88 High-Voltage Tips (continued...)

Become the network master of all your domains. This ultimate guide spells out new, smart ways to upgrade systems, set up services, monitor traffic, install applications and more— better, faster, cheaper.

Clean up FRS Staging Areas
One of the biggest headaches is cleaning up the staging areas where FRS files are stored, waiting for replication. Here’s how: Install Service Pack2 and the FRS post-SP2 hotfix Q307319. Stop the FRS service. The files in %windir%\sysvol\staging\domain and %windir%\sysvol\staging areas\ shouldn’t be more than about three hours old. If there are hundreds of megabytes of files and they’re several days old, you have a problem. Locate the DC with the files backed up in the staging areas. Determine its outbound replication partners. In the Sites and Services snap-in, locate the DC and look at the connection objects in NTDS Settings. They’ll show the “From Server” DCs. These are inbound connections. Locate each server object in the Sites and Services snap-in, find the connection object “From” the problem DC and delete it. This is the outbound connection From the problem DC. Once all the outbound connection objects are deleted from the problem DC, restart the FRS service. Be patient—the files should gradually disappear.
—Gary Olsen

Prevent Files from Backing up in the FRS Staging Areas
If files continually back up in large numbers (i.e. hundreds of megabytes) in the %windir%\sysvol\staging\domain and %windir%\sysvol\staging areas\ directories, it could be due to a program modifying the files and forcing a change order telling FRS to replicate them. The most common culprits are anti-virus programs and disk defragmenters. Apparently, a bug in Win2K forces a change order on a file when it’s scanned—even though the data isn’t changed. You should see entries in the FRS logs in %winnt%\debug for large numbers of files that all have the same or very close time stamps on a regular (perhaps hourly) basis. These changes are happening faster than FRS can replicate them. To fix it, clean up the staging areas (using the "Clean up FRS Staging Areas" tip above) and configure the anti-virus and defragmenter programs to avoid the %windir%\sysvol directory.
—Gary Olsen

More High Voltage Tips!

 Tips 1-15,
Plus 10 Tricks for Troubleshooting
Active Directory Replication

 Tips 26-40,
Plus 6 Tips on Exchange Transaction Log Management

 Tips 47-53,
Plus Tips 54-64 (Exclusively Online)

Troubleshoot that DC Communication Problem
There might be certain times that a client or server is having trouble communicating with a DC in your environment. There’s no way to know wherein which portion of the domain or DNS infrastructure the problem lies without further review, but here’s a little command that can help you determine if the DNS Service Resource Records (SRV Records) are incorrect. From the DCs, run the netdiag /fix command. This verifies the DNS entries in the netlogon.dns file with the DNS database and updates the appropriate entries if there’s a problem.
—Derek Melber

Manually Synchronize Active Directory DCs
If you’ve made a change to Active Directory and you want to propagate that change as rapidly as possible, you must force replication across every connection. This is tedious to do from a GUI tool such as AD Sites and Services or Replmon. The REPADMIN utility from the Support Tools can force synchronization with all replication partners and for all naming contexts. The syntax is repadmin /syncall . Be sure to use the fully qualified DNS name of the target DC. You can get a quick list of the DCs in a domain using NETDOM. The syntax is netdom query dc.
—Bill Boswell


Do Bulk User Adds
If you have to add dozens or hundreds of users at a time, you know how tedious it can be to use GUI-based tools like Active Directory Users and Computers. You can script this work, but scripts take a while to debug and are often difficult to pass between colleagues thanks to scant documentation. Because Active Directory is an LDAP directory service, it can import objects directly if they’re in LDAP Directory Interchange Format, or LDIF. Win2K comes with a utility called LDIFDE for doing this type of import and export. The problem with LDIF is that it deals with attributes in vertical fashion. For instance, here are a few lines from a sample LDIF dump of a user object:

objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
memberOf: CN= Group PolicyCreatorOwners,CN=Users,DC=company,DC=com

