Mark Minasi's Windows 2000/NT/XP Newsletter
Issue #23 May 2002

To subscribe, visit To unsubscribe, link to To change e-mail address, switch between HTML or text format, etc., link to  Visit the Archives at  Please do NOT reply to this mail; for comments, please link to  Document copyright 2002 Mark Minasi.

What's Inside


Hello all --

Things are looking up; the audio seminar recordings are finally out and selling briskly, I'm working on a one-day XP support class and making progress on the second edition of the Linux book.  In the tech section, you'll find some Active Directory troubleshooting -- learn how to keep your domain controllers from grinding their floppies, some more on DNS/AD troubleshooting, a free network sniffer, and a few other interesting items.

Audio Seminars are Here!

Back in November, I announced that I'd prepare and sell a version of my two-day seminar recorded onto CDs.  After much work, it's finally done and ready for sale.

The idea is that if you can't afford a $1000 seat in a seminar or can't travel to a seminar then for US$225 ($125 if you've attended the seminar in the past) I'll ship you ten audio CDs and a 200 page book filled with PowerPoints that back up the lecture on the CDs.  You can then learn at your own pace or while doing other things -- listen while commuting, exercising or whatever.

The outline of the audio seminar is almost exactly the same as the two-day class.  The flow's a bit different because clearly I can't do demonstrations in an audio CD in the same way that I can in a live class.  So I've reworked the demonstrations with screen shots in the Audio Companion book to bridge that gap.  But I think that one of the biggest selling points in this package is in the cross-indexing; permit me to explain.

Once I had the lecture in digital WAV format, I realized that I couldn't just dump it onto CDs; it needed to be organized into smaller chunks.  So my buddy Gary Masters, who worked like a dog to assist getting the whole project done, went through the files and broke them up into roughly ten-minute segments.  We then laid down those ten-minute segments onto CDs as audio tracks.

But what good is a segmented presentation without a way of finding your way around it?  I had numbered every PowerPoint slide and referred to the number in the lecture, so that if you're listening to some discussion of Offline Files and the lecture refers to slide number 238 then it's easy to find the corresponding PowerPoint slide in the Audio Companion.  But that only lets you refer from some random point in the lecture to a page in the book, which might not be what you need to find something.  So I compiled a table of contents listing each track on each CD, as well as a description of what I discussed in each ten-minute track, as well as the range of PowerPoint slide numbers covered in that track.  You can see that table of contents at

But that's not all.  Each CD has the track list and the range of slide numbers covered on each track printed on the CD.  And, finally, I went back and added a note to every PowerPoint slide telling you where to find the lecture associated with it so that if you're paging through the Audio Companion and see something that looks interesting, then you'll see on that slide a notation telling you where to find it on the CDs.  For example, suppose you were looking at a PowerPoint slide labeled V4/T2; that would mean that you can listen to the lecture associated with that slide by playing the second track (T2) on the fourth CD (V4).  Thus, you can use this audio seminar not only as a continuous start-to-end lecture series, you can also easily refer back later to any point that you need a refresher on.

I hope you'll consider picking up a copy of the audio seminar package.  There's more information at  Thanks.

Seminars for the Rest of 2002: Chicago and Denver in June, Dallas in July, Atlanta/Boston/DC/NYC in September, New Orleans and Tampa In November

I know that training bucks are tighter -- that's one reason we created the audio seminar -- and so this year we put together the whole 2002 seminar schedule all at once so that you can see at a glance where we'll be throughout the rest of 2002.  

Those are all the publics we'll be running this year, so if you'd like to get to one of my seminars then please plan to join us for a session.

Our two-day Windows 2000 seminars have been a lot of fun and the attendees have been great.  Built atop the Fourth Edition, we add coverage of things even more up-to-date than that edition.  Visit to see specific session dates and locations, seminar outline, and how to sign up.  

NOTE that every attendee to the seminar receives a copy of the new Fourth Edition of Mastering Windows 2000 Server!

New Series Book:  Windows 2000 Enterprise Storage Solutions

Sybex's "Mark Minasi Windows 2000 Series" has a new member:  Windows 2000 Enterprise Storage Solutions.  I felt that the market needed a good book that focused on the specifics of storage, from the basics -- NTFS 5.0 enhancements, Removable Storage Manager, and EFS -- to the more complex, like Storage Area Networks, Network Attached Storage (SAN and NAS), RAID, cluster file systems.  But I felt that it needed more than just coverage of the basic operating system, so the book includes a chapter on Exchange backup and recovery and SQL backup and recovery.  

The problem was finding someone who understood all this stuff.  I was fortunate to meet Peter Bruzzese, who at the time was an instructor for CommVault, an enterprise storage vendor, teaching people how storage technology worked and how they could use it to make their networks run better.  Peter's presentation style is energetic, enthusiastic and, perhaps most important, clear -- he takes tough subjects and makes them childishly simple to understand.  Peter had authored several other books with a colleague, Chris Wolf, so I asked them if they'd like to take on enterprise storage.  They jumped at the chance and produced a great book.

At about 450 pages, this is a quick and informative read.  If you need to get smart on storage issues then I don't think you could find a better text than Windows 2000 Enterprise Storage Solutions.  Find it at Amazon at  

Be VERY Careful Before Buying the Fourth Edition From Amazon!

Speaking of Peter Bruzzese and Amazon, I was talking to Peter today and he commented that the sales rank of Mastering Windows 2000 Server was in the mid-hundreds at Amazon.  I was surprised because the last time I looked it was at a lackluster 2600 or so.  That's when I realized that Amazon is once again out to lunch.  If you search for "Mastering Windows 2000 Server" then they will point you to the THIRD edition, which apparently they are still selling.  (grumble grumble grumble...)  My advice is to either buy it at Bookpool (, Readme.Doc (I referred to them last newsletter), or use this link to get it from Amazon:; that will take you to the Fourth.

Enough marketing for one newsletter, let's do the techie stuff...

Tech Section

Troubleshooting "the domain does not exist or cannot be contacted," Or:

What to Do When You Can't Get the Second Domain Controller to DCPROMO

The other day, a friend complained that he'd started having trouble with his back while running.  Without thinking, I said "check that your DNS server is configured correctly."  

Well, okay, I'm kidding, I didn't really say that.  But I think it might not be all that long before I do answer every troubleshooting question that way.  Or at least every Active Directory-related question, because it seems that a very significant percentage of my reader troubleshooting questions boil down to simple DNS problems.  I know that I've written about this before, but I keep getting so many letters about problems that people are having in setting up their ADs that in this article I'm going to put the solution in cookbook form, and then offer some insights.

The Problem

Jack wants to set up an Active Directory to create a domain named  He's not 100 percent sure if he's got the DNS set up right, so he decides to just go for it and run DCPROMO on his first Windows 2000 Server.  It seems to set up correctly, creating the first domain controller.  So far, so good.

But then Jack tries to create a second DC for his domain.  He runs DCPROMO and when he tells DCPROMO that he's creating a new DC on an existing domain, then DCPROMO asks him what account to use -- in other words, it's saying, "show me that you have an account with administrative powers on the existing domain."  So Jack punches in the name and password of the administrator for

DCPROMO thinks about it for a minute and pops up a dialog box saying "The domain does not exist or cannot be contacted," and stops.

Jack would see something like this -- not the same exact error message, but a similar one -- when he tries to join a workstation to his new domain.  What causes this?  DNS.

What Really Happened

In both cases -- adding another DC or joining a domain -- you've got to log onto the domain to establish your credentials.  But you can only log on via a domain controller, so your computer must first find a DC to log you on.  And how do machines find DCs under Active Directory?  With DNS: every DC registers SRV records for itself in the domain's zone, and the client looks those records up.  Incorrectly configured DNS, then, is often the root of larger problems.

How to Set Up DNS So Things Always Work

With that intro, let's move to the cookbook.  Follow these steps and you can be assured that any problems aren't DNS problems.  This assumes that you will be doing "split-brain" DNS, where you'll keep a separate set of DNS records for use in your AD's domain than your public DNS records.  For example, suppose already exists and has its DNS presence hosted on some Unix server on an ISP somewhere.  Now they want to do Active Directory and create an AD domain called  As AD needs DNS to rely upon, SOME server must host a dynamic zone with's name on it.  Must Bigfirm snatch back its zone from the ISP?  Certainly not.  Let the publicly visible zone for remain on the ISP -- it's only got a few records in it anyway, probably for and Bigfirm's mail servers.  No, instead we'll keep what I think of as "two sets of books" -- the public ones on the ISP, and a richer set inside our intranet.

  1. Building The First DC
    1. Let's call the server that will be the first DC "DC1." Install the DNS server on DC1 and create a zone Set it to accept dynamic updates.  (Look in Chapter 7 of the Third or Fourth editions for details on setting up DNS and zones.)
    2. Re-type any records into the zone on DC1 that would be visible to the outside world.  In other words, if bigfirm has a Web site named at then be sure to include a host name record "www" with that IP address -- otherwise no one inside Bigfirm will be able to find Bigfirm's Web server!
    3. Configure DC1 so that the only DNS server it ever refers to is itself -- set its "preferred DNS" IP address to its own address, and do not configure any alternate DNS servers.  Odd as it sounds, the mere fact that DC1 is now running a DNS server and hosting a zone does not cause DC1 to look at its own DNS server or zones.  (That's because there are two separate programs here -- the DNS SERVER and the DNS CLIENT -- and the client software isn't automatically told that a server exists on the same computer.)  Many people set up their test servers to get their IP information from DHCP, or connect them to a cable modem or DSL line, which hands out IP information with DHCP.  Either way, you end up with a soon-to-be first DC that looks for DNS information not at itself but at some DNS server at an ISP or a big corporate site, and that defeats the whole purpose of creating a second set of books:  sure, DC1 now has a nice zone that it can do with as it pleases, but no one, INCLUDING DC1 ITSELF, will ever ask the DNS server running on DC1 for its opinion on names in that zone.  Remedy that by hard-wiring the first DC to refer to itself for DNS queries.  (If you don't know how to configure a TCP/IP stack in 2000, refer to Chapter 6, Third or Fourth editions.)
    4. Let me re-iterate:  DC1 should ONLY refer to itself for DNS.  Type IPCONFIG /ALL and verify that the list of DNS servers that DC1 uses includes only the IP address of DC1.
    5. Now run DCPROMO and set up's domain.  (Look in Chapter 8, Third/Fourth Editions, if you don't know how.)  If you get an error from DCPROMO saying something like "The wizard could not contact the DNS server...," then STOP.  The wizard will offer to set up DNS for you -- which is probably what it did for Jack -- but never do that; the error message is an indication that DNS isn't set up right.  Stop DCPROMO.  Open a command line and type "ipconfig /flushdns."  Then type "nslookup" and then "set type=soa," and finally "" (or whatever you call your domain).  You'll get several lines of output, one of which identifies the "primary name server."  That had better be DC1.  If not, then go back and follow the steps outlined so far.  Check that you set the zone to dynamic -- they are not dynamic by default.
    6. You're probably saying to yourself, "hey, I already did this once, or at least some of it.  I got that 'couldn't contact the DNS server' message and let it set up DNS, and everything turned out fine.  I've been using that computer in my test domain as my only DC with no sweats even though it HAS been looking to my ISP's DNS server as its preferred DNS server."  When you tell DCPROMO to go ahead and create a DNS zone, then DCPROMO sets up DNS on the server and creates the zone, writing the new AD records to that zone.  The problem is that once you reboot, your computer -- DC1 -- is back to looking to the ISP's DNS server, and ignoring itself.  The one DC for cannot, then, even find ITSELF.  But why does it let you log onto itself with your new accounts?  Because AD wakes up on DC1 and realizes that even though it can't find itself listed in DNS as a domain controller for that it -- AD, that is -- knows full well that it IS a DC for, and refers to itself when you want to do a local logon.  It's over-the-network logons that won't work.  Like the one that Jack tried to do from his second machine, his would-be second DC.  Let's see how to set up that second DC.
  2. Setting Up The Second DC
    1. As before, install Windows 2000 Server on a second machine.  Call it DC2.
    2. Configure DC2's IP stack to point only to DC1 for DNS.  Only the "preferred" DNS server field should be populated, with DC1's IP address.  Do NOT fill in the ISP's DNS server as an alternate.  If you did, then suppose DC2 booted up and tried to contact DC1's DNS server.  Now suppose that DC1 was busy for a minute and didn't respond; DC2 would then start depending on the ISP's DNS server.  The ISP's DNS server does not have the information about, including the list of DCs and so when DC2 tries to find a DC for to log you on, then it'll fail, as it won't be able to find a DC.
    3. You should be able to run DCPROMO on the second machine here with no trouble.  If it fails then refer to the instructions in Newsletter #12 or pages 523-525 in the Fourth Edition to use NSLOOKUP to find out what machine DC2 thinks is a DC.

That should do it.  Set up any subsequent workstations or member servers the same way:  their DNS preferences should only refer to DC1's DNS server.  You can, of course, set up other DNS servers inside your intranet, make them secondary servers for, and spread the load around a bit by pointing some machines to one DNS server, others to another and so on.  But all domain members or would-be domain members must point to a DNS server that is primary or secondary for the internal

To summarize, then, here is the way to build an AD if you do not want the DNS zone that serves your AD to be publicly visible:

  1. Set up one or more DNS servers inside your intranet.  Have their DNS CLIENT settings all refer to themselves (or to another internal DNS server), and NEVER to a DNS server outside of your intranet.  (The DNS SERVER side is a different matter: your internal servers will still need forwarders or root hints to resolve names outside your own zone, such as other people's Web sites.  That's fine -- the point is that no domain member's client settings bypass the internal servers.)
  2. On one of the DNS servers, build a zone for your AD and make it dynamic.  Make all other DNS servers inside of your intranet secondary DNS servers for that zone.
  3. Copy any relevant records from your outside, publicly-visible zone to your internal zone.
  4. Take the machine (which points to one of your internal DNS servers) that will be the first DC and run DCPROMO.  If you get the DNS error from DCPROMO then re-examine how DNS is set up.
  5. Ensure that all other systems inside the intranet point only to your internal DNS servers; you can then run DCPROMO to create more DCs or join workstations and member servers to the domain.
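The following is an added example, not from the newsletter: a PowerShell script that performs the three checks the cookbook above depends on, run on the machine that is about to run DCPROMO (or join the domain).  It assumes the AD domain is bigfirm.com (the newsletter's "Bigfirm"; the exact name is an assumption) and that the internal DNS servers are 10.0.0.10 (DC1) and 10.0.0.11 (both addresses are assumptions).  It needs the DnsClient module, i.e. Windows 8 / Server 2012 or later; on Windows 2000 you make the same checks by hand with IPCONFIG /ALL and NSLOOKUP as the article describes.

```powershell
# Added example: verify a would-be DC or domain member is using the internal
# "set of books" for DNS. Domain name and server addresses below are assumed.
param(
    [string]   $Domain      = 'bigfirm.com',
    [string[]] $InternalDns = @('10.0.0.10', '10.0.0.11')
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. The DNS client must point ONLY at internal servers. An ISP address as the
#    "alternate" is the classic mistake: the moment DC1 is slow to answer, the
#    client falls back to a server that has never heard of the AD zone.
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique
if (-not $configured) {
    $problems.Add('No DNS servers configured at all.')
}
foreach ($addr in $configured) {
    if ($InternalDns -notcontains $addr) {
        $problems.Add("DNS server $addr is not an internal server; remove it.")
    }
}

# 2. The SOA for the AD zone must name an internal DNS server as primary
#    (the article's 'set type=soa' check). If the primary is the ISP's box,
#    this client is reading the public zone, not the internal one.
try {
    $soa = Resolve-DnsName -Name $Domain -Type SOA -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    $primaryIps = (Resolve-DnsName -Name $soa.PrimaryServer -Type A -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }).IPAddress
    if (-not ($primaryIps | Where-Object { $InternalDns -contains $_ })) {
        $problems.Add("SOA primary for $Domain is $($soa.PrimaryServer) ($($primaryIps -join ',')), not an internal server.")
    }
} catch {
    $problems.Add("Cannot resolve SOA for ${Domain}: $($_.Exception.Message)")
}

# 3. The DC locator record must exist. Netlogon on each DC registers
#    _ldap._tcp.dc._msdcs.<domain> only if the zone accepts dynamic updates;
#    no SRV record here is exactly the state that produces "The domain does
#    not exist or cannot be contacted".
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { throw 'no SRV records returned' }
    $srv | ForEach-Object { Write-Host "DC locator: $($_.NameTarget):$($_.Port)" }
} catch {
    $problems.Add("No DC locator SRV record for ${Domain}: $($_.Exception.Message). " +
                  'Check that the zone allows dynamic updates, then run "ipconfig /registerdns" ' +
                  'or restart Netlogon on DC1 to re-register.')
}

if ($problems.Count -eq 0) {
    Write-Host "DNS looks right for $Domain; DCPROMO or a domain join should not fail on DNS."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once on DC1 (where the only acceptable answer to check 1 is DC1's own address) and again on DC2 before running DCPROMO there.  A failure in check 3 with checks 1 and 2 passing almost always means the zone was created without dynamic updates, so Netlogon's registrations were refused.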

Making Domain Controllers Stop Accessing the Floppy Every Five Minutes

I know that most of you are not yet using Active Directory.

How do I know?

Because only a couple of you have asked me this question:  "why does my domain controller grind the floppy drive every five minutes?"

After I applied Service Pack 2 to my systems, I noticed the behavior.  One of my enterprise domain controllers and a few test DCs sit in the room where I write.  I like my writing area to be quiet, or at least noisy to a constant level -- machine fans don't bother me.  (Well, that's not really true.  The fans on my Dell PowerEdge 500SC servers seem to make almost as much noise as a lawnmower.  Hence, I only turn them on when I need them.)  But after installing SP2 I soon noticed that some servers -- and I soon noticed that it was only DCs -- were trying to access the floppy drive.  Yikes, I thought, I'm being hacked.  So I ran my buddy Mark Russinovich's FILEMON program (it's free at and while you're there, check out the very neat Windows 2000 Internals seminar that he and David Solomon are running in mid-June in Boston -- I'm going to be there to soak up as much knowledge as I can, and if you need to know about the geeky details of 2000's innards then that's the place to be) to find out exactly what process was trying to read the floppies.

The answer?  Something called NTFRS.EXE.

Let's see, I thought, I know NTFRS, that does the File Replication Service.  But I'm not using any fault-tolerant Dfs shares on these servers.  Oh, wait, that's right, NTFRS is also used to keep the information in the domain's Sysvol shares consistent, and Sysvols only exist on ... domain controllers!

All of a sudden this starts to look a lot less like a hack and a lot more like a bug.

It took them a while, but Microsoft eventually admitted the bug (they didn't when I first asked) and now they have a fix.  You can find it at Q307319.  Unfortunately, Microsoft has stopped giving away these fixes.  Apparently they only want to give them to you if you actually need them, in their opinion.  So you might try calling the Microsoft $245-for-a-question line and tell them that you want the hotfix referred to in that Q article or at this URL:;en-us;Q307319.  Now, let me stress that the article says nothing about the floppy grind.  But tell 'em that you have DCs that grind the floppy disk every five minutes for no reason at all and that running OH.EXE from the Resource Kit shows that NTFRS.EXE is the program doing the grinding.  Tell them also that the behavior started after you applied SP2.  You should get the patch free then.  Now, clearly I cannot control what Microsoft Product Support Services does, so don't yell at me if they charge you. And please don't e-mail me to ask for the patch, I cannot re-distribute it.  (Sorry, but Microsoft's got more lawyers than I've got.  Way more.)

More On Deleting Undelete-able Directories On Hacked FTP Sites

Last newsletter, I talked about my experience where I'd accidentally left an FTP site open and some jerk created a directory for saving his stolen software.  He'd used a trick that I explained that made the directory difficult to delete using the normal GUI methods, and offered an idea or two about how to fix it.  Some of you wrote in to tell me of even sneakier tricks of the FTP-thieving dirtbags.  An idea occurred to me also that you might find useful.

Apparently some of them actually create directories with names like COM1.  That makes them hard to delete because, as you may know, COM1 is a "magic" name, as it refers to the first serial port.  But, several of you told me, all's not lost.

For years, the Resource Kit has included some NT versions of old Unix utilities.  Unix and Linux users may recognize the name "rm," as it's the Unix/Linux version of the "erase" or "del" command.  As rm isn't aware of any of the "magic" directory names, apparently it can zap any "un-delete-able" directory, even one named LPT1 or COM1 or the like.

But another idea occurred to me.  Remember that the trick that the thieves used to steal disk space relied upon the fact that NTFS drives maintain two names for every file or directory -- the normal long one that you see and the old "8.3" style name maintained on the off-chance that you want to run some old DOS app.  The trick was that the long name could be something the GUI couldn't cope with, while the short 8.3 name remained perfectly ordinary; you then used the 8.3 name to get a handle on the directory and zap it.

Now, personally I haven't run many DOS apps in the past few years save for the odd game, so I'm not sure I care if my drives support the 8.3 names.  Then I remembered... there is a Registry setting that disables 8.3 names.  Now, let me clarify -- disabling 8.3 name creation will not completely kill DOS or other old-style programs.  What it'll do is make them unable to see files whose names don't already fit the 8.3 format.  For example, I tried installing and running Master of Orion, an old DirectX 2.0 game.  All of its files are 8.3 format and it ran fine.  You get the extra benefit that there's a bit less work for the OS whenever it creates a file, and less space required in $MFT to store the file's information.  I'm not 100 percent certain that this will stop the diskspace thieves, but I think it'll slow 'em down and insofar as I can see may well improve your system's performance just a trifle.

Make the change in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem, value entry name is NtfsDisable8dot3NameCreation.  Set it to 1 (it's 0 by default) and reboot and your NTFS drives will no longer store 8.3 names.  I have been doing this on my XP workstation (the machine that hosted the FTP site that had space stolen before) for several days and have not found any problems.
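Here is an added example, not from the newsletter, that does two things the text above does by other means: it deletes a directory whose name is a reserved device name (COM1, LPT1, NUL and friends) and it turns off 8.3 short-name creation and reads the setting back.  The reserved names are a rule of the Win32 name parser, not of NTFS, so prefixing a path with \\?\ (which tells Win32 to pass the path to the file system untouched) lets an ordinary RD remove the directory; that is an alternative to the Resource Kit "rm" and also works for names ending in dots or spaces.  One caveat the registry change alone doesn't cover: it stops the creation of NEW short names only, so directories that already have one (DIR /X shows them) keep it.  The path D:\ftproot\COM1 is an assumption; run this from an elevated prompt.

```powershell
# Added example: remove a reserved-name directory and disable 8.3 names.
# Path below is assumed; adjust to wherever the FTP root lives.

function Remove-ReservedNameDir {
    param([Parameter(Mandatory)][string]$Path)   # e.g. D:\ftproot\COM1
    if ($Path -notmatch '^[A-Za-z]:\\') { throw "Need an absolute drive path, got '$Path'" }
    $parent = Split-Path -Path $Path -Parent
    $leaf   = Split-Path -Path $Path -Leaf

    # \\?\ bypasses Win32's device-name and trailing-dot/space handling, so
    # "COM1" is just a directory to RD. cmd.exe is used because Windows
    # PowerShell's own file-system provider does not accept \\?\ paths reliably.
    cmd.exe /c "rd /s /q ""\\?\$Path"""

    # Verify with a plain listing of the parent: enumerating the name is fine,
    # it is only opening it by its Win32 name that goes wrong.
    $listing = cmd.exe /c "dir /b /a:d ""$parent"""
    if ($listing -contains $leaf) {
        throw "$Path still exists; check you are elevated and nothing has it open"
    }
    Write-Host "Removed $Path"
}

function Disable-ShortNames {
    # Same value the text names. NTFS reads it at mount time, so reboot afterward.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $name = 'NtfsDisable8dot3NameCreation'
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    $now = (Get-ItemProperty -Path $key -Name $name).$name
    # Windows 7 / Server 2008 R2 and later also accept 2 (per-volume setting)
    # and 3 (off everywhere except the system volume); 1 is "off everywhere".
    if ($now -ne 1) { throw "$name is $now, expected 1" }
    Write-Host "$name = 1; existing short names are NOT removed by this. Reboot to apply."
}

Remove-ReservedNameDir -Path 'D:\ftproot\COM1'
Disable-ShortNames
```

On Windows 7 / Server 2008 R2 and later, "fsutil 8dot3name strip /s /v D:\ftproot" removes the short names that already exist under a tree (it warns about registry values that reference them, because some installers record short paths there); on earlier versions the only way to lose an existing short name is to recreate the file.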

Time Servers at National Institute of Standards and Technology

You may recall that an Active Directory requires that the first domain controller built in the first domain built be directed to a reliable time source.  (Strictly speaking it's not the first DC in the first domain, it's the DC that happens to hold the PDC emulator operations master role in the forest root domain, but by default that's the first DC in the first domain.)  That machine sits at the top of the forest's time hierarchy: workstations and member servers take their time from a DC in their domain, those DCs take it from their domain's PDC emulator, and the PDC emulators of the other domains take it from the forest root's PDC emulator -- which is the only machine that needs an outside time source.  You tell the root PDC emulator operations master what time server or servers to get its time from with a NET TIME /SETSNTP command.

I didn't mention this in the book, but the National Institute of Standards and Technology (NIST) runs a number of time servers.  You can find a listing of them at  You could, then, construct a command for your PDC emulator like

net time /setsntp:""
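The following is an added example, not from the newsletter, showing the later equivalent of that command and the check that goes with it.  It assumes it is run on the forest root PDC emulator, that the w32tm /config syntax (Windows XP / Server 2003 and later; Windows 2000 keeps NET TIME /SETSNTP) is available, and that w32tm /query (Vista / Server 2008 and later) is available for the verification step.  time.nist.gov is NIST's round-robin name for its public servers; NIST's own page lists the individual hosts.  Note the security point: SNTP as used here is unauthenticated, and a forest whose root PDC emulator can be fed bogus time will see Kerberos break forest-wide once clocks drift past the five-minute default skew, so only let the edge firewall pass UDP 123 to the peers you chose.

```powershell
# Added example: configure the forest root PDC emulator's time source and
# confirm it synchronised. Peer name is NIST's public round-robin address.
$peers = 'time.nist.gov,0x8'   # 0x8 = client mode; separate several peers with spaces

# Manual peer list, this host marked as a reliable source for the hierarchy.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

Restart-Service w32time
w32tm /resync /rediscover
if ($LASTEXITCODE -ne 0) { throw "w32tm /resync failed with exit code $LASTEXITCODE" }

# The source should now be one of the NIST hosts, not "Local CMOS Clock".
w32tm /query /source
w32tm /query /status
```

If /query /source still reports "Local CMOS Clock" a minute or two later, the usual causes are an outbound firewall blocking UDP 123 or a typo in the peer list; "w32tm /stripchart /computer:time.nist.gov /samples:3" shows whether the peer answers at all.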

Free Basic Network Sniffer

I ran across something pretty neat on the Net the other day.  It's a free network "sniffer," a program that captures and displays information about every packet that goes by your machine on the network.  It is very basic in that it lacks a complex parser to help you analyze those packets but if you can't afford the full-blown version of Network Monitor then you might find this useful.  I found it at  They say it's beta now and therefore free but for the basic things that it tries to do it seems to work fine.


I hope you'll join me for a seminar but if you can't attend a class then please consider attending one of these conferences:

WinConnections in Palm Springs May 5-8

The same folks that put on that Windows 2000/Exchange 2000 Connections conference in Scottsdale are coming to Palm Springs in early May of this year.  I get to open the conference with a keynote and I'm also doing some breakouts; my "AD classic" talk (an overview of Active Directory with Whistler updates), an explanation of what Windows XP and 2002 will do for (or to) you, and my "DNS Fundamentals" talk.  

Find out more at

(Free) Windows Decisions 2002 in Chicago May 8-10

The folks (who run a great portal offering tons of Windows 2000 information as well as jumping-off points to other great resources) have put together an interesting conference in The Windy City early this November, but world events have prompted them to move it to May.  (Better time for good weather in Chicago anyway.) John Enck, one of my former co-workers at Windows NT (now Windows And .NET) magazine, will be offering his unique perspectives, as will Laura DiDio -- Laura's been an NT industry watcher for as long as I can remember. They'll also have geek talks, including my look ahead at .NET Server (and what will be by then a look BEHIND to XP) as well as an AD/migration talk.

Interestingly enough, the conference is free. Free, that is, if you meet their criteria and no, I don't know what those criteria are -- but it only takes a minute or two to apply. Give it a shot and perhaps I'll see you at the Chicago Hilton!

Find out more at

Support Services in San Diego May 21/22

Every geek's favorite conference emcee, George Spalding, is in charge of this year's Support Services Conference and Expo in San Diego.  I'm keynoting with my talk Why Bad Software Happens To Good People.  I'm also doing my Future of Windows talk as well as teaming up with George for "Computer Networking 101," a sort of cross between improv and education.  Top it off with Tech Support Jeopardy and it's gonna be a great show.  Heck, they even have GOOD speakers like Todd Lammle, Roberta Bragg, Gene Ball, Rae Ann Bruno, Sandra Simpson and lots of other folks who know a lot more about running a help desk than I do.   More info at  

TechMentor San Diego September 3-7

A terrific show that I'd attend even if they didn't pay me to be there.  It's got great sessions and is in San Diego this September.  Info at   For the past two conferences they have offered you the opportunity to take any Microsoft cert test for half price, so on the off-chance that you didn't see any sessions that you wanted to sit in on (an unlikely event!), then you could take a test.  They even ran tests until about 9 at night.

I'm doing "Securing Your Network -- A Dozen Tips," "Troubleshooting Group Policies," and "Tuning Windows 2000/XP/.NET Computers" as well as a general session.  If you can make it then I surely hope to see you there!

Bring Mark to your site to teach

I'm keeping busy doing Windows 2000/.NET Server seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2000/.NET techies.  To join the large educational, pharmaceutical, agricultural, aerospace, banking, government, transportation, and other organizations that I've assisted, either take a peek at the course outline at, mail our assistant at, or call her at (757) 426-1431 (only between 9-5 Eastern time, weekdays, please).

Until Next Month...

Have a quiet and safe month.  Summer's busting out here, get out and get some sun!  (Well, if you live in the Northern Hemisphere, that is.  Apologies to those below the equator.)

Next month, I'll feature a few articles on digital imaging -- how to choose the number of megapixels in a camera, and some information on an interesting technology that most of the world knows about that Americans generally don't know much about -- video CDs or VCDs.  (There will be network stuff, too, fear not.)

Please share this newsletter; I'd like very much to expand this newsletter into a useful source of NT/2000/.NET Server/XP information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over seventeen thousand subscribers and I hope to use this to get information to every single Mastering XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take care -- my prediction is that the economy will roar back by September, so polish up those resumes!  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at


All contents copyright 2002 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.