Active Directory system volume placement

I came across a useful tip on the Microsoft website today, entitled “Why is placing the Sysvol directory on a separate partition a good practice?” As links like this have a habit of disappearing from the Microsoft website, I’ve reproduced the content below:

“The System Volume (Sysvol) shared directory is replicated to every domain controller in a domain by means of the File Replication Service (FRS). Here are a couple of good reasons for placing Sysvol on a separate partition:

  • Sysvol’s contents and its staging files might increase in size. Placing Sysvol on a separate partition contains the growth of the directory’s contents and prevents them from consuming space on the boot partition, thereby preventing problems with other components and performance degradation.
  • Placing Sysvol on its own NTFS partition minimizes disk I/O, thereby reducing the chances of receiving journal wrap errors. FRS uses the NTFS journal to monitor changes in the file system. The journal contains the update sequence number (USN) of the NTFS changes that are stored on each NTFS partition. If FRS can’t keep up with the pace of disk I/O or if FRS is turned off for a period of time, the USN that’s referenced in the FRS log might no longer exist in the NTFS volume journal. To help reduce the chance of the NTFS journal wrapping before FRS has replicated content, Windows 2000 Service Pack 3 increased the size of the NTFS journal from 32Mb 512Mb by default (with a maximum configurable limit of 10Gb).”

My leap into digital imaging

This is primarily a technology blog, and it just happens that most of what I work with is IT-related; however one of my hobbies is photography, something which is getting ever closer to IT with the rise in quality and lowering of the costs associated with digital imaging technologies.

Nikon Super Coolscan 4000 EDLast year I switched my film stock to transparency (mostly for it’s colour reproduction qualities) and bought myself a Nikon Super Coolscan 4000 ED film scanner. The problem has been that I’ve not found a lot of time to use it, and I have hundreds of slides to scan, edit, and print so I’ve been using a Sony DSC P8 digital camera to take quick snaps for the family album and getting postcard prints produced in a high-street store.

I found the Sony DSC P8 to be okay for slipping into my pocket when out and about, but to be honest I find it a bit small and light (prone to camera shake), and I miss the features of my film SLR (a Nikon F90x).

Until recently Nikon’s digital SLRs were unaffordable for most people other than professional photographers and my investment in Nikon lenses and accessories left me unwilling to switch to another manufacturer; however Nikon has recently taken a huge step forward with the release of the D70. It lacks some of the features I have on my F90x (in an ideal world I’d have an F5 for film and a D2X for digital), but it still offers a good price for me to make the switch to a digital SLR for the bulk of my photography and I’ll still hang on to the film camera.

Nikon D70The D70 is available as a body only, or in various kits with a lens included. I did consider the body only option, but as the smaller image sensor size effectively extends the length of all my lenses by 1.5, I would need a new wide-angle lens. Besides being a G-series lens, the AF-S DX 18-70mm f3.5-4.5G IF-ED largely duplicates my excellent AF 24-85mm f2.8-4 so I decided on the 18-35mm f3.5-4.5D IF-ED, and found an excellent deal (and customer service) at Calumet in Birmingham. First impressions are that the 18mm end of the lens seems more like 35mm on my film body (it should be 28mm), but by buying the lens as part of the D70 kit, I saved quite a lot of money and finding a dealer with a D70 in stock at the moment seems to be quite difficult (they also gave me a free Lexar Pro 512Mb 80x CF card).

Anyone considering investing in a Nikon D70 may find the following websites useful:

The Exchange Server Best Practices Analyzer (ExBPA)

The Microsoft Exchange Server Best Practices Analyzer tool (ExBPA) is designed for administrators who want to determine the overall health of their Exchange servers and topology.

The tool scans Exchange servers, identifying items that do not conform to Microsoft best practices, programmatically collecting settings and values from data repositories such as Active Directory, the registry, metabase and performance monitor. Once collected, a set of comprehensive best practice rules are applied to the topology using an XML schema and a detailed report produced listing the recommendations that can be made to the environment to achieve greater performance, scalability and uptime.

According to the Exchange Security website:

“ExBPA’s purpose is to automate some of the basic health-and-sanity checks that an experienced Exchange administrator, consultant, or PSS engineer might do when evaluating an unfamiliar environment. It’s not designed to find every possible mistake you can make (heaven knows there are plenty); instead, it’s intended to help you quickly find well-known misconfigurations and administrator errors. It checks the protocol configurations for SMTP, POP, IMAP, LDAP, and HTTP; GC/DC accessibility; hop counts and routing latency for message routing; the packet size and contents of the link state table; and basic DNS configuration stuff.