It’s much handier to deal with spreadsheets, and Win2K has a utility called CSVDE that does just that. It imports and exports comma-delimited files rather than LDIF files. To get an idea of what to put in the spreadsheet, build a sample user object with values for all the attributes you’d normally want to have for a new user. Export the contents of this object to a file using CSVDE then examine the contents using a spreadsheet editor like Excel. When you’re doing the CSVDE export, use the –m switch to eliminate SAM-specific information that can’t be re-imported.
—Bill Boswell

Clean Up Replication Connections
If you observe in Sites and Services snap-in that a DC has more than one connection from a single DC or that it’s not a GC, yet it has many connection objects (a non-GC DC should only have three at the most), they should be cleaned up. The Knowledge Consistency Checker (KCC) often creates temporary connections to route around trouble and doesn’t do a great job of always cleaning them up.

The solution: In the Sites and Services Snap-in, go to the problem server object and open the NTDS Settings object. In the right pane, select all the connection objects and delete them. You can wait for the KCC to regenerate them on its next cycle, or you can force it by right-clicking on the NTDS Settings object, go to All Tasks and select “Check Replication Topology.” This forces the KCC to regenerate the connection objects that it needs. It might take a while and you’ll have to refresh the snap-in to see them, but they will be created. If they never are created, replication is broken on this DC.
—Gary Olsen


Recover Your Original Default Domain Policy
Say you’ve modified the default domain policy many times, and you have a problem and want to get back to the original, but you didn’t save a copy. The policy is in a folder contained in the Sysvol directory. Since the default domain policy is created by the Win2K installation, the GUID of the GPO will be the same on every domain.

Promote a server to a new domain (test.local). This creates the default Default Domain Policy. Go to %windir%\sysvol\sysvol\test.local\policies\. Copy the folder {31B2F340-016D-11D2-945F-00C04FB984F9} to a place the real DC can get to it (will fit on a floppy). Don’t zip it or it won’t work. Delete the folder {31B2F340-016D-11D2-945F-00C04FB984F9} from a DC in the “live” domain. Then copy the folder {31B2F340-016D-11D2-945F-00C04FB984F9} you just created in the test.local domain into %windir%\sysvol\sysvol\test.local\policies\. Wait for replication to catch up with these changes. You now have a clean, original default domain policy.

Note: You can do the same thing with the Default Domain Policy, {6AC1786C-016F-11D2-945F-00C04Fb984f9}, since it’s created by the Win2K Install as well. This process won’t work with any other group policies.
—Gary Olsen

Creating A Multi-domain Organization-wide Distribution Group
If you’re in a multiple domain environment and need to create an organization-wide distribution group, such as “All Employees,” then do the following. First, implement a mail-enabled Universal Distribution Group (which can be done even if Win2K is in mixed mode). Second, create a mail-enabled Global Distribution Group in each domain in your forest. Third, in the Global Group’s properties, set each group’s expansion server to be a DC in its local domain. Finally, nest these Global Groups inside the mail-enabled Universal Distribution Group. The one big advantage of this model is that since the Universal Group’s membership is static, you’ll reduce Global Catalog Replication traffic. Why? Because every time a Universal Group’s membership changes, the entire group’s membership must be replicated to each Global Catalog server. By nesting Global Groups inside the Universal Group, you bypass this replication while still allowing for day-to-day changes to each Global Group’s membership.
—Bill English

Include At Least Two GC Servers in Each Site
When you create your Active Directory design, you already know to include at least two Global Catalog servers in each Win2K site. But there’s another reason for redundancy: the smooth running of Exchange. If there’s only one GC server in each Win2K site, then you have a single point of failure for GC lookups. Should such a failure occur, the DSAccess service on the Exchange 2000 Server will be forced to find a GC server in a remote Win2K site through an additional query to the DNS server. After a remote GC server is found, queries for address book lookups will be sent to that remote GC server, which, by definition of its being in a different site, will travel across slow and/or unreliable bandwidth. I’m guessing you won’t like this scenario. So, best practice is to have at least two GC servers per Win2K site so that if one server goes down, the other one can service address book lookup requests. By the way, the number of domains in the Win2K site doesn’t affect this best practice. For instance, if you have three domains represented in the same Win2K site, this best practice doesn’t change. Moreover, you won’t need to map at least one GC server per domain. The site boundaries matter in this scenario.
—Bill English


