Mark Minasi's Windows Networking Tech Page
Issue #58 November 2006

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. To change e-mail address or other info, link to http://www.minasi.com/edit-newsletter-record.htm.  Visit the Archives at http://www.minasi.com/archive.htm.  Please do not reply to this mail; for comments, please link to www.minasi.com/gethelp.  Document copyright 2006 Mark Minasi.

What's Inside

  • News
    • New Two-Day Seminar "Supporting Vista" Comes to DC, NY, Dallas, Seattle in a Few Weeks
    • Spring Vista Sessions in Atlanta, San Jose, Philadelphia, Chicago
  • Tech Section
    • Vista RTMs, We'll See it Soon
    • Vista Setup for BitLocker
    • How to Modify HOSTS on a Vista System
    • Letting Vista Respond to Pings
  • Conferences
  • Bring a Seminar to Your Site

News

Hi all --

Well, the 25 October RTM of Vista didn't happen, but the 8 November RTM did, which means that we'll all be living with Vista in a while.  But I've found that there are a few Vista questions that come up over and over... things I call "Vysteries."  In this newsletter, I'll cover these Vista problems and solutions in the hopes of making your early Vista exploration easier.  But, first, a word from our sponsor...

New Two-Day Seminar "Supporting Vista" Comes to DC, NY, Dallas, Seattle in a Few Weeks

My two-day "Supporting Vista" seminar is coming to the New York area (Mahwah, actually, I got yelled at about that last time), Dallas, Seattle, and then the DC area (near Dulles).  In two days of lecture and demonstrations, I'll show you how installing, configuring, managing, securing and troubleshooting Vista is different from doing the same things for XP... and you'll learn all that without falling asleep.

You can see a course outline for the new Vista class at www.minasi.com/vista/vsupport.htm and you can find the links to sign up for Mahwah (November 30/December 1), Dallas (December 4-5), Seattle (December 7-8), or DC (December 11-12).  Even if you're not planning on rolling out Vista any time soon, come to this seminar to find out about the pains and gains of Vista!  (I mean, it's a great time to go to a seminar, nothing happens in the office between Thanksgiving and New Year's, right?)

Next Year's Seminars:  Vista in Atlanta and San Jose in February, Philadelphia and Chicago in March

Some folks have asked about our spring schedule, so here's what we've got so far:  we've scheduled classes in Atlanta and San Jose the first week of February, and classes in Philadelphia and Chicago the first week in March.  I hope one of those cities is convenient and that we'll see a lot of you folks!

Tech Section

This month, we attack some questions about making Vista work that I've been asked at least a few times.  But first a bit of news:

Vista RTMs, We'll See it Soon

Last Wednesday, Microsoft released about three dozen -- okay, small exaggeration -- versions of Windows Vista to manufacturing.  Finally.

What's that mean?  Well, I wrote about that a couple of weeks ago in my newsletter at www.minasi.com/newsletters/nws0610a.htm, and I invite you to give that a peek to read what I thought were the biggest strengths and weaknesses of Vista.  Overall, it's a good OS that is more secure in many ways but that offers a number of challenges -- in other words, it's about the same as previous Windowses.

So should you run out and buy it today?  Well, you can't.  "Release to manufacturing" or "RTM" just means that Microsoft has essentially created one "golden DVD" containing the seven or eight versions of Vista.  It then gives that DVD to some firm that creates a bazillion copies of that DVD and creates as many cardboard boxes to contain those DVDs on store shelves.  The process of copying DVDs, boxing them, shipping them and selling them usually takes about two months, so in fact we probably wouldn't be able to actually buy a copy of Vista from, say, Amazon and receive it before the end of January.

Large companies already have a copy of that DVD, so some non-Microsoft folks have been playing with it for a week.  When will the rest of us see it?  Again, anybody will be able to get it by late January.  Or if you've got access to MSDN on Microsoft's site, then you can probably get ahold of the ISO image of that golden DVD by this Friday.  With that, you can burn your own DVD and install it on a test machine or two.  If you have the time, then give Vista a try... if for no other reason than that while your company may not move to Vista before 2008, you can be sure that many of your users will move to Vista earlier than that.  (And don't you hate having a user explain some Vista thing to you!<g>)

Meanwhile, here's a few of the most common things that seem to annoy new Vista users.

Vista Setup for BitLocker

I really like Vista Ultimate's BitLocker feature.  BitLocker's a pretty neat way to set up a laptop with a C: drive that's entirely encrypted and, even better, in my experience the cryptographic overhead isn't all that bad performance-wise.

The thing that drives people crazy about BitLocker, however, is the odd setup that it requires in order to work.  Despite being called "BitLocker Drive Encryption," BitLocker actually encrypts just the C: volume, and can't work unless your system's first hard disk is chopped up into two partitions.  One partition must be 1.5 GB in size, and it contains some basic boot code.  You can use the rest of the drive for C:.  To make BitLocker work, then, your system's first hard disk must be arranged so that

  • One partition is 1.5 GB in size and is marked "active," and
  • One other partition is at least 16 GB in size, and Vista is installed to that partition.

This requirement presents two problems.  First, no one seems to know about it, and so people just set up their laptop's entire disk as C: and install Vista.  Then, once Vista's installed, they want to turn on BitLocker... only to find that it refuses to install because of the lack of the 1.5 GB partition.  Second, even if you do know beforehand about the 1.5 GB partition requirement, there isn't any way in Vista's Setup GUI that would let you create a 1.5 GB partition and mark it active.

As is so often the case, however, there's an answer... the command line.

Installing BitLocker on a clean system:

1) Boot Vista install disk.

2) When you get to the screen that says Windows Vista / Install Now, click "Repair Your Computer."

3) In the subsequent dialog, choose "Command Prompt"

4) From command prompt, do this:

diskpart
select disk 0
clean
create partition primary
assign letter=c
shrink minimum=1500
create partition primary
active
assign letter=p
exit
format c: /y /q /fs:NTFS
format p: /y /q /fs:NTFS
exit

5) Once out of the command prompt, press ESC to return to the "Install Now" screen.

6) Install Vista as usual.  When Vista asks which partition to install Windows to, direct it to C:.

At that point you'll have a copy of Vista that works fine either with or without BitLocker, and that lets you add BitLocker whenever you'd like.  Notice also that command "shrink minimum=1500."  This is a neat diskpart command that actually lets you shrink an existing partition.  The documentation says it only works on basic disks, and I've not tried it on a dynamic disk, so I can't comment, but in any case it's a pretty neat feature, given that I used to have to buy a moderately expensive third-party utility to resize a partition without losing data.
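As an added example (not part of the original newsletter), this Windows PowerShell function checks whether disk 0 already has the layout described above before you try to turn on BitLocker. The function name, the sample partitions and the 1400 MB slack threshold are assumptions; the WMI class Win32_DiskPartition and its Size and BootPartition properties are standard.

```powershell
# Added example, not the newsletter's code. Checks the layout the article
# describes: exactly one active partition of about 1.5 GB, plus one other
# partition of at least 16 GB for Vista.
function Test-BitLockerLayout {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Partition,
        # Assumption: "shrink minimum=1500" yields about 1500 MB, so allow
        # some slack below that figure for partition alignment.
        [long] $MinBootBytes = 1400MB,
        [long] $MinOsBytes   = 16GB
    )
    $active = @($Partition | Where-Object { $_.BootPartition })
    $os     = @($Partition | Where-Object {
                  -not $_.BootPartition -and $_.Size -ge $MinOsBytes })
    $problems = @()
    if ($active.Count -ne 1) {
        $problems += "expected one active partition, found $($active.Count)"
    } elseif ($active[0].Size -lt $MinBootBytes) {
        $mb = [math]::Round($active[0].Size / 1MB)
        $problems += "active partition is only $mb MB, need about 1500 MB"
    }
    if ($os.Count -eq 0) {
        $problems += "no separate (non-active) partition of 16 GB or more"
    }
    New-Object PSObject -Property @{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample data shaped like Win32_DiskPartition objects.
function New-SamplePartition($Name, $Size, $Active) {
    New-Object PSObject -Property @{
        Name = $Name; Size = $Size; BootPartition = $Active }
}
# Whole 80 GB disk set up as a single active C: (the common mistake).
$wholeDisk = @(New-SamplePartition 'Disk #0, Partition #0' (80GB) $true)
# Layout produced by the diskpart steps above.
$split = @(
    (New-SamplePartition 'Disk #0, Partition #0' (80GB - 1500MB) $false),
    (New-SamplePartition 'Disk #0, Partition #1' (1500MB) $true)
)
Test-BitLockerLayout -Partition $wholeDisk   # reports the missing partition
Test-BitLockerLayout -Partition $split       # reports Ready = True

# On a live system (Windows PowerShell):
# Test-BitLockerLayout -Partition (Get-WmiObject Win32_DiskPartition -Filter 'DiskIndex = 0')
```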

Having dealt with that BitLocker annoyance, though, I should explain a BitLocker annoyance that I can't fix (or understand) -- you need either Vista Ultimate or Enterprise to use BitLocker.  It's kind of sad to consider that as far as Vista's concerned, security is clearly a profit center.

How to Modify HOSTS on a Vista System

A few months ago, a friend beta testing Vista asked if I'd figured out how to modify Vista's HOSTS file.  I figured it out because I'd been playing with Vista's very new and different default security settings, and since then I've been asked the question a number of times, so I include this tip here.

The HOSTS file is in the same place that it's always been in Windows:  \windows\system32\drivers\etc.  But that directory has a different set of NTFS permissions than Windows has ever seen, as by default administrators can't delete files, nor do they own those files.  You can give yourself enough control of HOSTS to modify it by first taking ownership of it, then granting yourself full control to HOSTS.  That's most easily done from an elevated command prompt. 

(Note:  an "elevated command prompt" means that you right-click the Command Prompt icon and choose "Run as administrator," and then click "Confirm" when you get the User Account Control prompt.)

From the elevated command prompt, type these two lines:

takeown /f c:\windows\system32\drivers\etc\hosts
icacls c:\windows\system32\drivers\etc\hosts /grant yourusername:f

Those are two new Vista command-line tools.  The first lets you take ownership of a file or folder, as its name suggests.  That line that you typed is the simplest form of takeown:  just add a "/f" and the name of the file or folder to take ownership of.  (Takeown even lets you take ownership of things on remote systems, which can be convenient.)  The second command lets you adjust NTFS permissions and file/folder integrity levels -- it's intended to be the replacement for cacls, which has been around since NT 3.1, and its syntax closely mirrors cacls's.  In that command, I'm using the /grant option to allow me to give the account "yourusername" full control; that's what the "F" stands for.
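The two commands above leave your account as owner of HOSTS with full control, so the file stays writable by anything running as you. As an added example (not from the original newsletter), this Windows PowerShell script wraps the same two commands so that the original owner and permissions are put back once the edit is done; the helper name and the backup file location are assumptions, and it relies on icacls's /save, /restore and /setowner options.

```powershell
# Added example, not the newsletter's code. Run from an elevated
# Windows PowerShell prompt.
$hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$etcDir  = Split-Path $hosts -Parent
$aclFile = Join-Path $env:TEMP 'hosts-acl.bak'   # hypothetical backup location

# Hypothetical helper: run a native command and stop on a non-zero exit code.
function Invoke-Checked {
    param([string] $Exe, [string[]] $Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Record the original owner and permissions before changing anything.
#    (icacls /save stores the DACL only, so the owner is captured separately.)
$originalOwner = (Get-Acl $hosts).Owner
Invoke-Checked icacls $hosts, '/save', $aclFile

try {
    # 2. The two commands from the article, with the current user filled in.
    Invoke-Checked takeown '/f', $hosts
    Invoke-Checked icacls $hosts, '/grant', "${env:USERNAME}:F"

    # 3. Edit the file; the script waits until Notepad is closed.
    Start-Process notepad.exe -ArgumentList $hosts -Wait
}
finally {
    # 4. Hand ownership back first, while the temporary full-control grant
    #    is still in place, then restore the saved permissions. /restore
    #    takes the directory that contains the file named in the backup.
    Invoke-Checked icacls $hosts, '/setowner', $originalOwner
    Invoke-Checked icacls $etcDir, '/restore', $aclFile

    # 5. Show the resulting permissions so the rollback can be confirmed.
    icacls $hosts
}
```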

Letting Vista Respond to Pings

Like XP SP2, Vista includes Windows Firewall, and Vista enables that firewall by default.  The firewall's defaults do not include responding to pings, something that irritates me immensely.  Worse yet, XP SP2's GUI included a way to allow ping responses, but for some reason Microsoft removed that part of the GUI from Vista's firewall.  How, then, to let a Vista box respond to pings without disabling the entire firewall?

Simple:  use the command line.  Open an elevated command prompt and type

netsh firewall set icmpsetting 8 enable

Or, alternatively, you can use the Windows Firewall group policy settings, which are basically identical to Windows Firewall settings.  (Remember that you can learn Windows Firewall a-to-z from my free download of the Windows Firewall chapter of the 2003 Upgrade book at http://www.minasi.com/sp1r2book.)  Vista's firewall additionally has another, more powerful group policy interface as well, but the standard group policy one will do for this simple exception.

Bring Mark to your site to teach

I'm keeping busy doing Vista seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into Vista, security, XP, Active Directory or 2003 experts.  (And better yet they won't have to sit through any Redmondian propaganda.)  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, military and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between noon-5 Eastern time, weekdays, please).

Until Next Month...

Have a quiet and safe month. 

Please share this newsletter; I hope that it is a useful source of NT/2000/2003/XP information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 40,000 subscribers and I hope to use this to get information to every single Mastering 2003, XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take care.  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum


All contents copyright 2006 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.