Mark Minasi's Windows 2000/NT Newsletter

Issue #4 April 2000

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm.

What's Inside

News  

Whew, it's been a busy month -- that's why this is late; please accept my apologies.  Not only is the next six weeks or so nonstop travel, I've got a deadline on the Linux book and I'm hiring a replacement for my assistant Brenda Davidson, who's left us to move along to Bigger and Better Things.  (She's going to Bell Atlantic to become a DSL guru ... or is it gurette, I'm never sure.)  This month:  two important free tools you can download from Microsoft, including an Active Directory migration tool; Windows 2000's "secret" remote control tool; extending Task Manager's power; 2000 Professional's Telnet server; the easy way to see all of Windows 2000's command line tools; completing a hands-off RIS installation; and upcoming conferences, Windows 2000 seminars, discount books and reader reviews.

Windows 2000 Classes Available

I've been traveling quite a bit lately doing Windows 2000 classes.  We don't do public classes but I'm available to come to your company and do seminars of whatever length you'd like on Windows 2000 administration and deployment.  I don't teach the official Microsoft curriculum, as I know you don't have the time to take a week or two away from your desk -- instead, in just two days I can teach NT experts how to set up and administer a Windows 2000 network, as well as how to roll out Windows 2000 Professional to your workstations with the least muss, fuss, and greasy aftertaste.  And if you're still just exploring Win2K for a possible future rollout, I've got a great one-day technical overview that'll give you the straight dope on Active Directory concepts and planning, Intellimirror possibilities, strengths, and weaknesses, and suggestions for when and how to deploy Windows 2000, of course all from an independent point of view.  For more information, contact brenda@minasi.com or call (757) 426-1431. 

Discount Books and Thanks for the Reviews

Mastering Windows 2000 Server, 2nd Edition is consistently in Amazon's top 400 and often the top 100 -- many thanks to those of you who've purchased it!   As always, the Windows 2000 book is discounted at Amazon via this link: http://www.amazon.com/exec/obidos/ASIN/0782127746/qid%3D951327728/sr%3D1-24/103-1360566-4240609/markminasi/002-6700447-8468236 or just jump off from http://www.minasi.com/covers/booklink.htm.

Readers Tam Nguyen, Bernhard Klinder, Timothy Warner, John Vong, Kevin Wix and David Palumbo wrote some very kind reviews on-line and let me say "thanks a million" to them.  

Tech Tips

Downloads from Microsoft:  Active Directory Migration Tool and Sysprep 1.1

The past month has seen two very useful tools arrive from Microsoft:  the Active Directory Migration Tool (ADMT) and Sysprep 1.1.  And they're free, so don't miss them!

Active Directory Migration Tool

Active Directory Migration Tool essentially puts the "eraser" on Active Directory.  By itself, AD doesn't let you merge two different trees or forests; but ADMT lets you change all that.  It's a tool that lets you copy entire domains' worth of user accounts, machine accounts, and permission information.

Let me illustrate what it does with a simple example.  Suppose I've got a domain named Source, which can be either an NT 4.0 or a Windows 2000 domain.  Then I've got a domain named Target, which must be a Windows 2000 domain in native mode.  ADMT is a GUI-based tool that will let you clone every user and machine account from Source to Target, even allowing you to place all of those accounts into a particular OU.  The users from Source, then, can immediately choose to log onto their new accounts on Target (although their old accounts on Source still exist -- which can be useful if you find that something went wrong with the new Target copies).  But those Source users probably have permissions on other servers.  Some member server in (for example) Source might give some Source users read access and others full control.  But what about when those users log on via their new Target accounts?  No problem -- ADMT adds the permissions to the member server.

Basically, ADMT is a very nice migration tool.  The requirement that the target domain must be native mode is a bit undesirable, but the price is right.  With a bit of work, you could even merge entire Active Directory trees.  ADMT is at http://www.microsoft.com/windows2000/downloads/deployment/admt/default.asp.

Sysprep 1.1

Sysprep 2000 lets you use tools like Ghost or Drive Image Pro to clone a computer image to a multitude of computers.  The basic idea of cloning is that you just get a Windows 2000 system set up just the way you want it -- applications, settings, and all -- and then run Ghost or Drive Image Pro to essentially "photocopy" this entire disk "image" to as many computers as you like.

The problem with cloning NT systems (and now 2000 systems) is, however, that every 2000 system (except Active Directory domain controllers) has a SAM file that incorporates machine-specific security information called Security IDs or SIDs.  It's not a good idea to have more than one system on a network with a particular set of SIDs, so cloning a bunch of machines -- Xeroxing SIDs, essentially -- isn't the best way to roll out Windows 2000 to the desktop.

Microsoft's answer was to create Sysprep, a tool that rips the SIDs off of a system.  You get the 2000 system as you like it, again with the preferred apps and settings, then Sysprep it. The now de-SIDded system is ready for cloning.  You clone its image to a new computer and boot that new computer for the first time.  Sysprep realizes that this is the first time that this new cloned computer has ever run, and so it runs a kind of mini-Setup wizard to gather some information and then to generate a unique set of SIDs for that system.

The only problem with Sysprep stems from hardware.  What if you create the initial image on a computer with a particular set of hardware, but then impress that image on a computer with completely different hardware?  Sysprep works around that problem by doing a quick Plug and Play scan the first time that a new image runs, and adjusts the system's drivers accordingly.  (Wondering where those drivers come from?  Every Windows 2000 installation includes -- whether you like it or not -- a 50 megabyte file called driver.cab which includes all of Windows 2000's drivers.)

There was just one problem with Sysprep and Plug and Play -- Sysprepped images couldn't handle a change in disk controllers.  It could handle changes in the video, NIC, sound cards, and the like, but if you created an image on a system with an Adaptec SCSI board and you tried to impress it onto a system with an EIDE disk adapter, then the image wouldn't work.  If your enterprise uses five different SCSI and EIDE host adapters, then, you'll have to keep five different Sysprep images -- boo, hiss.

Sysprep 1.1, however, gets around that problem.  When you run it the first time, instead of typing "sysprep," type "sysprep -pnp" and your image will be able to handle a computer with any disk adapter.  You can find Sysprep 1.1 for Windows 2000 at http://www.microsoft.com/windows2000/downloads/deployment/sysprep/default.asp.

Windows 2000 Professional's Secret Remote Control Tool

I'm kicking myself that I didn't cover this in either of the 2000 books, but Ryan Califato of Microsoft took me to task recently over my complaint that Windows 2000 lacks a remote control tool.  I said that it irritated me that Microsoft made me go buy PCAnywhere, Carbon Copy, or SMS if I wanted to be able to control one PC desktop from another computer.  Ryan's answer?  NetMeeting 3.0.  (Actually, it's not just a W2K feature; I think it's in Windows 98 Second Edition as well, if I recall right.)

NetMeeting 3.0 includes a feature called Remote Desktop Sharing.  Suppose you want to control a computer named Slave from a computer named Master, using RDS.  Here's the overview of what you need to do that:

1) Set up Slave to accept incoming RDS connections.  I'll talk more specifically about how to do that below.

2) You must have an administrator-level account on Slave.

3) Master and Slave must be connected somehow.  The easiest way to do a remote connection would be for both Master and Slave to be on the Internet, or on the same corporate network.  Alternatively, RDS can work over a temporary connection:  you can set up Slave with Dial-Up Networking to accept incoming calls, and then have Master call Slave before seizing control with RDS.

4) Once Master and Slave are connected, you sit at Master and "call" Slave using NetMeeting.  Slave answers, but only because you've told it in Step 1 to be ready to receive incoming NetMeeting "calls."

5) Slave prompts you for a password.  You type in the account name and password of the administrative account.

6) You then get a window on your screen which contains Slave's desktop.

You can now watch what the person sitting at Slave is doing.  But your connection isn't passive -- you can move your mouse or press keys on the keyboard and override whatever Slave's local operator is doing.  Here are a few specifics.

Setting Up NetMeeting

Before you can use NetMeeting on either Master or Slave, you've got to answer a few questions.  Start NetMeeting for the first time by clicking Start/Programs/Accessories/Communications/NetMeeting.  Normally that'll start up NetMeeting but if it's the first time that you're running it, then NetMeeting will run through a setup wizard.

The first panel of the NetMeeting setup wizard tells you about all of the things that NetMeeting can do; click Next.  The second wizard panel wants you to fill in information about yourself -- name, e-mail, location, comments.

Two things are going on here.  First, this is supposed to be a convenience to whoever you're talking to; NetMeeting's original purpose is to let you establish basic telephone-like connections between you and others, over a network.  For example, suppose you've got a sound card, a microphone, and speakers on your computer and you've got a friend across town who's similarly equipped.  Assume also that you are both connected constantly to the Internet, via cable modem or DSL, and that you've both set up NetMeeting to be listening for incoming NetMeeting "calls."  You could, then, use the Internet instead of the telephone system to communicate with each other.  The sound quality will in general be terrible, but you can do it nonetheless.  If you've got a videoconferencing camera attached to your computer, then you can send video images as well -- grainy low-resolution images.

You call your friend by specifying the IP address or DNS name of his PC.  But what if you wanted to talk to someone whose machine's name or IP address you didn't know? Then you could look him/her up in a central directory that Microsoft maintains, or optionally some other directory.  But it's the "Microsoft directory" part that's important here.  The ICQ folks built a nice little messaging tool, gave it away, and forced anyone who wanted to use it to register their name in the ICQ database.  Eventually the ICQ people had a sufficiently huge database that they were worth some real money to an Internet e-commerce world hungry for new names to spam in the hopes of selling something.  Microsoft would love to have a list of names like that too, for reasons you can probably imagine.  

Anyway, go ahead and fill in whatever you like into the name, e-mail, etc. fields.  It doesn't particularly matter what you put in here if all you're planning to do is to do remote support over a company intranet or the Internet.  Then click Next. 

You'll then see a wizard panel asking if you would like to use a directory of NetMeeting users.  I talked about this a couple of paragraphs back.  If you only communicate with a group of co-workers or friends, then I can't see the point in this, but it's your call.  After all, I'm sure Microsoft doesn't sell these names ... hee hee hee ... oops, sorry, I had to pick myself up off the floor there ... okay, I'm all right now.  I un-check the box that says "Log on to a directory server when NetMeeting starts," and check "Do not list my name in the directory," and the chances that they'll get your name to spam you are reduced.  Then click Next.

NetMeeting adjusts its quality based on your connection speed, and does a pretty good job of it.  Believe it or not, you can actually do very basic videoconferencing on a 28.8 Kbps connection!  Choose the connection speed that best describes how you'll connect.  (You can always change this later.)  Click Next and NetMeeting will ask if you'd like to put NetMeeting icons on your desktop and Quick Launch list.  Indicate your preference and click Next.

Assuming that you have a sound card, the next few NetMeeting startup wizard panels let you adjust the output sound and the input gain on the microphone.  Click Next to let it run the tests.  Even if you'll never use your speakers and microphone, you've still got to run these next few panels.  When they're finished, you'll see the Finish button; click it to finish the initial NetMeeting setup.  If you have a videoconferencing camera (or even a movie camera connected to a video capture board) then NetMeeting will ask if you want to use it to send video.

NetMeeting will then start up for the first time.  That was a bit of a lengthy wizard, but you've only got to run it once.  To change any of the options that you selected in the Wizard, click Tools/Options on the NetMeeting menu.

Setting up Slave to Allow a Remote Computer to Control It

Slave's got NetMeeting running now, but won't yet allow other machines to take control of it.  Set that up like this.

Click Tools/Remote Desktop Sharing...

Another wizard starts up; click Next to get past its initial screen.  The next screen tells you that anyone wishing to connect to this machine and control the machine remotely must be an administrator; click Next once you've read the message.  The next panel lets you set up NetMeeting with a password-protected screen saver.  The idea is that if you're sitting at some distant computer (Master), use RDS to control this computer (Slave), forget that you're controlling Slave from Master, and walk away, then someone could sit down at Master and have free rein of Slave.  Using a password-protected screen saver means that anyone sitting down at Master after some period of inactivity would be unable to do anything with Slave without re-entering the password of your administrative account.  Choose which you prefer and click Next.  Then click Finish.

Listening for Incoming Calls

Look in your system tray and you'll see a small icon that looks like a globe; that indicates that NetMeeting is ready to receive an incoming call.  But that's only a NetMeeting call -- that is, a voice-and-perhaps-video connection.  Slave is still not ready to accept remote control.  Shut down the NetMeeting window and then right-click the NetMeeting icon in the system tray.  On the context menu that results, choose "Activate Remote Desktop Sharing."  Now you're ready!

Setting up Master to Control Slave

Now let's set up another computer called "Master" that will remotely control Slave.  Set up NetMeeting on Master, running through NetMeeting's setup wizard. You needn't run through the Remote Desktop Sharing wizard.

Ensure that Master has connectivity with Slave -- pinging Slave is a nice simple way to check connectivity.  With the NetMeeting window open on Master, click Call/New Call...  A dialog box will pop up asking you who you want to call.  In the "To:" field, enter the IP address or DNS name of the Slave machine.  You must check "Require security for this call (data only)."  Then click "Call."

When Master finds Slave, you'll be prompted for an account name and password.  Enter the name and password of any account that Slave recognizes as an administrator and you'll see a window on your screen which is Slave's desktop.  You now remotely control Slave from Master.

The Readers Do My Job

As is often true, I learn as much from you folks as you've learned from me.  This month, some great tips from readers.

Killing More Processes with Task Manager

If you've ever tried to kill a process with Task Manager, then you've probably found that Task Manager often won't let you stop a basic system process like lsass.exe, claiming that you don't have the authority to kill that process.  Reader Robin Fagerlund of Sweden offers a workaround:  just use the AT command -- the scheduler -- to start up Task Manager, like so:

at sometime /interactive taskmgr.exe

This is an extremely clever solution; let's see how it works.  Processes in NT and 2000 run in the "context" of a particular user -- that is, if you start up Word, then whenever Word tries to access a file, of course the system checks Word's permission to access that file (assuming that you're accessing the file over a network -- which would require the proper share permissions -- or on an NTFS volume, which would require the proper file and directory permissions).  But "Word" isn't a user and so has no permissions of its own, so whose permissions does NT or 2000 use?  If you started Word, then NT or 2000 uses your permissions.  In effect, Word "impersonates" you.

In the same way, Task Manager normally runs in the guise of you, and low-level system processes don't respond to your request that they shut down, because you didn't start them.  Instead, an account called "System" did.  That's the genius of Robin's suggestion.  Anything running via the Command Scheduler runs in the context of the System account, not your account.  So let's suppose it's 9:30 AM.  If I type

at 9:36 /interactive taskmgr.exe

then I've told the Command Scheduler to start up an instance of the Task Manager a few minutes from now.  The "/interactive" switch is essential; without it, Task Manager runs in the background, which would render it unable to write to the screen or accept keyboard input.  Because the Scheduler started Task Manager, it runs as System, and the lower-level processes will respond to it.  It's a pretty neat hack -- but be sure to save everything you're working on before playing with this!

A Quick List of Windows 2000 Command Line Commands

A letter in response to another letter:

Greetings,
I noticed in the March newsletter that there was a request for all of the NT commands available under Win2K: "Fred Clausen of Australia asks why I discuss how nice it is that you can do more with the command line under 2000 and yet didn't include a command-line reference."

There actually is a command-line reference which is available from the basic NT help (Start - Help - navigate to Troubleshooting and Additional Resources and you will find Windows 2000 Commands under Additional Resources).  Just wanted to save you the time of recompiling the list :)

Thanks for all your excellent books.

Thomas Wismer
MCSE
Intellitech Informatics

Many thanks, Thomas!  Now I know where to get started for the Third Edition...

There's a Telnet server in Windows 2000 Professional, Too!

Ryan Klym illuminates an embarrassingly dark corner of my Windows 2000 knowledge (or lack of knowledge):

Mark:

I was reading the 2nd Edition of Mastering Win2K Server and noticed that on page 22, you mentioned that the telnet server only shipped with Win2K Server. This is untrue. Windows 2K Pro also ships with a built-in telnet server. Just wanted to let you know. Keep up the great work, I still think that "you da man!" Thanks again!

Ryan

Ryan A. Klym
Information Technology Manager
The Schumacher Group
Tel: 337.237.1915 ext 248
Fax: 337.572.8184

I tried it and he's 100 percent right, thanks so much Ryan.  Coupled with the power of Windows Scripting Host, this means that you can do some pretty cool remote control of a W2K Pro machine, even over a low-speed line.

Making RIS Completely Hands-Off

Mark

On page 185 of Mastering Windows 2000 Server you give a warning about the "Hands-Off" Riprep image. You can stop the click-Next "error" by adding the following line to riprep.sif: in the [GUIUnattend] section add OemSkipRegional=1. That does the trick.

This information incidentally came from the MOC course "Designing a Change & Configuration Management Infrastructure for Windows 2000 Professional", Course 1563, written for beta 3, Module 3 p43. Funnily enough MS don't mention it in any of the theory part of their courseware, just a little aside in one of the labs.

I hope that helps.....keep those books coming...I got a shelf full!

Regards

Jon Sabberton (MCT + MCSE)
Lead Trainer
Tech Connect Limited
Birmingham, UK

Thanks, Jon.  Actually, I had discovered that, as the Setup Manager under the final "RTM" version of Windows 2000 fixes this problem, but the book was to press by then.  (Windows 2000 Magazine readers can see my multi-part series on unattended 2000 installs starting in a couple of months.)  I appreciate the help!
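If you have more than one riprep.sif to fix, it helps to apply Jon's one-line change repeatably rather than by hand. The script below is an added example, not code from the newsletter or from Microsoft's RIS tools; it assumes a riprep.sif that is INI-like (as the [GUIUnattend] section implies) and uses a constructed sample file. It adds OemSkipRegional=1 to [GUIUnattend], corrects a wrong value, creates the section if it is missing, and leaves every other line untouched.

```python
"""Ensure a RIS riprep.sif sets OemSkipRegional=1 in its [GUIUnattend] section.

Added example (not from the newsletter).  The section and key names are the
ones Jon's letter quotes; the sample file contents below are constructed.
"""
import re

SECTION = "GUIUnattend"
KEY = "OemSkipRegional"
VALUE = "1"

# Constructed sample riprep.sif fragment, deliberately missing the key.
SAMPLE_SIF = """[Data]
floppyless = "1"
msdosinitiated = "1"

[GUIUnattend]
OemSkipWelcome = 1
AdminPassword = *

[UserData]
FullName = "Constructed User"
"""


def ensure_skip_regional(text):
    """Return (new_text, changed).

    A line-based pass is used on purpose: .sif keys are case-insensitive and
    values may be bare, quoted or '*', so a generic INI library could rewrite
    lines that should be left exactly as Setup wrote them.
    """
    out, in_target, seen_target, key_done, changed = [], False, False, False, False

    def close_section():
        # Leaving [GUIUnattend] without having seen the key: add it, keeping
        # any blank lines that separate this section from the next one.
        nonlocal changed, key_done
        if in_target and not key_done:
            blanks = []
            while out and not out[-1].strip():
                blanks.append(out.pop())
            out.append(f"{KEY}={VALUE}")
            out.extend(blanks)
            changed = key_done = True

    for line in text.splitlines():
        header = re.match(r"\s*\[(.+?)\]\s*$", line)
        if header:
            close_section()
            in_target = header.group(1).lower() == SECTION.lower()
            seen_target = seen_target or in_target
            out.append(line)
            continue
        if in_target:
            kv = re.match(r"\s*([^=;]+?)\s*=\s*(.*?)\s*$", line)
            if kv and kv.group(1).lower() == KEY.lower():
                key_done = True
                if kv.group(2) != VALUE:      # present but wrong: fix it
                    out.append(f"{KEY}={VALUE}")
                    changed = True
                    continue
        out.append(line)
    close_section()
    if not seen_target:                       # no [GUIUnattend] at all
        if out and out[-1].strip():
            out.append("")
        out.extend([f"[{SECTION}]", f"{KEY}={VALUE}"])
        changed = True
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    fixed, changed = ensure_skip_regional(SAMPLE_SIF)
    print("changed" if changed else "already correct")
    print(fixed)
```

Running it on the sample adds the key at the end of [GUIUnattend]; a second run reports the file as already correct.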

Recommended Knowledge Base Articles

Christopher Ard says that Q249346 "tells all" about installing Single Instance Store on any volume.  Dave Barcelou offers that Q250603 & Q254241 answered some questions about Internet Connection Sharing.  Thanks! 

Conferences This Month

I'm keynoting Win2000 Connections in Phoenix the evening of Sunday April 30 (www.winconnections.com).  I hope to see some of you there.  I'll also be attending the Windows 2000 Deployment Conference that Microsoft is running next week in New Orleans.

If you missed Mission Critical Software's Minasi Unplugged, a fast-paced Q&A about Active Directory and Windows 2000 migration, it's still available as a rebroadcast at http://webevents.broadcast.com/missioncritical/minasiunplugged/flash.html.

Until Next Month...

Please share this newsletter!  I'd like very much to grow this newsletter into a useful source of NT/2000 information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at 2500 subscribers and I aim to use this to get information to every single Mastering NT and 2000 Server reader.

Next month, I'll look at the Encrypting File System, an exceptionally cool way to make your files truly secure, even on a network, as well as answer your questions.  Thanks for letting me visit with you, take care, and get away from that computer for a bit and enjoy Spring!  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at help@minasi.com.

-- Mark

All contents copyright 2001 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.