Mark Minasi's Windows 2000/NT Newsletter

Issue #8 October 2000

To subscribe, visit To unsubscribe, link to Visit the Archives at



I'm Teaching in Philly in October, LA in November, D.C. in December -- And There Are More Cities To Choose

Last month, I announced that we'd put up a page where you could express interest in a two-day public Windows 2000 seminar.  We need 15 people at $1000 apiece to make a class worthwhile, so I was looking for nearly 30 "I'm interested" votes.

Philadelphia and Los Angeles registered the most interest, with Washington, DC as a reasonably close third, so Jennifer is hard at work putting together three public seminars.  They're two-day seminars based on the same outline as in my in-house class (the outline is at  There's lots of details that I didn't know when I wrote the Mastering book, so it's even worthwhile attending if you've read the book cover-to-cover, and I will teach the sessions -- no substitutes, I promise!  You can find out more at  Philadelphia runs October 30/31, LA runs November 1/2 and DC will be November 30/December 1.  

Additionally, many of you asked that we consider some other cities, including New York and the Bay Area, so I've included NYC and San Jose.  I've also added Minneapolis, Raleigh, St. Louis, and Boston.  As before, if you think that you'd be interested in attending a public seminar on 2000, please consider voting at

2000 Certification Trap

Be careful which 2000 tests you take!  Dan Balter wrote me recently asking if I'd heard that Microsoft would pull your certification if you try taking the single "all-in-one" 2000 certification test (70-240) after you've finished the four separate "core" exams for 2000, or if you try to take any of the four after passing the all-in-one 70-240 test.  You can have up to three of the four core tests completed before trying the all-in-one test, however, and you're still okay.  Microsoft pointed him to for more info.

Dan is the fellow scheduling the sessions for the Win2000 Connections ( Scottsdale conference next week -- which I hope to meet some of you at!

The "Linux for NT folks" Book is Printed

My new book Linux for NT/2000 Administrators:  The Secret Decoder Ring is finally off the printers and being trucked to a bookstore near you even as we speak ... or, I guess I mean "even as you read this" ... so it should be available in days.  Just got my advanced binding copy and it looks really good.  Check out my page at for a bit of "behind the scenes" about it.

Active Directory, Force-Fed

I had an interesting conversation the other day with an IT manager at a consulting firm that is a Microsoft Solution Partner.  (And no, I can't tell you who.)  He told me that Microsoft wouldn't re-certify his firm as a partner unless they had an Active Directory implementation plan done by the end of September 2000, and a complete roll-out a few months after that.  After I picked myself up off the floor, I started to wonder:  is this a pattern?  If anyone's got a story along these lines that they'd like to share, please pass it along.  I'd love to be able to tell this story publicly but don't want to burn any sources -- anyone's welcome to act as "deep background" but of course it'd be nice to be able to name a name or two.  Amazing, eh?  "This product's so good, we had to force our customers to use it!"  Odd, I don't seem to remember anyone being forced to upgrade to DOS 2.0 because it supported hard disks -- we all kind of did it without coercion.  Guess I'm just old-fashioned about marketing.

We Exceeded 5,000 Subscribers!

I'm very proud to note that we've got more than 5200 readers.  (Or at least, we do until I do this mailing and get the usual 200 "the mail server never heard of these people" messages, prompting me to delete them from the database.)  Thanks for the support and please consider passing this along to a colleague so that she/he might decide to join up!

New Web Site Design

There's only one Webmaster around MR&D -- me -- and I've got plenty of other duties, so I've never guaranteed that my Web site would be a work of HTML or state-of-the-art art.  But a couple of you -- Barry Jones and Lee Royalty -- nudged me into some redesigns, so if you visit then you'll see a new look.  Hope you like it; it's intended to work equally well for 640x480 all the way up to 1280x1024.  Many thanks to Barry and Lee.

Additionally, I have found (or actually RE-found, I go through this every time I do a Web page) that it's just about impossible to set up a page so that both Netscape and IE see it the same.  So let me say to the Netscapers that I've worked hard to make the site attractive and useful for you, but there's some things that just elude me, so accept my apologies when you see that the pages look a bit better in IE than in Netscape.

Tech Tips

In the late August/early September issue, I discussed two technologies that I think are pretty cool but that (I felt) had some limitations.  You folks kindly helped me out with fixes for those limitations -- so here are the fixes, and thanks!

There is a way to defeat Windows File Protection -- two, in fact!

Last month, I explained Windows File Protection and claimed that while it's a great feature, it can't be disabled.  Several readers wrote to tell me that you can disable Windows File Protection.  In the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, modify the REG_DWORD entry named SFCDisable and set it to FFFFFF9D.  Then reboot.  A reader sent me to a Web site called Ars Technica to find this out and I'm chagrined to say that I've lost his e-mail address -- mail me back and let me give credit next issue, and thanks!

Fellow techie teacher/writer guy Jeremy Moskowitz (who you'll also meet if you're in Scottsdale) told me that there's a less drastic approach.  Let's suppose that you've got a program called MYAPP.EXE which lives in D:\NEWAPP.  Let's also say that MYAPP absolutely must use a modified version of the basic system library called COMDLG32.DLL.

Now, ordinarily, the installation program for MYAPP would just merrily overwrite the copy of COMDLG32.DLL in the \winnt\system32 directory with MYAPP's version.  So MYAPP works great, but some other apps might not be so happy.  That's just the kind of thing that caused Microsoft to add Windows File Protection in the first place.  But if MYAPP absolutely must have its own COMDLG32.DLL, then what to do?  Well, as it turns out, it's possible to tell W2K to let a particular application have its own private version of some system DLL, EXE, SYS, or OCX file, without screwing up the entire system.

  1. Put the modified system file (COMDLG32.DLL, in my example) into MYAPP's directory, D:\NEWAPP.  
  2. Create a file in the NEWAPP directory with the application's name and the extension ".local" -- in this case, that means create a file named MYAPP.EXE.LOCAL, in the NEWAPP directory.  That file should be zero bytes long.

That's it -- now 2000 will look for DLLs for MYAPP first in the same directory as MYAPP.EXE.  A neat trick, and many thanks to Jeremy!
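If you want to know where this trick is in use on your machines, here is an added example (not from the newsletter or from Jeremy) that walks a directory tree, finds .local marker files, and lists the system-named files sitting beside them.  The function names, the sample tree and the two-entry system file list are constructed for illustration.

```python
import os
import tempfile

# Extensions the newsletter names as redirectable system files.
REDIRECTABLE = (".dll", ".exe", ".sys", ".ocx")

def find_local_redirections(root, system_names):
    """Find <app>.local markers under root and the private system-file copies beside them.

    system_names: file names present in the system directory (for example a
    listing of \\winnt\\system32); compared case-insensitively.
    """
    system = {n.lower() for n in system_names}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for lower, marker in sorted(by_lower.items()):
            if not lower.endswith(".local"):
                continue
            app_lower = lower[:-len(".local")]  # MYAPP.EXE.LOCAL -> myapp.exe
            shadowed = sorted(
                name for low, name in by_lower.items()
                if low in system and low != app_lower and low.endswith(REDIRECTABLE)
            )
            findings.append({
                "marker": os.path.join(dirpath, marker),
                "app_present": app_lower in by_lower,
                "marker_size": os.path.getsize(os.path.join(dirpath, marker)),
                "shadowed": shadowed,
            })
    return findings

def build_sample_tree(root):
    """Constructed sample mirroring the newsletter's D:\\NEWAPP example."""
    layout = {
        "NEWAPP": ["MYAPP.EXE", "MYAPP.EXE.LOCAL", "COMDLG32.DLL", "HELPER.DLL"],
        "OTHERAPP": ["OTHER.EXE", "COMDLG32.DLL"],  # no .local marker here
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "wb").close()  # zero-byte placeholders

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in find_local_redirections(tmp, ["comdlg32.dll", "kernel32.dll"]):
            print(finding)
```

On a real system, pass the actual file listing of the system32 directory as `system_names`; a marker with a non-empty `shadowed` list is an application running its own copy of a system file and worth tracking at patch time.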

You can use $OEM$ features in RIS after all

I also said last month that while RIS can do a bunch of cool things, it could not exploit the convenient features that an automated install using the $OEM$ features could accomplish.  Shawn Frye of SmithKline Beecham wrote to tell me that RIS installs can indeed use the $OEM$ features.  The trick, Shawn explained, was not to place the $OEM$ folder inside I386 as you normally do, but instead at the same directory level as I386.  So, for example, if I had an I386 image on a RIS server in a directory named D:\RemoteInstall\Setup\English\BASIC2000\I386, then I'd also create a directory named D:\RemoteInstall\Setup\English\BASIC2000\$OEM$.

The tip works perfectly -- I've been able to roll out RIS images with all of the terrific $OEM$ functions in place.  Well worth some investigation if you're rolling out servers by the truckload.

Changing Operations Masters

Reader Andy Herrero wrote to ask how to move Operations Master roles.  Here's some background on Operations Masters, why you care, and how to change them.

To centralize user accounts, NT 4.0 relied upon a single domain controller with a read-write copy of the SAM (the file that contains user accounts).  The other DCs were read-only and so could handle logins and authentication (which doesn't require modifying the SAM) but couldn't help with SAM changes like resetting passwords.  Windows 2000 improves upon that with the notion of "multimaster replication," which gives every domain controller a read-write copy of the Active Directory's version of SAM.  (It's actually not called SAM any more, it's now NTDS.DIT.)  Despite that multimaster nature, however, 2000 still has a few centralized roles -- server functions that cannot be distributed.  These functions reside on one computer, making that computer what Microsoft once called a "Flexible Single Master Operator" (FSMO) but more recently renamed as an "Operations Master."  There are five Operations Master roles:

You have a RID, PDC, and Infrastructure FSMO for each domain, rather than just one for the entire forest.  By default, it's the first DC that you create in a new domain.  You can change the RID, PDC, or Infrastructure FSMOs with the Active Directory Users and Computers tool.  Open ADUC and right-click on the icon representing the domain and choose "Connect to Domain Controller...," then choose the DC that you want to become the new FSMO.  Once again, click the domain's icon and choose "Operations Masters..."; you'll get a property page with a tab for each of the three FSMO roles.  Click the appropriate tab and click "Change..." to move the FSMO role to that domain controller.


If you're looking for a good source of information about Windows 2000, then please consider attending one of the conferences that I'll be speaking at in the next few months.

Windows 2000 and Exchange Connections in Scottsdale, AZ October 4-7

Another great conference and well worth considering. The Connections folks took the formula that succeeded so well this spring and have added Exchange 2000 content to create a great conference focused on helping administrators get their jobs done more quickly and easily. In addition to keynoting with a brand-new talk called "The Ten Best and Worst Things About Windows 2000," I will be doing sessions on DHCP, DNS and WINS under Windows 2000, explaining the basics of Active Directory planning, and providing an overview of Intellimirror. More information's at

Fastlane Presents DM/World October 23-25 in Toronto

You may know Fastlane for its directory migration tools, but did you know that they also run a great NT/2000 conference? "Winning Strategies for Planning, Designing and Implementing Large Scale Directory Management Solutions" happens at Toronto's Four Seasons hotel, so I'll have to remember to keep the pinkies out when sipping tea. I'm doing my "Windows 2000 Report Card" talk, and my fellow Windows 2000 Magazine writers Sean Daily and Paula Sharick will speak on a variety of topics. My U.S. readers should plan to join us in Toronto because remember -- your Yank dollars go further up north! Find out more at  

Comdex Vegas

This year's Comdex in Las Vegas (yeah, like I had to tell you where they run Comdex) will include a Windows 2000 mini-conference run by the one and only George Spalding. George has kindly asked me to do two talks -- my DNS for 2000 talk and my Active Directory concepts talk. If you're going to be in Vegas this year, please consider attending George's show and my talks.

Bring Mark to your site to teach

I'm keeping busy doing Windows 2000 seminars, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2000 techies.  Find out more at

Until Next Month...

Please share this newsletter!  I'd like very much to expand this newsletter into a useful source of NT/2000 information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at more than five thousand subscribers (heck, I didn't even know that many people read my books!) and I aim to use this to get information to every single Mastering NT and 2000 Server reader. Thanks for letting me visit with you, and take care!  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at


All contents copyright 2001 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.