Rhebus Networks' Home Page

 

Things You Pay for:-

Things for Free:-

Rent a server at your premises to run your network
High-quality support to keep your network running smoothly
Can't get into your server, PC or data file? We'll get you the password!
You only pay if you've actually received some help
Sites blocked? Poor performance? Email not working?
For new network installations and upgrades
The time to upgrade your NT network is now
Here's our Windows Networking expert
Plenty of real-world advice and help
Free advice is beyond value

Also on this Website:

See our policy for keeping confidential any personal information you give us
See a map of how all the pages on this website are related
Some of our favourite websites

 

 

Other Things We Do:-

Reliable, convenient Spam-free Email Systems
Email optimised for Mobile Devices
Make sure large email attachments make it through to your clients
Get all your PCs up to scratch
Active Directory design
Repair your server by remote control
Fix problems with PCs by remote control
Install your whole network by remote control
Get your Windows Server up to scratch
Design and implement a data backup system

Email or call us to discuss any of the above

EMAIL: info@rhebus.com

PHONE: 07876 616685

FAX: 0870 0940102

 
Our office address is:-

33 Marley Fields,

Leighton Buzzard,

Bedfordshire,

LU7 4WH

 
You might catch us on Instant Messaging at:-

AIM:

rhebushelp

MSN:

helpdesk@rhebus.com

Yahoo:

rhebushelp

Comments about this website, good or bad, are always appreciated: webmaster@rhebus.com

ICQ:

230710786

 

 

 

The inner ringed area is our local area where we don't charge any travel expenses for full days.

 

The outer ringed area is our Extended Area where
we charge an extra £50/day.

 

Further afield there is a distance-related charge.

 

Services via the Telephone, email, Instant Messaging and Remote Control are available worldwide.

South-Central England

 

This website was last updated on Thursday, January 26th 2006

 



There are 8 million stories in Network City - these are just a few of them...

 

Technical Advice Section

Recommendations & advice, plus some Windows 2000/XP/2003 wisdom - all from a UK perspective.

Main Index

Some General Advice on Office Networking
Lists: 11 Tips To Avoid Problems & Stay Productive With Your Office PC
9 Ways To Be A Good Citizen On The Office Network
10 Ways Computers can cause you Actual Physical Harm
Some Tips & Traps to Avoid
Some Tricky Windows 2000/XP Problems & their Solutions
How to get a Professional-Looking Company-Wide Email System -  Simply & Cheaply
The Specifications of a Windows Server Computer - Suitable for a Small Business
The Causes of Computer & Network Problems & How to go about Solving them
Upgrading Your Network From NT to 2003 - some Frequently Asked Questions
A Checklist of Tasks for a Typical Windows NT to 2003 Domain Upgrade
Microsoft Exchange/Outlook 2000/2003 Tips and Tricks Page
Why is Windows Server 2003 better than Windows Server 2000?
Which IP address range should you choose for your internal network?
How to set up a DHCP server
The IDE Drive is Dead - Long Live the SATA Drive
Thin Client Computing: What's it all About? Why it's so good for Remote Access & How to get it for Free!
Mobile Computing Tips for Overseas Travellers
SCSI versus IDE Hard Disks - Which One Should You Buy?
How to Choose the Right Networking Cable
My Notebook - a pot pourri of tips, information and Internet resources
Computer-related Reference Information

Some General Advice on Office Networking

Q1 Why do I need an office network?

Q2 What server operating system should I use? Is Windows 2000 a safe choice?

Q3 What Microsoft operating system should I use on my PCs?

Q4 How should I connect to the Internet?

Q5 What's the minimum PC hardware specification I should have?

Q6 Why is a server computer so much more expensive than an ordinary PC?

Q7 Should I use Wireless Networking Equipment?

Q8 Why on earth would I want an Intranet?

 

Q1 Why do I need an office network?
When you see how much of a financial drain computers are on your organisation, as well as the frustration they cause when things go wrong, you might well ask this question. The original reason why office networks got started was to share one expensive laser printer among a dozen or so users. This required a dedicated computer that no one used and which was left turned on all the time - a server. Users could then store their files on the server's hard disk and so facilitate sharing company documents and giving a single central location from which to make back-ups. A File and Print server continues to be a key element of modern networks.

Today we have email, web-based information services, company databases, telecommuting, connecting to the office while away on business trips, e-commerce, wireless networks, mobile phones/PDAs, branch offices to inter-connect plus a much greater concern for security. A modern office network requires external connections, especially to the Internet, and perhaps extra servers for running "network applications" such as email and databases. As an organisation comes to rely, more and more, on its computer network in order to carry out its core business activities, it needs it to be fast and reliable with built-in redundancy against equipment failure.

   

This of course necessitates frequent injections of capital and access to skills and knowledge that are becoming ever more specialised and hard to find.

Would you really want to go back to the good old days when a fax machine and a few typewriters would do?

 

Hey, you've found some!

Back To Questions

 

Q2 What server operating system should I use?
You will still find plenty of networks with servers running Novell Netware, Windows NT4 and versions of Unix from the likes of IBM and Sun. Windows 2000 has been around for over 4 years and at present there is usually no good reason to upgrade an existing 2000 network to 2003. At around 18 months since its release, there has now been enough experience with Windows Server 2003 to make it the obvious choice for new installations.

Click here for a guide to the differences between Windows Server 2000 and 2003

Support for Linux, the communally owned and developed version of Unix, continues to increase. Its obvious advantage is that Linux is free, but the few £1000 you save in the purchase price over Microsoft server products could easily be offset by increased support costs. Companies see the logic that if all their desktops are running Windows then it makes sense to have a Windows server. Also, it's the desktop software that costs all the money with, say, 30 copies of Office and XP so, until Linux makes it onto business workstations, it won't be a serious threat to the Windows server market. The majority of the Internet's servers, however, currently use Unix and an increasing proportion of these are Linux.

 

My recommendation is to choose Windows Server 2003 for all new installations. If you have around 10 users it may be more economic to buy it in the guise of Small Business Server 2003.

Here's a good rule of thumb in these matters:-

If you install the latest operating system, chances are you'll go the longest time before having to spend money on another upgrade.

The next version of Windows Server, currently called Longhorn Server, isn't due to be released until 2007.

   
Back To Questions

 

Q3 What Microsoft operating system should I use on my PCs?
Windows 98SE (Second Edition)

You shouldn't consider anything earlier than this version of Windows, released in 1999, which is able to deal with most modern hardware and has fixed many of the earlier Windows 95 shortcomings. One of its annoying features is its inability to shut down properly on many systems. This version of Windows still has a large following among those who are happy with a computer that works and are able to resist the urge to have the latest software and the fastest hardware.

Windows ME

Microsoft was pressured into releasing this in September 2000 by large PC retailers who wanted an updated version of the familiar Windows 98 instead of the radically different Windows 2000 which had come out earlier that year. One new feature I liked was the System Restore facility where, if you get into trouble installing programs etc, you can tell it to go back to exactly how it was a few days ago and 10 minutes later it has. All configuration and program changes have gone and files that you put in the Recycle Bin (which you emptied!) have magically returned. Any new data you had created since the restore point is left alone.

Windows XP has an improved version of System Restore.

Windows ME has not been well liked, sometimes referred to as the black sheep of the Windows family, and the release of Windows XP made it largely irrelevant.

Windows NT Workstation

This has no inbuilt support for USB or FAT32 file systems (there are some third party solutions out there for these shortcomings) and it hasn't got plug&play hardware management. It has stronger security than 98 and ME.

 

If you have any Windows 98, Windows ME or Windows NT4 machines on your business network, you should consider replacing them with new machines running XP Pro whenever your budget allows because, chances are, the hardware they are running on is nearing the end of its life.

Windows 2000 Professional

This was released in February 2000 along with the Windows 2000 Server operating systems and is a direct replacement for Windows NT Workstation. I used Windows 2000 Professional as my main system for a year (until I upgraded to Windows XP Professional) and I loved its refusal to crash whatever I would do to it. It has a disk filing system called NTFS which is good at preventing the hard disk becoming corrupted even if the power is turned off abruptly. It's stricter about which hardware it will work with and needs to have the hardware and drivers set up correctly. I haven't come across any software it wouldn't run although I suspect many old DOS-based games will have problems.

Windows XP Professional

This was released on October 25th 2001. Did we need a new operating system? Well, surprisingly, 20 months had elapsed since the release of Windows 2000 so perhaps, according to Microsoft's usual timetable, we did. Windows XP is a relatively minor, if flashy, evolutionary step on from Windows 2000. Most programs and drivers that work with 2000 will work with XP and if you turn off the new desktop design changes by selecting "Windows Classic" it looks pretty much as Windows has looked since 1998. It has all the advantages of Windows 2000 but with a better knowledge of modern hardware and some added features such as an improved System Restore and Remote Desktop. The most notable thing about Windows XP is a feature that Microsoft has added for its own benefit - not ours - called Windows Product Activation (WPA). This is an anti-piracy measure where, if you don't register with Microsoft within 30 days of installing XP, it will stop working. The XP activation code you're given is tied to the hardware of the PC on which it's installed so it can't be cloned to other PCs. This has the side effect that if you make certain hardware changes to your PC then XP will insist on being re-activated. Most new PCs are supplied with XP already activated and locked to the machine's BIOS, enabling you to make unlimited hardware changes without affecting the activation status. It's difficult to criticise Microsoft over this new policy without sounding as though you approve of software piracy but to the honest user it's an unwanted complication. If you're lucky enough to get a corporate version of Windows XP this doesn't have WPA and installs happily with just the usual serial number to enter.

Windows XP Home Edition

For simplicity and efficiency Microsoft has been striving to have all versions of a particular Windows product based on the same set of programming code and it has achieved this with Windows XP. The Home Edition of XP is cheaper than the Professional version but otherwise differs only in the parameters used when compiling the programming code. These parameter differences turn off many of the features of the Professional version (not Product Activation!) and with the number of features that are missing in the Home Edition I would expect many home users to choose to buy the Professional Edition, and it's unlikely that the Home Edition would be suitable for business use. For example, the Home Edition can't participate in any office networks with Domain Controllers.

For a side-by-side comparison chart of XP Home versus XP Professional click here.

Windows XP Service Pack 2 was released during August 2004 and improves security against viruses and other threats from the Internet. The full version is a 266mb download from the Microsoft website.

Longhorn

This is the codename for the next version of Windows for workstation PCs.

Its current release date is in 2006.

 

My Recommendations

You will find that new PCs only come with Windows XP and so the only choice is between the Home and Professional versions. If you want to upgrade a PC to XP then the minimum recommended hardware specification is a 450MHz Pentium with 128mb RAM. If you want to run Windows XP on lower specification hardware than this see my tip further down this page.

 

If you do a lot of reinstalling of the operating system then Windows 2000, without Windows Product Activation, may be more practical.

 

For existing PCs there's no need to upgrade Windows 2000 Professional to Windows XP - just make sure you've applied the Service Pack 4 and Windows Update is set to automatically check for critical updates.

If you still have Windows 98SE, ME and NT Workstation PCs, and are happy with them, perhaps you can put up with them for another year but holding on for Longhorn before replacing them is probably going to be too long.

   
Back To Questions

 

Q4 How should I connect to the Internet?
If a network has several users sharing a single Internet connection then a dial-up modem over a normal telephone line won't be satisfactory and is only useful as a backup way to keep email flowing when the main connection has failed.

The alternatives available depend on your location. 

ISDN is available almost everywhere and connects in a few seconds. You are charged for each minute the line is connected, plus a quarterly line rental, and ISDN operates at 64kbps or 128kbps if you use both channels (at double the cost). Most ISPs have an unmetered ISDN option known as FRIACO (Flat Rate Internet Access Call Origination) where you pay between £15 and £30 a month (per ISDN channel) for unlimited connection time. You still also have to pay the quarterly line rental.

The unmetered ISDN option is safer because if an ISDN router is not set up carefully it can be triggered to make unnecessary Internet calls by local network broadcasts - one school recently found that its ISDN router had been doing this all through the summer holidays!

FRIACO is only available for Internet connections and not office-to-office links which is a good reason to use a VPN for this.

 

If you've had a new phone line installed especially for ADSL then specify a modem in your server and use this line as a backup Internet connection.

Some ISPs include dial-up access in their ADSL package.

ADSL is available in most of the UK and can cost under £20/month for a permanent connection at 512kbps incoming and 256kbps outgoing with no monthly data limit. In April 2005 the number of Broadband connections, mainly ADSL, in the UK reached 5,000,000. This is my recommended connection method for networks with under 100 users. I'd advise fitting your server with an internal PCI card ADSL modem, available from www.dslsource.co.uk for around £40, instead of using an external USB modem, as these tend to be less reliable. One reason is that the current drawn from the USB port by the modem can exceed the port limit and cause the USB port to shut down.

For home use I'd recommend a wireless ADSL router/modem which costs around £110.

ADSL is now available from many more suppliers than just BT and some, Demon for instance, assign you a fixed IP address as standard which is useful for running your own mailserver, VPNs and other forms of remote access.

ADSL download speeds of 1 and 2 mbps are available for business connections.

BT recently dropped its requirement for you to be within a certain distance of a telephone exchange to be able to have ADSL broadband. The only requirement now is that your exchange has been ADSL enabled which I guess, before too long, they will all be.

CABLE BROADBAND is available from the UK's 2 main cable operators, NTL and Telewest, and gives similar connection speeds to ADSL. The cable operators say that their networks are now complete so if the pavement running past your premises hasn't already been dug up to lay their cable then you're out of luck. Otherwise compare the deals available with Cable and ADSL.

LEASED LINES were the traditional method of providing a permanent connection to the Internet before Broadband was available but they cost a fortune in the UK. 64kbps leased lines start at £4,000 per year and 2mbps start at £15,000 per year in central London rising to over £20,000 elsewhere.  A 2mbps Internet connection would certainly be a luxury but you'd need 100s of users or a requirement to host your own website to justify it.

The price of leased lines has recently started to fall due to the spread of Broadband so a 2mbps Internet connection in London can now be had for under £10,000/year.

SATELLITE LINKS are available anywhere in the UK including all the places ADSL and cable don't reach - which is still quite a large part of the area of the UK. Some schemes are one-way only, using the dish for downloading and uploading over the telephone line, while others both transmit and receive using the satellite.

I'd recommend the 2-way satellite option which allows an upload speed of 128kbps and download speeds of between 512kbps and 1mbps. The biggest headache is getting the dish mounted on your building (this may require permission from your landlord or local council) and cabling it to your network rack. Expect this to cost between £2000 and £3000. The monthly fee is then £100 for the 512kbps option and £200 for 1mbps. Most schemes require you to sign a 12 month contract. There are government subsidies available for businesses in some locations to help with these costs.

The Satellite Internet access market is relatively new in the UK but if this is your only Broadband option it could well be worth it. If your satellite ISP goes bust, or a better one comes along, it's very likely your dish, cabling and even the position the dish is pointing in the sky will work with another ISP. Here are 3 links to companies currently offering satellite Internet access:

BTOpenworld

Orbit Research

Smile Broadband

With a satellite link, the signal travels nearly 50,000 miles as it bounces off a geostationary satellite in orbit above the equator, usually over Africa, and this introduces a ⅓ of a second round-trip delay in both the send and receive paths. This delay might be "fatal" when playing Quake 3 against Internet opponents, and video-conferencing and IP telephony might also be troublesome. Setting up each TCP/IP connection across the Internet can require half a dozen control messages being sent back and forth, making web-browsing a bit jerky. With a local web-cache and mailserver, for normal business use the satellite system's propagation delays are not a problem.

MIDBAND is a new service from BT that's faster than modems but slower than broadband. It operates over the existing ISDN infrastructure requiring no modifications to existing telephone exchanges so in theory it's available to anyone with a BT landline.

It was rumoured that Midband would take advantage of the little-used ISDN D-channel to provide an "always on" 9.6kbps connection just for email traffic to use and then one or both of the B-channels would connect in response to any other type of Internet traffic to provide upload and download speeds of up to 128kbps. However the current offering from BT disappointingly doesn't use the D-channel feature and the pricing structure discourages it from being used as an "always on" system.

Midband costs £78.99 as a one-off installation fee where a BT Digital Access Box is installed at your premises. It's then £35/month which includes 150hrs of  B-channel connection time - when you have both B-channels connected your connection allowance is used up twice as fast. You can check your remaining connection allowance with an online meter and when the 150hrs is exhausted you're charged per minute.

You can use one of the B-channels to make regular phone calls, temporarily reducing your Internet bandwidth to 64kbps.

Now that ADSL is more widely available, Midband is largely irrelevant.

There are more details at http://www.bt.com/btmidband/

MESH RADIO is being trialled in various larger towns and cities. This uses radio broadcasts in the 5 gigahertz range and requires a dome-shaped motorised antenna array to be mounted on your roof.

Mesh Radio pilot schemes conducted in 2002 were not a great success.

BROADBAND OVER POWER CABLES

Yes, that other "local loop" that's already connected to your premises, the mains cables, is being developed as a means of providing Internet access. 2mbps upload and download speeds (SDSL) are proposed for Power Cable Broadband, which may be because it suits the transmission medium or as a marketing device to differentiate it from other broadband suppliers.

ROAMING WIRELESS NETWORK is not a practical Internet connection method for business networks but is worth mentioning because of its usefulness to people travelling with Laptops. BT are in the process of installing wireless networks, connected to the Internet via ADSL, in public places such as airports, railway stations, hotels and city centres, often operating from the top of their public telephone boxes. There are many already in operation and if you have a valid subscription (£55/month) and a wireless networking card in your laptop you will automatically connect to the Internet whenever you come in range. So, for instance, if you're on a train journey you can check your email each time the train stops at a station. This is seen as a rival to the proposed 3G mobile phone network so BT can expect some opposition.

A similar wireless Internet access system currently operates in some Starbucks coffee shops in the US.

 

The government has promised that ADSL will be available everywhere in the UK by 2008.

Back To Questions

 

Q5 What's the minimum hardware specification for PCs?
The various Microsoft operating systems each have an official minimum hardware specification they require before they'll install. Windows 98SE needs at least 16mb of RAM, Windows ME needs 32mb of RAM, Windows 2000 needs 64mb of RAM and a 133MHz Pentium processor, while XP needs 64mb of RAM and a 233MHz Pentium II. However, if you want a pleasant computing experience instead of "swimming through treacle" I'd recommend a minimum of 64mb of RAM and a 233MHz Pentium for Windows 98SE and ME, 128mb of RAM and a 450MHz Pentium for Windows 2000 and double that for Windows XP. A 4gb hard drive is also a minimum for these operating systems to allow additional business software to be installed. Any new PC sold today will have a hardware specification far in advance of these minimums so they're only relevant when considering upgrading the operating system of existing PCs. Upgrading to Windows XP is the most problematic as software drivers may not be available for hardware items more than 3 years old, making replacement of the item the only option - video cards and scanners are likely candidates for such problems.

 

Back To Questions

 

Q6 Why is a server computer so much more expensive than an ordinary PC?
Servers can provide services for 100s or 1000s of PC users and so must have the resources to do this: large, fast hard drives, loads of memory, several CPUs, and often multiple fast network connections.

If they stop working many users will be affected and so servers have built-in redundancy which allows individual components to fail without affecting the overall operation.  In cases where a server failure can't be tolerated, several identical computers are linked together into a "cluster" which allows an individual computer to fail totally while the cluster continues operating as normal.

Important company data is kept on servers and is often "mirrored" across multiple hard disks to ensure its security.
Servers have battery backup devices to filter out mains spikes and voltage fluctuations, to allow them to ride over short power cuts and finally to close the network down gracefully as the batteries become discharged during a prolonged power outage.
The software installed on a server can also cost as much as the server hardware itself. Each workstation needs a licence to connect to a server - called a Client Access Licence (CAL) - and these licences are usually purchased along with the server software, adding to its price.
Back To Questions

 

Q7 Should I use Wireless Networking Equipment?
Wireless Networking has become very popular over the last few years as the equipment to install one is easily affordable at around £80 for an access point and £30 per PC adaptor. Wireless Networking is therefore set to replace conventional cabled networks completely in the near future - or so its proponents would have us believe. I don't think so but I may well be proved wrong. Mobile phones use a similar technology and have already exceeded the number of landline phones in Finland and could soon do so in the UK.
Wireless Networking is certainly useful when:-
  It's very difficult or expensive to run cables - such as between buildings separated by a public street. (Wireless Networks work well within a 100ft range and, with a good aerial, can operate up to 300ft or more.)
  A network installation or extension is only needed for a few weeks or months.
  You have laptop users who want to roam around the office while remaining connected to the network and Internet.
Wireless Networking is not without its problems:-
  The maximum speed of Wireless networking devices is 56mbps (many only operate at 11mbps or 22mbps) compared with cabled networks that usually operate at 100mbps with 1000mbps gradually becoming the norm. A Wireless Network's bandwidth is shared between all the PCs accessing it at any one time while, when using network switches, cabled networks allow full-bandwidth point-to-point connections between any two computers.
  You can't get a simpler, more reliable connection than copper wires. Wireless Networks are inherently more complicated and subject to interference and poor reception problems. The frequency range used by wireless networking, 2.4 gigahertz, is used by many other devices such as cordless phones.
  Wireless Network security is usually poor and hackers can access your network from the street outside or a neighbouring building. There are supposed to be special chalk marks on buildings around London indicating that you are in range of a Wireless Network.

Although the Wireless Networking standard specifies an encryption system called WEP (Wired Equivalent Privacy) the system has design flaws that allow people with the right equipment and knowledge to defeat this in under 10 minutes. It's a good idea to keep all your Wireless Networked devices on a separate branch of your network well away from valuable network resources and have strong security on the router that connects this branch to the rest of your network.

Wireless networks are becoming more secure as a subset of a new Wireless Networking security standard called Wi-Fi Protected Access (WPA) or 802.11i is gradually replacing WEP.

WPA is what WEP should have been: an effective and reliable way of keeping Wi-Fi networks secure.

Wireless Networking companies are therefore working to overcome all of Wi-Fi's drawbacks but, for the moment, my recommendations are to use copper cables whenever possible and don't use Wireless Networking as the lazy way to get desktop PCs connected to your network. Also, when using Wireless Networking equipment, be aware of the security risks and take the appropriate precautions.
Back To Questions

 

Q8 Why on earth would I want an Intranet?
For an easily accessible, up-to-date source of company news and information that is accessed using a web browser - a free piece of software that requires the minimum of skill to operate.
A jumping off point to commonly used Internet websites.
The server software to provide an Intranet comes built-in to Windows 2000 and 2003.
For show-off value. Click Here to see a simple example.
Back To Questions

 

Back to the main advice section

 

Some Tips & Traps to Avoid

  1 - Tip: A Common Logon Script for Workstations with Different Versions of Windows

  2 - Trap: NT Domain Upgrade

  3 - Tip: Make a Windows 2000/XP/2003 Boot Floppy Disk for your Toolkit

  4 - Trap: The Global Catalogue Server

  5 - Tip: Suppress Unwanted Print Confirmation Messages

  6 - Trap: ATX Power Supplies

  7 - Tip: "Slipstream" your Windows 2000 Installation CD with the Latest Service Pack

  8 - Trap: Don't Get Caught Out with Negative DNS Caching

  9 - Tip: Some Universal Solutions to all Windows 2000/XP Problems

10 - Trap: An NE2000 Compatible ISA non-PNP Network Card Won't Install Under Windows XP/2003

11 - Tip: Disable Unnecessary Background Service in Windows XP to get a Performance Boost

12 - Trap: Using Packet Filters to Block Specific IP Traffic

13 - Tip: If You Love Your Printers - Set Them Free!

14 - Trap: Floppy Disk, Formatted with Windows 2000, gives Alarming Boot Message

15 - Tip: Increase the Number of Simultaneous File Downloads Allowed with Internet Explorer

16 - Trap: The Event Viewer has Spam in it!

17 - Tip: Keep Your ADSL Circuit Permanently Connected and Functioning

18 - Trap: Emails Sent to AOL Addresses Never Arrive

19 - Tip: Use Terminal Server to Disable Faulty Video Drivers

20 - Trap: Windows Server 2003: Server Message Blocks (SMBs) are Encrypted by Default

21 - Tip: Stop Viruses and other "Pushy" Programs Giving Themselves Startup Privileges

22 - Trap: Problem copying Windows user profiles

23 - Tip: Assign an Existing User Profile to a different User Account

24 - Trap: Don't install Terminal Server in Windows Server 2003 if all you want is Remote Administration

25 - Tip: Do a System State Backup on your PC  - Right Now!

26 - Set Important Services to Restart on Failure

 

Back to the main advice section

 

1 - Tip: A Logon Script for Workstations with Different Versions of Windows
If you have a mixture of operating systems on your network's workstations, ranging from Windows 98 to Windows XP, then the location of the system folder will vary, as will the way some commands work. It would be nice if they could all use the same logon script. Here is an example of a script that will work for both Windows 98 and Windows XP:
 
@echo off
rem Windows 2000/XP/2003 keep their registry hives in system32\config; Windows 98 has no such folder
if exist c:\windows\system32\config\*.* goto WINXP
rem Windows 98: net.exe lives in c:\windows and /yes answers any confirmation prompt
c:\windows\net use l: \\bigserver\archives$ /yes
goto END
:WINXP
rem Windows XP: net.exe lives in c:\windows\system32 and /persistent:no stops the mapping being remembered
c:\windows\system32\net use l: \\bigserver\archives$ /yes /persistent:no
:END
rem Commands common to every version of Windows live in a second script on the netlogon share
call \\bigserver\netlogon\common.bat
The above maps an L: drive to a hidden server share.
Back to the tips & traps section

 

 

2 - Trap: NT Domain Upgrade
You can change a Windows 2000/2003 member server into a Domain Controller and vice versa without having to re-install the operating system - a useful improvement over Windows NT. However, if you are in the process of upgrading your NT domain to Windows 2003 and you buy a new computer to be the Domain Controller, you might think the correct sequence of events is:-

1 - Install Windows Server 2003 on the new computer,
2 - Join the NT Domain,
3 - Install Active Directory on the new server,
4 - Take over the NT Domain from the PDC.

This doesn't work - step 3 (dcpromo) creates a brand new Windows 2003 Active Directory domain, and the old NT domain's users, groups and computer accounts are not in it.

The correct sequence is:-

1 - Install Windows NT Server on the new computer as a BDC,
2 - Promote the new server to the PDC,
3 - Install Windows 2003 on the new server as an upgrade.

The upgrade converts the PDC's SAM database into Active Directory, which is what carries the accounts across. If you don't like the sound of this, some alternatives are discussed here.

Back to the tips & traps section

 

 

3 - Tip: Make a Windows 2000/XP/2003 Boot Floppy Disk for your Toolkit
It takes at least 4 floppy disks to boot Windows 2000/XP/2003 Setup into command line mode, so how can a single floppy boot it to normal GUI mode? In old mainframe talk it's really a boot-strap loader - it just takes care of the first few booting processes before handing over to an existing Windows 2000/XP/2003 installation on the hard disk. A boot-strap disk is useful when a previously-working Windows 2000/XP/2003 PC fails to boot because of a boot sector problem, or a hard disk restored from a disk image file just won't boot. It works with both FAT32 and NTFS boot partitions.

To make such a disk, format a floppy in Windows Explorer on a working Windows 2000 Professional or 2000 Server PC. Then copy the files boot.ini, ntldr and ntdetect.com from c:\ to a:\. It's as simple as that - except that these are hidden system files, so either turn on "Show hidden files and folders" in Explorer's Folder Options or copy them from a Command Prompt with xcopy /h. If you have an XP or 2003 machine to hand, take ntldr and ntdetect.com from that instead: a newer ntldr will boot older installations but an older one will not necessarily boot newer ones. For it to work on another PC the ARC path in boot.ini must be correct for that computer (the most common ARC path is multi(0)disk(0)rdisk(0)partition(1)\WINDOWS), but in cases where it's different half a dozen guesses will probably hit the correct one. Also, if the installation wasn't in C:\WINDOWS (C:\WINNT for 2000) it could get tricky. If you're having trouble, you'll need to find a way to view boot.ini on the hard drive to obtain the correct ARC path.

You can download an EXE file which, when run, makes a boot-strap disk that will work with all NT, 2000, XP and 2003 machines here (791 kbytes).

Booting your servers from a floppy on a permanent basis doesn't look very professional, however a boot-strap floppy can buy you enough time to solve the underlying problem.

Back to the tips & traps section

 

 

4 - Trap: The Global Catalogue Server
Every Windows 2000 forest must have a Global Catalogue server. It isn't one of the Flexible Single Master Operation roles, but like them it's given by default to the first Domain Controller installed in the forest. The Global Catalogue server has a partial copy of the Active Directory information for all the domains in the forest and facilitates searching and browsing across the whole network. "So what? My network consists of a single domain." The "So what?" is that, once the domain is in native mode, a Domain Controller needs to consult a Global Catalogue during every logon to find out which universal groups the user belongs to, so if it's not working users can't log on to the domain. Outrageous! Members of Domain Admins can still log on. So to avoid normal users being locked out when you have the first-installed Domain Controller off-line, make a second Domain Controller a Global Catalogue server as well (Active Directory Sites and Services - the server's NTDS Settings - Properties - tick "Global Catalog").

Windows Server 2003 can cache universal group membership on the Domain Controllers of a site so that they don't need a Global Catalogue at logon time, which avoids this problem, but it's off by default and has to be enabled per site; even so, a second Global Catalogue server is still a good idea.

Back to the tips & traps section

 

 

5 - Tip: Suppress Unwanted Print Confirmation Messages
Does your Print Server insist on giving users a pop-up message that their print job has completed, and does it fill up the Event Log with successful print messages? This seems to be the default behaviour with Windows 2000/XP/2003.

The place to stop all of this is Start - Settings - Printers, then choose Server Properties from the File menu, then Advanced. Remove the ticks in the "Notify when remote documents are printed" and "Log spooler information events" boxes to stop these messages being generated.

Perhaps some users want the pop-up messages and some don't? Unfortunately the setting is per print server, so it affects all users of all printers on that Print Server computer. (The pop-ups are delivered by the Messenger service, so they also stop arriving at any workstation where that service has been disabled.)

Back to the tips & traps section

 

 

6 - Trap: ATX Power Supplies
ATX power supplies are fitted inside all modern computers and they don't have a proper Power On/Off switch. Instead they have a momentary pushbutton that merely "suggests" to the computer that it should be On or Off: "Sorry Dave, I can't switch off right now". No, don't get me wrong, I like these in workstations, as you can send out a shutdown command over the network when everyone's gone home and, after Windows closes down, the PCs will actually power down. If you need to do some out-of-hours remote maintenance on a PC you can send a "Magic Packet" to the PC's network card (Wake-on-LAN, which has to be enabled in the BIOS and on the card) and it will turn itself on.

If you have an ATX power supply in your server, make sure that it will turn itself back on after a power blackout or when the UPS switches back on when the power is restored. This feature is usually set in the BIOS/CMOS setup, under a name like "Restore on AC Power Loss" or "Power On After Power Fail", or, in rare cases, by a jumper on the motherboard. Test it during a maintenance window by pulling the plug rather than assuming.

Back to the tips & traps section

 

 

7 - Tip: "Slipstream" Your Windows 2000/XP/2003 Installation CD with the Latest Service Pack.
With Windows NT you had to remember to re-apply the latest service pack after you had installed a new feature or service that was extracted from the original NT installation files. In Windows 2000, Microsoft introduced a way to avoid re-applying service packs, which they call Slipstreaming. With this method you can produce a new Windows 2000/XP/2003 installation CD which has all the service pack changes incorporated into it and is still bootable. It also means a freshly installed machine starts life at the service pack level rather than spending its first hours on the network unpatched.

Steven Bink explains the ins and outs of it all on his website.

If you find the process a bit daunting, but you have a copy of WinISO by WinISO Computing Inc and at least 1.5 gigabytes of free disk space, here's an easier way:-

1 - Insert the original Windows Server 2003 installation disk into the CD drive and cancel any autostart splash-screen.
2 - Create a new empty folder on the C:\ drive - say c:\aaa. Copy the i386 folder from the CD to c:\aaa\i386.
3 - Click Start - Run and browse to the service pack file. Add the -x switch (extract only, don't install) and click OK.

The Run line might read: c:\download\sp4\Win2k3sp1_en.exe -x

Choose c:\aaa\sp1 when asked where to extract it.

4 - Click Start - Run and type: c:\aaa\sp1\i386\update\update.exe /s:c:\aaa

The /s: switch tells the service pack's update.exe to integrate itself into the installation files in that folder instead of updating the running system.

5 - Run WinISO and choose Actions - Make ISO from CDROM.

Choose the output file as c:\aaa\win2k3.iso with the ASPI option.

After it's completed, remove the installation CD and put it away somewhere safe.

6 - In WinISO, open the ISO image you just created and:-
a) Right-click the i386 folder and choose Delete.
b) Choose Actions - Add Directory and add c:\aaa\i386.
c) Add any files that have appeared in c:\aaa - first deleting any file with the same name that already exists in the root of the ISO image.
7 - Save the ISO file as c:\aaa\win2K3SP1.ISO
8 - Use Nero Burning ROM, or its equivalent, to make a CD from the ISO file.

This CD will be bootable because the booting mechanism was captured into the ISO file from the original CD.

9 - Delete c:\aaa and all its contents - you might want to move win2k3SP1.ISO somewhere else first for future use.
The same procedure can be used to integrate service packs into Windows 2000 and XP.

I don't know of a way to integrate NT 4 with NT service pack 6a.

Back to the tips & traps section

 

 

8 - Trap: Don't Get Caught Out with Negative DNS Caching
When a Windows 2000/XP/2003 computer fails to get an answer from a DNS lookup, the DNS Client service caches this failure with a time-to-live (TTL), so if the same name is requested again before the TTL has expired the computer's resolver simply returns another failure without consulting a DNS server at all. If a user reports a DNS problem to you, and you subsequently discover what's causing it and fix it, you might be puzzled to find the user is still having the same problem. When the TTL of the original failed lookup expires things will work again, but you need to be sure the problem's solved and keep the user's confidence in you, so go to the Command Prompt on the user's PC and type ipconfig /flushdns to empty the local DNS cache of everything, including any failed lookup entries. (ipconfig /displaydns shows you what's in the cache, and on XP/2003 the DWORD value MaxNegativeCacheTtl under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters limits how long a failure is cached - set it to 0 to stop failures being cached at all.) Bear in mind that the DNS server in between has a negative cache of its own, so if the record was added on a different server from the one the workstation asks, you may need dnscmd /clearcache on the server as well as a flush on the workstation.
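To see the trap in action without waiting for a real TTL, here is a small Python model of a negative-caching resolver. It is an added example, not code from this page or from Windows itself: the zone data, the 5-minute negative TTL and the fake clock are all made up for the demonstration.

```python
"""Model of Windows-style negative DNS caching, as an added example."""


class NegativeCachingResolver:
    """Caches both answers and failures.  A cached failure is handed back
    without asking the server again until its TTL expires or the cache is
    flushed - which is exactly why a fixed DNS problem can keep 'failing'."""

    def __init__(self, query_server, negative_ttl=300, clock=None):
        # query_server(name) -> (address or None, ttl_seconds); None means no answer
        self.query_server = query_server
        # Assumption: 5 minutes.  The real limit depends on OS version and registry.
        self.negative_ttl = negative_ttl
        self.clock = clock if clock is not None else (lambda: 0)
        self.cache = {}            # name -> (answer, expiry time)
        self.server_queries = 0    # how often the server was really asked

    def resolve(self, name):
        name = name.lower().rstrip(".")
        now = self.clock()
        if name in self.cache:
            answer, expires_at = self.cache[name]
            if now < expires_at:
                return answer      # served from cache, even when answer is None
        self.server_queries += 1
        answer, ttl = self.query_server(name)
        if answer is None:
            ttl = self.negative_ttl   # failures are cached too, with their own TTL
        self.cache[name] = (answer, now + ttl)
        return answer

    def flush(self):
        """What ipconfig /flushdns does: forget everything, failures included."""
        self.cache.clear()


class FakeClock:
    """Lets the demonstration 'wait' for a TTL without really waiting."""

    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demonstrate():
    """Replay the trap: a missing record is fixed on the server, but the
    workstation keeps failing until it flushes (or the negative TTL runs out)."""
    zone = {}                                  # constructed sample zone, record missing at first

    def query_server(name):                    # stands in for the real DNS server
        return zone.get(name), 3600

    clock = FakeClock()
    ws = NegativeCachingResolver(query_server, negative_ttl=300, clock=clock)
    steps = {}
    steps["before_fix"] = ws.resolve("intranet.example.com")        # None: failure cached
    zone["intranet.example.com"] = "10.10.10.5"                     # admin adds the record
    steps["after_fix"] = ws.resolve("intranet.example.com")         # still None!
    clock.advance(60)
    steps["a_minute_later"] = ws.resolve("intranet.example.com")    # still None
    steps["server_asked"] = ws.server_queries                       # only once so far
    ws.flush()                                                      # ipconfig /flushdns
    steps["after_flush"] = ws.resolve("intranet.example.com")       # now works

    # The patient alternative: do nothing and wait out the negative TTL.
    zone.clear()
    clock2 = FakeClock()
    patient = NegativeCachingResolver(query_server, negative_ttl=300, clock=clock2)
    patient.resolve("intranet.example.com")
    zone["intranet.example.com"] = "10.10.10.5"
    clock2.advance(299)
    steps["just_before_ttl"] = patient.resolve("intranet.example.com")   # None
    clock2.advance(1)
    steps["at_ttl_expiry"] = patient.resolve("intranet.example.com")     # works
    return steps


if __name__ == "__main__":
    for step, result in demonstrate().items():
        print(f"{step:18} {result}")
```

The point to notice is server_asked: after the record is fixed, the second and third lookups never reach the server at all, which is why watching the server's query log tells you nothing until the workstation flushes.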
Back to the tips & traps section

 

 

9 - Tip: Some Universal Solutions to all Windows 2000/XP/2003 Problems
Surely we only need one?

Universal Solution 1 - Re-register all program components.

Sometimes a problem is caused by one or more DLL or OCX files that have mysteriously become unregistered, but instead of trying to identify the ones causing the problem just re-register the lot!

Here are 3 examples of problems it has fixed for me:-

1 - When running the New Dial-Up Connection Wizard things proceed fine until you click Finish and then there's an error message saying it can't save the connection.
2 - No Setup.exe programs will run - you get a brief flash of the hourglass and then nothing.
3 - The Network Connections folder is completely empty, although the LAN connection is working normally.
The type of problem this seems to cure is when normal operating system functions strangely stop working.

So here's what you do:

Use the program REGSVR32.EXE to re-register all DLL and OCX files in the system directory. Using the arcane magic of DOS batch language, the following line, entered in a command prompt window, will do it all for you:-

FOR %a IN (c:\winnt\system32\*.dll,c:\winnt\system32\*.ocx) DO c:\winnt\system32\regsvr32.exe /s %a

NOTES

Every space, comma and bracket needs to be exactly as shown above.
If your system directory is c:\windows\system32 then amend accordingly.
The /s switch keeps regsvr32 quiet; without it you'd have to click OK on an error box for every DLL that isn't a COM server (most of them), which is harmless but tedious.
It takes perhaps half a second to register each file, so it will probably take several minutes to complete, and you'll then have to reboot for the changes to take effect.
If you wish to run this from a batch file then there must be two percentage signs instead of one (%%a).
I'm not aware of any problem that is caused by re-registering DLLs and OCXs that are already registered correctly.
If it helps, click here to download or run a batch file called REREG.BAT that will do the job in 99% of cases.
If this doesn't fix it, the problem could still be an unregistered DLL or OCX contained in one of the many subfolders under c:\Program Files\Common Files. A plain FOR won't drill down through subfolders (on 2000/XP/2003, cmd.exe's FOR /R variant will; see FOR /? for the syntax), so you can run the following, slightly modified, command in each likely subfolder:-

FOR %a IN (*.dll,*.ocx) DO c:\winnt\system32\regsvr32.exe /s "%a"

 

Universal Solution 2 - Perform a repair installation of Windows 2000/XP over itself.

This wasn't an advisable procedure with Windows NT but it seems to work OK with the later OSs.

It keeps all your existing program settings intact, can take as little as half an hour, and, at worst, adds a few Microsoft icons to the desktop and Start menu.

There are 2 ways to do it:-

If Windows is still bootable, run winnt32.exe from the installation CD or an i386 folder.
If it's so bad that you can't boot to the desktop then boot using the installation CD and perform a repair installation. (Don't choose the first repair option, which is to repair using the Recovery Console, but wait till Setup finds an existing installation to repair.)
When complete, the repair has put the files from the CD back, so you will need to re-apply any service pack or hot-fixes not integrated into the installation CD you used for the repair - and until you do, the machine is back to whatever security holes that CD had, so do it before exposing it to the network again (see the slipstreaming tip above for keeping a CD at the current service pack).
Back to the tips & traps section

 

 

10 - Trap: An NE2000 Compatible ISA non-PNP Network Card Won't Install Under Windows XP/2003
Microsoft has dropped this once-standard but now old-fashioned network card from the list of drivers it provides with Windows XP/2003. Microsoft feels that it could lead to instability of the operating system if it allows users to mess about with I/O ports and IRQs. What reasons could you have for installing such an old card rather than, say, the Intel PRO/100 PCI card that I use and recommend? Try these:-
1 - You're in a tight corner and an NE2000 card is all you've got available.
2 - The PC you need to put a network card in has no spare PCI slots.
3 - You need to access a 10Base2 (Thinnet coax) network segment and an NE2000 card is the only one you have that has the requisite BNC connector.
The way to get round this is obvious really: you use the NE2000 driver from a Windows 2000 installation CD.

In more detail:-

Run the Add Hardware applet in Control Panel - choose "Add a new hardware device" then "Install the hardware that I manually select from a list" - choose "Network adapters" then "Have Disk" and browse to where the drivers are stored - select the Novell/Anthem NE2000 Compatible driver unless your actual card is listed. Set the I/O port and IRQ in the driver's properties to match the card's jumpers or EEPROM settings, and check in Device Manager that nothing else is using them.

The files you need are netnovel.inf (19kb 19/10/1999 15:50) and ne2000.sys (16kb 30/9/1999 15:25), which you may need to expand or extract from a .CAB file - the command-line expand.exe that ships with Windows handles both the compressed .in_ files and extraction from a .cab.

Back to the tips & traps section

 

 

11 - Tip: Disable Unnecessary Background Services in Windows XP to get a Performance Boost

If you want to run XP on lower specification hardware than is recommended, then visit www.blkviper.com/WinXP/servicecfg.htm where there is a list detailing all the services operating in the background, what they do and whether they can be disabled. According to this site about 80% of them can, but I would be more cautious than this, especially with an XP Professional PC that's part of a Windows Domain - services such as Workstation, Netlogon, DNS Client and Windows Time do jobs the domain logon relies on. Disabling services also has a security side: fewer listening services means fewer things for a worm to attack, which is a better reason for doing it than speed.
Even if you do disable many of the background services, a 233 MHz Pentium with 128 MB of RAM is an absolute minimum specification for XP.

 

The Background Intelligent Transfer Service (BITS) is now required for Windows Update to function correctly - leave it, and the Automatic Updates service, enabled.

Back to the tips & traps section

 

 

12 - Trap: Using Packet Filters to Block Specific IP Traffic

Suppose your network has one Domain Controller that's also your Internet router. You have two classes of user - those with unrestricted Internet access and those with access to only a few sites. You need to filter incoming traffic on the network adaptor connected to your internal network so as to block traffic from the unlucky users' workstations from reaching unauthorised Internet sites. The Server is performing Network Address Translation on the interface connected to the Internet, so packet filtering can't usually be done there, as all outgoing traffic has the same source IP address once it has passed through NAT.

You set up the following packet filters, which the router evaluates from top to bottom until a match is found:-

Source IP                   Destination                  Action    Comment
Any                         10.10.10.0 to 10.10.10.255   Permit    Local network traffic
10.10.10.0 to 10.10.10.50   Any                          Permit    The lucky surfers
Any                         217.232.64.8                 Permit    Antivirus definition update site
Any                         162.23.4.222                 Permit    Company's public website
Any                         Any                          Deny      Uh-oh - out of luck!

What's the problem?

You've blocked traffic from the restricted workstations to the local broadcast address, 255.255.255.255, and strange things will happen to them - such as not being able to pick up an IP address from DHCP. In fact it's worse than that: a workstation that has no lease yet sends its DHCP discovery from source address 0.0.0.0, which isn't in the lucky surfers' range either, so even they can't get an address from scratch.

Before the final Deny Everything rule add a Source: ANY, Destination: 255.255.255.255 Permit rule to solve this. Broadcasts never leave the local network, so the extra rule gives nobody any more Internet access. And remember that filtering on source address only keeps honest users honest: anyone who can change their own PC's IP address to one in the 10.10.10.0 to 10.10.10.50 range joins the lucky surfers.
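Here is the same rule list as a small Python first-match evaluator, so you can see exactly which rule each packet hits before and after the fix. It is an added example, not code from this page or from Windows RRAS; the addresses are the ones in the table above, and the sample packets (including a DHCP discovery from 0.0.0.0 and a restricted workstation at 10.10.10.120) are constructed for the demonstration.

```python
"""First-match packet filter evaluation for the scenario above (added example)."""
import ipaddress

ANY = None   # wildcard for a source or destination


def between(first, last):
    """An inclusive address range, e.g. between("10.10.10.0", "10.10.10.50")."""
    return (ipaddress.ip_address(first), ipaddress.ip_address(last))


def host(addr):
    """A range containing a single address."""
    return between(addr, addr)


# (source, destination, action, comment): evaluated top to bottom, first match wins
RULES_AS_WRITTEN = [
    (ANY, between("10.10.10.0", "10.10.10.255"), "permit", "local network traffic"),
    (between("10.10.10.0", "10.10.10.50"), ANY, "permit", "the lucky surfers"),
    (ANY, host("217.232.64.8"), "permit", "antivirus definition update site"),
    (ANY, host("162.23.4.222"), "permit", "company's public website"),
    (ANY, ANY, "deny", "everything else"),
]


def with_broadcast_rule(rules):
    """The fix: permit Source ANY -> 255.255.255.255 just before the final deny."""
    fix = (ANY, host("255.255.255.255"), "permit", "local broadcast (DHCP, NetBIOS)")
    return rules[:-1] + [fix] + rules[-1:]


RULES_FIXED = with_broadcast_rule(RULES_AS_WRITTEN)


def in_range(addr, rng):
    return rng is ANY or rng[0] <= addr <= rng[1]


def evaluate(rules, src, dst):
    """Return (action, comment) of the first rule that matches the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for source, dest, action, comment in rules:
        if in_range(s, source) and in_range(d, dest):
            return action, comment
    raise ValueError("no rule matched: a filter list needs a final catch-all")


# Constructed sample packets: (source, destination, description)
SAMPLE_PACKETS = [
    ("0.0.0.0", "255.255.255.255", "DHCPDISCOVER from any workstation with no lease yet"),
    ("10.10.10.120", "255.255.255.255", "restricted workstation rebinding its DHCP lease"),
    ("10.10.10.20", "255.255.255.255", "unrestricted workstation rebinding its DHCP lease"),
    ("10.10.10.120", "10.10.10.1", "restricted workstation talking to the server"),
    ("10.10.10.120", "217.232.64.8", "restricted workstation fetching AV definitions"),
    ("10.10.10.120", "198.51.100.7", "restricted workstation trying some other website"),
    ("10.10.10.20", "198.51.100.7", "unrestricted workstation browsing freely"),
]


def audit(rules):
    """Map each sample packet's description to the action the rule list gives it."""
    return {desc: evaluate(rules, src, dst)[0] for src, dst, desc in SAMPLE_PACKETS}


if __name__ == "__main__":
    before, after = audit(RULES_AS_WRITTEN), audit(RULES_FIXED)
    for desc in before:
        flag = "  <-- changed by the fix" if before[desc] != after[desc] else ""
        print(f"{before[desc]:6} -> {after[desc]:6}  {desc}{flag}")
```

Only the two broadcast packets change verdict, which is the check you want before touching a rule list on a production router: the fix restores DHCP without loosening anything else.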

Back to the tips & traps section

 

 

13 - Tip: If You Love Your Printers - Set Them Free!
A network printer is traditionally connected to a server which manages access to it. This way you can determine who can use the printer and when they can use it, you can allow important people to have their print jobs queue-jump everyone else's, and you can set up a pool of identical printers so if one fails another will take over. I've never used any of these features in a real network. I find that what people want most of all is for printers to just print, and they get frustrated when they don't. Many modern printers have a built-in network adaptor to allow them to be "directly connected" (they're the ones with an "N" at the end of the model number). This means they're not connected to a server by a printer or USB cable and so can be located anywhere around the office, within reach of a network socket. A small box called a "print server", costing around £100, allows any printer to be directly connected to the network. If you have a WiFi access point on your network you can get a wireless print server to allow you to position a printer anywhere in your office.

My tip, for reliable printing, is to have all your printers directly connected and leave the servers out of the loop. All workstations can then access the printers directly by setting up TCP/IP printer ports (a Standard TCP/IP Port pointing at the printer's address, normally RAW protocol on port 9100). So now, when your servers have crashed, are using all their CPU cycles doing something else or are otherwise out of action, printing will continue. The trade-off is that nothing stands between the printer and the network any more: anyone who can reach port 9100 can print, and there's no central queue to audit. So give the printers fixed addresses (or DHCP reservations, since every workstation's port points at the address) and, if it matters, keep them on a subnet that visitors' machines can't reach.

Windows 95/98/ME don't have the inbuilt ability to create a TCP/IP printer port, but printers and print server boxes usually come with a utility to allow such workstations to print directly to the printer.

For a Hewlett Packard printer, download their Install Network Printer Wizard here (5 megabytes).

Back to the tips & traps section
 

 

14 - Trap: Floppy Disk, Formatted with Windows 2000, gives Alarming Boot Message
If, during the boot process, you see the message:-
  NTLDR is missing
Press any key to restart
It sounds like something serious has gone wrong - like a failed hard drive or a scrambled operating system.

However your day might not be ruined, after all, as this could be something as simple as a floppy disk left in the A: drive during a reboot.

In the same situation a floppy disk formatted under Windows XP gives this more helpful message:-

  Remove disk or other media
Press any key to restart
and in earlier versions of DOS, when keyboard corporal punishment was still allowed, the message was:-
  Non-System disk or disk error
Replace and strike any key when ready
When a floppy disk is formatted with any version of Windows 2000 it is written with an NT-style boot sector, even though no files are copied across to it. When unintentionally chosen to boot a computer, that boot sector does its job - looks for the first file required for the boot process, NTLDR - and reports that it can't be found.

This message, and the ability to boot, are contained on the floppy disk itself, and so it will exhibit the same behaviour on any computer set to boot from the A: drive first, no matter what operating system is installed on it. The same goes for the other two messages: they come from whatever formatted the floppy, not from the PC. Setting the BIOS to try the hard disk before the floppy (and putting a password on BIOS setup) avoids the surprise and also stops anyone booting your server from a floppy of their own.

Back to the tips & traps section
 

 

15 - Tip: Increase the Number of Simultaneous File Downloads Allowed with Internet Explorer
If you feel you're being limited by Internet Explorer's default of 2 simultaneous connections to any one web server (the HTTP/1.1 specification's recommendation, and what stops a third download from the same site starting) - especially if you're connecting to the Internet at ADSL speed or better - you can increase this by adding 2 new registry values.

Create the DWORD values:-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server

Set the value of both to the number of simultaneous connections you want - 10 would be a sensible maximum, as every image and script on a page is fetched over these connections too and a busy web server may simply refuse the extra ones. Microsoft documents the same two values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, where they apply to one user rather than the whole machine.

Back to the tips & traps section

 

 

16 - Trap: The Event Viewer has Spam in it!
Yes, unsolicited advertising has found another way to intrude upon us. The event I saw in a Windows 2000 Server's System Log was actually the report of an Application Popup and the subject was a phoney degree qualification for sale. If I'd been logged on when it arrived I'd have seen the advert in a pop-up window similar to the ones that announce a completed print job or that the network is closing down in 5 minutes, which are delivered by the Windows Messenger Service. The message came from the Internet via UDP port 135, from a computer that must spend its time scanning through every IP address looking for any such ports with the Messenger Service listening behind them. The lesson here is that there is never a good reason to expose to the Internet any of the ports that provide Remote Procedure Call (RPC) or NetBIOS services, as these services are only needed for the correct operation of Windows networks.

The full list of ports involved is TCP and UDP ports 135, 137, 138, 139 and 445. Someone with access to a range of these ports could:-

Access private data on your PC.
Initiate a Denial of Service attack on some well known website from your PC - this is soon to be an offence in the UK.
Load pirated software onto your hard disk and use your PC as a distribution point.
Any modern network firewall program will shut these ports up tight, and so the people most at risk are those with a new always-on ADSL connection who aren't using any form of firewall (Windows XP has a useful one built-in, and ZoneAlarm and Sygate personal firewalls are available for free!). The spam pop-up is the harmless symptom; the same exposure is what the Blaster worm (TCP 135) and the Sasser worm (TCP 445) used to get in.

The Windows Messenger Service is a completely different thing from Windows Instant Messenger, and if you never want to receive any pop-up messages you can safely disable the service (those ports still need to be closed as well though!).
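A quick way to see which of those ports a machine actually has open to the world is to read its netstat -an output. Below is an added Python example (not code from this page) that picks out RPC/NetBIOS listeners bound to all interfaces or to the Internet-facing address. The listing and the address 203.0.113.9 are constructed for the demonstration; and since netstat only shows what is listening, not what a firewall blocks, a hit means "exposed unless a packet filter says otherwise".

```python
"""Audit a netstat -an listing for RPC/NetBIOS listeners reachable from the
Internet (added example; the listing below is constructed)."""
import re

RPC_NETBIOS_PORTS = {135, 137, 138, 139, 445}

# Constructed sample, in the format netstat -an prints on Windows 2000/XP/2003.
# 10.10.10.1 is the LAN interface, 203.0.113.9 the (assumed) Internet interface.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.10.10.1:139         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    203.0.113.9:25         0.0.0.0:0              LISTENING
  TCP    203.0.113.9:25         198.51.100.4:40123     ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    10.10.10.1:137         *:*
  UDP    10.10.10.1:138         *:*
  UDP    203.0.113.9:500        *:*
"""

# proto, local addr:port, foreign addr, optional state (UDP lines have none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for every listening socket."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # headers, blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/time-wait entries aren't listeners
        yield proto, addr, int(port), state or ""


def exposed_listeners(text, internet_addr):
    """RPC/NetBIOS sockets bound to every interface (0.0.0.0) or to the
    Internet-facing address.  Sockets bound only to the LAN address are fine."""
    hits = []
    for proto, addr, port, _state in parse_netstat(text):
        if port in RPC_NETBIOS_PORTS and addr in ("0.0.0.0", internet_addr):
            hits.append((proto, addr, port))
    return hits


if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_NETSTAT, "203.0.113.9"):
        print(f"EXPOSED  {proto} {addr}:{port}")
```

On the sample, TCP 135, TCP 445 and UDP 135 are flagged because they are bound to 0.0.0.0, while the NetBIOS ports bound only to 10.10.10.1 are not. Binding a service to the LAN address is not a substitute for a firewall, but it does tell you which services to worry about first.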

Microsoft Outlook email clients communicate with Microsoft Exchange Servers using RPC - TCP port 135 (the endpoint mapper) to find the service and then dynamically assigned high ports to talk to it - which is perfectly fine if both client and server are on the same internal network. If you want to use Outlook to communicate with an Exchange server in a remote office via the Internet then, provided the Internet portion of the link uses a VPN, TCP port 135 is not being exposed to attack from the Internet and so this is still fine.

Exchange 2003 has a feature called RPC over HTTP, which tunnels the same traffic inside an HTTPS connection, and is another way of getting around this problem.

So how did my server receive the spam popup message? Mea culpa, I'd left the All Ports packet filter enabled overnight on the firewall that I'd been using for some tests and that scanning computer found me.
Back to the tips & traps section

 

 

17 - Tip: Keep Your ADSL Circuit Permanently Connected and Functioning
Some ADSL circuits are rock solid and stay connected permanently while others can't even go a week without dropping out or mysteriously stopping working. This can be a problem if you want to use your ADSL circuit to host an Internet server or allow access to your internal network over a VPN. I always recommend using an internal PCI ADSL modem, instead of an external USB modem, for extra reliability, but this won't prevent drop-outs caused by problems further down the line. There's a program called ADSL Autoconnect designed specifically to keep an ADSL circuit up and functioning. It performs the following functions:-

Whenever the circuit is not connected it dials and connects. The program runs as a service and so connects as soon as the computer boots up.

It pings an IP address on the Internet at regular intervals and, after a preset number of consecutive failures, it hangs up and redials the connection.

At a longer interval, such as every day, it can routinely hang up and reconnect.
Whenever the IP address of the ADSL connection changes it can email you the new one.

To enable the program to disconnect the ADSL circuit you should disable any other autoconnect settings, such as the one in Internet Explorer - Tools - Internet Options - Connections.

ADSL Autoconnect was written by Patrick Poly, is freeware and can be downloaded from www.ADSLAutoconnect.net (Téléchargement means Download).

The only inconvenience with the program is that Patrick is French and all the menus are in French. Perhaps France has flakier ADSL connections than we do. Anyway don't be put off by this and, to help, here are some translations:

démarré = started
hôte = host
annuler = cancel
afficher = show / display
échec = failure
l'expéditeur = sender (of the email)
jouer un son = play a sound
durée = duration (uptime)
réglages avancé = advanced settings
divers = miscellaneous
l'observateur d'événements = event viewer
montrer la fenêtre principale = show main window
lancer au démarrage de Windows = launch when Windows starts
options de démarrage de l'application = application start options
délai entre chaque tentative de connection = delay between each connection attempt

As with anything that runs as a service and sends email on your behalf, only install it from the author's site, and run it under an account with no more rights than it needs to dial the connection.
 
Back to the tips & traps section

 

 

18 - Trap: Emails Sent to AOL Addresses Never Arrive
You could have this problem, right now, with one of your mailservers and not even realise it!

When the log of a mailserver suffering this problem is examined, the SMTP mail transfer between this server and AOL's appears to have concluded successfully, but nothing ever arrives in the AOL member's inbox.

The likely cause is that the reverse DNS lookup (PTR record) of the Internet IP address this mailserver is operating behind doesn't match the DNS name it gave to the AOL server in the EHLO command. (That's where the Teletubbies got it from!)

Most of the Internet's mailservers don't mind this discrepancy; others accept and deliver the mail but record a complaint in the sending server's log file; however AOL politely accepts the emails and then silently deletes them.

This behaviour is designed to protect AOL's members from spammer tricks and, as the problem of sp
am continues to grow, perhaps more mailservers will adopt this approach. Some receivers go a step further and check that the PTR name resolves forward to the same IP address (forward-confirmed reverse DNS), so the name your ISP registers for you should have a matching A record as well.

To solve the problem, change the mailserver's DNS name setting to the correct one. You can find what this is by typing "ipconfig /all" in a Command Prompt window on the computer connected to the Internet - if this proves difficult (for example the server sits behind a NAT router and only has a private address) visit Gibson Research and find ShieldsUP! then Test My Shields! to get your public IP address. Finally, in the same Command Prompt window, type "nslookup 111.222.111.222" - substituting your IP address for 111.222.111.222 - and the name that comes back is the one to use.

If you find your DNS name is something like host212-147-32-112.inaddr.btopenworld.com you're probably using a dynamic IP, which will change, along with the DNS name, each time your ADSL line reconnects. Enter this DNS name into your mailserver anyway, as AOL doesn't mind about the host portion of the DNS name being wrong as long as the domain part is correct.
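To make the check concrete, here is an added Python example (not code from this page, and not AOL's actual rules) that classifies an EHLO name against the PTR record for the sending address, with the page's "domain part must match, host part needn't" tolerance modelled as an assumption; it also shows the forward-confirmation check. The DNS data is constructed from documentation addresses so it runs offline; swap the two lookup callables for real resolver calls to use it for real.

```python
"""Compare an SMTP server's EHLO name with the reverse DNS of its address
(added example; DNS records below are constructed, not real)."""
import ipaddress

# Constructed sample records: address -> PTR name, name -> A address
SAMPLE_PTR = {
    "203.0.113.25": "host203-0-113-25.inaddr.example.net",   # ISP's generic name
    "203.0.113.80": "mail.example.org",                       # properly registered
}
SAMPLE_A = {
    "host203-0-113-25.inaddr.example.net": "203.0.113.25",
    "mail.example.org": "203.0.113.80",
}


def normalise(name):
    """DNS names compare case-insensitively and with or without a trailing dot."""
    return name.strip().rstrip(".").lower()


def reverse_name(ip):
    """The name that 'nslookup 203.0.113.25' really asks for behind the scenes."""
    return ipaddress.ip_address(ip).reverse_pointer


def domain_part(name):
    """Everything after the first label, e.g. host212-...inaddr.btopenworld.com
    -> inaddr.btopenworld.com.  Assumption: this is what a receiver that
    tolerates a wrong host portion compares."""
    return ".".join(normalise(name).split(".")[1:])


def check_ehlo(ip, ehlo_name, ptr_lookup=SAMPLE_PTR.get):
    """Classify the EHLO name against the PTR record of the sending address:
    'no-ptr'       the address has no reverse name at all
    'exact'        EHLO name equals the PTR name
    'domain-only'  host portion differs but the domain portion agrees
                   (tolerated by AOL according to the tip above)
    'mismatch'     different domain: expect silent discards from strict receivers"""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return "no-ptr"
    ptr, ehlo = normalise(ptr), normalise(ehlo_name)
    if ehlo == ptr:
        return "exact"
    if domain_part(ehlo) == domain_part(ptr):
        return "domain-only"
    return "mismatch"


def forward_confirmed(ip, ptr_lookup=SAMPLE_PTR.get, a_lookup=SAMPLE_A.get):
    """Forward-confirmed reverse DNS: PTR(ip) gives a name whose A record is ip again."""
    ptr = ptr_lookup(ip)
    return ptr is not None and a_lookup(normalise(ptr)) == ip


if __name__ == "__main__":
    for ip, ehlo in [("203.0.113.25", "mail.example.org"),
                     ("203.0.113.25", "host203-0-113-25.inaddr.example.net"),
                     ("203.0.113.25", "smtp.inaddr.example.net"),
                     ("203.0.113.99", "mail.example.org")]:
        print(f"{ip:14} EHLO {ehlo:40} {check_ehlo(ip, ehlo):12} "
              f"fcrdns={forward_confirmed(ip)}  ({reverse_name(ip)})")
```

The first case is the trap from the tip: a server announcing mail.example.org from an address whose reverse name belongs to the ISP. The second is the page's fix (announce whatever the PTR says), and the third shows why the fix survives a dynamic host portion.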

 

Some ISPs don't have DNS names for the IP addresses they provide to customers. Some will register one if you ask, while others will refuse.

A similar problem arises when operating a mailserver from behind a dynamically allocated IP address. Some large ISPs have prepared a list of IP addresses used throughout the world as dynamic address pools and will refuse to receive mail from them. A static IP address is now essential for operating an SMTP server set up to deliver mail directly to the destination domains - the alternative is to hand all outgoing mail to your ISP's SMTP relay (a "smart host"), which sends it on from an address with a proper reverse name and reputation.

The extra charge for a static IP address is typically only £2/month.

   
Back to the tips & traps section

 

 

19 - Tip: Use Terminal Server to Disable Faulty Video Drivers
After the main Windows 2000/XP/2003 installation program has completed, you're running in standard VGA mode because you haven't installed the correct video drivers, as you've got other things you want to tackle first. When you finally get around to installing the video drivers, be aware that this process involves some risk. The video drivers you've downloaded or have on CD-ROM may not be the correct ones and so you risk having to restart the whole installation. Sometimes faulty video drivers produce a Blue Screen of Death during the boot process, which you can recover from by using Safe Mode or Last Known Good Configuration; however sometimes the monitor just goes blank - perhaps because the video card has shut down - and then you're stuck.

My tip is to enable Terminal Services in Remote Administration mode on your Windows 2000 server (Remote Desktop if it's XP or 2003) before installing the video drivers. If your screen then goes blank you can start a Terminal Server client session from another computer on the network, view and control the server's desktop and uninstall the troublesome drivers. This works because a remote session draws through Terminal Services' own display driver rather than the video card's, so it is unaffected by whatever the faulty driver has done to the local screen.

Terminal Services are included free with Windows 2000/2003 Server and will operate in Remote Administration mode without any additional licences (two concurrent administrative sessions). The Terminal Server client software is installed as standard with Windows XP/2003 (called Remote Desktop Connection, you can find it in Accessories - Communications) but for Windows 2000 it needs to be downloaded from Microsoft's website.

This tip also applies if you're changing a server's video card - although a better tip might be, if you have a production server with a working video card and driver, leave it alone! And once the drivers are sorted, either restrict Remote Desktop (TCP port 3389) to the administrators' addresses at the firewall or turn it off again; an open 3389 is a logon prompt facing whoever can reach it.

Back to the tips & traps section

 

 

20 - Trap: Windows Server 2003: Server Message Block (SMB) Signing is Required by Default
In the '90s, when NT Server was young and competing for a foothold in a networking market then dominated by Novell, an advantage much emphasised by Microsoft was how its product was easy to install and worked straight out of the box.

This "install everything" and "turn everything on" policy persisted until very recently. How many Windows 2000 Servers are out there right now with the SMTP service running without the owner's knowledge, ready to relay spam?

Microsoft's policy has gone into reverse and products will now install with security measures enabled by default, so expect many more problems like this one:-

Windows 2000/XP workstations operate fine after a Windows Domain has been upgraded to Windows 2003; however some Windows 95/98/ME/NT clients and older Macintosh and Unix clients can no longer log on or connect to shared folders on the Domain Controllers.

The reason is SMB signing, a seldom-used feature introduced with Windows NT Service Pack 3. It isn't encryption - the data still goes over the wire in the clear - but each SMB packet carries a signature so that a machine in the middle can't tamper with or replay the session. The Windows Server 2003 Default Domain Controllers Policy turns it on and makes it mandatory on the server side, but by default only Windows 2000/XP/2003 clients (plus NT4 from SP3 and Samba from 3.0) can sign.

If you only have Windows clients then changing some registry keys (plus installing the DS client for Windows 95/98) will restore normal operation; otherwise the solution is to stop making SMB signing mandatory, using the Group Policy Editor on a 2003 Domain Controller, until such time as all network clients can sign.

This is how to do it:-
Start - Settings - Control Panel - Administrative Tools - Active Directory Users and Computers

Right-click on the Domain Controllers OU, choose Properties, then select the Group Policy tab, pick Default Domain Controllers Policy and click Edit.

Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ and set "Microsoft network server: Digitally sign communications (always)" to Disabled (the Windows 2000 name for the same setting is "Digitally sign server communication (always)"). Only if the server's own outgoing connections also fail do you need to do the same to "Microsoft network client: Digitally sign communications (always)". Leave the "(if client agrees)" settings enabled so that clients that can sign still do.

Disabling mandatory SMB signing may also give as much as a 10% performance boost for some older client PCs. The price is that an attacker on your LAN can once again splice into or replay an SMB session to your Domain Controllers, which is exactly what signing was introduced to prevent, so treat this as a temporary measure and plan to retire or upgrade the clients that can't sign.
Back to the tips & traps section

 

 

21 - Tip: Stop Viruses and other "Pushy" Programs Giving Themselves Startup Privileges
Conventional definitions-based virus protection has an inherent weakness: there's a time lag between a new virus being released "into the wild" and an updated definitions file, containing the new virus's signature, arriving at your PC.

This delay may be less than 24 hours but it will always exist.

Any measure that can extend the protection gained from conventional antivirus software and be immediately effective against new viruses is, therefore, always welcome.

One such method is to have your mailserver zap any email attachments with filename extensions such as EXE, COM, BAT, SCR, PIF and VBS, and here's another:-

For a virus to have any effect it must find a way to have its program code run on your computer. Opening an attachment or downloading and opening a file from a website are common ways to achieve this. A virus's next big priority is to ensure that its effects survive a reboot, and it does this by adding itself to the list of programs that run at startup.

Does it put a shortcut to itself in the Start - Programs - Startup folder? No - too easy to spot. Instead it makes a new registry entry at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

and keeps reinstating this entry if you try to remove it.

You may be aware that with NTFS file systems, all files and folders have security permissions to control the type of access that's allowed - read, write, create, delete, etc. The Windows Registry is a special object in Windows NT/2000/XP/2003 in that every one of the 1000s of registry keys has its own security permissions that can be set individually, even when stored on FAT16/32 partitions - no wonder the Registry can get so big!

So here's the tip:-

Change the permission on

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

so that users with existing access permissions can still read it but nobody has write access.

This is how to do it:-

Run the program regedt32.exe (the more popular regedit.exe knows nothing about access permissions). Navigate to and select

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Find the "Permissions..." menu option - Windows 2000's regedt32.exe is different to XP's and has "Permissions..." in a different place - but it's not hard to find.

With 2000/XP/2003 you first have to click Advanced and remove the "Inherit parent permissions...."

Then choose the Copy option which copies the currently inherited permissions. You'll probably find that the users listed are Users, Power Users, Administrators, SYSTEM and CREATOR OWNER. You should edit each one, in turn, to leave only 4 permissions: Query Value, Enumerate Subkeys, Notify and Read Control. Leave the "Apply onto" settings as they are.

And that's it - mission accomplished! Just make sure you remember to reinstate Full Control for Administrators while you're installing or uninstalling programs with a legitimate right to have startup privileges such as antivirus programs and some video, network card and modem drivers. The occasional installer program (including the Windows XP Service Pack 2 installer) will abort if it can't add its unwanted startup entry so play along with it and then clean up after it's finished.

This topic is worthy of further discussion which you can skip if editing the Registry has left you drained.

Is this just re-inventing the wheel?

Microsoft has already thought of this problem and provided an easy-to-use solution, built-in to Windows 2000/XP/2003 in the form of special security groups with carefully crafted registry key permissions. These groups are Users, Power Users and Administrators and your user account is granted the rights of whichever of these groups it's a member of. The Users group can only change personal settings and run approved programs while Power Users can run all programs, install approved programs that don't require installing system services and can make many system changes but can't install legacy programs or change any hardware settings. Administrators can do anything and everything. So Microsoft's idea is that you log on with an Administrator-level account when you need to make changes and use a Power User account all the rest of the time. This will limit the effects of viruses and, of particular relevance here, Power Users can't add entries to the list of startup programs.

Hands up anyone who uses anything other than a local Administrator-level account to log on to their personal PC. "Don't Know" means you don't. I can't see any hands.

Many IT departments end up giving their users Administrator rights to their local machines to stop them being bothered by so many call-outs. This tip is therefore valid for all of us who use our PCs daily using Administrator-level accounts.

What happens when the next generation of viruses include code to reset write permissions on the Registry key we've protected?

Hang on, we removed all Write permissions from that key including Write DAC, which is the Change Permissions permission, so how come we can just set them back again?

The answer is that every Windows object has an owner, which starts out as the user who created it, and an owner always has Read and Change Permissions rights even if they don't show up under their name in the Security window.

Your account, or the Administrators group, is likely to own all the Registry keys.

So if you want to make things harder still for the bad guys you should "disown" the startup programs Registry key by doing the following:-

Log off your account and log back on again as Administrator, run regedt32.exe, navigate back to the key and select Permissions - Advanced - Owner. Under "Change owner to:" select Administrator (not Administrators) and click apply. Now when you log on again under your account you'll find you can't change the key's permissions anymore.

While you continue to use an account with local administrator privileges you'll be able to seize back ownership of the key - so this is still not good enough. The final step is to edit just your user account's permissions to deny yourself Write Owner permission.

Making absolute statements in computing is always unwise, but I'd say that with this final step it is now impossible for any code running under your user account to change the contents of

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

What other Registry Keys might you want to remove Write Permissions from?
A virus that appeared in 2002 sneakily kept writing its startup entry to:-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

a key designed to help installation programs complete after a reboot.

There can also be extra, user-specific, startup programs specified in:-

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

with a corresponding:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Then, to stop a virus installing its code as a system service (a program that runs before anyone logs on) you might want to remove the Create SubKey permission from:-

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

For simplicity I'd advise just removing the Write permissions from the keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

as they're next door to each other.

What do all your current startup programs do anyway?
While you're there, why not find out what all the existing entries do in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run?

Do you really want them there? A search of an entry's program name on Google is a quick way to find out what it does. If there's an entry that you can't bring yourself to delete for fear that it really is something important, try life without it for a while by editing the entry to give it a simple, obvious error, such as leaving off the final 'e' of 'exe'.

The invalid entry will then fail, silently, during logon and you can easily restore its operation later if you need to.

This website is a good resource for determining what a particular startup program does.
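The following is an added example, not part of the original page, that does from the command line what the tip above describes in regedt32: it lists who can still write to the two HKLM startup keys (including the key's owner, who can always change permissions), lists the entries in them together with whether the program each one names actually exists, and, if you choose to call Protect-RunKey, applies the four-permission restriction. It assumes Windows PowerShell running in an elevated session; the function names, the $RunKeys list and the right sets are this example's own choices.

```powershell
# Added example, not from the original page. Audits the two HKLM startup keys the
# tip protects: who can still write to them, who owns them, and what is in them,
# and applies the tip to a key on request. Windows PowerShell, run elevated.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Rights that let code add, change or delete startup entries, or re-grant itself
# those rights (Write DAC / Write Owner in the tip's wording).
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# The four rights the tip leaves in place: Query Value, Enumerate Subkeys,
# Notify and Read Control.
$ReadOnlyRights = [System.Security.AccessControl.RegistryRights]'QueryValues, EnumerateSubKeys, Notify, ReadPermissions'

function Get-RunKeyWriters {
    # One row for the owner (who can always change permissions, ACE or no ACE)
    # plus one per Allow ACE that still carries a write right.
    param([string[]]$Keys = $RunKeys)
    foreach ($key in $Keys) {
        $acl = Get-Acl -Path $key
        [pscustomobject]@{ Key = $key; Principal = $acl.Owner; Rights = 'Owner (implicit Change Permissions)'; Inherited = $false }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and (($ace.RegistryRights -band $WriteRights) -ne 0)) {
                [pscustomobject]@{ Key = $key; Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Get-StartupEntries {
    # Lists every value under the keys and whether the program it names exists;
    # an entry disabled with the "leave off the final e" trick shows ExePresent = False.
    param([string[]]$Keys = $RunKeys)
    foreach ($key in $Keys) {
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # The executable is the quoted path, or else the first token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $present = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; ExePresent = $present }
        }
    }
}

function Protect-RunKey {
    # The tip itself: stop inheriting, keep copies of the inherited ACEs, then cut
    # every Allow ACE down to the four read-only rights. Reinstate Full Control
    # for Administrators before running installers, as the text warns.
    param([Parameter(Mandatory)][string]$Key)
    $acl = Get-Acl -Path $Key
    $acl.SetAccessRuleProtection($true, $true)   # remove "Inherit...", then "Copy"
    Set-Acl -Path $Key -AclObject $acl
    $acl = Get-Acl -Path $Key
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        [void]$acl.RemoveAccessRule($ace)
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $ace.IdentityReference, $ReadOnlyRights,
            $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Key -AclObject $acl
}

Get-RunKeyWriters  | Format-Table -AutoSize
Get-StartupEntries | Format-Table -AutoSize
# To apply the tip to both keys:  $RunKeys | ForEach-Object { Protect-RunKey -Key $_ }
```

Run the two Get- functions first and keep their output: the writers list is what you compare against after Protect-RunKey, and the entries list is the baseline you check new Run values against later. Protect-RunKey does not change the owner or the Write Owner right, so the later steps of the tip (disowning the key and denying yourself Write Owner) still have to be done in regedt32 as described.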


22 - Trap: Problem copying Windows user profiles
In Windows 2000/XP/2003 every user who logs on has a profile. This is a folder under c:\Documents and Settings\ which contains Desktop, Start Menu and application-specific settings, the My Documents folder and your Outlook/Outlook Express mail store. The folder name is usually the same as the username but Windows adds a suffix if a folder with that name already exists.

Sometimes it's useful to copy the contents of one profile to another. Here are 2 reasons why:-

1 - You have optimised the profile for a particular user account and now you want every new user to be given a copy of this profile. In this case you would copy the optimised profile to the Default Profile which is the profile that any user logging on without an existing profile is given a copy of.

The Default Profile is stored at c:\Documents and Settings\Default User\

2 - You have been logging on to your computer with a Windows Domain account; however, your computer has now left this domain, so you need to copy your old domain profile over to the local account you're now using to get back your old desktop, data and email.

Windows has a special procedure for copying user profiles and warns against just using Windows Explorer to copy the files.

You'll find this procedure under User Profiles in Control Panel - System (its exact location varies with the operating system).

To be able to copy a profile successfully, the account that you are logged on with must have administrator privileges on the local computer and mustn't be the owner of the source or destination profile.

So What's the Trap?

I have found that, even when obeying all the rules, when I select a profile to be copied the "Copy To" button is often, but not always, greyed-out with no explanation or error message. I've then had to copy the profile using Windows Explorer with mixed results.

The Solution

When you log off an account without rebooting and then log on with a different account, Windows still keeps some of the previous account's profile files open. The User Profiles utility is therefore unable to copy the profile of any user who has logged on since the computer last rebooted. So just reboot, log on with an account whose profile isn't being copied, and the "Copy To" button will be available for all the other profiles.

23 - Tip: Assign an Existing User Profile to a different User Account
The folder which contains a user's profile is located under C:\Documents and Settings and the folder's name is the same as the username with, perhaps, a suffix added in cases where Windows found an existing folder with that name when it was trying to create it.

For a long time I assumed that this username/profile folder name relationship was hard-coded into Windows; however, it turns out that there's a registry key that controls this.

When would it be useful to change the profile folder associated with a user account?

1 - Perhaps you accidentally deleted your user account, and just recreating an account with the same name doesn't reconnect you to the deleted account's profile; instead a new profile folder is created when you first log on. This happens because, to Windows, the main identifying attribute of a user account is its Security Identifier (SID), an example of which is shown below:-

S-1-5-21-3718436116-2484245854-1656481220-1003

The username and password are just account properties that can be changed. Even if you know the SID of the deleted account I don't know of any way to create a new account with the old SID.

2 - Maybe you used to regularly log onto your PC with a Windows Domain account and now your PC has left this domain and has only local accounts to log on with, or maybe it's joined a different domain.

3 - Perhaps your only Active Directory Domain Controller failed and you were unable to restore it from backups. You've recreated a new Active Directory structure on a new server which matches the old one plus you have re-setup all the file shares etc.

The big problem now is that, after joining all the workstations to a workgroup and then back to the new domain, all the users' Profiles have been lost.

The SID shown above breaks down as follows:-

S-1-5-21 means an interactive user.
The next 3 blocks of numbers are the computer's machine SID.
1003 is the Relative Identifier (RID). The first user created has a RID of 1000, the second has 1001 etc.

The Administrator account's RID is 500 and the Guest's is 501.

Here's how to change the profile linked to a particular user account:-

1 - Look in C:\Documents and Settings and make a note of the folder name that contains the profile you want.
2 - Go to Control Panel - Administrative Tools - Computer Management - Local Users and Groups - Users and create the new account you want for the old profile. Log off and then log on with the new account and note the name of the newly-created profile folder.
3 - Run regedit and navigate to registry key:-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Each account that has logged on has a subkey here named after its SID. The newly-created account should have the highest-numbered RID, and its subkey contains a value called ProfileImagePath which points to the new account's profile folder.

Edit this value to point to the old profile folder.

4 - Close Regedit, log off, log back on with the new user account and you will be using the old folder.
5 - If the new account is a member of the Administrators group then everything will work. Otherwise, using an administrator-level account, you'll need to change the NTFS permissions of the old profile folder to give the new account Change permissions.
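The following is an added example, not part of the original page, that works through the SID breakdown and steps 3 and 4 above in Windows PowerShell: it splits a SID string into its revision, authority, machine SID and RID, lists the ProfileList subkeys by RID so the newest account is obvious, and re-points one account's ProfileImagePath at an existing profile folder. The function names, the RID labels and the check that the target folder exists are this example's own; it reads the real ProfileList key and must run elevated to change it.

```powershell
# Added example, not from the original page. Breaks a SID into the parts described
# above, lists the ProfileList entries by RID and re-points ProfileImagePath.
# Windows PowerShell; Set-ProfilePath needs an elevated session.

function Get-SidParts {
    param([Parameter(Mandatory)][string]$Sid)
    $parts = $Sid -split '-'
    if ($parts[0] -ne 'S' -or $parts.Count -lt 4) { throw "Not a SID string: $Sid" }
    $subAuths = $parts[3..($parts.Count - 1)]
    $rid = [int64]$subAuths[-1]
    # The 3 blocks between the leading 21 and the RID are the machine (or domain) SID.
    $machine = if ($subAuths[0] -eq '21' -and $subAuths.Count -ge 5) { $subAuths[1..($subAuths.Count - 2)] -join '-' } else { '' }
    $meaning = switch ($rid) {
        500             { 'built-in Administrator' }
        501             { 'built-in Guest' }
        { $_ -ge 1000 } { 'account created on this machine or domain' }
        default         { 'other well-known RID' }
    }
    [pscustomobject]@{
        Sid               = $Sid
        Revision          = [int]$parts[1]
        Authority         = [int]$parts[2]     # 5 = NT Authority
        MachineOrDomainId = $machine
        Rid               = $rid
        RidMeaning        = $meaning
    }
}

$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileMap {
    # One row per local/domain account that has a profile, lowest RID first,
    # so the newly-created account (highest RID) is at the bottom.
    Get-ChildItem -Path $ProfileList |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object {
            $sid = Get-SidParts -Sid $_.PSChildName
            [pscustomobject]@{
                Sid              = $sid.Sid
                Rid              = $sid.Rid
                RidMeaning       = $sid.RidMeaning
                ProfileImagePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            }
        } | Sort-Object Rid
}

function Set-ProfilePath {
    # Step 3 of the tip: point the new account's SID at the old profile folder.
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$ProfileFolder
    )
    if (-not (Test-Path -LiteralPath $ProfileFolder)) { throw "Profile folder not found: $ProfileFolder" }
    $key = Join-Path $ProfileList $Sid
    if (-not (Test-Path -Path $key)) { throw "No ProfileList entry for $Sid" }
    Set-ItemProperty -Path $key -Name ProfileImagePath -Value $ProfileFolder
}

# Worked example using the SID quoted in the text, then the live ProfileList.
Get-SidParts -Sid 'S-1-5-21-3718436116-2484245854-1656481220-1003' | Format-List
Get-ProfileMap | Format-Table -AutoSize
# Then, for the account with the highest RID, something like:
# Set-ProfilePath -Sid 'S-1-5-21-<machine SID>-1004' -ProfileFolder 'C:\Documents and Settings\oldname'
```

For the SID in the text, Get-SidParts reports revision 1, authority 5, machine SID 3718436116-2484245854-1656481220 and RID 1003 (an ordinary created account). Log off before calling Set-ProfilePath, as in step 4, and remember step 5: the new account still needs NTFS rights on the old folder if it is not an administrator.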

24 - Trap: Don't install Terminal Server in Windows Server 2003 if all you want is Remote Administration
With Windows Server 2000 you are given 2 options when you install Terminal Server: Application Mode and Administration Mode. Administration Mode is great for remote controlling servers and it comes with 2 free connection licences. Application Mode requires a sackful of licences, plenty of server muscle and is usually best left alone. I've written about this at greater length here.

If you choose to install Terminal Server in Windows Server 2003 you don't get a choice: it just installs in Application Mode. Stop, don't do it. It will work for 120 days after which, if you haven't installed a licence server and purchased some Terminal Server Client Access Licenses, it will stop working and you'll get one of these in your Event Viewer every day:

Worse still, if you then go to Add and Remove Programs to remove Terminal Server you get this warning:-

It's a brave person who clicks "Yes" to this.

You've now also blown your grace period if you ever do want to use Terminal Server in Application Mode.


25 - Tip: Do a System State Backup on your PC - Right Now!
A System State Backup is an option built-in to the backup program included with Windows 2000/XP/2003. It backs up all of Windows' important system files so that the current "system state" can be restored at some future date. Sure, this is a good idea for people that look after servers and take backups seriously but that's not why I want you to do it, once only, right now. In fact you could delete the backup file when it's finished.

During a System State Backup, after all the files have been backed up, the backup program does one final job: it copies the current Registry files to c:\windows\repair

When a Windows system has become so badly messed up by a virus, spyware or some other mishap that it won't boot to the Desktop then sometimes the only thing that can be done is to restore the Registry files from c:\windows\repair by using the Recovery Console or some 3rd party utility.

Unfortunately the Registry backup files usually date back to the day Windows was installed, as the installation process also makes a backup of the Registry to c:\windows\repair (c:\winnt\repair for Windows 2000 and systems that have been upgraded from 2000).

If those original repair files have to be used then it can take a lot of work reinstalling programs etc. to get your system into a usable state again. If your system is working fine right now and you use the System State Backup process to copy your current Registry files to the repair folder then, come that black day, you can recover back to how your system is today which will be much more useful.

So click Start - Programs - Accessories - System Tools - Backup

Select the Backup tab and put a tick next to System State

Accept the default backup destination of the file C:\Backup.bkf

Click Start Backup on the main window and then again on the pop-up

and after about 5 minutes you're done.

Backup.bkf could be up to 500MB so keep it or delete it, it's up to you.

The Registry files in the repair folder also contain the logon passwords current at the time they were copied so if something goes wrong with your password you can use these files as a way back into Windows.
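The following is an added example, not part of the original page, that runs the same System State backup from the command line with ntbackup.exe and then shows what you actually gained: the timestamps of the Registry copies in the repair folder before and after. It assumes Windows PowerShell on Windows 2000/XP/2003 (ntbackup.exe is not present on later versions), an elevated session, and the documented ntbackup command line; the function names and the list of hive file names checked are this example's own.

```powershell
# Added example, not from the original page. Runs the System State backup with
# ntbackup.exe (Windows 2000/XP/2003 only) and reports whether the Registry
# copies in %SystemRoot%\repair were refreshed. Windows PowerShell, run elevated.

$RepairDir = Join-Path $env:SystemRoot 'repair'
# Hive copies kept in the repair folder. SAM holds the password hashes the text
# refers to, so the folder and the .bkf file need the same protection as the live Registry.
$HiveFiles = 'system', 'software', 'sam', 'security', 'default'

function Get-RepairHiveAges {
    # One row per hive copy: when it was written and how many days old it is.
    foreach ($name in $HiveFiles) {
        $path = Join-Path $RepairDir $name
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Hive    = $name
                Copied  = $f.LastWriteTime
                AgeDays = [int]((Get-Date) - $f.LastWriteTime).TotalDays
                SizeMB  = [math]::Round($f.Length / 1MB, 1)
            }
        } else {
            [pscustomobject]@{ Hive = $name; Copied = $null; AgeDays = $null; SizeMB = $null }
        }
    }
}

function Backup-SystemState {
    # Equivalent of ticking "System State" on the Backup tab and clicking Start Backup.
    param([string]$BackupFile = 'C:\Backup.bkf')
    $ntbackup = Join-Path $env:SystemRoot 'system32\ntbackup.exe'
    if (-not (Test-Path -LiteralPath $ntbackup)) { throw 'ntbackup.exe not found; this applies to Windows 2000/XP/2003 only' }
    $before = @(Get-RepairHiveAges)
    $argList = "backup systemstate /j `"Repair refresh`" /f `"$BackupFile`""
    Start-Process -FilePath $ntbackup -ArgumentList $argList -Wait
    $after = @(Get-RepairHiveAges)
    # Report which hive copies now carry a newer timestamp than before the run.
    for ($i = 0; $i -lt $HiveFiles.Count; $i++) {
        $refreshed = ($after[$i].Copied -ne $null) -and
                     (($before[$i].Copied -eq $null) -or ($after[$i].Copied -gt $before[$i].Copied))
        [pscustomobject]@{
            Hive      = $HiveFiles[$i]
            Before    = $before[$i].Copied
            After     = $after[$i].Copied
            Refreshed = $refreshed
        }
    }
}

Get-RepairHiveAges | Format-Table -AutoSize
# Backup-SystemState    # takes around 5 minutes and writes C:\Backup.bkf
```

Run Get-RepairHiveAges on its own first: an AgeDays figure in the hundreds is exactly the "dates back to the day Windows was installed" situation the text describes. After Backup-SystemState every row should show Refreshed = True; if one does not, the repair copy for that hive is still the old one and a Recovery Console restore would take you back that far.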


26 - Tip: Set Important Services to Restart on Failure
A service is a program that runs in the background on a Windows computer irrespective of whether anyone is logged on.

Services normally perform important functions, especially on servers.

For every service, you can set a recovery option which tells Windows what to do if a service crashes. Services shouldn't ever crash and if they do the best solution is to find the cause and remedy it. I had a situation where a firewall program, running as a service, crashed every few weeks and needed to be manually restarted to restore Internet access to a whole office. The firewall service was an otherwise fine program that had some minor bug which caused users inconvenience every few weeks. When I set the service to automatically restart after a crash the inconvenience to users disappeared. The firewall service still crashed but was back running again a minute later.

Windows' default recovery option for a failed service is:-

Take No Action

To view the services running on a computer click Start - Run and type services.msc and click OK. This displays an alphabetical list of the services. If you right-click on a service and choose Properties and click the Recovery tab you see the following:-

The four Recovery options are:-

Take No Action

Restart the Service

Run a Program

Restart the Computer

My tip is, if you have an important service that occasionally fails or you just want to play safe, set the service recovery options as follows:- First failure, Second failure and Subsequent failures all set to "Restart the Service", with "Restart service after" set to 1 minute.

Now, every time the service crashes, Windows will restart it after a minute.

(Because the same action is being taken every time, you don't have to worry about the "fail count".)

The recovery option that Microsoft has set for the Remote Procedure Call service is to restart the computer after a 1 minute warning.

The Blaster worm, in 2003, caused this service to fail and people were locked into a loop of their computers rebooting.

A legitimate reason for restarting the computer when a service fails is if the service is absolutely vital to the computer's job and you think a reboot will have a better chance of preventing the service crashing again than simply restarting it.
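The following is an added example, not part of the original page, that does the Recovery tab work from the command line: it finds services that start automatically but are still set to "Take No Action", and applies the tip (restart the service after one minute on every failure) with sc.exe, which is Windows' own command-line interface to the same settings. It assumes Windows PowerShell in an elevated session and that sc.exe prints its action names in English (RESTART, REBOOT); the function names and the Automatic-only filter are this example's own choices.

```powershell
# Added example, not from the original page. Finds Automatic services still set
# to "Take No Action" and applies the tip (restart the service after one minute)
# with sc.exe, the command-line equivalent of the Recovery tab. Windows PowerShell,
# run elevated; assumes sc.exe prints its action names in English.

function Get-ServiceFailureActions {
    param([Parameter(Mandatory)][string]$Name)
    $out = & sc.exe qfailure $Name 2>&1
    # sc.exe lists RESTART, RUN PROCESS or REBOOT for each configured action.
    [pscustomobject]@{
        Service = $Name
        Restart = [bool]($out -match 'RESTART')
        Reboot  = [bool]($out -match 'REBOOT')
        Raw     = ($out -join "`n")
    }
}

function Get-UnprotectedAutoServices {
    # Services that start automatically but have no restart or reboot action at all,
    # i.e. Windows' default of "Take No Action".
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto'" |
        ForEach-Object { Get-ServiceFailureActions -Name $_.Name } |
        Where-Object { -not ($_.Restart -or $_.Reboot) }
}

function Set-ServiceRestartOnFailure {
    param([Parameter(Mandatory)][string]$Name, [int]$DelaySeconds = 60)
    $ms = $DelaySeconds * 1000
    # reset= 0 clears the failure count straight away, so the same action is taken
    # on the first, second and every subsequent failure, as in the tip. sc.exe
    # needs the space after each "=".
    & sc.exe failure $Name reset= 0 actions= "restart/$ms/restart/$ms/restart/$ms"
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned $LASTEXITCODE for '$Name'" }
    Get-ServiceFailureActions -Name $Name
}

Get-UnprotectedAutoServices | Select-Object Service | Format-Table -AutoSize
# Example: Set-ServiceRestartOnFailure -Name 'Spooler'
```

Treat the list from Get-UnprotectedAutoServices as candidates, not a to-do list: the text's point stands that a crashing service should be fixed rather than papered over, and the Blaster experience above is the reason this example only ever sets a restart-the-service action, never a reboot.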


Some Tricky Windows 2000/XP/2003 Problems & Their Solutions

PROBLEM: There are no files listed in the Recent Files entry on any program's File Menu or the Recent Files option is greyed out.
SOLUTION: Change the binary registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory from 01 00 00 00 to 00 00 00 00 (regedit shows this as "0000 01 00 00 00"; the leading 0000 is just the byte offset).

PROBLEM: All MSI installer packages progress right to the end of the installation process before giving up with an error message. The progress bar then goes backwards and uninstalls itself.

SOLUTION: Initially I used Task Manager to end the install program while the error message was showing and found the program had successfully installed. The proper solution is to set the NTFS permissions on the C:\Winnt\Installer folder to Full Control for administrator and system.

PROBLEM: In Control Panel - Add/Remove Programs - Windows Components the usual options like Accessories, Games and Multimedia are missing.

SOLUTION: Edit the file C:\WINNT\Inf\Sysoc.inf and remove all occurrences of the word Hide (leave the commas).

PROBLEM: In Windows XP that pesky Windows Messenger icon won't go away from the notification area. Deleting it from the list of start-up programs in the registry doesn't work as it mysteriously returns.

SOLUTION: Move the file MSMSGS.EXE from C:\Program Files\Messenger to a new folder you create such as C:\Program Files\Messenger\Temp

Delete it if you want but some day you might become a convert to Instant Messaging. The file may still reappear after using the Windows Update website or applying a Service Pack, so then just move it again.

If you read your Hotmail account using Outlook Express you need to leave Windows Messenger running for this to work.