Flush the DNS Cache When Troubleshooting
Win2K incorporates negative query caching based on RFC 2308, “Negative Caching of DNS Queries (DNS NCACHE).” This means that if a client requests a record for server WWW in the zone, and the DNS server replies that it has no host record by that name, then the client will include the negative reply in its local name cache. You can see the contents of the name cache by entering ipconfig /displaydns. Here’s a sample listing of a negative query cache entry:
Name does not exist.

The negative reply stays in the cache for the time duration specified by the Start of Authority (SOA) record at the DNS server. For Windows DNS servers, the default cache interval is one hour. During this interval, even if the host record is entered in the DNS zone, the client will continue to return a negative reply to any applications using that host name.

Negative query caching can disrupt troubleshooting if you aren’t aware that it’s happening. You can clear the contents of the client’s DNS cache using the ipconfig command as follows:

ipconfig /flushdns

—Bill Boswell

Speed Up DNS Lookups for GC Servers
If you have multiple Win2K domains in a forest, you might have a situation where a DNS server for a site has only the SRV records for the local domain. This forces clients to do recursive searches of DNS looking for Service Locator (SRV) records for Global Catalog servers and other forest-wide resources. These recursive searches reach out across the WAN, causing performance problems for the clients. You could avoid this problem by putting a full secondary zone of each domain onto the DNS server in each site, but this might result in more zone transfer traffic than you want to incur. Instead, you can create a zone specifically for the forest-wide SRV records. This zone would be named _msdcs., for example:

Create this zone in the root domain of the forest then create a secondary of the zone on each DNS server. There aren’t many SRV records in this zone, and they don’t change often, so the zone transfer traffic is minimal.
—Bill Boswell


How to Run SysPrep Without Querying for the CD Key
The problem: The system administrator is using the System Preparation Tool (SysPrep) to set up Win2K machines, but he or she wants to remove the option in the mini-setup that queries for the CD key. The solution: If a SysPrep.inf file is used when running SysPrep.exe, only the dialogues omitted in the .INF file will be presented to the user. Run SetupMgr.exe from the Win2K Server Resource Kit to create a SysPrep.inf file, then modify SysPrep.inf with the product ID information. For example:

FullName=" Computer Center"

; skips prompting for product code

When the mini-setup wizard runs, the product ID information is provided automatically.
—Gary Marshall

Use Terminal Services for Testing
Often, we make setting changes on machines and then want to test the effects on a representative user. For example, suppose you’ve configured some new software deployment policies via a GPO that’s linked to your Marketing department OU. You could test the configuration by logging on under a test user on a different machine (or, you could log off the local machine and log on as the test user). However, a quicker and easier way to do this on a server that is running Terminal Services for remote administration is simply to open up a “remote” connection to the same machine. You’ll now have two users logged on to the same machine, and you can quickly and easily switch between the two to test the effects of your settings.
—Anil Desai

Control Admin Permissions on Terminal Services
As you probably know, a Win2K server has a Terminal Services feature that can be configured to give concurrent connection privileges to two administrators. The definition of “administrator,” in this case, is someone in the Administrator local group on the server. Win2K makes it possible to delegate administrative permissions at a server without giving them full Administrator rights. This makes it a nuisance to manage the server remotely. You can give non-Administrators permission to make a terminal service connection to a Win2K server by putting the user (or a group containing the user) on the permissions for the RDP (Remote Desktop Protocol) connection for the server. To do this, launch Terminal Services Configuration console for the server. Open the Properties window for the RDP-Tcp connection. Select the Permissions tab. Place the individual or group on the access list with User Access and Guest Access permissions.

