Flash back
As I was wondering what title to give the check list, my mind flashed back to my schoolboy days. Suddenly I remembered my chemistry teacher 'Sniffy' Pugh showing us Litmus tests. Perhaps you remember the test? What happens is you dip Litmus paper into a liquid, if the paper turns red it means acid, whereas if it turns blue the liquid is alkaline. It struck me that Litmus test was the ideal name for a quick test where there are only two possible results, one good the other bad.
Page 1 of 82
Computerperformance.co.uk
Case D. Photocopy
Backup!
One day the database server went down and the manager asked his assistant for the backups. The proud assistant got out a pile of photocopied records and said, 'There are the backups'! Were they able to restore the backup from photocopies? No way! I never did discover if the root cause was a language problem or just plain ignorance.
Below is a yellow warning message telling us that a new machine has not been properly named. The network identification tab should be configured to include the domain suffix.
Increase the log size from the default of 512 KB to about 4 MB. Use the filter in Event Viewer (it is hidden away under the View menu). Employ VBScripts or PowerShell cmdlets to help you monitor the logs.
3) Fewer Reboots
The good news is that Microsoft have reduced the number of actions that require a reboot from over 150 in NT 4.0 to just 7 in Windows 2003. The bad news is that rebooting the server is no longer as effective in curing problems as it was in NT. On occasions where rebooting solves a problem, restarting the individual service would work just as well. Think how much downtime you will save. Where do you find the settings? Administrative tools, Services
Restarting services is particularly useful when troubleshooting Exchange 2003 or SQL problems. Rebooting the machine would achieve the same result but would take an age, and other services would not be available until the restart is complete. Stopping and restarting the services is more efficient and also teaches you the dependencies between services. For example, the Exchange Information Store is dependent on the System Attendant. Configure services to restart automatically on failure (an idea W2K3 has taken from Exchange). Investigate a VBScript to restart services automatically.
Summary: Pros understand Services and know how to restart them and thus cure their problems
Make it your reflex to remove the group Everyone, because they have Full Control; substitute Users and give them only Read. It usually makes sense to also add Administrators and give them Full Control.
Right click a shared folder, check the permissions under both Share and NTFS Tabs. Note that there are two tabs to control permissions on any folder - Sharing (Key of the door) and Security (NTFS lock on the safe).
The biggest change compared with NT 4.0 is that you now have the Deny permission. In NT 4.0 the No Access permission was rather a blunt tool; it meant you could not read documents or list files. The new Deny means that you can explicitly Deny Write. That means that if a user is a member of another group that is given Change permission, they still only end up with Read.
If you get a few complaints from users about difficulties writing to folders, that indicates that your security is working. My point is that no complaints about permissions may mean no security.
Right click a shared folder, check the permissions under both Share and NTFS Tabs
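The permission check described in this section, as an added PowerShell example (not code from the ebook or from Guy Thomas). It reports whether Everyone holds Full Control on a folder's NTFS permissions and, only when run with -Apply, replaces that with the recommended set: Users get Read, Administrators get Full Control. The folder path is an assumed placeholder; the script touches the NTFS (Security tab) permissions only, not the Share tab.

```powershell
# Added example, not from the ebook: audit a folder's NTFS permissions for
# "Everyone: Full Control" and, with -Apply, replace them with the recommended
# set (Users: Read, Administrators: Full Control). $Path is an assumed placeholder.
param(
    [string]$Path = "C:\Shares\Example",   # assumed placeholder folder
    [switch]$Apply                         # without -Apply the script only reports
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-EveryoneFullControlRule {
    param([string]$Folder)
    # Each access rule pairs an identity with a rights mask and Allow/Deny
    (Get-Acl -Path $Folder).Access | Where-Object {
        $_.IdentityReference.Value -eq "Everyone" -and
        $_.AccessControlType -eq "Allow" -and
        ($_.FileSystemRights -band $FullControl) -eq $FullControl
    }
}

function Set-HardenedFolderAcl {
    param([string]$Folder)
    $acl     = Get-Acl -Path $Folder
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    # Drop every explicit rule for Everyone (inherited rules must be fixed at the parent folder)
    foreach ($rule in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq "Everyone" -and -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # Users get Read (plus Execute, so they can open documents); Administrators keep Full Control
    $usersRead  = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Users", "ReadAndExecute", $inherit, $prop, "Allow")
    $adminsFull = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators", "FullControl", $inherit, $prop, "Allow")
    $acl.AddAccessRule($usersRead)
    $acl.AddAccessRule($adminsFull)
    Set-Acl -Path $Folder -AclObject $acl
}

$offenders = @(Get-EveryoneFullControlRule -Folder $Path)
if ($offenders.Count -eq 0) {
    "OK: Everyone does not hold Full Control on $Path"
} else {
    "WARNING: Everyone holds Full Control on $Path"
    if ($Apply) { Set-HardenedFolderAcl -Folder $Path; "NTFS permissions replaced." }
    else        { "Re-run with -Apply to replace them." }
}
```

An explicit Deny Write for a particular group, the case discussed above, is built the same way with "Write" as the rights and "Deny" as the final argument to FileSystemAccessRule; because Deny entries are evaluated before Allow entries, it wins over a Change permission that the user picks up from another group.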
5) Recovery Toolkit
Guy's Litmus Test: In event of a system failure, how many recovery tools can you use? Professionals have a tried and test list of recovery strategies Amateurs can only reinstall the server from scratch
5) Recovery Toolkit
The situation is that your machine crashes and will not restart properly, what do you do next? 1. 2. 3. 4. 5. 6. 7. Safe Mode Recovery Console - CD Directory Services Restore Windows Server 2003 Repair LKK Restore Points XP (ERD)
Safe mode
Those coming from NT 4.0 will be impressed with all the options revealed by pressing F8 on boot up; those who know Windows 98 will find old friends amongst these options. Safe Mode is my favourite strategy; I find it usually works, and I can get into the system and reverse whatever was stopping it booting normally.
Recovery Console
This is a great strategy if you have to repair a corrupted file by copying the original from CD. What happens is the command console boots into a shell which looks like DOS; then you can copy the files from the CD to the WINNT folder. Organized administrators prepare by installing the command console with winnt /cmdcons. As ever Microsoft provide two ways of doing everything, and you can also access the command console by inserting the CD and choosing R = Repair from the appropriate menu.
Windows Repair
When crucial operating files get damaged, you could carry out a repair. The technique is to pretend you wish to install a new copy, but at the crucial menu, select Windows Repair. Note this is a different technique from Recovery Console; you will need the Product Key for this Repair option.
7) Security Auditing
Guy's Litmus Test: How many entries does your Security Log have?
Professionals set up auditing for security information.
Amateurs say empty security logs mean no problem.
Amateurs will almost certainly have a blank Audit log because the default setting is no auditing. Professionals will be alerted to unsuccessful logons, which could mean a hacker at work, or may be just Fred having trouble locating a file. Either way, the IT Professional will know. Setting up File Auditing is a knack. There are three places you need to configure. Firstly, set Auditing at the Domain level: go to Active Directory Users and Computers, Domain Object, Properties, Group Policy. From there configure as in the diagram below.
Secondly, you need to turn Auditing on at the Folder level. Note: that for once the group Everyone is your friend, as it may not be the person you think who is deleting the files. Warning: do not audit more than you need or the log will soon fill up and what is more, searching for the information will be like looking for a needle in a haystack.
Thirdly, check the Event Viewer Security log for evidence of who was deleting the files. A tip for the Boss: if I was the boss, I would have a meeting with my network manager and ask to see the security log options. Just asking for this information will jog the network manager's memory. The hidden message is that even the techie's actions are accountable. If the network manager is honourable then they will have nothing to fear. If they are a rogue, then okay, they can get around it by deleting the log, but that in itself would be suspicious.
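The two log-keeping tips on this checklist, a bigger Security log and a script that watches it, combined into one added PowerShell example (not code from the ebook). It raises the Security log limit to 4 MB, then reads the failed-logon audit events of the last day and counts them per account, so "Fred having trouble" and a long run of failures against one account stand out at a glance. The threshold and the ReplacementStrings positions used to pull the account name out of each event are assumptions noted in the code; the event IDs are the standard ones (529 on Windows 2003, 4625 on Windows Server 2008 and later).

```powershell
# Added example, not from the ebook: grow the Security log past the 512 KB default,
# then tally failed logons per account from the Security log. Event IDs: 529 =
# logon failure on Windows 2003, 4625 = the same on Windows Server 2008 and later.
param(
    [string]$ComputerName = ".",   # "." = this machine
    [int]$Hours = 24,
    [int]$Threshold = 5            # assumed: failures per account worth a look
)

# 512 KB fills quickly once auditing is on (needs administrator rights)
Limit-EventLog -LogName Security -ComputerName $ComputerName -MaximumSize 4MB -OverflowAction OverwriteAsNeeded

function Get-FailedLogonSummary {
    param([string]$Computer, [int]$SinceHours, [int]$FlagAt)
    $since  = (Get-Date).AddHours(-$SinceHours)
    $failed = Get-EventLog -LogName Security -ComputerName $Computer -After $since -EntryType FailureAudit |
              Where-Object { $_.EventID -eq 529 -or $_.EventID -eq 4625 }

    $byAccount = @{}
    foreach ($e in $failed) {
        # Assumption: the target account is ReplacementStrings[0] for 529 and [5] for 4625
        $name = if ($e.EventID -eq 4625) { $e.ReplacementStrings[5] } else { $e.ReplacementStrings[0] }
        if (-not $name) { $name = "(unknown)" }
        $byAccount[$name] = [int]$byAccount[$name] + 1
    }
    $byAccount.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
        New-Object PSObject -Property @{
            Account  = $_.Key
            Failures = $_.Value
            Verdict  = if ($_.Value -ge $FlagAt) { "INVESTIGATE" } else { "" }
        }
    }
}

Get-FailedLogonSummary -Computer $ComputerName -SinceHours $Hours -FlagAt $Threshold |
    Format-Table Account, Failures, Verdict -AutoSize
```

The same shape of script answers the "who deleted the files" question from the third step: swap the logon-failure IDs for the object-access ones (564 "Object Deleted" on 2003, 4660 on later versions) and group on the file name and account instead.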
Security Warning
Guy's warning: the more security you have, the more work there will be for the administrators. Firstly, decide on an appropriate level of security for your organisation. Take passwords as an example: ordinary companies do not need complex passwords which users have to change every month, whilst it would be inappropriate for banks to allow blank passwords which never expired.
Summary: Pros turn on auditing and check the security log weekly
8) Security Templates
Guy's Litmus Test: Have you ever used the Security Templates?
Professionals use the built-in snap-in for Security Templates.
Amateurs have no structure for setting security.
Security templates and the associated Security Analysis snap-in are one of the best secrets of Windows Server 2003. This is a shame, as this tool offers a powerful mechanism to configure, check and record the security settings for your domain. Needless to say there is a huge difference between those professionals who utilise these features, and the amateurs who do not realise they exist.
a) Security Templates
The first move is to load the template that most nearly describes your situation. E.g. securedc = Secure Domain controller. The next move is crucial, Save As yourfilename. This preserves the original while allowing you to experiment.
Your next move is to check out the settings and decide how much security you need in your organization. When you have finished checking, go to the Security Configuration and Analysis snap-in. (See diagram above.)
The powerful analysis tool shows which settings will remain the same, for example, a tick next to 'Maximum Password age' tells you there is no difference between your template and the present setting. However a red x means that the template will change the current settings if you select CONFIGURE. Experiment with different settings until you have the required security configuration. Note in passing that you can Export List from the Action menu and so save a record of your work. If you make a terrible mistake with CONFIGURE, reapply the Basic Template and start again.
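The "Save As, analyse, then decide" routine from this section in script form, as an added PowerShell example (not the ebook's code or a Microsoft tool). It copies securedc.inf under a new name so the original survives, runs secedit /analyze against the copy (nothing on the machine changes until secedit /configure is run), exports the machine's current settings to a second .inf, and lists for the [System Access] section which values CONFIGURE would change (the "red x") and which already match (the "tick"). The working folder and file names are assumed placeholders; the template path is the Windows Server 2003 default.

```powershell
# Added example, not from the ebook: analyse a renamed copy of securedc.inf and
# compare its [System Access] values with the machine's current settings.
param(
    [string]$Template = "$env:SystemRoot\security\templates\securedc.inf",
    [string]$Work     = "C:\SecTest",     # assumed working folder
    [string]$Section  = "System Access"   # password and lockout policy lives here
)

New-Item -ItemType Directory -Path $Work -Force | Out-Null
$myTemplate = Join-Path $Work "myfilename.inf"            # assumed file name
Copy-Item -Path $Template -Destination $myTemplate -Force  # never edit the original
$db  = Join-Path $Work "analysis.sdb"
$log = Join-Path $Work "analysis.log"
$now = Join-Path $Work "current.inf"

# Analyse only: nothing on the machine changes until you run secedit /configure
& secedit /analyze /db $db /cfg $myTemplate /overwrite /log $log /quiet
# Export what the machine is using today, in the same .inf format
& secedit /export /cfg $now /quiet

function Read-IniSection {
    param([string]$File, [string]$Name)
    $values = @{}
    $inside = $false
    # .inf templates are INI-style text; Get-Content copes with their Unicode BOM
    foreach ($line in Get-Content -Path $File) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $inside = ($matches[1] -eq $Name); continue }
        if ($inside -and $line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') { $values[$matches[1]] = $matches[2] }
    }
    return $values
}

function Compare-SecuritySettings {
    param([hashtable]$Proposed, [hashtable]$Current)
    foreach ($key in ($Proposed.Keys | Sort-Object)) {
        $cur = $Current[$key]
        New-Object PSObject -Property @{
            Setting  = $key
            Current  = if ($cur -ne $null) { $cur } else { "(not set)" }
            Template = $Proposed[$key]
            Result   = if ($cur -eq $Proposed[$key]) { "tick: unchanged" } else { "red x: CONFIGURE would change" }
        }
    }
}

$proposed = Read-IniSection -File $myTemplate -Name $Section
$current  = Read-IniSection -File $now -Name $Section
Compare-SecuritySettings -Proposed $proposed -Current $current |
    Format-Table Setting, Current, Template, Result -AutoSize
```

Keeping the exported current.inf alongside the analysis log gives you the written record the section recommends, and it is the file to reapply if a later CONFIGURE goes wrong.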
Summary: Pros use Security Templates to control all aspects of their security
9) Time Synchronisation
Guy's Litmus Test: Do all your machines show the same time?
Professionals synchronize computer clocks throughout their network.
Amateurs wonder why they get lots of Win32 time errors in the event log.
With Windows 2003's Kerberos security, time synchronization has a new significance. This is because the Kerberos (KDC) service uses time stamps as part of the client authentication process. The default tolerance is only 5 minutes.
Example Script to Synchronize with the Windows Time Service
Purpose of the Script
The script synchronizes the local machine with an internet time server, then displays a message indicating if the internal clock was slow, fast or on time.
Instructions for Synchronizing with the Windows Time Service
This script is designed for Windows servers, but there is no reason why it should not work on an XP machine. If you use uk.pool.ntp.org or time-a.nist.gov as the time server, make sure that your machine has an internet connection.
1. Copy and paste the example script below into Notepad or use a VBScript editor.
2. One advantage of a good script editor such as OnScript is that you can see the line numbers, which helps when you have to troubleshoot error messages.
3. Save the file with a .vbs extension, for example: SynchTime.vbs
4. Double click SynchTime.vbs, and check the clock synchronization in the message box.
'==============================================
' VBScript Source File -- Created with XLnow OnScript
' SynchTime.vbs
' AUTHOR: Guy Thomas
' COMPANY: Computer Performance
' DATE: January 2006 Version 3.2
' COMMENT: Script to synchronize with the Time service
'==============================================
Option Explicit
Dim objShell
Dim intShortSleep, intLongSleep, strService
Dim strTimeSrv, timeBefore, timeAfter, timeDiff
Set objShell = CreateObject("WScript.Shell")
strService = "w32Time"
intShortSleep = 3000
intLongSleep = 6000 '1000 = 1 second
' Time Server set (Remove ' Rem if you want to change)
strTimeSrv = "time-a.nist.gov"
'strTimeSrv = "uk.pool.ntp.org"
' Use .Run method to configure the time server
' (the line continuation underscore must be preceded by a space)
objShell.Run "w32tm /config /syncfromflags:manual /manualpeerlist:" _
  & strTimeSrv
Call Restart()
' Collect time before the script synchronizes (seconds since midnight)
timeBefore = DatePart("s", Now) + DatePart("n", Now) * 60
timeBefore = timeBefore + DatePart("h", Now) * 3600
' Key command to resynchronize with time server
objShell.Run "w32Tm /resync /rediscover"
WScript.Sleep intShortSleep
timeAfter = DatePart("s", Now) + DatePart("n", Now) * 60
timeAfter = timeAfter + DatePart("h", Now) * 3600
' Cosmetic section to display the clock adjustment
' (the sleep is time the script itself spent waiting, so subtract it)
timeDiff = (timeAfter - timeBefore) - (intShortSleep / 1000)
If timeDiff < 0 Then
  WScript.Echo "Clock was fast by " & -timeDiff & " secs"
ElseIf timeDiff > 0 Then
  WScript.Echo "Clock was slow by " & timeDiff & " secs"
ElseIf timeDiff = 0 Then
  WScript.Echo " Clock synchronized " & timeDiff & " difference"
End If
WScript.Quit

Sub Restart()
  ' Restart Service
  objShell.Run "net stop " & strService
  objShell.Run "net start " & strService
  WScript.Sleep intLongSleep
End Sub
Challenges
Try deliberately setting the computer's clock fast or slow. Give the script a real job by stopping the Windows Time service before running the script. Experiment with the intSleep variables. Try changing the values, or even removing them. See the difference a space makes in Else If (instead of ElseIf) and see how Else If requires its own matching End If. I tried simplifying timeAfter = DatePart("s" , Time) + DatePart("n" , Time) *60 to timeAfter = Time. My results were disappointing: the value was always the same, even though I changed the time on the computer clock.
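A companion check for the 5-minute Kerberos tolerance mentioned at the start of this section, as an added PowerShell example (not the ebook's script). Where SynchTime.vbs corrects the clock, this one measures how far a machine is from a domain controller using w32tm /stripchart and says whether the gap is inside the tolerance before you go troubleshooting authentication. The domain controller name is an assumed placeholder, and the offset parsing assumes w32tm's data-only output lines end with a signed offset such as "+00.0123456s".

```powershell
# Added example, not from the ebook: measure the clock offset to a domain
# controller and compare it with the Kerberos tolerance of 5 minutes.
param(
    [string]$Dc = "dc1.example.local",   # assumed placeholder
    [int]$Samples = 5,
    [int]$ToleranceSeconds = 300         # Kerberos default (5 minutes)
)

function Get-ClockOffsetSeconds {
    param([string]$Target, [int]$Count)
    $lines = & w32tm /stripchart "/computer:$Target" "/samples:$Count" /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        # Assumption: each sample line ends with the signed offset, e.g. "+00.0123456s"
        if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$matches[1] }
    }
    if (-not $offsets) { throw "No samples returned from $Target : $($lines -join ' ')" }
    ($offsets | Measure-Object -Average).Average
}

$offset = Get-ClockOffsetSeconds -Target $Dc -Count $Samples
$abs = [math]::Abs($offset)
if ($abs -gt $ToleranceSeconds) {
    "FAIL: clock differs from $Dc by {0:N1}s, outside the {1}s Kerberos tolerance" -f $offset, $ToleranceSeconds
} elseif ($abs -gt 60) {
    "WARN: {0:N1}s offset from $Dc; resync with w32tm /resync" -f $offset
} else {
    "OK: {0:N3}s offset from $Dc" -f $offset
}
```

Because w32tm compares the real (UTC) time rather than the displayed wall-clock time, this check also catches the case described later in the book where two domain controllers on different time zones showed the same time on screen while being eight hours apart.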
Summary: Pros ensure that the clocks are synchronized on all their network machines
10) UPS
I sometimes offer my services on a no fee, no fix basis. One job was abruptly terminated. When I went in to test my solution, I was told that the server room had burnt down. When the fire brigade investigated it turned out that the UPS (uninterruptible power supply) was the centre of the inferno. It seemed that acid seeped out from the UPS battery and set fire to paper on the floor. It transpired that the UPS was 12 years old and had never been serviced. Naturally I did not get paid, and had to settle for an ironic smile - the very device that should protect the server was responsible for its downfall. It is a situation where you can imagine a cartoon sequence of the acid leaking causing paper to catch fire, and the blaze enveloping the server. The moral of the story - do not work for people who do not service their UPS!
1) Dynamic Disks
Professionals take the trouble to investigate the features of 'Dynamic Disk'. One advantage of Dynamic Disk is that you can extend data partitions. How is this useful? Take a case where you need 3 partitions on a disk, but it is not clear which partition will grow the fastest. Assign 1/4 of the space to each partition, leaving 1/4 available to extend whichever partition gets full first. Dynamic disk has the advantage of supporting an unlimited number of volumes; this overcomes the limitation of only 4 primary partitions and 1 logical drive. You may also import dynamic disks from other computers; this is because the file information is held on the disk itself, not in the registry. This also explains why you need 1 MB of unallocated space to convert from basic to dynamic disk; the space is needed to create the disk information database. To convert to Dynamic Disk, go to Disk Management, right click the Disk and select Upgrade to Dynamic Disk. (Call for the built-in Help if you cannot find Disk Management.)
This last point means that you may leave XP professional with the default basic disk. I have not found a convenient switch to automatically upgrade to dynamic disk, moreover the advantages of dynamic disk are not so important on a workstation.
12) Disk Quotas
Controlling use (abuse) of server disk space has been high on administrators' wish lists for a long time. Now with Disk Quotas you can limit users' disk space. Disk usage conforms to the 'Pareto Principle': 20% of your users will consume 80% of the disk space. Configure disk quotas and make things fairer; stop one or two selfish users filling up the disk space unnecessarily. One strategy is to set the limits high and use quotas to plant the idea that users should implement good housekeeping with their files. To activate disk quotas: right click the root of any partition and you will see the Disk Quota tab.
Trap: Remember to check both boxes: Enable quota management, and Deny disk space to users exceeding their quota limit. Tip: If you want to use disk quotas on separate folders rather than the whole disk, investigate Volume Mount Points.
On a related topic: Encrypted File System (EFS)
Litmus test: Professionals show laptop users how to encrypt their files.
There have been several high profile cases of lost laptops containing sensitive information. Windows 2003 offers the facility to transparently encrypt sensitive folders. So if the files get into the wrong hands, they will be very difficult to decrypt.
Summary: Pros set quota limits for users on shared server volumes
13) DHCP
Guy's Simple Litmus Test: How do you assign a client's IP address?
Professionals automatically assign IP addresses for XP desktops.
Amateurs manually configure the IP addresses on each client machine.
Guy's Advanced Litmus Test: How many DHCP Options do you configure?
Professionals configure at least Type 003 Router and Type 006 DNS Servers.
Amateurs never configure any Scope Options.
When you create a DHCP scope, as well as Router (DHCP Option Type 003), it costs little time to add a DNS Server (Type 006) and also Domain name (Type 015). It is worth checking out over 40 other automatic settings you can assign at the same time as the IP address.
Incidentally, DHCP is an example of Windows 2003 having more options, menus and sub menus than NT 4.0. Take the time to investigate which options would help your network. For example, check dynamic updates and class options. If you are troubleshooting client DHCP problems, ipconfig /all is the classic tool to run from the command prompt. (Do remember the /all switch)
DHCP Logging
One persistent reason companies gave for not implementing DHCP was that it could not track who was using which IP address. They obviously did not realise that you could turn on Audit Logging. Diagram taken from the properties of the DHCP Server Object.
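What the DHCP audit log gives you once it is switched on, as an added PowerShell example (not from the ebook). The server writes a DhcpSrvLog-<Day>.log file whose data rows follow the header "ID,Date,Time,Description,IP Address,Host Name,MAC Address"; the script parses rows in that layout and answers the question the objectors raised, "who was using this IP address at that time?". The log lines embedded below are constructed for the illustration, with the nwtraders.msft name from the book's diagrams.

```powershell
# Added example, not from the ebook: find who held an IP address at a given
# time from DHCP audit log rows. Sample rows below are constructed.
$sampleLog = @"
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,01/09/06,08:00:01,Started,,,
10,01/09/06,08:15:22,Assign,192.168.1.50,PC01.nwtraders.msft,0011223344AA
10,01/09/06,08:16:05,Assign,192.168.1.51,PC02.nwtraders.msft,0011223344BB
11,01/09/06,12:15:30,Renew,192.168.1.50,PC01.nwtraders.msft,0011223344AA
12,01/09/06,17:02:10,Release,192.168.1.50,PC01.nwtraders.msft,0011223344AA
10,01/09/06,17:30:44,Assign,192.168.1.50,LAPTOP07.nwtraders.msft,00AABBCCDDEE
"@

function ConvertFrom-DhcpAuditLog {
    param([string[]]$Lines)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    # Only data rows start with a two-digit event ID; header and blank lines are skipped
    $Lines | Where-Object { $_ -match '^\d{2},' } | ForEach-Object {
        $f = $_ -split ','
        New-Object PSObject -Property @{
            Id          = [int]$f[0]     # 10 = new lease, 11 = renew, 12 = release
            When        = [datetime]::ParseExact("$($f[1]) $($f[2])", "MM/dd/yy HH:mm:ss", $culture)
            Description = $f[3]
            IP          = $f[4]
            Host        = $f[5]
            MAC         = $f[6]
        }
    }
}

function Find-IpHolder {
    param([object[]]$Events, [string]$IP, [datetime]$At)
    # The most recent lease event for that address at or before the time asked about
    $last = $Events | Where-Object { $_.IP -eq $IP -and $_.When -le $At } |
            Sort-Object When | Select-Object -Last 1
    if ($last -eq $null) { return "$IP : no lease recorded before $At" }
    if ($last.Id -eq 12) { return "$IP : released by $($last.Host) ($($last.MAC)) at $($last.When); unassigned at $At" }
    "$IP : held by $($last.Host) ($($last.MAC)) at $At (last event '$($last.Description)' at $($last.When))"
}

$events = @(ConvertFrom-DhcpAuditLog -Lines ($sampleLog -split "`r?`n"))
Find-IpHolder -Events $events -IP "192.168.1.50" -At ([datetime]"2006-01-09 13:00")
Find-IpHolder -Events $events -IP "192.168.1.50" -At ([datetime]"2006-01-09 17:10")
Find-IpHolder -Events $events -IP "192.168.1.50" -At ([datetime]"2006-01-09 18:00")
```

Against a live server, replace the embedded text with Get-Content on the log files under %SystemRoot%\System32\dhcp; the server keeps one file per weekday, so keep copies if you need more than a week of history.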
Summary: Pros set up DHCP and reap the benefits of reduced administrative effort.
14) DNS
Guy's Litmus Test: Can you troubleshoot DNS?
Professionals take the time to master DNS settings.
Amateurs use WINS wherever possible and avoid DNS.
Note: the Cached Lookups container shown in the diagram is visible only after you go to the View menu and select Advanced. To truly master DNS you must invest time in the terminology and learn to configure Reverse Lookup, Zones, Active Directory Integration and other specialist DNS settings. In Windows Server 2003, DNS can dynamically update its host records - hence the name DDNS. This overcomes a limitation of DNS in NT 4.0 and allows WINS to be phased out in pure Windows Server 2003 networks. The only real use of WINS is for organizations with distributed Exchange servers.
DNS holds SRV or Service records which enable desktop computers and servers to find domain controllers that are providing specific services. For example, Global Catalog and Kerberos are needed for logon authentication; DNS returns the IP address of a domain controller offering those services. You can see the Active Directory SRV records in the above diagram; for example, look under nwtraders.msft and see _msdcs (Microsoft Domain Controllers). Check out the new Monitoring tab: right click the DNS SERVER, Properties.
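A quick way to confirm that the SRV records described above are actually being answered, as an added PowerShell example (not the ebook's code). It asks nslookup for the _msdcs records a client uses to locate a domain controller, the Global Catalog and the Kerberos KDC, and reports which record names come back empty. The domain name defaults to the nwtraders.msft name from the diagram and is a placeholder; the parsing assumes nslookup prints each SRV answer with an "svr hostname = <server>" line.

```powershell
# Added example, not from the ebook: check the SRV records logon depends on.
param([string]$Domain = "nwtraders.msft")   # placeholder, taken from the diagram

$services = @{
    "domain controller (LDAP)" = "_ldap._tcp.dc._msdcs.$Domain"
    "Global Catalog"           = "_gc._tcp.$Domain"
    "Kerberos KDC"             = "_kerberos._tcp.dc._msdcs.$Domain"
}

function Get-SrvTargets {
    param([string]$Name)
    $out = & nslookup -type=SRV $Name 2>&1
    foreach ($line in $out) {
        # Assumption: nslookup lists each SRV target as "svr hostname = dc1.domain"
        if ($line -match 'svr hostname\s*=\s*(\S+)') { $matches[1] }
    }
}

foreach ($svc in ($services.Keys | Sort-Object)) {
    $targets = @(Get-SrvTargets -Name $services[$svc])
    if ($targets.Count -eq 0) { "FAIL  $svc : no SRV answer for $($services[$svc])" }
    else                      { "OK    $svc : " + ($targets -join ", ") }
}
```

A FAIL on any of the three usually means the domain controller's Netlogon service has not registered its records (a restart of Netlogon re-registers them) or that the client is pointing at a DNS server that does not hold the Active Directory zone.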
Summary: Pros are experts in DNS, they realise its essential role in Windows Server 2003
15) Networks
Guy's Litmus Test: Do you use client server networks?
Professionals run a client server network with Windows Server 2003 and XP clients.
Amateurs run a Peer to Peer network of XP and Windows 98.
The decision to use a client server network or a peer to peer network is really a 'no brainer'. The benefits of central administration and single user logon far outweigh the cost of a server. I would stick my neck out and say that no company is too small to benefit from a server on their network. One client spent ages grappling with problems of XP acting as a server with Windows 98 clients. Both are designed as clients and neither works well as a server.
Factors to consider
Network speed (LAN and WAN).
Server scalability, e.g. extra RAM, another disk rack.
Server characteristics, e.g. DC, GC, DNS and DHCP services go well together, while email and databases are best having their own server.
16) Partitions
Guy's Litmus Test: How much FAT do you have?
Professionals format every partition with NTFS.
Amateurs use FAT32 wherever possible.
The traditional reason to use NTFS was for file level security. However, the number one reason that I recommend NTFS on all partitions is that NTFS has 'write ahead' logs which protect the file system. This transaction logging is similar to the method that databases use to record events before they are committed to disk. There are more technical benefits to formatting NTFS:
Faster recovery through checkpoint files
More efficient storage of smaller files
More efficient indexing
Faster file access, especially for large disks
NTFS is a pre-requisite for important Windows Server 2003 features:
Active Directory. NTDS.dit and its logs must all reside on NTFS
Disk Quotas
Mount Points - useful when your c:\ drive is full
EFS (Encrypted File System)
DFS (Distributed File System)
Neither FAT nor FAT32 can support any of the above features. The only indisputable advantage of FAT32 is that you can dual boot into Windows 98 - not much of an advantage for a server.
Summary: Pros use NTFS everywhere, and have no FAT whatsoever.
Summary: Pros create a number of printers and give them different priorities
Summary: Pros install AdminPak and, or Terminal Services to administer their servers
N.B. To get the most out of your RRAS Policy and Profiles, your domain needs to be in NATIVE mode. Each Policy has a PROFILE tab; this is where you configure how long users can connect to the server, which protocols they use and much more besides.
20) WINS
Guy's Litmus Test: Have you a plan to phase out WINS?
Professionals prefer DNS and avoid WINS wherever possible.
Amateurs prefer WINS and do not understand DNS.
If you wish to find entries in WINS use * (star).
If you must implement WINS, make sure that you integrate it with DNS and DHCP.
Summary: Pros plan to phase out WINS and use 100% DNS for name resolution.
Professionals understand Exchange 2003's dependence on WINS.
Amateurs have no idea that Exchange 2003 still uses WINS in certain circumstances.
Exchange 2003's Dependency on WINS
If you want to investigate the relationship between WINS and Exchange 2003 you have 3 choices:
1. Just install WINS and get on with life. Configure records for ALL the Exchange servers and Domain controllers.
2. Ignore WINS; everything IS working fine on MY small network.
3. The thinking man's approach. Try to make sense of Exchange's dependency on WINS. If you go down this route, you may find that the waters get muddier before you see clear bottom.
1) Active Directory
While the uptake of Windows Server 2003 has been brisk, by no means all administrators are confident in installing the Active Directory feature. What amateurs do is merely install Windows Server 2003 as member servers for their database and mail servers. This is a shame because it is only when you install Windows Server 2003 domain controllers that you get the full benefit of active directory services.
Summary: Pros plan the whole strategy before they implement Active Directory.
Three of the FSMO roles (1-3) are held in each domain, whilst two (4-5) are unique to the entire forest. Thus, if you have three domains there will be 3 PDC emulators, but only 1 Schema Master. To see the Domain Naming Master (4), check out Active Directory Domains and Trusts. The Schema Master (5) is the most difficult to find: first you need to register the Schema snap-in with this command: regsvr32 schmmgmt.dll; then check the Administrative Tools, Active Directory Schema, Properties.
Here is how you can see and configure the FSMO roles:
Troubleshooting FSMO
DCDiag - Not only does DCDiag have a routine to check the FSMOs, but it also provides information on Active Directory replication. As ever with troubleshooting, you want to get to the root cause, not merely treat one of the symptoms.
NetDOM - It's a close call whether to run NetDOM before or after DCDiag; the answer partly depends on whether NetDom is already installed or if you need to get it from the Windows Server 2003 Support Tools. From the command line type netdom query fsmo. You should see a list of the 5 roles with the corresponding Domain Controller. With FSMO problems, check that the underlying problem is not related to DNS.
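The NetDOM and DCDiag steps above chained together, as an added PowerShell example (not the ebook's code). It runs netdom query fsmo, parses the five role holders, and then does the DNS check the paragraph recommends: each holder must resolve in DNS and answer a ping before dcdiag is asked whether the directory agrees about who holds the roles. The parsing assumes netdom prints one "<role label>   <holder FQDN>" line per role with two or more spaces between the columns, and that the holder is printed with a dot in its name.

```powershell
# Added example, not from the ebook: list the FSMO holders from netdom, then
# confirm each one resolves and responds before running the dcdiag role test.
function Get-FsmoHolders {
    $out = & netdom query fsmo 2>&1
    foreach ($line in $out) {
        # Assumption: "<role label>   <holder>" separated by two or more spaces
        if ($line -match '^(\S.*?\S)\s{2,}(\S+\.\S+)\s*$') {
            New-Object PSObject -Property @{ Role = $matches[1]; Holder = $matches[2] }
        }
    }
}

function Test-FsmoHolder {
    param([string]$Holder)
    $resolves = $true
    try   { [void][System.Net.Dns]::GetHostAddresses($Holder) }
    catch { $resolves = $false }
    # Only ping a name that resolved; an unresolvable holder is already a DNS problem
    $pings = $resolves -and (Test-Connection -ComputerName $Holder -Count 1 -Quiet)
    New-Object PSObject -Property @{ Holder = $Holder; ResolvesInDns = $resolves; AnswersPing = $pings }
}

$holders = @(Get-FsmoHolders)
if ($holders.Count -ne 5) { "WARNING: expected 5 FSMO roles, parsed $($holders.Count) from netdom output" }
$holders | Format-Table Role, Holder -AutoSize

$holders | Select-Object -ExpandProperty Holder -Unique |
    ForEach-Object { Test-FsmoHolder -Holder $_ } |
    Format-Table Holder, ResolvesInDns, AnswersPing -AutoSize

# DCDiag's own check that every domain controller knows the same role holders
& dcdiag /test:knowsofroleholders
```

A holder that fails the DNS column is the root cause the text warns about; fix name resolution first, because seizing or transferring a role on the strength of a DNS fault only treats the symptom.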
Summary: Pros understand FSMO and can change the roles when needed
23) Group Policy and GPMC
Guy's Litmus Test: How do you apply Group Policies?
Professionals use Group Policies to configure the desktop.
Amateurs use mandatory profiles to control the users.
Group Policies are fun. With Group Policies not only can you be Mr Nasty (screwing down the desktop), but you can also be Mr Nice. Mr Nice provides just the programs users need, but no extras. So when an accountant logs on they get MS Office XP and accountant software. When ordinary users log on they get only the Office suite. What is more, if the program breaks then the intellimirror software automatically restores the original settings. Having established the need, the next problem with setting up System Policy is - time. You need a week experimenting with a group of test machines before you think of rolling out to the production network. Policies can be applied at the Domain, OU and Site level. My advice is to set your security at the domain level, but control the desktop at the OUs. Avoid setting policies at the Site level, it is not necessary and only adds an extra layer of complexity.
Bonus Litmus Test - GPMC
Professionals download GPMC (Group Policy Management Console) from Microsoft's site.
Amateurs try to find GPMC on the support disk, then give up.
Once the pros install GPMC, they use the interface for planning, reporting and modeling their policies. In addition, professionals refresh their Group Policies with gpupdate; amateurs persevere with secedit.
Summary: Pros use GPMC to configure Group Policy settings and thus control the desktop
4) Installing Windows Server 2003
Make sure you have a big enough partition
This test fulfils all the requirements of a good litmus test; the test can be easily measured and the answer is likely to be conclusive. A small installation partition indicates: trouble, lack of planning and an amateur at work. The problem is compounded because, whilst other NTFS partitions can be extended the partition containing \Windows cannot easily be increased. So plan for at least 5GB for the \Windows partition. If you choose a miserly 2GB you will soon find it inadequate. If you get stuck do not despair; investigate Mount Points as a method of increasing the partition. (Try Windows Server 2003 Help)
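Both partition litmus tests, "no FAT whatsoever" from the Partitions section and the 5 GB system partition from this one, checked in one added PowerShell example (not the ebook's code). It lists every local volume with its file system and size, flags any volume that is not NTFS, and warns when the partition holding \Windows is below the recommended size. The 5 GB figure is the one given above and is the only assumption.

```powershell
# Added example, not from the ebook: report local volumes, flag non-NTFS ones
# and a system partition smaller than the recommended minimum.
param([int]$MinSystemGB = 5)   # the figure recommended in the text

function Get-VolumeReport {
    # SystemDrive is the letter holding \Windows, e.g. "C:"
    $sysDrive = (Get-WmiObject Win32_OperatingSystem).SystemDrive
    # DriveType 3 = local fixed disk (skips CD-ROMs, network and removable drives)
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" | ForEach-Object {
        $sizeGB = [math]::Round($_.Size / 1GB, 1)
        $issues = @()
        if ($_.FileSystem -ne "NTFS") { $issues += "not NTFS ($($_.FileSystem))" }
        if ($_.DeviceID -eq $sysDrive -and $sizeGB -lt $MinSystemGB) { $issues += "system partition under $MinSystemGB GB" }
        New-Object PSObject -Property @{
            Drive      = $_.DeviceID
            System     = ($_.DeviceID -eq $sysDrive)
            FileSystem = $_.FileSystem
            SizeGB     = $sizeGB
            FreeGB     = [math]::Round($_.FreeSpace / 1GB, 1)
            Verdict    = if ($issues) { "FAIL: " + ($issues -join "; ") } else { "OK" }
        }
    }
}

Get-VolumeReport | Format-Table Drive, System, FileSystem, SizeGB, FreeGB, Verdict -AutoSize
```

A FAT volume can be converted in place with convert <drive>: /fs:ntfs; the conversion is one-way, which for a server is exactly the point. A too-small system partition has no such shortcut, hence the Mount Points suggestion above.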
If you are in the UK, I assume you change the default Keyboard from US to UK. Also beware the -8:00 Pacific time. Windows Server 2003 domain controllers (DCs) run very slowly if their times are more than 5 minutes out of synch. I was called out to a case where one DC was on Pacific time and the other on GMT. Windows can handle that if the clocks are exactly 8 hours apart; in this case, however, the clocks displayed the same time, masking an 8-hour difference. As a result, Active Directory would not synchronise. The solution was to change the time zone from Pacific Time to GMT and alter the clock by 8 hours.
Install Remote Installation Service
RIS Litmus test: Professionals know what RIS is about.
If you are convinced of the benefits of DHCP, and remember how long it took to gain acceptance, then I hope that you will give RIS a chance. Imaging software like Ghost is very good for installing workstations. However, RIS has a compelling extra feature - intellimirror. In a nutshell, if users delete or move an operating system file, Windows Server 2003's built-in intellisense automatically repairs the machine. RIS, intellimirror and intellisense work together to detect the missing file and copy it automatically from the RIS image. The result is less downtime and reduced support costs.
As a bonus you can also apply LogOff scripts to help users tidy up when they logoff their machines. If you apply Logon Scripts via Group Policies, then you can also write scripts which apply to the computer no matter who logs on.
Homily
At first, the motor car was called a horseless carriage. The driver was on the outside because he had been there from the stage coach days. One day someone said 'Why don't we put the driver inside with the passengers?' So it is with Windows Server 2003, there are many new and better ways of doing old tasks. So move the logon scripts inside the Group Policies, and abandon the old DOS commands in favour of Visual basic scripts.
There will always be a place for scripting, and compared with NT 4.0, Windows Server 2003 has transformed scripting. All you need to get started is Notepad because the latest generation of Windows operating systems has a scripting host built-in. The result is your logon scripts will execute automatically, just save the script with a .VBS extension.
' -----------------------------------------------------------------
' MapNetworkDrive.vbs
' VBScript to map a network drive to a UNC Path.
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.4 - May 2006
' -----------------------------------------------------------------
Option Explicit
Dim objNetwork
Dim strDriveLetter, strRemotePath
strDriveLetter = "J:"
strRemotePath = "\\alan\home"
' Purpose of script to create a network object. (objNetwork)
' Then to apply the MapNetworkDrive method. Result J: drive
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive strDriveLetter, strRemotePath
WScript.Quit
' End of Example VBScript.
Learning Points
Note 1: At the top of the script is a heading section. The idea of the header is to explain what this VBScript will achieve. Some script writers feel that the Dim statements, which declare variables, are also part of the header section.
Note 2: Option Explicit is a VBScript command which forces me to declare variables. Not only is this 'best practice', but in my case, it alerts me to typos later in the script.
Note 3: See how this script declares the variables strDriveLetter and strRemotePath, then reuses them later in the script. If you stick with me, you will see that I love variables. In this example, MapNetworkDrive employs just two arguments, drive letter and UNC path.
Note 4: Once we declare strDriveLetter, then we can assign it a value, in this case "J:". One perennial problem I have with scripting is paying attention to detail, especially the syntax. Even with a simple letter - J, we must be careful. For the script to succeed we need precisely "J:". Neither "J:\", nor "J\:" will work.
Getting Started
Once your script works, copy MapNetworkDrive.vbs to the clipboard, then go to this path: Active Directory Users and Computers, select (Domain), Properties, Group Policy; from there, Default Group Policy, Edit, Computer (or User) Configuration, Windows Settings, Scripts, then paste your script from the clipboard.
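As an added example (not part of Guy's guide), here is the same J: to \\alan\home mapping with the checks a logon script should make before it runs for every user: it rejects the drive-letter syntax Note 4 warns about, refuses anything that is not a \\server\share UNC path, replaces a stale mapping rather than failing on it, and reports errors. MapDriveChecked is a hypothetical name; every method it calls is part of the WScript.Network object the guide's script already uses.

```vbscript
' MapDriveChecked.vbs - added example, not from the original guide.
' Same task as MapNetworkDrive.vbs, plus the checks a logon script needs.
Option Explicit

Dim objNetwork, strDriveLetter, strRemotePath
strDriveLetter = "J:"            ' must be letter plus colon, nothing else
strRemotePath  = "\\alan\home"   ' UNC path from the guide's example

Set objNetwork = CreateObject("WScript.Network")
MapDriveChecked objNetwork, strDriveLetter, strRemotePath
WScript.Quit

Sub MapDriveChecked(objNet, strLetter, strPath)
    Dim objRegEx, colDrives, i
    Set objRegEx = New RegExp
    ' Note 4: "J:" works, "J", "J:\" and "J\:" do not - reject them up front.
    objRegEx.Pattern = "^[A-Za-z]:$"
    If Not objRegEx.Test(strLetter) Then
        WScript.Echo "Bad drive letter '" & strLetter & "', expected e.g. ""J:"""
        Exit Sub
    End If
    ' Accept only \\server\share. No user name or password is passed to
    ' MapNetworkDrive, so it runs as the logged-on user and no credential
    ' ends up stored inside the logon script.
    objRegEx.Pattern = "^\\\\[^\\]+\\[^\\]+$"
    If Not objRegEx.Test(strPath) Then
        WScript.Echo "Bad UNC path '" & strPath & "', expected \\server\share"
        Exit Sub
    End If
    ' EnumNetworkDrives returns pairs: even index = letter, odd = UNC path.
    Set colDrives = objNet.EnumNetworkDrives
    For i = 0 To colDrives.Count - 1 Step 2
        If UCase(colDrives.Item(i)) = UCase(strLetter) Then
            If UCase(colDrives.Item(i + 1)) = UCase(strPath) Then
                Exit Sub                         ' already mapped correctly
            End If
            ' Stale mapping to another share: force-remove it first.
            objNet.RemoveNetworkDrive strLetter, True, True
            Exit For
        End If
    Next
    On Error Resume Next
    objNet.MapNetworkDrive strLetter, strPath
    If Err.Number <> 0 Then
        WScript.Echo "Mapping " & strLetter & " to " & strPath & " failed: " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Sub
```

Run it with cscript.exe so the WScript.Echo messages go to the console rather than pop-up boxes; under wscript.exe a failed mapping would interrupt the user's logon with a dialog.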
26) Raise Domain and Forest Levels (Mixed v Native Mode)
Windows Server 2003 Domain Function Levels (Mixed and Native)
There are now four domain 'levels' that a Windows Server 2003 domain can operate in. Whilst it is easy to understand what each level means, it takes time to learn how Microsoft's terminology has changed from Windows 2000. Formerly we only had Mixed and Native modes; now there are four possible settings, and the jargon is 'Raise Level'.
1. Windows Server 2003. All Server 2003, no other domain controllers. However, even at this level, the whole range of clients and member servers can still join the domain.
2. Windows Server 2003 Interim. NT 4.0 servers and Windows Server 2003 (no Windows 2000). This level arises when you upgrade an NT 4.0 PDC to Server 2003. Interim mode is important where you have NT 4.0 groups with more than 5000 members. Windows 2000 does not allow you to create groups with more than 5000 users.
3. Windows 2000 Native. (Yes, Windows 2000 Native) allows Windows 2000 and 2003 servers (no NT 4.0).
4. Windows 2000 Mixed. (Yes, Windows 2000 Mixed) allows NT 4.0 BDCs and Windows 2000. Naturally Windows 2000 Mixed is the default function level because it supports all types of domain controllers.
When you decommission the last NT 4 BDC, raise the domain level at least to Windows 2000 Native mode; this will give you access to:
Universal groups
Nesting of Global groups
Logon with User Principal Name (UPN), e.g. guy@cp.com
RAS Policies - control dial-in users through policies
USMT (User Settings Migration Tool)
N.B. If you switch to native mode you can NOT reverse it; there is no path back to mixed mode. How do you make the switch? Answer: a job for Active Directory Users and Computers, Properties.
Amateurs think that mixed mode refers to the clients, not to the legacy servers. They think that you must stay in mixed mode until you upgrade all the Windows 9x clients. They are wrong! Note: In addition to Raise Domain Level, there is also the concept of Raise Forest Level; however, that is not covered here.
Printer Location
Everyone I have shown this Printer Location plan has expressed a satisfied glow when they completed their tasks and saw the printers pre-populated in the Add Printer wizard. Therefore I throw down the gauntlet and challenge you to master Printer Locations; I guarantee this is a mission that you will enjoy accomplishing.
1. Subnet Location - Fiendishly difficult to understand, find and configure.
2. Printer Properties - Easy place to find, some use on its own account.
3. Group Policy - Tricky, unless you are a minor expert on Group Policies. Bonus: you investigate other interesting Printer Policies.
4. Add Printer Wizard - Client side
1) Subnet Location
To find this tricky setting, open Active Directory Sites and Services, not, repeat not, ADUC. Next drill down to Sites and then Subnets. If no suitable subnets appear in the leaf object, then create a New Subnet by right-clicking the yellow Subnets folder. Once you have a Subnet object with an IP address and CIDR notation for the subnet mask, you are ready to create the location. Right-click the IP address (192.168.0.0/24 in my example), select Properties, and seek the Location tab. Type a suitable name in the dialog box. In truth, any sensible name will suffice; I chose MD_Office.
2) Printer Properties
Let us assume for testing that you have a printer shared on a local server, HPLaserJet2420 in my example. Open the properties of that printer. It is easy to find the Location dialog box (General tab); however, the knack is to browse and assign a location from Active Directory (Entire Directory). Browsing has two advantages: apart from avoiding typos, it confirms that the Subnet location has been created successfully. If you remember, in my example this value is MD_Office.
3) Group Policy
Here is another tricky path, yet with attention to detail you will soon find the correct Group Policy: Pre-Populate printer search location text. To be sure of success, I would start by editing the Default Domain Policy. Once you have opened the policy, the crucial choice is Computer Configuration. Now expand Administrative Templates and you will see the Printers folder. Eureka! There is Pre-Populate printer search location text; make sure you remember to enable the policy.
4) Add Printer Wizard (Train the users who need Printer Locations)
We are now all set to put my plan into action. If possible, choose a different machine from the one where the printer is shared. Open the Printers and Faxes folder. Select Add Printer, Network, Find a printer in the directory; here is the magic moment, the Location dialog box should be pre-populated with your printer. The killer feature, or missing link, for Printer Locations is intelligent users. If your users are not computer savvy, train them with a one-page sheet explaining how to find the printer once you have played your part by configuring Active Directory and the print servers.
Summary: Pros set up printers so that users always find a 'printer near them'.
Background
Undoubtedly, the logical side of Active Directory will occupy most of your configuration time; however, remember there is a physical side to Active Directory, and most of that configuration is under the Sites snap-in. The default situation is that all Domain Controllers will be in the Default-First-Site-Name. A good reason to create a second and third Site is to schedule replication traffic. Within a site (over the LAN) the default is a matter of seconds and can only be altered by editing the replication settings in the registry. In contrast, replication between sites (over the WAN) defaults to 3 hours and is easily adjusted.
With a completely routed network, just make a Site Link as shown in the diagram below:
The secret of using Universal Groups in Windows Server 2003 is to include only members who will rarely change. Best would be to use only global groups; worst would be constantly adding individuals. The trap is to continually change the Universal group membership and so cause excessive replication traffic between Global Catalog servers. (This aberration, where the whole group is replicated if you add one user, is corrected in Windows Server 2003.) Question: What does it mean if you tried to create a Universal Group and the radio button was 'greyed out'? Answer: See test 6)
Global Groups
These are great travellers; they can wander the entire Forest. The key point is that global groups are poor hosts and can only contain members from their own domain. Best practice is to make the global group your default group, and for starters, make a group to represent each of your departments.
Universal Groups
Another question for you: why is the radio button next to create Universal group greyed out? The answer is that when the Domain is in mixed mode you cannot create universal groups (NT 4.0 BDCs would not understand them). You need to 'raise domain level' to Windows 2000 Native before you benefit from universal groups. Think of universal groups as the ultimate container for nesting groups. They are good hosts and great travellers. Best practice is to make it a rule to include only global groups inside Universal groups, not individual users.
Summary: Pros use Universal groups sparingly and then to add only Global groups.
31) CMD.exe
Guy's Litmus Test: Do you use CMD.exe or Command.com?
Professionals use CMD.exe
Amateurs use Command.com
31) CMD
CMD.exe is the best program to use for the 'DOS' interface. Why is it better than command.com? Because CMD supports doskey (up and down arrows), which remembers your last commands. Technically, CMD.exe is a 32-bit program that emulates DOS, whereas command.com is a 16-bit program that runs under NTVDM.
The 'DOS Box' is just the start for so many other tools; that is why it is worth spending a few minutes getting it to your satisfaction. Configure the properties: increase the Width to about 100 and the Height to about 50.
Bonus CMDHere.inf
CMDHere allows you to open the DOS Box from any Explorer folder; I find it particularly useful for running scripts. You can get CMDHere from the Windows Server 2003 Resource Kit.
Summary: Pros quickly show their knowledge and come to the point
33) Luddites
Guy's Litmus Test: What Luddite tendencies do you have?
Professionals use the MMC and Explorer
Amateurs (Luddites) use Progman and File Manager
33) Luddites
Luddites were named after Ned Ludd. Back in 1811, new knitting frames were introduced which produced more garments with fewer people. Ned Ludd and his friends did not see this as progress and started smashing up the machines. Needless to say, the revolt did not stop industrialization. I must say that hanging the Luddites was a trifle harsh. When training, I find that old timers and those with a fixed mindset insist on doing things the way they have always done them. When Windows 95 first arrived, people would not use Explorer, preferring to copy files with File Manager - just as they had always done in Windows for Workgroups. It is a real advantage in training to get people when they are new to the product and before they get into bad habits.
Here are more ideas that have helped me solve computer problems.
Believe in yourself - get into troubleshooting 'state'
Collect information - ask what has changed on your computer
Narrow the search - Hardware or Software
Assemble your software tools - Event Viewer and TechNet
Develop a theory - think of the most likely cause of the problem
Phone a friend! - call in favours
35) Protocols
Guy's Litmus Test: How many protocols does your LAN use?
Professionals use TCP/IP as their only protocol
Amateurs find reasons to use NetBEUI
Amateurs use ISA network cards - always use PCI cards
Summary: Pros are always looking for ways of getting the most from their servers
* Can be found in the \support folder on the Windows Server 2003 Server CD
# Built-in to Windows Server 2003
Summary: Pros take the time to check out the right tool for the right job
Bonus Litmus Test: NSLookup (Name Server lookup)
Professionals master interactive mode
Amateurs just use the non-interactive mode
This command-line utility will give you valuable information about DNS servers. To begin with, you can use NSLookup to discover the name of a server when you know its IP address. For instance, you can ping the machine, but what is its hostname? NSLookup will tell you that name. NSLOOKUP has two modes; the first mode will simply tell you the hostname when you type the IP address. Example: NSLOOKUP 192.168.0.15. This will return the hostname registered in DNS, a server called ron in the example below.
Note: use the 'exit' command to break out of NSLookup. Type HELP, check out the list, then choose which other command you need. Prerequisites: NSLookup will not work until you configure the DNS server with a reverse lookup zone. Then you will need to create the PTRs (Pointer records) that map the IP address to the hostname.
Two Hairdressers
You find yourself in a one-horse town which has only one hairdressing shop. When you go in there are two assistants cutting away. The first assistant has a great, sharp haircut but is loud and all action. The second hairdresser has a very average haircut but is quiet and attentive to their client. Which do you choose, and why? When your turn for a haircut comes, you realise that the assistant with the stylish cut must have been coiffured by the other, quiet hairdresser. So you choose the second, quiet assistant. Also, you do not like people shouting down your ear when you are having a haircut!
Restaurants
Eating in a new town can be one of the last great discovery experiences. These days restaurants are plentiful, but great eating experiences are rare. Restaurants offer a great opportunity for Litmus Tests, and you do need an instant indication, because if it's no good you want to walk out quickly before you place an order. The first litmus test is: are they full? If they are empty, check if there is a full restaurant around the corner. When you go in, is there an attentive waiter to see you to your seat? A maître d' who is dutifully overseeing the waiters is a guarantee that the service will be good. It will be expensive, but if this is a special occasion you will not be disappointed. On the other hand, I take a Chef who mingles with the guests as a sign the food will be overcooked; the Chef should be giving the kitchen 100% of his attention!
You peruse the wine list and say to the waiter, 'A bottle of your number 61, please'. If the waiter puts you down by saying loudly, 'Do you mean the Wehlener Sonnenuhr?', watch out for more surly behaviour. Of course, if you were to pronounce Wehlener Sonnenuhr in immaculate German, the no-good waiter would put you down with, 'Do you mean the number 61, sir?'
Summary: Have fun with my Litmus Test concept and look for every opportunity to create a new test.