Mark Minasi's Windows 2000/NT Newsletter

Issue #11 February 2001

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm.

What's Inside

News

Hi --

I can't speak for anyone else, but I'm getting tired of this winter.  According to the US Weather folks, November and December 2000 were the coldest ones in the US since they began keeping records, and apparently January was up there as well.  So you won't be surprised to hear that I greatly appreciated the jobs that took me to Orlando and southern California recently!  While in Orlando, I had the good fortune to be able to watch the Space Shuttle take off in a picture-perfect scene:  the sun had just set, the moon just risen, and the Shuttle launched just the right of the moon, seeming to arc over it to the left as it ascended.  The sight of the sunset and the Shuttle's contrail impressed me enough that I took a snapshot of it (although not a good one); if you're interested, take a peek at www.minasi.com/shuttle.jpg.  (The small cloud in the upper left-hand corner was the remainder of the blast as the Shuttle disconnected from its booster engine.)

Not a dull tech month, eh?  We finally found out Whistler's "official" name -- XP -- now all we need is some code.  And speaking of code, some Dutch hacker decided to make things lively for network support folks with yet another childish VBScript e-mail virus.  He apparently turned himself in and my guess is that he'll probably get the same dire punishment as the other virus writers, no doubt a STERN talking-to.  Maybe even a slap on the WRIST!  Makes me wish the guy were caught in Singapore; at least we could watch the caning on the Internet, streamed off someone's site.  Personally I didn't fall for it -- at this point I always mail people back to check that they intended to send me a VBScript -- but I got about a half-dozen of them that day.

As I write this, I've just finished shepherding Mastering Windows 2000 Server, 3rd Edition through the printing process.  It's now at the printers and between printing, binding, shipping and stocking it looks like it'll hit the stands around the third week of March.  More on that next month.

US Public Seminars:  Austin, Denver, Chicago, Kansas City, Tampa, Atlanta, Detroit, Minneapolis, NYC, Pittsburgh, Irvine, San Jose

The Austin and Denver Mastering Windows 2000 Server seminars run next Monday-Thursday, and many thanks to those of you who signed up.  We should have some great sessions!  Austin enrollments are closed but we're taking Denver registrations through Friday the 15th.  The following week, I'm in Chicago... but not Kansas City, unfortunately; we had to cancel that one.  March brings me to Tampa, Atlanta, Detroit, Minneapolis, New York (well, Mahwah NJ, actually) and Pittsburgh.  I hope you'll consider joining me for a seminar near you.  You can find out more at www.minasi.com/pubsems.htm and you can see past attendee reviews as www.minasi.com/2krevs.htm.  I promise an entertaining, informative two days; sort of Mastering Windows 2000 Server, Third Edition ... the live version.

Seminars Coming to Montreal, Toronto, Dallas, St. Louis, Boston for June/July -- IF We Can Find Locations!

Our next seminar line-up will be Montreal and Toronto (many thanks for the interest from those towns!) as well as Dallas, Boston and St. Louis.  It is a major pain finding hotels that will take small sessions, so may I ask that if you know of a good facility in one of these towns that takes small meetings (under 50 people) that you forward that info to me?  I've already gotten one great suggestion for Dallas, any others would be greatly appreciated!

Tech Section:  Notes On Windows NT To 2000 Migration

I get several Win2K-migration related questions very frequently.  Here's an brief overview of some frequently-asked questions.  ("Brief" because you can write entire books on the topic.)

You Can Use 2000 Without Migrating

Before getting into the migration options, I should point out that there is the "don't" option for migration, even if you decide to put Windows 2000 in your network.  There's absolutely nothing stopping you from putting Windows 2000 Professional workstations or Win2K Server member servers on an NT 4.0 domain.  They will happily be members of an NT 4.0 (and, as far as I know, although I've not tried it, an NT 3.51) domain.

You cannot, however, install a Windows 2000 Server as a backup domain controller on an NT 4.0 domain.  If you want to use 2000 but stay with an NT 4.0 domain, then, you can only install 2000-based workstations and member servers.

Unlike Birds, NT Users Have Two Migration Directions

If you want to move from a Windows NT 4.0-based domain to a Windows 2000 Active Directory domain, then you've got two options -- an "in-place upgrade" or a "clean and pristine" upgrade.  In short, here are the differences.

In-Place

With an in-place upgrade, you install Windows 2000 to your NT PDC -- it must be the PDC! -- as an upgrade.  The complete Windows 2000 install happens as usual.  Once 2000 is completely installed, it boots for the first time.  You log in as an administrator and, once you do, the system automatically starts the "Active Directory Installation Wizard."  The Wizard asks where you'd like to place your new Windows 2000 AD domain (as a new forest, a new tree in an existing forest, a new domain in an existing tree?), what you'd like to name it, and so on.  If you've ever run the Wizard before -- which you may also know as DCPROMO -- then the whole experience will look familiar, except for one thing:  it won't ask you for a NetBIOS name for the domain, as you'll retain the existing one.  The Wizard then converts your current NT 4.0 domain, which is stored in a file named SAM, into an Active Directory database, in a file named NTDS.DIT.  Result:  instant Active Directory.

