Mark Minasi's Windows Networking Tech Page
Issue #34 June 2003

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. To change e-mail address, switch between HTML or text format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.  Visit the Archives at http://www.minasi.com/archive.htm.  Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp.  Document copyright 2003 Mark Minasi.

What's Inside

  • News: 
    • Announcing Our AD Design Help Service
    • Summer Sale on CDs!
    • Request: Please Consider Posting An Amazon Review
    • Upcoming Free Appearances:  Security Roadshows in San Jose 6/18, Denver 6/20, Anaheim 6/24, San Diego 6/25, Chicago 6/27
    • Seminars: XP and the NEW Server 2003/2000 Classes: LA, DC, NY
  • Tech Section
    • Has Outlook/Outlook Express Started Blocking Your Attachments?
    • AD and backups
    • Online List of Ports and Usages
    • More on Eliminating NTLM and LM
    • Fixing "the computer did not resync because no time data was available"
    • VMWare Fans:  Upgrade to 4.0
    • Server 2003 Book Errata
  • Conferences
  • Bring a Seminar to Your Site

News

Hello all

Whew, it's been a long six weeks on the road (hence no May newsletter) and I'm about to get back on the road to do two weeks' worth of Security Roadshows, sponsored by Microsoft and Windows and .NET Magazine and coming to San Jose, Denver, Anaheim, San Diego and Chicago between June 18 and 27, see below for details.)

I've got lots to talk about this issue, so let's get right to it.  First, the marketing stuff, as short as I can make it...

Announcing Our AD Design Help Service

It's been three and half years since Windows 2000 came out and only about half of the NT 4 domains have upgraded ... what's going on?  In my experience people are upgrading slowly for several reasons:  insufficient funds, or insufficient people to do it, or just plain uncertainty.  A couple of months ago I realized that for many people have an AD plan almost done ... but they'd like someone to look it over before they make the Big Jump.  So I started offering an AD design service and it's keeping me pretty busy.  Find out more at http://www.minasi.com/adnow.htm

Summer Sale (With Reduced International Shipping) on CDs!

So many of you responded to our 2003 book/CD offer that we're offering the .NET, Tuning, and Security CD sets at 33% off.  We've also dropped international handling costs $15/set for this sale.  Get 'em while they're cheap!  Info at http://www.minasi.com/cdsale2003.htm

Request: Please Consider Posting An Amazon Review

The 2003 book has been selling well -- many thanks! -- and it topped Bookpool's sales list for a few weeks.  I'm very grateful for the response that the book's gotten, but I need to ask your assistance, if I may.  If you've got the 2003 book, could I ask that you take a moment and post a few words on Amazon about it?  Reviews there mean a lot; thanks in advance for any help.

The Security Roadshow's Coming To Your Town In The Next Two Weeks!

Microsoft has asked Windows and .NET Magazine to bring back the Windows Security Roadshow, so Windows SuperSite jefe Paul Thurrott and I are coming to six cities between June 18-27.  I do my "12 Tips To Secure Your Windows Network" talk and Paul talks about "The Future of Windows Security."  Locations are San Jose 6/18, Denver 6/20, Anaheim 6/24, San Diego 6/25, and Chicago 6/27.  Info at http://www.winnetmag.com/roadshows/security2003/.  See you there!

Seminars: XP and the NEW Server 2003/2000 Classes: LA, DC, NY

Just a few more days until our Los Angeles seminars:  "XP Support" and "Running a 2003/2000-Based Active Directory."  There's no faster way to become expert in desktop or network support.  And don't forget we're coming to DC in September (near Dulles) and NY in November (near LaGuardia).  Find out about the XP seminar at http://www.minasi.com/xpsupport.htm,  the Active Directory/Group Policy seminar at http://www.minasi.com/2003outln.htm, and the schedule of seminars at http://www.minasi.com/pubsems.htm

Tech Section

This month, some troubleshooting, more info on last newsletter's topic, a useful resource and some errata.

Has Outlook/Outlook Express Started Blocking Your Attachments?

About a month ago, I noticed that Outlook 2000 (on my desktop) and Outlook Express 6.0 (on my laptop) started blocking most of my e-mail attachments -- EXEs, VBS, PDF, just about everything except image, DOC, PPT, and XLS files, offering only a message to the effect that there was a potentially scary type of file attached and that Lookout (oops, I meant Outlook) was doing me a favor and blocking it.

