Mark Minasi's Windows Networking Tech Page Issue #40 May 2004
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
To change e-mail address, switch between HTML or text format, etc., link
to http://www.minasi.com/edit-newsletter-record.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp. Document
copyright 2004 Mark Minasi.
What's Inside
- News:
- XP audio seminar series now available!
- NEW SEMINAR: One-day security seminar comes to LA June 16,
then DC and NY
- Active Directory class comes to LA, DC, NY
- New group policy book on sale
- Tech Section
- Easing In-Place Upgrades: Everything You Need To Know About
NT4Emulator
- Conferences
- Bring a Seminar to Your Site
News
Hello all —
This month, I cover a much-misunderstood tool -- NT4Emulator.
It's a Registry setting that can make doing an in-place upgrade from an NT
4 domain to an AD domain much smoother. But it can be dangerous
without its nemesis, NeutralizeNT4Emulator; read all about it this
issue. But first a word from our sponsor...
XP Audio Seminar Series Now Available!
We've finally got it done. The entire two-day XP support seminar
(minus the tuning part, as I'm already selling that as a stand-alone CD
lecture) on seven audio CDs for $170, or just $99 if you've attended the
XP seminar (sorry, the offer's only for those who've attended the XP
seminar). Visit http://www.minasi.com/xpaudio
for more info.
NEW Seminar: Securing Your Windows Desktops and Servers
Doing a short talk on security at the Microsoft Security Roadshow has
been a lot of fun, but I wish I had a whole day to help attendees see how
to ward off security problems. So I'm initiating a new seminar
called "Securing Your Windows Desktops and Servers." It's built from
the two talks from the first two road shows and adds more. I find
that a lot of people have a general idea about what they should be doing
to secure their networks -- they've heard terms like SMB signing, null
session, secure channel, LM hash, and so on -- but haven't the time to
sift through the often-contradictory knowledge base articles and the
welter of group policy settings, Registry hacks, patches and the
like. In this course, we spend a long day -- 9 to 6 PM -- going
through what the big security issues mean and understanding the exact step
by step methods that you need to know to make your system more secure.
The first session happens at our LA week, on June 16. If you'd
like to find out more, please visit www.minasi.com/secoutln.htm.
"Running a 2003/2000-Based Active Directory" Runs in LA, DC,
NY
It seems that AD's finally gotten some momentum and people are past the
planning stages and into the rollout stage. But AD can be a fragile
flower if not built and maintained properly. Find out how to build,
implement, maintain, and repair Active Directory at "Running a
2003/2000-Based Active Directory;" information at www.minasi.com/2003outln.htm.
New Group Policy Book On Sale
Finally got your Active Directory running? Then it's time to reap
the benefits and use group policies to make your life easier. But
group policies can be a bit tricky, which is why I asked policy geek
Jeremy Moskowitz to revise his popular book on group policies to bring it
up to date with XP, 2003 and Group Policy Management Console. The
new edition, called Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows 2000, and Windows XP,
is available at Amazon, Bookpool and similar places. The book is
part of my Windows Administrator series and it's well worth picking up --
I find myself referring to it regularly and I suspect you will also.
Tech Section
Easing In-Place Upgrades: Everything You Need To Know About
NT4Emulator
The easiest way to upgrade your NT 4 domains to Active Directory
(whether 2000 or 2003-based) is an in-place upgrade. Just pop the
2000 Server or Server 2003 CD into your current NT 4 domain's primary
domain controller, sit back and let Setup do its thing. An in-place
upgrade isn't the best answer for everyone -- as Mastering Windows Server 2003 and Mastering
Windows 2000 Server explain, there are plenty of reasons not
to do an in-place upgrade and instead to do a clean and pristine AD
rollout -- but if in-place is right for you then you should know about
NT4Emulator. I've covered some of its use in the books but let me
first review that information and add a bit more advice.
Problems With In-Place Upgrades
If your NT 4-based domain has 2000, XP and/or 2003 members, then those
members are perfectly happy to be authenticated by any of your NT 4 domain
controllers. But if you upgrade just one of your NT 4 DCs to an
Active Directory-based domain controller (whether that DC is running 2000
or 2003), then things change, and not for the better. The next time
one of those 2000 or later members boots up, it sort of goes "sniff...
sniff... why, my heavens, there is a disturbance in the Force," and
will only authenticate with that Active Directory domain controller from
that point onward.
As far as the 2000, XP and 2003 member systems are concerned, they've been
eating peanut butter and now they've got the option of caviar. And given the choice, they'll take the sturgeon eggs over the crushed
goober peas any day.
The result is that the old NT 4 BDCs are ignored and the one AD domain
controller is overworked.
Keeping Clients From Overloading The DC
What to do about this? Well, you could just upgrade a whole
bushel of domain controllers all at roughly the same time. (Clearly
you should finish the upgrade of the first one before starting the
others.) Or you could do a Registry zap called NT4Emulator that
Microsoft introduced in Windows 2000 SP2.
To use it, first create a CD that contains Windows 2000's I386 folder
with SP2, SP3 or SP4 slipstreamed onto the I386. (I prefer SP4; some
don't trust it. It's a matter of taste. You can read about how
to slipstream either SP2, 3 or 4 in the books or look back at Newsletter #7.)
Next, edit the Registry of the NT 4 system that is your primary domain
controller. Navigate to HKEY_LOCAL_MACHINE \ SYSTEM \
CurrentControlSet \ Services \ Netlogon \ Parameters and create a new
REG_DWORD entry called NT4Emulator. Set NT4Emulator to 1 and you're
ready to do DCPROMO using the CD with the slipstreamed-with-SP2-or-later
I386 directory.
Let me stress that you must do the NT4Emulator setting before
you upgrade your first DC. If you don't, then any 2000 or later
systems that find and log onto that first DC will get "stuck" on
that DC, refusing to accept any other DC for authentication. You can
fix that by un-joining and re-joining the system to the domain, but it's a
pain.
NT4Emulator's Effect on New DCs
What exactly does NT4Emulator do? It tells your Active Directory
domain controller to not use Kerberos for logons, and instead to
use NTLMv2, NTLM, or LM, depending on whatever it negotiates with the
client. This has the benefit of not causing the "marriage
for life" effect that you get when a 2000 or later system discovers
an AD domain controller in a newly-upgraded NT 4 domain. (For some
reason the "marriage for life" effect doesn't happen when you've
got two or more AD DCs. NT4Emulator's still interesting in that
case, however, inasmuch as if you had 50 NT 4 DCs and a few thousand
2000/XP/2003-based members and you only upgraded two DCs to AD then you'd
have two very busy DCs.) You can see a side-effect of NT4Emulator by
looking at the "Computer Name" tab on the System Properties
page. (Right-click Manage Computer and choose "Properties"
to get to the page.) If you're using NT4Emulator then the domain
name will be the all-uppercase NetBIOS name. If not, you'll get the
DNS-like AD name.
NT4Emulator makes your transition smooth by buying you time to upgrade
enough DCs that you no longer have to worry about overloading your
AD-based DCs. There's
just one problem, however: you will not be able to add any new
domain controllers to the domain so long as your AD domain controller (or
controllers) have NT4Emulator enabled. "Hmmm...," I hear
you thinking. "So if NT4Emulator keeps me from adding any new
DCs to the domain, then how the blazes do I add DCs?"
Simple: you neutralize the effects of NT4Emulator with
NeutralizeNT4Emulator!
Understanding and Using NeutralizeNT4Emulator
Let's say that you want to add a domain controller to your
newly-upgraded-from-NT Active Directory domain. When it tries to log
onto the Active Directory with Kerberos -- which appears to be essential
in order to be added to the domain as a DC -- then the one existing AD
domain controller says "hey, I'd love to log you on with my native
authentication language Kerberos, pal, but I'm under this evil
NT4Emulator spell that renders me unable to do anything but NTLM and its
ilk." But if you have modified the Registry of the would-be new
DC with NeutralizeNT4Emulator, then the would-be new DC can say,
"aha, but I've got stronger magic!" and gives the DC the power
to authenticate the would-be DC with Kerberos. From that point on,
the new DC can be joined to the domain.
More concretely: suppose I've got one Active Directory DC on the
domain named DC1 and that it's got NT4Emulator=1. Suppose also that
I've got a Windows 2000 Server (2003 works as well) named DC2 that I want
to promote to be a domain controller in DC1's domain. To promote
DC2, just first go to DC2's Registry and navigate to HKEY_LOCAL_MACHINE \
SYSTEM \ CurrentControlSet \ Services \ Netlogon \ Parameters and add a
new REG_DWORD value entry called NeutralizeNT4Emulator and set it to
1. Reboot DC2. Run DCPROMO on DC2 and DC1 will welcome it with
open arms.
Once you've got a critical mass of Active Directory DCs in your
network, go to the Registries of your DCs and remove the NT4Emulator value
entry and you'll be ready to make full use of your Active Directory.
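Here is an added Python example (mine, not from the newsletter) that audits regedit exports of each DC's Netlogon key: it reports which DCs still carry NT4Emulator=1 and applies the promotion rule above to a would-be DC. It assumes the .reg exports have already been decoded to text; the two sample exports are constructed.

```python
import re

# Added example, not from the newsletter. Assumes each DC's Netlogon key was
# exported with regedit (File > Export) and the file decoded to text.
NETLOGON_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

# Constructed sample exports in REGEDIT4 format. DC1 is the upgraded PDC that
# still has NT4Emulator=1; DC2 is the server being prepared for DCPROMO.
SAMPLE_EXPORTS = {
    "DC1": r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"NT4Emulator"=dword:00000001
""",
    "DC2": r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"NeutralizeNT4Emulator"=dword:00000001
""",
}

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})\s*$')

def parse_netlogon_params(reg_text):
    """{name: int} for REG_DWORD values under the Netlogon Parameters key only."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if m := _SECTION.match(line):
            in_key = m.group(1).lower() == NETLOGON_KEY.lower()
        elif in_key and (m := _DWORD.match(line)):
            values[m.group(1)] = int(m.group(2), 16)
    return values

def dcs_still_emulating(exports):
    """DCs whose export shows NT4Emulator=1: still NTLM-only and still blocking
    DCPROMO of additional DCs, so they are due for cleanup."""
    return sorted(dc for dc, text in exports.items()
                  if parse_netlogon_params(text).get("NT4Emulator") == 1)

def candidate_ready(candidate_text, existing_exports):
    """The newsletter's rule: promotion works if no existing DC has NT4Emulator=1
    or if the candidate itself carries NeutralizeNT4Emulator=1."""
    if not dcs_still_emulating(existing_exports):
        return True
    return parse_netlogon_params(candidate_text).get("NeutralizeNT4Emulator") == 1
```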
My thanks to the readers who shared their experiences with me and
spurred me to find out more about this.
Conferences
Join me at one of these great shows.
User Group Talks in Charlotte, Denver and New York
Windows-oriented user groups in Charlotte, Denver and New York have
been kind enough to invite me to talk to their crowds in June.
Contact the North Carolina IT Pro User Group, the Rocky Mountain
Technology User Group, or the New York Enterprise User's Group and New
York LAN Association and come on down!
TechMentor San Jose, September 27-Oct 1
101 Communication's semi-annual geekfest comes to one of the true
Meccas for us geek types -- San Jose. Everything you ever needed to
know about getting your networks running and keeping them running from
some of the smartest people in the business... and me too. The
program's almost available at www.techmentorevents.com.
Windows Connections October 24-27, Orlando
The magazine that I write for, Windows and .NET Magazine (soon to be
renamed "Windows IT Pro Magazine"), holds its
next Windows Magazine Live! conference in The Land Of The Mouse this
October. It's a jam-packed set of great talks by some great speakers
including some of the Microsoft tech world's foremost megacephaloids like Mark
Russinovich, IIS Answer Man Brett Hill, Uberscripter Bob Wells, Steve
Riley and Mike Danseglio (imagine, they got all three of
Microsoft's best speakers) and more — great speakers all and really smart
guys. I'm also doing talks on XP's SP2, Software Update Services,
and XP goodies. Watch http://www.winconnections.com/ for more info on this show.
Bring Mark to your site to teach
I'm keeping busy doing Active Directory and Security seminars and writing,
but I've still got time to visit your firm. In just two days, I'll
make your current NT techies into 2000, XP, Active Directory and 2003
experts. (And better yet they won't have to sit through any
Redmondian propaganda.) To join the large educational,
pharmaceutical, agricultural, aerospace, utility, banking, government,
telecommunication, law enforcement, publishing, transportation, and other
organizations that I've assisted, either take a peek at the course
outlines at www.minasi.com/presentations.htm, mail our assistant
Jean Snead at Assistant@Minasi.com, or call her
at (757) 426-1431 (only between 11-5 Eastern time, weekdays, please).
Until Next Month...
Have a quiet and safe month.
Please share this newsletter; I'd like very much to expand this
periodical into a useful source of NT/2000/2003/XP information.
Please forward it to any associates who might find it helpful, and accept
my thanks. We are now at over 30,000 subscribers and I hope to use
this to get information to every single Mastering 2003, XP, NT and 2000
Server reader. Thanks for letting me visit with you, and take care.
Many, many thanks to the readers who have mailed me to offer suggestions,
errata, and those kind reviews. As always, I'm at http://www.minasi.com/gethelp and
please join us at the Forum with technical questions at www.minasi.com/forum.
All contents copyright 2004 Mark Minasi. You are encouraged to quote
this material, SO LONG as you include this entire document;
thanks.