You can tweak the rules to control which specific areas ExBPA checks for, which is handy. ExBPA generates XML report files that you can parse yourself, or import into another instance of ExBPA on another machine. One output is a list of issues that the tool found – this is similar in concept to the problem report you get from MBSA, and it serves the same purpose of allowing you to quickly pinpoint and fix whatever needs fixing.”

Further details are available at the Microsoft Exchange team blog (you had me at EHLO…) and known issues are discussed on the Microsoft website.

Windows XP SP2 support tools

The support tools for Microsoft Windows XP are intended for use by support personnel and experienced users to assist in diagnosing and resolving computer problems. They are found in the \support\tools folder on the Windows XP installation CD. With the release of Windows XP service pack 2, some of these tools have been updated. Full details may be found on the Microsoft website.

New commands in recent Windows releases

This morning, I discovered a new command in Windows XP (and Windows Server 2003) – systeminfo.exe allows an administrator to query a local or remote computer for basic system configuration information.

Additionally, the TweakXP.com website suggests a useful method of restricting the output from systeminfo.exe so that only certain information is displayed, by piping it through find.exe. Deepak Sharma posted similar information on his weblog, but also points towards Microsoft’s uptime reliability and availability information tool (uptime.exe), a Windows NT download (that also works on XP).

After some more research, I found that systeminfo.exe is just one of a few new commands in recent versions of Windows and full details may be found in the %windir%\help\ntcmds.chm file.

Shelling out to a command prompt from within an Office application

Earlier today I needed to shell out to a command prompt from a locked-down desktop PC. With only a limited set of icons and no access to the Run dialog from the Start Menu, I asked a colleague if he knew any back doors in the client build. He showed me this neat method for shelling out to pretty much anything you like from within an Office application:

  1. Open Microsoft Word, Excel, Outlook or another application that supports Microsoft Visual Basic for Applications (VBA).
  2. Select Macro, then Visual Basic Editor from the Tools menu (or type Alt-F11).
  3. Select Module from the Insert menu and enter the following code in the Module window:
    Sub Main()Dim x
    x = Shell("cmd.exe")
    End Sub
  4. Select Run Sub/User Form from the Run menu (or type F5) and a new instance of cmd.exe will be launched.

The security implications of this could be severe, but as an administrator it’s a useful trick to know.

Priority order for the application of GPOs

The group policy management console (GPMC) integrates group policy functionality from a variety of Active Directory administrative tools into a single, unified console dedicated to group policy management tasks. One of the many useful features of GPMC is the ability to carry out group policy modelling, for example when diagnosing issues with GPO application.

Policies are applied in the following order:

  1. Local
  2. Site
  3. Domain
  4. Organizational unit (OU)
  5. Child OU
  6. [Child OU etc.]

When a container (site, domain or OU) has links to multiple GPOs, these can be assigned a link order to designate an order of precedence. Sounds straightforward enough, except that to me, the term “link order” suggests the order in which links to GPOs are applied – i.e. 1, then 2, then 3, etc. In that way, if GPO a (with link order 1) is overridden by a setting in GPO b (with link order 2), then GPO b (second to be applied) would be the winning GPO. Except that it doesn’t work that way!

Microsoft’s Group Policy Management Console Technical Reference provides a full description of how GPMC can be used, and provided me with a gem of information that seems to me totally illogical, but solved a problem I’ve been struggling with this afternoon:

“When a container has multiple GPO links, administrators can use GPMC to manipulate the link order for every container. GPMC assigns each link a link order number; the GPO link with link order of 1 has highest precedence on that container.”

The GPO with link order 1 has the highest priority – i.e it is applied last! I switched the policy link order and now the resultant set of policies is exactly the way I need it to be.

SP1 for Windows SharePoint Services and SharePoint Portal Server 2003

Microsoft has two information sharing and collaboration platforms for Windows Server 2003:

Service pack 1 has been released for each of these platforms and is available from the Microsoft website (WSS, SPS). SPS SP1 requires WSS SP1 to have been installed. Once installed, neither of these updates can be removed.

Full details of WSS SP1 are available in Microsoft knowledge base article 841876. Similarly, full details of SPS SP1 are available in Microsoft knowledge base article 841883.

Note that if multiple WSS servers are being used in a web farm, these should all be updated to SP1 at the same time as described in Microsoft knowledge base article 875358. For SPS, see Microsoft knowledge base article 875371.

The Windows SharePoint Services Administrator’s Guide has been updated for SP1 and there is also a SharePoint Portal Server Administrator’s Guide.

Migration tool for IIS web applications

Microsoft have released the Internet Information Services (IIS) 6.0 Migration Tool – a command line tool to automates several of the steps involved in migrating a web application (configuration data, site content, and application settings) from IIS 4.0, IIS 5.0 or IIS 6.0 to a clean installation of IIS 6.0.