This was of course irritating ... but also familiar.  I recalled that back when Office 2000 SR-1 came out that Outlook had started doing something similar.  I vaguely recalled that it'd required a Registry change to disable this new "feature" that SR-1 came with, called the "Outlook E-mail Security Update."  It seemed at the time kind of funny that some of the extensions that Microsoft didn't block (Word, Excel, PowerPoint) could contain pretty dangerous macros, while at the same time I couldn't imagine what would be bad about a PDF.  In any case, I was puzzled about why the E-mail Security Update would return now.

A bit of searching showed that IE6's SP1, a "critical" update in Microsoft's eyes, did me the favor of re-enabling the E-mail Security Update without asking.  Here's how to un-do it.  This is apparently the "cod liver oil" model of security through updates -- "swallow it, it's good for you."

Getting my attachments back in Outlook Express 6.0 was simple.  Click Tools/Options and then the Security tab on the resulting property page.  Un-check the box in the middle of the page that says "Do not allow attachments to be saved or opened that could potentially be a virus."  Click OK to clear the box and you can get to your attachments.

With Outlook 2000, it was a trifle more complex.

1) Open Regedit and go to HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security.
If you don't have the key, then create it.
2) In that key, create a new entry of type REG_SZ called "Level1Remove".
3) Fill the key with a list of extensions that you don't want Lookout to block, separated by semicolons.  For example:

.url;.exe

Note that some places say NOT to use the periods. I used them and it worked.

4) Close Regedit.
5) Exit Outlook.
6) Use Task Manager to ensure that Outlook.exe is indeed not running.
7) Restart Outlook.

OL2002 apparently works the same but you substitute "10.0" for "9.0." And there are a few utilities around that will save you the Registry hacking.  A Forum member suggested this freeware tool which puts a GUI on it:

http://www.downloadvista.com/proghtml/389/38912.htm

I've not tried it but I've heard good things about it.

AD and Backups: One For Each Server

Now that I'm teaching AD disaster recovery in class, I'm finding that virtually everyone has made the same mistake at some time when it comes to protecting their AD backups.  You need to back up the Active Directory on every domain controller.  In general an AD backup on one DC cannot be restored to another DC.

I guess this doesn't seem to make sense -- can't a backup from any DC be restored to any DC, isn't that what disaster recovery is all about? -- and so people simply take one set of AD backups and leave it at that.  Unfortunately, they then find that the backups are no good when restored to other DCs.

So what do you do if all of your DCs are destroyed at once or, equivalently, what if you have only one DC?  (Note that I strongly recommend against ever running just one DC.  But I realize that sometimes economic realities prevent that second DC.  If that's the case, tell the boss exactly how many hours the network will be down if you lose the one DC and how cheap a little clone and a copy of Server is.  If the boss can do math you'll have that second DC in no time.)  In that situation, Microsoft says that you can rebuild your domain by installing Window 2000 Server on a new system and then restoring any AD backup from any of the now-destroyed domain controllers.  KB article 263532 isn't a short one, but it does offer some valuable advice.

But why is it that you can't restore an AD taken from DC1 onto DC2?  Simple: USNs (uniform sequence numbers).  Where NT 4.0 BDCs had copies of the SAM that were identical because they were just carbon copies of the PDC, recall that in AD every DC maintains its own set of internal pointers etc.  So let's say that DC1 replicates with DC2 at noon on Tuesday.  DC1 then updates what it knows about DC2, which (simplified) might be something like "the last time I asked DC2 what was new, it told me that its most recent update was USN number 10000."  That USN is just an internal sequence number indicating how many times someone's updated DC2's copy of AD.  So if Jane, a user on the AD, has changed her password 20 times since DC2 came up, then that accounts for 20 of the 10,000 changes that DC2 has seen.  In contrast, DC1 might have been up longer and might have a highest USN of 50,000 because it's seen many more changes; it could have been around for 117 of Jane's password changes.  Both DC1 and DC2 have the same information in their databases, but not necessarily the same USNs.  So suppose we have yet another DC named DC3 and the last time that DC1 replicated with DC3 then DC1 found out that DC3's highest USN was 5000.  Now let's say that DC3, suffers damage to its AD and no one can find a backup of its AD, and someone decides to just restore a backup of DC2's AD to DC3.  