The domain is in "mixed mode," which means that your newly-upgraded Windows 2000 AD domain controller can employ any existing NT 4.0 backup domain controllers.  Mixed mode is good because it lets you keep those NT 4.0 BDCs as NT 4.0 BDCs for as long as you like; you needn't upgrade them immediately.  Mixed mode is bad because it limits what you can do with AD -- universal groups and multimaster replication will not work until you shift your domain from mixed to "native" mode, and you can't go to native mode until you've shot the last NT 4.0 domain controller in the head.  Mixed mode also brings an odd side-effect if you have any Windows 2000 Professional workstations or Win2K member servers in your network.  Previously, those Win2K machines would go to any domain controller to log on (remember that NT and 2000 machines can be members of a domain just as users can, and so need to log onto the domain); but once those 2000 boxes sense the presence of a domain controller that is also running Windows 2000, then they will only go to that machine to log on, which might make that 2000-based DC a bit busy first thing in the morning.  Therefore, plan to upgrade more than one domain controller as quickly as possible!

But for safety's sake, some people like to hedge their bets before doing the upgrade.  They synchronize an NT 4.0 BDC and then just shut it off.  In extremis, you could always take down the Windows 2000 domain controller, bring up the NT 4.0 BDC, and promote the BDC to PDC, then force the remaining BDCs to flush their SAMs and synchronize with the newly-promoted PDC's SAM.

Clean and Pristine

In-place upgrades are good, but they stir the paranoid in many of us.  Consider Microsoft's problem in building a Setup program for Windows 2000, or, rather, Setup programs for Windows 2000, because there are at least two.  One Setup program puts 2000 on a "fresh" PC, a box with an empty hard disk -- a so-called "clean install."  Another Setup program puts 2000 on a box that is already running NT 4.0, without disturbing the NT operation's settings -- in other words, an upgrade.  These are really two different jobs, and Windows 2000's Setup program handles them both.  But consider:  which job is harder.  That is, which of these two faces of Setup are more likely to be buggy?  It's really an easy question -- the upgrade routine.  For this (and other reasons as well), some people adopt a different approach to a Windows 2000 migration, called "clean and pristine."

The idea with clean and pristine is this.  Get a few more new machines.  Install Windows 2000 Server on them.  Then run DCPROMO to make them domain controllers.  When DCPROMO asks where to put the new domain -- in a new forest, new tree in an existing forest, or new domain in an existing tree -- tell it to create a brand-new forest.  Convert the domain to native mode immediately.  Now you've got a fully functional Windows 2000-based Active Directory domain.

There's nothing in that domain, but you have a domain nonetheless.

Next, use the new Windows 2000 version of the NETDOM.EXE command to create a two-way trust relationship between your existing NT 4.0 domain and your new Windows 2000 AD domain.  Then just copy all of the user accounts, directory shares, applications and the like from the old NT 4.0 domain to the new AD domain.

"HEYWAITAMINUTE!" I hear you cry.  "Just how do I do that account copying thing?"  That's the bad news.  You need a tool called a "migration tool" that will do that kind of thing.  In general they cost a fair amount of money -- see Fastlane's DM/Manager tool, or NetIQ's Domain Migration Administrator, or Entevo and Aelita have products as well.  (Disclosure:  I own NetIQ stock and both Fastlane and NetIQ are clients of mine.)  Or you could download Microsoft's Active Directory Migration Tool from their Web site.

Why do a C&P?  A clean and pristine migration is more work, requires more machines, and often means that you must buy some software.  As I said, there is really just one major reason:  it gives you a fallback position.  You copy the user accounts from the NT 4.0 domain, not MOVE them.  That means that the users can either log onto their new 2000 AD user accounts or just logon using their old NT 4.0 accounts.  You'll of course tell them to use their new accounts.  But if you find a few weeks into the process that AD's not for you, then you can always return to the NT 4.0 accounts.  And I suppose there's another reason -- you're building a clean, new directory, rather than one built out of an old SAM that just might have some leftover garbage from some previous NT issue.

Well, there's one other big reason -- domain consolidation.  As you can copy users/machine accounts/etc from one domain to another, you can use a migration tool to consolidate a bunch of old NT 4.0 domains into a single Windows 2000 Active Directory domain.

"I Haven't Migrated Yet But I Have This New Machine..."

I get this question about twice a week.  It goes something like this:  "I'm about to upgrade our NT 4.0 domain to an Active Directory.  I just received a four-way Dell PowerEdge server with 2 GB of RAM and I want it to be my PDC on the new domain.  How do I do that?"   As you can see from the previous discussion, there are two possible answers.

First, you might be doing a clean and pristine upgrade.  If that's the case, then just do a clean install of 2000 Server on the box, run DCPROMO to create the new domain, get a migration tool and start migrating.

Alternatively, you may want to do a simple in-place upgrade with the new server.  In that case, the process is also simple.