In Windows .NET, you can accomplish the same thing by making the user a member of the Remote Desktop Users group, a new default group designed specifically to give terminal service access to non-Administrators.
—Bill Boswell


On SharePoints Sharing a Server
There are situations where it might be beneficial to install SharePoint Portal Server on a system with SharePoint Team Services. There are no restrictions on having both on the same system, but there are plenty of caveats. Even though some of the requirements of the two products are similar, there are some major differences. Team Services is designed to be used by small groups (less than 75) working on documents on a single Web site. Portal Server is designed for large corporations with 75-plus users with multiple Web sites and data stores. Other differences include memory and disk space requirements, Web site customizations, storage systems, document management, and licensing. If you have Team Services installed, and you wish to install Portal Server on that system, you must remove Team Services before installing Portal Server. You must also remove a registry key. You’ll also lose some of the functionality of Portal Server by installing Team Services after Portal Server is installed. The loss of functionality relates to Web discussions, subscriptions, and the backup process. To learn more, visit
—Michael Keter

Give SharePoint Portal Server Its Own Place
Exchange 2000 Server and SharePoint Portal Server don’t belong on the same server. Period. Such a configuration isn’t supported, and while it may appear to work out of the box, the first time you need support, you’ll find yourself out in the cold. Have you been thinking about implementing SharePoint Portal Server in your environment? If so, then plan on installing SPS on a separate physical server and leave your Exchange 2000 Server alone.
—Bill English

Assign More Than One SMTP Address To A Mailbox
If you want to have more than one SMTP address assigned to each mailbox in your organization, either create a new Recipient Policy or modify the default Recipient Policy to include the new address. For instance, if your domain name is, and you need to receive mail at this address plus, then modify the Recipient Policy for your Exchange organization. To do this, open the Recipient Policy container in the Exchange System Manager snap-in, then open the E-mail Addresses tab, click on New, select the e-mail address type and enter the desired address. Be sure to click Apply or OK and then select the address’ check box in the E-Mail Addresses tab. Select Yes when prompted if you want this address to be propagated immediately around your organization.
—Bill English

 Tip Contributors

Bill Boswell, MCSE, is an instructor, consultant and author specializing in Windows networking topics. He’s the author of Inside Windows 2000 Server and the upcoming Inside Windows.NET Server, both from New Riders. You can contact Bill at [email protected].

Chris Brooke, MCSE+Internet, is a contributing editor for MCP Magazine and product and technology editor for ComponentSource, an online component market place for professional developers and technical decision-makers. He’s been a practicing tech head for more than 14 years, specializing in development, integration services, and network/Internet administration. You can contact Chris at [email protected].

J. Peter Bruzzese, MCSE, MCT, CCNA, has been in the IT training and support fields for eight years, working with companies like Goldman Sachs & Co., Solomon Smith Barney, CommVault Systems and New Horizons. He has written several books for Coriolis Press revolving around MCSE certification, including the Directory Services Exam Cram. He’s also written for Sybex, recently completing Windows 2000: Enterprise Storage Solutions.

Anil Desai, MCSE, MCSD, MCDBA, is an independent consultant working in Austin, Texas. He specializes in systems and server management and is the author of several technical books, including Windows 2000 Directory Services Administration Exam Guide (Sybex) and SQL Server 2000 Backup and Recovery (McGraw-Hill/Osborne Media). Reach him at [email protected].

Bill English, MCSE, MCT, CTT, is an author, trainer, and consultant specializing in network security and the Microsoft Exchange and SharePoint platforms. He owns Networknowledge, ( a consulting and training business, and has co-authored four books on Exchange 2000 Server, including The Exchange 2000 Server Administrator’s Companion (Microsoft Press) and Exchange 2000 Server: The Complete Reference (McGraw-Hill/Osborne Media). He’s currently working on a new book from Addison Wesley on SharePoint Portal Server 2001.