The next time that DC1 tries to replicate with DC3, it says to DC3, "hmmm... the last time we talked you were up to USN 5000.  What do you know that's happened since?"  As DC3 has gotten a brain transplant from DC2, it says to DC1, "hey, a lot's happened -- my highest USN is now 10,000!" and re-replicates a whole lot of stuff to DC1, creating havoc.

Now you can see why it's possible to take any old AD backup and put it on a restored DC, provided that DC is the only one in the domain -- there' s no replicating to do, and so no USN mixups.  Of course, even in that case, Microsoft recommends that you use this DC to get another built-from-scratch DC up and running, and then demote that first DC and format its hard disk.

You may be wondering if this is true for 2003, given that with Server 2003 it's possible to DCPROMO an entirely new DC based on a backup.  Assuming that all of your DCs were destroyed, could you build a fresh new 2003 system and DCPROMO it using the backup from a DC on your destroyed domain?  No; DCPROMO won't run in any case unless it can contact a DC and authenticate whoever's running DCPROMO.  If it didn't do that, then anybody could add extra domain controllers to a domain -- and that wouldn't be good.  As there wouldn't be any working DCs, DCPROMO would never get a response, and would fail before creating the domain controller.

Online List of Ports and Usages

Ever needed to know who uses port 1080?  Our good friend Morten Zierson at the Forum suggests http://www.chebucto.ns.ca/~rakerman/port-table.html  as a good reference on ports.

More on Eliminating NTLM and LM

Last time I published a lengthy article about how to eliminate the antique LM authentication protocol from your network, and suggested banishing its stronger cousin NTLM in favor of the more-secure NTLMv2.  Thanks for the huge volume of kind mail over the article, I'm glad so many of you liked it.  

Some of you wrote to tell me that, as expected, shutting off NTLM would break some things.  But I was surprised to find that shutting off LM, an authentication protocol that I'd have thought obsolete for the past ten years, broke some things as well.  Some readers discovered these compatibility issues:

  • Quantum SNAP servers need LM, some readers reported.  Quite surprising!
  • Older versions of SAMBA needed LM, some reported.  My experience with SAMBA on Linux has shown, however, that any version of SAMBA from the past two or so years can work fine without LM.  It does seem to need NTLM, however, so restricting your network to NTLMv2 only will probably cause problems for SAMBA.  I am told that SAMBA 3.0, shipping soon, has no such requirements.  It sounds pretty neat, as 3.0 can even act as a member of an Active Directory without NetBIOS.
  • Novell CIFS:  one reader reported that NetWare -- he didn't say which version -- needed LM for authentication.  That's disturbing to hear, as LM's so easy to crack.

In most cases, readers who experienced problems when disabling NTLM and LM solved those problems by loosening their security back to allow NTLM, still disallowing LM.

Please keep sending me these reports, I'd like very much to hear about subsystems that won't work without NTLM or LM.  I'll share the results as I get them!

Fixing Time Synchronization Problems

My XP desktop stopped synchronizing its time with the domain.  The Event Log kept showing that the desktop hadn't time-synced with any of my DCs in weeks.  That worried me because if my workstation's time drifted more than five minutes from the domain controllers' time then I'd not be able to log on.  Once I was three minutes off, I figured it was time to figure out what had happened.

I tried to re-synchronize from the command line:

w32tm /resync

And got "the computer did not resync because no time data was available."  Oooh, that doesn't look good.  But then I realized that I'd fixed my system's time server as an experiment rather than letting AD set it.  Some free time sync programs do that also, so many of you may be in this position.  I just cleared out HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters's "NtpServer" value entry, and then I restarted the Windows Time Service.  Sadly, no dice ... still no sync.  For some reason, if your domain doesn't find all of the Registry entries to be "just right," then it won't sync with your system.  You can, thankfully, fix it with this command:

w32tm /config /syncfromflags:DOMHIER /update

Type that from a command line, and then restart Windows Time Service and retry the w32tm /resync or, better,

w32tm /resync /rediscover

A command that cleans out and rebuilds a few other Registry entries.  I had that problem with my XP box about a year ago; since then I've found these commands useful on a number of systems.  When workstations get more than five minutes out of sync with the DC, then they stop authenticating but they're not very forthcoming about the reason -- so when authentication's a problem then first look at DNS, and if that doesn't help then look at time!