First, install NT 4.0 on the new system and tell Setup that you want the new box to be a backup domain controller on your existing NT 4.0 domain.

Then, once the new BDC is up and running, use Server Manager to promote it to PDC.

Once the new server is a PDC, install Windows 2000 and do an in-place upgrade.

Reader Tips and Questions

SYSDIFF Really Does Work for 2000

One Amazon reviewer with better typing skills than his research skills beat on the Server book because it refers to SYSDIFF, which the reviewer claimed didn't work on 2000.  Reader Brian Nottle offered me this link: http://www.microsoft.com/WINDOWS2000/library/resources/reskit/tools/hotfixes/sysdiff-o.asp ; yes, Virginia, 2000 DOES have a SYSDIFF.  (I like WININSTALL LE better, but it's still great info, thanks Brian!)

Providing TCP/IP Options Via RAS and DHCP

When people dial into your RAS/RRAS server, then they often get an IP address and subnet mask but not the other stuff -- WINS and DNS server address, Network Neighborhood info, and the like.  Mr. J. Burton of Skidmore College passed along Knowledge Base article Q232703 which reminds us that if you make your RAS/RRAS server a DHCP Relay Agent then your RAS clients will get all of the TCP/IP scope options passed to them.  (Great tip, many thanks!)

File Permissions Errata

Raffaello Giulietti  offers the following errata about the Second Edition of 2000 Server:

On page 553, "Table 9.1: Atomic and Molecular Permissions" has an error.  Atomic "Read Permissions" must not belong to molecular "Write," and  Atomic "Change Permissions" must belong to molecular "Full Control."

Thanks Raffaello!

Removing Accessories Via Control Panel in Windows 2000

I forget if I've included this tip before.  As you know, you can't just go to Control Panel and remove the games, accessories, etc. via Windows Components.  Several readers have sent me the way to re-enable Control Panel's control in this matter.  Here's Howie Daugherity's, but again I've gotten this tip from several readers -- my thanks to them all.

Open up %windir%\inf\sysoc.inf, and remove the word HIDE from all entries underneath the line "old base components" in the [Components] section (leave the commas alone).

Here's what your modified lines should look like: 

; old base components 
Games=ocgen.dll,OcEntry,games.inf,,7 
AccessUtil=ocgen.dll,OcEntry,accessor.inf,,7 
CommApps=ocgen.dll,OcEntry,communic.inf,,7 
media_clips=ocgen.dll,OcEntry,mmopt.inf,,7 
MultiM=ocgen.dll,OcEntry,multimed.inf,,7 
AccessOpt=ocgen.dll,OcEntry,optional.inf,,7 
Pinball=ocgen.dll,OcEntry,pinball.inf,,7 
MSWordPad=ocgen.dll,OcEntry,wordpad.inf,,7

Then, when you go to Add/Remove Programs, Windows Components, you'll see Accessories and Utilities. Go to Details for that component, and you'll see Games. Go to Details again, and you'll see the games!

Conferences

I hope you'll join me for a seminar but if you can't attend a class then please consider attending one of these conferences:

Spring Comdex Chicago 3-5 April 2001

My buddy George Spalding and I had such a great time in Comdex Vegas that we're doing it again in Chicago for Spring Comdex. Get the skinny on 2000 (and Whistler!) from George, me, and some great speakers including my co-authors Christa Anderson and Doug Toombs. Info at www.comdex.com.

WinConnections in Monterey May 8-11

The same folks that brought WinConnections 2000 twice in Arizona last year are returning but this time in Monterey.  I'm doing a general session as well as a variety of other topics.  Find out more at www.winconnections.com.

InterWorks 2001 in San Francisco May 6

The Interex guys, the people who put on HP World, have hired me to do an all-day pre-conference tutorial in San Francisco on Sunday, May 6 on the topic of Active Directory at their InterWorks 2001 conference.  Information at http://www.interex.org/conference/iworks2001/index.html.

Canada Comdex Toronto July 12

George and Mark visit Our Neighbor To The North to do a one-day soup-to-nuts program as part of the Toronto Comdex show.  No URL yet, although it'll eventually be on the www.comdex.com site.

Bring Mark to your site to teach

I'm keeping busy doing Windows 2000 seminars, but I've still got time to visit your firm  In just two days, I'll make your current NT techies into 2000 techies.  Find out more at www.minasi.com/w2koutln.htm, mail Jennifer Williams at jennifer@minasi.com, or call her at (757) 426-1431 (between 1 and 5 Eastern time, weekdays, please).

Until Next Month...

Have a great month -- thank God we're halfway through February, can't wait for those daffodils -- and be sure to write your Congresscritter about the proposal to award tax credits for attending technical seminars (just kidding).   Please share this newsletter; I'd like very much to expand this newsletter into a useful source of NT/2000 information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at more than seven thousand subscribers (at least until I clean out the "dead addresses" file) and I aim to use this to get information to every single Mastering NT and 2000 Server reader. Thanks for letting me visit with you, and take care!  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at help@minasi.com.

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm.

All contents copyright 2001 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.