Useful operational advice on the Microsoft website

This content is 19 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Finding information on the Microsoft website is not always easy, but there is some good stuff buried deep there. Like the Windows Server 2003 TechCenter, with topics including:

For anyone looking at developing a set of operational procedures, the Active Directory product operations guide is worth a look. Drill down through this, and it goes right down to the level of commands/clicks in the detailed procedures (e.g. back up system state and the system disk). Other product operations guides are linked from the Microsoft management and operations page for both core products (AD, DHCP, DNS, file, print, WINS) and server application products (Exchange Server, MOM, SMS, SQL Server).

Why consultants should leave hardware alone…

Today has not been a good day for me and computer hardware.

It all started a couple of weeks back, when I dropped the bag in which I carry the Dell Latitude D600 that I use for work. When I took the computer out of the bag, I had cracked the case on the edge of the screen, although everything was still working. Of course, this type of damage is not covered by warranty (and I can hardly blame Dell on this one) but when I e-mailed the internal support department they had an identical computer over which a colleague had spilt red wine. So, it should just be a case of swapping over the screens and my laptop will be good as new – or that’s what I thought…

Once I put it all back together, I powered on the computer and… smelt burning electronics, combined with wisps of smoke from the motherboard. So that was the end of laptops 1 and 2.

The guys in internal support are helpful (and do have a sense of humour); luckily they had a spare D600 which was working, although the previous user had reported a problem with the display that no-one had managed to look at yet. I slid my original hard disk into the spare unit and it all fired up. Windows Server 2003 plug and play detected a hardware change (just a different wireless network card) and I was away – except that the display switched off after a few minutes, and attaching an external monitor didn’t make any difference. After half an hour on the phone (during which I reseated the monitor connector and restarted the computer several times, with the screen going blank on each occasion after varying lengths of time) I managed to convince Dell that a new motherboard was required and they are dispatching an engineer in due course. In the meantime, I need a computer to work with and so, on to laptop number 4, on which I am typing this post (it has a dodgy trackpad and the DVD drive makes some funny noises, but I can live with that for a few days).

Now, the combination of my recent iPod purchase (so far I’ve managed to rip about a sixth of my CD collection and I’m up to 11Gb of MP3s) and my hobby as a photographer (over 2000 6-megapixel images in the last 6 months) means that I have run out of hard disk space on my home PC, so this morning I bought a 250Gb Seagate Barracuda hard disk from RL Supplies. I was understandably a bit nervous about installing new hardware after the debacle which destroyed 2 laptops and disabled one more – my IT Manager suggested I look out for at least two pairs of magpies on the way home, hang a horseshoe over the door, get hold of some lucky heather and find a four-leaf clover before even opening the case.

I quickly hooked up the new disk and then, armed only with an MS-DOS boot disk and a copy of Symantec Ghost, I cloned my old disk onto the new one in half an hour. Then I removed the original disk, rebooted and after a quick restart to let Windows XP sort itself out once it had detected the hardware change I was away again with a 625% increase in capacity.

Phew! Now I think I’ll stick to software for a while…

Troubleshooting group policy

I picked up the following advice for troubleshooting application of group policy objects (GPOs) from John Howard at a recent Microsoft TechNet UK event and thought it might be useful if I posted it here:

  1. Is the client operating system Windows 2000 or later? Group policy is not available with legacy clients.
  2. Are computer and user accounts valid in the Active Directory (AD) domain? Group policy is not available with NT domains.
  3. Are the accounts in the correct organizational unit (OU)?
  4. Can clients access the sysvol share on the domain controller? GPOs are partly stored in AD, but also within sysvol.
  5. Is AD replicating correctly? AD information and sysvol information are replicated via the file replication service (FRS).
  6. What is the connectivity like between the client and the nearest domain controller? It may be useful to know that slow link detection relies on ICMP; if ICMP is disabled then this may cause some issues (further information is contained in Microsoft knowledge base article 816045).
  7. Have changes been made to the default policies that may be causing issues? Microsoft recommends that the default policies are not changed; instead, new policies should be created to override the defaults (policy precedence is discussed in the priority order for the application of GPOs post from September 2004).
  8. Check DNS. Microsoft UK claims that 50% of the GPO calls received by its product support services (PSS) division are actually DNS issues.

If none of the above resolves the issue, then the problem is likely to be with a GPO itself, and there are several tools available to assist with diagnosing this. The group policy modelling wizard and group policy results wizard (which includes WMI filtering) are both included within the group policy management console (GPMC), a free download from Microsoft which also provides reports on policy settings (discussed in the new features of Windows Server 2003 Active Directory post from February 2005). GPMC makes use of the resultant set of policy (RSoP) service to ascertain the policies that would have been applied. Although it is an older utility, the gpresult.exe command line tool (along with gpupdate.exe) is extremely useful for diagnosing the application of GPOs.

Troubleshooting DNS on a Windows server

Earlier today, I blogged about some of the tools that are available for monitoring Active Directory (AD) enterprise replication and troubleshooting Windows authentication. Given that AD is so heavily reliant on the domain name system (DNS), it seems logical that I also list some of the tools available for monitoring and troubleshooting DNS issues.

The first port of call is the Windows version of the original Unix DNS lookup tool (nslookup.exe). Typing nslookup at a command prompt enters the nslookup shell, from where issuing the help command will list all of the available options.

The DNS server troubleshooting tool (dnscmd.exe) is a support tool for Windows 2000 Server and Windows Server 2003 (available on the Windows installation media) which allows administration of DNS from a command prompt. It extends and replaces the earlier dnsstat.exe tool provided as part of the Windows NT resource kit. It can display and change the properties of DNS servers, zones and resource records, manually modify properties, create and delete zones and resource records, and force replication events between the DNS server's in-memory state and the DNS databases and data files. Some operations of the tool work at the DNS server level while others work at the zone level. Simply type dnscmd for usage information.

DNS has its own set of performance counters available under the performance monitor DNS object.

The domain controller diagnostic tool (dcdiag.exe) checks DNS functionality as part of its diagnostic tests but the command to specifically test DNS registration (which does not need to be run from a domain controller) is dcdiag /test:registerindns /dnsdomain:domainname.

The network connectivity tester (netdiag.exe) helps to isolate networking and connectivity problems by performing a series of tests to determine the state of a network client. Searching the output for “DNS test” will give the DNS-specific results. Type netdiag /? for usage information.

DNS debug logging may be set in the DNS server properties and creates a log file at %systemroot%\system32\dns\dns.log for further diagnosis of DNS activity.

Finally, the dnslint.exe support tool allows verification of DNS records for a specified domain name to help diagnose potential causes of incorrect delegation and other common DNS problems, producing an HTML report. Usage information can be obtained by issuing the dnslint /? command.

Monitoring Active Directory enterprise replication

Unlike Windows NT domains, Active Directory (AD) domains have multiple masters and so all domain controller servers must be kept up-to-date with directory modifications made at other domain controllers. AD uses two forms of replication between domain controllers – directory replication is used for directory objects (users, computers, groups, etc.) and the file replication service (FRS) replicates sysvol items (login scripts, policies, etc.).

Microsoft provides a number of free tools for monitoring and troubleshooting the FRS and at a recent Microsoft TechNet UK event, John Howard demonstrated the sonar and ultrasound tools so I decided to dig a bit deeper into their potential use.

As described in Microsoft knowledge base article 815473, the FRS cannot propagate files that are open while the propagation code is running. So, if files in the sysvol directory or files hosted with the distributed file system (DFS – which also uses the FRS) aren’t being replicated, it may be because a user or an application has the files open (e.g. a virus scanner, a disk optimisation tool, or a user profile). When the system encounters sharing violations in either of these situations, it doesn’t post an error message in the FRS event log stating that the file or files to be replicated were open and couldn’t be propagated, so there is a lack of diagnostic information about what went wrong.

The sonar utility (sonar.exe – taken from the Windows 2000 Server resource kit) can help troubleshoot file-sharing violations and other replication problems. Sonar monitors key replication statistics, including traffic levels, backlogs, and free space, providing feedback about any issues and optionally logging to a comma-separated value (.CSV) file.

Sonar is effectively a cut-down version of the ultrasound utility, which installs WMI providers on the replica members in an organisation and effectively acts as a domain controller replica itself. The WMI providers gather FRS status information, which is polled and collected by the ultrasound controller (the service component of the tool) and pushed into its own database for analysis. By using the user interface portion of ultrasound, known as the console, administrators can configure ultrasound to alert them by e-mail of serious problems and use an incident log to keep track of changes or tasks they performed in response to alerts. Ultrasound can also be used to propagate test files.

Other tools include:

  • The file replication service diagnostics tool (frsdiag.exe), which provides a graphical interface to help troubleshoot and diagnose problems with the FRS, gathering snap-shot information about the service, performing automated tests against that data, and compiling an overview of possible problems that may exist in the environment.
  • ntfrsutl.exe, shipped with Windows Server 2003 and part of the Windows 2000 Server resource kit, which provides a snapshot view of the FRS internal state, dumping the internal tables, thread and memory information for the FRS. It runs against local as well as remote servers, but to access the internal information the logged-in user must have the required access on the following registry keys on the target server:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Access Checks\Get Internal Information (Full control).
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Access Checks\Get Ds Polling Interval (Read).
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Access Checks\Set Ds Polling Interval (Full Control).

The FRS monitoring and troubleshooting tools also include a MOM management pack for the FRS, an FRS monitoring help file and both reporting and scripting packs for Ultrasound.

For directory replication there are two tools of particular use, both of which are available as support tools for installation from the Windows Server 2003 media:

  • replmon.exe is the AD replication monitor, which allows an administrator to view the status of AD replication, to view the replication topology in a graphical format and to force replication between domain controller servers. Specifically, the AD replication monitor can be used to:
    • See when a replication partner fails.
    • View the history of successful and failed replication changes for troubleshooting purposes.
    • View the properties of directory replication partners.
    • Create applications or scripts to extract specific data from AD.
    • View a snapshot of the performance counters on the computer, and the registry configuration of the server.
    • Generate status reports that include direct and transitive replication partners, and detail a record of changes.
    • Find all direct and transitive replication partners on the network.
    • Display replication topology.
    • Poll replication partners and generate individual histories of successful and failed replication events.
    • Force replication.
    • Trigger the knowledge consistency checker (KCC) to recalculate the replication topology.
    • Display changes that have not yet replicated from a given replication partner.
    • Display a list of the trust relationships maintained by the domain controller being monitored.
    • Display the metadata of an AD object’s attributes.
    • Monitor replication status of domain controllers from multiple forests.
  • repadmin.exe is the replication diagnostics tool, which assists administrators in diagnosing replication problems between domain controllers by allowing administrators to:
    • View the replication topology as seen from the perspective of each domain controller.
    • Manually create the replication topology (although in normal practice this should not be necessary, as the KCC usually manages the replication topology for each naming context).
    • Force replication events between domain controllers.
    • View both the replication metadata and up-to-dateness vectors.
    • Monitor the relative health of an AD forest using the replsummary, showreps, showreps /csv, and showvector /latency operations to check for replication problems.

In the case of directory failure, some of the troubleshooting tools available include:

  • dcdiag.exe – a support tool used to analyse domain controllers across the forest.
  • netdom.exe – a support tool which can help in verifying domain trust relationships and replication credentials.
  • ntdsutil.exe – provided with Windows 2000 and Windows Server 2003 for AD database maintenance, management of FSMO roles and clearing out unnecessary metadata (beware that this is an extremely powerful tool and should be used with care).

Troubleshooting Windows authentication with the Microsoft account lockout and management tools

A few weeks back I was at a Microsoft TechNet UK event where John Howard demonstrated the free tools provided by Microsoft to troubleshoot and diagnose account lockout and management issues for Windows NT, 2000 and 2003:

  • acctinfo.dll (also included with the Windows Server 2003 resource kit tools) is installed using the regsvr32 acctinfo.dll command and extends the functionality of the Active Directory users and computers MMC snap-in, with an Additional Account Info page on the user object properties to assist in isolating and troubleshooting account lockouts and to change a user’s password on a domain controller in that user’s site. This extra page contains a variety of information, including:
    • The last time the password was set.
    • Domain password policies.
    • Password expiration date.
    • Lockout status.
    • Last good and bad logons.
  • alockout.dll can be used to create a log file to assist in diagnosing the cause of account lockout problems. It should be copied to the %systemroot%\system32 folder on the computer experiencing the lockout problems (usually a user’s workstation) and the appinit.reg script run to add alockout.dll to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs key. Once the computer is restarted and an account locked out, a log file called alockout.log will be created in the %systemroot%\debug folder. This tool should not be used on servers that host network applications or services (in particular it should not be used on Exchange servers, because it may prevent the Exchange store from starting).
  • aloinfo.exe displays the password age for user accounts to allow determination of accounts which are about to expire in order to anticipate problems before they occur. It is a command prompt tool, with two options:
    • aloinfo /expires /server:servername returns a list of user names followed by the age of their password.
    • aloinfo /stored returns a list of services and the accounts used as well as mapped drives for the currently logged on user.
  • enablekerblog.vbs can be used as a startup script to enable Kerberos logging (as described in Microsoft knowledge base article 262177) on all clients running Windows 2000 or later (it actually sets HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Parameters\LogLevel to 1, which once removed will disable Kerberos logging). When looking at Kerberos authentication issues, it is worth checking to see that the Kerberos key distribution center service is started on all domain controllers, that time synchronisation is working correctly from the PDC emulator at the root of the forest down to all client machines (Kerberos authentication will fail if the time is skewed by more than 5 minutes by default), and that both Kerberos and LDAP have service location records defined in DNS (check with nslookup _kerberos._udp.domainname and nslookup _ldap._tcp.domainname).
  • eventcombmt.exe (also included with the Windows Server 2003 resource kit tools) searches event logs on multiple computers and collects event records matching specified criteria (useful for gathering specific events from event logs on several different computers to one central location).
  • lockoutstatus.exe (also included with the Windows Server 2003 resource kit tools) determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. It can be useful in identifying if lockout problems are arising from Active Directory replication issues, as typically this means there will be two or more entries for different domain controllers.
  • nlparse.exe can be used to extract and display desired entries from the netlogon log files generated by lockoutstatus.exe or alockout.dll, parsing the logs for specific return status codes and directing the output to a comma-separated value (.CSV) file. It is also possible to enable netlogon debug logging with the nltest.exe Windows support tool, or via the registry, as described in Microsoft knowledge base article 109626.
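The kind of filtering nlparse.exe performs, shown here as an added Python example that is not part of the original post or of Microsoft's tools: it extracts the return status from each SamLogon line of a netlogon log, names the NTSTATUS codes that matter when chasing a lockout, and counts bad-password attempts per source machine so the workstation generating them can be identified. The log lines are constructed for the example; the status codes are the standard NTSTATUS values.

```python
import csv
import io
import re
from collections import Counter

# NTSTATUS values to look for when tracing a lockout (from ntstatus.h).
STATUS_CODES = {
    "0x0": "STATUS_SUCCESS",
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC000006F": "STATUS_INVALID_LOGON_HOURS",
    "0xC0000071": "STATUS_PASSWORD_EXPIRED",
    "0xC0000072": "STATUS_ACCOUNT_DISABLED",
    "0xC0000193": "STATUS_ACCOUNT_EXPIRED",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample in the style of a domain controller's netlogon.log;
# these are not real log entries. "Entered" lines carry no status.
SAMPLE_LOG = r"""
03/01 09:12:01 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from \\WKS01 Entered
03/01 09:12:01 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from \\WKS01 Returns 0xC000006A
03/01 09:12:03 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from \\WKS01 Returns 0xC000006A
03/01 09:12:05 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from \\WKS01 Returns 0xC000006A
03/01 09:12:07 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from \\LAPTOP07 Returns 0xC0000234
03/01 09:13:10 [LOGON] CORP: SamLogon: Network logon of CORP\abrown from \\WKS02 Returns 0x0
03/01 09:13:12 [LOGON] CORP: SamLogon: Network logon of CORP\nobody from \\WKS03 Returns 0xc0000064
"""

# Matches only the lines that carry a "Returns <status>" result.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?P<dc>[^:]+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from \\\\(?P<source>\S+) "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

FIELDS = ["ts", "dc", "kind", "account", "source", "status", "status_name"]


def parse_netlogon(text):
    """Return one dict per SamLogon line that reports a status code."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # Normalise the hex digits so upper/lower-case logs compare equal.
        rec["status"] = "0x" + rec["status"][2:].upper()
        rec["status_name"] = STATUS_CODES.get(rec["status"], "UNKNOWN")
        events.append(rec)
    return events


def filter_status(events, *names):
    """Keep only the events whose status name is one of those given."""
    return [e for e in events if e["status_name"] in names]


def bad_password_sources(events):
    """Count STATUS_WRONG_PASSWORD per (account, source machine). The machine
    with the highest count is usually where the stale credential lives
    (a cached password, a service, a scheduled task or a mapped drive)."""
    bad = filter_status(events, "STATUS_WRONG_PASSWORD")
    return Counter((e["account"], e["source"]) for e in bad)


def to_csv(events):
    """Serialise the parsed events as comma-separated values, as nlparse does."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for e in events:
        writer.writerow(e)
    return buf.getvalue()
```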

Links

Implementing and troubleshooting account lockout (WindowSecurity.com).
Microsoft account lockout and management tools.

Migrating from a Novell NetWare environment to the Windows Server System

In my last job, I managed the migration of a major fashion design, marketing and retail company’s European business from Novell NetWare and GroupWise to a Microsoft platform. With a limited budget (none) for migration tools, only free utilities could be used, and it worked, but was restrictive. This post discusses some of the alternatives that are available, based on a presentation from Microsoft’s Steve Plank at the IT Forum highlights event back in January.

NetWare has always been good at file and print, directory services, and management but traditionally it has lacked an application platform (although that is changing with Novell’s adoption of SuSE Linux) so many organisations have implemented Microsoft applications such as Exchange Server and SQL Server. Depending on the application, this may lead to a requirement for Active Directory (AD), and once the Windows servers for AD are in place, then it seems logical to provide file and print, or web services from the same infrastructure (IT Week recently reported that even Novell concedes that it has been losing between 12 and 15% of NetWare users every year for the last 4-5 years). This leads to a number of challenges around migration and interoperability. For many organisations, there is simply too big an investment in the existing environment to dump it all and move to a new platform, and so interoperability is a must; however by moving away from a mixed environment, support (and licensing) costs can be reduced, and the existing NetWare Directory Services (NDS)/eDirectory experience can even be used in planning the AD design.

There are a number of tools available to assist organisations with a migration to the Windows server system, the first of which is Microsoft Services for NetWare (SFN). Formerly chargeable, but now available as a free download, SFN provides:

  • File migration utility, which migrates files, preserving access controls (with some limitations as NetWare file attributes do not map directly onto the NTFS file system).
  • File and Print Services for NetWare, making a Windows server appear as a NetWare box (although only supporting the IPX transport and NetWare 3.x bindery mode – from v5.03 of SFN onwards, file and print services for NetWare have been removed and are now available as a separate download).
  • Microsoft directory synchronisation services for NetWare (MSDSS), which provides 1- or 2-way synchronisation between NDS versions 4.x-6.x and AD; however there are some schema extensions required (which may or may not be desirable) and the Novell NetWare 32-bit client (v4.9 SP2) must also be installed (on a domain controller).

Third-party tools are also available (e.g. from Quest Software, who bought the previous Fastlane product set) and Microsoft is said to be producing solution accelerators to assist organisations in the transition.

It is important to bear in mind that data can co-exist in the two environments and that a migration is really a file copy. Therefore it is important to decommission old copies of data, to prevent two copies from being altered by users on different systems.

On the interoperability front, besides the gateway services for NetWare (GSNW) Windows server component (and client services for NetWare in Windows client operating systems), there is Microsoft Identity Integration Server (MIIS), which provides directory synchronisation, password management and user provisioning, or SFN can be used as a short term fix.

Implementing MSDSS for one-way synchronisation from AD to NDS is good if AD is the focal point for management (e.g. as a short-term strategy until a move to AD can be completed), but is probably not sustainable in the long term. Two-way synchronisation allows both directories to be managed. There are some “gotchas” though:

  • Synchronisation is not real time – it works on a schedule, with an agent on the Windows side performing a push/pull operation.
  • More significantly, whilst AD does allow MSDSS to store passwords using reversible encryption, using a key which is only known by MSDSS, passwords cannot be passed from AD back to NDS as there is no reversible encryption option.

The file migration utility is actually a cut-down version of the Fastlane product, supporting NetWare versions 4.x, 5.x and 6.x as well as eDirectory 8.7.3. It preserves user permissions and provides some limited logging capabilities (although for reporting, the full product is required). Some considerations when using the tool include:

  • Data volumes (i.e. can all the data be physically migrated in the time available) – consequently, it may be appropriate to perform a trial run, then to migrate users and data in small volumes (scheduled for quiet times). One advantage of the migration may be the opportunity to consolidate several smaller servers into one.
  • Drive letters in document links – many Office applications convert drive letters to UNC paths when saving documents. If the server location changes, then the link will be broken, although tools are available to assist in modifying this.
  • Encryption – encrypted files will need to be decrypted before they can be migrated.

There may also be migration considerations such as directory restructuring, removing the NetWare client from workstations and changes to login scripts, so whilst the free tools will be of use to many organisations, those enterprises with more than about 2000 users may wish to make use of third party tools. Quest Software’s NDS Migrator handles both object and data migration (together or as separate operations), with a central console for management which makes use of a mapping database to store metadata (either SQL Server or MSDE – although MSDE is limited to 2Gb in size).

NDS Migrator is able to deal with a number of complex scenarios, as well as supporting the saving of configuration options (for a repeatable migration). Security principals are examined first, before attempting file migration, based on a file scan (during which information is written to the mapping database) and then finally a migration which uses the information from the database.

In NDS, a container is a security principal; whereas in AD, it is well known that an OU is not a security principal and so cannot be granted permissions. Instead, NDS Migrator creates global groups in AD called container permission equivalent groups (CPEGs), which correspond to an NDS container and are always named with a $ prefix.

NDS allows common names to be duplicated in different parts of the directory tree, whereas AD common names must be unique. NDS Migrator handles this with pre-migration mapping and planning (identifying intra-NDS naming conflicts and remapping accordingly), as well as allowing for flexible migration (e.g. moving files to a new location), with a pre-migration file scan, Macintosh file support and a multi-threaded copy engine (the version in the SFN file migration utility is single-threaded).

Attribute mapping is supported, such that if NDS has been extended with additional attributes, these can be created in AD. It also handles the differences between NetWare and Windows file system permissions and file ownership (as NDS allows files to exist without an owner, but Windows does not).

It may be of interest that not all of Quest’s tools are available for purchase – some are only available to Quest’s professional services organisation, including NDS reporter (used to assess the NDS environment), workgroup migration tools, and a tool to remove the Novell NetWare client from Windows 2000 and XP clients.

In summary, there are many tools available to assist with the migration from NetWare to Windows and, as with any migration, the key to success is in the planning. With careful preparation and by becoming familiar with the tools that are available, administrators may be confident in performing a successful migration.

Links

Novell NetWare to Windows Server 2003 migration planning guide (Microsoft).
Quest NDS Migrator.

(Since I wrote the original notes for this post, the Microsoft TechNet Industry Insiders blog has carried another article on NDS Migrations, contributed by Darren Catteral from Quest Software).

Adding policy pages to McAfee ePolicy Orchestrator

After installing Network Associates/McAfee ePolicy Orchestrator (ePO) for a client, I was mystified by the lack of a policy page for VirusScan Enterprise 7.x. VirusScan Enterprise 8.0 was there, as were competitive products (e.g. Norton Antivirus Corporate Edition v7.5x/7.6/8.0).

Eventually, I found a document on the McAfee website, which explained that the policy pages (NAP) required to change settings for VirusScan 4.5.1 and VirusScan Enterprise 8.0i are added to the server repository at install time, but before it is possible to change settings for other products, their policy pages must be added to the server repository. These policy pages are stored locally and contain the files needed to change policy settings and create scheduled tasks for products.

Locating the VSE710.NAP file was reasonably straightforward (it is contained within the installation source for VirusScan Enterprise 7.1). Once I had the file, I could follow the McAfee instructions for adding policy pages to the server repository, although with the version of ePO I was using (v3.5.0) the import process was slightly different to that illustrated, as the check in package and check in NAP options have been separated.

Although this information is also available in the ePO v3.5 Product Guide, it does help to know that the key to this is a .NAP file. I spent a considerable amount of time trying to find this out, so I thought I’d blog it here for the benefit of anyone else…

Using server side includes in web pages served from IIS

Last year I blogged about using server side includes in web pages. My SSI code has all been working well on my ISP’s Apache servers, but my development server runs under IIS 5 on Windows 2000. Even with the default document list set to include index.shtml, I was getting HTTP 404 errors for pages that I knew existed. I checked that I had application mappings in place for .shtml files, but what none of the documentation told me was that I needed to change the executable path for .shtml from %systemroot%\System32\inetsrv\404.dll to %systemroot%\System32\inetsrv\ssinc.dll. Once I had made that change, everything jumped into life and my dynamic pages were served as expected.

Tracking down the vendor portion of a MAC address

I was trying to track down the source of an IP address conflict earlier today and I came across two sites offering a search service for the initial 24-bit (6 hexadecimal digit) vendor portion of an Ethernet media access control (MAC) address. The IEEE service is the official one, from where you can also download the complete listing, but MAC finder is also useful as you can append the ?string=00%3a00%3a00 query string to the end of the URL (replacing the zeros with the appropriate hexadecimal digits).
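An added Python example, not from the post or either of the sites it mentions: a parser for the layout of the downloadable IEEE listing, with a lookup that normalises the address formats seen in ARP tables and flags the locally administered and multicast bits, since an address with the locally administered bit set was assigned by software and no registry lookup will identify its hardware. The listing excerpt is constructed with placeholder prefixes and vendor names.

```python
import re

# Constructed excerpt in the layout of the IEEE OUI listing (oui.txt): each
# assignment has a "(hex)" line and a "(base 16)" line followed by address
# lines. The prefixes and vendor names are placeholders, not real assignments.
SAMPLE_OUI_TXT = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-1A-2B   (hex)\t\tEXAMPLE NETWORKS INC
001A2B     (base 16)\t\tEXAMPLE NETWORKS INC
\t\t\t\t1 Example Way
\t\t\t\tAnytown  00000
\t\t\t\tUS

00-3C-4D   (hex)\t\tEXAMPLE VIRTUAL LTD
003C4D     (base 16)\t\tEXAMPLE VIRTUAL LTD
\t\t\t\t2 Sample Street
\t\t\t\tGB
"""

# Only the "(hex)" lines are needed to build the lookup table.
OUI_LINE_RE = re.compile(
    r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.+?)\s*$"
)


def load_oui_table(text):
    """Parse an IEEE-style listing into {'001A2B': 'EXAMPLE NETWORKS INC', ...}."""
    table = {}
    for line in text.splitlines():
        m = OUI_LINE_RE.match(line)
        if m:
            table["".join(m.group(1, 2, 3)).upper()] = m.group(4)
    return table


def normalise_mac(mac):
    """Accept colon, hyphen, Cisco dotted or bare forms; return 12 upper-case hex digits."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def lookup_vendor(mac, table):
    """Return the OUI, the registered vendor (None if unknown) and the two flag
    bits of the first octet. A set locally-administered (U/L) bit means the
    address was assigned by software (virtual NIC, randomised or spoofed
    address), so the registry cannot say what hardware is behind it."""
    digits = normalise_mac(mac)
    first_octet = int(digits[:2], 16)
    return {
        "mac": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        "oui": "-".join(digits[i:i + 2] for i in range(0, 6, 2)),
        "vendor": table.get(digits[:6]),
        "multicast": bool(first_octet & 0x01),
        "locally_administered": bool(first_octet & 0x02),
    }


def mac_finder_query(mac):
    """Build the ?string=00%3a00%3a00 query string form mentioned in the post
    from the vendor portion of the address."""
    digits = normalise_mac(mac)[:6].lower()
    return "?string=" + "%3a".join(digits[i:i + 2] for i in range(0, 6, 2))
```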