VMWare Fans:  Upgrade to 4.0

Regular readers will know that I'm a huge fan of VMWare's VMWare Workstation product, so much that I made it the focus of a newsletter about a year ago.  I've recently upgraded to their 4.0 version (a $99 upgrade) and wanted to pass along that it's well worth the money.  The ability to drag and drop files between virtual machines is a real godsend for someone setting up complex virtual networks.  And if you've ever tried to run XP or 2003 systems in a VMWare 3.1 environment then you know that the mouse behaves strangely when the Winlogon, the login screen, is active, but that's fixed in 4.0.  Networking is more flexible as well, as you can move virtual machines from one virtual subnet to another without a reboot.  You can also control those virtual subnets more easily, as they've included a GUI interface to manage most of a subnet's characteristics.  (Not all, unfortunately; for example, I wanted to set VMNet4 to use 192.168.0.x but the GUI doesn't let you change the network number.  Something for 4.1, perhaps!)  In any case, if you're a VMWare fan, I recommend giving it 4.0 a try.  If you're not using VMWare, then give it a look.  For just $300 you can take one machine and turn it into an entire test lab of machines.

You may know that Microsoft recently purchased VMWare's competition, VirtualPC, and will probably give it away eventually, so you might wonder:  does buying VMWare make any sense?  I think so, as I'm guessing -- and it's just a guess -- that once Microsoft finishes re-working VirtualPC that it will only run on Enterprise Server 2003 ... and that four grand for Enterprise might be a tad expensive for some budgets.  Furthermore, VMWare can also run virtual machines running Linux, NetWare or basically any other x86-based OS.

Still not using VMWare and wondering how it'd be useful?  In just a few words, VMWare Workstation is a $300 program that creates actual entire virtual PCs out of your computer.  You can tell it things like, "I'd like a new PC with this much RAM, these many hard disks, and two Ethernet cards."  You then boot that virtual machine -- it runs in a window -- and you see a Phoenix BIOS bootup message just as you would for a new computer.  You then install an operating system from scratch onto this virtual machine and it behaves in every way as if it were a separate stand-alone computer.

This has a few benefits.  First, you create as many VMs as you like, so long as their memory doesn't exceed 1GB of RAM.  Thus, one computer can host six or seven systems, a virtual test lab.  Second, you can network them, making them either look like an honest-to-God NIC on your real-world network, or you can create virtual subnets and keep all of the networking off the real network -- you can even run a network sniffer in a virtual machine and see what's going on.  Very nice for isolating a small network to diagnose a problem.  Third, when they're not running, these virtual machines live on the host computer as nothing more than a few files on the host's hard disk -- big files, yes, but files.  You can create a virtual system that does a particular function and then you can just back it, ready to restore if ever needed.  The 1GB limit only applies to the VMs actually running, recall -- you can have as many pre-built VMs ready to go as you like, there's no limit there.  Finally, there's snapshots.  A snapshot tells the VM to remember its exact state at some moment in time, and you can tell the VM to return to that snapshot in an instant.  The value?  Testing.  When I test some new software, I first set up a computer and play with that software to get the feel of it.  Then I wipe the computer clean and re-install the software fresh to test what I've learned; that wipe and reinstall is essential, but it takes time.  With a VM and a snapshot, all I've got to do is just click the "Revert" button and the VM forgets everything that I've done since I last took the snapshot.  If you teach classes and run demonstrations, you'll love snapshots; if you test systems then you'll also love snapshots.

Honestly, I don't own any stock in this company and I have no idea if they're even publicly traded.  But the product's good; give it a shot.  www.wmware.com is the place to find out more.

Server 2003 Book Errata

Many of you have written not only to tell me that you like the book (whew!) but also that you've found places were we goofed.  Here's the first batch of corrections, with my apologies.

Introduction

Typos

Page XXXIV reference to "Windows Server 2002" should of course be "Windows Server 2003."

Chapter 1, Overview

Typos

Page 16, second para from bottom "...the result will be eventually be..." should be "...the result will eventually be..."

2003 Needs New Server CALs

I had originally been led to believe that anyone upgrading from 2000 servers to 2003 servers would not need to upgrade their CALs.  Apparently Microsoft changed their mind and you do need to upgrade CALs if you go to 2003.  Let me clarify that:  add just one 2003 server to your enterprise and you'll probably have to buy 2003 CALs for everyone in your network.  Apologies for the error.  I try to avoid license issues altogether, as they're really legal rather than technical issues -- this is why.  

