Tricks & Traps: Ask Dr. Bob (November 2000)

Article from Windows 2000 Magazine

By Bob Chronister

Q: I'm running a mixed environment of Windows 2000 and Windows NT machines. (NT remains our primary server platform.) I've just inherited the network and need to add some new computers and delete some old ones. What's the best way to accomplish this task?

A: Believe it or not, all you need is the tried-and-true DOS batch file that lets you add workstations and servers that are not domain controllers. You simply use the command-line utility called Net Computer. The syntax for its use is

net computer \\computername

You can use the /add or /delete switch. In the following example, the utility adds four new machine accounts to the domain:

net computer \\bob1 /add

net computer \\bob2 /add
net computer \\bob3 /add
net computer \\bob4 /add
net computer \\NT5 /add

To add machine accounts to the Server Manager database, run this utility on the PDC. An administrator can easily synchronize these accounts to a BDC. If you use the /del switch instead of the /add switch, you'll remove the machine accounts from the domain.

Q: Considering the recent frequency of systems destroyed by intruders, I need to add security to my Windows NT systems to help prevent open ports. Should I implement C2 security for as many ports as possible?

A: The basic NT architecture presents an inherent vulnerability. A user-mode program can listen to TCP port 139, as well as UDP ports 137 and 138, which NT services use. The culprit is netbt.sys (i.e., NetBIOS over TCP/IP), which opens these ports. This problem exists on all systems running NT 4.0 Service Pack 6a (SP6a) or earlier.

Fortunately, a post-SP6a hotfix or C2 update handles the problem, in conjunction with a Registry change. To obtain the Netbt-fix, go to https://support.microsoft.com/default.aspx?scid=kb;[LN];244599. Then, go to the HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \NetBT \Parameters Registry key and modify (or create) the value EnablePortLocking of type REG_DWORD. The default value of 0 allows file share access, whereas a value of 1 disallows file share access.

After you apply the Netbt-fix and set the value of EnablePortLocking to 1, the system denies user-mode programs access to the aforementioned TCP and UDP ports, and C2 compliance is enabled. C2 security dictates that any unprivileged user-mode program shouldn't be able to listen to the TCP and UDP ports. This rule holds regardless of the encryption placed on the NT service traffic using these ports. (By default, Windows 2000 doesn't allow file share access to the ports.)

Q: My company has notebook PCs from several manufacturers. All the notebooks run Windows NT 4.0. Some of these machines use the TrackPoint device, and some use the touchpad device. However, I notice problems when I use a mouse on these systems. Every once in a while, the mouse pointer goes insane: Screens open randomly, the notebook starts beeping, and finally the pointer simply disappears. Do you know what is happening?

A: I've seen this behavior in notebooks that use the IBM PS2 TrackPoint driver and TrackPoint configuration software. Changing the mouse driver or uninstalling the software won't help. To solve your problem, open the TrackPoint application and set the scrolling type to None.

Q: My company uses the IMP80 Oracle command-line import utility on Windows NT Workstation 4.0 machines running Service Pack 6 (SP6). The machines contain 512MB of RAM. I keep getting Unable to allocate enough memory for statement messages—for a 30MB database. I tried increasing the system's virtual memory to 1024MB, but the problem remains. What am I doing wrong?

A: When large database programs such as Oracle import a database, they attempt to occupy space in virtual memory simply because the space is available. Set your virtual memory to at least 2GB, and the import should proceed as usual.

Q: I can't get my ATI Technologies 3D PRO TURBO video card to accept resolution greater than 640 * 480. Can you tell me how to get better resolution?

A: You need to obtain an updated driver from the ATI's Web site (https://mirror.ati.com/support/driver.html). Download the Windows NT driver version 3.1.76 or later display driver set. The driver set's entire filename is Windows NT 4.0 NT40-176.exe Size: 499K Date: 02-27-97. The self-extracting file contains the latest ATI display driver for NT 4.0. You use the standard NT configuration utilities to install and configure the display driver. Or simply buy a more recent video card—they're not very expensive.