Michael Keter, MCP, works with the Windows Enterprise Team for Compaq Global Services.

Ann Lovell, MCSE, Compaq ASE, CNE, is a Support Specialist in Compaq's Windows Enterprise Team. She has supported Compaq and Digital hardware and software for 21 years.

John MacGown, MCSE+I, Master CNE, A+, ASE, is a consultant at Compaq's Customer Support Center in Colorado Springs. He’s been supporting Windows NT since 1994.

Gary Marshall, MCSE, MCSE+Internet, Compaq ACT, has been working for Compaq since 1996 in the Customer Support Center in Colorado Springs, Colorado. He’s a technical account manager in the Business Critical Organization providing support to premier customers.

Dan McLeod, MCSE, MCSD, MCDBA, is a software specialist who has been working in Compaq Technical Support for two decades.

Derek Melber, MCSE, MCP + I, A+, is a co-founder of Brainshare ( has 10 years of experience in training, speaking, sales, IS management, network administration, computer programming, and technology solutions development. He specializes in management, solution development, network optimization, and troubleshooting of Windows NT 4.0 Server and Workstation, Windows 2000 Server and Professional, Windows 95/98,  Microsoft Internet Information Server, and TCP/IP. Reach him at [email protected].

Gary Olsen, MCSE, is currently a consultant with Compaq Global Services, Customer Support Center, which provides customer support for Windows NT, Win2K and all Microsoft products. He also consults with Compaq customers on Active Directory design and deployment. He’s the author of Windows 2000: Active Directory Design and Deployment (New Riders) and a frequent speaker at MCP TechMentor events. Contact him at [email protected].

Charles Oppermann is founder and president of Copper Software, a software engineering and design firm specializing in directory services, user interface design and training.. Formally, a program manager at Microsoft, Charles retired in late 1999 after working on several products, including Windows 95, Internet Explorer, Windows 2000 and Exchange 2000 Server. At Microsoft he specialized in creating adaptive and accessible user interfaces for people with disabilities and was the program manager and co-inventor of the Microsoft Active Accessibility technology for which he hold two patents. Contact him at [email protected].

Frank Steinberger, MCSE, MCP+I, MCT, is a server/support engineer with Compaq at the North America Customer Support Center. He specializes in Microsoft Clusters for NT 4.0, Windows 2000 AS and Datacenter.

Larry Weber, MCP, is currently attending Colorado Technical University and nearing graduation with a master’s degree in Science in Management Information Technology.

The Two Versions of Exchange 2000 Server
There are two versions of Exchange 2000 Server: Standard and Enterprise. The Standard version only allows for one mailbox store and up to 19 public stores per server. This version is best suited for the small office that doesn’t have a compelling reason to place users in different mailbox stores, for the installation of a dedicated public folder server, or for an SMTP relay server that won’t be hosting any mailboxes or public folders. When used as a public folder server, replicas of public folders can be load balanced across multiple databases; if a single database goes down or becomes corrupt, it doesn’t bring down all the public folder trees and their public folders, but only the ones hosted in that public store. The Enterprise version allows you to create any combination of mailbox and public stores you need on a single, physical server. Hence, if you need 18 mailbox stores and two public stores, the Enterprise version allows you to do this. In addition, the Enterprise version provides several additional features that don’t ship with the Standard version, including front-end/back-end services, an unlimited mailbox store (the standard version is limited to 16GB), support for Cluster Server and chat services. If you want to do data, voice and video conferencing, you’ll need to purchase Conferencing Server, a separate application altogether.
—Bill English

Is SMTP Really Working?
If you don’t know whether the SMTP service on one of your Exchange 2000 Servers is really working, you can use Telnet to check it out. Here’s what to do: Open a command prompt and enter the following sequence of commands:

Set local_echo
Open 25
(assuming you get a positive response…) ehlo
mail from: [email protected]
rcpt to: [email protected]
This is a test from myself to myself
. (Yes, type a single period on this line ".")

