Litmus Tests

Date post: 03-Apr-2018
  • 7/29/2019 Litmus Tests

    1/83

    Guys Litmus Tests

    Page 1 of 82 Computerperformance.co.uk

    Guy's Litmus Tests

    Guy's Litmus test idea

    Guy's Litmus test is a concept that you can apply literally anywhere. Each test gives you an instant answer to the basic question: 'Are you dealing with a professional, or an amateur?' Is this the real deal or is it a turkey?

    I have narrowed my Litmus test concept to focus on computing; each page will give you at least one test to see if you have the amateur or professional settings. This rating is a personal view, based on my professional judgement as an independent computer consultant and trainer.

    Where the idea came from

    The brainwave for the Litmus challenge came to me when a delegate said: 'Guy, I have just joined a company; how do I know if their network and servers are running properly?' So I gave him a check list to find out whether his network was run by amateurs or professionals.

    Flash back

    As I was wondering what title to give the check list, my mind flashed back to my schoolboy days. Suddenly I remembered my chemistry teacher 'Sniffy' Pugh showing us Litmus tests. Perhaps you remember the test? You dip Litmus paper into a liquid; if the paper turns red the liquid is acid, whereas if it turns blue the liquid is alkaline. It struck me that Litmus test was the ideal name for a quick test where there are only two possible results, one good, the other bad.


    Table of Contents for Guy's Litmus Tests

    Guy's Litmus Test challenge
    1) Backup and the neglected Restore
    2) Event Viewer and Logs
    3) Restart Services instead of Rebooting
    4) Share and NTFS permissions
    5) Recovery Toolkit
    6) Security - Administrator Account
    7) Security Auditing
    8) Security Templates
    9) Time Synchronisation
    10) Uninterruptible Power Supply
    11) Dynamic Disk
    12) Disk Quotas
    13) DHCP
    14) DNS
    15) Networks
    16) Partitions
    17) Printer Pools
    18) Remote Administration
    19) Routing and Remote Access (RRAS)
    20) WINS
    21) Active Directory
    22) FSMO (Flexible Single Master Operations)
    23) Group Policy and GPMC
    24) Installing Windows Server 2003 or W2K3
    25) Logon Scripts
    26) Raise Domain Levels (Mixed v Native Mode)
    27) Organizational Units and Delegation
    28) Printer Location
    29) Site Links
    30) Universal Groups
    31) CMD.exe
    32) First impressions
    33) Luddites
    34) Problem solving characteristics
    35) Protocols
    36) Readme files
    37) Screen Savers
    38) Tool kit
    39) TCP/IP protocol suite
    40) What next?


    1) Backup and the neglected Restore.

    Guy's Litmus Test: When did you last test a full restore?

    Professionals have tested a full restore in the last 6 months

    Amateurs carry on backing up but they have no idea if the tapes will restore

    1) Backup and Restore

    One of my questions to companies is: 'Have you tried a restore lately?' In some ways this is a 'cheap shot' because hardly anyone tests a full restore. But think about it; you have invested in expensive software like ArcServe or BackupExec, so how would you feel if you try a restore and it fails?

    At first I did not believe the statistic that 35% of all backups do not restore in the way that you think. The software itself rarely fails; it is more likely that the human logic is faulty. As I visited sites, the reasons for these failures became apparent. Let me illustrate with some salutary case histories.

    Case A. The shifting files.

    Backup does its job perfectly. It is just that the vital database files were moved to a new folder, e:\dbase to j:\dbase. Carelessly, the new folder was not included in the path for the backup job. So when it came to restore the database there were no files from J:\dbase - woops! A variation of this problem is still backing up the old server when you have moved all the data to the new server!

    Case B. The nervous operator.

    The boss buys a box of DAT tapes and shows the timid assistant how to insert the first tape into the drive. On day one backup works brilliantly. However, on day two the operator cannot eject the tape; so being resourceful, they get out the Tippex*. You have guessed what happened next; they write today's date on the label and repeat every day. Guess what happens when you want a full restore of last week's data? You only get yesterday's incremental backup, because each day the previous tape is overwritten.

    *Tippex is a white paint used for correcting typing mistakes.


    Case C. The 'Rambo' operator

    A new young strapping lad wishes to make an impression. The backup tape was reluctant to eject. No problem for our young Rambo - he ripped the tape out - drive and all! Well, at least everyone knew that there was a problem with backing up.

    Case D. Photocopy Backup!

    One day the database server went down and the manager asked his assistant for the backups. The proud assistant got out a pile of photocopied records and said, 'There are the backups'! Were they able to restore the backup from photocopies? No way! I never did discover if the root cause was a language problem or just plain ignorance.

    Case E. No tape drives

    Shortly after I first started in IT, the IRA blew up Bishopsgate in London (England). Amazingly no-one was killed, but IT people were walking around like zombies; they had lost their data. Then the rumours started. Word was that the banks had no back-ups; people were saying: 'The bank phoned me up yesterday and asked me how much money I had in my account. Well I told them a million pounds. Their next question was: can we see last month's statement to prove it.'

    I must confess to repeating the story to anyone who would listen; then one day I told the sorry tale to an engineer. He said 'Guy, I was on that case, of course they had backups, the assistant manager had hundreds in his garage. So we collected all the tapes, but how do we restore the data? The IRA had destroyed the computer and that bank's mainframe was so old that there was not another machine in the world that had a compatible tape drive.'

    That was 1992; disaster recovery has come a long way since then, but the ultimate proof of any backup strategy remains a full restore on another machine.

    Summary: Pros always check backup by carrying out a full restore.


    2) Event Viewer and Logs

    Guy's Litmus Test: How many errors do you see in your Event Logs?

    Professionals have very few errors in the Event Logs

    Amateurs see lots of red dots in their Event Viewer

    2) Event Viewer and Logs

    Where NT 4.0 had three event logs, Windows 2000 domain controllers had six event logs and Server 2003 even more. Lots of red dots in the event logs shout to me: 'Amateurs in charge'. On the other hand, few red dots and regular archives whisper quietly: 'Professionals work here'. While you are in the Event Viewer, remember to check the Application log as well as the System log, especially if you are running Exchange or SQL.

    Here is a severe problem with the CP domain - no logon servers available. Investigation revealed that CP domain controllers were offline.


    Below is a yellow warning message telling us that a new machine has not been properly named. The network identification tab should be configured to include the domain suffix.

    Increase the log size from the default of 512K to about 4MB.

    Use the filter in Event Viewer; it is hidden away under the View menu.

    Employ VBScripts or PowerShell cmdlets to help you monitor the logs.

    Challenge: Check the event logs DAILY.

    It will give you a chance to practise troubleshooting skills.
    You will get a feel for your server and its network.
    It will prevent problems building up on your network. For example, the log tells you that the mail service has stopped, so you restart it before users notice that there is no e-mail.


    You are always allowed to ask for a bonus!

    I dare you: ask your boss for a bonus based on how many red dots (Errors) there are in the logs. This is the system that my mate 'mad' Mick negotiated. He starts with 100 a quarter per server; if there are no errors he gets the 100, but for each error he loses 1. Blue (Information) and yellow (Warning) messages do not count. After a shaky start where he owed the company 574, Mick now pockets a nice bonus and has learnt a great deal in the process.
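    The daily red-dot check, scripted, as an added example (not code from the original page): it counts Error and Critical entries in the System and Application logs of each server over the last N days and works out Mick's bonus from the count. It assumes PowerShell 3.0 or later, remote event log access to the servers named, and the server names are constructed placeholders.

```powershell
# Added example: count the red dots (Error and Critical) per server and apply
# the bonus scheme: a fixed sum per server per period, minus one per red dot.
# Warnings (yellow) and Information (blue) are deliberately not counted.
param(
    [string[]]$Servers = @('SERVER01', 'SERVER02'),   # constructed placeholders
    [int]$Days = 1,                                   # 1 = the daily check
    [int]$StartingBonus = 100                         # per server, per period
)

$since = (Get-Date).AddDays(-$Days)

foreach ($server in $Servers) {
    # Level 1 = Critical, 2 = Error. Level 3 (Warning) and 4 (Information) are excluded.
    $filter = @{ LogName = 'System', 'Application'; Level = 1, 2; StartTime = $since }

    # Get-WinEvent reports 'no events found' as an error, so silence it and
    # treat an empty result as zero red dots.
    $redDots = @(Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $summary = [pscustomobject]@{
        Server  = $server
        Since   = $since
        RedDots = $redDots.Count
        Bonus   = $StartingBonus - $redDots.Count   # can go negative, as Mick found out
    }
    $summary | Format-List | Out-String | Write-Host

    # The sources to chase first: which provider and event id make the noise.
    $redDots |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object -First 5 Count, Name |
        Format-Table -AutoSize | Out-String | Write-Host
}
```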

    Summary: Pros check their event logs daily


    3) Restart Services instead of Rebooting

    Guy's Litmus Test: Is your reflex to restart services or reboot the server?

    Professionals prefer to restart faulty services

    Amateurs always reboot the server - even if there is no need

    3) Fewer Reboots

    The good news is that Microsoft have reduced the number of actions that require a reboot from over 150 in NT 4.0 to just 7 in Windows 2003. The bad news is that rebooting the server is no longer as effective in curing problems as it was in NT. On occasions where rebooting solves a problem, restarting the individual service would work just as well. Think how much downtime you will save.

    Where do you find the settings? Administrative Tools, Services.

    Restarting services is particularly useful when troubleshooting Exchange 2003 or SQL problems. Rebooting the machine would achieve the same result but would take an age, and other services would not be available until the restart is complete. Stopping and restarting the services is more efficient and also teaches you the dependencies of services. For example, the Exchange Information Store is dependent on the System Attendant.

    Configure services to restart automatically on failure. (An idea W2K3 has taken from Exchange.) Investigate a VBScript to restart services automatically.
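    An added example (not from the original page) of the three habits described above: seeing what a service requires and what depends on it, restarting just that service together with its dependents, and setting it to restart itself on failure. It assumes PowerShell 3.0 or later and local administrator rights; W32Time is used for the demonstration run because it exists on every Windows machine, while MSExchangeIS and MSExchangeSA are the service names behind the Exchange 2003 example in the text.

```powershell
# Added example: restart one service instead of the whole server.
function Show-ServiceDependencies {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name
    [pscustomobject]@{
        Service    = $svc.Name
        Status     = $svc.Status
        # RequiredServices must be running before this one (Information Store -> System Attendant)
        Requires   = ($svc.RequiredServices  | ForEach-Object Name) -join ', '
        # DependentServices are stopped whenever this one stops
        Dependents = ($svc.DependentServices | ForEach-Object Name) -join ', '
    }
}

function Restart-ServiceAndDependents {
    param([Parameter(Mandatory)][string]$Name)
    # -Force is needed when dependents are running, otherwise the stop is refused.
    # Restart-Service brings back only the named service, so remember which
    # dependents were running and start those again afterwards.
    $svc = Get-Service -Name $Name
    $wasRunning = @($svc.DependentServices | Where-Object Status -eq 'Running')
    Restart-Service -Name $Name -Force
    foreach ($dep in $wasRunning) { Start-Service -Name $dep.Name }
    Get-Service -Name $Name
}

function Set-RestartOnFailure {
    param([Parameter(Mandatory)][string]$Name)
    # Equivalent of the Recovery tab: restart after one minute on each of the
    # first three failures; reset the failure count after a day (86400 s).
    & sc.exe failure $Name reset= 86400 actions= restart/60000/restart/60000/restart/60000
    & sc.exe qfailure $Name
}

# Demonstration run (swap in 'MSExchangeIS' on an Exchange 2003 server).
Show-ServiceDependencies -Name 'W32Time'
Restart-ServiceAndDependents -Name 'W32Time'
Set-RestartOnFailure -Name 'W32Time'
```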

    7 Main causes of a reboot in Windows 2003

    1. Installing Active Directory (Run DCPROMO)
    2. Changing the DNS IP address or domain suffix
    3. Converting from Basic to Dynamic disk
    4. Renaming your Machine
    5. Install RIS
    6. Add or Remove COM Ports
    7. Modifying the Schema

    Minor causes of a reboot

    1. Altering the ISA configuration (why are you still using ISA stuff?)
    2. Changing the System Locale (Should have done it during install)
    3. Changing the System Font (Why worry on a server?)
    4. Removing the GSNW (Just leave it?)
    5. Some Terminal Services changes

    Summary: Pros understand Services and know how to restart them, and thus cure their problems


    4) Share and NTFS permissions

    Guy's Litmus Test: What permissions do you give the group 'Everyone'?

    Professionals remove the default permission 'Everyone' - Full Control

    Amateurs don't mind 'Everyone' having full control of all shares

    4) Share and NTFS permissions

    Share permissions are like giving users a key to the office door. NTFS permissions are like giving them the key to the safe. Too many organisations leave the safe unlocked!

    Make it your reflex to remove the group Everyone, because they have full control, and substitute Users, giving them only Read. It usually makes sense to also add the Administrators and give them full control.

    Right click a shared folder, check the permissions under both Share and NTFS tabs.

    Note that there are two tabs to control permissions on any folder - Sharing (key of the door) and Security (NTFS lock on the safe).
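    An added example (not from the original page) that applies the test to every share on a server: it checks both the Sharing tab (share ACL) and the Security tab (NTFS ACL) for 'Everyone' with Full Control, and with -Remediate applies the fix recommended above (Everyone removed, Users Read, Administrators Full Control). It assumes Windows 8 / Server 2012 or later for the SmbShare cmdlets, an elevated session and English account names.

```powershell
# Added example: find and (optionally) fix 'Everyone - Full Control' on shares.
function Find-EveryoneFullControl {
    [CmdletBinding()]
    param([switch]$Remediate)   # report only unless -Remediate is given

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Skip the administrative shares (C$, ADMIN$, IPC$); they are flagged Special.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

        # Sharing tab: the key to the office door.
        $shareAces = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and
                           $_.AccessControlType -eq 'Allow' -and
                           $_.AccessRight -eq 'Full' }
        foreach ($ace in $shareAces) {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                               Rights = $ace.AccessRight; Inherited = $false }
            if ($Remediate) {
                Revoke-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -Force | Out-Null
                Grant-SmbShareAccess  -Name $share.Name -AccountName 'Users' -AccessRight Read -Force | Out-Null
                Grant-SmbShareAccess  -Name $share.Name -AccountName 'Administrators' -AccessRight Full -Force | Out-Null
            }
        }

        # Security tab: the NTFS lock on the safe.
        if (-not $share.Path -or -not (Test-Path -LiteralPath $share.Path)) { continue }
        $acl = Get-Acl -LiteralPath $share.Path
        $ntfsAces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $fullControl) -eq $fullControl)
        }
        foreach ($ace in $ntfsAces) {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            # An inherited entry cannot be removed here; fix it on the parent folder.
            if ($Remediate -and -not $ace.IsInherited) {
                $acl.RemoveAccessRule($ace) | Out-Null
                Set-Acl -LiteralPath $share.Path -AclObject $acl
            }
        }
    }
}

Find-EveryoneFullControl | Format-Table -AutoSize
```

    Run it without -Remediate first; no complaints from users about permissions may mean no security, but an unexpected list of shares here means the opposite.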


    The biggest change compared with NT 4.0 is that you now have the Deny permission. In NT 4.0 the No Access was rather a blunt tool; it meant you could not read documents or list files. The new Deny means that you can explicitly Deny Write. That means that if a user is a member of another group that is given Change permission, they still only end up with Read.

    Little Known Snap-in - Shared Folders

    Here is a little known snap-in called Shared Folders; I use it to check and set share permissions.


    If you get a few complaints from users about difficulties writing to folders, that indicates that your security is working. My point is that no complaints about permissions may mean no security.


    Windows Server 2003 (W2K3)

    The default share permissions in Windows Server 2003 (W2K3) are Users Read, Administrators Full Control.

    Summary: Pros limit the permissions given to the group Everyone


    5) Recovery Toolkit

    Guy's Litmus Test: In the event of a system failure, how many recovery tools can you use?

    Professionals have a tried and tested list of recovery strategies

    Amateurs can only reinstall the server from scratch

    5) Recovery Toolkit

    The situation is that your machine crashes and will not restart properly; what do you do next?

    1. Safe Mode
    2. Recovery Console - CD
    3. Directory Services Restore
    4. Windows Server 2003 Repair
    5. LKK
    6. Restore Points XP
    7. (ERD)

    Safe mode

    Those coming from NT 4.0 will be impressed with all the options revealed by pressing F8 on boot up; those who know Windows 98 will find old friends amongst these options. Safe Mode is my favourite strategy; I find it usually works, and I can get into the system and reverse whatever was stopping it booting normally.

    Recovery Console

    This is a great strategy if you have to repair a corrupted file by copying the original from CD. What happens is the command console boots into a shell which looks like DOS; then you can copy the files from the CD to the WINNT folder.

    Organized administrators prepare by installing the command console with winnt32 /cmdcons. As ever Microsoft provide two ways of doing everything, and you can also access the command console by inserting the CD and choosing R = Repair from the appropriate menu.

    Directory Services Restore

    This is a specialist technique for recovering parts of Active Directory that you have inadvertently deleted; for example, you delete an OU and you want it back. I say specialist because you have to understand LDAP and ADSI to select the items to be restored.

    Windows Repair

    When crucial operating files get damaged, you could carry out a repair. The technique is to pretend you wish to install a new copy, but at the crucial menu, select Windows Repair. Note this is a different technique from Recovery Console; you will need the Product Key for this Repair option.

    LKK - Last Known Good

    This is used in one specialist situation: you have just installed a rogue driver which you are pretty sure is preventing the machine booting. I say specialist because it only solves incorrect configuration errors. If you did something that changed the registry, then you have a spare control set that you can revert to; however, the moment you logon you create a new Last Known Good and so would lose that spare set. LKK is first on my list because it is the first you should try.

    Restore Points (XP and Longhorn only)

    If you can get as far as logging on, then the restore points are one of the great recovery features of XP. The operating system creates a fixed point before you make any major changes, or else you can create the restore points yourself. Note, restore points are not available on Windows Server 2003, only XP.

    (ERD) Emergency Recovery Disk

    I put this last and in brackets because I have never had any success with this procedure. The idea is worthy: all the registry configuration settings can be saved and later restored. The fatal flaw is that the disk/file has to be updated manually every time you make a change, and for ordinary mortals that just does not happen. If there is one thing worse than not having an ERD it is having an out-of-date disk which corrupts the system.

    If you would like to create an ERD then click Start, Programs, Accessories, System Tools, then click Backup. Amateurs believe that the ERD is bootable - wrong. However, you CAN create a bootable disk by formatting a floppy in Windows 2003, and copying NTLDR, NTDETECT.COM and BOOT.INI on to the floppy. This is the same strategy as used in NT 4.0.

    Summary: Pros have a rich variety of recovery tools and strategies.


    6) Security - Administrator Account

    Guy's Litmus Test: Have you renamed the Administrator's account?

    Professionals rename the Administrator Account

    Amateurs as usual, leave security as the default settings

    6) Security - Rename your Administrator account

    Renaming the Administrator account is the single best thing you can do to secure your system. It amazes me that companies spend thousands on security reports but do not rename the Administrator's account. Also remember to delete the description 'Built-in account for administering the computer/domain' when you rename the account.

    The two points are:

    1) Every hacker knows that Windows Server 2003 has an account called Administrator

    2) By design, the Administrator account cannot be locked out. So hackers can try as many times as they like to discover the password.

    Create a Dummy account

    My mate 'Barking' Eddie renames the original Administrator = fredb, then creates a new dummy Administrator account with only guest rights. This drives hackers mad because they cannot understand why the Administrators account does not do what they want! He even adds the description 'Built-in account for administering the computer/domain' to the dummy account.

    SG wrote to me pointing out what else you can do to secure the Administrator account:

    Deny Access to this computer from the network. SG reminds me that this account has a SID ending in 500 which cannot be changed. As a result, hackers using RedButton will always know which account is the original administrator and attack it.

    You could also set a Security Policy which adds additional restrictions for anonymous connections: 'Do not allow enumeration of SAM accounts and shares'.

    Check the physical security of your server room. Also check who can log on locally on the server.
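    An added example (not from the original page) that checks one server against this test from the administrator's side: it finds the account whose SID ends in -500 whatever it is now called, reports whether it has been renamed and whether the give-away description has been deleted, looks for Eddie's decoy account, and reads the 'do not allow anonymous enumeration of SAM accounts and shares' policy from its registry value. It assumes PowerShell 5.1 or later for Get-LocalUser, an elevated session, and a member server or workstation (a domain controller has no local SAM).

```powershell
# Added example: has the built-in Administrator account been renamed and disguised?
function Test-AdministratorAccount {
    $defaultDescription = 'Built-in account for administering the computer/domain'

    # The real built-in account always has RID 500, regardless of its name.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    # A decoy: an account called Administrator that is NOT RID 500.
    $decoy   = Get-LocalUser | Where-Object { $_.Name -eq 'Administrator' -and $_.SID.Value -notlike '*-500' }

    # Policy 'Network access: Do not allow anonymous enumeration of SAM accounts
    # and shares' is stored as RestrictAnonymous = 1 under the Lsa key.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Rid500Name          = $builtin.Name
        Rid500Enabled       = $builtin.Enabled
        Renamed             = ($builtin.Name -ne 'Administrator')
        DescriptionCleared  = ($builtin.Description -ne $defaultDescription)
        DecoyPresent        = [bool]$decoy
        DecoyDescriptionSet = [bool]($decoy -and $decoy.Description -eq $defaultDescription)
        AnonEnumBlocked     = ($lsa.RestrictAnonymous -eq 1)
    }
}

$result = Test-AdministratorAccount
$result | Format-List
if (-not $result.Renamed -or -not $result.DescriptionCleared) {
    Write-Warning 'Litmus test failed: the built-in Administrator account still announces itself.'
}
```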

    Summary: Pros Rename the Administrator account


    7) Security Auditing

    Guy's Litmus Test: How many entries does your Security Log have?

    Professionals set up auditing for security information

    Amateurs say empty security logs means no problem

    7) Security Auditing

    Amateurs will almost certainly have a blank Audit log because the default setting is no auditing. Professionals will be alerted to unsuccessful logons, which could mean a hacker at work, or may be just Fred having trouble locating a file. Either way, the IT Professional will know.

    Setting up File Auditing is a knack. There are three places you need to configure.

    Firstly, set Auditing at the Domain level: go to Active Directory Users and Computers, Domain Object, Properties, Group Policy. From there configure as in the diagram below.


    Secondly, you need to turn Auditing on at the Folder level. Note that for once the group Everyone is your friend, as it may not be the person you think who is deleting the files. Warning: do not audit more than you need or the log will soon fill up and, what is more, searching for the information will be like looking for a needle in a haystack.

    Thirdly, check the Event Viewer, Security log for evidence of who was deleting the files.

    A tip for the Boss. If I was the boss, I would have a meeting with my network manager and ask to see the security log options. Just asking for this information will jog the network manager's memory. The hidden message is that even the techie's actions are accountable. If the network manager is honourable then they will have nothing to fear. If they are a rogue, then okay they can get around it by deleting the log, but that in itself would be suspicious.

    Security Warning

    Guy's warning: the more security you have, the more work there will be for the administrators.

    Firstly, decide on an appropriate level of security for your organisation. Take passwords as an example: ordinary companies do not need complex passwords which users have to change every month, whilst it would be inappropriate for banks to allow blank passwords which never expired.


    Bonus Litmus Test: Professionals use account lock out

    Account lockout - if an organisation has debated account policies then they are probably professionals. However, this is a classic case of there being no 'right answer'.

    Several Universities have admitted to me that they have problems with account lockout. Immature students deliberately lock out their friends' accounts by typing in the wrong password. If they can lock out a lecturer's account they think it's hilarious. (Sad people, but we have to deal with them.)

    Guy's first suggestion for the University's problem was to add the DontDisplayLastUserName setting to the Winlogon part of the registry. This prevents users seeing the account that previously used the machine. Secondly I showed the administrators how to set up auditing; then we could see which workstations the rogue passwords were coming from. Then we had a word in the ear!
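    An added example (not from the original page) of the second step in the University story: once logon auditing is on, it reads the failed logon events from the Security log, pulls the account, workstation and address out of each event's XML, and groups them so the workstations the wrong passwords come from stand out. It assumes Windows Vista / Server 2008 or later event IDs (4625; Server 2003 logs 529 and related IDs instead), PowerShell 3.0 or later, and rights to read the Security log.

```powershell
# Added example: where are the failed logons coming from, and for whose accounts?
function Get-FailedLogonSources {
    param(
        [int]$Hours = 24,
        [int]$Threshold = 5   # report a workstation/account pair with at least this many failures
    )
    # 4625 = An account failed to log on.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $rows = foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> elements; turn it into a hashtable.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $d['TargetUserName']
            Workstation = $d['WorkstationName']
            IpAddress   = $d['IpAddress']
            SubStatus   = $d['SubStatus']   # 0xC000006A = wrong password, 0xC0000064 = no such user
        }
    }

    $rows |
        Group-Object Workstation, IpAddress, Account |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Failures    = $_.Count
                Workstation = $first.Workstation
                IpAddress   = $first.IpAddress
                Account     = $first.Account
                LastSeen    = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            }
        }
}

Get-FailedLogonSources -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

    Lower the threshold to see everything; raise it so that Fred mistyping once does not end up on the same list as a workstation hammering a lecturer's account.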

    Summary: Pros turn on auditing and check the security log weekly


    8) Security Templates

    Guy's Litmus Test: Have you ever used the Security Templates?

    Professionals use the built-in snap-in for Security Templates

    Amateurs have no structure for setting security

    8) Security Templates

    Security Templates and the associated Security Configuration and Analysis snap-in are one of the best kept secrets of Windows Server 2003. This is a shame, as this tool offers a powerful mechanism to configure, check and record the security settings for your domain.

    Needless to say there is a huge difference between those professionals who utilise these features, and the amateurs who do not realise they exist.

    a) Security Templates

    The first move is to load the template that most nearly describes your situation, e.g. securedc = Secure Domain Controller. The next move is crucial: Save As - yourfilename. This preserves the original while allowing you to experiment.


    Your next move is to check out the settings and decide how much security you need in your organization. When you have finished checking, go to the Security Configuration and Analysis snap-in. (See diagram above.)


    b) Security Configuration and Analysis

    Note this is a second, separate snap-in. The first step is to right click, choose Load database and add your saved template. Next right click the Security Configuration and Analysis item, and select Analyse (NOT CONFIGURE).

    The powerful analysis tool shows which settings will remain the same; for example, a tick next to 'Maximum Password age' tells you there is no difference between your template and the present setting. However, a red x means that the template will change the current settings if you select CONFIGURE.

    Experiment with different settings until you have the required security configuration. Note in passing that you can Export List from the Action menu and so save a record of your work.

    If you make a terrible mistake with CONFIGURE, reapply the Basic Template and start again.
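    The same procedure from the command line, as an added example (not from the original page): copy securedc under your own name so the original is preserved, analyse the live machine against it (analyse, never configure), and list the settings that CONFIGURE would change, i.e. the red x's. It assumes a Windows version that still ships securedc.inf in %windir%\security\templates (the Server 2003 era), an elevated prompt, and that secedit marks differing settings with 'Mismatch' in its analysis log.

```powershell
# Added example: secedit /analyze as the scripted twin of the snap-in.
$templateDir = Join-Path $env:windir 'security\templates'
$work        = Join-Path $env:TEMP 'sca'
$myTemplate  = Join-Path $work 'mycompany.inf'   # your Save As - yourfilename copy
$db          = Join-Path $work 'mycompany.sdb'   # the 'Load database' step
$log         = Join-Path $work 'analyze.log'

New-Item -ItemType Directory -Path $work -Force | Out-Null
Copy-Item -LiteralPath (Join-Path $templateDir 'securedc.inf') -Destination $myTemplate -Force
# ... edit $myTemplate to suit your organisation before analysing ...

# Analyse only: nothing on the machine is changed. /overwrite replaces any
# template already stored in the database with the one given by /cfg.
& secedit.exe /analyze /db $db /cfg $myTemplate /overwrite /log $log /quiet

# The log walks through each policy area; lines beginning 'Mismatch - ' are
# the settings whose current value differs from the template.
$mismatches = @(Select-String -Path $log -Pattern '^\s*Mismatch - ' |
    ForEach-Object { $_.Line.Trim() -replace '^Mismatch - ', '' })

"{0} settings differ from {1}:" -f $mismatches.Count, (Split-Path $myTemplate -Leaf)
$mismatches
```

    Keep the .sdb and the log with the template; together they are the Export List record of what was checked and when.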

    Summary: Pros use Security Templates to control all aspects of their security


    9) Time Synchronisation

    Guy's Litmus Test: Do all your machines show the same time?

    Professionals synchronize computer clocks throughout their network

    Amateurs wonder why they get lots of Win32 time errors in the event log

    9) Time Synchronization

    With Windows 2003's Kerberos security, time synchronization has a new significance. This is because the Kerberos (KDC) service uses time stamps as part of the client authentication process. The default tolerance is only 5 minutes.

    Command to issue from a batch file or the command line.

    Use SNTP (Simple Network Time Protocol) to synchronise time on your network. Naturally you need a server with a reliable time source. I suggest using google.com to search for 'internet time servers'.

    Here is the syntax of the net time command:

    net time /setsntp:<server> where <server> is a time server.

    Example: net time /setsntp:ntp2.usno.navy.mil at 192.5.41.209. Note the precise syntax, especially the colon.

    One of my more controversial ideas is to give network managers bonuses dependent on curing red error dots in the Event logs. My proposal is to give them a bonus of x dollars or pounds, but to reduce the bonus by one dollar for each red dot. Those who take up this idea realise that they lose a lot of bonus if they do not master the win32 time command. See 2) Event Viewer.

    Example Script to Synchronize with the Windows Time Service

    Purposes of the Script

    The script synchronizes the local machine with an internet time server, then displays a message indicating if the internal clock was slow, fast or on time.


    Instructions for Synchronizing with the Windows Time Service

    This script is designed for Windows servers, but there is no reason why it should not work on an XP machine. If you use uk.pool.ntp.org or time-a.nist.gov as the time server, make sure that your machine has an internet connection.

    1. Copy and paste the example script below into Notepad or use a VBScript editor.
    2. One advantage of a good script editor such as OnScript is that you can see the line numbers, which helps when you have to troubleshoot error messages.
    3. Save the file with a .vbs extension, for example: SynchTime.vbs
    4. Double click SynchTime.vbs, and check the clock synchronization in the message box.

    '==============================================
    ' VBScript Source File -- Created with XLnow OnScript
    ' SynchTime.vbs
    ' AUTHOR: Guy Thomas
    ' COMPANY: Computer Performance
    ' DATE: January 2006 Version 3.2
    ' COMMENT: Script to synchronize with the Time service
    '==============================================
    Option Explicit
    Dim objShell
    Dim intShortSleep, intLongSleep, strService
    Dim strTimeSrv, timeBefore, timeAfter, timeDiff
    Set objShell = CreateObject("WScript.Shell")

    strService = "w32Time"
    intShortSleep = 3000
    intLongSleep = 6000 '1000 = 1 second

    ' Time Server set (Remove ' Rem if you want to change)
    strTimeSrv = "time-a.nist.gov"
    'strTimeSrv = "uk.pool.ntp.org"

    ' Use .Run method to configure the time server
    ' (window style 1, bWaitOnReturn True: wait for w32tm to finish before restarting the service)
    objShell.Run "w32tm /config /syncfromflags:manual /manualpeerlist:" _
      & strTimeSrv, 1, True
    Call Restart()
    ' Collect time before the script synchronizes (seconds since midnight)
    timeBefore = DatePart("s", Now) + DatePart("n", Now) * 60
    timeBefore = timeBefore + DatePart("h", Now) * 3600

    ' Key command to resynchronize with time server
    objShell.Run "w32Tm /resync /rediscover", 1, True
    WScript.Sleep intShortSleep
    timeAfter = DatePart("s", Now) + DatePart("n", Now) * 60
    timeAfter = timeAfter + DatePart("h", Now) * 3600

    ' Cosmetic section to display the clock adjustment
    ' (subtract the sleep so that only the correction applied by w32tm is reported;
    '  a resync that straddles midnight will be out by 86400 seconds)
    timeDiff = (timeAfter - timeBefore) - (intShortSleep / 1000)
    If timeDiff < 0 Then
      WScript.Echo "Clock was fast by " & -timeDiff & " secs"
    ElseIf timeDiff > 0 Then
      WScript.Echo "Clock was slow by " & timeDiff & " secs"
    ElseIf timeDiff = 0 Then
      WScript.Echo " Clock synchronized " & timeDiff & " difference"
    End If
    WScript.Quit

    Sub Restart()
      ' Restart Service, waiting for each net command to complete
      objShell.Run "net stop " & strService, 1, True
      objShell.Run "net start " & strService, 1, True
      WScript.Sleep intLongSleep
    End Sub

    VBScript Tutorial - Learning Points

    Note 1: Get into the rhythm of the If, Then, End If. This simple construction is versatile and greases the wheels of many VBScripts.

    Note 2: ElseIf is better than Else If. My advice is to avoid a space between Else and If, unless you deliberately want a different outcome. If you have more than five ElseIfs then investigate the alternative Select Case.

    Note 3: Observe how this script employs the .Run method rather than .Sendkeys {}.

    Challenges

    Try deliberately setting the computer's clock fast or slow.
    Give the script a real job by stopping the Windows Time service before running the script.

    Experiment with the intSleep variables. Try changing the values, or even removing them.

    See the difference a space makes in Else If (instead of ElseIf) and see how Else If requires its own matching End If.

    I tried simplifying timeAfter = DatePart("s", Time) + DatePart("n", Time) * 60 to timeAfter = Time. My results were disappointing: the value was always the same, even though I changed the time on the computer clock.
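As an added example (not the page's own script), here is the SNTP exchange that w32tm performs, written in Python rather than VBScript: it builds the client request, parses the 48-byte server reply, computes the clock offset and reports, in the script's own fast/slow wording, whether the skew is inside the 5-minute Kerberos tolerance given above. The function names, the constructed exchange in offline_demo and the 300-second constant are this example's assumptions; the live query needs network access to a time server such as the ones named above.

```python
import socket
import struct
import time
from typing import Tuple

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KERBEROS_MAX_SKEW = 300        # Windows 2003 KDC default: 5 minutes of tolerated clock skew


def to_ntp(unix_seconds: float) -> bytes:
    """Encode Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole, frac = divmod(unix_seconds + NTP_EPOCH_DELTA, 1)
    return struct.pack("!II", int(whole), int(frac * (1 << 32)))


def from_ntp(raw: bytes) -> float:
    """Decode a 64-bit NTP timestamp back to Unix time."""
    whole, frac = struct.unpack("!II", raw)
    return whole - NTP_EPOCH_DELTA + frac / (1 << 32)


def build_request(send_time: float) -> bytes:
    """SNTP client request: LI=0, VN=3, Mode=3 (0x1B), with our send time as Transmit."""
    return bytes([0x1B]) + bytes(39) + to_ntp(send_time)


def build_reply(originate: float, receive: float, transmit: float, stratum: int = 2) -> bytes:
    """Server reply (Mode=4) carrying the three server-side timestamps.
    Only used here to construct a sample exchange so the parser can run offline."""
    header = bytes([0x1C, stratum]) + bytes(22)      # flags, stratum, then poll..reference ts
    return header + to_ntp(originate) + to_ntp(receive) + to_ntp(transmit)


def parse_reply(data: bytes) -> dict:
    """Validate a 48-byte SNTP reply and extract the timestamps the offset needs."""
    if len(data) < 48:
        raise ValueError("short SNTP packet")
    if data[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if data[1] == 0:
        raise ValueError("kiss-o'-death: server unsynchronised or refusing service")
    return {"stratum": data[1],
            "originate": from_ntp(data[24:32]),   # our transmit time, echoed back
            "receive": from_ntp(data[32:40]),     # server clock when the request arrived
            "transmit": from_ntp(data[40:48])}    # server clock when the reply left


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """RFC 4330 offset; positive means the local clock is behind the server (slow)."""
    return ((t2 - t1) + (t3 - t4)) / 2


def assess(offset: float, tolerance: float = KERBEROS_MAX_SKEW) -> Tuple[bool, str]:
    """Same fast/slow wording as the VBScript above, plus the Kerberos verdict."""
    if offset > 0:
        state = f"Clock is slow by {offset:.3f} secs"
    elif offset < 0:
        state = f"Clock is fast by {-offset:.3f} secs"
    else:
        state = "Clock synchronized"
    ok = abs(offset) <= tolerance
    note = " (within Kerberos tolerance)" if ok else " (EXCEEDS Kerberos tolerance: authentication will fail)"
    return ok, state + note


def query(server: str, timeout: float = 3.0) -> dict:
    """One request/reply exchange with a real SNTP server (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    reply = parse_reply(data)
    if abs(reply["originate"] - t1) > 1e-3:          # stale or spoofed reply: not an answer to us
        raise ValueError("reply does not echo our transmit timestamp")
    offset = clock_offset(t1, reply["receive"], reply["transmit"], t4)
    delay = (t4 - t1) - (reply["transmit"] - reply["receive"])
    return {"stratum": reply["stratum"], "offset": offset, "delay": delay}


def offline_demo() -> Tuple[float, bool, str]:
    """Constructed exchange: local clock 9.75 s behind the server, 0.5 s round trip."""
    t1, t4 = 1136073600.0, 1136073600.5              # local send / receive times (constructed)
    reply = parse_reply(build_reply(t1, t1 + 10.0, t1 + 10.0))
    offset = clock_offset(t1, reply["receive"], reply["transmit"], t4)
    ok, message = assess(offset)
    return offset, ok, message


if __name__ == "__main__":
    print(offline_demo())                               # (9.75, True, 'Clock is slow by 9.750 secs ...')
    # print(assess(query("uk.pool.ntp.org")["offset"]))  # live check against a server named on the page
```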

    XP Professional and Network Time

    A neat feature of XP and Windows 2000 Professional clients is that they will automatically synchronise with their Domain Controller. The client uses the Windows Time service to communicate with the logon server. To begin with this happens every 45 minutes; when the machines get in synchrony, the time checks extend to 8 hrs.

    Summary: Pros ensure that the clocks are synchronized on all their network machines


    10) Uninterruptible Power Supply

    Guy's Litmus Test: When did you last service the UPS?

    Professionals have the UPS regularly serviced

    Amateurs allow the UPS to leak acid

    10) UPS

    I sometimes offer my services on a no fee no fix basis. One job was abruptly terminated. When I went in to test my solution, I was told that the server room had burnt down. When the fire brigade investigated it turned out that the UPS (uninterruptible power supply) was the centre of the inferno. It seemed that acid seeped out from the UPS battery and set fire to paper on the floor. It transpired that the UPS was 12 years old and had never been serviced.

    Naturally I did not get paid, and had to settle for an ironic smile - the very device that should protect the server was responsible for its downfall. It is a situation where you can imagine a cartoon sequence of the acid leaking causing paper to catch fire, and the blaze enveloping the server.

    The moral of the story - do not work for people who do not service their UPS!

    The Role of the UPS in Disaster Recovery

    Those great big batteries (UPS) at the side of the server are designed to prevent disaster striking should your site suffer a power failure.

    I once stopped by at the UPS stand in a trade fair - they had great coffee and I needed a rest. Now I thought I knew about UPS devices, but the salesmen showed me some extra capabilities for disaster protection.

    1. The most important job of the UPS is to cut in when the power fails.
    2. UPS also protects against 'brown outs' when the light dims but the power stays on.
    3. UPS will also smooth voltage, preventing power surges during electric storms.

    Additional UPS Features

    The system I saw at the trade fair had 'bells and whistles' like short term capacitors and diesel engines that would deliver conventional AC power. It also had microprocessor sensors and switch over.


    11) Dynamic Disk

    Guy's Litmus Test: Do you understand Dynamic Disk?

    Professionals evaluate the pros and cons before upgrading to Dynamic Disk

    Amateurs in their ignorance, retain basic disk

    1) Dynamic Disks

    Professionals take the trouble to investigate the features of 'Dynamic Disk'. One advantage of Dynamic Disk is that you can extend data partitions. How is this useful? Take a case where you need 3 partitions on a disk, but it is not clear which partition will grow the fastest. Assign 1/4 of the space to each partition, leaving 1/4 available to extend whichever partition gets full first.

    Dynamic disk has the advantage of supporting an unlimited number of volumes; this overcomes the limitation of only 4 primary partitions and 1 logical drive. You may also import dynamic disks from other computers; this is because the file information is held on the disk itself, not in the registry. This also explains why you need 1 MB of unallocated space to convert from basic to dynamic disk; the space is needed to create the disk information database.

    To convert to Dynamic Disk, go to Disk Management, right click the Disk and select: Upgrade to Dynamic Disk. (Call for the built-in Help if you cannot find Disk Management)


    Reasons not to upgrade to Dynamic Disk

    Dynamic disk may not work with Cluster Service.
    Take care when converting disks that have Shadow copy enabled.
    You cannot revert to basic disk once you have converted to dynamic disk.
    You cannot boot into other operating systems on dual boot machines.
    You cannot install or upgrade to Windows Server 2003.
    For some reason dynamic disk is not supported on laptops.
    Dynamic disk is not compatible with 'Ghosting' client disks.

    This last point means that you may leave XP Professional with the default basic disk. I have not found a convenient switch to automatically upgrade to dynamic disk; moreover the advantages of dynamic disk are not so important on a workstation.

    More Disk Configuration Utilities

    Defrag: Professionals regularly defragment their disks for faster file access.

    Diskpart: Professionals employ Diskpart for command line configuration.

    Summary: Pros research the consequences of Dynamic Disk


    12) Disk Quotas

    Guy's Litmus Test: Have you set Disk Quota?

    Professionals set Quota limits on their file servers' volumes

    Amateurs allow a few users to hog the available disk space

    12) Disk Quotas

    Controlling use (abuse) of server disk space has been high on administrators' wish lists for a long time. Now with Disk Quotas you can limit users' disk space.

    Disk usage conforms to the 'Pareto Principle'; 20% of your users will consume 80% of the disk space. Configure disk quotas and make things fairer: stop one or two selfish users filling up the disk space unnecessarily. One strategy is to set the limits high and use quotas to plant the idea that users should implement good housekeeping with their files.

    To activate disk quotas: Right click the root of any partition and you will see the Disk Quota tab.


    Trap: Remember to check both boxes: Enable quota management, and Deny disk space to users exceeding their quota limit.

    Tip: If you wanted to use disk quotas on separate folders rather than the whole disk, investigate: Volume Mount Points.

    On a related topic:

    Encrypted File System (EFS)

    Litmus test: Professionals show laptop users how to encrypt their files

    There have been several high profile cases of lost laptops containing sensitive information. Windows 2003 offers the facility to transparently encrypt sensitive folders. So if the files get into the wrong hands, they will be very difficult to decrypt.

    Summary: Pros set quota limits for users on shared server volumes


    13) DHCP

    Guy's Simple Litmus Test: How do you assign a client's IP address?

    Professionals automatically assign IP addresses for XP desktops

    Amateurs manually configure the IP addresses on each client machine

    Guy's Advanced Litmus Test: How many DHCP Options do you configure?

    Professionals configure at least Type 003 Router and Type 006 DNS Servers

    Amateurs never configure any Scope Options.

    3) Dynamic Host Configuration Protocol (DHCP)

    As late as 2004 I read a survey that found 20% of organisations still assign static IP addresses. Reasons included the need to track IP addresses to individual machines and dislike of DHCP. 80% of respondents trust DHCP and consider it to be the way of the future. My feeling is that in 2006 only about 10% of administrators are 'amateurs' and still refuse to consider DHCP.

    It is relatively easy to configure a client so that it automatically gets an IP address from the DHCP server. However, the benefits of DHCP are greater than just giving out the client IP address. For example, you can also give clients the IP address of the DNS server and the router. Thus if a DNS server changes its IP, you only have to alter the configuration once on the DHCP scope. This is much better than going to every client and manually changing the default gateway at each TCP/IP property sheet.

    DHCP is a service that you install on Windows Server 2003. The server does not have to be a Domain controller. Once installed you need to configure a scope or range of IP addresses. My advice is to configure 2 servers (but no more) for each subnet. For example, Server A range 20-120, server B range 121-254.

    I heard a horror story of how one company had to employ a contractor to alter the default gateway of all 750 machines by hand. If only they had used DHCP it would have taken but a minute, a classic of modern methods reducing the TCO (Total Cost of Ownership).


    When you create a DHCP scope, as well as Router (DHCP Option Type 003), it costs little time to add a DNS Server (Type 006) and also Domain name (Type 015). It is worth checking out the over 40 other automatic settings you can assign at the same time as the IP address.

    Incidentally, DHCP is an example of Windows 2003 having more options, menus and sub menus than NT 4.0. Take the time to investigate which options would help your network. For example, check dynamic updates and class options.

    If you are troubleshooting client DHCP problems, ipconfig /all is the classic tool to run from the command prompt. (Do remember the /all switch)


    DHCP Logging

    One persistent reason companies gave for not implementing DHCP was that it could not track who was using which IP address. They obviously did not realise that you could turn on Audit Logging. Diagram taken from the properties of the DHCP Server Object.
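As an added example (not from the page), this Python reads the audit log that Audit Logging produces and answers the objection above: who held a given IP address at a given time. It also lists the event 13 (address already in use) and event 14 (scope exhausted) records, which are the symptoms of the overlapping scopes discussed later in this section. The log lines, host names and MAC addresses are constructed, and the column layout ID,Date,Time,Description,IP Address,Host Name,MAC Address is my assumption about DhcpSrvLog-<Day>.log on Windows Server 2003.

```python
import csv
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union

# Event IDs from the legend the DHCP service writes at the top of DhcpSrvLog-<Day>.log
LEASE_OPEN = {"10", "11"}          # 10 = new address leased, 11 = lease renewed
LEASE_CLOSE = {"12", "16", "17"}   # 12 = released by client, 16 = deleted, 17 = expired
ALERT_IDS = {"13": "address already in use on the network",
             "14": "lease request could not be satisfied (scope exhausted)"}

# Constructed sample log (assumed column layout). Names and MACs are made up;
# nwtraders.msft is the domain name used elsewhere on this page.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,07/29/19,08:00:00,Started,,,
10,07/29/19,08:05:12,Assign,192.168.0.50,ws-london.nwtraders.msft,000C29A1B2C3
11,07/29/19,12:05:12,Renew,192.168.0.50,ws-london.nwtraders.msft,000C29A1B2C3
12,07/29/19,17:30:00,Release,192.168.0.50,ws-london.nwtraders.msft,000C29A1B2C3
10,07/29/19,17:45:09,Assign,192.168.0.50,laptop-guy.nwtraders.msft,00A0C9112233
13,07/29/19,18:02:41,Conflict,192.168.0.77,,
14,07/29/19,18:10:05,Scope Full,,,
"""

Lease = Tuple[datetime, Optional[datetime], str, str]   # start, end (None = still held), host, MAC


def parse_audit_log(text: str) -> List[dict]:
    """Return the data rows of an audit log as dicts, skipping the legend preamble."""
    rows: List[dict] = []
    in_body = False
    for line in text.splitlines():
        if not in_body:
            in_body = line.startswith("ID,Date,Time")
            continue
        fields = next(csv.reader([line]))
        if len(fields) < 7:
            continue
        event_id, date, clock, desc, ip, host, mac = fields[:7]
        rows.append({"id": event_id.strip(),
                     "when": datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S"),
                     "desc": desc, "ip": ip, "host": host, "mac": mac.upper()})
    return rows


def lease_timeline(rows: List[dict]) -> Dict[str, List[Lease]]:
    """Per IP address, the leases reconstructed from assign/renew/release events."""
    timeline: Dict[str, List[Lease]] = {}
    open_idx: Dict[str, int] = {}                 # ip -> index of the lease currently held
    for r in sorted(rows, key=lambda r: r["when"]):
        ip = r["ip"]
        if not ip or (r["id"] not in LEASE_OPEN and r["id"] not in LEASE_CLOSE):
            continue
        leases = timeline.setdefault(ip, [])
        idx = open_idx.get(ip)
        if r["id"] in LEASE_OPEN:
            if idx is not None and leases[idx][3] == r["mac"]:
                continue                          # renewal by the same client: lease continues
            if idx is not None:                   # another client got the address: close the old lease
                start, _, host, mac = leases[idx]
                leases[idx] = (start, r["when"], host, mac)
            leases.append((r["when"], None, r["host"], r["mac"]))
            open_idx[ip] = len(leases) - 1
        elif idx is not None:                     # release / delete / expiry
            start, _, host, mac = leases[idx]
            leases[idx] = (start, r["when"], host, mac)
            del open_idx[ip]
    return timeline


def who_had(timeline: Dict[str, List[Lease]], ip: str,
            when: Union[datetime, str]) -> Optional[Tuple[str, str]]:
    """Host name and MAC holding `ip` at `when` (datetime or 'MM/DD/YY HH:MM:SS' as in the log)."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%m/%d/%y %H:%M:%S")
    for start, end, host, mac in timeline.get(ip, []):
        if start <= when and (end is None or when < end):
            return host, mac
    return None


def alerts(rows: List[dict]) -> List[Tuple[str, str, str]]:
    """Conflict (13) and scope-exhaustion (14) events: what overlapping scopes look like in the log."""
    return [(r["when"].strftime("%Y-%m-%d %H:%M:%S"), r["ip"], ALERT_IDS[r["id"]])
            for r in rows if r["id"] in ALERT_IDS]


if __name__ == "__main__":
    rows = parse_audit_log(SAMPLE_LOG)
    timeline = lease_timeline(rows)
    print(who_had(timeline, "192.168.0.50", "07/29/19 13:00:00"))   # ws-london's lease
    for entry in alerts(rows):
        print(entry)
```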

    What else is new with DHCP?

    On the server the DHCP server has to be registered in Active Directory before it can be activated. Microsoft claim this is to stop a tide of unauthorized DHCP servers on the network. Personally I think it is an unnecessary extra step! That said, I do recognise that there has been a tendency to have too many DHCP servers, with the resultant risk of duplicate IP addresses where the administrators are not careful with scope ranges.

    On a brighter note, Windows 2003 and XP support APIPA (Automatic Private IP Addresses). This was first introduced with Windows 98: if a DHCP server is unavailable, the client gives itself an IP address in the range 169.254.x.y. The benefit is that it can communicate with other clients on its subnet, and since it has a proper IP address, it can keep trying to contact the DHCP server for a more suitable IP address.

    Summary: Pros set up DHCP and reap the benefits of reduced administrative effort.


    14) DNS

    Guy's Litmus Test: Can you troubleshoot DNS?

    Professionals take the time to master DNS settings

    Amateurs use WINS wherever possible and avoid DNS

    14) Domain Name System (DNS or DDNS)

    In NT 4.0 DNS was a useful if peripheral skill; in Windows Server 2003 you cannot even install Active Directory without being an expert in DNS.

    At its simplest, DNS is responsible for mapping IP addresses to machine names. For example, in the DNS database there could be a host record (Type = A) for a machine called London with an IP address of 192.168.0.230.

    Note: The Cached Lookups in the diagram; to see that container, go to the View (Menu), Advanced.

    To truly master DNS you must invest time in the terminology and learn to configure Reverse Lookup, Zone, Active Directory Integration and other specialist DNS settings.

    In Windows Server 2003, DNS can dynamically update its host records - hence the name DDNS. This overcomes a limitation of DNS in NT 4.0 and allows WINS to be phased out in pure Windows Server 2003 networks. The only real use of WINS is for organizations with distributed Exchange servers.

    DNS and Active Directory


    DNS holds SRV or Service records which enable desktop computers and servers to find domain controllers that are providing specific services. For example, Global Catalog and Kerberos are needed for logon authentication; DNS returns the IP address of a domain controller offering those services.

    You can see the Active Directory SRV records in the above diagram; for example, look under nwtraders.msft and see _msdcs (Microsoft Domain Controllers).

    Check out the new Monitoring tab; right click the DNS SERVER, Properties.

    Bonus DNS litmus tests

    Professionals configure DNS to use Active Directory Integrated Zones and thus reduce replication traffic.

    Amateurs use Primary and Secondary Zones

    By integrating AD and DNS you reduce network traffic because only new or changed records are updated. This is known as incremental zone transfer (IXFR). In NT 4.0, the whole database was sent over the network even if just one record changed.

    How to change to AD zones? Right click the DNS Zone, Properties, General Tab.


    Challenge: Master NSLOOKUP

    One of the most difficult, but most rewarding, tools in the TCP/IP suite is NSLookup. Take the time to master it in interactive and non-interactive mode.

    Summary: Pros are experts in DNS; they realise its essential role in Windows Server 2003


    15) Networks

    Guy's Litmus Test: Do you use client server networks?

    Professionals run a client server network with Windows Server 2003 and XP clients

    Amateurs run a Peer to Peer network of XP and Windows 98

    15) Networks

    The decision to use a client server network or a peer to peer network is really a 'no brainer'. The benefits of central administration and single user logon far outweigh the cost of a server. I would stick my neck out and say that no company is too small to benefit from a server on their network.

    One client spent ages grappling with problems of XP acting as a server with Windows 98 clients. Both are designed as clients and neither works well as a server.

    How many servers do you need?

    Having made the case for servers, it is interesting to see the server philosophy in large companies. I keep wondering whether having hundreds of servers is a badge of success or a mark of inefficiency. Each case must be taken on merit. A small server in a branch office can be much better than using a slow link to authenticate at corporate HQ. Even this decision is not straightforward as fast WAN links get cheaper.

    On the other hand, tens of small servers in a large building can be efficiently replaced by one or two powerful servers.

    Factors to consider

    Network speed (LAN and WAN).
    Server scalability, e.g. extra RAM, another disk rack.
    Server characteristics, e.g. DC, GC, DNS and DHCP services go well together, while email and databases are best having their own server.

    Summary: Even small networks should have a proper server


    16) Partitions

    Guy's Litmus Test: How much FAT do you have!

    Professionals format every partition with NTFS

    Amateurs use FAT32 wherever possible

    16) Partitions

    The traditional reason to use NTFS was for file level security. However, the number one reason that I recommend NTFS on all partitions is that NTFS has 'write ahead' logs which protect the file system. This transaction logging is similar to the method that databases use to record events before they are committed to disk.

    There are more technical benefits to formatting NTFS:

    Faster recovery through checkpoint files
    More efficient storage of smaller files
    More efficient indexing
    Faster file access, especially for large disks

    NTFS is a pre-requisite for important Windows Server 2003 features:

    Active Directory. NTDS.dit and its logs must all reside on NTFS
    Disk Quotas
    Mount Points - useful when your c:\ drive is full
    EFS (Encrypted File System)
    DFS (Distributed File System)

    Neither FAT nor FAT32 can support any of the above features. The only indisputable advantage of FAT32 is that you can dual boot into Windows 98 - not much of an advantage for a server.


    Command Console (CMDCONS)

    For some (amateur) administrators the last stronghold of FAT was the c:\ drive. These Luddites insisted on formatting the c: drive as FAT or FAT32. Their justification is: 'so that we can copy files from floppy'. Guy says: 'Try the Command Console. Get the Windows Server 2003 CD and install with winnt32 /cmdcons.' With CMDCONS you can boot into a DOS-like shell and read and copy to NTFS partitions. You can also stop or start services that may be preventing a boot.

    Note: Do not confuse Command Console with F8 Safe mode; they are two different start up strategies.

    Summary: Pros use NTFS everywhere, and have no FAT whatsoever.


    17) Printer Pools

    Guy's Litmus Test: Do you have a pool of printers?

    Professionals create a pool of printers with different priorities

    Amateurs only create one printer

    17) Printer Pools

    The idea of Printer Pools is to have several printers or print queues leading to one physical print device. The advantage is that you can set different priorities for different users. For example: high priority for managers, low priority for secretaries (or would that be better the other way around!).

    How to Setup Printer Pools

    To create a Printer Pool: Start Menu, Settings, Printer folder, add printer.

    The trick is to create multiple printers, each with a different priority.

    To adjust the priority, go to the Advanced Tab and look for the Priority box. Finally give different permissions to the various printers.


    Bonus : Check out Web based printers

    Once Microsoft realised the power of the browser they made more and more interfaces browser compatible. Users can now use their Internet Explorer to search for printers and install the appropriate driver. Show the users this path: http://server/PRINTERS.

    Note: Whilst server will vary dependent on the name of your print server, PRINTERS should be typed as shown, as there will be a share called PRINTERS on each server.

    Summary: Pros create a number of printers and give them different priorities


    18) Remote Administration

    Guy's Litmus Test: Can you remotely administer your server?

    Professionals install Adminpak.msi on their Professional machines

    Amateurs make that long walk to the noisy server room

    18) Remote Administration - AdminPak

    When I offer my advice to network managers, there comes a time when we actually have to check settings on the server. If we have to make a long walk to a noisy freezing server room, I start having doubts if I am working with professionals. On the other hand, if they are able to bring up an MMC console and we can configure the servers from the comfort of the normal office, then I am impressed.

    To avoid those spooky flashing lights, to get away from that feeling that aliens have landed in this dungeon called a server room, install Adminpak.msi. It surprises some amateurs that you need the Server CD\i386 folder and not the Professional CD to install these snap-ins that allow you to configure the server from the comfort of your own chair.

    Bonus method: Remote Administration - Terminal Services

    Perhaps an even better method of configuring distant servers is to use Terminal Services in Remote Administration mode. In Windows 2000 you must first plan and install the Terminal Services on the servers that you wish to configure ahead of time. But do you need terminal services licenses? No, in remote administration mode two administrators can connect concurrently without the need to purchase licenses.

    It is even easier to administer Windows Server 2003 because Terminal Services is installed by default. If there is a secret, it's to remember to enable Remote Desktop on the distant server.

    With Terminal Services you can also configure RRAS and accept dial-in so that you can configure the server.

    Summary: Pros install AdminPak and/or Terminal Services to administer their servers


    19) Routing and Remote Access (RRAS)

    Guy's Litmus Test: Have you tested RRAS?

    Professionals investigate Routing and RAS

    Amateurs do not realise that RAS is installed by default

    19) Routing and Remote Access Services (RRAS)

    The fact that Routing and Remote Access is installed by default is an indication of its improved reliability. While RRAS is installed on a Windows Server 2003 server, you still need to activate it and decide whether to use it just for RAS or also as a static router.

    Once you have run the wizard once, you can right click the server object and configure the properties.

    Group policies are everywhere in Windows Server 2003, and that includes RRAS. Use the power of Group Policy to control users' settings whenever they logon. One of the main benefits of switching the domain from mixed to native mode is that you can use group policies when users dial in.

    My Goal - To get you started with RRAS policies

    1. Go to Start\Programs\Administrative Tools\Routing and Remote Access

    2. Add Server (Local Computer)

    3. Run the Wizard (Start with the VPN option if you want to practice)
    4. Look for REMOTE ACCESS POLICIES (Start\Help if you are stuck)

    N.B. The default RRAS Policy is to Deny users access. This is a failsafe mechanism so that no-one can access the RAS server until the administrator has configured the server (or knows what they are doing!).


    N.B. To get the most out of your RRAS Policy and Profiles, your domain needs to be inNATIVE mode.

    Each Policy has a PROFILE tab; this is where you configure how long users can connect to the server, which protocols they use and much more besides.

    Bonus: The Routing side of RRAS

    Windows Server servers can act as a software router. Naturally you need at least two network cards. Check out the Routing by going to RRAS\\IP Routing\General and then right click and add the Interface or Routing protocol that you need.

    This RRAS console has menus with sub menus, so there are many features to evaluate, e.g. OSPF, L2TP, NAT.

    RAS and DHCP Relay Agent

    The Relay Agent is now found inside the \IP Routing\General tab of RRAS. If you are going to set up RRAS you either need to configure a separate scope of IP addresses or else use a DHCP Relay Agent to point to the real DHCP server.

    Summary: Pros have run the RRAS wizard - many times.


    20) WINS

    Guy's Litmus Test: Have you a plan to phase out WINS?

    Professionals prefer DNS and avoid WINS wherever possible

    Amateurs prefer WINS and do not understand DNS

    10) Windows Internet Naming Service (WINS)

    WINS is a Microsoft method for resolving names to IP addresses. As you have probably guessed, I do not like WINS!

    WINS is no longer needed in pure Windows Server 2003 and XP networks. This is because DNS can handle the name resolution and find all the resources XP and W2K Pro need. However, WINS still has two minor roles: enabling Windows 9x clients to find their logon servers, and enabling Exchange 2003 servers to see each other if they are on Remote Networks.

    To be fair to WINS, it has always allowed dynamic updates, but with DDNS clients can now also automatically change their IP registrations in DNS.

    Finding WINS entries

    If you wish to find entries in WINS use * (Star)

    If you must implement WINS, make sure that you integrate it with DNS and DHCP.

    Summary: Pros plan to phase out WINS and use 100% DNS for nameresolution.


    Professionals understand Exchange 2003's dependence on WINS

    Amateurs have no idea that Exchange 2003 still uses WINS in certain circumstances

    Exchange 2003's Dependency on WINS

    If you want to investigate the relationship between WINS and Exchange 2003 you have 3 choices:

    1. Just install WINS and get on with life. Configure records for ALL the Exchange servers and Domain controllers.
    2. Ignore WINS, everything IS working fine on MY small network.
    3. The thinking man's approach. Try to make sense of Exchange's dependency on WINS. If you go down this route, you may find that the waters get muddier before you see clear bottom.

    Clarifying Exchange 2003's Dependency on WINS

    I had been labouring under the delusion that Windows and Exchange 2003 servers no longer need WINS; it seems that I was wrong. However, what I now believe is that Exchange 2003 does not absolutely need WINS. What various Exchange 2003 processes absolutely need is NetBIOS name resolution. On simple networks, like mine, Exchange 2003 can resolve NetBIOS names simply by broadcasting. Now I expect that you are ahead of me on why big networks still need WINS: because broadcasts are limited to the local subnet.

    Let us consider a quote: 'Microsoft tries to make sure all programs work without NetBIOS, but this may only apply to future products.' From the Microsoft source knowledgebase article: PSS ID Number: 837391.

    The above article points out problems with these configurations:

    Exchange Setup needs WINS. (Setup works fine on my simple network without WINS.)
    ExMerge, the Mailbox Merge Wizard, requires WINS.
    Changing the password from an OWA client needs WINS.
    Outlook 2002 and earlier versions need WINS. Outlook 2003 and future versions will not need WINS. This typifies Microsoft's approach to NetBIOS.
    Exchange System Manager loses some (unspecified) functionality.
    Exchange 2003 needs WINS to contact Exchange 5.5. (Especially if there is any NT 4.0 around.)
    There are consistent reports that clustering needs WINS, particularly for setup.
    SMS 2003 needs NetBIOS, but SMS 2003 with SP1 no longer uses NetBIOS.
    Messenger and Alerter services require WINS. However, they both work for me without WINS, provided I start the services and send messages to computers on the same subnet.

    Solutions to Exchange's need for NetBIOS Name Resolution.

    1. WINS (Best).
    2. LMHosts - Troubleshooting.
    3. Broadcast - Local Subnet only.


    Associated programs - DNS, DHCP, Outlook and possibly SMS.

    Exchange 2003's Dependency on WINS - Summary

    Exchange 2003 still makes NetBIOS calls. So either configure resource records in WINS, or else rely on broadcasts to resolve the NetBIOS requests.

    Footnote:

    WINS will be phased out in Exchange 2007 and Longhorn.


    21) Active Directory

    Guy's Litmus Test: How do you deploy Windows Server 2003?

    Professionals install the Active Directory feature of Windows 2003

    Amateurs use Windows Server 2003 only as Member servers in an NT 4.0 Domain

    1) Active Directory

    While the uptake of Windows Server 2003 has been brisk, by no means all administrators are confident in installing the Active Directory feature. What amateurs do is merely install Windows Server 2003 as member servers for their database and mail servers. This is a shame because it is only when you install Windows Server 2003 domain controllers that you get the full benefit of Active Directory services.

    Professionals are planners, Amateurs are assemblers

    Amateurs would merely assemble the CDs and kick off the installation, then fumble along as best they could. Professionals, on the other hand, would analyse the following factors and then plan their Windows Server 2003 Active Directory.

    1. Decide on your overall strategy.
       a) Reformat the machines and build from scratch; I have heard this strategy called 'Wipe and Roll'.
       b) Go for an 'In Place' upgrade to the new system.
       c) Introduce the new Windows 2003 server in the existing Windows 2000 domain, then plan to raise the domain and forest levels to Windows Server 2003.

    2. Understand DNS. Design a naming system which embraces both DNS and Active Directory.

    3. Plan how many domains you really need and how they will be linked: same tree or multiple trees?

    4. Take advantage of Organizational Units and delegation to manage your users and computers.

    5. Develop a vision of your desktops, then create that lockdown through Group Policy.

    6. Calculate the best distribution of physical sites. Consider upgrading network connections.

    7. Understand the role of the Schema, because it defines all the objects in Active Directory.

    8. Upgrade the desktops first. The reasons for this tactic are practical rather than logical: users need the benefits of XP Professional quickly.

    Summary: Pros plan the whole strategy before they implement Active Directory.

    22) FSMO (Flexible Single Master Operations)

    Guy's Litmus Test: Can you find the FSMO roles?

    Professionals can find and control the Flexible Single Master Operations

    Amateurs think FSMO is a fizzy drink!

    22) Introduction to FSMO

    For most operations Windows Server 2003 uses the multiple-master model. For example, if you have three domain controllers, you can physically create a new user in the NTDS.dit database on any of the three. About 15 seconds later (the default intra-site notification delay at the Windows Server 2003 forest level) the new user object is replicated to the other domain controllers in the same site.

    Unlike NT 4.0, there are no primary and backup domain controllers in Windows Server 2003. However, a few operations are so sensitive to conflict that only one domain controller may perform them. These operations are called Flexible Single Master Operations (FSMO); creating a new child domain is one example of a single-master operation.

    I have to confess a hidden agenda with FSMO. If I want to instantly know how well someone knows Active Directory, I introduce FSMO into the conversation and watch their reaction. Professionals will know what FSMO means and its significance; amateurs just frown.

    The five FSMO roles are

    1. PDC Emulator - acts as the PDC for any remaining NT 4.0 BDCs and down-level clients. It is also the authoritative time source for the domain, receives password changes ahead of normal replication (so a failed logon is re-checked there), and is the DC that the Group Policy editor connects to by default when you create or edit policies.

    2. RID Master - every security principal has a SID made up of the domain SID plus a relative identifier (RID). The RID Master hands out pools of RIDs to each domain controller so that no two DCs can issue the same SID when you create objects such as users.

    3. Infrastructure Master - keeps cross-domain references up to date: when a user from another domain is renamed or moved, it updates the group memberships in this domain that point at that user. In a multi-domain forest it must not sit on a global catalog server (unless every DC is a GC), or those references are never refreshed.

    4. Domain Naming Master - controls adding and removing domains in the forest, and so ensures that each domain has a unique name.

    5. Schema Master - the only DC that accepts changes to the schema, e.g. Exchange 2000 setup /forestprep adds the mailbox attributes to the user class.

    Three of the FSMO roles (1-3) are held in each domain, whilst two (4-5) are unique to the entire forest. Thus, if you have three domains there will be 3 PDC Emulators, but only 1 Schema Master.

    To see the PDC Emulator, RID Master and Infrastructure Master (1-3), open Active Directory Users and Computers, right-click the domain and choose Operations Masters. To see the Domain Naming Master (4), open Active Directory Domains and Trusts, right-click the root and choose Operations Master.

    The Schema Master (5) is the most difficult to find. First you need to register the Schema snap-in with this command: regsvr32 schmmgmt.dll; then open a blank MMC, add the Active Directory Schema snap-in (it does not appear under Administrative Tools), right-click the root and choose Operations Master.

    You can see and change the FSMO roles from the Operations Master dialogs described above, or from the command line:

    Troubleshooting FSMO

    DCDiag - not only does DCDiag have tests for the FSMOs (dcdiag /test:KnowsOfRoleHolders reports which DC each role is thought to be on, dcdiag /test:FsmoCheck confirms the holders can be reached), but it also provides information on Active Directory replication. As ever with troubleshooting, you want to get to the root cause, not merely treat one of the symptoms.

    NetDOM - it's a close call whether to run NetDOM before or after DCDiag; the answer partly depends on whether NetDom is already installed or if you need to get it from the Windows Server 2003 Support Tools (\Support\Tools on the CD).

    From the command line type netdom query fsmo. You should see a list of the 5 roles with the corresponding domain controller.

    With FSMO problems, check that the underlying problem is not related to DNS: a DC that cannot resolve the role holder's name reports it as unavailable even though it is up.

    Seizing a FSMO Role

    If you need to move an Operations Master role then you have two choices. If the current holder is online, transfer it: click the Change button in the Operations Master dialog (or use the transfer command in NTDSUTIL), and the two DCs hand over cleanly. If the holder is dead or stolen, you must seize the role with NTDSUTIL. This latter method is harder, but you should practise it, because it will be the only method available if your server crashes or is stolen. Two caveats: never bring a DC whose roles were seized back onto the network (remove its metadata with ntdsutil metadata cleanup and rebuild it), and think twice before seizing the Schema Master or RID Master, because a revived old holder would mean duplicate schema changes or duplicate SIDs.
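As an added example, not Guy's code, the following PowerShell does the "can you find the FSMO roles?" test from the directory itself rather than the GUI, and also covers the transfer-or-seize decision above. Each role is recorded as an fSMORoleOwner attribute on one object, and its value is the distinguished name of the holder's NTDS Settings object; the script reads those five attributes, applies the Infrastructure Master rule, and wraps the ntdsutil transfer and seize commands. It assumes a domain-joined machine with PowerShell 2.0 and ntdsutil, and Domain Admin rights (Enterprise Admin for the two forest roles); the server name DC2 in the usage lines is hypothetical.

```powershell
# Added example for this page (not Guy's code). Assumes PowerShell 2.0 and
# ntdsutil on a domain member; 'DC2' below is a hypothetical target DC.

function Get-FsmoRoleHolder {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$rootDse.defaultNamingContext
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext

    # Count the domains in the forest: crossRef objects under CN=Partitions
    # with FLAG_CR_NTDS_DOMAIN (0x2) set in systemFlags.
    $domainCount = 0
    foreach ($cr in ([ADSI]"LDAP://CN=Partitions,$configNc").psbase.Children) {
        if (([int]"0$($cr.systemFlags)" -band 2) -ne 0) { $domainCount++ }
    }

    # The object that carries fSMORoleOwner for each role. "`$" keeps the
    # literal $ in "RID Manager$".
    $roleObjects = @(
        @{ Role = 'PDC Emulator';          Path = "LDAP://$domainNc" },
        @{ Role = 'RID Master';            Path = "LDAP://CN=RID Manager`$,CN=System,$domainNc" },
        @{ Role = 'Infrastructure Master'; Path = "LDAP://CN=Infrastructure,$domainNc" },
        @{ Role = 'Domain Naming Master';  Path = "LDAP://CN=Partitions,$configNc" },
        @{ Role = 'Schema Master';         Path = "LDAP://$schemaNc" }
    )

    foreach ($entry in $roleObjects) {
        # fSMORoleOwner is the DN of CN=NTDS Settings,CN=<server>,CN=Servers,...
        $ntdsDn = [string]([ADSI]$entry.Path).fSMORoleOwner
        if ($ntdsDn -match '0ADEL:') {
            # The holder's NTDS Settings object has been deleted: the role is orphaned.
            New-Object PSObject -Property @{ Role = $entry.Role; Holder = $ntdsDn
                GlobalCatalog = $false; Warning = 'role points at a deleted DC: seize it' }
            continue
        }
        $ntds   = [ADSI]"LDAP://$ntdsDn"
        $server = $ntds.psbase.Parent                       # the server object
        $isGc   = (([int]"0$($ntds.options)") -band 1) -ne 0 # options bit 0 = is a GC
        $warn   = ''
        if ($entry.Role -eq 'Infrastructure Master' -and $isGc -and $domainCount -gt 1) {
            $warn = 'Infrastructure Master on a GC in a multi-domain forest (fine only if every DC is a GC)'
        }
        New-Object PSObject -Property @{
            Role          = $entry.Role
            Holder        = [string]$server.dNSHostName
            GlobalCatalog = $isGc
            Warning       = $warn
        }
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory=$true)][string]$TargetDc,
        [Parameter(Mandatory=$true)]
        [ValidateSet('pdc','rid master','infrastructure master','domain naming master','schema master')]
        [string]$Role,
        [switch]$Seize
    )
    $verb = 'transfer'
    if ($Seize) { $verb = 'seize' }
    # ntdsutil accepts its menu commands as quoted arguments; each "q" backs out
    # of one menu. "seize" first attempts a clean transfer and asks you to confirm.
    & ntdsutil 'roles' 'connections' "connect to server $TargetDc" 'q' "$verb $Role" 'q' 'q'
}

Get-FsmoRoleHolder | Format-Table Role, Holder, GlobalCatalog, Warning -AutoSize
# Move-FsmoRole -TargetDc 'DC2' -Role 'pdc'           # holder online: clean transfer
# Move-FsmoRole -TargetDc 'DC2' -Role 'pdc' -Seize    # holder gone for good
```

Run the audit first and compare it with netdom query fsmo; if the two disagree, that DC's copy of the directory is stale, which is a replication problem to fix before touching any role. Keep the -Seize line for the day the holder really is dead, and rebuild that server before it ever sees the network again.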

    Summary: Pros understand FSMO and can change the roles when needed

    23) Group Policy and GPMC

    Guy's Litmus Test: How do you apply Group Policies?

    Professionals use Group Policies to configure the desktop

    Amateurs use mandatory profiles to control the users

    23) Group Policy

    In Windows Server 2003, understanding Group Policy is second in importance only to understanding Active Directory. The key thinking behind Group Policy is 'prevention is better than cure': restrict users' settings and so prevent them from causing problems. Group Policies are like putting blinkers on the users. Policies make people concentrate on their job tasks, while stopping them from being distracted by all the extra settings that have no business case. As a result of a good Group Policy the users are more productive and you get fewer support calls to the help desk.

    Professionals master Group Policies. Amateurs either ignore them or get into a mess because they do not appreciate the intricacies of setting a good policy.

    Group Policies are fun. With Group Policies not only can you be Mr Nasty (screwing down the desktop), but you can also be Mr Nice. Mr Nice provides just the programs users need, but no extras. So when an accountant logs on they get MS Office XP and accounting software. When ordinary users log on they get only the Office suite. What is more, if a program breaks then IntelliMirror's software installation (Windows Installer packages assigned through Group Policy) automatically repairs it.

    Having established the need, the next problem with setting up Group Policy is time. You need a week experimenting with a group of test machines before you think of rolling out to the production network.

    Policies can be applied at the Site, Domain and OU level, and are processed in that order after the local policy, so where settings conflict the OU policy normally wins. My advice is to set your security at the domain level, but control the desktop at the OUs. Avoid setting policies at the Site level; it is not necessary and only adds an extra layer of complexity.

    Tips to make you a Group Policy expert

    1. When you experiment with Group Policies, create and use a special test user account.
    2. Create a special OU (Organizational Unit) for testing Group Policies.
    3. Take the time to investigate all the Group Policy settings.
    4. Consider mastering the Group Policy templates to apply your settings at the Domain level.
    5. Use 'No Override' (GPMC calls it 'Enforced') and 'Block Inheritance' to isolate a problem.
    6. Create a 'VISION' of the perfect desktop.

    Bonus Litmus Test - GPMC

    Professionals download GPMC (Group Policy Management Console) from Microsoft's site.

    Amateurs try to find GPMC on the support disk, then give up.

    Once the pros install GPMC they use the interface for planning, reporting and modelling their policies (Group Policy Modeling and Group Policy Results). In addition, professionals refresh their Group Policies with gpupdate; amateurs persevere with the Windows 2000 command secedit /refreshpolicy.

    Summary: Pros use GPMC to configure Group Policy settings and thus control the desktop

    24) Installing Windows Server 2003 or W2K3

    Guy's Litmus Test: How big is your C:\drive?

    Professionals install Windows Server 2003 on a 20GB partition

    Amateurs stick with a small 2GB system partition

    24) Installing Windows Server 2003

    Make sure you have a big enough partition

    This test fulfils all the requirements of a good litmus test: it can be easily measured and the answer is likely to be conclusive. A small installation partition indicates trouble, lack of planning and an amateur at work.

    The problem is compounded because, whilst other NTFS volumes can be extended with diskpart, the system volume containing \Windows cannot be extended while Windows Server 2003 is running from it. So plan for at least 5GB for the \Windows partition, and 20GB if you want room for service packs, the page file and the logs. If you choose a miserly 2GB you will soon find it inadequate.

    If you get stuck do not despair; investigate mount points as a way of adding space beneath the partition (try Windows Server 2003 Help).

    More Installation Advice

    Before you build a server, you need a plan. Think like a general planning a military campaign; a list, as in a shopping list, is not good enough to install a Windows Server 2003 server.

    1. Refer to the HCL
    2. Avoid Pacific time (in the UK!)
    3. Learn about RIS

    Litmus test: Professionals always refer to the HCL

    Step 0 (zero): before you order ANY equipment for Windows Server 2003 or W2K3, check Microsoft's HCL (Hardware Compatibility List). One of the reasons for studying history is to learn from others' mistakes. Those of us who remember the early days of NT 4.0 learned that only kit on the HCL worked properly. Those who do not heed the lessons of history are destined to repeat the mistakes.

    I also use the HCL as a litmus test when dealing with suppliers in general and salesmen in particular. Basically, if they do not know what the HCL is, they are amateurs.

    If you are doubtful of your kit's ability to run Windows Server 2003, run winnt32 /checkupgradeonly from the installation CD, or get the program Chkupgrd.exe from Microsoft's site.

    Litmus test: UK amateurs have Pacific time (in the UK!)

    If you are in the UK, I assume you change the default keyboard from US to UK. Also beware the default -8:00 Pacific time zone. Windows Server 2003 domain controllers authenticate to one another with Kerberos, which rejects any request whose timestamp is more than five minutes (the default tolerance) adrift from the DC's own clock; two DCs out of sync by more than that do not merely run slowly, they stop authenticating and replicating.

    I was called out to a case where one DC was on Pacific time and the other on GMT. Now Windows can handle that, if the clocks are exactly 8hr different; in this case the clocks displayed the same time, thus masking an 8hr difference. As a result, Active Directory would not synchronise. The solution was to adjust the Pacific Time to GMT and alter the clock 8hrs.
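As an added example, not Guy's code, here are three of this section's litmus tests (system partition size, time zone, clock skew against the PDC Emulator) written as checks you can run on a freshly built server before it joins the domain. It assumes Windows with PowerShell 2.0 and the w32tm tool; the reference DC name and the expected time zone are parameters, and the 'dc1' in the last line is hypothetical.

```powershell
# Added example for this page (not Guy's code). Assumes PowerShell 2.0 and
# w32tm; 'dc1' and 'GMT Standard Time' are the values a UK site would pass.

function Get-SystemPartitionGB {
    # Size of the volume that holds \Windows, in GB.
    $os   = Get-WmiObject Win32_OperatingSystem
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
    [math]::Round($disk.Size / 1GB, 1)
}

function Get-ClockOffsetSeconds {
    # Average offset of this machine against a reference (normally the PDC
    # Emulator), parsed from w32tm's "hh:mm:ss, +00.0012345s" sample lines.
    param([string]$ReferenceServer, [int]$Samples = 3)
    $lines = & w32tm /stripchart /computer:$ReferenceServer /samples:$Samples /dataonly 2>&1
    $offsets = @(foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    })
    if ($offsets.Count -eq 0) { return $null }   # unreachable, or not serving NTP
    ($offsets | Measure-Object -Average).Average
}

function Test-ServerInstall {
    param(
        [Parameter(Mandatory=$true)][string]$ReferenceDc,
        [double]$MinimumSystemGB = 5,
        [string]$ExpectedTimeZone = 'GMT Standard Time'
    )
    $tz     = [TimeZone]::CurrentTimeZone
    $sizeGb = Get-SystemPartitionGB
    $offset = Get-ClockOffsetSeconds -ReferenceServer $ReferenceDc

    New-Object PSObject -Property @{
        SystemPartitionGB = $sizeGb
        PartitionOk       = ($sizeGb -ge $MinimumSystemGB)
        TimeZone          = $tz.StandardName
        UtcOffsetHours    = $tz.GetUtcOffset((Get-Date)).TotalHours   # Pacific = -8, GMT = 0 (+1 in summer)
        TimeZoneOk        = ($tz.StandardName -eq $ExpectedTimeZone)
        ClockOffsetSec    = $offset
        # Kerberos tolerates 5 minutes of skew by default; beyond that
        # authentication, and therefore replication, fails.
        KerberosOk        = (($offset -ne $null) -and ([math]::Abs($offset) -lt 300))
    }
}

Test-ServerInstall -ReferenceDc 'dc1' | Format-List
```

The time zone and the clock are checked separately on purpose: the page's Pacific-time story is exactly the case where the displayed time looks right while the UTC offset is eight hours out, and only the w32tm comparison against the PDC Emulator shows it.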

    Install Remote Installation Service RIS

    Litmus test: Professionals know what RIS is about

    If you are convinced of the benefits of DHCP, and remember how long it took to gain acceptance, then I hope that you will give RIS a chance.

    Imaging software like Ghost is very good for installing workstations. However, RIS has a compelling extra feature: it is part of IntelliMirror, so the same Group Policy machinery that deploys the image also assigns the software and settings on top of it, and Windows File Protection restores a protected system file from the installation source when a user deletes or moves it. The result is less downtime and reduced support costs. Put the RIS server under the same change control as a domain controller, because anyone who can alter its images controls every machine built from them.

    Summary: Pros always plan and test a server installation.

    25) Logon Scripts

    Guy's Litmus Test: Where do you configure Logon Scripts?

    Professionals apply Logon Scripts through Group Policies

    Amateurs set Logon Scripts individually on users' property sheets

    25) Professionals apply logon scripts via Group Policies

    The benefit of assigning logon scripts via Group Policy is that you can change the logon script in one central location. In Windows 2000 you could not select several users and change their property sheets together, so every account had to be edited in turn. (Windows Server 2003's Active Directory Users and Computers does allow multi-select editing, but the script is still stored per user.)

    The technique I recommend is: open Active Directory Users and Computers, right-click the domain (or better, an OU), Properties, Group Policy tab; select the policy and click Edit; then User Configuration, Windows Settings, Scripts (Logon/Logoff). Startup and shutdown scripts live under Computer Configuration, Windows Settings, Scripts (Startup/Shutdown).

    As a bonus you can also apply logoff scripts to help users tidy up when they log off their machines. If you apply logon scripts via Group Policy, then you can also write startup scripts which apply to the computer no matter who logs on. Remember that startup scripts run as LocalSystem, so guard the folder they are read from as carefully as the script itself.

    Homily

    At first, the motor car was called a horseless carriage. The driver was on the outside because he had been there from the stage coach days. One day someone said 'Why don't we put the driver inside with the passengers?' So it is with Windows Server 2003: there are many new and better ways of doing old tasks. So move the logon scripts inside the Group Policies, and abandon the old DOS commands in favour of Visual Basic scripts.

    Group Policies v Logon Script Strategy

    In my opinion logon scripts are gradually being replaced by Group Policies. For example, mapping home drives via a logon script can now be replaced by a Folder Redirection policy which redirects 'My Documents' to a server. However, it is often the case that there is more than one way to achieve the desktop that you want. If a logon script gets it done then fine, but if not, then do consider a policy. Group Policies are here to stay: Windows Server 2003 has about 400 and XP has an extra 200 policies. Many large companies write their own policies; once you remember that policies write to either the HKEY_CURRENT_USER or the HKEY_LOCAL_MACHINE part of the registry, you can see that virtually any registry setting can be written into a policy.

    There will always be a place for scripting, and compared with NT 4.0, Windows Server 2003 has transformed scripting. All you need to get started is Notepad, because the latest generation of Windows operating systems has a scripting host (WSH) built in. The result is that your logon scripts will execute automatically; just save the script with a .vbs extension.

    Example Script - MapNetworkDrive with extra VBScript code

    Our objective remains to map a drive, but this time to J:. My share name and server are the same as in example 1: the share 'home' on the server '\\alan'.

    Pre-requisites.

    1. In the line that sets strRemotePath, change the server name from '\\alan' to your server name.
    2. Make sure that your server has a share called 'home'.

    Instructions to MapNetworkDrive

    1. Copy and paste the script below into Notepad.
    2. Check strRemotePath: your server is unlikely to be called \\alan, so amend it to the name of your server.
    3. Save the file with a .vbs extension, e.g. MapNetworkDrive.vbs.
    4. Double-click your script and check in Windows Explorer for a new drive called: home on 'alan' (J:)

    ' MapNetworkDrive.vbs
    ' VBScript to map a network drive to a UNC Path.
    ' Author Guy Thomas http://computerperformance.co.uk/
    ' Version 1.4 - May 2006
    ' -----------------------------------------------------------------'
    Option Explicit
    Dim objNetwork
    Dim strDriveLetter, strRemotePath

    strDriveLetter = "J:"
    strRemotePath = "\\alan\home"

    ' Purpose of script: create a network object (objNetwork),
    ' then apply the MapNetworkDrive method. Result: J: drive.
    Set objNetwork = CreateObject("WScript.Network")
    objNetwork.MapNetworkDrive strDriveLetter, strRemotePath

    WScript.Quit

    ' End of Example VBScript.

    Learning Points

    Note 1: At the top of the script is a heading section. The idea of the header is to explain what this VBScript will achieve. Some script writers feel that the Dim statements, which declare variables, are also part of the header section.

    Note 2: Option Explicit is a VBScript command which forces me to declare variables. Not only is this 'best practice', but in my case it alerts me to typos later in the script.

    Note 3: See how this script declares the variables strDriveLetter and strRemotePath, then reuses them later in the script. If you stick with me, you will see that I love variables. In this example, MapNetworkDrive employs just two arguments: drive letter and UNC path.

    Note 4: Once we declare strDriveLetter, then we can assign it a value, in this case "J:". One perennial problem I have with scripting is paying attention to detail, especially the syntax. Even with a simple letter, J, we must be careful. For the script to succeed we need precisely "J:". Neither "J:\" nor "J\:" will work.

    Getting Started

    Once your script works, open Active Directory Users and Computers, right-click the domain (or a test OU), Properties, Group Policy; select the policy (the Default Domain Policy, or better a policy linked to your test OU), Edit, User Configuration, Windows Settings, Scripts (Logon/Logoff); double-click Logon, click Show Files and copy MapNetworkDrive.vbs into the folder that opens (it lives under SYSVOL, so it replicates to every DC), then click Add and select the script.
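As an added example, not Guy's code, here is the other side of the recommendation above: once logon scripts live in Group Policy, you can list every script every GPO in the domain assigns by reading the scripts.ini files under SYSVOL, instead of hunting through user property sheets. The script flags entries whose command line points outside the GPO's own Scripts folder, since a startup script that runs as LocalSystem from a share someone else can write to is an escalation path. It assumes read access to \\<domain>\SYSVOL and PowerShell 2.0; the ini text at the end is constructed for an offline demonstration and is not from any real GPO.

```powershell
# Added example for this page (not Guy's code). Assumes PowerShell 2.0 and read
# access to SYSVOL. The sample ini at the bottom is constructed, not real.

function ConvertFrom-ScriptsIni {
    # scripts.ini has [Logon]/[Logoff] sections (User\Scripts) or
    # [Startup]/[Shutdown] (Machine\Scripts); each script is an
    # NCmdLine= / NParameters= pair sharing the same index N.
    param([string[]]$Lines, [string]$Source)
    $section = $null
    $entries = @{}
    foreach ($raw in $Lines) {
        $line = "$raw".Trim()
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; continue }
        if ($section -and $line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $key = "${section}:$($matches[1])"
            if (-not $entries.ContainsKey($key)) {
                $entries[$key] = @{ Source = $Source; Section = $section
                                    Index = [int]$matches[1]; CmdLine = ''; Parameters = '' }
            }
            $entries[$key][$matches[2]] = $matches[3]
        }
    }
    $entries.Values | ForEach-Object {
        # A UNC or drive path means the script is not in the GPO's own Scripts
        # folder: check who can write there, because startup scripts run as SYSTEM.
        $_.External = ($_.CmdLine -match '^(\\\\|[A-Za-z]:\\)')
        New-Object PSObject -Property $_
    } | Sort-Object Source, Section, Index
}

function Get-GpoScript {
    # Walk every GPO's folder in SYSVOL and parse the scripts.ini files found.
    param([string]$DomainDns = $env:USERDNSDOMAIN)
    $policies = "\\$DomainDns\SYSVOL\$DomainDns\Policies"
    Get-ChildItem -Path $policies -Recurse -Filter scripts.ini -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-ScriptsIni -Lines (Get-Content $_.FullName) -Source $_.FullName }
}

# Constructed sample, shaped like a real scripts.ini (not taken from any GPO):
$sampleIni = @'
[Logon]
0CmdLine=MapNetworkDrive.vbs
0Parameters=
1CmdLine=\\alan\netlogon\legacy.bat
1Parameters=/quiet
[Logoff]
0CmdLine=cleanup.vbs
0Parameters=
'@ -split "`r?`n"

ConvertFrom-ScriptsIni -Lines $sampleIni -Source 'constructed sample' |
    Format-Table Section, Index, CmdLine, Parameters, External -AutoSize

# Against the real domain:
# Get-GpoScript | Format-Table Source, Section, CmdLine, External -AutoSize
```

On the constructed sample, MapNetworkDrive.vbs and cleanup.vbs are reported as local to the GPO and \\alan\netlogon\legacy.bat is flagged External. A script nobody remembers deploying, or one that lives outside SYSVOL, is worth a question before the next logon runs it.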

    Summary: Pros apply logon scripts through group policies

    26) Raise Domain Levels (Mixed v Native Mode)

    Guy's Litmus Test: When will you Raise your Domain Level?

    Professionals set a date to Raise their Domain Level

    Amateurs think Mixed mode means Windows 98 clients

    26) Raise Domain and Forest Levels (Mixed v Native Mode)

    Windows Server 2003 domain mode

    Domain Function Levels - (Mixed and Native)

    There are now four domain 'levels' that a Windows Server 2003 domain can operate in. Whilst it is easy to understand what each level means, it takes time to learn how Microsoft's terminology has changed from Windows 2000. Formerly we only had Mixed and Native modes; now there are four possible settings, and the jargon is 'Raise Level'.

    1. Windows Server 2003. All domain controllers run Windows Server 2003, no other domain controllers. Even at this level, the whole range of clients and member servers can still join the domain.

    2. Windows Server 2003 interim. NT 4.0 BDCs and Windows Server 2003 DCs (no Windows 2000). This level arises when you upgrade an NT 4.0 PDC straight to Windows Server 2003. Interim mode matters where you have NT 4.0 groups with more than 5000 members: at the Windows 2000 levels a group with more than 5000 members cannot replicate reliably, so Windows 2000 does not allow you to create one.

    3. Windows 2000 native. (Yes, Windows 2000 native.) Allows Windows 2000 and Windows Server 2003 DCs (no NT 4.0).

    4. Windows 2000 mixed. (Yes, Windows 2000 mixed.) Allows NT 4.0 BDCs, Windows 2000 and Windows Server 2003 DCs. Naturally Windows 2000 mixed is the default level, because it supports all types of domain controllers.

    When you decommission the last NT 4.0 BDC, raise the domain level at least to Windows 2000 native mode; this will give you access to:

    1. Universal security groups
    2. Nesting of Global groups
    3. Logon with a User Principal Name (UPN), e.g. user@yourdomain.com
    4. Remote Access Policies: control dial-in users through policies
    5. USMT (User State Migration Tool)

    N.B. If you switch to native mode you can NOT reverse it; there is no path back to mixed mode. How do you make the switch? Open Active Directory Users and Computers, right-click the domain and choose Raise Domain Functional Level (in Windows 2000 it was Properties, Change Mode).
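As an added example, not Guy's code, the following PowerShell answers "when will you raise your domain level?" from the directory itself: the domain, forest and DC functional levels are published in RootDSE, and whether the domain is still mixed (NT 4.0 BDCs allowed) or native is the ntMixedDomain attribute on the domain object. It assumes a domain member with PowerShell 2.0; an ordinary domain user can read all of these attributes. The level names above 2 go beyond this page's Windows Server 2003 scope and are included so the script stays useful on later domains.

```powershell
# Added example for this page (not Guy's code). Read-only; assumes PowerShell 2.0
# on a domain member.

function Get-DomainLevel {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

    # msDS-Behavior-Version values; 0 to 2 are the ones this page discusses.
    $levelNames = @{
        0 = 'Windows 2000';            1 = 'Windows Server 2003 interim'
        2 = 'Windows Server 2003';     3 = 'Windows Server 2008'
        4 = 'Windows Server 2008 R2';  5 = 'Windows Server 2012'
        6 = 'Windows Server 2012 R2';  7 = 'Windows Server 2016'
    }
    # RootDSE exposes these on Windows Server 2003 and later DCs. A Windows 2000
    # DC has no such attributes, so an empty answer is reported as level 0.
    $domainLevel = [int]"0$($rootDse.domainFunctionality)"
    $forestLevel = [int]"0$($rootDse.forestFunctionality)"
    $dcLevel     = [int]"0$($rootDse.domainControllerFunctionality)"
    # ntMixedDomain: 1 = mixed (NT 4.0 BDCs allowed), 0 = native. It is 1 at
    # the interim level too; a Windows Server 2003 domain is always native.
    $mixed = ([int]"0$($domain.ntMixedDomain)") -eq 1

    $domainName = $levelNames[$domainLevel]
    if ($domainLevel -eq 0) {
        if ($mixed) { $domainName += ' mixed' } else { $domainName += ' native' }
    }
    New-Object PSObject -Property @{
        Domain       = [string]$domain.distinguishedName
        DomainLevel  = $domainName
        ForestLevel  = $levelNames[$forestLevel]
        ThisDcLevel  = $levelNames[$dcLevel]
        MixedMode    = $mixed
        # The raise is one way; only do it once the last NT 4.0 BDC is gone.
        ReadyToRaise = ((-not $mixed) -and ($domainLevel -lt 2))
    }
}

Get-DomainLevel | Format-List
```

ReadyToRaise is deliberately conservative: it says the domain is native but not yet at the Windows Server 2003 level, which is the moment to set the date this litmus test asks about. It cannot tell you whether every DC has been upgraded; check that with the Operations Masters and the Domain Controllers OU before you click Raise.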

    Amateurs think that mixed mode refers to the clients, not to the legacy domain controllers. They think that you must stay in mixed mode until you upgrade all the Windows 9x clients. They are wrong!

    Note: In addition to Raise Domain Level, there is also the concept of Raise Forest Level; however, that is not covered here.

    Summary: Pros plan to raise the level to Windows Server 2003.

    27) Organizational Units and Delegation

    Guy's Litmus Test: Do your OUs reflect your company structure?

    Professionals plan an Active Directory domain with lots of Organizational Units

    Amateurs create all new objects in the Users folder

    27) Organizational Units (OUs)

    Windows Server 2003 supports Organizational Units (OUs), which allow you to classify users by department or site. In addition to good housekeeping, there are two advantages of this arrangement: you can delegate within units, and you can create different Group Policies for each OU.

    If you do not create OUs, all your users will be born in the default Users container, and so you lose a valuable chance to categorize people by department or site. Group Policy cannot be linked to the Users and Computers containers at all, which is another reason to move objects into OUs; in a domain at the Windows Server 2003 level, redirusr.exe and redircmp.exe let you change where new accounts land by default.

    Delegation and OUs

    Delegation is an item that has been high on administrators' wish lists for many years. The problem in NT 4.0 was that if you wanted help desk staff to be able to change users' passwords, you had to make them members of the Account Operators group. There was no halfway house: they either had full rights over the users or none at all.

    With Windows Server 2003 you can achieve fine control through delegation. For example, help desk staff can reset passwords in the Sales OU. Human Resources can be delegated the right to create new users in the Manufacturing OU. Neither group would be allowed to view the audit logs or reset the administrator's password. Remember that a reset-password right over an OU is only as safe as the accounts that sit in it, so keep administrative accounts out of delegated OUs, and review each OU's ACL from time to time: delegated permissions accumulate, and the wizard gives you no way to list or remove them (use the Security tab in Advanced view, or dsacls from the Support Tools).

    To configure, go to Active Directory Users and Computers, right-click the organizational unit and choose Delegate Control, which starts the Delegation of Control Wizard.
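As an added example, not Guy's code, here is the review the paragraph above asks for: it lists what has actually been delegated on an OU by reading the OU's explicit (non-inherited) ACEs, translating the well-known GUIDs that the Delegation of Control Wizard writes into plain names, and flagging any trustee outside the expected administrative groups who holds full control or the right to rewrite the ACL or owner, which amounts to ownership of every account beneath the OU whatever the delegation was called. It assumes a domain member with PowerShell 2.0; the OU name in the last line is hypothetical. The explicit ACEs also include the schema defaults (Account Operators and friends), so not every line is a delegation someone chose.

```powershell
# Added example for this page (not Guy's code). Read-only; assumes PowerShell 2.0.
# 'OU=Sales,DC=contoso,DC=com' is a hypothetical OU.

function Get-OuDelegation {
    param([Parameter(Mandatory=$true)][string]$OuDistinguishedName)

    # schemaIDGUIDs of common classes/attributes and rightsGuids of extended rights.
    $guidNames = @{
        '00000000-0000-0000-0000-000000000000' = 'all classes / all rights'
        'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user objects'
        'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group objects'
        'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer objects'
        'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member attribute'
        '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
        'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password (extended right)'
    }
    # Trustees expected to hold sweeping rights; anyone else with them is a finding.
    $expectedAdmins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'Domain Admins', 'Enterprise Admins'

    $ou = [ADSI]"LDAP://$OuDistinguishedName"
    foreach ($ace in $ou.psbase.ObjectSecurity.Access) {
        if ($ace.IsInherited) { continue }   # inherited ACEs come from the domain head
        $trustee = $ace.IdentityReference.Value
        $rights  = $ace.ActiveDirectoryRights.ToString()
        $typeId  = $ace.ObjectType.ToString()
        $target  = if ($guidNames.ContainsKey($typeId)) { $guidNames[$typeId] } else { $typeId }
        $isAdmin = $false
        foreach ($a in $expectedAdmins) { if ($trustee -like "*$a") { $isAdmin = $true } }
        # Full control, or the right to rewrite the ACL or owner, is ownership of
        # everything under the OU, however the delegation was described.
        $over = (-not $isAdmin) -and ($ace.AccessControlType -eq 'Allow') -and
                ($rights -match 'GenericAll|WriteDacl|WriteOwner')
        New-Object PSObject -Property @{
            Trustee       = $trustee
            Access        = $ace.AccessControlType
            Rights        = $rights
            AppliesTo     = $target
            Inheritance   = $ace.InheritanceType
            OverDelegated = $over
        }
    }
}

Get-OuDelegation -OuDistinguishedName 'OU=Sales,DC=contoso,DC=com' |
    Sort-Object OverDelegated -Descending |
    Format-Table Trustee, Rights, AppliesTo, OverDelegated -AutoSize
```

A healthy help-desk delegation shows up as an ExtendedRight for 'Reset Password (extended right)' on 'user objects' with Inheritance Descendents; a line reading GenericAll for a help-desk group, or WriteDacl for anyone you did not expect, is the amateur's "just give them full control" and is worth removing the same day.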

    Summary: Pros plan an OU hierarchy bearing in mind delegation and policies

    28) Printer Location

    Guy's Litmus Test: Can you configure Printer Locations for your Active Directory domain?

    Professionals: Have both the vision of what Printer Locations can achieve and the technical expertise to configure the necessary settings.

    Amateurs: Either cannot see the advantages of Printer Locations, or else cannot find the four different places you need to visit before the job is complete.

    Printer Location

    Everyone that I have shown this Printer Location plan has expressed a satisfied glow when they completed their tasks and saw the printers pre-populated in the Add Printer wizard. Therefore I lay down the gauntlet and challenge you to master Printer Locations; I guarantee this is a mission that you will enjoy accomplishing.

    Printer Location Vision

    Before we start, here is the most fantastic vision that I can think of for Printer Locations. Imagine that you are sitting in your office and urgently you need to send a hard copy of a document to a manager in one of your faraway offices in Australia, Paris or Toronto. You know from bitter experience that if you send an email, the attachment will be gobbled by an over-zealous filter;  even if the document gets through, the technophobe at the other end won't open it. Yet you want them to attend to your document urgently. The good news is you know, because they complained to you about it, that they have a LaserJet 2420 printer right by their desk.

    What if you could open the Printers and Faxes folder, select New Printer, Network, Find, Location and then select Australia, Paris or wherever the manager operates? Lo and behold, there is their LaserJet 2420; you click OK. Once the printer object arrives in your folder you can print the urgent document from your workstation and direct the output to that distant LaserJet. In a minute or two, it will churn out the printed page in the tray of that faraway office. Now this is not pure fantasy; with a little expertise, the above scenario could become reality.

    A more mundane reason for configuring printer locations is pampering reps or other mobile workers who need to print documents in whichever of your offices they find themselves. For these users, when they select New Printer, Network, the Location box is already pre-populated with printers on their subnet. Clever.

    Printer Location Configuration

    These are the four stages in configuring Printer Locations in your Active Directory domain.

    1. Subnet Location - F