Q: My company's engineering department is looking into new source-control tools. We're currently using Microsoft SourceSafe, but we need a Change Management (CM) tool that works well in a heterogeneous environment. We also need a tool that has hooks into niche compilers such as the ARM Developer Kit. Do you have any experience with Windows NT-based source-control tools such as Rational Software's ClearCase?

A: I've worked with ClearCase before. Although early versions of ClearCase require a UNIX backend if you use it in a mixed OS environment, version 4.1 overcomes this requirement. You can now run ClearCase from an NT server in a mixed OS environment.

ClearCase is a powerful tool that goes beyond source control. I would consider ClearCase more of a process-control tool with CM capabilities. Rational Software's ClearQuest builds on ClearCase by integrating strong project-management functions. Rational Software has been around for a long time and is well respected in the source-control arena.

If you're looking for a source-control tool that runs with an NT back end, take a look at Starbase's StarTeam. StarTeam doesn't have hooks into the ARM Developer Kit, but you can still use Windows Explorer to check software in and out. StarTeam offers a UNIX client that you can run from the command line or from a Java-enabled browser.

Q: I need to upgrade my IBM ThinkPad 600's hard disk. I upgraded the hard disk once before by simply purchasing a new disk and reinstalling the OS and applications. However, I don't want to go through that process again because I have too much invested in my current configuration. Do you recommend Symantec Ghost?

A: If you use Ghost, you'll need to attach your existing disk and your new disk to a PC to replicate the existing disk. A better option might be to consider some of the new hard disk upgrade kits on the market. Many of these kits come with a PC card and software that let you replicate your old disk onto the new disk. The kits work with Windows 2000, Windows NT 4.0, and Windows 9x. I've used the Kingston StrataDrive kits to upgrade disks in the IBM ThinkPad 600E and 560 without difficulty.

If you obtain a large disk for the ThinkPad 600, make sure you have Logical Block Addressing (LBA) support. (LBA is a BIOS enhancement that lets you use large disks.) Hard disk upgrade kits will upgrade your disk regardless of whether you have LBA support, and you might not realize the disk isn't working properly until too late.

Q: I recently lost my Web server to a Windows NT blue screen, and I didn't have a backup. The server, which was running SQL Server 7.0, has a RAID controller that NT doesn't natively detect, and if I use the manufacturer's automated installation process, the system will reformat the primary disk and I'll lose any chance of recovering the database. I'm considering installing Windows 2000, which has native drivers for the RAID controller. Can I then rename the old SQL Server directories, install SQL Server into the default directory, and name the old directories back to the default install name?

A: This workaround rescued me from disaster a few times when I was running SQL Server 6.5. Unfortunately, the process won't work in SQL Server 7.0. SQL Server 7.0 contains a few stored procedures that can address your problem, but you need to perform a few preparatory tasks.

First, go ahead and get either Win2K or NT 4.0 running on the server again without reformatting the disks. Second, rename your old SQL Server directories and reinstall SQL Server. Next, copy your old .mdf and .ldf files from your database to the SQL Server data directory. You can manually type this query in ISQL/w, but an easier way to accomplish this task is to bring up SQL Server Books Online and perform a search for SP_attach_db. When you search the body of the stored procedure description, you'll see the following sample script:

exec sp_attach 'pubs',
 'C:\mssql7\data\pubs.mdf',
 'C:\mssql7\data\pubs_log.ldf'

Take the sample script and substitute the listed "pubs" database with your old database name. Also, change the file path names to the renamed SQL Server directories that you created. Now, run the query. Your database should be live again. For this workaround to work properly, you need to keep the database names consistent. To get your Web server running again, you might need to recreate the database's Data Source Name (DSN).

Bob Chronister is a contributing editor for Windows 2000 Magazine and president of Chronister Consultants in Mobile, Alabama. He is coauthor of Windows NT Backup and Recovery (Osborne/McGraw-Hill). You can reach him at bob@win2000mag.com.

The above article is courtesy of Windows 2000 Magazine. Click here to subscribe to Windows 2000 Magazine.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.

Click to subscribe