Datacenter Versus Enterprise Editions

When I wrote the Overview -- the first chapter of the book -- Microsoft hadn't yet decided what went into Enterprise and what into Datacenter.  They decided late in the game (too late to get into the book) to enhance Enterprise's attraction by including a bunch of Datacenter tools, including

  • 8-node clusters
  • Windows Resource Manager
  • NUMA support
  • Hot plug PCI support

So the references to these tools as Datacenter-only are no longer correct.

MSDE is Outa There!

I mentioned in Chapter 1 that Microsoft shipped Server 2003 with MSDE, the reduced-function version of SQL Server 2000.  They did in RC2 and earlier, but pulled it from the final version, probably over post-Slammer jitters.  So apologies, but there's no free database server in 2003.  Shucks.

Chapter 4, Registry

Typos

Page 89, last sentence -- "You can see the hive files that correspond to parts of the subtree listed in Table 4.3" should refer instead to Table 4.4.

Page 90, first sentence -- "Table 4.3 needs a few notes..." should say "Table 4.4 needs a few notes..."

Page 91, last sentence before Table 4.5 should be "Confused about where all the keys come from?  You'll find a recap in Table 4.5.  It's similar to Table 4.4, but it's more specific about how the keys are built at boot time."

Domain Controllers Do Have SAMs

On page 90 I discuss the SAM file, noting that domain controllers do not have SAM files -- they have Active Directory databases.  A reader correctly points out that DCs do indeed have SAMs, even though those SAMs have only one account -- the Directory Service Restore Mode password.

Chapter 5, Setup

Typos

Page 95, third paragraph, second sentence "You can script, as before, but scripts are easier" should be "You can script your  installs, as before, but creating those scripts has become easier."

RIS Goes on DCs

Somewhere in Chapter 5 I said that you can't put RIS on a DC.  (I'm not sure why I wrote that, I've done it.  Brain damage from too much CRT emissions; good thing I'll be 100% LCD soon.)  It's not true, you can put RIS on a DC with no trouble.

Chapter 7, DNS/WINS/DHCP

Typos

Page 439 -- the text is unclear about what is the default choice for AD-integrated zone replication.  The default pathway for AD-integrated zones is to all DCs in the AD domain, rather than to all of the DCs in a given forest.

Page 460 -- the second paragraph refers once to a system at 100.1.1.5 and twice to a system at 10.1.1.5.  All three references should be to 10.1.1.5 -- the 100.1.1.5 reference is incorrect.

HOSTS, Then DNS Cache

Page 363, top, says

"Summarizing, then, a Windows 2000 or later system looks in its DNS cache, then its HOSTS file, then asks a DNS server, then a WINS server, and finally broadcasts."

This is true except for the order.  Systems always look in HOSTS first, then DNS cache.  That was actually explained correctly earlier in the text; I just messed up the summary.  Corrected, the statement should be

"Summarizing, then, a Windows 2000 or later system looks in its HOSTS file, then its DNS cache, then asks a DNS server, then a WINS server, and finally broadcasts."

You Can Now Define Vendor Classes

Another RTM surprise!  For years you've been able to create user classes in DHCP, as you've read in my 2000 book and in the 2003 book.  But in the final release of Windows Server 2003, Microsoft added the ability to create new vendor classes.

Chapter 8, Active Directory

Complex Passwords are the Default!

When I first built domains from the final "RTM" version of Windows Server 2003, I got bit of a surprise:  any AD domain built on Windows Server 2003 requires that user accounts have complex passwords.  That wasn't the case for RC2 or earlier versions.

Active Directory Migration Tool:  Good For All Sizes, Says Microsoft

In chapter 8, I mention that Microsoft recommends ADMT for organizations of 1000 or fewer persons.  I passed that along because I'd heard it from Peter Houston, the former group product manager for Active Directory.  I never really agreed with the point of view, and have helped larger organizations migrate with ADMT, but felt that duty-bound to pass along Microsoft's recommendation.

I then got an e-mail from Andreas Luther, one of the Giant Brains in the Active Directory world at Microsoft.  Andreas has helped many firms move to AD and so I was happy to read that no such recommendation existed at the moment.  From MS's point of view one could migrate an enterprise of any size with Active Directory Migration Tool 2.0.  It's a bit rough-edged compared to some of the third-party migration tools from NetIQ, Quest, BindView or Aelita, but the price is right.

