Global Catalog servers

What's a global catalog server? It's a domain controller w/ searchable information about Active Directory objects stored in other domains throughout a forest. I think that the first domain controller in a forest is automatically selected to be a GC. In a single-domain environment, you only need that first GC. In multi-site, multi-domain environments, you may need to appoint other DCs as GCs.

Microsoft's article gives a quick run-down on how to enable/disable a GC, a plain-English article on computerperformance.co.uk summarizes the role of a GC, and a particularly helpful TechNet article discusses GCs. If you log on w/ a UPN (email address), your workstation contacts the GC to find a DC to authenticate to.



Learned more about replication between sites - site cost, inter/intra site scheduling, and manually triggering a replication. Not very exciting.


Alternate UPN suffixes

Tonight's study included folder redirection (which I've implemented at a school) and password policies.

Learned how to set a different UPN (User Principal Name) suffix so that people can sign into their computers or OWA using their email address! After adding the alternate UPN, you can select multiple user accounts in ADUC & set their UPN all at once. For future AD installations I think I'll always use email addresses as sign-ons. This is really nice.
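The same two steps in PowerShell, as an added example rather than anything from the post: register the alternate suffix at the forest level (the "Alternative UPN suffixes" tab in AD Domains and Trusts) and then rewrite the UPN of every user in one OU. It needs the ActiveDirectory module from RSAT, which is newer than the 2003 servers above but performs the identical change; the suffix, OU and account names are placeholders. It also adds the one check the bulk-select trick in ADUC does not do for you: a UPN must be unique across the forest, so a user whose new UPN is already taken is skipped with a warning instead of silently breaking logon for two people.

```powershell
# Added example (not from the original post). Assumes RSAT's ActiveDirectory
# module; $Suffix and $TargetOU are placeholders for your own environment.
Import-Module ActiveDirectory

$Suffix   = 'example.com'                        # assumption: your mail domain
$TargetOU = 'OU=Staff,DC=corp,DC=example,DC=com' # assumption: OU whose users get the new UPN

# 1. Register the alternate suffix on the forest (idempotent).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
    Write-Host "Added UPN suffix $Suffix to forest $($forest.Name)"
}

# 2. Set each user's UPN to sAMAccountName@suffix, i.e. their mail-style sign-on.
Get-ADUser -Filter * -SearchBase $TargetOU -Properties UserPrincipalName |
    ForEach-Object {
        $newUpn = "$($_.SamAccountName)@$Suffix"
        if ($_.UserPrincipalName -eq $newUpn) { return }   # already converted

        # UPNs are forest-unique; a duplicate breaks logon for both accounts,
        # so refuse to create one rather than letting AD reject it later.
        $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'"
        if ($clash -and $clash.DistinguishedName -ne $_.DistinguishedName) {
            Write-Warning "Skipping $($_.SamAccountName): $newUpn already belongs to $($clash.SamAccountName)"
            return
        }

        Set-ADUser -Identity $_ -UserPrincipalName $newUpn
        Write-Host "Set UPN for $($_.SamAccountName) to $newUpn"
    }
```

Run it once with a test OU first; the suffix registration is forest-wide, but the UPN rewrite only touches the OU you point it at.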


Group policy, part 3

Watched the 200.1 video on gpoguy.com and have started skimming the FAQ on his site as well. Very helpful stuff. Here's what I learned from the video:

- Computer Config \ Admin Templates pertains to HKEY_Local_Machine
- User Config \ Admin Templates pertains to HKEY_Current_User

- Microsoft's policy templates (ADM files) can be "fully managed", that is, they are removed when the GPO is removed. On the other hand, "preferences" (from third-party developers) "tattoo" the registry, meaning they are not automatically removed when the policy is removed.

- You can have the group policy editor display ONLY configured policies.

I was troubleshooting GP application on a wireless desktop client today & disjoined/rejoined the domain, but could not get my group policy to be recognized. The event log said no domain controller could be found, so GP processing was aborted. I wonder if a wireless router between the client and domain controller is the culprit. Item #1 on GPOGuy's FAQ says that GP processing requires specific ports which are sometimes blocked by firewalls.


Group policy, part 2


RSoP can be easily accessed from within Active Directory to see what policies apply to a workstation/user. To immediately test a GPO, first run GPUPDATE on the domain controller, then run GPUPDATE on the workstation.

Software distribution via GPO:

You can install MSI packages via GPO by "assigning" them to computers (full install) or users (installed at first use). Assigned packages are installed during Windows startup, before the login screen is shown. You can also make MSI packages available in the Control Panel via GPO by "publishing" them to users. For a walk-through on how to do this, see Brien Posey's article. To create your own MSI, check out this list of installers. I should try out the free Advanced Installer.

To learn more...

http://www.gpoguy.com/ - news, free tools and training videos
http://www.gpanswers.com/ - message board w/ an emphasis on advanced concepts


Group policy, part 1

Learned more about group policy tonight:

- If user and computer policies conflict, the user policy takes precedence.
- Folder redirection in a GPO takes precedence over user profile settings in AD.

Many third parties offer extensions to group policy.

If you have a GPO w/ user settings that have to be applied no matter who is logging into a particular computer, you can use loopback processing.

An impressive tool for evaluating disk usage is TreeSize.

Drive letter conflicts

iTunes couldn't access a home user's iPod Shuffle. Windows assigned it the letter "E". No network drive letters were present. When I plugged in my own flash drive (also assigned the letter "E"), my files weren't shown. You know why? A batch file was running at startup & using the "subst" command to assign the letter "E" to a folder on the "C" drive!
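An added example (not from the post) of how to find this kind of conflict without guessing: it lists every SUBST mapping, every drive letter Windows reports in use and what kind of volume holds it, flags any letter that SUBST and a removable or network device both claim, and then looks for "subst" in the Run keys and in any .bat/.cmd file in the Startup folders, which is where the batch file in this story was hiding. It uses subst.exe and WMI rather than the newer Storage cmdlets so it works on XP/2003 as well as current Windows; it assumes PowerShell 3 or later.

```powershell
# Added example, not code from the original post. Assumes PowerShell 3+.

function Get-SubstMapping {
    # subst.exe with no arguments prints one line per mapping: "E:\: => C:\Data"
    subst.exe | ForEach-Object {
        if ($_ -match '^([A-Za-z]):\\: => (.+)$') {
            [PSCustomObject]@{ Letter = $Matches[1].ToUpper(); Kind = 'Subst'; Target = $Matches[2] }
        }
    }
}

function Get-DriveLetterReport {
    # Every letter Windows currently reports, with the kind of volume behind it.
    $kinds = @{ 2 = 'Removable'; 3 = 'Fixed'; 4 = 'Network'; 5 = 'CD-ROM' }
    $disks = @(Get-WmiObject -Class Win32_LogicalDisk | ForEach-Object {
        $t = [int]$_.DriveType
        [PSCustomObject]@{
            Letter = $_.DeviceID.TrimEnd(':')
            Kind   = if ($kinds.ContainsKey($t)) { $kinds[$t] } else { 'Other' }
            Target = $_.ProviderName
        }
    })
    $substs = @(Get-SubstMapping)

    # A SUBST letter that WMI also reports as removable or network is exactly
    # the iPod/flash-drive case: two things want the same letter.
    $conflicts = $substs | Where-Object {
        $letter = $_.Letter
        $disks | Where-Object { $_.Letter -eq $letter -and $_.Kind -in @('Removable', 'Network') }
    }

    [PSCustomObject]@{
        InUse     = ($disks + $substs) | Sort-Object Letter
        Conflicts = @($conflicts)
    }
}

function Find-StartupSubst {
    # Look for "subst" in the Run keys and in .bat/.cmd files in the Startup folders.
    $hits = @()
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip PSPath, PSProvider, ...
            if ("$($p.Value)" -match 'subst') { $hits += "$key\$($p.Name): $($p.Value)" }
            # A Run entry that launches a batch file: grep the batch file itself.
            if ("$($p.Value)" -match '^"?([^"]+\.(bat|cmd))"?' -and (Test-Path $Matches[1])) {
                $hits += Select-String -Path $Matches[1] -Pattern '\bsubst\b' |
                         ForEach-Object { "$($_.Path):$($_.LineNumber): $($_.Line.Trim())" }
            }
        }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if ($path -and (Test-Path $path)) {
            $hits += Get-ChildItem -Path $path -Include *.bat, *.cmd -Recurse |
                     Select-String -Pattern '\bsubst\b' |
                     ForEach-Object { "$($_.Path):$($_.LineNumber): $($_.Line.Trim())" }
        }
    }
    $hits
}

$report = Get-DriveLetterReport
$report.InUse | Format-Table -AutoSize
if ($report.Conflicts) {
    Write-Warning "Letter(s) claimed by both SUBST and a device: $($report.Conflicts.Letter -join ', ')"
}
Find-StartupSubst | ForEach-Object { Write-Warning "Startup SUBST found: $_" }
```

Run it as the user whose session shows the problem, since SUBST mappings and the HKCU Run key are per-session; the fix in the story (moving the mapping to a letter nothing else will claim, such as one late in the alphabet) is then a one-line change in the batch file it points you to.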



My first experience w/ troubleshooting a Vonage VoIP device! I reset the Vedders' wireless router this evening & knocked out their phone in the process. This was because their Linksys PAP2's IP was x.x.0.100 and the wireless router defaulted to x.x.1.1. Correcting the wireless router's IP fixed the problem!


Operation Masters

Tonight's study covered...

Domain and forest functional levels:
- 2000 mixed (compatible w/ NT 4.0)
- 2000 native (allows nested and universal security groups; SID history)
- 2003 (lets you rename a domain controller)

Operation Masters:
- RID (relative IDs, required for new objects)
- PDC (syncs domain passwords and clocks)
- Infrastructure (object moves/renames and group membership)
- Domain Naming Master (ensures unique domain names in a forest)
- Schema Master (maintains the schema for a forest)

If you have multiple DCs in a domain, your global catalog server should not be the infrastructure master as well (causes infrastructure replication problems).
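An added example, not from the post, that turns the rule above into a check you can run: it lists all five role holders and warns when the infrastructure master is also a global catalog. It also covers the one case the rule does not mention, which is well documented: if every DC in the domain is a GC, the infrastructure master has no cross-domain references to update, and the overlap is harmless. Assumes RSAT's ActiveDirectory module (2008 R2 or later).

```powershell
# Added example (not from the original post). Assumes RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Two roles are per forest, three are per domain.
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Which DCs in this domain hold a global catalog?
$dcs = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
$gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

$imIsGc   = $gcs.HostName -contains $domain.InfrastructureMaster
$allDcsGc = $gcs.Count -eq $dcs.Count

if ($dcs.Count -gt 1 -and $imIsGc -and -not $allDcsGc) {
    # The IM keeps cross-domain references (phantoms) current by comparing them
    # with the GC. A GC never holds phantoms, so an IM that is a GC finds nothing
    # to update and stale references accumulate.
    $msg = 'Infrastructure master {0} is a GC, but {1} of {2} DCs in {3} are not; cross-domain references will not be updated.' -f $domain.InfrastructureMaster, ($dcs.Count - $gcs.Count), $dcs.Count, $domain.DNSRoot
    Write-Warning $msg
    $candidates = $dcs | Where-Object { -not $_.IsGlobalCatalog } | Select-Object -ExpandProperty HostName
    Write-Host "Move the role with: Move-ADDirectoryServerOperationMasterRole -Identity <one of: $($candidates -join ', ')> -OperationMasterRole InfrastructureMaster"
}
elseif ($dcs.Count -gt 1 -and $imIsGc -and $allDcsGc) {
    Write-Host 'Infrastructure master is a GC, but so is every DC in the domain, so this is harmless.'
}
else {
    Write-Host 'Infrastructure master / global catalog placement is fine.'
}
```

Run it once per domain in a multi-domain forest; the infrastructure master is a per-domain role, so the check has to be repeated with a different `-Server` for each one.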

Active Directory Migration Tool:
- So cool. Lets you move users, groups, and computers from one domain to another.


RDP and NetDom

RDP w/ console access is really cool. You can use it from the command line: "mstsc /v:<server> /console". Of course your target PC must be enabled for remote connections and you can't use an account w/ a blank password. In fact, to connect to the console, you must log in w/ the same account that is logged on at the console. Once you connect, the user at the console has their screen locked for the duration of the RDP session. If the console user unlocks the screen, the RDP session is terminated.

Practiced renaming a domain controller with instructions from petri.co.il. The author said that it's undesirable, but didn't say why. Renaming a DC which also happens to be a certificate authority is a very bad idea (it invalidates your existing certificates and prevents new ones from being issued).

The steps:
- netdom computername <oldserverFQDN> /add:<newserverFQDN>
- netdom computername <oldserverFQDN> /makeprimary:<newserverFQDN>
- reboot
- netdom computername <newserverFQDN> /remove:<oldserverFQDN>
- I manually removed the old server name from DNS at this point.
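The same sequence as a two-phase script, added here as an example rather than taken from the post or from petri.co.il. It adds the checks worth having around the bare netdom calls: it refuses to start if Certificate Services is installed on the DC (the CA's name is baked into its own certificate and into the CRL/AIA URLs of every certificate it issued, which is why renaming a CA is such a bad idea), it stops on any non-zero netdom exit code, and after the reboot it runs "netdom computername /verify" and a DNS lookup before removing the old name. Run it on the DC being renamed as a Domain Admin; the two names are placeholders, and Resolve-DnsName needs Windows 8 / 2012 or later.

```powershell
# Added example (not from the original post). Phase 'Prepare' runs steps 1-2,
# then you reboot and run phase 'Finish' for step 3. Names are placeholders.
param(
    [string]$OldName = 'dc1.corp.example.com',     # assumption: current FQDN
    [string]$NewName = 'dc1new.corp.example.com',  # assumption: desired FQDN
    [ValidateSet('Prepare', 'Finish')][string]$Phase = 'Prepare'
)

function Invoke-Netdom([string[]]$NetdomArgs) {
    # netdom reports problems through its exit code; treat any non-zero as fatal.
    & netdom.exe @NetdomArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netdom $($NetdomArgs -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

if ($Phase -eq 'Prepare') {
    # A DC that is also a certificate authority must not be renamed.
    if (Get-Service -Name CertSvc -ErrorAction SilentlyContinue) {
        throw 'Certificate Services is installed on this server; do not rename it.'
    }
    # Step 1: register the new name as an alternate (creates DNS records and SPNs).
    Invoke-Netdom @('computername', $OldName, "/add:$NewName")
    # Step 2: make it the primary name; this only takes effect after a reboot.
    Invoke-Netdom @('computername', $OldName, "/makeprimary:$NewName")
    Write-Host "Reboot now, then re-run this script with -Phase Finish."
}
else {
    # After the reboot: confirm the new name's DNS/SPN entries and that it
    # actually resolves before the old name is dropped.
    Invoke-Netdom @('computername', $NewName, '/verify')
    if (-not (Resolve-DnsName -Name $NewName -ErrorAction SilentlyContinue)) {
        throw "$NewName does not resolve in DNS yet; wait for replication and retry."
    }
    # Step 3: remove the old name. As in the post, check DNS for leftover
    # records of the old name afterwards and delete them by hand.
    Invoke-Netdom @('computername', $NewName, "/remove:$OldName")
    Write-Host "Rename finished. Check DNS for stale records of $OldName."
}
```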


Groups and trusts

Learned the AGDLP/AGUDLP concept this evening. It layers a "role based" model on top of a "resource based" model and pays off in three areas: smaller ACLs on resources (better performance), easier management in multi-domain environments, and smaller token size. HOWEVER, in a single-domain environment it's OK to assign global groups to resources and put your users directly in those GGs.
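AGDLP end to end, as an added example that is not from the post: accounts (A) go into a global group that names the role (G), the global group goes into a domain local group that names one resource and one permission level (DL), and only the domain local group appears in the folder's ACL (P). The last part is a small audit that lists any ACE on the folder naming something other than a domain local group, which is how you spot the people who have been granted access directly. Assumes RSAT's ActiveDirectory module, that it runs on the file server, and that the group names, folder path and account names are placeholders.

```powershell
# Added example (not from the original post). Assumes RSAT's ActiveDirectory
# module and that the script runs on the file server that hosts $SharePath.
Import-Module ActiveDirectory

$RoleGroup     = 'Sales-Staff'            # G: who the people are (assumption)
$ResourceGroup = 'ACL-SalesShare-Modify'  # DL: what they may do, and where (assumption)
$SharePath     = 'D:\Shares\Sales'        # assumption: folder on this server
$Members       = @('alice', 'bob')        # assumption: sAMAccountNames

# A -> G: the global group holds accounts and nothing resource-specific.
if (-not (Get-ADGroup -Filter "Name -eq '$RoleGroup'")) {
    New-ADGroup -Name $RoleGroup -GroupScope Global -GroupCategory Security
}
$existing = @(Get-ADGroupMember -Identity $RoleGroup | Select-Object -ExpandProperty SamAccountName)
$toAdd = @($Members | Where-Object { $_ -notin $existing })
if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $RoleGroup -Members $toAdd }

# G -> DL: one domain local group per resource and permission level.
if (-not (Get-ADGroup -Filter "Name -eq '$ResourceGroup'")) {
    New-ADGroup -Name $ResourceGroup -GroupScope DomainLocal -GroupCategory Security
}
$dlMembers = @(Get-ADGroupMember -Identity $ResourceGroup | Select-Object -ExpandProperty SamAccountName)
if ($RoleGroup -notin $dlMembers) { Add-ADGroupMember -Identity $ResourceGroup -Members $RoleGroup }

# DL -> P: only the domain local group goes on the ACL. Role changes are then
# pure group-membership edits and never touch the file system.
$netbios = (Get-ADDomain).NetBIOSName
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\$ResourceGroup",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Audit: explicit ACEs that name anything other than a domain local group
# bypass the model (direct user grants, global groups on the resource).
(Get-Acl -Path $SharePath).Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        $name  = $_.IdentityReference.Value.Split('\')[-1]
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group -or $group.GroupScope -ne 'DomainLocal') {
            [PSCustomObject]@{ Identity = $_.IdentityReference; Rights = $_.FileSystemRights; Type = $_.AccessControlType }
        }
    } | Format-Table -AutoSize
```

The audit will list built-in principals such as SYSTEM and the local Administrators group too, which is expected; what you are looking for in its output is named users and global groups.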

Also started learning about how to set up a trust between domains & heard of the Active Directory Migration Tool. That's exciting. BTW, an intransitive trust is like only talking to your spouse; while a transitive trust lets you talk to the spouse's family and friends (other trusted domains).



Practiced an ASR (automated system recovery) backup/restore today. I learned that the HD that you restore onto must be as large as, or larger than, the original HD. The ASR backup file must also be stored on locally attached media (no network access is available when the file is needed). If your ASR backup set is on read-only media, you'll get an error message (hit cancel to continue).

Two free utilities that I've found useful are ISO Recorder and Folder2ISO.

I'm using Parallels Virtual Machine for this, but if you are working on a real server w/ no floppy disk drive, you can use the free (32-bit) Virtual Floppy Drive 2.1 to fool NTBackup.

Unfortunately, there doesn't seem to be a good way to schedule ASR backups - I have no idea why. However, a program called Firestreamer-RM ($60) claims to schedule ASR backups, auto-initialize tape media, and even email the results to you. The last two reasons are why my employer standardized on NovaBackup instead of NTBackup.

What's the difference between an ASR backup and a normal backup + system state? ASR seems to speed up the process because the restoration of your system is integrated right into Windows setup - instead of having to go through the whole Windows setup and then do a restore.

For future reference, this page has a nice overview of restoring an Exchange server.



Started learning about Active Directory and a container called LostAndFound. If one person modifies an object in an OU that has just been deleted, moved, or renamed by a second person - but not yet replicated to the first person's server - then the object gets moved to LostAndFound. Also learned a bit about tombstoning and garbage collection.


70-293 - Passed!

Hurray! I passed 70-293 this evening. Went to the testing center at Davenport University in Grand Rapids, MI. Very nice facility w/ comfortable chairs and LCD monitors - I plan to return there for my remaining exams.

My 70-293 had a few questions about DHCP, DNS, WINS, NLB, clustering, backup, routing, and security templates...and a lot of questions about certificates, IPSec, and RRAS.


NLB, DFS, 2nd Shot

Last night I was lying on the floor in my room, staring at the laptop screen, wondering why my eyes felt strained...it was because the brightness on my screen was turned way down. Protecting my eyes suddenly feels very important to me as they are starting to feel tired. From now on I will work in good lighting w/ a bright laptop screen. I'm non-committally contemplating a 22" LCD from Amazon for $230. However, I could replace my digital camera w/ a Canon SD1000 for $60 less than that.

Last night I learned about Network Load Balancing (NLB) which sounds like it's best for web servers and SQL databases. With "client affinity" enabled it can even maintain a session between a single client and a single server in the background (needed for databases). Clustering is only available in 2003 Enterprise ($800+ on eBay) and Datacenter editions. Clustering is more for high availability of changing network resources and requires a single point of storage that all the clustered servers can access. That point is called a quorum (probably a SAN or RAID setup).

Distributed File System (DFS) is used to organize file shares from multiple servers into a single point of access (e.g. a drive letter). It can also replicate data placed in one space into another geographical site (for faster access) or to a different server (for seamless failover/backup). It seems kind of clunky though and I have a hard time envisioning a really good use of DFS apart from fault tolerance for non-clustered file servers.

Registered for Microsoft's second shot offer (valid until January 30, 2008) which gives you one free retake on each $125 exam that you fail. I hope I don't need it!

Helpful thoughts on NLB unicast vs. multicast.

I read about Fibre Channel in Wikipedia & it sounds like it's a bus technology that is just a bit (25%) faster than SATA (and probably a lot more expensive). You would need 2-3x 1Gb NICs teamed together to completely harness the power of a single SATA drive.


Microsoft is only doing exams through ProMetric now, no longer w/ Pearson VUE.


Smart cards

This evening I learned about smart cards. www.usasmartcard.com offers reasonably priced cards, reader/writers, and even videos to help people get started. For some related humor, check out this posting.

There's no built-in way in Windows 2000/2003 to restrict concurrent domain logins. To address this problem, there's a free utility available from Microsoft and a commercial utility is available from Sonarware.