled, the client will attempt to find and use an IP address not currently in use; otherwise TCP/IP will be disabled.


Q. How do I install the DHCP Server Service?

A. The DHCP server service can only be installed on an NT Server.

  1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties
  2. Click on the Services tab and click Add
  3. Select "Microsoft DHCP Server" and click OK
  4. You will be prompted to insert the NT Server installation CD or say where the i386 directory is
  5. A warning will be shown that all local adapters must use a static IP address; click OK
  6. Click Close and select Yes to reboot

Under Windows 2000 to install perform the following:

  1. Start the Add/Remove Programs Control Panel applet (Start - Settings - Control Panel - Add/Remove Programs)
  2. In the left hand pane click 'Add/Remove Windows Components'
  3. Click the 'Components' button to start the Components wizard
  4. Click Next
  5. Select 'Networking Services' and click Details
  6. Check the 'Dynamic Host Configuration Protocol (DHCP)' option and click OK
  7. Click Next and the relevant files and services will be configured.
  8. Click Finish when all operations have completed
  9. Click Close to the Add/Remove Programs dialog

Q. How do I configure DHCP Server Service?

A. The DHCP Server Service is configured using "DHCP Manager" that is installed after the installation of the DHCP Server Service.

  1. Start DHCP Manager (Start - Programs - Administrative Tools - DHCP Manager)
  2. Double click "*Local Machine*"
  3. From the Scope menu select Create
  4. A dialog will be shown and the following should be entered
    - Start Address, e.g. 200.200.200.10
    - End Address, e.g. 200.200.200.100
    this would mean the addresses 200.200.200.10 to 200.200.200.100 would be available
    - Subnet Mask, e.g. 255.255.255.0
    - Exclusion - start and end, e.g. 200.200.200.20 and 200.200.200.30, would mean available addresses would be 200.200.200.10-200.200.200.20 and 200.200.200.30-200.200.200.100
    - Exclusion - just start is a single address, e.g. 200.200.200.56
    - Set lease duration, by default 3 days, however can be set to unlimited
    - Name - this is the name of the scope, e.g. "subnet 200.200.200"
    - Comment - anything you want
  5. Click OK
  6. A message that the Scope has been added, but is not active, would you like it to be active, click Yes.

Usually items such as DNS servers, WINS server etc will be configured on a global scale and this is also done using Server Manager:

  1. Select the Scope, and select Global from the "DHCP Options" menu
  2. Select "06 DNS Servers" and click Add
  3. Click Value button
  4. Click Edit Array at the bottom
  5. Enter the IP address and click ADD, continue adding until all added
  6. Click OK to close the Edit Array dialog
  7. Select "15 Domain name" and click Add
  8. Select it and edit the string at the bottom, e.g. savilltech.com
  9. Click OK to exit

Q. How do I configure a client to use DHCP?

A. For NT workstation and Windows95 follow the instructions below:

  1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties
  2. Click on the Protocol tab
  3. Select TCP/IP and click Properties
  4. Select "Obtain an IP address from a DHCP Service". DHCP settings will only override IP address and subnet mask locally configured. If you have configured DNS, WINS etc locally then the DHCP configuration will not overwrite it.

Q. How can I compress my DHCP database?

A. NT Server ships with a utility called JETPACK.EXE which can be used to compact DHCP and WINS databases. To compact your DHCP database perform the following:

  1. Start a command prompt (cmd.exe)
  2. Enter the following commands
    cd %SystemRoot%\SYSTEM32\DHCP
    e.g. cd d:\winnt\system32\dhcp
    net stop DHCPSERVER
    jetpack DHCP.MDB TMP.MDB
    net start DHCPSERVER

Note: While you stop the DHCP service, clients using DHCP to receive a TCP/IP address will not be able to start this protocol and may hang.

Jetpack actually compacts DHCP.MDB into TMP.MDB, then deletes DHCP.MDB and copies TMP.MDB to DHCP.MDB! Simple :-)

For more information, see Knowledge base article Q145881 at http://support.microsoft.com/support/kb/articles/q145/8/81.asp


Q. How can a DHCP client find its IP address?

A. Depending on the client:

Windows NT machine - type ipconfig from the command prompt
Windows 95 machine - run winipcfg.exe


Q. How can I move a DHCP database from one server to another?

A. Perform the steps below on the server that currently hosts the DHCP Server service. Be warned that while doing this no DHCP clients will be able to start TCP/IP so this should be done outside working hours.

  1. Log on as an Administrator and stop DHCP (Start - Settings - Control Panel - Services - Microsoft DHCP server - Stop).
  2. You also need to stop DHCP from starting again after a reboot so start the Services Control Panel applet and select Microsoft DHCP Server and click Startup. From the startup choose disabled and click OK.
  3. Copy the DHCP directory tree %systemroot%\system32\DHCP to a temporary storage area for use later.
  4. Start the registry editor (regedt32.exe)
  5. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Configuration
  6. From the Registry menu, click Save Key. Create a name for this key, for example dhcpcfg.bck
  7. Close the registry editor

Optionally if you want to remove DHCP from the source machine totally delete the DHCP directory (%systemroot%\system32\dhcp) and then delete the DHCP Service (Start - Settings - Network - Services - Microsoft DHCP Server - Remove)

On the new DHCP server perform the following

  1. Log on as an Administrator
  2. If the server does not have the DHCP server service installed, install it (Start - Settings - Control Panel - Network - Services - Add - DHCP Server)
  3. Stop the DHCP service (Start - Settings - Control Panel - Services - Microsoft DHCP server - Stop).
  4. Delete the contents of %systemroot%\system32\dhcp
  5. Copy the backed up DHCP directory tree from the storage area to %systemroot%\system32\dhcp, but rename the file system.mdb to system.src. You may not have this file if you are using NT 4.0, in which case skip this step.
  6. Start the registry editor (regedt32.exe)
  7. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Configuration and select it
  8. From the registry menu select restore
  9. Locate the file dhcpcfg.bck you saved from the original machine and click Open
  10. Click Yes to the warning
  11. Close the registry editor
  12. Reboot the machine

Q. How do I create a DHCP Relay Agent?

A. If you have routers separating some of your DHCP clients from the DHCP server you may have problems if they are not RFC compliant. This can be solved by placing a DHCP relay agent on the local network area; it is not actually a DHCP server but communicates on behalf of the DHCP Server. The DHCP Relay Agent must be a Windows NT Server computer.

  1. On the NT Server log on as an Administrator
  2. Start the Network control panel applet (Start - Settings - Control Panel - Network)
  3. Click the Services tab and click Add
  4. Select "DHCP Relay Agent" and click OK
  5. Type the path of the files (e.g. d:\i386) and click OK
  6. You will be asked if you wish to add IP address to the DHCP servers list, click Yes
  7. Click the DHCP relay tab and click Add
  8. In the DHCP Server field enter the IP address of the DHCP Server and click Add
  9. Click OK
  10. Restart the computer

Q. How can I stop the DHCP Relay Agent?

A. All you have to do is stop the DHCP Relay Agent service:

  1. Log on as an Administrator
  2. Start the Services control panel applet (Start - Settings - Control Panel - Network)
  3. Select "DHCP Relay Agent"
  4. Click the startup button
  5. Select Disabled and click OK
  6. Close the control panel applet
  7. You can reboot or just stop the service

Q. How can I backup the DHCP database?

A. The DHCP database backs itself up automatically every 60 minutes to the %SystemRoot%\System32\Dhcp\Backup\Jet directory. This interval can be changed:

  1. Start the registry editor
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval
  3. Double click on BackupInterval and set to the number of minutes you want the backup to be performed. Click OK
  4. Close the registry editor
  5. Stop and restart the DHCP server service (Start - Settings - Control Panel - Services - DHCP Server - Start and Stop)

You could back up the %SystemRoot%\System32\Dhcp\Backup\Jet directory if you wish.


Q. How can I restore the DHCP database?

A. Perform one of the following:

  1. When the DHCP Server service starts, if an error is detected in the database it will automatically restore the backup version
  2. Edit the registry and set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\RestoreFlag to 1, then restart the DHCP Server service. This will restore the backed up version and set RestoreFlag back to the default 0
  3. Stop the DHCP Server service, copy the files from %SystemRoot%\System32\Dhcp\Backup\Jet to %SystemRoot%\System32\Dhcp and then start the DHCP Server service.

Q. How do I reserve a specific address for a particular machine?

A. Before performing this you will need to know the hardware address of the machine and this can be found by entering the command

ipconfig /all

Look for the line

Physical Address. . . . . . : 00-60-97-A4-20-86

Now at the DHCP server perform the following

  1. Log on as an Administrator
  2. Start the DHCP Server management software (Start - Programs - Administrative Tools - DHCP Manager)
  3. Double click on the DHCP server, e.g. *Local Machine*
  4. Select the light bulb and from the Scope menu select "Add Reservations"
  5. In the Add Reserved Clients dialog box enter the IP address you wish to reserve and in the "Unique Identifier" box enter the hardware address of the client machine (obtained from ipconfig /all). Do not enter the hyphens, e.g.
    006097A42086
    Also enter a name for the machine (and a comment if you wish) and click Add
  6. Click close when you have added all the reservations

Q. What registry settings control the DHCP log in Windows 2000?

A. DHCP has always had auditing abilities, however these have been expanded in Windows 2000 to reduce problems caused by the log files. These improvements stop log files growing until they fill whole partitions and cause system problems.

The following keys are all located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters

Value Name | Type | Description
DhcpLogFilePath | REG_SZ | The partition and directory for the audit logs to be written to. Make sure you write the entire path
DhcpLogMinSpaceOnDisk | REG_DWORD | If free space falls below this number (in megabytes) audit logging is stopped
DhcpLogDiskSpaceCheckInterval | REG_DWORD | Number of times the audit log is written to before checking for free disk space
DhcpLogFileMaxSize | REG_DWORD | Maximum size in megabytes the logs can grow to. By default it is 7.

Q. How do I authorize a DHCP server in Windows 2000?

A. Any user running Windows 2000 Server could install the DHCP server service, causing potential problems, so Windows 2000 adds the concept of authorizing servers in the Active Directory before they can service client requests. If the server is not authorized in the Active Directory then the DHCP service will not be started.

To Authorize a server perform the following:

  1. Log on as a member of the Enterprise Administrators group
  2. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
  3. Select the DHCP root, right click and select 'Browse authorized servers'
  4. A list of authorized DHCP servers will be displayed. Click Add
  5. Enter the name or IP address of the DHCP server and click OK.
  6. Click Close

The red arrow over the DHCP server should now change to a green one if you select refresh (it may take a few minutes).


Q. How do I create a DHCP scope in Windows 2000?

A. A DHCP scope is a range of addresses that can be assigned to clients and can also optionally provide information about DNS servers, WINS etc.

DHCP scopes are configured using the DHCP MMC snap-in as follows:

  1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
  2. Right click on the server and select New - Scope from the context menu
  3. The scope creation wizard will be started, click Next
  4. Enter a name and comment for the scope. Click Next
  5. Enter the address range to use, for example from 200.200.200.1 to 200.200.200.15 (remember the host part cannot be 0). Also enter the subnet mask as either the number of bits used or the actual mask, e.g. 24 is the same as 255.255.255.0. Click Next
  6. You can specify addresses to be excluded either by range, e.g. 200.200.200.5 to 200.200.200.7 and click Add, or just enter a Start address and click Add, e.g. 200.200.200.12 to exclude a single address. Click Next
  7. You can now configure the lease time for the address. Setting too large will mean you will lose the use of addresses if the client machine is inactive for long periods of time, too short and you will generate unnecessary traffic renewing the address. The default 8 days is fine. Click Next
  8. The wizard gives the option to configure the most common DHCP options. Select Yes and click Next
  9. Enter the address of the gateway, and click Add. You can enter several. Click Next when all are entered.
  10. Enter the DNS domain, e.g. savilltech.com and the DNS server addresses. Click Next
  11. Enter the WINS server addresses and click Add. Click Next
  12. You will then be asked if you wish to activate the scope. Select your answer and click Next
  13. Click Finish to the wizard

The new scope will now be listed with its status shown as either Active or Inactive.

If you chose not to activate the scope it can be manually activated by right clicking on the scope, selecting 'All Tasks' and selecting Activate. The activation is immediate. Likewise you can deactivate it by selecting Deactivate.
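The range, mask and exclusion rules from steps 5 and 6 can be checked before the values are typed into the wizard. The following is an added example, not part of the original FAQ or of any Microsoft tool; the function name leasable_addresses is hypothetical, and it uses the same sample addresses as the steps above.

```python
import ipaddress


def leasable_addresses(start, end, mask, exclusions=()):
    """Return, in order, the addresses a scope can actually hand out.

    start, end  -- first and last address of the scope range
    mask        -- prefix length (24) or dotted mask ("255.255.255.0")
    exclusions  -- (first, last) pairs; a single address is (addr, addr)
    """
    network = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        raise ValueError("start address is above end address")
    for addr in (first, last):
        if addr not in network:
            raise ValueError(f"{addr} is not in {network}")
        if addr == network.network_address:
            raise ValueError(f"{addr}: the host part cannot be 0")
        if addr == network.broadcast_address:
            raise ValueError(f"{addr} is the subnet broadcast address")

    excluded = set()
    for low, high in exclusions:
        low, high = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if low > high or low < first or high > last:
            raise ValueError(f"exclusion {low}-{high} is not inside the scope")
        excluded.update(range(int(low), int(high) + 1))

    return [str(ipaddress.ip_address(n))
            for n in range(int(first), int(last) + 1) if n not in excluded]


# The values used in the wizard steps above: a range of 1 to 15,
# one excluded range (5 to 7) and one excluded single address (12).
POOL = leasable_addresses(
    "200.200.200.1", "200.200.200.15", 24,
    exclusions=[("200.200.200.5", "200.200.200.7"),
                ("200.200.200.12", "200.200.200.12")],
)

if __name__ == "__main__":
    print(len(POOL), "leasable addresses:", ", ".join(POOL))
```

The length of the returned list is the number of clients that can hold a lease from this scope at the same time, which is the figure to compare against the expected client count when choosing the lease time in step 7.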


Q. How do I configure DHCP scope options in Windows 2000?

A. When you create a scope the more common options such as DNS and WINS servers can be configured but many more options are available.

  1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
  2. Expand the server
  3. Expand the scope whose options you wish to modify
  4. Select the 'Scope Options' branch and in the right hand window you will see the currently configured options.
  5. Right click on 'Scope Options' and select 'Configure Options'
  6. Select the Basic tab and you can configure other options by checking the option's box and entering the details. For example, to add a Time Server, check '004 Time Server', enter an IP address and click Add.
  7. Click Apply. Click OK

The new option(s) will now show in the right hand window. You can change existing options by performing the above and selecting an item already configured and change the details in the Data entry area.


Q. How can I view DHCP address leases in Windows 2000?

A. When a client is offered and accepts an IP address a 'lease' is created for x amount of days. To view current leases perform the following:

  1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
  2. Expand the server
  3. Expand the scope whose leases you wish to view
  4. Select the 'Address Leases' branch and in the right hand window you will see the current lease details.

It will give details of the IP address, client name and the lease expiration date. Expired leases are also shown for approximately one day but have a dimmed icon. This grace period protects a client lease in the event of the client and server being in different time zones, clocks not synced or simply offline.


Q. How do I change the DHCP address lease time in Windows 2000?

A. To modify the DHCP lease duration from the normal 8 days perform the following:

  1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)
  2. Expand the server
  3. Right click the scope whose lease time you wish to change and select Properties
  4. Select the General tab
  5. At the bottom of the window you can select lease duration either Unlimited or a finite time.
  6. Click Apply then OK


Q. How do I install the DNS Service?

A. The DNS Service can only be installed on NT Server and is installed as follows:

  1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
  2. Click the Services tab and click Add
  3. Select "Microsoft DNS Server" and click OK
  4. The software will be installed and the machine will then reboot

Q. How do I configure a domain on the DNS Server?

A. A new application, DNS Manager, has been added to the Administrative Tools group. To configure the domain follow the procedure below:

  1. Start the DNS Manager (Start - Programs - Administrative Tools - DNS Manager)
  2. From the DNS menu, select New Server and enter the IP address of the DNS Server, e.g. 200.200.200.3, and click OK
  3. The server will now be displayed with a CACHE sub part
  4. Next we want to add the domain, e.g. savilltech.com, from the DNS menu, select New Zone
  5. Select Primary and click Next
  6. Enter the name, e.g. savilltech.com, and then press tab, and it will fill in the Zone File Name and click Next
  7. Click Finish
  8. Next a zone for reverse lookups has to be created, so select New Zone from the DNS menu
  9. Select Primary and click Next. Enter the first 3 parts of the domain's IP address in reverse order followed by in-addr.arpa, e.g. if the domain was 158.234.26, the entry would be 26.234.158.in-addr.arpa; in my example it would be 200.200.200.in-addr.arpa. Press tab for the file name to be filled in and click Next, then click Finish
  10. Add a record for the DNS server, by right clicking on the domain and select "New Record"
  11. Enter the name of the machine, e.g. BUGSBUNNY (I had a strange upbringing :-) ), and enter an IP address, e.g. 200.200.200.3 and click OK
  12. If you press F5 and examine the 200.200.200.in-addr.arpa zone, a record has been added for BUGSBUNNY there as well

Q. How do I add a record to the DNS?

A. To add a record, for example TAZ with IP address 200.200.200.4 perform the following

  1. Start the DNS Manager (Start - Programs - Administrative Tools - DNS Manager)
  2. Double click on the name of the DNS server to display the list of zones
  3. Right click on the domain, and select New Record
  4. Enter the name, e.g. TAZ and enter IP address. Select the record type. For adding a new host accept the default, record type A.
  5. If you have the Reverse Arpa zone configured and want the PTR record automatically added, make sure the Create Associated PTR record is checked
  6. Click OK

Q. How do I configure a client to use the DNS?

A. For an NT machine (and Windows 95) perform the following:

  1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
  2. Select the Protocols tab
  3. Select TCP/IP and select Properties
  4. Click the DNS tab
  5. Make sure the machine's name is entered in the first box, and the domain name, e.g. savilltech.com in the Domain box
  6. In the DNS Server part click Add, and in the dialog box enter the IP address of the DNS Server and click Add
  7. In the Domain Suffix Search Order part, click Add and enter the domain, e.g. savilltech.com and then click Add
  8. Finally click OK

To test, you can start a command prompt and enter

nslookup <host name>
e.g. nslookup taz

The IP address of Taz will be displayed. Also try the reverse translation by entering

nslookup <ipaddress>
e.g. nslookup 200.200.200.4

The name Taz will be displayed.


Q. How do I change the IP address of a DNS server?

A. The information below assumes you have already changed the IP address of the machine ( Start - Settings - Control Panel - Network - Protocols - TCP/IP - Properties) and have rebooted. The scenario below assumes the old IP address was 200.200.200.3 and the new is 200.200.200.8

  1. We need to configure a second IP address for the network card
    - Start the Network Control Panel Applet ( Start - Settings - Control Panel - Network)
    - Click on the Protocol tab
    - Select TCP/IP and click Properties
    - Click Advanced and click Add
    - Enter the old IP address, e.g. 200.200.200.3 and click Add
    - Click OK until you are back at the Control Panel
    - Reboot
  2. Start the DNS Manager (Start - Programs - Administrative Tools - DNS Manager)
    - Right click the "Server List" and select New Server
    - Enter the new IP address, e.g. 200.200.200.8 and click OK
    - Select the old IP address, e.g. 200.200.200.3 and right click
    - Select "Delete Server" from the context menu and click Yes to confirm
  3. While in the DNS Manager, update the record for this server
    - Select the IP address of the DNS server, e.g. 200.200.200.8, select the domain name, e.g. SAVILLTECH.COM
    - Double click the entry for the server and update the IP address, i.e. it would have had 200.200.200.3 to bugsbunny, change to 200.200.200.8
    - Click OK
  4. Now we will delete the secondary IP address we added
    - Start the Network Control Panel Applet ( Start - Settings - Control Panel - Network)
    - Click on the Protocol tab
    - Select TCP/IP and click Properties
    - Click Advanced and select the address, e.g. 200.200.200.3 and click Remove
    - Click OK until back at control panel
    - You will need to reboot at some point to remove the 200.200.200.3 from being active

Update all the clients to use the new DNS server IP address.

The above procedure is the most complete way, however it should still work if you only perform steps 2 and 3.


Q. How can I configure DNS to use a WINS server?

A. It is possible to configure the DNS to use a WINS server to resolve the host name of a Fully Qualified Domain Name (FQDN).

  1. Start DNS manager (Start - Programs - Administrative Tools - DNS Manager)
  2. Right click on the zone you wish to communicate with the WINS server and select properties
  3. Click the "WINS Lookup" tab
  4. Select the "Use WINS Resolution" check box and then enter the WINS server IP address and click ADD
  5. Click OK when finished

Q. Where in the registry are the entries for the DNS servers located?

A. The entries for the DNS servers are stored in the registry in the location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters under the NameServer value. Each entry should be separated by a space. Using the Resource Kit utility REG.EXE the command to change the value would be as follows

reg update HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NameServer="158.234.8.70 158.234.8.100" \\<machine name>

where 158.234.8.70 and 158.234.8.100 were the addresses of the DNS servers you wanted to configure. Note it sets the value, it does not append so ensure you enter in the existing DNS servers as well as the new ones.

This may be useful for granting users access to the internet by remotely updating their registry to know which DNS servers to use.


Q. I receive error message "No More Endpoints".

A. This can be caused by installing DNS on a machine that has previous settings contained in the %systemroot%\system32\dns directory. To correct perform the following.

  1. Stop the Microsoft DNS server using the Services control panel applet ( Start - settings - control panel - services). Select Microsoft DNS and select stop
  2. Backup any zone files from the %systemroot%\system32\dns directory that you may want
  3. Remove the DNS server by right clicking on network neighborhood and selecting properties. Click the services tab, select DNS and click Remove
  4. Delete all files in the %systemroot%\system32\dns
  5. Reinstall DNS server using the services tab of the network control panel applet

Q. How do I configure DNS for an NT 5.0 domain? - NT 5.0 only

A. Windows NT 5.0 domains rely on DNS and require Dynamic DNS which is an update to the basic DNS specification and details can be found in RFC 2136 that can be viewed at ftp://ftp.isi.edu/in-notes/rfc2136.txt.

Another major update in DNS 5.0 is the addition of service (SRV) records and these have already been seen as a mechanism for publishing the ldap server, ldap.tcp.<domain> and it is through these records that domains can be looked up through the DNS service.

You could perform this on a separate NT 5.0 machine, as the domain controller and the DNS server will probably not be the same machine. The DNS server just has to exist before upgrading the server to a domain controller. To install DNS 5.0 on the server perform the following:

  1. Start the Install/Remove Programs Control Panel Applet (Start - Settings - Control Panel - Add/Remove Programs)
  2. Click the "Configure Windows" left hand pane
  3. Click the "Components" button that is displayed
  4. Select "Networking Options" and click Details
  5. Select "Microsoft DNS Server" and click OK
  6. Click Next

You then need to configure the DNS service

  1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
  2. It will detect this is the first time it has been run and start the configuration applet. Click Next
  3. It will detect there are no root servers so select "This is the first DNS server on this network" and click Next
  4. Check "Yes, add a forward lookup zone" and click Next. This zone is used for the storage of host name to IP addresses
  5. You should now select the zone type, Select "Standard Primary" and click Next. "Active Directory Integrated" stores the DNS database in the Active Directory however there is no Active Directory at this point. This option can be set later
  6. Enter the name of the zone, e.g. savilltech.com and click Next
  7. Select "New File" and click Next. If you had an existing .dns file you may import this
  8. Check "Yes, add a reverse lookup zone" and click Next. The reverse lookup zone is used to find the IP address from a host name. When you create a host record a PTR record can also be selected to be created and this adds a record in the reverse lookup zone
  9. Again select "Standard Primary" and click Next
  10. Enter the first parts of your subnet, e.g. 200.200.200.0 (subnet will be filled in for you). If your subnet mask was 255.255.0.0 you would enter the first 2 parts of your IP address, if 255.255.255.0 you would enter the first 3. Click Next
  11. Again Check "New File" and click Next
  12. A summary will be displayed and click Finish to complete the installation

Now that the basic zone is configured, the required entries for the domain need to be added:

  1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
  2. Expand the DNS server, expand the "Forward Lookup Zones", select the domain, e.g. savilltech.com
  3. Right click on the domain and select New - Host from the context menu
  4. Leave the Host name blank and enter the IP address of the domain controller (to be) and click "Add Host"

The final stage is to configure the zones to be dynamic update enabled which allows hosts to add records in the DNS server.

  1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
  2. Expand the DNS server, expand the "Forward Lookup Zones", select the domain, e.g. savilltech.com
  3. Right click on the domain and select Properties from the context menu
  4. Select "Allow Updates" from the "Dynamic update" drop down box
  5. Click Apply then OK
  6. Now expand the "Reverse Lookup Zones" and select the reverse lookup zone, e.g. "200.200.200.x Subnet"
  7. Select the zone and right click the zone and select Properties from the context menu
  8. Again select "Allow Updates" from the "Dynamic update" drop down box
  9. Click Apply then OK

DNS is now configured for a domain and you can create the domain.
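The reverse zone naming used in step 10 of the zone wizard above, and in the earlier DNS Manager procedure, can be derived from the network and mask, and the automatically created PTR records can then be compared with the host records. This is an added example, not part of the original FAQ; the function names are hypothetical, and the tweety, daffy and porky records are constructed sample data alongside the page's BUGSBUNNY and TAZ hosts.

```python
import ipaddress


def reverse_zone(network_address, subnet_mask):
    """Reverse lookup zone name for a network whose mask ends on an octet boundary."""
    net = ipaddress.ip_network(f"{network_address}/{subnet_mask}", strict=False)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("expected 255.0.0.0, 255.255.0.0 or 255.255.255.0")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_owner(ip):
    """Full owner name of the PTR record for one address (all four octets reversed)."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def _normal(name):
    """Compare DNS names without the trailing dot and without regard to case."""
    return name.rstrip(".").lower()


def ptr_findings(a_records, ptr_records, zone):
    """Compare host (A) records with the PTR records of one reverse zone.

    a_records   -- {host name: IP address} from the forward zone
                   (one host record per address is assumed)
    ptr_records -- {PTR owner name: host name} from the reverse zone
    Returns a sorted list of (owner name, problem) tuples.
    """
    expected = {}
    for host, ip in a_records.items():
        owner = ptr_owner(ip)
        if owner.endswith("." + zone):
            expected[owner] = _normal(host)
    ptrs = {_normal(o): _normal(h) for o, h in ptr_records.items()}

    findings = []
    for owner, host in expected.items():
        if owner not in ptrs:
            findings.append((owner, f"no PTR for {host}"))
        elif ptrs[owner] != host:
            findings.append((owner, f"PTR names {ptrs[owner]}, host record is {host}"))
    for owner, host in ptrs.items():
        if owner not in expected:
            findings.append((owner, f"PTR to {host} has no host record"))
    return sorted(findings)


# Constructed sample zone contents.
A_RECORDS = {
    "bugsbunny.savilltech.com": "200.200.200.3",
    "taz.savilltech.com": "200.200.200.4",
    "tweety.savilltech.com": "200.200.200.6",
}
PTR_RECORDS = {
    "3.200.200.200.in-addr.arpa.": "bugsbunny.savilltech.com.",
    "4.200.200.200.in-addr.arpa.": "daffy.savilltech.com.",
    "9.200.200.200.in-addr.arpa.": "porky.savilltech.com.",
}
ZONE = reverse_zone("200.200.200.0", "255.255.255.0")
FINDINGS = ptr_findings(A_RECORDS, PTR_RECORDS, ZONE)

if __name__ == "__main__":
    print(ZONE)
    for owner, problem in FINDINGS:
        print(owner, "-", problem)
```

With dynamic update set to "Allow Updates" any host can add records, so a comparison like this is worth repeating after the zone has been in use for a while.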


Q. How do I configure Active Directory integrated DNS? - NT 5.0 only

A. It is possible to configure DNS servers that are also domain controllers to store the contents of the DNS database in the Active Directory which will then be replicated to all domain controllers in the domain. The option to store the DNS database in the Active Directory is not available on DNS servers that are not domain controllers.

  1. Start the "DNS Management" MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
  2. Expand the DNS server, expand the "Forward Lookup Zones", select the domain, e.g. savilltech.com
  3. Right click on the domain and select Properties from the context menu
  4. Under Type click Change
  5. Select "Active Directory integrated primary" and click OK
  6. Click OK to "Are you sure you want this zone to become an Active Directory integrated primary"
  7. Click Apply then OK

Q. Setting a secondary DNS server as primary results in errors.

A. If you have a secondary DNS server configured to duplicate all entries from another DNS server you may experience a problem if you try and set it as a primary DNS server, which results in the service not starting and an error to the effect of the data being wrong:

Event ID: 7023
The MS DNS Server service terminated with the following error:
The data is invalid.

Event ID: 130
DNS Server zone zone name has invalid or corrupted registry data.
Delete its registry data and recreate with DNSAdmin.

Event ID: 133
DNS Server secondary zone zone name, had no master IP addresses in registry.
Secondary zones require masters.

When the zone is switched, the DNS Manager does not set the correct value for the DNS Type in the registry (it remains secondary), but it does erase the address of the primary DNS server that the data came from. To correct this perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dns\Zones\<zonename>, where <zonename> is the domain (e.g. savilltech.com)
  3. Double click on the TYPE value and change from 2 to 1.
  4. Close the registry editor

You should now be able to successfully start the DNS service

C:\> net start dns

The TYPE value can have one of two values,

0x1 specifies Primary zone
0x2 specifies secondary zone

A fix for this can be downloaded from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/dns-fix


Q. How do I turn off Dynamic DNS? - Windows 2000 only

A. By default, the TCP/IP stack in NT 5.0 Beta 2 (and later builds) attempts to register its Host (A) record with its DNS server. This makes sense in an all NT (Windows 2000) environment. But if you are using a static, legacy DNS server, the DNS guys might not like all the 'errors' this shows up on their server, since the DNS servers will not understand these "updates".

You will get errors such as:

  • Dnsapi
  • Failed to register network adapter with settings
  • Sent update to server

To make the clients stop attempting to publish their DNS names/addresses to the DNS server perform the following:

  1. Log on to each client as Administrator
  2. Start the registry editor (regedit.exe)
  3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  4. From the Edit menu select New - DWORD value
  5. Enter a name of DisableDynamicUpdate and press Enter
  6. Double click on the new value and set to 1. Click OK

If you have multiple adapters in the machine you may not want to disable for all so instead of setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate to 1, set as 0 and then move to the sub key Interfaces\<interface name> and create the DisableDynamicUpdate value there and set to 1.

If you needed to perform this on a large number of machines you should create a reg script or set from the login script.


Q. How do I configure a forwarder on DNS 5.0? - Windows 2000 only

A. If you create a DNS server on your network but it is not the main DNS server, i.e. your company has a central main DNS server, you will want to forward queries your DNS server cannot service to that DNS server.

This is because only certain servers in your network will have access to DNS servers outside your network (due to firewalls etc) and thus your (departmental?) DNS server cannot access the DNS servers higher up in the DNS hierarchy. To configure a forwarder perform the following:

  1. Start the DNS Management MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
  2. Right click on the DNS server and select Properties
  3. Select the "Forwarders" tab
  4. Check the "Enable forwarder(s)" box
  5. Enter the IP address of the DNS server and click Add
  6. Click OK
  7. Close the DNS Management snap-in

If you are missing the forwarder tab see Q. I am missing the forwarder and Root Hints tabs in DNS 5.0


Q. I am missing the forwarder and Root Hints tabs in DNS 5.0. - Windows 2000 only

A. This is caused if your server thinks it is the root server in the domain, and will hence have a "." zone. To enable the forwarder you need to delete this zone from your server:

  1. Start the DNS Management MMC snap-in (Start - Programs - Administrative Tools - DNS Management)
  2. Expand the server, expand Forward Lookup Zones and select "."
  3. Right click and select Delete
  4. Click Yes to the confirmation
  5. Stop and Start the DNS manager and the tabs are available


Q. How do I enable DNS round robin resolution?

A. Recent Windows NT service packs introduced LocalNetPriority, which tries to return Host resources that are local to the requestor instead of using round robin. Round robin can be enabled as follows:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
  3. From the Edit menu select New - DWORD Value
  4. Enter a name of LocalNetPriority and press Enter
  5. Double click the new value and set to 0 to disable LocalNetPriority and re-enable round robin. Click OK
  6. Close the registry editor
  7. Stop and restart the DNS service

Q. What is WINS?

A. WINS stands for Windows Internet Name Service. WINS is a NetBIOS Name Server that registers your NetBIOS names and resolves them into IP addresses.

If you're using NetBIOS over TCP/IP you will need to have WINS running so that each can find out the correct IP address of the other to communicate.

Need to browse over an interdomain network? WINS!


Q. How does WINS work?

A. Once your machine is configured to point at a WINS server (and maybe a second backup WINS server):

  1. Upon startup, your machine registers its NetBIOS name with WINS. This dynamic update means that you will ALWAYS get the name/IP mapping that is current.
    If there is already a machine out there with the same name, a request is sent to it by WINS. If it doesn't respond, you get the OK. If it is out there and alive, you get a negative name acknowledgment.
  2. Need to talk with machine XXX? Send a NetBIOS name query to the WINS server. (no broadcasts! no LMHOSTS!)
  3. If WINS finds a match, it will respond with the correct TCP/IP address of the target machine.

Q. How do I set up WINS?

A. WINS is a server service.
Go to Control Panel->Network->Services and install the Windows Internet Name Service.

If you have any non-WINS clients, add them in as static name->IP mappings.
Configure a WINS Proxy Agent if needed.
Configure WINS support on your DHCP server.

On each NT Workstation, under TCP/IP->Properties->WINS, add the IP address of the WINS server (and your secondary if you have one).


Q. What is a WINS Proxy Agent?

A. If you have non-WINS machines on your subnet and want them to be visible participants, you will want a Proxy Agent to be active within this subnet.
A WINS Proxy Agent is a WINS client that allows non-WINS clients to participate, by listening for broadcast name requests and forwarding them to a WINS server. It then returns the result to the requesting client.

Use a Registry Editor (e.g. regedt32.exe) to open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters and set the EnableProxy parameter to 1.


Q. How do I configure WINS static entries for a non-WINS client?

A. Go into WINS Manager (under Admin Tools)
Mappings->Static Mappings->Add Mappings enter the NAME and IP ADDRESS of the machine in question. Under TYPE usually you'll just enter as Unique. Now click ADD.


Q. How do I configure WINS to work with DHCP?

A. If the computer is a DHCP client, then at the DHCP server, go into DHCP Administrator (Admin Tools) and add two new SCOPE options:

  1. 044 WINS/NBNS Servers - add the address of WINS server(s)
  2. 046 WINS/NBT Node - configure as 0x8 (H-Node)

Q. How can I compress my WINS database?

A. NT Server ships with a utility called JETPACK.EXE which can be used to compact DHCP and WINS databases. To compact your WINS database perform the following:

  1. Start a command prompt (cmd.exe)
  2. Enter the following commands
    cd %SystemRoot%\SYSTEM32\WINS
    e.g. cd d:\winnt\system32\wins
    net stop WINS
    jetpack WINS.MDB TMP.MDB
    net start WINS

Note: While you stop the WINS service, clients using WINS to resolve addresses will fail unless another mechanism of name resolution is in place.

Jetpack actually compacts WINS.MDB into TMP.MDB, then deletes WINS.MDB and copies TMP.MDB to WINS.MDB.

For more information, see Knowledge base article Q145881 at http://support.microsoft.com/support/kb/articles/q145/8/81.asp


Q. WINS Automatic Backup does not run every 3 hours.

A. By default WINS backup will actually take place every 24 to 27 hours after the last backup completed.

To work around this perform the following:

  1. Create a batch file that stops and starts the WINS service, e.g. WINSRSTR.BAT
    @net stop wins
    @net start wins
    exit
  2. Configure Wins to backup the database on exit
  3. Schedule the WINSRSTR.BAT to run at whenever you want the database backed up, e.g.
    C:\> at 22:00 cmd /c "%systemroot%\winsrstr.bat"

Q. WINS Log files are created in incorrect locations.

A. The WINS service creates a number of log files, J50.log or J50.chk, in the %systemroot%\system32\WINS directory. This is normal.

If these files are being created in other directories then it may cause a problem and stop the WINS service from starting. The log files can be created in different directories from one of the following reasons:

  • JETPACK.EXE is being run from the wrong directory. Before running JETPACK you should always set the default directory to be %systemroot%\system32\WINS. If you don't and instead use the command
    C:\> C:\winnt\system32\jetpack.exe c:\winnt\system32\wins\wins.mdb tmp.mdb
    then the logs will be created in the wrong directory. For the correct way to perform JETPACK please see:
    Q. How can I compress my WINS database?
  • The "Enable Logging" check box in WINS Administrator is not selected. This will result in the log files being created in the %systemroot%\system32 directory.

If your system now has the log files in the wrong place and the WINS service will not start just copy the log files to the %systemroot%\system32\WINS directory and restart the service

C:\> net start wins

If the WINS service is running it will lock the files and you will not be able to delete them, so you should perform the following:

  1. Stop the wins service
    C:\> net stop wins
  2. Backup the WINS data using the Backup Database function in the WINS manager
  3. Remove the files that are in the wrong directory and restore the data back to the directory
  4. Run JETPACK
  5. Restart the wins service
    C:\> net start wins
  6. Turn on Logging Enabled (WINS Manager - Server - Configuration - Advanced)

Q. WINS server is not being queried for entries in LMHOSTS after Service Pack 4.

A. Before Service Pack 4 a resolution request was always passed to a WINS server, and only if no entry was found was the LMHOSTS file checked.

Under Service Pack 4 any entry in the LMHOSTS file that has the #PRE qualifier (preloaded) will be used and the WINS server not queried. Incorrect entries in your LMHOSTS file will therefore prevent the WINS server from being queried, so you should edit the file %systemroot%\system32\drivers\etc\lmhosts (e.g. d:\winnt\system32\drivers\etc\lmhosts) and remove the offending entries.
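Finding the offending #PRE entries by eye is error-prone on a long file, so the check can be scripted. This is an added example, not part of the original FAQ: the sample file and the reference map (for instance an export of the WINS database) are constructed, the function names are hypothetical, and the #PRE keyword is assumed to be written in upper case as it is above.

```python
import re

# IP address, then a NetBIOS name (optionally quoted), then keywords and comment.
ENTRY = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+("[^"]*"|\S+)(.*)$')
KEYWORD = re.compile(r'#[A-Za-z_]+(?::\S*)?')


def parse_lmhosts(text):
    """Return one dict per mapping line: line, ip, name, preloaded."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        match = ENTRY.match(raw)
        if match is None:
            continue  # blank line, comment, or a directive such as #INCLUDE
        ip, name, rest = match.groups()
        keywords = []
        for token in rest.split():
            if KEYWORD.fullmatch(token) is None:
                break  # a bare "#" or plain word: the free-text comment starts here
            keywords.append(token)
        entries.append({
            "line": number,
            "ip": ip,
            "name": name.strip('"').strip().upper(),
            "preloaded": "#PRE" in keywords,
        })
    return entries


def audit_preloaded(entries, reference):
    """List #PRE entries that disagree with, or are absent from, the reference map.

    reference -- {NETBIOS NAME: IP address} taken from a trusted source
    """
    findings = []
    for entry in entries:
        if not entry["preloaded"]:
            continue
        known = reference.get(entry["name"])
        if known is None:
            reason = "name not in reference data"
        elif known != entry["ip"]:
            reason = f"reference address is {known}"
        else:
            continue
        findings.append((entry["line"], entry["name"], entry["ip"], reason))
    return findings


# Constructed sample file contents, not taken from a real machine.
SAMPLE_LMHOSTS = r"""# Constructed sample LMHOSTS file
200.200.200.3    BUGSBUNNY    #PRE #DOM:SAVILLTECH   # domain controller
200.200.200.9    TAZ          #PRE                   # address before the move
200.200.200.20   DAFFY                               # no #PRE keyword
#200.200.200.30  PORKY        #PRE
200.200.200.40   "ELMER"      #PRE
#INCLUDE \\bugsbunny\public\lmhosts
"""

# Constructed reference data.
REFERENCE = {
    "BUGSBUNNY": "200.200.200.3",
    "TAZ": "200.200.200.4",
    "DAFFY": "200.200.200.20",
}

FINDINGS = audit_preloaded(parse_lmhosts(SAMPLE_LMHOSTS), REFERENCE)

if __name__ == "__main__":
    for line, name, ip, reason in FINDINGS:
        print(f"line {line}: {name} -> {ip} ({reason})")
```

Files pulled in through #INCLUDE are not followed here, so each included file needs the same check run against it.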


Q. The Outlook/Exchange client takes a long time to start.

A. Sometimes the protocol binding for Exchange can be wrong if more than one protocol is installed, for example if you have NetBEUI and TCP/IP installed, and you connect to the Exchange server via TCP/IP, you need to ensure TCP/IP is first in the binding order, otherwise Exchange will attempt to communicate via NetBEUI initially. To check/set perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Exchange Provider
  3. In the right hand pane, double click Rpc_Binding_Order
  4. A dialog box will be shown containing a text string of the installed protocols separated by commas. You can move items, for example, you may want to move ncacn_ip_tcp (TCP/IP) to the front if you connect over TCP/IP. Make sure you keep them separated by commas!
  5. Click OK
  6. Close the registry editor
  7. Stop and start Exchange/Outlook

Q. How can I stop Outlook dialing my Internet Account on Startup?

A. Perform the following:

  1. Start the Mail Control Panel Applet (Start - Settings - Control Panel - Mail)
  2. Click the Services tab
  3. Select "Internet E-mail" service and click properties
  4. Click the connection tab
  5. Check the "Work Offline and use Remote Mail"
  6. Close the dialog boxes
  7. Reboot the machine

Q. How do I install Exchange?

A. The following instructions are to install Exchange 5.0

  1. Insert the Exchange CD-ROM into the computer
  2. Run <CD-ROM>\setup\i386\setup.exe (Start - Run)
  3. You may want to change the destination folder by clicking the "Change Directory" button
  4. Click the Custom Button
  5. Select the components you wish to install, you will only be able to install the Active Server Page extensions if you have IIS 3.0 with ASP installed.
  6. Click OK to continue
  7. Select your licensing method and click OK, check the "I agree" box and click OK
  8. Assuming this is the first Exchange server, click the "Create new site" and you should enter the organization and site name, click OK
  9. You need to select the Exchange admin account, by default the account you are currently logged on as will be displayed, however it is a good idea to have a separate Exchange Admin account (make sure it has "Log on as a service" and "Restore files and directories" rights). Enter the password for the account selected and click OK
  10. Once the installation is completed you will be asked if you want to run the optimizer utility, click "run optimizer" or exit.

It is a good idea to have a large pagefile.sys when running Exchange, a good size would be the amount of memory plus 100.


Q. How do I enable the Exchange Active Server Pages?

A. This functionality is new in 5.0, and enables a user to view their exchange mailbox from an Internet browser, such as Internet Explorer or Netscape. Before the Exchange Active Server Pages extension can be installed, there are two pre-requisites

  • Must have Internet Information Server (IIS) 3.0 installed
  • Must have the Active Server Pages add-on for IIS 3.0 installed

NT Server 4.0 ships with IIS 2.0, therefore assuming you have not upgraded your system since then you will need to perform the following

  1. The upgrade to IIS 3.0 is part of Service Pack 3 for NT 4.0, therefore you should install this service pack
  2. Once the machine has rebooted install the Active Server Pages extensions (these are included on the Service Pack 3 CD-ROM, \winnt400\Iis30\Asp\I386\Asp.exe)
  3. Run the Exchange setup program and select Add/Remove components
  4. Check the box "Active Server Components" and click continue
  5. The setup program will then continue as normal

Once this has finished, you will be able to connect to your Exchange mailbox by entering the URL

http://<Exchange server>/exchange

You then need to enter your Exchange alias and then click the "click here" text.


Q. How do I use the Exchange Optimizer utility?

A. After you install Exchange you are prompted to run the Exchange Optimizer utility, however it can also be run afterwards:

  1. From the Microsoft Exchange folder choose Microsoft Exchange Optimizer
  2. A dialog will be shown asking permission to stop the Exchange services, click Next
  3. Next the user and server configuration dialog will be shown and you should enter details of the number of users and how the server will be configured. Also a Limit memory option is available, by default Exchange will use as much memory as it needs, however if you have other apps running on the server you may wish to limit the memory Exchange can use, the minimum is 24MB, but you are recommended to use a limit of 32MB. Click Next to continue
  4. The application will then test your disks to decide where best to place the Exchange database files and then click Next
  5. A dialog will be shown with the new recommended file locations and click Next
  6. If files are being relocated then make sure the box on the new dialog is checked and click Next
  7. Finally click Finish

Q. How can I convert mail system X to Exchange?

A. Exchange is supplied with a migration wizard which can convert the following mail systems to Exchange

  • MsMail for PC Networks
  • Lotus cc:Mail
  • Novell Groupwise
  • Collabra Share

The wizard is in the Microsoft Exchange folder and below is an example of converting a MsMail Postoffice

  1. Start the Migration Wizard (Start - Programs - Microsoft Exchange - Microsoft Exchange Migration Wizard)
  2. Select MsMail for PC Networks and click Next
  3. Click Next to the dialog box that explains how MsMail and Exchange can coexist
  4. Enter the Path to the MsMail post office and the Administrator account name and password for the Postoffice, then click Next
  5. Select "One step Migration" and click Next
  6. Select the type of information you want to import and click Next
  7. Click "Select All" to migrate all users and click Next
  8. Enter the name of the Exchange server to store the new accounts and messages. Click Next
  9. You will now need to select the type of access for the shared MS Mail folders, the common one is "Author access: read, create, edit items" and click Next
  10. Select the recipient container and template (optional), click Next
  11. Finally choose the type of passwords to create for the new Windows NT accounts that will be created from the MS Mail mailboxes. In a multi domain environment you must select the domain for the new accounts. Click Next to begin the conversion.
  12. A process box will be displayed showing the progress, once completed a dialog will be displayed and click OK to complete.

Q. How can I create a shortcut on the desktop with the "to" field completed?

A. As you may be aware, if you enter the command
exchng32 /n
This creates a blank new message, however it is not possible to specify a qualifier containing information to the content. A workaround to this is the following

  1. Start Exchange/Outlook and create a new message
  2. Fill in information for the to: field, cc: field etc.
  3. Instead of sending select Save As from the file menu
  4. Select the Save As type as "Message Format" and enter a file name and location (the default extension is .msg). Click Save
  5. Start Explorer (Win Key + E, or Start - Programs - Explorer)
  6. Move to the directory you saved the Message Format file to and right click on the file
  7. While holding down the right mouse button drag to the desktop and release the button, from the context menu displayed select "Create shortcut here"

If you now double click on the desktop message icon it will create a new message which you can edit and then send with information already filled in!


Q. NT Server hangs at shutdown if User Manager is running.

A. This is caused by an Exchange dll file which is used by User Manager, to fix this perform the following

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UMAddOns
  3. Click on Mailumx and click the DEL key
  4. Click yes to the confirmation

Q. How can I send a mail message from the command line?

A. You need to use the MAPISEND.EXE utility that is supplied with the Exchange Resource kit. The resource kit can be downloaded from http://www.microsoft.com/msdownload/exchange/rkintel/rkintel.htm and you need to download the AdminNT part.

Once downloaded double click on the zip file and it will expand to a specified location. Copy the MAPISEND.EXE from the restored path (i386\admin\mapisend) to an area of your choice. The usage is simple as long as the exchange client is installed on the computer already (outlook is also OK).

mapisend -u "<profile>" -p <anything> -r <recipient> -s "<subject>" -t <text file containing the message>
e.g. mapisend -u "john savill" -p anything -r [email protected] -s "Test message" -t c:\message\mail4.txt

This is just an example usage, and you may not be sure what your profile name is, so instead of using -u and -p, use just -i. This allows interactive login and will also allow you to create a profile which you can then use in future. The full list of switches is

-u Profile name (user mailbox) of sender
-p Login password
-i Interactive login (prompts for profile and password)
-r Recipient(s) (multiples must be separated by ';' and must not be ambiguous in default address book.)
-c Specifies mail copy list (cc: list)
-s Subject line
-m Specifies contents of the mail message, this is ignored if -t is specified
-t Specifies text file for contents of the mail message
-f Path and file name(s) to attach to message
-v Generates an 8 line summary of the sent message

In all cases if the passing parameter is more than one word it should be enclosed in quotes.


Q. What files does Exchange use?

A. Below is a list of the more common files used by Exchange

File | Directory | Use
Priv.pat, Pub.pat | Mdbdata | Patch files, safe to delete if no backup is taking place and no startup recovery is in operation
Dir.pat | DsaData | Patch files, as above
Dlv.log, Snd.log, Dlvxxxxx.log, Sndxxxxx.log | Mdbdata | These are created when Sending and Delivering diagnostics logging for either the private and public information stores are set. These can be deleted at any time. Dlv.log and Snd.log are the most recent logs created.
PUB.EDB, PRIV.EDB | MDBdata | Information store
DIR.EDB | DSAdata | Directory information
EDB.LOG | | Transaction Log
EDB00nn.LOG | | Previous Transaction Logs
EDB.CHK | | Check Point file
RES1.LOG, RES2.LOG | | Emergency logs for when disk is full
TEMP.EDB | | In progress transaction

Q. How can I change the location of my mail file in Outlook 98?

A. Your messages are stored in a .pst file, and by default this is kept in your personal profile space (%systemroot%/Profiles/<user name>/Application Data/Microsoft/Outlook). This is fine unless you use roaming profiles, which means your mail file is stored on a central server taking up space.

Fortunately moving your mail file is easy.

  1. Stop Outlook if it is running
  2. Move to your profile area and move your .pst file to another location (e.g. c:\savillj\outlook). Make sure the .pst file is no longer under your profile
  3. Start Outlook. It will give an error "The file <filename> could not be found". Click OK
  4. You can now browse to where you moved the file to. Select the .pst file and click Open.
  5. Outlook will then start as normal.

What this actually does is update one registry key, HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\14780fd532f9d11181cc00600851c569\001e6700 and its value is the name and location of the .pst file.


Q. How can I reduce the size of my mail file?

A. When you delete files from your mail file the space is usually not cleared away and your mail file may actually grow! To reclaim the wasted space you can "compact" the mail database. The information below is for Outlook 98 but previous versions have similar functions.

  1. Start Outlook 98
  2. From the view menu select "Folder List"
  3. In the folder list pane right click on the root folder (Personal Folders) and select Properties from the context menu
  4. Click the Advanced button from the Personal Folders Properties dialog box
  5. Click the "Compact Now" button. The database will now be compacted
  6. Click OK to all dialog boxes to return to Outlook 98

If you find the mail file has not been substantially reduced in size it may be there is no redundant information or you may need to run the compaction a couple more times as sometimes the process does not work 100%.


Q. I have a bad message in my POP3 mailbox, how can I remove it/read POP using TELNET?

A. It is possible to connect to a POP3 mailbox using Telnet so you should connect via telnet and delete the problem message.

  1. Telnet to the pop3 mail server on port 110
    C:\> telnet <pop3 mail server> 110
    e.g. telnet pop.savilltech.com 110 (this does not exist so don't bother!)
    Once you connect you will get a +OK prompt
  2. Tell the pop3 server your username (the name you usually logon as)
    user john
  3. Now tell the server your password
    pass password
  4. You will now be logged in and to see how many messages you have enter the word STAT which will tell you the number and size of the messages.
  5. To get a list of each message type LIST.
  6. To view the contents of a message use
    retr <message number>
    or to view just the header type
    top <message number> 0
  7. Once you find the problem message just delete it using the DELE command
    dele <message number>
  8. Finally to exit just type QUIT

This is obviously useful in a number of scenarios and you could use it just to read your mail if you did not have access to a mail client.

Below is an example of the above in action.

Reading a POP mailbox using Telnet
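The exchange walked through above, modelled as an added example (not part of the original FAQ): a toy in-memory POP3 server that follows the session states of RFC 1939, with the FAQ's commands run against it. The account, messages and class names are constructed. It shows that DELE only marks a message and the removal happens at QUIT, so closing the telnet window without QUIT leaves the bad message in the mailbox.

```python
# Constructed messages (CRLF line endings, as on the wire).
GOOD = "From: alice@example.test\r\nSubject: lunch\r\n\r\nNoon?\r\n"
BAD = "From: bob@example.test\r\nSubject: huge\r\n\r\n" + "x" * 50 + "\r\n"

# The command sequence from the steps above (USER/PASS travel in cleartext).
PAGE_COMMANDS = ["user john", "pass password", "STAT", "LIST",
                 "top 2 0", "dele 2", "STAT", "QUIT"]


class Pop3Mailbox:
    """Toy POP3 server side: AUTHORIZATION -> TRANSACTION -> update at QUIT."""

    def __init__(self, user, password, messages):
        self.user, self.password = user, password
        self.messages = list(messages)   # committed mailbox contents
        self.deleted = set()             # message numbers marked by DELE
        self.state = "AUTHORIZATION"
        self.pending_user = None

    def _live(self):
        return [(n, m) for n, m in enumerate(self.messages, 1)
                if n not in self.deleted]

    def _lookup(self, arg):
        n = int(arg) if arg.isdigit() else 0
        if 1 <= n <= len(self.messages) and n not in self.deleted:
            return n, self.messages[n - 1]
        return None

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()              # POP3 commands are case-insensitive
        if self.state == "AUTHORIZATION":
            if verb == "USER":
                self.pending_user = arg
                return "+OK send PASS"
            if verb == "PASS":
                if self.pending_user == self.user and arg == self.password:
                    self.state = "TRANSACTION"
                    return "+OK mailbox locked and ready"
                self.pending_user = None
                return "-ERR invalid login"
        elif self.state == "TRANSACTION":
            if verb == "STAT":
                live = self._live()
                return "+OK %d %d" % (len(live), sum(len(m) for _, m in live))
            if verb == "LIST":
                rows = ["%d %d" % (n, len(m)) for n, m in self._live()]
                return "\r\n".join(["+OK"] + rows + ["."])
            if verb in ("RETR", "TOP", "DELE"):
                parts = arg.split()
                found = self._lookup(parts[0]) if parts else None
                if found is None:
                    return "-ERR no such message"
                n, msg = found
                if verb == "DELE":
                    self.deleted.add(n)  # only a mark; nothing is removed yet
                    return "+OK message %d marked for deletion" % n
                if verb == "TOP":        # headers plus the first k body lines
                    head, _, body = msg.partition("\r\n\r\n")
                    k = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
                    msg = head + "\r\n\r\n" + "".join(body.splitlines(True)[:k])
                return "+OK\r\n" + msg + "."
            if verb == "RSET":
                self.deleted.clear()
                return "+OK marks cleared"
        if verb == "QUIT" and self.state != "CLOSED":
            if self.state == "TRANSACTION":  # deletions are committed only here
                self.messages = [m for _, m in self._live()]
            self.deleted.clear()
            self.state = "CLOSED"
            return "+OK bye"
        return "-ERR command not valid in this state"

    def drop(self):
        """Connection lost without QUIT: no marked message is removed."""
        self.deleted.clear()
        self.state = "CLOSED"


def run_session(mailbox, commands):
    """Return the dialogue as (client line, server reply) pairs."""
    transcript = [("", "+OK POP3 server ready")]
    for command in commands:
        transcript.append((command, mailbox.handle(command)))
    return transcript


if __name__ == "__main__":
    for sent, reply in run_session(Pop3Mailbox("john", "password", [GOOD, BAD]),
                                   PAGE_COMMANDS):
        print("C: %s\nS: %s" % (sent, reply) if sent else "S: %s" % reply)
```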


Q. How can I send mail to a SMTP server using Telnet?

A. As with POP3, SMTP messages can also be sent using telnet by connecting to port 25 on the SMTP server, e.g.

C:\> telnet smtp.savilltech.com 25

Once connected you optionally announce to the server who you are (this is needed for some SMTP servers)

helo <domain>
e.g. helo savilltech.com

vrfy <user account>
e.g. vrfy john

Once you are verified you can commence to write an e-mail message. The first command is mail and you specify who it is from, e.g.

mail from:<[email protected]>

The address has to be in <>. Next you have to specify who will be receiving the message using rcpt, e.g.

rcpt to:<[email protected]>

Once the from and to have been completed you can start the body of the message using the data command. You have to create the header information in the first lines of the message. Once you have completed the message enter a '.' on a blank line and the message will be sent. Below is an example creating a message.

Telnet SMTP send

As you can see I entered a from, date, to and a subject and then entered the body of the text. Make sure you don't make a mistake, as a backspace is interpreted as a bad character and will be rejected. If a message is rejected a rejection will be sent to the address specified in the "mail from:<...>" and for this reason you should only ever put your e-mail address. Although I have used a different address as a joke you should NEVER do this.

Below is how the message looks when received in Outlook 98:

Bill loves me :-)

The above shows how easy it is to send a message and make it look as if it came from a different address, but if you examined the header you would easily see it was sent from a different mail server and rumble it's a fake (and a very bad one)!

I shall be adding future entries describing how to STOP people sending mail from your server (as they probably can at the moment).

For full information on SMTP and the commands you can use see Request For Comments 821.
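The header check mentioned above, as an added example (not part of the original FAQ): it takes the Received line written by your own mail server, reads the connecting host that server recorded, and compares its domain with the domain in the From header. The host names, addresses, sample messages and the "from X (Y [ip]) by Z" Received layout are assumptions made for the example; Received lines below your own server's line are supplied by the sender and are ignored.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Servers we operate; only Received lines they wrote are trusted (constructed).
OUR_HOSTS = {"mx.corp.test"}

# Constructed message delivered by the sender's real mail server.
GENUINE = """\
Received: from mail.example.test (mail.example.test [192.0.2.10])
    by mx.corp.test with SMTP; Mon, 7 Jun 1999 10:00:00 +0100
From: Alice <alice@example.test>
To: john@corp.test
Subject: Lunch

Noon?
"""

# Constructed message typed in by hand from a dial-up host. The second
# Received line was part of the DATA the sender supplied, so it proves nothing.
SPOOFED = """\
Received: from example.test (dialup-17.isp.test [198.51.100.23])
    by mx.corp.test with SMTP; Mon, 7 Jun 1999 10:05:00 +0100
Received: from mail.example.test (mail.example.test [192.0.2.10])
    by relay.example.test; Mon, 7 Jun 1999 10:04:00 +0100
From: "The Boss" <boss@example.test>
To: john@corp.test
Subject: Pay rise

Approved.
"""

# Assumed layout: from <HELO name> (<reverse DNS name> [<address>]) by <server>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def org_domain(host):
    """Last two labels of a host name (simplification for the example)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def trusted_hop(msg, our_hosts):
    """Newest Received line that one of our own servers added, parsed."""
    for value in msg.get_all("Received", []):
        match = RECEIVED_RE.search(value)
        if match and match.group("by").lower().rstrip(";") in our_hosts:
            return match.groupdict()
    return None


def check_origin(raw, our_hosts):
    """Compare the From domain with the host our server saw connecting."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = trusted_hop(msg, our_hosts)
    if not from_domain or hop is None or not hop["rdns"]:
        verdict = "unknown"
    elif org_domain(hop["rdns"]) == org_domain(from_domain):
        verdict = "consistent"
    else:
        verdict = "mismatch"  # HELO is ignored: the sender chooses that name
    return {
        "from_domain": from_domain,
        "relay": hop["rdns"] if hop else None,
        "ip": hop["ip"] if hop else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, check_origin(raw, OUR_HOSTS))
```

Mail sent through a hosting provider or a mailing list also produces a mismatch, so treat the verdict as a reason to look at the headers, not as proof.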


Q. Is there a list of known Exchange Directory and Information store problems?

A. An excellent collection has been compiled and is located at http://support.microsoft.com/support/exchange/content/whitepapers/dsis.asp


Q. How do I install Exchange Server 5.5?

A. These instructions are to install the first Exchange Server in the Enterprise

Before you install Exchange Server 5.5, two accounts need to be decided on. The first account is the account that you log on as when you perform the installation of Exchange as this account will be automatically granted the Exchange Administrator permission.

The second account needs to be created and this will be used as the service account for running the Exchange Server services. Any name can be used, the most obvious would be "Exchange Service". To create this account perform the following:

  1. Start User Manager (Start - Programs - Administrative Tools - User Manager for Domains)
  2. From the User menu select New User
  3. Enter a name of "Exchange Service" with a password.
  4. Make sure you clear "User Must Change Password At Next Logon" and "Account Disabled", and check that "User Cannot Change Password" and "Password Never Expires" are set
  5. Close User Manager

Under Windows 2000 this would be set using the Active Directory Users and Computers MMC snap-in, expand the domain, right click on Users and select New - Users. Enter Exchange Service, click Next and then select the options as in step 4 and click Finish. I found under Windows 2000 I had to make the Exchange Service account a member of the local Administrators group on the server Exchange is being installed on.

Also before installing make sure you have a complete backup of your system.

Now you can start the installation.

  1. Logon to the server as the account you want to be the Exchange Administrator
  2. Insert the Exchange Server 5.5 CD-ROM
  3. Run Launch.exe off the CD-ROM if it does not start automatically.
  4. Select "Setup Server and Components"
  5. Select "Microsoft Exchange Server 5.5"
  6. The Exchange server Setup will then run. Click "Accept" to the license agreement.
  7. Select the installation type, typical, complete/custom or minimum. Click Complete/Custom. You could also change the installation directory if you wish by clicking "Change Directory".
  8. Select the components to install. Click Continue.
  9. Enter the CD-Key and click OK.
  10. Click OK to the Product ID dialog.
  11. Check the "I agree that" licensing dialog box and click OK.
  12. As this is the first Exchange server select the "Create a new site". Enter an Organization Name and a site name, e.g. SavillTech and London. Click OK.
  13. Click Yes to create a new site.
  14. You should then select the user account that you created as the Exchange Service account by clicking browse and enter the password you set. Click OK
  15. The rights 'Log on as a service', 'Restore files and directories' and 'Act as part of the operating system' will be granted to the Exchange Service account. Click OK to the notification dialog box.
  16. Files will then be copied.

Once Installation is complete you should run the Microsoft Exchange Performance Optimizer (Start - Programs - Microsoft Exchange - Microsoft Exchange Optimizer). You will be given the option to run this automatically if installation is successful.


Q. How do I run the Exchange Optimizer?

A. Exchange ships with a utility that allows the program to gather information about the computer and make changes to the Exchange configuration to enhance performance. These performance enhancements are primarily gained by moving the files that make up Exchange to different physical disk drives.

  1. Start the Exchange Optimizer (either as part of the installation of Exchange or from the Exchange sub menu of Programs)
  2. Choose options for the server (see diagram below). You can always run this again at a later time if the configuration scaling changes.
  3. Disk analysis runs, click Next
  4. Recommended file moves displayed. Adjust or accept and click Next
  5. Select whether the optimizer should copy files automatically (by checking the "Move files automatically" box) and click Next
  6. Services will then be restarted. Check the "Do not restart these services" if it's not convenient. Click Finish
  7. The parameters that were calculated by the optimizer will then be saved, services stopped, files moved, then services started again.

Exchange Optimizer


Q. What Service Packs are available for Exchange?

A. Below is a list of the service packs available:

Exchange 5.5

Service Pack 2 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/Sp2/Server/

Files to download:

SP2_550A.EXE Server update for Alpha
SP2_550I.EXE Server update for Intel
SP2_55CA.EXE Chat server update for Alpha
SP2_55CI.EXE Chat server update for Intel
SP2_55DC.EXE Documentation
SP2_55FO.EXE HTML Form Converter 
SP2_55SS.EXE Server support files (cluster,KMS,etc)
SP2_55XA.EXE Exchange connector installation(Alpha)
SP2_55XI.EXE Exchange connector installation(Intel)
SP2S550A.EXE Server symbols for Alpha
SP2S550I.EXE Server symbols for Intel
SP2S55CA.EXE Chat server symbols for Alpha
SP2S55CI.EXE Chat server symbols for Intel
SP2_55RE.EXE Readme and HTML file

 

Service Pack 1 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/SP1/Server/

Files to download:

SP1_550A.EXE Server update for Alpha
SP1_550I.EXE Server update for Intel
SP1_55CA.EXE Chat server update for Alpha
SP1_55CI.EXE Chat server update for Intel
SP1_55DC.EXE Documentation
SP1_55FO.EXE HTML Form Converter
SP1_55SS.EXE Server support files (cluster,KMS,etc)
SP1_55XC.EXE Exchange connector installation
SP1S550A.EXE Server symbols for Alpha
SP1S550I.EXE Server symbols for Intel
SP1S55CA.EXE Chat server symbols for Alpha
SP1S55CI.EXE Chat server symbols for Intel
SP1_55RE.EXE Readme and HTML file

Hotfixes post Service Pack 1

PSP1STRI.EXE Store Fix

Exchange 5.0

Service Pack 1 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Sp1/Server/

Files to download:

SP1_500A.EXE Server update for Alpha
SP1_500I.EXE Server update for Intel
SP1S500A.EXE Server symbols for Alpha
SP1S500I.EXE Server symbols for Intel

Service Pack 2 from ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Sp2/Server/

Files to download:

SP2_500A.EXE Server update for Alpha
SP2_500I.EXE Server update for Intel
SP2S500A.EXE Server symbols for Alpha
SP2S500I.EXE Server symbols for Intel

Q. How can I retrieve mail from a POP3 mailbox and forward it to Exchange server?

A. If your ISP does not support ETRN, then you have to use a third party utility to retrieve the mail from a POP3 mailbox. One of these utilities is Mail essentials Small Business (http://www.gficomms.com). For one mailbox this is a freeware utility.

A more complete listing of utilities can be found on http://www.slipstick.com


Q. How do I upgrade from Exchange 5.0 to 5.5?

A. The Exchange 5.5 upgrade process actually performs a database upgrade before it actually copies any of the code of 5.5 to the server. This allows for a complete rollback in case the upgrade of the database fails. Below are the steps in performing the upgrade

  1. Start the setup.exe program as per a normal installation
  2. It will detect the existing installation and you will be asked if you want to Upgrade or Remove the existing installation. Click Upgrade
  3. A confirmation that the database will be reformatted is displayed. Click OK
  4. You will be shown the Database Upgrade Options. By default the Fault Tolerant Option is selected however this does require extra disk space as it makes a copy of the database and if the Fault Tolerant Option is not selected, you may not have enough drive space for this method. You may want to change the default location for the Fault Tolerant Upgrade temp files from the C:\TEMP location to a location on the database drive. Click OK to continue.
  5. The upgrade will progress. First the database will be upgraded (this may take up to 40 minutes per GB of original database). Next the code will be copied to the server, and finally the registry will be modified, the services installed, and other system changes will take place.
  6. The Exchange Services will then be re-started
  7. As with a normal installation, once completed you will be asked if you wish to run the optimizer utility.

Q. How do I uninstall Exchange?

A. To uninstall Exchange perform the following. Be aware you will lose all information.

  1. Run Exchange setup (setup.exe)
  2. Click "Remove All"
  3. Click "Yes" to the dialog box
  4. Click "Yes" to remove the shared components
  5. The files will then be removed
  6. Click OK to the remove complete confirmation

Q. How do I install a duplicate Exchange server?

A. With the concept of sites in Exchange, it is possible to install multiple Exchange services in a site which will replicate to one another. Duplicate servers in a site provide fault-tolerance and load balancing. To install a duplicate server in a site perform the following. Servers within a site don't have to be in the same domain but should be connected by a fast connection, 128KB is the normal definition of a fast link.

  1. Logon as an Administrator of the domain currently hosting the Exchange service. If you logon as an account that does not have administrative rights on the current Exchange server you will be unable to add a duplicate server.
  2. Run Exchange's setup.exe
  3. Click Accept to the license agreement
  4. Setup will search for the installed components (such as IIS and ASP)
  5. Select the installation type. Click Custom/Complete. Select the options and click OK
  6. Enter the product code number (xxx - xxxxxxx) and click OK
  7. Click OK to the displayed Product-ID that is generated by the setup program
  8. Check the "I agree that" for the licensing and click OK
  9. Select "Join an existing site" and enter the name of a server in the site you wish to join, e.g. Mars and click OK
  10. You will be shown details of the Exchange server on that site, including ORG name and site. Click Yes
    Exchange Site
  11. The service account currently used for the original Exchange Server will be shown, just enter its password (if this is on its own domain you should create a new service account for fault tolerant reasons (i.e. main domain controller not available)). Click OK
  12. Files will then be copied, services installed, registry updated and then the relevant services will be started. Once the Directory Service has started replication will occur between the sites. Once complete the other Exchange services will start
  13. Click OK to the replication dialogue box.
  14. You can then proceed to run Optimizer optionally as normal

You now have a duplicate Exchange server in the specified site.


Q. How do I connect Exchange sites?

A. If you configure multiple sites by installing new servers and entering a different site name (but the same organizational name) you can connect the sites using Exchange's built-in site connector. To connect sites using the built-in connector they must be able to communicate via RPC calls and to test this see Q. How can I check if servers can communicate via RPC's? Many routers actually filter out RPC's so it is important you perform this test.

To add a connector between sites perform the following:

  1. Start the Exchange Administrator program on one of the servers (Start - Programs - Microsoft Exchange - Microsoft Exchange Administrator)
  2. You may need to choose an Exchange server to connect to
  3. Expand the server, expand the site name and finally expand Configuration
  4. Select Connections
  5. From the File menu select 'New Other' - 'Site Connector'
  6. Enter the name of the server that maintains the site you wish to connect to and click OK
  7. Information about the site that is hosted by the server and optional information can be entered. Once all details have been entered click OK. Information you may have to enter is in the Override tab which allows you to enter logon information for the connection if the sites are not in the same domain or part of a trust relationship.
  8. If there is no connection in the reverse direction you will be asked if such a connection should be created

The connection will now be visible under the Connections tab.


Q. Exchange Security Knowledge Base list.

A. Below is a list of useful Knowledge Base articles.

1) How to install Exchange 5.5 with support for V1 and V3 Certificates for SMIME and Public/Private Key encryption (Signing and Sealing Mail Messages). This uses the CA version 1.0 (Certificate Authority) in IIS 4.0 that comes in the NT 4.0 Option Pack. This requires the Updated CA Server. See these KB's.

Q192044 Setting Up X509v3 Certs on Exch 5.5 SP1 KMS with Local CertSrv
Q184695 Readme Notes for Certificate Server Update

2) How to setup SSL/TLS between Exchange Server 5.0/5.5 and Internet Email Clients, POP3, IMAP4, NNTP, HTTP, SMTP.

Q175439 XFOR: Enabling SSL For Exchange Server

3) How to setup SSL/TLS between Exchange Server and other SMTP (non-exchange) host. This requires enabling SSL for the SMTP protocol first. See Q175439 for instructions, but select SMTP as the Protocol to be used in Key Manager.

Q174755 XFOR: Connecting IMS to IMS with SASL

4) When you use Microsoft Outlook Express to connect to Microsoft Exchange Server, version 5.0 with Service Pack 1 installed, the Information Store may stop responding (crash). Fixed in the Latest Service Pack.

Q166627 XCLN: Outlook Express Crashes Store When SSL Is Used

5) When trying to access a mailbox in Internet Explorer version 3.02 when the WWW Service for the Internet Information Server (IIS) computer is configured to use Windows (NTLM) authentication only, you may receive the following error message: The Login Request was Denied. Fix is to upgrade to IE 4.0 or use Registry Entry.

Q173307 XWEB: "The Login Request was Denied" Error Message

6) If you configure the Internet Mail Service on two Microsoft Exchange Server computers to use Secure Sockets Layer (SSL) without authentication, you may receive a non-delivery report (NDR) when you attempt to send mail from one server to another through the Internet Mail Service. The text of the NDR includes a 505 error and indicates that authentication is required for the message to be delivered. Fixed in the Latest Service Pack for 5.5.

Q181481 XFOR: Non-Delivery Report When Using SSL Without Authentication

7) On July 17, 1998 Microsoft released an updated version of Schannel.dll. This latest version provides the following benefits: Updates the SChannel.dll used by IIS and Exchange Server for Encryption. See article for Details.

Q148427 Generic SSL (PCT/TLS) Updates for IIS and MS Internet Products
Q181937 Latest SGC-Enabled Schannel.dll Breaks IIS 3.0 Key Manager [iis]

8) Microsoft Proxy Server is designed to work well with other servers like Microsoft Exchange Server. Most Windows Sockets server applications are able to use the server proxy feature while installed on or behind the Proxy Server. Certain additional advanced settings may be required, based on your particular internal server configuration.

Q181420 How to Configure Exchange or Other SMTP with Proxy Server
Q187652 Accessing Data Published Behind MS Proxy Server 2.0
Q178532 Configuring Exchange Internet Protocols with Proxy Server
Q177153 Additional Proxy Server 2.0 Configurations [proxysvr]

9) This article discusses the known TCP/IP ports (TCP and/or UDP) that are used by services within Microsoft Windows NT version 4.0 and Microsoft Exchange Server version 5.0 and 5.5.

Q150543 WinNT, Terminal Server, & Exchange Services Use TCP/IP Ports [crossnet]

10) Microsoft Exchange Server versions 5.0 and 5.5 support a variety of Internet-focused protocols, including POP3, HTTP, LDAP, and NNTP. This article explains the different authentication forms for each protocol.

Q175440 Protocol Authentication on Exchange Server [exchange]


Q. How do I configure Exchange Directory Replication?

A. Once you have connected sites by a connector, be it Exchange, X.400 or Dynamic RAS, no data will be replicated until you configure the directory replication. You must have defined connections between the sites before Directory Replication can be configured.

To configure Directory Replication perform the following:

  1. Start the Exchange Administrator Program (Start - Programs - Microsoft Exchange - Microsoft Exchange Administrator)
  2. Expand the tree and expand the site, e.g. Operations, select Configuration then select Directory Replication
  3. From the File menu select 'New Other' and select 'Directory Replication Connector'
  4. The first dialog allows you to select (from a dropdown) the remote site name (only sites that are connected via a connector will be shown). You should enter the name of an Exchange server in the selected site. You also should leave the defaults of "Configure both sites". Click OK
  5. The General tab of the Directory Replicator will be displayed. You may enter an Administrative note if you wish. You may click the Schedule tab to select how often Directory Replication takes place. Selecting Always means changes will be replicated as they happen; this is OK if you don't care about bandwidth usage. Click OK.

The Directory Replicator between the sites is now configured and can be modified by double clicking on the replicator as part of the Directory Replication folder.


Q. How do I monitor an Exchange link?

A. It is possible to install link connectors which can be configured to perform a number of actions in the event of a link failure.

  1. Start the Exchange Administrator program
  2. Select the Monitors folder of the Configuration folder of the site
  3. From the File menu select 'New Other' - 'Link Monitor'
  4. Under the General tab you must enter a Directory Name which is a 64 character name identifying the monitor, a Display Name which will be shown in the Exchange Administrator application, a log file, and how often the link should be checked (polled).
  5. Under the Notification tab you can add notification methods such as an e-mail, start a process or write an event log by clicking the 'New' button. You will also have the opportunity to test the method specified by clicking the Test button. Click OK to the notification dialog box.
  6. Under Servers you should select the Servers to Monitor in the left hand box and click Add, they will then be shown in the 'Monitor Server' area.
  7. The Recipients tab is used with non-Exchange servers that support "mail bounce" whereby a mail is sent to the server and a reply is expected back.
  8. The Bounce tab allows you to set the times considered reasonable for a round trip.
  9. Once happy click OK

Q. How do I delete a server from an Exchange site?

A. If you have multiple servers in a site and a server no longer exists you can delete it from the Exchange Administrator program by performing the following:

  1. Start the Exchange Administrator Program
  2. Expand the site name, e.g. Legal, expand Configuration then Servers
  3. Select the server you wish to delete and press the DEL key
  4. A check will be performed that the server can't be found
  5. Once the server is not found accept any of the dialogs

The server will now be removed.


Q. How do I setup an Exchange forward?

A. A forward can be configured in a number of places. The first place is at the Exchange server:

  1. Start the Exchange Administrator program
  2. Select the Recipients folder of the site, e.g. Operations\Recipients
  3. From the File menu select 'New Custom Recipient'
  4. Select 'Internet Address' (to forward to an Internet address) and click OK
  5. Enter the E-mail address, e.g. [email protected] and click OK
  6. You will then be shown the normal recipient dialog where you can enter a name etc. The option to set an NT account will not be shown. Once you have entered all details click OK

People will now be able to send mail to this person and it will be forwarded accordingly.

You could also in Exchange Administrator setup a Custom Recipient (as above), then in the Delivery Options for your mailbox set an Alternate Recipient which points to the Custom Recipient that you just created. Select the "Deliver messages to both recipient and alternate recipient" checkbox. In the properties for the custom recipient you can select the option to hide it from the address list.

Other options that can be done at the client end include

  • Use the "Inbox Assistant"
  • Use the "Out Of Office" Assistant
  • Use the Rules Wizard

Q. How do I configure a X.400 Exchange connector?

A. Aside from the native Exchange Connector, the X.400 connector is the most common Exchange connector, allowing Exchange to connect to non-Exchange systems. While X.400 suffers a 20% drop in performance in comparison to the native Exchange connector it is still impressive.

X.400 is a common standard and Exchange's implementation is based on the 1988 standard. X.400 operates on the MTA stack, which has to be installed before installing an X.400 connector. MTA stacks are available for TCP/IP, X.25 and TP4. A stack is available for RAS as well but that stack does not support X.400. In this walkthrough we will look at implementing X.400 over TCP/IP.

Only Exchange Enterprise edition has the X.400 connector and not the standard edition (also Enterprise has the SNADS and OV/VM(PROFS) connectors which standard does not have). If you only have standard edition and require X.400 connector you will need to upgrade.

The first step is to install the MTA transport stack

  1. Start the Exchange Administrator program
  2. Select 'New Other' - 'MTA Transport Stack' from the File menu
  3. Select "TCP/IP MTA Transport Stack" from the list and the local server and click OK
  4. A dialog for the configuration of MTA will be shown. You can leave the OSI information blank. Under the Connectors tab leave blank. Make sure you enter a display and directory name. Click OK

If you find you don't have a number of MTA stacks check you installed the X.400 connector at installation time. Re-run setup and click Add/Remove. Select Exchange Server and click Change Options. Check the "X.400 Connector" box and click OK. Click Continue. You will now be able to install the TCP/IP MTA stack.

Now the MTA stack is installed you can install the actual X.400 connector and configure it accordingly.

  1. Start the Exchange Administrator program
  2. Select the Connections container of the site to which you want to add the connection
  3. Select 'New Other' - 'X.400 Connector' from the File menu
  4. Accept the default "TCP/IP X.400 Connector" and click OK
  5. The X.400 configuration dialog will be displayed. Under the General tab enter a display and directory name (this can be any string of text). You should enter the remote MTA name (and a password if required) which is used to identify the Message Transfer Agent on the other host/site.
  6. Click the Schedule tab to configure replication settings
  7. Select the Stack tab to enter the IP address or name of the system to connect to. Again you can leave the OSI information blank.
  8. Use the Override tab to specify a different local MTA name/password
  9. Connected sites is only used when connecting Exchange sites via X.400.
  10. If you don't enter anything under Connected Sites you must configure an address space under the "Address Space" tab
  11. The Delivery Restrictions and Advanced tabs allow other non-essential settings to be set
  12. Once all information is entered click OK

You now have a functional one-way X.400 link. You would now need to repeat the above for the opposite direction.


Q. How do I allow a user to administer Exchange?

A. When Exchange is installed the user who performs the installation is granted Exchange Administrator rights. To grant additional users the ability to administer Exchange perform the following:

  1. Logon as an Exchange administrator
  2. Start the Exchange Administrator program
  3. Select the site whose permissions you wish to modify
  4. From the File menu select Properties
  5. Click the Permissions tab
  6. Click Add and select the user (or group) to whom you wish to grant Exchange Admin rights
  7. Once users have been selected click OK. You now choose the role, e.g. "Permissions Admin" and click OK

The user (or group) will now have the granted rights to Exchange. You may want to create a group, e.g. Exchange Admins, grant this access in Exchange, then Add/Remove users to this group.


Q. How do I grant permission for people to create top level public folders?

A. By default all users can create top level folders however this can be changed if you would like to restrict this

  1. Start the Exchange Administrator program
  2. Expand the site and select Configuration
  3. Select "Information Store Site Configuration" and select Properties from the File menu
  4. Select the "Top Level Folder Creation" tab
  5. You will notice that under "Allowed to create top level folders" All is selected by default. Change this to list and click the Modify button
  6. You will be shown a list of Exchange mail boxes, select the ones that should be allowed to create top-level folders and click OK
  7. Click Apply then OK

[Screenshot: Exchange top level creation - Setting top level folder creation access]

Alternatively you could have left it as All and modified the list of people who should not be able to create top-level folders.

If people are still logged in they will be able to continue to create top-level folders until they close Outlook/Exchange and restart it.


Q. How do I create public folders?

A. Public folders are administered/created using the 32-bit Exchange clients such as Exchange and Outlook.

To create a top-level public folder perform the following:

  1. Start the Exchange client
  2. From the View menu select "Folder List" if not already enabled
  3. Expand "Public Folders" and double click on "All Public Folders"
  4. From the File menu select New - Folder
  5. In the dialog enter a name and click OK
  6. You can also have an optional shortcut created on the Outlook bar at this point by clicking Yes to the "Add shortcut to Outlook Bar" dialog (if you have the Outlook Bar visible)

To create non-top level folders just select the folder that you wish to be the parent and select New - Folder from the File menu. You will then be able to name the sub-folder as with above.


Q. How do I connect my Exchange server to a SMTP server?

A. Exchange Server 5.5 ships with the Internet Mail Service which allows Newsgroup feeds and, among other things, connections to a SMTP mailbox.

You will need a connection method to the SMTP mailbox, for example a RAS dial-up connection to an ISP. If you are connecting via a firewall make sure the ports used by POP and SMTP are not disallowed (ports 25, 110 and 995).

Before doing any of this you should ensure DNS is correctly configured for your local domain (or this may be done by the ISP) by adding an MX record for the Exchange server in DNS (this is not needed if you are connecting via a RAS dial-up connection and just connecting to a specific host).

In this example we will connect to a SMTP mailbox at a ISP.

  1. Start the Exchange Administrator program
  2. Expand the root, select your site then expand that, expand Configuration and select the Connections container
  3. Select "New Other" - "Internet Mail Service" from the File menu
  4. Click Next to the introduction dialog
  5. Click Next to the dialog outlining the steps that should have been completed (DNS configuration etc)
  6. Select the Exchange server that will have the IMS installed and check the "Allow internet mail through a dial-up connection". Click Next
  7. Select a phone book entry and click Next
  8. Check the "Route all mail through a single host" and enter the TCP/IP address or hostname of the host, e.g. SMTP.DIAL.PIPEX.COM. Click Next
  9. Check the "All internet mail addresses" and click Next
  10. Next specify the name that should be appended to the mailbox names, e.g. ntfaq.com. Click Next
  11. Select the mailbox to be used to send notification/non-delivery reports to. Click Next
  12. Enter the Exchange Service account password and click Next
  13. A number of changes will occur and an extra service added.

To configure items such as the dial-up account username and password double click on "Internet Mail Service" under Configuration\Connections, select the Dial-up Connections tab and click Logon Information. From this tab you can also configure the time-out and how often to dial out.

If you have problems try applying Service Pack 1 which I found fixes a number of problems.


Q. How do I connect my Exchange server to a NEWS feed?

A. Exchange Server 5.5 has the ability to accept a news feed and publish to the Public Folders area. It can also be configured to post back any articles posted by your network's users to the appropriate news server.

  1. Start the Exchange Administrator tool
  2. Expand the sites, expand Configuration and select Connections
  3. From the File menu select "New Other" - "Newsfeed"
  4. Click Next to the welcome dialog
  5. Select the Exchange server to install from the drop down list and enter a USENET site name (you can accept the default which will be <sitename>.<domain>, e.g. operations.savilltech.com). Click Next
  6. Select the type of newsfeed: inbound and outbound, inbound only or outbound only. You also need to specify the type of feed, push or pull. Push means you wait for incoming posts to be sent to you, pull means at a scheduled interval you go and grab the news posts off of the news server. Click Next.
  7. Select the connection type, LAN or dial-up. If dial-up you will need to select a RAS phonebook entry and enter the connection username and password (if it supports CHAP) or make sure you have an automated script configured. Click Next
  8. Next select how often to connect to the news server, 15 minutes, 1 hour, 3 hours, 6 hours, 12 hours or 24 hours. You can change this to be more specific later if you wish. Click Next
  9. Enter the USENET site name, e.g. msnews.microsoft.com. Click Next
  10. Enter the IP address or hostname of the news server. Click Next
  11. If you require a password to connect to the news server enter it here otherwise leave it blank and click Next
  12. Click Next to the summary dialog
  13. Select an Internet News administrator by clicking the Change button and click Next
  14. Next you have to tell the configuration program where to get a list of newsgroups on the server. You can choose to import from a current file, download now or to configure it later. Click Next. If you select "Download Now" after you click Next it will connect (if via RAS it will dial out) and retrieve the news list. This could take a while depending on the news server.
  15. You will then be shown all the newsgroups available and you should select which branches you wish to download messages from as part of your feed. To select just click one and click Include, the icon for the newsgroup will change. When finished click Next
  16. Click Finish

It will now connect for the first time and get an initial feed for all newsgroups selected.

[Screenshot: Exchange News feed - Always download the Exchange Admin newsgroup :-), don't we all?]

Clients will now be able to view via the Folders List in Outlook, Public Folders - All Public Folders - Internet Newsgroups - microsoft .....


You can change any details by double clicking on the appropriate Newsfeed entry under Connections. For example, clicking Schedule allows you to specify how often to connect at certain times of the day/days of the week.

If you are connecting via dial-up you can change the time-out parameter as follows:

  1. Start the Exchange Administrator program
  2. Select the site, then expand Configuration and select Protocols
  3. Double click on "NNTP (News) Site Defaults"
  4. Select the "Idle Time-out" tab
  5. Change the close idle connections value (between 10 and 32767) and click Apply then OK

Q. What web sites have good Exchange information?

A. Below is a list of some of the best sites I have found

Good Downloads are:


Q. How do I download to Exchange from multiple POP3 mail boxes?

A. Exchange does not really support the downloading of mail from POP3 since you would be asking a server to act like a client. A 3rd party piece of software called PULLMAIL, which can be downloaded from http://www.swsoft.co.uk/pullmail, can be used to download from a POP3 mailbox and deposit in an Exchange mailbox. Using the command procedure below it can be made to download from multiple POP3 mailboxes and deposit in the correct mailbox.

Enter the following into file getmail.cmd and save.

@ECHO OFF
TITLE GetMail

REM getmail.cmd 20-Aug-1997 Luke Brennan
REM
REM Get the POP3 mail in POP3 accounts and deposit into
REM EXCHANGE accounts
REM
REM uses the PULLMAIL program from -> http://www.swsoft.co.uk/pullmail
REM PULLMAIL specific Info/support -> [email protected]
REM general enquiries -> [email protected]
REM

SET POPUSERS=%SystemRoot%\POPUSERS.DAT
SET PARSEARG="eol=; tokens=1,2,3,4* delims=, "

REM RASPHONE -d OzEmail
For /F %PARSEARG% %%i in (%POPUSERS%) Do PULLMAIL %%i %%j %%k /to:%%l
REM RASPHONE -h OzEmail

REM
TITLE Command Prompt

The next step is to create the file that GETMAIL.CMD will read in, POPUSERS.DAT. Below is an example. GETMAIL.CMD expects to find the file in the %systemroot% directory (e.g. d:\winnt) however you can change that by altering the "SET POPUSERS=.." line.

POPusers.dat
; space or comma delimited file
; 1. ISP pop server 2. POP3 account 3. POP3 password 4. EXCHANGE username
;
savcom.demon.co.uk rita pass savillr
cello.cchs.usyd.edu.au brennan ###### LDB
savill.pipex.co.uk johnsavill pass savillj
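
POPUSERS.DAT holds the POP3 passwords in clear text, and the FOR /F line splits every record on spaces and commas, so a value that contains either character shifts the tokens and the wrong one ends up after /to:. The following check is an added example, not part of the original procedure or of PULLMAIL; it approximates the "eol=; delims=, " parsing in Python, reports records that would expand to a wrong command line, and never echoes a password. The host names and passwords in the sample are constructed.

```python
import re

# Constructed sample in the POPUSERS.DAT layout shown above
# (reserved .example host names, made-up passwords).
SAMPLE_DAT = """\
; space or comma delimited file
pop.isp1.example rita s3cret savillr
pop.isp2.example,brennan,hunter2,LDB
pop.isp3.example john pass word savillj
pop.isp4.example onlytwo
"""


def for_f_tokens(line):
    """Approximate FOR /F "eol=; delims=, " tokenising of one line.

    Blank lines and lines starting with ';' are skipped (None is returned);
    runs of spaces and commas count as a single delimiter.
    """
    stripped = line.strip("\r\n").lstrip(", ")
    if not stripped or stripped.startswith(";"):
        return None
    return [t for t in re.split(r"[, ]+", stripped) if t]


def expanded_command(tokens):
    """Command line the FOR /F body would expand to, with the password masked."""
    host, user, password, mailbox = (tokens + [""] * 4)[:4]
    return "PULLMAIL %s %s %s /to:%s" % (
        host, user, "****" if password else "", mailbox)


def lint_popusers(text):
    """Return (entries, problems); passwords are not copied into either list."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = for_f_tokens(raw)
        if tokens is None:
            continue
        if len(tokens) < 4:
            problems.append((lineno, "only %d of 4 fields" % len(tokens),
                             expanded_command(tokens)))
        elif len(tokens) > 4:
            # Tokens past the fourth land in %%m, which the script never uses,
            # so /to: silently receives whatever happens to be token 4.
            problems.append((lineno, "%d fields, a value contains a delimiter"
                             % len(tokens), expanded_command(tokens)))
        else:
            entries.append({"server": tokens[0], "account": tokens[1],
                            "mailbox": tokens[3]})
    return entries, problems


if __name__ == "__main__":
    good, bad = lint_popusers(SAMPLE_DAT)
    for entry in good:
        print("ok   ", entry)
    for lineno, reason, command in bad:
        print("line %d: %s -> %s" % (lineno, reason, command))
```

Because the file contains live credentials, keep it out of world-readable locations and restrict its NTFS permissions to the account that runs getmail.cmd.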


Q. How do I install the Key Management Server?

A. Key Management Server allows secure e-mail via both signed and encrypted messages. To install perform the following:

  1. Log on the Exchange server as an Exchange Administrator
  2. Insert the Exchange Server 5.5 CD
  3. Run the Exchange SETUP.EXE
  4. Click Add/Remove
  5. Select "Microsoft Exchange Server" and click Change Option
  6. Check "Key Management Server" and click OK
  7. Click Continue
  8. Enter the site services account and password and click OK
  9. You now have the option of having the special startup password displayed (only once), in which case you need to store it securely and enter it every time you start the service, or of having it written to a floppy disk and a backup copy. Make your selection and click OK.
  10. If you selected write to disk you will be asked where to write to. By default it is A: however you can change this to a permanent drive. If you do store it permanently then anyone who can read that drive will be able to obtain the secure KM password.
  11. The setup will complete. You should now reinstall any service packs installed.

You will notice that when you choose to store the password a single file, kmserver.pwd, will be created with a single word in it, for example:

SWOBRQSBQZPSPQC

The final step is to configure the Key Management service to start automatically at reboot time.

  1. Start the Services Control Panel applet (Start - Settings - Control Panel - Services)
  2. Select "Microsoft Exchange Key Management Server"
  3. Click Startup
  4. Select Automatic and click OK
  5. You can also choose to start now by clicking Start. You will have to insert the disk containing the password or manually enter the password.

Q. How do I manage the Certificate Authority of Key Management Server?

A. This is managed through the Exchange Administrator program as follows but make sure that the Microsoft Key Management service is running (Start - Settings - Control Panel - Services)

  1. Start the Exchange Administrator Program
  2. Expand the sites and select Configuration
  3. Double click on CA
  4. You will be asked for the password. If this is the first time enter "password" (lowercase, no quotes). You can also select for it to save the password for up to 5 minutes to avoid having to retype it in the short term. Click OK
  5. Once logged in various functions can be performed

To change your CA password perform the above then:

  1. Select the Administrators tab
  2. Click "Change My KM Server Password"
  3. Enter the current password and set a new one. Click OK
  4. Click OK to the main dialog

You can also add new KM administrators from the Administrators tab


Q. How do I enable advanced security for a user?

A. By default users do not have advanced security after the KM server is installed. To enable it for a user perform the following actions

  1. Start the Exchange Administrator program
  2. Select the site and select the Recipients container
  3. Double click on the mailbox you want to enable advanced security for, e.g. Garfield
  4. Click the Security tab. You will be asked for your KM server password; only KM administrators can view the Security tab, not just normal Exchange administrators. Enter the password and check the "Remember" box if you want to make multiple changes to mailboxes and don't want to retype the password every time
  5. You will notice the current status is "Undefined". Click the "Enable Advanced Security" button
  6. A dialog will be shown with the temporary key or it will be mailed to the user depending on your options and configuration. Click OK

To allow the key to be sent via e-mail to the user perform the following:

  1. Start the Exchange Administrator Program
  2. Expand the sites and select Configuration
  3. Double click on CA
  4. Select the Enrollment tab
  5. Check the "Allow email to be sent to the user" box
  6. You can also change the welcome message that is sent by clicking "Edit Welcome Message"
  7. Click OK

Now notify the recipient to read their mail or give them the password and they should perform the following:

  1. Start the Outlook client
  2. Select Options from the Tools menu
  3. Select the Security tab
  4. In the "Secure email" area click "Change Settings"
  5. Click "Get a Digital ID" in the "Digital IDs" section
  6. Select "Set up Security for me on the Exchange Server" and click OK
  7. Enter the password and click OK
  8. Click OK to the confirmation dialog
  9. The client will then be sent a reply message. Open the message and click OK to all dialog boxes and then Yes to the installation of the Certificate.

[Screenshot: Install Key - Hmmm, looks like a year 2000 problem!]

Options for which security to use, signing or encryption, can be set using the Security tab of the client's Options dialog or on an individual message basis by clicking the Options button.


Q. How do I automatically create an Exchange mailbox for all members of the domain?

A. Exchange can import users from a comma-separated file (CSV) of the format:

Obj-Class,Common-Name,Display-Name,Home-Server,Comment
Mailbox,Administrator,,~SERVER,Built-in account for administering the computer/domain
Mailbox,batman,Bruce Wayne,~SERVER,
Mailbox,denise,denise van outen,~SERVER,
Mailbox,Exchange Service,Exchange Service,~SERVER,
Mailbox,Guest,,~SERVER,Built-in account for guest access to the computer/domain
Mailbox,IUSR_ODIN,Internet Guest Account,~SERVER,Internet Server Anonymous Access
Mailbox,IWAM_ODIN,Web Application Manager account,~SERVER,Internet Server Web Application Manager identity
Mailbox,krbtgt,,~SERVER,Key Distribution Center Service Account
Mailbox,MTS_ODIN,MTS_ODIN,~SERVER,Transaction Server system package administrator account

Exchange has the ability to generate this file from either a NT domain listing or a NetWare account list.

  1. Start the Exchange Administrator Program
  2. From the Tools menu select "Extract Windows NT Account List" (also notice the NetWare option)
  3. Select the domain and a domain controller and click the browse button to select a directory and filename for the output. Click OK
  4. A summary will be shown listing any errors encountered. Click OK

The file generated has ALL accounts in the domain (as can be seen in the example), for example Exchange service accounts, the guest account and IIS accounts, so you may want to edit the generated file and remove the lines for accounts that should not be given a mailbox.
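
One way to do that edit repeatably is sketched below, as an added example that is not part of the original FAQ or of Exchange. It reads an extract in the format shown above, drops rows whose Common-Name matches a list of service, guest and IIS account patterns, sets malformed rows aside for review instead of importing them, and writes the remaining rows back out. The pattern list and the sample rows are assumptions built from the accounts visible in the example; adjust them for your own domain.

```python
import csv
import fnmatch
import io

# Assumption: name patterns for accounts that should not get a mailbox,
# modelled on the service, guest and IIS accounts in the sample extract.
EXCLUDE_PATTERNS = ("Guest", "krbtgt", "Exchange Service",
                    "IUSR_*", "IWAM_*", "MTS_*")

# Constructed sample in the extract format; the last row has an unquoted
# comma in its Comment field and is therefore malformed.
SAMPLE_EXTRACT = """\
Obj-Class,Common-Name,Display-Name,Home-Server,Comment
Mailbox,Administrator,,~SERVER,Built-in account for administering the computer/domain
Mailbox,batman,Bruce Wayne,~SERVER,
Mailbox,Exchange Service,Exchange Service,~SERVER,
Mailbox,Guest,,~SERVER,Built-in account for guest access to the computer/domain
Mailbox,IUSR_ODIN,Internet Guest Account,~SERVER,Internet Server Anonymous Access
Mailbox,krbtgt,,~SERVER,Key Distribution Center Service Account
Mailbox,robin,Dick Grayson,~SERVER,sidekick, part time
"""


def filter_extract(text, patterns=EXCLUDE_PATTERNS):
    """Return (fieldnames, kept_rows, dropped) with dropped = [(name, reason)]."""
    reader = csv.DictReader(io.StringIO(text))
    fields = reader.fieldnames or []
    if "Obj-Class" not in fields or "Common-Name" not in fields:
        raise ValueError("header row missing: not an account-list extract")
    kept, dropped = [], []
    for row in reader:
        name = (row.get("Common-Name") or "").strip()
        # DictReader stores surplus columns under the key None and fills
        # missing columns with None; either means the row needs a human look.
        if None in row or any(value is None for value in row.values()):
            dropped.append((name, "malformed row"))
            continue
        if row["Obj-Class"].strip().lower() != "mailbox":
            dropped.append((name, "not a Mailbox object"))
            continue
        match = next((p for p in patterns
                      if fnmatch.fnmatchcase(name.lower(), p.lower())), None)
        if match:
            dropped.append((name, "matches " + match))
            continue
        kept.append(row)
    return fields, kept, dropped


def render_csv(fields, rows):
    """Serialise the kept rows in the same column order as the extract."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    fields, kept, dropped = filter_extract(SAMPLE_EXTRACT)
    for name, reason in dropped:
        print("dropped %-18s %s" % (name, reason))
    print(render_csv(fields, kept), end="")
```

Review the dropped list before importing; anything reported as malformed should be corrected by hand rather than imported as it stands.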

Once the file has been edited to satisfaction perform the following:

  1. Start the Exchange Administrator Program
  2. From the Tools menu select "Directory Import"
  3. Select the Windows NT domain and the MS Exchange Server. You can also select the container however you should leave this as the default "Recipients"
  4. Click the "Import File" button and enter the location and name of the .CSV file created earlier. You can also select to create a Windows NT account however since these accounts were generated by a domain listing it's not needed. Click the Import button
  5. The file will be read in and mailboxes created. Again a summary will be displayed showing any errors.

[Screenshot: Exchange Domain import - Example Import from Domain file]

Every member of your domain now has a mailbox on the Exchange server. In larger domains with multiple Exchange sites you may edit the file and import some people into one Exchange site and others into a different site depending on their geographical location.


Q. How do I avoid having to enter the Key Management password?

A. If you have the Key Management Server installed each time you start the KM service you have to either insert a disk with the password on or manually enter it depending on your configuration.

It is possible to configure the service to look on the hard disk, although this is not recommended for security reasons; however, on development systems this may be OK.

  1. Create a directory on your local hard disk (or you could use an existing directory)
  2. Copy the file kmserver.pwd from the floppy disk created to the local directory, e.g. d:\exchsrvr
  3. Start the registry editor (regedit.exe)
  4. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\KMServer
  5. Double click on MasterPasswordPath
  6. Change from A:\ to the directory, e.g. d:\exchsrvr. Click OK
  7. Close the registry editor

Next time the service is started it will look for the password file on the local harddisk and not prompt for a disk to be entered.


Q. I archived some .pst files to a CD-ROM but am unable to load the files.

A. When Outlook opens a PST file it needs write access so you will be unable to load a file from read-only media such as a CD-ROM drive.

To resolve this simply copy the file to writeable media and read it from there.

Messages can be sent to a .pst file by using Outlook's archive function. To open with Outlook 98 select File - Open - Personal Folders File.


Q. How can I limit Exchange mailbox size?

A. Exchange comes built in with the ability to limit and notify of quota violations.

To set the limits perform the following:

  1. Start the Exchange Administrator Program
  2. Expand the organisation, then the site and then the servers branch
  3. Expand the server whose quotas you wish to set, select "Private Information Store". Select Properties from the File menu
  4. Select the General tab
  5. You can set a policy for the keeping of deleted items (this is useful if you have users who delete mail they wanted to keep and will save you having to fish out a backup). Be careful of setting the "Don't permanently delete items until the store has been backed up" option, as if backups are infrequent this could affect performance badly.
  6. The bottom half of the dialog allows you to set actions for quotas, namely
    - A warning to be issued, e.g. 900 KB
    - Stop the user sending mail, e.g. 1100 KB
    - Stop the user receiving mail, e.g. 1500 KB
  7. Click Apply then click OK


Individual limits can be set for users by double clicking on them under the Recipients branch and selecting the "Limits" tab. Under the "Information Store storage limits" section, unselect "Use information store defaults" and set explicit values for the user. Useful for your own mailbox ;-)

Now the values for the warning have been configured you must tell the system how often to warn the mailbox owner.

  1. Start the Exchange Administrator Utility
  2. Expand the organisation and site
  3. Expand Configuration
  4. Double click on the "Information Store Site Configuration"
  5. Select the "Storage Warnings" tab
  6. Select the warning level, either never, always (which is every 15 minutes) or at Selected Times.
  7. Click Apply then OK

If a client exceeds the limit they will be given warnings to the effect of

[Screenshot: Quota gone bad :-)]

If the client does not have the helpful Office Assistant enabled they will just get a normal dialog box.

A message from the "System Administrator" with the conditions of the mailbox quotas will also be sent:

Your mailbox has exceeded one or more size limits set by your administrator.
Your mailbox size is 1518 KB.

Mailbox size limits:
You will receive a warning when your mailbox reaches 900 KB.
You cannot send mail when your mailbox reaches 1100 KB.
You cannot send or receive mail when your mailbox reaches 1500 KB.

You may not be able to send or receive new mail until you reduce your mailbox size. To make more space available, delete any items that you are no longer using or move them to your personal folder file (.pst). Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit. You must empty the Deleted Items folder after deleting items or the space will not be freed.

See client Help for more information.


Q. How can I limit message sizes in Exchange?

A. Maximum size limits can be set on the Message Transfer Agent (MTA) for inter-server traffic by selecting the General tab of the MTA configuration dialog of the server. The message would then be returned to the sender in the event of the message being too large; however, for people on the same server this limit is not used.

Limits can also be set on a per user basis for all traffic:

  1. Start the Exchange Administrator Program
  2. Expand the Organisation and select the Recipients branch
  3. Select the user and select Properties from the File menu
  4. Select the Limits tab
  5. It's then possible to set outgoing and incoming maximum message sizes
  6. Click Apply then OK

[Screenshot: Limit size - Setting the maximum outgoing size to 2MB]


Q. How can I undelete mail in Outlook?

A. When you delete an item from the Outlook client (and it's been removed from the Deleted Items folder) it is actually kept on the Exchange server for a set amount of time (Exchange Server 5.5 and above only). Obviously this only applies if the mail is from an Exchange server; if you use Outlook to download from POP3, IMAP etc. this does not work. Mail can be recovered as follows:

  1. Start the Outlook client
  2. Select the "Deleted Items folder"
  3. Select "Recover Deleted Items" from the Tools menu
  4. Select the message and click the "Recover selected message" button
  5. Close the dialog
  6. The message will be added to the "Deleted Items" folder


To change the number of days Exchange stores deleted items for perform the following:

  1. Start the Exchange Administrator Program (Start - Programs - Microsoft Exchange - Exchange Administrator Program)
  2. Expand the Org, site, Configuration, Servers and select the server
  3. Select Private Information Store and select Properties from the File menu
  4. Select the General tab
  5. Under "Item Recovery" select the number of days to keep deleted items for. You can also select to not delete items until the store has been backed up
  6. Click OK
  7. Close the Exchange Administrator Program

Q. What workflow software is available for Exchange server?

A. Workflow software is a tool to manage and automate business processes such as order processing, purchasing, support and sales.

Using Microsoft Exchange Server or an SMTP/POP3 server and third party workflow software, you can easily implement powerful workflow applications that will streamline and decrease the cost of a business process.

There are several third party workflow packages available for Exchange server. A few of them are

For a complete list please go to http://www.exchangesoftware.com/ or for more information on workflow, go to http://www.workflowsoftware.com.


Q. How do you add an additional Global Address Book or another view to the global address book?

A. This would be useful so that, for example, you could separate out vendors' email addresses (internet mail) from your actual post office users.

This cannot be done easily.

You would have to create Address Book Views. This would divide the GAL any way you wanted based on criteria that you provide.

But you have to assign search rights to everyone, and if you make one mistake, NO ONE will be able to see anything in the Address lists.

Here is the procedure for setting up Container Level Search Control using Address Book Views. This allows you to create virtual Exchange Server organizations within a single Exchange Server organization or site. This is useful if you have multiple companies or departments within one Exchange Server organization and you want to prevent these companies or departments from viewing the mailboxes of other companies or departments in the Global Address List.

To set up Container Level Search Control using Address Book Views, perform the following steps:

  1. Set up an anonymous account in the properties of the DS Site Configuration object in the Exchange Administrator program. This can be any Windows NT account.
  2. Open User Manager for Domains and create Global Groups for each department or company (depending on how you wish to separate the organization). Add the respective Windows NT User Accounts to each Global Group. These will be needed for step 4.
  3. Set up an Address Book View. You can use any name for the Display and Directory names. Click the Group By tab in the properties for the new Address Book View, and choose either Company or Department for the Group items by: field (this depends on how you wish to separate the organization).
  4. Open the newly created Address Book View so that you can see the separate companies or departments listed below it. Open the properties of each of these, click the Permissions tab, and add the respective Global Group created in step 2 to the Windows NT accounts with permissions with a role of Search.
  5. In the Exchange Administrator program, click Tools then Options. Click the Permissions tab. Ensure that the two check boxes that read "Show Permissions Page for all objects" and "Display Rights for Roles on Permissions page" are checked.
  6. Open the properties of the Organization object and click the Properties tab. Add the Search right to the Exchange Service Account.

NOTE: Before changing the rights of the Exchange Service Account, make sure that at least one other Windows NT account or group has at least the Permissions Admin Role on the Organization object.

After you perform these steps, you should be able to log on to an Exchange Server mailbox. Open the Address Book and choose "Show Names from the:" Global Address List. You should only see mailboxes and/or custom recipients from the Address Book View that your mailbox is associated with.

This will not work for any mailbox whose associated Windows NT account has permissions on objects that give them inherited rights to the Address Book Views. These mailboxes will still be able to view the complete Global Address List.


Q. How do I delete a bad Schedule + message?

A. When a user's free busy information is not being published to the Schedule+ Free Busy public folder server correctly, or free busy information shows free even though a user has appointments, you may need to remove the "stuck" or corrupted messages in the Schedule+ Free Busy hidden public folder.

To resolve this, use mdbvu32 to remove the corrupt message. Mdbvu32.exe is on the Exchange Server CD in the support/utils directory.

  1. Logon as Exchange Service Account
  2. Create a TEST mailbox with the Service Account as the NT account on the same server as the Schedule+ Free Busy folder. To find the Schedule+ Free Busy HOME SERVER, open the Exchange Administrator program, expand the Organization object, expand the Folders object, expand the System Folder object and expand the Schedule+ Free Busy object. Beneath the Schedule+ Free Busy object is a list of the SITES where free busy information is being replicated from. Choose the object of YOUR site (not a replicated site). Choose File Properties of the Site Object for the Schedule+ Free Busy. At the bottom of this dialog box (General tab) the HOME SERVER will be listed.
  3. Create a profile for the TEST Mailbox in Step 2.

MDBVU32 STEPS

  1. Start the MDB Viewer by double-clicking the executable file Mdbvu32.exe from CD
  2. The MAPILogonEx dialog box will appear; click OK.
  3. The Choose Profile dialog box should appear. Select the TEST mailbox profile you created in the prior steps. Click OK. NOTE: If the Choose Profile dialog box does not appear, you are most likely already logged on to a profile. Exit and Log Off the client and profile, and re-attempt step 3.
  4. On the MDB Viewer Test Application menu, click MDB, and then select the OpenMessageStore option.
  5. In the Select Message Store To Open dialog box, select the PUBLIC FOLDER item and click the Open button. (Open Mode should default to Best Access. Leave as default.)
  6. From the MDB Viewer Test Application menu, click the MDB menu item, and click Open Root Folder.
    NOTE: 3 MAPI_E_CALL_FAILED dialog boxes will appear. Choose OK to each of these.
  7. From the Child Folders list box, double-click NON_IPM_SUBTREE. You will now see the SCHEDULE+ FREE BUSY folder.
  8. Double-Click the SCHEDULE+ FREE BUSY object.
    NOTE: 3 MAPI_E_CALL_FAILED dialog boxes will appear. Choose OK to each of these.
  9. A list of SITES will appear in the Child Folder box. (same sites mentioned in determining HOME SERVER) Example: EX:/o=Organization/ou=Site
  10. Double-click YOUR Site (not a replicated site)
    NOTE: If you cannot read the full name of the site, double click each one, one at a time, to see the full name at the top of the next screen. If you've selected the incorrect site, choose CLOSE to go back to the list of SITES.
  11. Once the correct site is double-clicked a list of the SCHEDULE+ FREE BUSY messages will appear in the CENTER "Messages In Folder" list box.
  12. Scroll to the RIGHT & DOWN to see user names. Each user should only have 1 item (message). Normally when this problem occurs the user will have 2 items (messages) listed.
  13. Once the message(s) are located for the problem user, select the message or messages (using the shift key for multiple messages) so that they become highlighted.
  14. Locate the Operations Available drop down box (located below the Messages In Folder dialog box).
  15. Use the drop down and choose lpFld --> DeleteMessages() ON SELECTED MSGS
  16. Once lpFld --> DeleteMessages() ON SELECTED MSGS is selected, click the CALL FUNCTION button.
    NOTE: The messages may still be listed in the Messages in Folder list box - this screen will not refresh unless you choose the CLOSE button and come back to it.
  17. Next Exit out of Mdbvu32.exe by choosing CLOSE 4 times which will get you back to the MDB Viewer Test Application dialog box. Choose Session from the Menu Option and then choose Exit.
  18. Have the user whose free busy is not being published logon to their client and make an appointment (this will cause free busy information to be published to the SCHEDULE+ FREE BUSY hidden public folder)
  19. Exit and logoff of the client then check the Free Busy times of the user by creating a new meeting request. The free busy information should now be visible.

If the information is still not visible, go back to step 1 on using mdbvu32 to look at the Schedule+ free busy information again and check to make sure that 2 messages don't exist. If they do, follow the steps to remove them and complete the process again.


Q. How do I link Exchange 5.5 and the Windows 2000 Active Directory?

A. The latest beta of Windows 2000 ships with the Microsoft Active Directory Connector (ADC) which replicates a hierarchy of directory objects between the Exchange Server 5.5 directory and the Windows 2000 Active Directory.

But first a potential problem:

Port 389 is used for LDAP communication, but if you are running Windows 2000 and Exchange 5.5 on the same computer then you may find Exchange has problems starting the LDAP directory service, which stops you creating the connection.

To get around this, change the port the Exchange LDAP service uses by double clicking LDAP under <Org>\<Site>\Configuration\Protocols and changing the port number, e.g. to 1020. Restart the Exchange Directory service for the change to take effect.

Exchange 5.5 with Service Pack 3 allows you to change the port used by LDAP SSL.

Also if you install Exchange 5.5 on a 2000 domain controller you must make the Exchange Server account a member of the local Server Operators group.

Back to ADC :-)

The software is under the VALUADD\MGMT\ADC directory of the Windows 2000 CD. To install perform the following on the Windows 2000 domain controller:

  1. Run setup.exe from the VALUADD\MGMT\ADC directory
  2. Click Next to the install wizard
  3. Select both the connector service and management components. Click Next
  4. You will be asked where to install. Accept the default and click Next
  5. Enter the Exchange Service account and click Next. The account will be granted the 'Audit' right. Click OK
  6. Files will be copied. Click Finish once completed

A new icon 'Active Directory Connector Management' will have been added to the 'Administrative Tools' branch.

Now we need to setup a connection agreement between the Exchange Server and the Active Directory:

  1. Start the ADC Management MMC snap-in (Start - Programs - Administrative Tools - Active Directory Connector Management)
  2. Right click on the Active Directory Connector (<machine name>) branch and select 'New - Connection Agreement'
  3. Under the General tab enter a name and select the replication direction:
    - Two-way
    - From Exchange to Windows
    - From Windows to Exchange
  4. Select the 'Connections' tab and fill in connection information as shown below:
    (Screenshot: ADC Connector)
    Notice I have both on the same machine; however, you will probably have different Exchange and Domain Controller machines.
  5. Select the Schedule tab to select how often and when to replicate
  6. Select the Deletion tab to control how deletions are handled, either delete from both directories when deleted from one or just note the deletion to a log file.
  7. Under the 'From Exchange' and 'From Windows' tab select the items to replicate.
  8. Click OK
  9. The Exchange Schema will be modified and its directory service will be stopped and restarted.

Now changes will be replicated between the Exchange and Windows 2000 directory services.


Q. What is the upgrade to large table option in Outlook?

A. Microsoft Outlook 98 has a feature, "Allow upgrade to large tables," for Personal Folder (.pst) files. This feature increases the limit on the number of folders per file and the number of messages per folder in a .pst file. The limit has been increased from approximately 16,000 folders per file and messages per folder to approximately 64,000. This upgrade is permanent and cannot be undone.

To enable the upgrade on the Internet Mail Only version of Outlook 98 perform the following:

  1. Start Outlook
  2. Right-click the Folder List, and select Properties on the context menu.
  3. Click the Advanced button.
  4. Click "Allow upgrade to large tables."
  5. Click OK and OK.

To enable on the Corporate Workgroup version:

  1. Start Outlook
  2. On the Tools menu, click Services.
  3. Click to select the Personal Folders service, and click Properties.
  4. On the General tab, click "Allow upgrade to large tables."
  5. Click OK.

Q. How can I disable the Journal in Outlook?

A. The Journal function in Outlook can be used to track document changes and openings, mail actions, meetings and task management; however, it can take up a large amount of space if not archived regularly.

If you don't want the features of the Journal, it can be disabled as follows:

  1. Start Outlook
  2. Select Options from the Tools menu
  3. Select the Preferences tab and click 'Journal Options'
  4. Unselect all boxes and click OK
  5. Click OK to the main dialog

No records will be written to the journal now.

If you want to delete all current Journal information select the Journal branch, right click on each entry type, for example Microsoft Word, and select Delete from the context menu.


Q. Internet Mail Server hangs on start-up, ID 7022, why?

A. A FAQ reader recently brought this to my attention. After changing RAS in the network applet to only dial out and rebooting the server, the NT event viewer showed an error message saying that the Internet Mail Server hung on start up (ID 7022). This occurs even if you install Exchange server to NT4 where RAS incoming call handling is disabled. The RAS setting was changed and the event was still generated.

This was resolved by re-enabling the incoming and outgoing dial access in RAS -> Network -> control applet, and then, in Control Panel -> Services, selecting RAS Connection Manager and setting it to start up as automatic, and selecting RAS Access Server and setting it to start up as automatic.


Q. How can I search my Exchange stores for virus infected messages?

A. After the problems with the recent Melissa virus, Microsoft have produced a utility which can search your Exchange store for messages which have been infected with a virus and clean them. This will not in any way prevent the virus from being introduced into the email system; you should ensure you are running anti-virus software to prevent the virus infecting your message stores.

The utility can be downloaded for Exchange 5.5 and 5.0 for both Intel and Alpha:

Exchange 5.5 Intel ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5/ISSCAN/ISSCANI.EXE
Exchange 5.5 Alpha ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.5/ISSCAN/ISSCANA.EXE
Exchange 5.0 Intel ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.0/ISSCAN/ISSCANI.EXE
Exchange 5.0 Alpha ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/ENG/Exchg5.0/ISSCAN/ISSCANA.EXE

Once downloaded, the self extracting file produces two files, ISSCAN.EXE and the symbol file ISSCAN.DBG. Copy ISSCAN.EXE to the server running Exchange (you don't need to copy the .dbg file) and use it as follows:

For Exchange 5.5

  1. Logon as an Administrator
  2. Stop the Microsoft Exchange Server Information Store server (via Control Panel - Services)
  3. Enter the command below from the command prompt (cmd.exe)
    C:\> ISSCAN -fix {-pri | -pub} -test badmessage, badattach [-c <criteria file>]
    Where the -fix parameter instructs ISSCAN to remove the messages or attachments found. Without the -fix parameter, ISSCAN will record all the messages and attachments it finds in a log file.
    The -pri or -pub parameter instructs ISSCAN to scan either the private or public information store (priv.edb or pub.edb).
    The -test badmessage parameter deletes messages from the message table determined to be bad. The -test badattach parameter deletes attachments from the attachment table determined to be bad.
    The -c <criteria file> is optional and allows you to specify which messages ISSCAN will search for. If not used, the Melissa virus will be searched for. The format of the criteria file is supplied in the readme file for ISSCAN which can be downloaded from here.

ISSCAN will create a report called either isscan.pri or isscan.pub, depending on whether you are scanning a private store or public store. This report will include the filename of each attachment that is deleted, and the sender of each message that is deleted. You can then use this information to determine the users' computers that may need extra attention.

This utility is very powerful and can be very constructive or destructive depending on how it is used. Please use with caution and consider every action twice before implementing. There is no undo so restoring a backup is the alternative if a problem occurs. It is recommended that you do not use this utility until a known good backup is secured.


Q. How do I create an Outlook vCard?

A. Microsoft Outlook supports the use of vCards, the Internet standard for creating and sharing virtual business cards. In Outlook, as well as other e-mail applications and personal information managers, you can save a contact as a vCard or save vCards sent in e-mail messages.

To create a vCard to be attached to all outgoing messages perform the following under Outlook 98 and Outlook 2000:

  1. Create a new contact in Contacts of what you want your expanded vCard to look like. Remember this will go to everyone you send mail to so don't include personal information such as home number, address unless you really want to!
  2. From the Tools menu select Options
  3. Select the 'Mail Format' tab
  4. Click the 'Signature Picker..' button
  5. Click New to create a new signature
  6. Enter a name for the signature and click Next
  7. Enter text to be displayed and click 'New vCard from Contact'
  8. Select the contact and click Add. Click OK
  9. Select the new vCard from the dropdown list and click OK
  10. Click OK to the Signature Picker
  11. Click OK to the main options dialog

All outgoing mail will now have your signature and vCard attached.


Q. How can I configure Outlook to be the default mail client?

A. Outlook 98 and Outlook 2000 will prompt you when starting to set them as the default mail client if they are not already configured as such; however, if you checked the "Don't ask me this again" box you cannot display this dialog.

To force Outlook 98 and 2000 to check, type the following:

C:\> "c:\program files\microsoft office\office\outlook.exe" /checkclient

Click Yes to the

"Outlook is not currently your default manager for Mail and News.
Would you like to register Outlook as the default manager?"

displayed message.

Clicking Yes updates the following registry entries, which you can also update manually (and will need to for older Outlook clients such as Outlook 97):

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail
  3. Double click the (Default) value and set to "Microsoft Outlook" (don't type the quotes)
  4. Move to HKEY_CLASSES_ROOT\mailto
  5. Double click the (Default) value and set to "URL:MailTo Protocol" (don't type the quotes)
  6. Double click the EditFlags value and set to 02 00 00 00
  7. Double click the URL Protocol value and clear
  8. Move to the DefaultIcon folder (HKEY_CLASSES_ROOT\mailto\DefaultIcon)
  9. Double click the (Default) value and set to
    "C:\Program Files\Microsoft Office\Office\outllib.dll",-12
  10. Move to HKEY_CLASSES_ROOT\mailto\shell\open\command
  11. Double click (Default) and change to
    "C:\Program Files\Microsoft Office\Office\outlook.exe" -c IPM.Note /m "%1"
    Alternate values (such as Lotus Notes) are:
    "C:\Program Files\notes\notes.exe"=C:\WINNT\notes.ini %1
  12. Reboot the computer

Q. How do I install a digital signature in Outlook?

A. A Digital ID, also known as a digital certificate, is the electronic equivalent to a passport or membership card. It is a credential, issued by a trusted authority, that you can present electronically to prove your identity or your right to access information. There are a number of authorities who can grant these certificates; VeriSign is the Microsoft preferred certificate provider.

To request a digital certificate perform the following:

  1. Start Microsoft Outlook
  2. Choose "Options..." from the Tools menu.
  3. Select the "Security" tab.
  4. Click on the "Get a Digital ID..." button at the bottom of the security options window.
  5. From the Microsoft web page that is displayed, click on VeriSign's "Enrol Now" icon.
  6. Fill out the enrolment form with your identifying and billing information.
  7. You will receive an email from VeriSign to corroborate your email address. Follow the instructions in this email to download and install your Digital ID on your computer's hard drive.

You can now configure Outlook via the Tools - Options - Security to attach a digital signature to every outgoing message or it can be manually added to messages individually. More information on this can be found at http://www.verisign.com/securemail/outlook98/outlook.html.

If you have multiple machines with Outlook you can install your digital certificate on them by exporting the digital certificate and then importing on the others as follows:

On the machine with the certificate installed perform the following:

  1. Start Outlook
  2. From the Tools menu select Options
  3. Select the Security tab
  4. Click the 'Import/Export Digital ID..' button
  5. Select the 'Export your digital ID to a file'
  6. Under Digital ID click Select and choose your certificate
  7. Select an area to save to and enter a password
  8. Click OK

On the other machines copy the digital ID file created and perform the following:

  1. Start Outlook
  2. From the Tools menu select Options
  3. Select the Security tab
  4. Click the 'Import/Export Digital ID..' button
  5. Select the 'Import existing digital ID from a file'
  6. Select the file the digital ID was saved to
  7. Enter the password for the ID
  8. Enter the Digital ID name, e.g. John Savill
  9. Click OK

Q. How do I create a distribution list in Outlook 2000?

A. Outlook 2000 introduces the ability to create a distribution list and populate it with people from your contacts list. To create a distribution list perform the following:

  1. Start Outlook 2000
  2. From the Tools menu select 'Address Book'
  3. In the 'Show Names from the' list, click Contacts.
  4. Select 'New Entry' from the File menu
  5. Under the entry type select 'New Distribution List'
  6. Under the 'Put this Entry' select 'In the Contacts'. Click OK

The empty distribution list will now be shown. To add members perform the following:

  1. In the name box type the name for the distribution list
  2. Click the 'Select Members' button to add people to the list
  3. Click Save and Close

Distribution lists can be identified as they are shown in bold.


Q. How can I add a disclaimer to each outgoing mail at server level?

A. You can't do this in Exchange server. You would have to use a third party application such as EMail Essentials for Exchange. To setup a disclaimer in Mail Essentials perform the following:

  1. Start-up the Mail essentials configuration
  2. Go to the disclaimer tab
  3. Switch on disclaimer and enter disclaimer text.

All outgoing mail will now include the disclaimer at the bottom.


Q. How can I block mail with certain attachments or certain words at server level?

A. You can't do this in Exchange server. You would have to use a third party application such as EMail Essentials for Exchange or Mimesweeper.

To set up the content checking feature in Mail Essentials:

  1. Start-up the Mail essentials configuration
  2. Go to the content checking tab
  3. Now you can enter:
    a. types of attachments that must be blocked
    b. mails with particular words/phrases in the subject that must be blocked
    c. mails with particular words/phrases in the body that must be blocked
  4. Any mail that is blocked is quarantined in the moderator client.

Administrators/supervisors can then check the mail and either approve or reject it.
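
The three rule types from step 3 and the quarantine decision from step 4, as an added example in Python (not Mail Essentials' own code or configuration format). The rule values, function names and sample messages are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample rules, one set per rule type (3a, 3b, 3c).
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr"}
SUBJECT_PHRASES = ["make money fast"]
BODY_PHRASES = ["confidential project"]


def _extension(filename):
    # Windows ignores trailing dots and spaces, so "setup.exe." opens as
    # setup.exe; only the last extension counts ("holiday.jpg.VBS" -> .vbs).
    cleaned = filename.strip().rstrip(". ").lower()
    return os.path.splitext(cleaned)[1]


def _text_of(part):
    try:
        return part.get_content()
    except (LookupError, UnicodeError):
        # Unknown charset label: fall back to a byte-for-byte mapping.
        return (part.get_payload(decode=True) or b"").decode("latin-1")


def check_message(raw_bytes):
    """Return the reasons a message should be held (empty list = deliver)."""
    # policy.default decodes RFC 2047 encoded subjects before matching.
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []

    subject = str(msg["Subject"] or "").lower()
    for phrase in SUBJECT_PHRASES:
        if phrase in subject:
            reasons.append(f"subject contains '{phrase}'")

    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            ext = _extension(filename)
            if ext in BLOCKED_EXTENSIONS:
                reasons.append(f"attachment '{filename}' has blocked type {ext}")
        if part.get_content_maintype() == "text":
            text = _text_of(part).lower()
            for phrase in BODY_PHRASES:
                if phrase in text:
                    reasons.append(f"body contains '{phrase}'")
    return reasons


def route(raw_bytes):
    """Blocked mail is held for a moderator instead of being delivered."""
    return "quarantine" if check_message(raw_bytes) else "deliver"


def sample_message(subject, body, attachment_name=None):
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (sample_message("Lunch", "See you at noon"),
                sample_message("Photos", "Enjoy", "holiday.jpg.VBS"),
                sample_message("Plan", "The Confidential Project starts Monday")):
        print(route(raw), check_message(raw))
```

Matching on the file name alone does not catch a renamed executable, so a filter like this complements anti-virus scanning rather than replacing it.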


Q. How can I automatically compress all outbound mail to save on bandwidth?

A. You would have to use a third party product to do this. Two of these are

1. Mail essentials (http://www.gficomms.com)
2. Max compression (http://www.centralhouse.com)


Q. What is IIS?

A. Internet Information Server (IIS) is a World Wide Web server, a Gopher server and an FTP server all rolled into one. IIS means that you can publish WWW pages and extend into the realm of ASP (Active Server Pages) whereby JAVA or VBscript (server side scripts) can generate the pages on the fly. IIS has fun things like application development environment (FrontPage), integrated full-text searching (Index Server), multimedia streaming (NetShow), and site management extensions.


Q. How do I install Internet Information Server?

A. IIS 2.0 is supplied with Windows NT Server 4.0. It can be installed at the time you install NT 4.0 by checking the "Install Microsoft Internet Information Server" box; alternatively it can be installed at a later time by performing the following:

  1. Insert the NT 4.0 Server CD-ROM
  2. Run <CD-ROM>:\I386\Inetsrv\Inetstp.exe
  3. Close all currently running programs and click OK to start the installation
  4. Select the services you want to install and click OK
  5. You will be asked for the publishing directories for FTP,WWW and Gopher. You can change or accept the defaults. Click OK to continue the installation
  6. If you selected to install ODBC drivers, a dialog box showing the SQL Server driver will be displayed; click OK to continue
  7. A message will be displayed that the installation has finished. Click OK

Internet Information Server 3.0 is supplied on the Service Pack 2 CD-ROM and as part of Service Pack 3. It is supplied as an upgrade, so you must already have IIS 2.0 installed before applying the service pack.

Internet Information Server 4.0 is now supplied with Option Pack 4 and IIS 5.0 with Windows 2000!


Q. What is Internet Service Manager?

A. If you look under Programs->Microsoft Internet Server, you will find the Internet Service Manager. ISM is used to configure and monitor IIS. With ISM you can define user connections and user logon and authentication, the home directory location for each IIS service, logging and security.


Q. What is Index Server?

A. It gives the ability to perform full-text searches and retrieve information from a Web browser. It can search HTML, text, and all Microsoft Office documents.

When started, it builds an index of the virtual roots and subdirectories on your Web server. You can select which directories and file types can be skipped.

The index is updated automatically whenever a file is added, deleted, or changed on the server.


Q. What are Active Server Pages?

A. ASP is server-side scripting. You can use ASP to create and run dynamic, interactive, Web applications. When your scripts run on the server, the SERVER does all the work involved in generating the HTML pages.


Q. How can I configure the Connection Limit?

A. This is configured using the Internet Service Manager and can be between 1 and 32,767

  1. Start the Internet Service Manager ( Start - Programs - Microsoft Internet Server)
  2. Double click on the computer whose connection limit you wish to configure
  3. Select the Service tab
  4. Enter the number of connections you want in the Maximum Connections field
  5. Click OK
  6. Stop and start the service whose limit you changed
  7. Close the Internet Service Manager

Q. How do I change the default file name?

A. The default file name is the file searched for if only a directory name is specified and can be changed by performing the following:

  1. Start the Internet Service Manager ( Start - Programs - Microsoft Internet Server)
  2. Double click on the computer name of the web server you wish to modify the default file name
  3. Click the directories tab
  4. At the bottom of the screen is an "Enable default document" check box, select this
  5. In the field enter a file name, e.g. index.htm.
  6. Click OK
  7. Stop and start the server you just updated
  8. Close the Internet Service Manager

Q. How can I enable browsers to view the contents of directories on the server?

A. By default, if you select a directory on a server and no default file name exists then an error is returned. It is possible to change this behavior so that a directory listing is displayed instead of an error:

  1. Start the Internet Service Manager ( Start - Programs - Microsoft Internet Server)
  2. Double click on the computer name of the web server you wish to modify
  3. Click the directories tab
  4. Select the "Directory Browsing Allowed" box
  5. Click OK
  6. Close the Internet Service Manager

You can only set this for the whole site, not on a per directory basis. If you want to set this on a directory basis, enable directory browsing and make sure the default file name exists in the directories you do not want people to be able to browse.
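
One way to find the directories that this advice leaves open, as an added example in Python (not part of the original FAQ or of IIS): it walks the web root and reports every directory that lacks the default document, together with what a listing would reveal. The function names and the sample tree are constructed, and it assumes URL paths map one-to-one to folders under the home directory.

```python
import os
import tempfile


def browsable_directories(web_root, default_doc="default.htm"):
    """Return [(relative_dir, [entries a listing would show])] for every
    directory under web_root that does not contain the default document."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        dirnames.sort()  # deterministic walk order
        # NTFS/FAT file names are case-insensitive, so compare in lower case.
        if default_doc.lower() in (name.lower() for name in filenames):
            continue
        rel = os.path.relpath(dirpath, web_root).replace(os.sep, "/")
        exposed.append((rel, sorted(dirnames + filenames)))
    return exposed


def build_sample_root(base):
    """Create a constructed sample web root under base (illustration only)."""
    layout = {
        "": ["Default.htm", "logo.gif"],
        "docs": ["default.htm", "manual.htm"],
        "docs/drafts": ["pricing.xls"],       # no default document
        "backup": ["site.zip", "orders.mdb"],  # no default document
    }
    for rel, files in layout.items():
        folder = os.path.join(base, *rel.split("/")) if rel else base
        os.makedirs(folder, exist_ok=True)
        for name in files:
            with open(os.path.join(folder, name), "w") as handle:
                handle.write("constructed sample\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, entries in browsable_directories(build_sample_root(tmp)):
            print(f"/{rel}: a directory listing would show {entries}")
```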


Q. How can I configure the FTP welcome message?

A. Using the IIS admin utility a welcome, end and connect refused message can be displayed

  1. Start the Internet Service Manager ( Start - Programs - Microsoft Internet Server)
  2. Select the FTP service on the machine you wish to configure
  3. From the properties menu select Service Properties
  4. Click the Messages tab
  5. Enter text in the "Welcome Message", "Exit Message" and "Maximum connections" fields.
  6. Click the Apply button then click OK
  7. Stop and restart the FTP service
  8. Close the Internet Service Manager

Q. How do I configure a virtual server?

A. It is possible using Windows NT to bind multiple IP addresses to one network card and for each IP address it is possible to run a virtual domain server. The procedure below will add an IP address, add the new IP address as a domain and setup the new IIS virtual server.

To bind an additional IP address to your network card perform the following:

  1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network)
  2. Select the Protocols tab
  3. Select TCP/IP and click Properties
  4. On the "IP Address" tab click the Advanced button
  5. In the IP Address section click Add
  6. Enter the additional IP address and subnet mask you want the machine to respond to and click Add
  7. Click OK until you leave the network control panel applet
  8. Reboot the machine

You now need to configure the DNS server to respond to the new name.com with the new IP address:

  1. Start the DNS Manager (Start - Programs - Administrative Tools - DNS Manager)
  2. From the DNS menu, select New Server and enter the IP address of the DNS Server, e.g. 200.200.200.3, and click OK
  3. The server will now be displayed with a CACHE sub part
  4. Next we want to add the domain, e.g. savilltech.com. From the DNS menu, select New Zone
  5. Select Primary and click Next
  6. Enter the name, e.g. savilltech.com, and then press tab, and it will fill in the Zone File Name. Click Next
  7. Click Finish
  8. Next a zone for reverse lookups has to be created, so select New Zone from the DNS menu
  9. Select Primary and click Next. Enter the first 3 parts of the domain IP in reverse order + in-addr.arpa as the name, e.g. if the domain was 158.234.26, the entry would be 26.234.158.in-addr.arpa; in my example it would be 200.200.200.in-addr.arpa. Press tab for the file name to be filled in and click Next, then click Finish
  10. From the DNS menu select New Host, enter the machine name and IP address, and also select the create associated PTR record option. Click Add and then Done.
  11. Next create the www.<domain>.com record. From the DNS menu select New Record
  12. Select a record type of CNAME, enter an alias name of www, and the actual host name, e.g. server.shadow.com. Click OK
  13. Exit the DNS server
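
The reverse-zone naming rule and the three records created in the steps above, as an added example in Python (not part of the original FAQ or of DNS Manager). The function names, the host name "server" and the address 200.200.200.5 are assumptions for illustration; the last function checks that every host record has its matching PTR record.

```python
import ipaddress


def reverse_zone(ip):
    """Reverse-lookup zone for the class C network holding ip: the first
    three octets reversed, followed by in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa"


def virtual_server_records(domain, host, ip, alias="www"):
    """Return {zone name: [record lines]} for the forward and reverse zones:
    the host (A) record, its associated PTR record and the www CNAME."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a bad address
    fqdn = f"{host}.{domain}."
    forward = [
        f"{fqdn} IN A {addr}",
        f"{alias}.{domain}. IN CNAME {fqdn}",
    ]
    reverse = [f"{addr.reverse_pointer}. IN PTR {fqdn}"]
    return {domain: forward, reverse_zone(ip): reverse}


def missing_ptrs(zones):
    """List the A records that have no PTR record pointing back at them."""
    a_records, ptrs = [], set()
    for lines in zones.values():
        for line in lines:
            owner, _class, rtype, data = line.split()
            if rtype == "A":
                a_records.append((owner, data))
            elif rtype == "PTR":
                ptrs.add((owner, data))
    missing = []
    for name, ip in a_records:
        expected = (ipaddress.IPv4Address(ip).reverse_pointer + ".", name)
        if expected not in ptrs:
            missing.append(f"{name} -> {ip}")
    return missing


if __name__ == "__main__":
    # Constructed sample values.
    zones = virtual_server_records("savilltech.com", "server", "200.200.200.5")
    for zone, lines in zones.items():
        print(f"; zone {zone}")
        for line in lines:
            print(line)
    print("A records without a PTR:", missing_ptrs(zones))
```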

Next update the IIS server to support the new domain

  1. Start the Internet Service Manager (Start - Programs - Microsoft Internet Server)
  2. Double click on the Computer name of the web server which will display the properties
  3. Click the Directories tab
  4. Click the Add button
  5. Enter the directory name and select the Home directory check box. Next check the "Virtual Server" box and enter the IP address you added in the first step. Click OK
  6. Click OK to close

You will now be able to browse to this domain.

Under Windows 2000 (IIS 5.0):

  1. Start the Internet Service Manager (Start - Programs - Administrative Tools - Internet Services Manager)
  2. Right click on the computer and select New - Web site
  3. Click Next to the intro wizard
  4. Enter a description and click Next
  5. Select the IP address you added and click Next
  6. Enter the path for the root directory and click Next
  7. Select Permissions. Click Next
  8. Click Finish to complete the creation.

Q. How can I administer my IIS server using a web browser?

A. IIS comes with a built in HTML version of Internet Service Manager, with an address of <server name>/iisadmin/default.htm. It does have to be installed.

To check if it's installed, start the browser and move to \iisadmin\default.htm and see if you get the Internet Server Manager page but with no graphics, e.g.

[Screenshot: IIS11.gif]

To install perform the following:

  1. Log on to the IIS server as an Administrator
  2. Start the Internet Information Server Setup (Start - Programs - Microsoft Internet Server - Internet Information Server Setup)
  3. Click OK to the first dialog and then select Add/Remove
  4. Enter the location of the setup files and click OK (e.g. d:\i386\inetsrv if d: is your NT install CD-ROM)
  5. In the options shown select the "Internet Service Manager (HTML)" and click OK
  6. The installation will continue
  7. You should now reapply your service pack if you installed from the NT installation CD. If you have IE 4.0 installed you will get a warning, click Run Program, when prompted during the installation click "No to All" for replacing newer files. Finally once the machine has finished rebooting you should run the command
    regsvr32 rsabase.dll
    Click OK to the completion box

If your default file name is not default.htm you may have a few navigation problems. If you do, just enter default.htm after any directory name.

Once you connect using a browser to the iisadmin area you may have to enter a username and password depending on the browser you use, and you can then perform actions to administer the site.


Q. How can I configure FTP to use Directory Annotation?

A. Follow the procedure below:

  1. Log on to the IIS server machine as an Administrator
  2. Start the registry editor (regedit.exe)
  3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msftpsvc\Parameters
  4. From the Edit menu select New - DWord value
  5. Enter the name AnnotateDirectories and press Enter
  6. Double click on the new value and set the value to 1
  7. You should now stop and restart the WWW server service

You now need to create a file called ~ftpsvc~.ckm in each directory where you wish the annotation. The file is just a normal ASCII format file.


Q. Only the first line of the Directory Annotation is shown.

A. This is caused if you have no welcome message. Simply add a welcome message as described in Q. How can I configure the FTP welcome message?


Q. How can I configure the amount of IIS Cache?

A. By default InetInfo, the process responsible for WWW, FTP and Gopher, uses 3MB of cache for all of the services. This cache is used to store files in memory, providing faster access than from disk. To change the amount of memory available for the cache perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters
  3. From the Edit menu select New - DWord value
  4. Enter a name of MemoryCacheSize and click Enter
  5. Double click the new value and set to the amount of memory you wish to use for the cache in bytes, e.g. 5000000 for 5MB and click OK
  6. Close the registry editor
  7. Stop and start all IIS services

If you wish to disable caching, set the value to 0; however, this could have a serious effect on performance.


Q. How do I create a virtual directory?

A. Before we describe how to create a virtual directory, it is first important to understand what a virtual directory is. For those who remember DOS, there was a command called join which allowed you to treat a different disk as a directory on the current drive. A Virtual directory is the same kind of thing, you can treat a directory or disk as a subdirectory of your web site.

For example your default web area may be c:\InetPub\wwwroot and this may be http://www.savilltech.com . If you had a subdirectory off of wwwroot called ntfaq, e.g. (c:\InetPub\wwwroot\ntfaq) you could access this as http://www.savilltech.com/ntfaq. What if I had run out of space on c: and wanted the FAQ to be on d:? You would create a virtual directory called ntfaq which would point to d:\pages\ntfaq and this procedure of creating a virtual directory is shown below.

  1. Start the Internet Service Manager (Start - Programs - Microsoft Internet Server)
  2. Double click on the Computer name of the web server which will display the properties
  3. Click the Directories tab
  4. Click the Add button which will display the Directory Properties box.
  5. In the directory type the name of the disk and directory you want the new area to point to (or click Browse to select a directory).
  6. Next select the "Virtual Directory" check box and enter the alias you want the directory to be seen as, e.g. ntfaq
  7. Click OK
  8. Click OK again and then close the Internet Service Manager application

 


Q. How to install FrontPage Extensions on Beta 2? - NT5 only

A. The FrontPage Extensions are not installed during the Beta 2 NT/IIS setup.  To install the extensions, perform the following steps:

  1. Completely remove any previous FrontPage or FrontPage Extensions installations from the server. This can be accomplished using the Add/Remove Programs control panel applet
  2. Open a command prompt and change directory to SYSTEM32
    C:\> cd %systemroot%\system32
  3. Type
    C:\> sysocmgr /i:fp.inf /n /x
    this will start the Windows NT setup for the FrontPage Extensions
  4. Ensure that the FrontPage 99 extensions are selected and click "Next"
  5. Select the location of your NT 5.0 I386 structure and click OK.
  6. The files will then be installed.

Contributed by Thomas Lee


Q. What fixes are available for IIS?

A. Microsoft have released the first NT Option Pack QFE (Quick Fix Engineering) Update but this actually only updates IIS 4.0 at this time.

The update includes every hotfix made to IIS since its release. This is a cumulative hotfix and you should only install it if you are experiencing specific problems with IIS. The new intent is to release a new fix pack about every month or so, or when appropriate. The value add here is not having to wait such a long period of time between service packs. Customers who are experiencing problems don't need to hunt down individual hotfixes any more; they just download this update and get everything.

The uninstall is very clean, so if something goes wrong, remove the fix. Something new here is letting customers know up front which DLLs are being replaced. Upon installation of the update, the file iis_hotfix.htm is dropped in the user's \inetsrv directory. This file will contain all of the information about the fix and should make it very easy for PSS to determine what version of IIS the customer is using.

Download from : http://www.microsoft.com/windows/downloads/contents/updates/ntopqfe/default.asp


Q. How do I specify more than one default document?

A. When you select a web site directory, e.g. http://www.ntfaq.com/games a default document is looked for, e.g. default.htm and this filename can be changed. With IIS 2.0 and 3.0 the default document is changed as follows:

  1. Start the Internet Service Manager
  2. Double click on the computer and select the web service
  3. Select the Directories tab
  4. At the bottom of the window is the default document, by default default.htm. You can specify multiple default documents by separating them with a comma, e.g.
    default.htm, default.asp, index.htm, index.html
    which will cause the IIS service to search for the documents in that order and display the one it finds.
  5. Click Apply then OK

With IIS 4.0 and IIS 5.0 (both via the MMC interface) the change is performed as follows:

  1. Start the Internet Service Manager (Start - Programs - Administrative Tools - Internet Services Manager)
  2. Expand the computer and select the web site
  3. Right click on it and select Properties
  4. Select the Documents tab
  5. Check the "Enable Default Document" box and click Add to add a new default name. The order of the search can be changed by clicking the up and down arrows.
  6. Click Apply then OK


Q. How can I move my IIS server to another machine?

A. In the %systemroot%\system32\inetsrv directory there is a program called "iissync". This program will transfer over all your IIS settings to the new computer, including certificates, virtual domains, and for the most part, everything you need. Just open a dos prompt, and run "iissync \\newcomputername" and wait a bit.


Q. Front Page Search Component always returns No Documents Found running IIS4 and FP 98exts, why?

A. If Index Server is installed on IIS4, Front Page will default to using that as its search engine.

If no catalog has been built with Index Server for that web, the search component will return "No Documents Found". Either index the site using Index Server, or in the frontpg.ini file (found in %systemroot%, e.g. d:\winnt) add "NoIndexServer=1", which makes Front Page default to its built-in search engine instead of Index Server.


Q. How to stop the NT4 Option Pack/Windows 2000 SMTP service from advertising 8bitmime?

A. Start a telnet session with the SMTP service (port 25) and enter "EHLO server-name". Note the presence of the keyword "8bitmime".

To disable the advertising of 8bitmime perform the following:

  1. Stop the SMTP service (use the Internet Information Services MMC snap-in, select SMTP Service, right click and select Stop)
  2. Make a copy of the %systemroot%\System32\Inetsrv\metabase.bin file
    C:\> copy %systemroot%\System32\Inetsrv\metabase.bin %systemroot%\System32\Inetsrv\metabase.backup
  3. Start a command window (cmd.exe)
  4. Insert the option pack 4 CD or the Windows 2000 installation CD (depending on what you are running)
  5. Change directory to the I386 area on the option pack 4 CD or if 2000 extract the mdutil.ex_ file from the I386 directory to a temp area
    C:\> expand mdutil.ex_ c:\temp\mdutil.exe
  6. Type the following command (after moving to the temp area if Windows 2000)
    C:\> mdutil SET -path:smtpsvc -prop:36865 -utype:UT_SERVER -dtype:DWORD -attrib:INHERIT -value:0
  7. The following will be displayed:
    36865 : [IS] (DWORD) 0x0={0}
    You're adding (or changing) a property's value. The property's ID number is 36865, and you are setting the value to 0.
  8. Use the IIS MMC to start the SMTP service.

If you now telnet to the SMTP service you will notice the 8bitmime is no longer advertised.

To reverse the process, repeat steps 1 through 4, reenter the data in step 5, but this time, change the "-value:0" to "-value:1".
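The telnet check described above can be scripted so the result is recorded before and after the metabase change. This is an added example, not part of the original FAQ: the sample replies, host names and function names are constructed for illustration. It parses the multi-line EHLO reply instead of searching for the substring, so a host name that happens to contain "8bitmime" in the greeting line does not produce a false positive.

```python
"""Check an SMTP EHLO reply for the 8BITMIME keyword (added example)."""
import socket

# Constructed sample replies, not captured from a real server.
EHLO_BEFORE = (
    b"250-8bitmime-gw.example.test Hello [192.0.2.10]\r\n"
    b"250-SIZE 2097152\r\n"
    b"250-PIPELINING\r\n"
    b"250-8bitmime\r\n"
    b"250 DSN\r\n"
)
EHLO_AFTER = (
    b"250-8bitmime-gw.example.test Hello [192.0.2.10]\r\n"
    b"250-SIZE 2097152\r\n"
    b"250-PIPELINING\r\n"
    b"250 DSN\r\n"
)


def parse_ehlo_reply(raw):
    """Return {KEYWORD: parameters} for a complete, successful EHLO reply.

    Every line must carry code 250; all lines but the last use '-' after the
    code. The first line is the greeting and is never treated as a keyword.
    """
    lines = [ln for ln in raw.decode("ascii", "replace").splitlines() if ln]
    if not lines:
        raise ValueError("empty reply")
    extensions = {}
    for index, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        if not code.isdigit() or sep not in ("-", " ", ""):
            raise ValueError(f"malformed reply line: {line!r}")
        if code != "250":
            raise ValueError(f"EHLO not accepted: {line!r}")
        is_last = index == len(lines) - 1
        if (sep == "-") == is_last:
            raise ValueError("continuation markers do not match the reply")
        if index == 0:
            continue  # greeting line: server name and free text
        keyword, _, params = text.strip().partition(" ")
        if keyword:
            extensions[keyword.upper()] = params.strip()
    return extensions


def advertises(raw, keyword="8BITMIME"):
    """True if the EHLO reply lists the keyword (case-insensitive)."""
    return keyword.upper() in parse_ehlo_reply(raw)


def read_reply(stream):
    """Read one SMTP reply (possibly multi-line) from a binary stream."""
    chunks = []
    while True:
        line = stream.readline()
        if not line:
            raise ConnectionError("server closed the connection mid-reply")
        chunks.append(line)
        if line[3:4] != b"-":  # a line without '-' ends the reply
            return b"".join(chunks)


def fetch_ehlo(host, port=25, client_name="audit.example.test", timeout=10.0):
    """Do what the telnet session does: connect, send EHLO, return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        read_reply(stream)  # discard the 220 banner
        stream.write(b"EHLO " + client_name.encode("ascii") + b"\r\n")
        stream.flush()
        reply = read_reply(stream)
        stream.write(b"QUIT\r\n")
        stream.flush()
        return reply


if __name__ == "__main__":
    for label, sample in (("before", EHLO_BEFORE), ("after", EHLO_AFTER)):
        print(label, "-> 8BITMIME advertised:", advertises(sample))
```

To check a live server you administer, pass the result of `fetch_ehlo("<server name>")` to `advertises()`.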


Q. How do I enable Index Server in Windows 2000?

A. Index Server is installed by default if you install IIS on Windows 2000. To enable perform the following:

  1. Start the Computer Management MMC snap-in on the IIS server (Start - Programs - Administrative Tools - Computer Management)
  2. Expand the Server Applications and Services branch
  3. Right click on 'Indexing Service' and select Start
  4. Click Yes to the dialog asking if it should be started whenever the computer is started

That's all, you can now configure Index Server.

By default web sites are enabled for Index Server. To change this, right click on the site in the Internet Services Manager MMC snap-in, select Properties, select 'Home Directory' and check/uncheck 'Index this resource'.


Q. How do I create a new Index Server catalog?

A. Index Server stores its information in catalogs, and you can create multiple catalogs to store different groups of information such as web sites, directories etc.

  1. Start the Computer Management MMC snap-in on the IIS server (Start - Programs - Administrative Tools - Computer Management)
  2. Expand the Server Applications and Services branch
  3. Right click on 'Indexing Service' and select New - Catalog
  4. Enter a name for the Catalog and a location
  5. Click OK
  6. You will need to stop and restart the Index Server process for the catalog to take effect

Once added you must configure the directories that need to be indexed:

  1. Again in the Computer Management MMC, expand the catalog added, right click on Directories and select New - Directory
  2. Enter the directory and select 'Yes' to Index. Click OK
  3. The change will take effect straight away

Q. I receive an Index Server error 'Query Is Too Expensive', why?

A. If the content index is out of date, and you are executing queries that must be enumerated, you will get the above error message. To fix this problem wait until the index is up-to-date (it can be monitored through the Computer Management MMC snap-in in 2000) and perform the following steps:

  1. Edit the .idq file for the query and add the line
    CiForceUseCi=FALSE
  2. Start the registry editor (regedit.exe)
  3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex
  4. Double click MaxQueryExecutionTime and set to a higher value. Click OK
  5. Double click MaxRestrictionNodes and set to a higher value. Click OK
  6. Stop and start the Index Server service

Q. I receive error 'The catalog is corrupt' when performing an Index Server search, what can I do?

A. Index Server catalog corruption can be caused by unsafe computer shutdowns, system crashes, or applications that write to or lock the catalog files while Index Server is active.

Normally, Index Server attempts to fix any corruption automatically; however, sometimes it is necessary to manually fix the corruption.

To manually fix the corruption, stop and restart the Content Index service. For Index 1.x, stop and restart the World Wide Web service. Under Windows 2000 start the Computer Management MMC snap-in, expand 'Server Applications and Services', right click on 'Indexing Service' and stop then start it. This normally causes Index Server to rebuild the catalog.

If this does not work, stop Index Server again, locate the Catalog.wci folder, and delete the contents of the folder. This manually deletes the catalog. When you restart Index Server, the catalog is re-created.

This can also occur when a file is unfilterable and the Filter Retries is set to a number greater than 4. When this happens, the information that the filter process sends to the Content Index Service (CISVS) causes the CISVS to report that the in-memory catalog information is corrupt, even though the data on the drive is fine.

To correct this, set the retry value to 4 or less:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex
  3. Double click FilterRetries
  4. Change to 4 or below and click OK
  5. Restart Index Server

Q. How can I stop hidden files etc. being returned by Index Server queries?

A. It is not possible to exclude an unreadable root or other file that is physically located below a readable root. A workaround is to append to the user’s restriction. For example, FrontPage roots can be removed by setting the CiRestriction in the .Idq file to the following:

CiRestriction=(%UserRestriction%) &! #vpath *\_vti_*.

It's also possible to exclude certain files and combine the restrictions, for example:

CiRestriction=%if FreeText eq on% $contents "%CiRestriction%" &! #vpath *\_vti_*. &! #filename *.|(txt|,hhc|,hlp|,htx|,tmp|) %else% %CiRestriction% &! #vpath *\_vti_*. &! #filename *.|(txt|,hhc|,hlp|,htx|,tmp|) %endif%

This will exclude the FrontPage specific files and any .txt, .hhc, .hlp, .htx and .tmp files.


Q. How can I control the amount of resource used by the Index service? - Windows 2000

A. Left unchecked the Index service can grab most of the CPU time leaving a computer almost unusable. To configure the service to more reasonable levels perform the following:

  1. Start the Computer Management MMC snap-in (Start - Programs - Administrative Tools - Computer Management)
  2. Expand the 'Server Applications and Services' branch
  3. Right click on 'Indexing Service' and select Stop
  4. Right click again and select 'Tune Performance' from the 'All Tasks' context menu item
  5. You can now alter the use of Index server and consequently the allotted resources
  6. Click OK
  7. Right click and select Start

Q. How can I stress test my IIS server?

A. Microsoft have a tool called 'Homer' (obviously they watch the Simpsons too much!) which can be used to stress test all aspects of an IIS server.

"Microsoft Homer is a web stress tool that is designed to realistically simulate multiple browsers requesting pages from a web application. It was developed by web testers. We have made the tool as easy to use as possible by masking some of the complexities of web server testing. This makes the tool desirable for anyone interested in gathering performance data on their web site."

It can be downloaded from http://homer.rte.microsoft.com/ along with tutorials and more information. You can also download the Replay tool which is used to reproduce request traffic as closely as possible. It is a simulation tool that can work in conjunction with stress tools such as Microsoft Homer.


Q. What is Proxy Server 2.0?

A. A Proxy Server is a system that sits between the client applications (such as Internet Explorer) and the connection to the Internet (Server) and intercepts the requests to the server to see if it can action them itself; this improves performance by filtering requests that go out to the Internet.

The Proxy Server can cache files it downloads from the Internet for a client. Using this method, if someone else asks for the same page the Proxy Server can send back the version it's holding in its cache rather than sending a request out on the Internet. Proxy servers can also act as a firewall by filtering IP traffic by port or IP address.

Proxy Server 2.0 performs the above but also has extra functions such as the Winsock proxy, for use by Winsock based clients such as Windows 95 etc., to enable IP type access even if the local network protocol used is, for example, IPX. It does this by replacing the winsock on the client machines. It can also be used to hide your network's TCP/IP configuration by allowing you to have any TCP/IP addresses on your Intranet, as only the Proxy Server's IP address is used on the Internet.

Proxy Server 2.0 also has the SOCKS proxy service for non-Winsock type clients such as UNIX based machines.


Q. How do I install Proxy Server 2.0?

A. Before you install Proxy Server 2.0 make sure your system meets the following pre-requisites

  • The machine is Windows NT Server 4.0
  • The server has at least 2 NICs (Network Interface Cards). You may have one network card connected to your network and the second adapter could be a modem or ISDN port. The server can have only one NIC, but it will then function as an 'optional' proxy, in that clients don't have to go through it to gain access, but will use it as a caching proxy server.
  • You are logged in as an Administrator account
  • TCP/IP is installed and configured
  • Service Pack 3 is installed
  • Internet Information Server 3.0 is installed and configured
  • You have an NTFS partition if you are going to use Proxy caching

Once your system meets the criteria above you can start the installation:

  1. Insert the Proxy Server 2.0 installation CD
  2. Start the Proxy Server 2.0 setup program (setup.exe from the MSPROXY directory)
  3. Click Continue to the first dialog box
  4. Write down the displayed Product ID and click OK
  5. To change the installation directory click the "Change Folder" button and move to the directory you wish to install to, e.g. e:\msp, click OK. To start the installation click the large button
  6. Select the installation options you require, all are selected by default. Click Continue
  7. The next dialog box is the caching dialog box. Check the "Enable Caching" box and select a partition and the size (only NTFS partitions are selectable). Click Set and click OK
  8. The next step is to configure the LAT (Local Address Table). This is used to specify which addresses are on your local network as well as which ones should not be used on the Internet. Enter an address range and click Add, e.g. 200.200.200.1 to 200.200.200.255. When you have entered all the addresses click "Construct Table". Accept the defaults and click OK. Click OK on the LAT dialog.
  9. Now we have to configure the Client installation part of Proxy server. By default the current machine will be selected as the Computer name. You can also configure an automatic configuration script by checking the "Configure Web browsers to use Automatic Configuration". Click OK
  10. Finally you need to choose if you will use Access Control on the Winsock Proxy service and the Web Proxy service. By default both are enabled. Click OK
  11. The Proxy server files will then be copied to the machine.
  12. Click OK to the Packet Filtering dialog.
  13. Click OK to the Proxy server installation complete box.

Q. How do I install the client for the WinSock Service?

A. There are two methods, the easiest is to use the Web based installation method. Before you start this, make sure the IIS server has default.htm as one of the default document types

  1. Start up the browser
  2. Connect to server as http://<server>/MSProxy
  3. Select the link on the line "Install the WinSock Proxy 2.0 client for Microsoft Proxy Server version 2.0."
  4. Select "Run this program from its current location" and click OK to the dialog box displayed
  5. Click Continue to the WinSock Proxy Client installation software
  6. Select the installation directory and click the large installation button
  7. Click "Restart Windows Now"

Alternatively you can run the setup manually by connecting to the Mspclnt share on the server and running the Setup.exe. The installation is as above.

Once the machine has rebooted, confirm the installation is OK by performing the following:

  1. Start the WSP Client Control Panel applet (Start - Settings - Control Panel - WSP Client)
  2. Check the proxy server is in the Server Name box
  3. Click the Update Now button. A message will be displayed. Click OK.
  4. Click the Don't Restart Windows Now button.
  5. Close the Control Panel

Q. How do I remove the client WinSock Service?

A. Just run the Uninstall program from the Microsoft Proxy Client group.


Q. How can I bypass the client Winsock?

A. There may be a scenario where the machine is taken to different locations (such as a portable taken home) and in this situation you do not want to use the WinSock Proxy client. Rather than uninstalling every time you take the machine home, you can disable it:

  1. Start the WSP Client Control Panel applet (Start - Settings - Control Panel - WSP Client)
  2. Uncheck the "Enable WinSock Proxy Client"
  3. Click OK
  4. Click "Restart Computer Now"

Once the computer has restarted it will no longer use the Proxy WinSock. To re-enable perform the above but check the "Enable WinSock Proxy Client".


Q. How do I configure an Internet Browser to use the Web Proxy service?

A. This procedure is basically the same for all browsers:

Internet Explorer 4.0

  1. From the View menu select Internet Options
  2. Click the connection tab
  3. Check the "Access the Internet using a proxy server" box
  4. Click the Advanced button and enter in the address of the proxy server in the HTTP address box, and the port (usually 80). If all protocols use the same proxy server check the "Use the same proxy server for all protocols". Click OK
  5. You will probably want to check the "Bypass proxy server for local (Intranet) addresses"
  6. Click Apply then click OK

Netscape Navigator 4.0

  1. Select Preferences from the Edit menu
  2. Expand the Advanced category and select Proxies
  3. Check the "Manual proxy configuration" and click View
  4. Enter the name of the proxy server and its port for all protocols you wish to use a proxy server for. Click OK
  5. Click OK to end the configuration

Mosaic 3.0

  1. Select Preferences from the Options menu item from the View menu
  2. Click the Proxy tab
  3. Enter the proxy server in the format http://<server>:<port>, e.g. http://proxy:80
  4. Click Apply then click OK

You need to make sure all clients are allowed to use the proxy server:

  1. Start the ISM
  2. Double click on the computer name of the Proxy Server next to the Web Proxy service
  3. Select the Permissions tab
  4. Select WWW from the protocols list
  5. Click Edit and add all users/groups who are allowed to access the proxy server and thus the rest of the internet. Click OK
  6. Click Apply then OK

Q. How do I manage the Proxy Server?

A. Proxy Server uses the Microsoft Internet Service Manager (ISM) as its management interface, so to manage your proxy server just start the ISM (Start - Programs - Microsoft Proxy Service - Internet Service Manager). In the example below we will examine which clients are currently using the Web Proxy service

  1. Start the ISM
  2. Double click on the computer name of the Proxy Server next to the Web Proxy service
  3. Select the Service tab
  4. Click the "Current Sessions" button
  5. You will see a list of connections. Click the Refresh button to get an update. As you can see you can also select the WinSock and SOCKS Proxy service by clicking its select area.
  6. Click Close when finished.

[Screenshot: Proxy Server Internet Service Manager]

You use the Internet Service Manager to stop/start/pause/continue the Proxy services. If you select a service, for example the Web Proxy Service, if it was running the Stop and Pause buttons would become active and you could then stop or pause the service and its State would change.

Double clicking on the services brings up their options. You can also hide certain types of services from the display; as shown in the diagram, I have hidden the FTP and Gopher services by unclicking their icons.


Q. How can I configure the Proxy server to automatically dial out to the ISP when needed?

A. This is configured via the Internet Service Manager, however before Proxy Server is configured we need to ensure the correct RAS services are running.

  1. Start the Services control panel applet (Start - Settings - Control Panel - Services)
  2. Select "Remote Access Autodial Manager" and click Startup
  3. Set to Disabled and click OK
  4. Select "Remote Access Connection Manager" and click Startup
  5. Set to Automatic and click OK
  6. Close the Services Control Panel applet

You need to make sure before you proceed that you have a phonebook entry for your ISP, if not you should add one before you proceed.

The WINS client has to be disabled for the Remote Access WAN Wrappers

  1. Start the Network Control Panel Applet (Start - Settings - Control Panel - Network, or right click on Network Neighborhood and select Properties)
  2. Click the Bindings tab
  3. Select Show Bindings for "all adapters"
  4. You may have several "Remote Access WAN Wrapper". For each of these perform the following
    Expand it. If there is a "WINS Client(TCP/IP)" select it and click Disable
  5. Click OK
  6. Your machine's bindings will be updated and you should click Yes to restart your computer

You can now configure the Proxy Services to autodial

  1. Start the Internet Service Manager (Start - Programs - Microsoft Proxy Service - Internet Service Manager)
  2. Double click on a computer name next to either the Socks, WinSock or Web Proxy service
  3. Click the "Auto Dial" button
  4. Select the Configuration tab and check the "Enable dialing for Winsock and SOCKS proxy" if you want the server to automatically dial for either of these. Check the "Enable dialing for Web proxy primary route" if you want dialing for the Web Proxy service.
  5. You can also select the hours that the autodial is valid for
    Note: The connection will not hang up outside these hours, it will just not initiate a new connection
  6. Click the Credentials tab
  7. Select the Phonebook entry and enter any username/password details required. I would advise creating a connection script if you have to enter logon information in a terminal window during the connection, see Q. How can I create a RAS Connection Script?
  8. Click Apply then click OK

You should now stop and start all services that will use autodial.

Any client request that cannot be locally handled will now cause the Proxy server to dial out to the internet.


Q. How can I stop and start the Proxy services?

A. There are several options available to you. The easiest is to use the Internet Service Manager, just select the service and click the stop/start button.

You can also stop the services from the command line using

net stop/start w3svc for the Web Proxy service
net stop/start wspsvc for the WinSock Proxy service
net stop/start spsvc for the Socks Proxy service

Q. How can I use the Web based Proxy Server Administration software?

A. This can be downloaded from http://backoffice.microsoft.com/downtrial/moreinfo/proxyadmin.asp and on the Intel platform will download watx86r.exe to your machine. Before you download you really need IE4.0 to get the most from it.

To install follow the procedures below

  1. Log onto the Proxy Server as an Administrator
  2. Activate the installation program (double click on it from Explorer)
  3. Click Yes to the installation dialog box
  4. Click Continue
  5. Specify the installation directory, by default it is c:\msp\msp-htm. Click Yes to create the folder and click OK
  6. Click the large installation button
  7. The installation will then stop certain IIS services and perform the installation
  8. If you have no SSL key you will be asked if you want to continue; click Continue
  9. Click OK to the next box asking about Internet Publishing
  10. The IIS services will then be started again
  11. Click OK to the Installation Completed Box

To administer the Proxy server from a browser you would connect to http://<proxy server name>/PrxAdmin. You then click the large graphic and enter in an Admin username, password and domain.

You can then perform all the normal functions via the interface.


Q. Which port does WinSock use?

A. Proxy Server 2.0 uses UDP port 1745, Proxy Server 1.0 used 9321.


Q. How can I configure the RAS Autodisconnect?

A. You may have RAS Autodisconnect configured but find it does not disconnect after the assigned time. The following may be to blame:

  1. A WinSock client is currently connected to the Internet
  2. A Web Proxy client (a web browser) is open and connected to the internet that has a refresh tag
  3. If active caching is configured on the proxy server it may be performing page fetches
  4. Other TCP/IP traffic from the internet, e.g. router messages from the ISP (ICMP and IGMP messages)

To actually change the idle timeout perform the following:

  1. Open Dial Up Networking dialog box (My Computer - Dial-Up Networking)
  2. Select User Preferences from the More button menu
  3. Disable the autodial by location by removing the check box next to "New Location"
  4. Set the idle seconds in the "Idle seconds before hanging up:" box. Click OK
  5. Choose Logon Preferences from the More button menu
  6. Set the "Idle seconds before hanging up" to be the same as that defined in User Preferences. Click OK
  7. Disable the Remote Access AutoDial Manager as explained in Q. How can I configure the Proxy server to automatically dial out to the ISP when needed?
  8. Also you can open the rasphone.pbk (in %systemroot%/system32/ras) and edit it.
  9. Find IdleDisconnectSeconds in the section of the connection you use and set to the number of seconds to disconnect (same as in Logon Preferences).
  10. If OverridePref is present set to 4, if this does not exist do not create it.
  11. Save the file

Q. How do I ban the Dilbert Zone using Proxy Server? :-)

A. Proxy Server allows you to ban certain sites and IP addresses from being visible. To ban a site (such as the Dilbert Zone which gets you listed in the "Pointy Haired Boss Index") perform the following:

  1. Start the Internet Service Manager (Start - Programs - Proxy Server - Microsoft Management Console)
  2. Expand Internet Information Server
  3. Select the server
  4. Double click on Web Proxy
  5. Select the Service tab
  6. Click the Security button
  7. Select the "Domain Filters" tab
  8. Select "Enable filtering"
  9. Select Granted by default for all sites and click Add to create exceptions, either an IP address, a group of IP addresses or a domain (e.g. www.dilbert.com). Click OK
  10. Click OK to all the dialogs
  11. Close the Internet Service Manager

Clients trying to access a banned site will receive the error shown:

Ban Dilbert (not really)

I'd just like to say I love the Dilbert Zone, I read it every day.


Q. How do I install Proxy Server 2.0 on Windows 2000?

A. Microsoft have released a Proxy Server installation add-on which has to be used to install Proxy Server 2.0 on Windows 2000/ NT 5.0 beta. The file is called msp2x86a.exe and can be downloaded from http://www.microsoft.com/proxy/default.asp.

To install perform the following:

  1. Close any Microsoft Management Consoles prior to running the Update Wizard.
  2. Run the wizard, msp2x86a.exe
  3. Click Yes to the license agreement
  4. Insert the Back Office 4.0 CD 3 and click Continue
  5. The installation will then continue as per normal.

If you are upgrading a Windows NT Server 4.0 system, on which Proxy Server 2.0 is already installed, to a Windows NT Server 5.0 system, then after installing Windows NT 5.0 Beta 2, do the following:

  1. Close any Microsoft Management Consoles prior to running the Update Wizard.
  2. Run the wizard, msp2x86a.exe
  3. Click Yes to the license agreement
  4. Insert the Back Office 4.0 CD 3 and click Continue
  5. The installation will then continue as per normal.
  6. When running the Upgrade Wizard you will be given only the option to do a fresh install although you already have a Proxy server installed. Select this option and proceed with setup; your previous configuration will be properly retained.

To uninstall Microsoft Proxy Server 2.0, use the Uninstall command on the Proxy menu. Running uninstall via Add/Remove Programs in Control Panel will fail because it searches for the installation files in the (now deleted) temporary location created by the wizard. Always back up your server before performing any actions described above.


Q. How can I create custom error messages for Proxy Server?

A. When a client receives an error from a proxy server (such as a page is not allowed) these error pages can be customised to display anything you require.

Simply place a page named as the error number (example ERROR 10060=10060.htm) in the directory C:\msp\ErrorHtmls and then Stop and Start Msproxy for it to load the new error message.


Q. Audio and Video are unavailable in NetMeeting via Proxy server, why?

A. This behavior can occur if you connect to the Internet through a proxy server using Microsoft Proxy Server version 2.0, and you have Microsoft Winsock version 2.0 installed on your computer.

To resolve this perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Audio\NacObject
  3. From the Edit menu select New - DWORD value
  4. Enter a name of "DisableWinsock2" (don't type the quotes). Press Enter
  5. Double click the new value and set to 1. Click OK
  6. Close the registry editor

Also check if the ports for sending audio and video are enabled (usually ports 1503, 1720 and 1731).

Also port 389 is used for ILS (Internet Locator Server) by NetMeeting 2.0 and port 522 for ULS (User Location Server) used by NetMeeting 1.0.

To connect to a directory server, the directory server must be functioning properly. NetMeeting directory services require either port 389 or port 522. To verify that the directory server is functioning properly, use Telnet to connect over these ports.

In summary to enable NetMeeting access through a firewall:

  • Pass through primary TCP connections on ports 522, 389, 1503, 1720 and 1731.
  • Pass through secondary UDP connections on dynamically assigned ports (1024-65535).

Q. How can I use Chat behind a Proxy server?

A. If you have packet filtering enabled Internet Relay Chat (IRC) may pause for long periods of time or fail to connect. This is caused by the Identd (Identification Protocol) being filtered out. To resolve perform the following:

  1. Open the Winsock Proxy Service Properties, and select the Service tab.
  2. Under the Shared Services section, select Security. Choose Add and select the Identd filter from the list of predefined filters.

This will allow Identd traffic to pass through instead of being discarded by the proxy packet filter driver.

Microsoft Chat uses the standard chat port (#6667).


Q. How can I remove the Active Desktop?

A. You can turn off the Active Desktop without removing it by performing the following:

  1. Right click on the desktop
  2. Select "Active Desktop"
  3. Unselect "View as Web Page" (by clicking it)

To actually remove Active Desktop completely while leaving the browser intact:

  1. Start the Add/Remove Programs control panel applet (start - settings - control panel - add/remove programs)
  2. Select "Microsoft Internet Explorer 4.0" and click the Add/Remove button
  3. Click the "Remove the Windows Desktop Update component, but keep the Internet Explorer 4.0 Web browser" option and click OK
  4. A dialog box explaining the change will be shown and you should click the "Restart Windows" button
  5. Once restarted the active desktop will have been removed

Q. How can I get past the "Active Desktop Recovery" page?

A. This can usually be fixed by deleting the desktop.htt file:

  1. Start explorer
  2. Move to %systemroot%\Profiles\<your username>\Application Data\Microsoft\Internet Explorer
  3. Select Desktop.htt and delete (it is a hidden file so you will need to change the view first View - Folder Options - View)
  4. Close Explorer
  5. Right click on the desktop and choose Refresh

Q. What keyboard commands can I use with Internet Explorer 4.0?

A. Below is a list of common keyboard commands:

Alt + Left Arrow (or Backspace)   Go Back
Alt + Right Arrow                 Go Forward
Tab                               Move to next Hyperlink
Shift - Tab                       Move to previous Hyperlink
Enter                             Move to page referenced by Hyperlink
Down Arrow                        Scroll down
Page Down                         Scroll down in greater jump
End                               Move to bottom of document
Up Arrow                          Scroll up
Page Up                           Scroll up in greater jump
Home                              Move to top of document
F5                                Refresh
Ctrl - F5                         Refresh not from cache
Esc                               Stop download
F11                               Full screen/normal toggle

Q. How can I create a keyboard shortcut to a web site?

A. It is possible to create your own keyboard shortcuts with a Ctrl + Alt + <letter> combination as follows:

  1. Start Internet Explorer
  2. Select "Organize Favorites" from the Favorites menu
  3. Right click on the link and choose Properties
  4. In the Shortcut key dialog box type the combination, any combination of Ctrl, Shift, Alt and a key that is not used
  5. Click OK

You can also use the above to create a keyboard shortcut to a desktop item by right clicking on the shortcut and choosing properties.


Q. How can I customize folders with web view enabled?

A. If you have installed the Windows Desktop Update and have the view as web page enabled (view - as web page) you can customize the folder (view - customize this folder) and then select the type (background picture or a whole HTML file) or you can change the default which is stored in a hidden HTML file (%systemroot%\web\folder.htt). You can then edit this file and change accordingly.

There is a line in folder.htt "HERE'S A GOOD PLACE TO ADD A FEW LINES OF YOUR OWN" where you can add your own links which will then appear on all folders.

There are 4 other templates you can edit:

  • controlp.htt - Control Panel
  • printers.htt - Printers
  • mycomp.htt - My Computer
  • safemode.htt - Safe Mode

As I said these are hidden so you will either need to remove the hidden attribute (attrib <file> -h) or just enter the name specifically in the edit utility you use to change these files. A word of warning, make a backup of these files before you break them :-).


Q. How can I change the icons in the Quick Launch toolbar?

A. The icons on the quick launch taskbar (Internet Explorer, Outlook Express, Show Desktop and Channels by default) are all stored in %systemroot%/profiles/<user>/Application Data/Microsoft/Internet Explorer/Quick Launch and to remove/add just add and remove the files from this directory using Explorer.

You can copy any shortcut to this directory and the update will be done straight away, no need to logoff/reboot. As you can see below I have added a shortcut for Word and Frontpage just by copying the shortcut to the Quick Launch directory, easy.

qcklanch.gif (2017 bytes)

An alternative method is to just drag a shortcut over the Quick Launch bar and it will add the shortcut for you.

All the files in this folder are shortcuts except for Show Desktop and View Channels. See the next FAQ for their contents.


Q. I have lost Show Desktop/View Channels from the Quick Launch bar, help!

A. As was discussed in the previous FAQ these icons are just files in the %systemroot%/profiles/<user>/Application Data/Microsoft/Internet Explorer/Quick Launch directory. To get the Show Desktop/View Channels icons back create the following files in the Quick Launch directory (or copy from another user)

For Show Desktop, create "Show Desktop.SCF" with the following content:
[Shell]
Command=2
IconFile=explorer.exe,3

[Taskbar]
Command=ToggleDesktop

For View Channels, create "View Channels.SCF" with the following content:
[Shell]
Command=3
IconFile=shdocvw.dll,-118

[IE]
Command=Channels


Q. How do I change the default Search Engine?

A. The URL for the Search Engine used with the Go - Search the Web is stored in the registry so this can easily be changed:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  3. Double click on Search Page
  4. Change to the search page you want, e.g. http://www.altavista.digital.com and click OK
  5. Close the registry editor

Now when you select search you will be taken to this URL. If you want to change back to the default enter http://www.msn.com/access/allinone.htm


Q. How do I remove the Internet Explorer icon from the desktop?

A. This can be done from the advanced options of Internet Explorer:

  1. Start Internet Explorer
  2. From the View menu select Internet Options
  3. Click the Advanced tab
  4. Deselect "Show Internet Explorer on Desktop"
  5. Click OK
  6. Restart the machine

Q. How can I browse off-line?

A. As you may be aware when you connect to a site the information you view is cached locally to speed up future visits to the site (the cache size can be set View - Internet Options - General - Temporary Internet files - Settings). It's actually possible to view the web using only the cache when not connected, obviously you can only view sites that are stored in the cache. To work off line:

  1. Start Internet Explorer
  2. From the file menu select Work Offline

You can then enter URLs and follow links as normal but will receive an error if you attempt to link to a site that is not cached. To stop working Offline just deselect "Work Offline"


Q. How can I reclaim wasted space by Microsoft's Internet E-mail readers?

A. Microsoft's Internet E-mail clients (both Internet Mail under IE3 and Outlook Express under IE4) waste a large amount of disk space due to the method used to store mail. The reason behind this is to improve performance, however if you do want to reclaim some of the lost space perform the following:

  1. Select one of the folders, e.g. Inbox, Outbox, Sent Items
  2. Select Folder from the File menu and select "Compact all Folders"

Also set-up Outlook to automatically delete the "Deleted Items" folder contents

  1. Select Options from the Tools menu
  2. Select the General tab
  3. Check the "Empty messages from the 'Deleted Items' folder on exit" and click OK

Q. I cannot specify a download directory when I download a file.

A. When you download a file you are asked what to do, "Open this file from its current location" or "Save this file to disk". If you take the latter option you are asked for a storage location and you then click Save. Also on the selection screen is a "Always ask before opening this type of file", if you clear this check in future any downloads of this type will be downloaded to the Temporary Internet Files folder and opened by the program associated with the file type. To undo this perform the following:

  1. Double click on My Computer
  2. From the View menu select Folder Options
  3. Select the File Types tab
  4. Select the file type you have the problem with in the Registered File Types box and click Edit
  5. In the bottom right corner is a "Confirm open after Download". Check the box so there is a tick in it and click OK
  6. Click OK again to close the "Folder Options" dialog box
  7. Close My Computer

Q. Internet Explorer opens .EXE files instead of Downloading them.

A. As in the previous FAQ if you unselect "Always ask before opening this type of file" for an executable it updates the registry so you are not asked however this can be fixed:

  1. Start the registry editor (regedt32.exe)
  2. Move to HKEY_CLASSES_ROOT\exefile
  3. Double click on EditFlags
  4. Change the 3rd pair of numbers from 01 to 00, e.g. D8070100 to D8070000
  5. Close the registry editor

For files such as WAV, MOV and AVI (ActiveMovie files) you would modify the entry HKEY_CLASSES_ROOT\AMOVIE.ActiveMovieControl.2\EditFlags to be 00000000.
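The check described above can be run across a whole registry export to find every file class that opens downloads without prompting. This is an added example, not part of the original FAQ: the export text is constructed, the function names are hypothetical, and the name FTA_OpenIsSafe for the 0x00010000 bit (the "01" in the third byte pair) comes from the Windows SDK, not from this page.

```python
import re

# FTA_OpenIsSafe in the Windows SDK's FILETYPEATTRIBUTEFLAGS. In the FAQ's
# example D8070100 it is the "01" in the third byte pair.
FTA_OPEN_IS_SAFE = 0x00010000

# Constructed sample in REGEDIT4 export format (not from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:d8,07,01,00

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\batfile]
"EditFlags"=hex:d0,04,00,00

[HKEY_CLASSES_ROOT\AMOVIE.ActiveMovieControl.2]
"EditFlags"=dword:00010000
'''

_SECTION = re.compile(r"^\[(.+)\]$")
_HEX_VALUE = re.compile(r'^"EditFlags"=hex:([0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)$')
_DWORD_VALUE = re.compile(r'^"EditFlags"=dword:([0-9a-fA-F]{8})$')


def parse_edit_flags(export_text):
    """Return {registry key: EditFlags as an integer} for keys that define it."""
    flags, key = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        if key is None:
            continue
        as_hex = _HEX_VALUE.match(line)
        as_dword = _DWORD_VALUE.match(line)
        if as_hex:
            # REG_BINARY is written byte by byte, least significant byte first.
            data = bytes(int(b, 16) for b in as_hex.group(1).split(","))
            flags[key] = int.from_bytes(data[:4], "little")
        elif as_dword:
            flags[key] = int(as_dword.group(1), 16)
    return flags


def auto_open_classes(export_text):
    """Keys whose downloads are opened without the confirmation prompt."""
    return [k for k, v in parse_edit_flags(export_text).items()
            if v & FTA_OPEN_IS_SAFE]


def cleared_hex(flags):
    """EditFlags with the bit cleared, formatted for a hex: value in a .reg file."""
    fixed = flags & ~FTA_OPEN_IS_SAFE & 0xFFFFFFFF
    return ",".join(f"{b:02x}" for b in fixed.to_bytes(4, "little"))


if __name__ == "__main__":
    parsed = parse_edit_flags(SAMPLE_EXPORT)
    for key in auto_open_classes(SAMPLE_EXPORT):
        print(f"{key}: opens after download without asking; "
              f"corrected value is hex:{cleared_hex(parsed[key])}")
```

For exefile the corrected value printed is d8,07,00,00, the same D8070000 given in step 4.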


Q. How can I change the default start page?

A. When you first start Internet Explorer it loads a page, by default this is a Microsoft page (http://home.microsoft.com) however this can be changed:

  1. Start Internet Explorer
  2. Select Internet Options from the View menu
  3. Select the general tab
  4. In the first section "Home page" enter the page you wish to be displayed when you start Internet Explorer and click Apply, then OK. If you just want a blank page click the "Use Blank" button, again click Apply then OK.
  5. Close Internet Explorer

The above just updates registry entry "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page". You could create a registry script that updates a machine's registry to set your page up as the client's Homepage. The REG script would have the following:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.ntfaq.com/"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.ntfaq.com/"

You would then setup a link on your page to the script and people would select "Open from current location". The official Microsoft image for this is

Click here to set NTFAQ as your home page. Choose OPEN FILE FROM THIS LOCATION.

(if you want it right click on it and select "Save Picture As").

I have set the above up so it sets http://www.ntfaq.com as your start page but I would advise against it ;-) If you wanted no start page, e.g. blank, set the value to "about:blank".

If you use Netscape use the following to change your default homepage

  1. Start Netscape
  2. From the Edit menu select Preferences
  3. Select the Navigator category
  4. Enter the required start page in the Home Page box and click OK

It does not store the start page location in the registry, rather in a javascript file prefs.js, which is located in the Program Files\Netscape\Users\<Netscape Profile Name> directory. The line in the file is

user_pref("browser.startup.homepage", "http://www.ntfaq.com/");

however you should not edit this file.


Q. I have forgotten the content advisor password.

A. The password for the content advisor is stored in an encrypted form and decrypting it, while possible, is too complicated for our purposes so we will instead just "reset" the password as if it had never been set.

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings\
  3. If there is a "Key" value select it and press DEL. Click OK to the confirmation.
  4. If there was not a value but was instead a sub-key ".default" move to this folder and delete the "Key" value.
  5. Restart IE and you should be able to set the password with Internet Options - Content.

Q. Where can I download IE 5.0?

A. IE 5.0 beta can be downloaded from http://www.microsoft.com/windows/ie/default.htm

Internet Explorer 5.0 does not ship with the Active Desktop so if you want Active Desktop you will need to have installed IE 4.0 Service Pack 2 with Active Desktop and upgrade to IE 5.0.


Q. How do I clear Internet Explorer's History?

A. Internet Explorer keeps a history of the sites you visit, which can be viewed by clicking the History button on the toolbar. If you wish to clear this History perform the following:

IE 4

  1. Select "Internet Options" from the View menu
  2. In the History section click "Clear History" (you can also set the number of days to keep history for)
  3. Click Yes to the confirmation
  4. Click OK to close the Internet Options dialog box

IE 5

Same as above except Internet Options is under the Tools menu

The History files are actually stored under the directory %systemroot%\Profiles\<user name>\History\History however the permissions on the files are complex so deleting manually is not advised.


Q. How can I modify IE's toolbar background?

A. The picture behind the IE toolbar buttons can be set to any bitmap you wish. To do this perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
  3. From the Edit menu select New - String Value
  4. Enter a name of BackBitmap and press Enter
  5. Double click the new value and set to the name and location, e.g. c:\images\savtech.bmp
  6. Close the registry editor
  7. Restart IE

Below is an example.

SavillTech IE


Q. How can I restore the IE animated logo?

A. Using the Internet Explorer Admin Kit it is possible to modify the small "E" logo in the top right hand corner of Internet Explorer (ISP's such as MSN do this). To restore to the default perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
  3. Select BrandBitmap and click Delete. Confirm
  4. Select SmBrandBitmap and click Delete. Confirm
  5. Close the registry editor
  6. Restart the computer

Q. Are there any Easter Eggs in Internet Explorer 5.0?

A. There are two Easter eggs I know of for IE 5.0.

  1. Open up Notepad
  2. Type:
    <!-- introducing the Trident team -->
  3. Save the file as "test.htm" (make sure you add the quotes or .txt will be added to the end)
  4. Open up "test.htm" in IE5
  5. IE5 Easter Egg #1 is shown

Internet Explorer 5.0 Easter Egg

(Actually this Easter Egg also runs on IE4.01)

Number two:

  1. Start IE5
  2. From the Tools menu, Internet Options
  3. Select the General tab
  4. Click the Languages button
  5. Click 'Add'
  6. Type: "ie-ee" (without the quotes) and click 'OK'
  7. Move "User Defined [ie-ee]" to the TOP of the list. Click OK
  8. Click OK to the main dialog
  9. Click on the Search icon (to pull up the side search menu), notice the new Search options :-)
  10. Select 'Previous Searches'

To remove ie-ee just start the Languages dialog again, select ie-ee and click Remove.


Q. How can I stop users accessing local drives via Internet Explorer?

A. If you type "C:" (or any other drive) in the Microsoft Internet Explorer address box you will be shown the contents and if proper NTFS file permissions are not in place users will be able to delete, rename, read any files on the disk. This is usually a problem if you have a locked down environment where users do not normally have access to Explorer etc (such as an Internet Cafe).

To stop the ability to view local drives from Internet Explorer perform the following:

  1. Start the registry editor (regedit.exe)
  2. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  3. From the Edit menu select New > DWORD value.
  4. Enter a name of NoRun and press Enter
  5. Double click the new value and set to 1. Click OK to close the value edit dialog.
  6. From the Edit menu select New > DWORD value.
  7. Enter a name of NoDrives and press Enter
  8. Double click the new value and set to a number representing the drives you wish to hide (explained below). Click OK to close the value edit dialog.
  9. For IE 4.01 SP1 and above perform the following steps:
    1. From the Edit menu select New > DWORD value.
    2. Enter a name of NoFileUrl and press Enter
    3. Double click the new value and set to 1. Click OK to close the value edit dialog.
  10. Close the registry editor

The NoRun setting disables viewing local files by typing a file address or URL (for example, "file://d:\") in the Address box, and also disables the Run command on the Start menu.

The NoDrives setting disables the selected drives. It is explained in 'Q. How can I hide drive x from users?'. Basically drive A is 1, B is 2, C is 4, D is 8 etc. and you add the values together. So to hide drive C and D, you would add 4 and 8 which is twelve or C in hexadecimal and set NoDrives to C (selecting Hex mode).

Additional restrictions can be applied to IE 4.01 Service Pack 2 and IE 5.0 which are described in 'Q. What additional restrictions are available in Internet Explorer IE4.01 SP2 and above?'
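The NoDrives arithmetic and the three policy values above can be produced as a REGEDIT4 script like the one used elsewhere in this FAQ. This is an added example, not part of the original FAQ: the function names are hypothetical, and it generalises the C and D case to any set of drive letters and also decodes an existing NoDrives value when reviewing a locked-down machine.

```python
import string

# Key from step 2 of the procedure above.
POLICY_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
              r"\CurrentVersion\Policies\Explorer")


def nodrives_mask(letters):
    """Drive A is 1, B is 2, C is 4, D is 8 and so on; the values are added."""
    mask = 0
    for letter in letters:
        name = letter.strip().rstrip(":").upper()
        if len(name) != 1 or name not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(name) - ord("A"))
    return mask


def hidden_drives(mask):
    """Decode a NoDrives value back into the drive letters it hides."""
    if not 0 <= mask < (1 << 26):
        raise ValueError("NoDrives only defines bits for drives A to Z")
    return [chr(ord("A") + bit) for bit in range(26) if (mask >> bit) & 1]


def lockdown_reg(letters, ie401sp1_or_later=True):
    """Build the REGEDIT4 text that sets NoRun, NoDrives and NoFileUrl."""
    lines = [
        "REGEDIT4",
        "",
        f"[{POLICY_KEY}]",
        '"NoRun"=dword:00000001',
        f'"NoDrives"=dword:{nodrives_mask(letters):08x}',
    ]
    if ie401sp1_or_later:
        # Step 9: only for IE 4.01 SP1 and above.
        lines.append('"NoFileUrl"=dword:00000001')
    # .reg files use CRLF line endings and end with a blank line.
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    print(lockdown_reg(["C", "D"]))
    print("0x0C hides:", hidden_drives(0x0C))
```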


Q. What additional restrictions are available in Internet Explorer IE4.01 SP2 and above?

A. Additional restrictions can be applied to IE 4.01 Service Pack 2 and IE 5.0 which have an updated Shdocvw.dll.

The restrictions below should be added to HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions of type DWORD value. Set to 1 to enable, 0 to disable.

NoFileOpen             Disables Open command on File menu, CTRL+O, and CTRL+L.
NoFileNew              Disables CTRL+N
NoBrowserSaveAs        Disables Save and Save As on the File menu.
NoBrowserOptions       Disables Internet Options on the View menu (disables changing browser settings).
NoFavorites            No Favorites menu, adding to favorites, or organizing favorites.
NoSelectDownloadDir    Prevents user from being able to select download folder by not displaying the Save As dialog box when a file is downloaded.
NoBrowserContextMenu   Disables HTML context menu.
NoBrowserClose         Disable ALT+F4.
NoFindFiles            Disables the F3 key.
NoTheaterMode          Disables the F11 key.

NoFindFiles and NoTheaterMode are created by default during the installation of Service Pack 2 but are of type BINARY due to limitations of .inf files. You can, if you wish, delete and recreate these as DWORD values.

Also HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions\NoToolbarOptions can be created which disables adding, removing, or moving toolbars.


Q. How can I configure proxy settings in Internet Explorer 5.0?

A. To configure LAN Proxy settings in Internet Explorer 5.0 perform the following:

  1. Start Internet Explorer
  2. From the Tools menu select 'Internet Options'
  3. Select the 'Connections' tab
  4. Click the 'LAN Settings' button
  5. By default the 'Automatically detect settings' option will be selected but this causes a large amount of polling on the network and you may wish to disable this. You can also configure the location of a configuration script.
  6. To manually configure check the 'Use a proxy server' and enter the DNS or IP address of the server and the port it uses.
  7. Click OK
  8. Click OK to the main dialog

The following registry entries can be directly updated instead:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable - Set to 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer - Set to <proxy server>:port, e.g. proxy:80
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride - When not to use the proxy server. For local set to "<local>" (don't type the quotes but do type the < and >)

Q. How can I install Internet Explorer 4.0 without adding the IE icon to the desktop?

A. Install using the following command to stop IE adding an icon on the desktop or from becoming the default browser (this will not work if you have installed the Windows Desktop Update):

C:\> IE4SETUP.EXE /C:"ie4wzd /S:""#e"" /X /R:N /Q:A /m:0"


Q. How do I use the Internet Explorer 5.0 repair tool?

A. The Internet Explorer Repair tool can be used to diagnose and possibly fix problems with Internet Explorer 5. This tool has the following features:

  • It is used to identify problems with Internet Explorer caused by the presence of files that are out of date.
  • It is used to fix problems caused by the incorrect or incomplete registration of Internet Explorer files.
  • It is used to restore or repair the desktop or Start Menu short-cuts for Internet Explorer that have been deleted or do not function properly.

To start the repair tool perform the following:

  1. From the Start menu select Settings - Control Panel
  2. Double click the Add/Remove Software control panel applet
  3. Select 'Microsoft Internet Explorer 5 and Internet Tools'
  4. Click the 'Add/Remove' button
  5. Select 'Repair Internet Explorer' and click OK
  6. Click 'Yes' to the repair confirmation

If you don't have the option in the Add/Remove Software control panel applet it can be run from the command line:

C:\> rundll32 setupwbv.dll,IE5Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g "C:\WINDOWS\IE Uninstall Log.Txt"


Q. How do I install NT Workstation 4.0?

A. The installation of NT is quite simple, and below is just a simple example of an installation of a Workstation using TCP/IP and NetBEUI connected to a Domain.

  1. Insert the first NT installation disk and boot the computer
  2. You will have to put in Disk 2 and then press Enter.
  3. You will be given a choice of options. Choose "Setup Windows NT" by pressing Enter
  4. Press Enter to Detect Hardware and you will have to insert Disk 3.
  5. When the detection is finished, if you have extra drivers to install, insert the OEM disk and press S to specify additional devices.
  6. Once all drivers have been installed read the license agreement by scrolling down using the page down key and press F8 to agree at the end.
  7. You will be shown a list of all hard disks and partitions. You can create partitions from here. Select the partition you want to install on and press enter
  8. You will be asked which file system to use. You can format FAT or NTFS. If you choose NTFS it will format it FAT and schedule a conversion later on in the installation process.
  9. Select the directory name (you can accept the default of winnt) and press enter
  10. Allow the setup program to check the hard disks for errors, press enter
  11. A number of core files will be copied to the disk and then you will have to reboot the machine
  12. Once the machine has rebooted you will now be in the graphical portion of the installation procedure
  13. Click Next for the installation procedure to check the pc
  14. Next select the type of installation, in this case I select Custom
  15. You will be asked for your name and organization (this can be changed later by editing the values RegisteredOrganization and RegisteredOwner from the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion key). Click Next.
  16. You will be asked for the CD Key which is on the back of the NT installation CD-ROM case on the yellow sticker
  17. Enter a Computer Name and click Next
  18. Enter an Administrator password and click Next
  19. Choose if you want an Emergency Repair Disk and click Next
  20. Select the components you wish to install such