Then, go check your inbox in Outlook. If the mail is there, you’ll know that SMTP is working properly. If it isn’t, then you’ve got some troubleshooting to do. First, if you weren’t able to open a connection to port 25 on the Exchange 2000 Server, then ensure that the SMTP service is started. Second, if you could open the connection but were unable to send e-mail, then stop the anti-virus services on your Exchange 2000 Server. If this fixes the problem, then contact your anti-virus vendor. If it doesn’t fix the problem, then you may have a problem that may require support from Microsoft’s Product Support Services. One other thing to check is to ensure that your routing group connections are in the UP state and that the sending and target mailboxes are in databases that are mounted.
—Bill English

Moving User Mailboxes Without Error
There may be times when you’ll need to move a user’s mailbox from one Exchange 2000 Server to another. In most cases, the Move Mailbox command in the Exchange Tasks Wizard will work just fine. However, in some instances, you may encounter a MAPI error message saying that the server was unable to connect to the mailbox. The confusing part will be that the user can open his or her mailbox using the Outlook client and perform all the functions he or she is accustomed to performing. Should this scenario arise in your environment, turn off the anti-virus services before attempting to move the mailbox. Some anti-virus products interfere with execution of the Move Mailbox command. After turning off anti-virus protection on the source server, you should be able to move the mailbox without difficulty.
—Bill English

Smaller is Better in Exchange
Exchange Server 5.5 had one huge database for the Private Information Store. To back up the store meant backing up the entire database (unless you used third-party backup agents). With Exchange 2000 you can create additional storage groups with multiple stores to manipulate your mailboxes and public folders in such a way so as to distribute your information across multiple databases. This makes it easier to back up and restore your e-mail. For example, rather than having 500 mailboxes as part of one database, you can break them into individual groups of 100. The backup and restore processes would only handle 100 at a time, making it quicker in the case of a recovery issue.
—Peter Bruzzese

Meeting Schedules in Outlook
When your users attempt to schedule a New Meeting in Outlook, they may find that they can see calendar information for some users but not for others. If this is the case, ensure that you’re replicating the Schedule+ Free Busy system public folder to all your Exchange 2000 Servers. To find this folder, right-click on the default public folder tree and select System Folders. Then, open the properties of the Schedule+ Free Busy public folder and replicate it fully around your Exchange organization. Ensure that this replication schedule is applied to any subfolders that exist beneath this folder. Allow time for replication to occur. This should solve your problem.
—Bill English

Avoid Piling On a New .NET DC
When you upgrade an NT PDC to Win2K or Windows .NET, all the existing Win2K and XP clients in the domain will perform their next authentication at that DC. This is done by design so that all modern desktops will get group policies. Unfortunately, if you’ve already rolled out 10,000 desktops into your NT domain, the PDC is going to get very busy on the day after the upgrade.

Win2K SP2 and Windows .NET include a feature that permits the newly upgraded server to continue to pretend to be a classic NT DC. This feature requires a special Registry entry:

Key:   HKLM | System | CurrentControlSet
       | Services | Netlogon | Parameters.
Value: NT4Emulator
Data:  1 (REG_DWORD)

It’s important that you enter this Registry entry prior to upgrading the NT DC. Once you have sufficient Win2K DC in strategic locations to handle the onslaught, set the NT4Emulator entry to 0 on all DCs.

While the NT4Emulator entry is in effect, if you want to manage a Win2K DC from a Win2K or XP workstation, you must make the following Registry entry:

Key:   HKLM | System | CurrentControlSet
       | Services | Netlogon | Parameters.
Value: NeutralizeNT4Emulator
Data:  1 (REG_DWORD)

This permits the client to perform a Kerberos authentication, which is required to use LDAP tools such as Active Directory Users and Computers and Active Directory Sites and Services.
—Bill Boswell

About the Author

Got a tip you want to share with fellow IT pros?


comments powered by Disqus

Subscribe on YouTube