Modifying Intrasite Replication Intervals

I mention in the book that AD domain controllers replicate to their partners every five minutes and that you can't change the number.  Apparently you can, although I wouldn't recommend it.  Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters and change the REG_DWORD value "Replicator notify pause after modify (secs)" as you like.  Again, I wouldn't mess with it.  More info at KB 214678.

Logging Time Service Info

Page 571 says there's no way to get the Time Service to log errors and successes, but there is indeed a way, although it only works on 2003 and not XP or 2000.  Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config.  Create a new REG_DWORD named FileLogSize and fill it with the maximum size of the log in bytes -- you'd have to enter 20000000 for a 20 MB log.  Then tell it where to put the log with a fully specified file name in a new value entry "FileLogName" which should be REG_SZ.  An example entry might be "C:\logs\timelog.txt."  Finally, tell the Time Service how much detail you want with a third entry, FileLogEntries.  (This is another REG_SZ.)  Give it a numeric value between zero and 72.  Microsoft doesn't tell us exactly what each of these levels offer.

Chapter 9, User Accounts

Removing IPSec Policies Isn't Automatic

On page 737, Lisa tells us that removing a group policy object causes its effects to be un-done, and I'd have told you that too, with the exception of course of "unmanaged" administrative templates.  Michele Beveridge, however, tells me that IPSec policies need an extra step -- you must first unassign the policy before removing it, or the the IPSec policy will remain.

Chapter 10, Storage

There are No Setup Floppies

Page 872's sidebar "Should I use FAT on the system partition?" has a third paragraph that refers to a set of floppies that you can start 2003 Setup from.  Those floppies existed for 2000; they don't for 2003.  There is no Setup option in 2003 that starts from a boot floppy -- it's either RIS, files on the hard disk, or the CD-ROM.

More Details On Dynamic Disks

Page 837 -- the italicized sentence points out that you can't create dynamic disks on laptops.  (I've always wondered, "how would 2003 know?")  A reader points out that according to Microsoft, you also can't create dynamic volumes on cluster shared disks and "external" disks, whatever MS means by "external" disks.

Many, many thanks to Kevin Casper, David Martin, Sue Diefenderfer, Yuval Sinay, Tracy Ratz, Erik Rozman, Kim Robinson, rmilewsk at the Forum, Michele Beveridge and anyone who I missed.  Keep those comments coming in... and thanks so much for reading.

Conferences

I hope you'll join me for a seminar but if you can't attend a class then please consider attending another show:

Security Roadshow

Six cities this month -- see the earlier article.  Just a morning long and the price is right! 

TechMentor San Diego, September 2-6

101 Communications' semi-annual geekfest comes to San Diego in fall's waning days.  Join me when I keynote this great show featuring Windows Giant Brain Bill Boswell, Security Expert Nonpareil Roberta Bragg, Group Policy Expert Dude Jeremy Moskowitz and others.  It happens right around back-to-school time, so come on back to school with some of the industry's leading lights.  http://www.techmentorevents.com for more info.

Windows Magazine Live! November 2-6, Orlando

The magazine that I write for, Windows and .NET Magazine, holds its next Windows Magazine Live! conference in Orlando this November.  It's a jam-packed set of great talks by some great speakers including of the Microsoft tech world's foremost megacephaloids like Mark Russinovich, Intel's Sean Deuby, IIS Answer Man Brett Hill, Uberscripter Bob Wells and more great speakers all and really smart guys.  I'm also doing three talks, more details on that as the show gets closer.  Watch www.winconnections.com for more info on this show, coming to The Land Of The Mouse.

Bring Mark to your site to teach

I'm keeping busy doing Windows Server 2003/2000 and XP seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2000 and/or 2003 techies.  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, transportation, and other organizations that I've assisted, either take a peek at the course outline at www.minasi.com/2003outln.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between 9-5 Eastern time, weekdays, please).

Until Next Month...

Have a quiet and safe month.     

Please share this newsletter; I'd like very much to expand this periodical into a useful source of NT/2000/2003/XP information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 25,000 subscribers and I hope to use this to get information to every single Mastering 2003, XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take care.  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum

To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail, format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.  To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do NOT reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

All contents copyright 2003 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.