The Bit Bucket

Monday, September 15, 2008

Some DNS Tips

Several times in just the past week I've had to deal with DNS entries that have made things a touch more painful than they should have been, so I thought it might be time for me to jot down a few notes on how DNS should be configured to save IS people's sanity!

First up, the DNS servers themselves. You should always have a primary and a secondary, which, generally speaking, are two different DNS servers at your ISP's location. If two are not available you should consider switching ISPs. Personally, I use three: two from my ISP and one from OpenDNS. This way, should the ISP change for any reason and/or should access be denied to the ISP's DNS servers, I've got a third, totally separate service available to me.

Next up, A records. These should always point to the IP address of the server in question and they should always use the hostname of the server. Sure, this can lead to some unfriendly names, but it's really handy to know the proper hostname of the server. If you want to use something 'pretty' then use CNAMEs. When you create the A record make sure the PTR record is also created in the reverse lookup zone. This way, when you are trying to work out which physical server a CNAME points at, all you have to do is a reverse lookup against the IP address.

You should also have MX records for two internal/DMZ-based mail servers which mail can be delivered to, and a third at the ISP which can retry delivery to your internal servers at a later date.
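A checker for the A/PTR/CNAME hygiene described above, added here as an example and not part of the original post. The zone data is constructed, and the 'name type value' zone format is a simplification of a real zone file.

```python
"""Check a forward zone against its reverse zone: every A record should have a
PTR that points back at the same hostname, and a CNAME should lead back to the
real host. Example added to this post; zone data below is constructed."""
import ipaddress

# Constructed sample data in a minimal 'name type value' zone style.
FORWARD_ZONE = """
srv01.example.internal.  A      10.0.0.5
srv02.example.internal.  A      10.0.0.6
mail.example.internal.   CNAME  srv01.example.internal.
www.example.internal.    CNAME  mail.example.internal.
loop1.example.internal.  CNAME  loop2.example.internal.
loop2.example.internal.  CNAME  loop1.example.internal.
"""

# srv02 deliberately has no PTR so the checker has something to report.
REVERSE_ZONE = """
5.0.0.10.in-addr.arpa.  PTR  srv01.example.internal.
"""


def parse_zone(text):
    """Parse 'name type value' lines into a list of (name, type, value)."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed record: %r" % line)
        name, rtype, value = parts
        records.append((name.lower(), rtype.upper(), value.lower()))
    return records


def reverse_name(ip):
    """10.0.0.5 -> 5.0.0.10.in-addr.arpa. (IPv6 gives the ip6.arpa form)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def canonical_name(name, records, max_hops=8):
    """Follow a CNAME chain to the hostname that carries the A record.
    Returns None on a CNAME loop or an over-long chain."""
    cnames = {n: v for n, t, v in records if t == "CNAME"}
    seen = set()
    name = name.lower()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            return None
        seen.add(name)
        name = cnames[name]
    return name


def missing_ptrs(forward, reverse):
    """A records whose IP has no PTR, or whose PTR names a different host.
    Returns a list of (hostname, ip, ptr_target_or_None)."""
    ptrs = {n: v for n, t, v in reverse if t == "PTR"}
    problems = []
    for name, rtype, ip in forward:
        if rtype != "A":
            continue
        target = ptrs.get(reverse_name(ip))
        if target != name:
            problems.append((name, ip, target))
    return problems


def physical_host(alias, forward, reverse):
    """The post's trick: alias -> CNAME chain -> A -> PTR. Returns the
    hostname the PTR gives, or None if any step in the chain is missing."""
    host = canonical_name(alias, forward)
    if host is None:
        return None
    ips = [v for n, t, v in forward if n == host and t == "A"]
    if not ips:
        return None
    ptrs = {n: v for n, t, v in reverse if t == "PTR"}
    return ptrs.get(reverse_name(ips[0]))


if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE)
    for problem in missing_ptrs(fwd, rev):
        print("A record without matching PTR: %s %s (PTR says %s)" % problem)
    print("www is really:", physical_host("www.example.internal.", fwd, rev))
    print("loop1 resolves to:", canonical_name("loop1.example.internal.", fwd))
```

Run it against exports of your own forward and reverse zones to list every server that a reverse lookup would fail to identify.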

These are simple tips and they (or variants of them) can be found as best practice advice for standard DNS configurations.


Sunday, June 29, 2008

Issues upgrading Domain Schema to 2003

So I'm probably a little behind in upgrading my home network's domain schema to support Windows 2003, but better late than never!
The process itself was smooth enough once I'd corrected some problems on the machine but the upgrade logs were not the most helpful troubleshooting aid I've come across.
One particular error had me stumped for a few days:

"Error code: 0x57 Error message: The parameter is incorrect.."

No indication of which parameter it was, but as it occurred when checking security descriptors, and many blog articles refer to missing security ACLs on GPOs, I had a look at those. Sure enough, Enterprise Admins was missing some rights, so I fixed those up and....... the same problem. At this point I'll admit to a lot of head scratching. The event logs didn't shed much light until I realised that the security event logs were not accessible. Sure enough, somehow the ACLs on the security event logs had lost all their rights. Resetting these and then rebooting allowed the process to complete perfectly.


Thursday, October 25, 2007

Centralised Logging

One of the essential features for even a small network is a centralised logging solution.
Having a centralised logging tool makes for much easier troubleshooting, as it becomes possible to review logs and search for related events, or even search for the same event on separate machines. Traditionally this has required quite expensive software such as HP OpenView, but a fairly new company might be about to put an end to that.

Enter Splunk, The 'Google of IT data'. This application will happily collect all sorts of different logs once configured and the configuration is not too difficult.

Splunk needs to be installed onto a Linux, Mac or Solaris environment although a Windows version is promised soon. As a workaround Splunk recommend that SNARE is installed on Windows servers. This software will convert event logs into syslog format and send them to a named server.

Putting Splunk in the centre of your logging infrastructure as a syslog server, pointing all your syslog-capable devices at it, and then using SNARE to roll up event logs as syslog messages which also get sent to Splunk is very easy to do. Within a few hours you have a surprising amount of data available to be searched by Splunk.

And the price for all this information?

SNARE is free. Splunk is free if the amount of data you send to the Splunk server is less than 500MB a day, although some of the features are limited.

I will admit to being a fan of Splunk after playing with it in VMWare. Over the next few weeks I'm going to describe how to configure a simple Splunk installation for Linux, Windows, NetApp filers and Cisco switches.


Tuesday, October 02, 2007

NT4 Emulator Key

If you happen to run a large Windows environment you might be familiar with the in place upgrade method of upgrading your domain to Active Directory. If you run a large Windows environment that spans several sites over a variety of links then you will know that an in place upgrade can be a pain.

The main problem with an in-place upgrade stems from the fact that client machines will always prefer to talk to the Active Directory server instead of the Windows NT4 Backup Domain Controller. This means you can end up in a situation where a remote site's clients are traversing a poor link to authenticate against the Active Directory server and ignoring the local NT4 Domain Controller.

To work around this issue Microsoft provide a registry hack called the Windows NT4 Emulation key. If a DWORD value called NT4Emulator is created in HKLM/System/CurrentControlSet/Netlogon/Parameters and set to 1, the server will 'pretend' to be a Windows NT4 server. The client machines then do not see any Active Directory domain controllers on the network and so will be quite happy to authenticate locally.

I'll cover this key and some of its drawbacks in some later articles.


Thursday, September 20, 2007

FSMO Confusion in multiple domains

When I teach classes on Active Directory I cover various domain models, including the empty root domain model. This model has several security, delegation and political benefits that I will cover in a future article; suffice to say it uses two domains: the child domain is the production domain and the empty root just contains certain FSMO roles and forest-wide groups.

When I teach this model I always ask the class how many FSMO roles there are and, if the class is awake, I generally get the correct answer of five. I then point to the empty root domain model and ask the class where the 8 FSMO roles should be placed. Invariably I get a look of confusion, because there are only five.....

What a lot of people forget is that the minimum number of FSMO roles you can have in a domain is three and the maximum is five. Let's look at that empty root domain again. The empty root is just a Windows domain that happens to be the first domain created in the forest, and as such it will hold five FSMO roles. The roles are Schema Master, Domain Naming Master, PDC Emulator, RID Master and Infrastructure Master. The first two are forest-wide, so they will only ever exist in one domain of the tree, whereas the other three are domain-wide and will exist in each and every domain created. This seems to be where the confusion comes in.
Your very first domain (the empty root in this example) will have FIVE FSMO roles; the child domain will hold THREE. Five plus three equals eight, which explains how you can have eight FSMO roles across two domains.


Wednesday, September 05, 2007

Creating a Default User Profile

One of the things that annoys me about Windows is the Default User profile. This is the profile that a new user who logs onto a machine (or server) will get.
The way it works on NT, 2000, XP and 2003 is pretty much the same.
Under the Documents and Settings folder on 2000, XP and 2003 is a series of folders, one for each person that logs on to the machine.

Hidden in here is also a profile called 'Default User' and whatever is in here gets copied to the logon name of any NEW person that logs on.

Microsoft provide a somewhat tortuous way of customising this profile by creating an additional local user which is fine unless you have already spent time customising the profile you have logged on as.

Facing this situation yesterday I realised that the easiest fix is to just log off the machine, which unloads the user profile, and then copy the existing profile over the top of Default User. You then have a working default user profile in seconds..... Permissions might need to be adjusted, but it was a quick and painless way to take an existing, configured profile and make it the default.


Wednesday, March 07, 2007

VMWare offer free P2V conversion tool

I have a Windows 2000 domain controller that I want to clone and put into my test network so I can rehearse an upgrade from Exchange 2000 to Exchange 2007 and test out the Active Directory upgrade from 2000 to 2003. At first I looked at a couple of DR-type options. The standard System State backup via NTBackup will restore into VMWare, but because it restores a chunk of hardware-related information as well, the VMWare machine reboots and then blue screens - not good. I'm sure there is a way round this with sysprep or by backing up that data separately, but my experiments led to a constantly rebooting server. I also found out that DCPROMO /ADV only works for Windows 2003.

Another option is to join the VM to the live network and DCPromo it as another domain controller, Snapshot, DCPROMO it down then restore the snapshot. This would work but I've heard of problems with errant entries in DNS when this approach is used.

After some head scratching I found a free tool on VMWare's site that does Physical to Virtual conversion (P2V) and it's free for single machines to VMWare workstation or VMWare server. If you want to convert to ESX server or convert a bunch of machines then you need a licence.
I've installed the software onto my domain controller and I'll have a go at running the conversion this week and report back on how good or bad the process is.


Wednesday, February 28, 2007

DST Patch for Windows 2000 updated

Just a quick update on the DST issue, I've tweaked the MSI I put together so that it can no longer be uninstalled. This is because the MSI overwrites the timezone values in the registry and uninstalling the patch was causing timezones to disappear.
There is no problem with the MSI if you don't uninstall it so I've created a v1.1 that does not allow uninstall.

The patch has been tested on Windows 2000 but not on Windows NT4. I will test on NT4 this week and post a blog article if it works.

The v1.1 patch is available here free of charge.


Thursday, February 22, 2007

Setting up Email on Nokia E61

I've upgraded my personal mobile to a Nokia E61, which is based on the Symbian 9.1 operating system. It's a very nice phone, built especially for its extensive messaging capabilities, which do work well.

One problem I had at first was working out how to configure the E61 to pick up email from my IMAP server. The help page described how to do it but the menu I needed was hidden so deeply down the tree that when I finally figured it out I thought it would be worth passing the configuration process on.

1. From the main menu click on your messaging button (the envelope icon to the right of the joystick).

2. Click on Select, then on Settings.

3. Scroll to Email.

4. Just click on Start.

5. Select the mailbox type - POP3 or IMAP. It's important to remember that once selected you CANNOT change it. You must delete the mailbox and then recreate it.
A second thing to note is that POP3 does not delete email from the mail server but works pretty much the same way as IMAP.

6. Enter your email address.

7. Enter the name of the mail server. Note: This server must be on the Internet if you want to pick up your emails from remote locations. Internal mail servers are fine for using the phone via wireless over the LAN.

8. Enter the DNS name of the outgoing mail server. You need to put something in here even if you don't want to send emails.

9. Pick the default type of connection for that email account.

10. Give it a nice friendly name - This is the name that will appear in the messaging list.

All done! And that's all there is to it.


Tuesday, February 13, 2007

NTP & Time Zones

With the upcoming DST issues it's worth remembering how NTP works.

NTP and SNTP both work in the same way: time is pulled from a time source (generally a server on the Internet) as UTC. The operating system THEN applies whatever offset is relevant to the time zone the server lives in. NTP cannot and will not apply a time-zone or DST change to any clock on a server or other operating system; that is something the application must deal with itself.

Tomorrow I will cover how this problem affects Windows and other various applications as well as provide a download for Windows 2000 machines which Microsoft no longer support for anything other than security updates.


Thursday, December 07, 2006

Troubleshooting DHCP

I had an interesting time quite recently troubleshooting a DHCP problem. The server wasn't giving out IP addresses when connected to the network or when connected to a hub.
The reason turned out to be a Cisco switch problem, but the fact that DHCP wasn't working when on a hub clouded the issue.

After fixing the problem (rebooting the switch) I figured that a blog on how to troubleshoot DHCP in Windows 2003 might be of some use as even though this wasn't a DHCP issue I did need to rule out DHCP.

1. Take a look at the DHCP log file normally held in %systemroot%\system32\dhcp. They are in day order and so rotated every 7 days. A healthy log will show lots of 11,[DATE],[TIME
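A small parser for the DHCP audit log described in step 1, added here as an example (the log lines are constructed, not the post's own). The event-ID meanings are the documented Windows DHCP audit log IDs as I know them; the real log's header lists the complete table, so check it against your server's version.

```python
"""Summarise a Windows DHCP server audit log (DhcpSrvLog-*.log) to rule DHCP
in or out quickly. Example added to this post; the sample log is constructed.
Event IDs below are the documented audit-log IDs (assumption: this subset is
enough for a first check; the log file's own header lists the rest)."""
import csv
from collections import Counter
from io import StringIO

EVENT_MEANING = {
    "00": "log started",
    "01": "log stopped",
    "10": "new lease",
    "11": "lease renewed",
    "12": "lease released",
    "13": "address already in use on the network",
    "14": "request not satisfied: scope address pool exhausted",
    "15": "lease denied",
}
# The post's picture of a healthy server: lots of renewals (11) and leases (10).
HEALTHY_IDS = {"10", "11"}

# Constructed sample. A real log starts with a prose header, then the
# 'ID,Date,Time,...' column line, then one CSV row per event.
SAMPLE_LOG = """\
        Microsoft DHCP Service Activity Log (constructed header text)

ID,Date,Time,Description,IP Address,Host Name,MAC Address
11,12/07/06,09:15:02,Renew,10.0.0.21,pc01.example.internal,001122334455
11,12/07/06,09:15:09,Renew,10.0.0.23,pc03.example.internal,001122334477
10,12/07/06,09:15:10,Assign,10.0.0.22,pc02.example.internal,001122334466
14,12/07/06,09:16:00,Scope Full,,,
14,12/07/06,09:16:04,Scope Full,,,
13,12/07/06,09:16:30,Conflict,10.0.0.22,,001122334466
"""


def parse_dhcp_log(text):
    """Yield one dict per event row, skipping the prose header that precedes
    the column line."""
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("ID,Date,Time"))
    except StopIteration:
        raise ValueError("no column header found; is this a DHCP audit log?")
    reader = csv.DictReader(StringIO("\n".join(lines[start:])))
    for row in reader:
        if row.get("ID"):
            yield row


def summarise(text):
    """Return (Counter of events per ID, list of rows that are not routine
    lease/renew traffic)."""
    counts = Counter()
    suspicious = []
    for row in parse_dhcp_log(text):
        eid = row["ID"].strip()
        counts[eid] += 1
        if eid not in HEALTHY_IDS:
            suspicious.append(row)
    return counts, suspicious


def health_report(text):
    """Return (healthy, messages). A log with no leases at all points away
    from the DHCP server (clients never reach it); IDs 13/14 point at it."""
    counts, suspicious = summarise(text)
    messages = []
    if counts["11"] == 0 and counts["10"] == 0:
        messages.append("no leases or renewals logged: clients never reach the server")
    for eid, n in sorted(counts.items()):
        if eid not in HEALTHY_IDS:
            meaning = EVENT_MEANING.get(eid, "see the log header")
            messages.append("%d x ID %s (%s)" % (n, eid, meaning))
    return (not messages), messages


if __name__ == "__main__":
    ok, msgs = health_report(SAMPLE_LOG)
    print("healthy" if ok else "problems found:")
    for m in msgs:
        print("  " + m)
```

Point it at the current day's DhcpSrvLog file: a log full of ID 11 with nothing else is the healthy picture the post describes, while an empty log on a busy network means the requests never arrive, which is what a switch fault looks like from the server.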


Thursday, November 09, 2006

Unattended Vista Build - Failed first attempt

Unattended installations really do remove the pain from installing an operating system simply because they will answer all the routine questions of user names, serial numbers, country codes and can configure a fair chunk of the operating system.

Windows Vista, like operating systems before it, will come with a tool to enable the creation of unattended installation files.
Vista is doing things slightly differently though. Whilst it's possible to create an unattend.xml file, there is a whole lot more you can do in a new tool called Business Desktop Deployment (or BDD).
I'm on the BETA for this, so armed with the latest BETA of BDD and the current release candidate version of Vista I set about creating a fully unattended install... Well, that was the plan at least. The reality was rather disappointing.

First of all, I created a Windows XP workstation as BDD won't install onto Windows 2000 Professional. Once XP is installed you need to install a couple of pre-requisites, namely .Net Framework 2.0 and MSXML 6. So these go onto the machine and finally I'm ready for BDD itself. This software installed very easily and very soon I was ready to go.

The first time I fired up the MMC snap in for BDD (called the deployment workbench) BDD crashed on me. A quick trip to Microsoft's page showed that installing MMC 3.0 should fix this and so another download later and BDD is running.

Windows Vista's installation is contained in a single .WIM (Windows Image) file. You can really think of this as a giant zip archive containing the actual software - No more thousands of separate files - just one 4GB image file that contains all the versions of Vista.

To configure this there is another tool called the 'Microsoft Windows AIK' (Automated Installation Kit) - yes, even MORE acronyms to remember.
WAIK contains the Windows SIM (System Image Manager) and it's THIS that can make tweaks to the Vista WIM files and generate the answer files.

Unfortunately, Microsoft have made one small flaw. When using the current builds of Vista against the current builds of Windows System Image Manager the Image Manager crashes out with a very nasty error message. It seems that the WIM format has changed in any builds higher than 5800 and that the Windows System Image Manager cannot cope with it.

After this comedy of errors I've given up on unattended Vista builds for the moment but will take another look at them soon along with the entire BDD environment.




Tuesday, November 07, 2006

On a quest for the perfect knowledge base

I've been on a quest for some time now.

I'm seeking the perfect notepad-type application to act as a PORTABLE knowledge base - All too often I'll see a link or find a fix for something and want to record the information somewhere for future use. I'm looking for a tool that is:

  • Portable (i.e. can run from a USB key)
  • Doesn't need to be installed
  • Can be split into categories
  • Is searchable
  • Can hold a large amount of data.

I did try TiddlyWiki but after adding a couple of articles the .htm file it generates got too large and it became very cumbersome to use, so the search goes on...


Monday, October 30, 2006

Tape Backups and why they may run slow

Due to an interesting event earlier this week I thought it might be worthwhile doing a quick blog entry on how tape drives work and why some restores of small files can take an age to restore along with some tips on how to improve this.

Tape backup technology started out many years ago with things like the QIC and DAT. It's still used today but the tapes are more likely to be DLT, SUPER-DLT or LTO. These tapes and the corresponding drives deliver superior speed and storage capacity but the very technology that makes them high speed and high capacity can have a serious detrimental effect when backing up thousands or even millions of small files.

When you back up a file to tape it works like this:
Header:Data:Checksum

The next file is encoded in the same way so you get:
Header:Data:Checksum:Header:Data:Checksum

All fine so far. The problem occurs when you have more than a few thousand files. What happens is that the drive cannot work at its full speed: it speeds up, overshoots the header point, slows down, reverses the tape, reads the header, maybe restores the file (if it's in the list of files to be restored), then moves on to the next one, where the process is repeated all over again.

This means that a nice shiny super-fast LTO can actually run SLOWER than an older-technology QIC tape drive. The QIC suffers from the same problem, but to a lesser extent because the drive technology is slower.

So what can you do to work around this issue?

What you do is the equivalent of stuffing all the files into a zip archive - Backup Exec calls this the 'intelligent image option'. All it's actually doing is dumping all the files into one big file so that it can write the file at the drive's top speed without having to stop, calculate the checksum, write the checksum, write the next header, etc.

If your backup software does not support an intelligent image option or similar you can configure NTBackup to backup the data to a single .BKF file then back that file up - The drawback here is simply that a restore will take a while because you will be restoring the .BKF then extricating the actual data out of the BKF rather than selecting the file directly from the backup software.


Monday, September 25, 2006

Windows Mobile Emulation

At the Microsoft Messaging & Mobility User Group meeting last week, a demo of Exchange 2007 mobile messaging policies was shown. Using Exchange 2007 policies it was shown how a mobile device could be remotely wiped the NEXT time it tried to sync.

The really interesting thing about this demo was that it featured a mobile emulator device rather than real hardware. This caught my attention because I didn't even know Microsoft HAD such a thing as a mobile device emulator! A quick trip around Microsoft's site showed several add ins for Visual Studio but no actual device emulator download.

After some heavy use of Google I managed to find what I was after and piece it all together. Getting the mobile emulator up and running is not as simple as it could be but for anyone interested in using the mobile emulator software this is how I got it working.

1. Download the following files:

standalone_emulator_V1.exe
efp.msi

CTP_Setup_NoNetFX.msi
netsvwrap.msi

You will also need a copy of Active Sync 4.x or higher. I'm using 4.2 which is the latest and this works like a charm.

2. Install the following:

standalone_emulator_V1 - This is the actual emulator
efp.msi - EFP contains the actual images
ntssrvsrap - Contains a networking driver
ctp_setup_nonetfx - Provides an emulator manager that is required to 'cradle' the device.

3. Click on Start -> All Programs -> Microsoft Windows Mobile 5.0 MSFP Emulator Images -> Pocket PC Coldboot.

4. Configure and mess around with the pocket pc

5. To sync just launch the Device Manager (Start -> All Programs -> Microsoft Windows Mobile 5.0 MSFP Emulator Images -> Device Emulator Manager)

6. Click on the GUID for your device (you might have to mess around with this if you have both the smartphone and the pda running). Click on Actions -> Cradle

7. You can now use ActiveSync to sync with your Exchange server as long as the connection in Active Sync is set to DMA.

8. Finally, to save your settings click on File -> Save State in the emulator. This will allow you to use the savestate icon options under Microsoft Windows Mobile 5.0 MSFP Emulator Images.



Enjoy!


Monday, September 18, 2006

Issue with MS06-049 and NTFS compression

Microsoft have announced that there is a bug with the MS06-049 patch when compressing individual folders under Windows 2000.

From reading the bulletin it seems that whatever driver is used to read the contents of the compressed file is having some problems and returns junk. The actual data is unaffected as uncompressing the folder fixes the problem.

Once again, this seems to be a poor show on Microsoft's part, as stuff like this should be tested by them. A fix for the problem is due 'soon', probably prior to the 8th October patching cycle.


Friday, September 15, 2006

MM&M User Group Inaugural Meeting

I had the good fortune to be invited to Microsoft in London's Soho for the inaugural meeting of the MM&M UG (Microsoft Messaging & Mobility User Group UK).

This group has been created in order to encourage users in the UK to share knowledge and tips on Microsoft messaging platforms, so its main focus is on Exchange Server.
The session I went to in London was fairly well attended for a first meeting. About 20 people showed up to see three presentations ranging from an overview of Exchange 2007 to a live demo of some of the text-to-voice capabilities of Exchange 2007.

The meeting did demonstrate that Microsoft really do 'eat their own dogfood' with Eileen Brown (Microsoft Technology Evangelist) hitting a stumbling block for a couple of minutes because the Exchange server her test account was on had been upgraded!

A couple of demos showed some nice features of Exchange 2007 - Something that's new is the ability to set policies on mobile devices so that if a mobile device is stolen it can be automatically wiped on the next sync. This wasn't demonstrated directly but we did see it in a movie file and it looked quite impressive.

Obviously, a lot of the new features in Exchange 2007 have been in other products for a while now but Exchange puts them in the right place - On the mail server where you can have all your messaging and messaging policies in one place.

The final thing that came out of the meeting was the information that Microsoft are removing support for public folders. Everything will link into SharePoint so if you have data in public folders you will need to consider going down the sharepoint route. This is something that will happen over a number of years so public folder support *MAY* be in Exchange 2007. I've not installed it yet so cannot comment on that.

Overall the meeting was quite good. If you are in the UK and heavily involved in Exchange server you could do a lot worse than register on the MM&M UG site.


Friday, August 25, 2006

Set up a free PXE server on your Network

PXE is a great way of booting client machines from a network card. It's useful for accessing network resources, disk tools and imaging software, and you don't have to mess around with bootable CDs or floppy disks.

Companies like Symantec sell quite high-end solutions that provide PXE on your network, yet you don't need to spend a single penny in order to get a useful, working PXE environment - This is how you do it for free.

1. Obtain the following software:
TFTP32
WinImage
3Com's MBAUTIL (This one might be a pain to get hold of. If so, drop me an email and I can make it available for download from this site).

2. On a Windows DHCP Server (it might work on others but this is untested) add the following options:

66 Boot Server Host Name
67 Bootfile Name

Bootfile Name should be mba.pxe (Which we will create later).
Boot Server Host Name should be the IP address of where the TFTP server will live.

3. On the server you want to have acting as a PXE server install TFTP32.

4. Create a folder called PXE on the root of C:\ then launch TFTP32 and click on Settings.

5. Configure TFTP32 as follows:
turn OFF DHCP Server, Syslog Server and SNTP Server.
Change the DEFAULT folder to C:\PXE
Close and relaunch TFTP32.

6. Install WinImage onto your workstation.

7. Either take an existing floppy boot image or take an actual bootable floppy and allow WinImage to create an IMA file. DO NOT use the compressed IMZ format. For this example I'm using a bootable version of Partition Magic.

8. On the PXE server, create a folder called PXE and drop the IMA file from step 7 into it.

9. On the workstation or on the PXE server install the 3COM MBAUTIL tool. Because this is a 16 bit tool do NOT install it into program files. The root of C: is best.

10. Launch c:\MBAUTIL\IMGEDIT\IMGEDIT.EXE and accept all the defaults.

11. Click on 'Create a PXE menu file' - Add in options for Hard Disk boot and for the floppy disk tool you are going to convert. Save this file as c:\pxe\mba.pxe

12. On the main IMGEDIT menu click on Edit an existing file.

13. Click on the IMA file in the C:\PXE folder.

14. Click on Properties and then change.

15. Change the type to TCP/IP and select the PRE-OS and WRITABLE radio buttons. You need to do this every time you modify the IMA file or drop a new one in the PXE folder.

That's It! You now have a working PXE environment. To try it, boot a machine from its network card. REMEMBER! The machine MUST be on the same subnet as the PXE server, otherwise the PXE traffic may not get across the router without additional router configuration. This increases complexity and makes it a pain to troubleshoot.


Friday, July 14, 2006

NetBackup and _vxfiVspCacheFile

I've used various backup tools and one of the STRANGEST is Veritas/Symantec Netbackup. This software is strange for a variety of reasons that I may go into one day but for now I'll concentrate on one issue and that's the way it backs up files that are in use.

NetBackup has an add on called 'OTM' this stands for Open Transaction Manager and it backs up open files by copying them byte for byte into a special file called _vxfiVspCacheFile. Sometimes NetBackup does not do the decent thing and delete this file when it's done and on several occasions I have seen this file grow to some horrendous sizes. Recently I saw this file hit 91GB in size and eat nearly a third of the disk space of a server.

The simple fact that BACKUP SOFTWARE has the potential to seriously ruin your day by eating up so much disk space would seem to indicate that NetBackup has some issues to overcome. There are various ways of limiting the size of this file but I would have expected some internal logic to work out the best place to put such a file and to ensure that it cleans up after itself.

The worst situation is where _vxfiVspCacheFile is locked in use by SYSTEM and so cannot be deleted. Because it's locked by SYSTEM there is no service or application that can be killed to remove the handle on the file. Fortunately Sysinternals provide a solution for this problem.
On their website is a wonderful tool called Process Explorer. This tool will run just by double-clicking the .exe file and will show every file, directory, token and other resource in use by the system.

To kill _vxfiVspCacheFile it's just a matter of running Process Explorer, clicking on SYSTEM, finding the file handle, right-clicking and selecting CLOSE FILE HANDLE. This allows the file to be deleted and thus gain back all that disk space until NetBackup goes and does it again......!


Wednesday, July 05, 2006

Active Directory DNS zones

Almost everyone who has played with Active Directory knows that DNS is important. In fact, DNS is so important to Active Directory that it simply is a must for Active Directory to work.

By default Active Directory creates an Active Directory integrated DNS zone. This is quite a clever method for replicating within an Active Directory domain, as any changes to DNS are replicated to other DNS servers using Active Directory replication technology.
It also means that there is no such thing as a primary or secondary DNS server. A change can be made on any DNS server and that change will be replicated to the other DNS servers for that domain.

All well and good so far.

But take the following scenario that I wanted to setup:

A test network with Active Directory integrated DNS zones.
A live network with Active Directory integrated zones.

From the live network there needs to be resolution of servers in the test network, and the test network servers need to be able to resolve things on the Internet.

On the test network it's quite possible to set the DNS forwarders to be the ISP's DNS servers, but that would be a waste of bandwidth as the DNS server on the production network is already doing this task. Therefore the test network DNS server can have its forwarders set up to use the production DNS servers.

The second problem is how do we get name resolution from the production network into the test network? There are two ways of doing this:
1. Create a stub zone
2. Create a secondary zone.

One of the neat things you can do even with Active Directory integrated zones is to create a secondary zone from an Active Directory zone. This allows for a read-only copy of that zone to exist on the production network. As soon as the Active Directory integrated copy is updated (via dynamic DNS for example) our secondary zone has a copy of that entry.


Wednesday, June 28, 2006

Password Policies on Domain Controllers

Many times now I have seen the same erroneous answer to the question of "How can I give people in different OUs different password policies?"

You cannot.

Password policy is a function of the DOMAIN policy and not an OU policy, therefore you need to think carefully about your password policies because this will affect your Active Directory design considerations.


Friday, June 23, 2006

Tips for Active Directory Restores

Over the past few weeks I have had the chance to play with Active Directory Restoration and various failure scenarios. During this I have come up with a set of tips that I thought it would be worth sharing. If you have any more then please add them into the comments.

1. You should always have a MINIMUM of two domain controllers doing replication between them and they should be at different sites.

2. Should you ever need to restore the system state you should only restore the system state to the machine it was backed up FROM. This is because the system state contains more than just Active Directory; it contains all the registry settings and more, therefore restoring system state to a different machine will overwrite the settings on that machine.

3. The only exception to rule 2 is when you restore system state to a DIFFERENT location in order to promote a domain controller from another domain controllers system state.

4. DCPROMO /ADV is the command that will allow you to point the DCPROMO process at a restored system state. This is called a non-authoritative restore.

5. An authoritative restore cheats. It just increments the USN (Unique Sequence Number) of all objects that you are restoring by a huge amount (20 to 100 thousand) .

6. The Active Directory Database is called NTDS.DIT

7. It's helpful to understand Active Directory's replication model - A domain controller will look in its NTDS.DIT database and THEN ask the server running the PDC Emulator if it has a record with a higher USN.

8. Dependent on how your replication environment is configured it MAY be possible to jump onto another DC and mark the object you want recovered authoritative. This way, when the replication occurs it will be ignored because the USN's have changed.

9. To recover Active Directory the server MUST be in Active Directory Services Restore Mode. This mode is a variant on Safe Mode and means the Active Directory database is NOT loaded. You must log in using a logon name of Administrator and the Active Directory Services Restore password you set during DCPROMO. This password is the ONLY password that is stored locally on the domain controller. It can be changed by following tip 17.

10. To recover the ENTIRE Active Directory database you type NTDSUTIL -> authoritative Restore -> Restore Database

11. To recover an OU you type NTDSUTIL -> Authoritative Restore -> Restore Subtree "OU=X, OU=Y, DC=A, DC=B"

12. To recover a single object you type NTDSUTIL -> Authoritative Restore -> Restore Object "CN=X, OU=Y, DC=A, DC=B"

13. When restoring objects you need to use the full distinguished Name. The distinguished Name is the CN=X, OU=Y, DC=Z as listed above.

14. Acronyms used in distinguished Names:
CN is Common Name
OU is Organizational Unit
DC is Domain Component

15. It's possible to perform an authoritative restore WITHOUT being in Active Directory Services Restore mode. To do so you need to set a flag with the following command:
SET SAFEBOOT_OPTION=DSREPAIR.
Attempting this type of restore is NOT recommended. It's much cleaner and safer to be in Active Directory services restore mode.

16. NTBACKUP has a bug. If your NTDS.DIT database is on any drive other than C: you must back up a file on the same drive NTDS.DIT lives on. For example, if NTDS.DIT lives on the G: drive then you must back up ONE OTHER file on G: otherwise it won't work.
The bug is documented here.

17. You can change the Active Directory Services Restore Mode password by using the following command:
NTDSUTIL -> SET DSRM PASSWORD -> RESET PASSWORD ON SERVER
you will then be prompted for a new Active Directory Services Restore Mode password.


Thursday, June 15, 2006

Windows 2000/XP can't see entire Hard Disk Space

Several times now I have used big (greater than 128GB) IDE hard disks in Windows 2000 and found that Windows cannot address more than 128GB. This is down to a limitation of the service pack (you need to be on service pack 4) and the simple fact that there is a registry value called EnableBigLBA that needs to be activated.

The required registry key is listed on Microsoft's support site. Click on this link to see the article.


This really is one of those tweaks that's handy to have in an automatic build or in a ghost image.
