The Mole #7: Technical Answers from Inside Microsoft - Active Directory, SBS Install, Securing Windows 98, SMS Servers

April 15, 1999

Editor's Note: The questions and answers below are from the Inside Microsoft column that appears regularly on the TechNet Web site (https://www.microsoft.com/technet). To find out how to submit questions of your own, see the end of this article or go to https://www.microsoft.com/technet/community/columns/insider/default.mspx.

The TechNet Mole provides expert answers from deep within Microsoft to questions from IT professionals. The sixth installment focuses on these issues:

  • Active Directory for Win98

  • Small Business Server Install Problem

  • Securing Windows 98 Machines

  • SMS Server—Rebuilt and Confused

  • Ordering Video Drivers with Plug N Play

  • Drive Mapping Dilemma

  • Back Talk—IT Pros Share Solutions on:

    Migration Tricks

    Rebuilding NT on an Unlike Server

    Rebuilding NT on an Unlike Server, take two

Active Directory for Win98

Dear Mole:

Having installed NT5 (beta 2) Active Directory, I can't seem to find how to make Active Directory work for Win98. The Win98 workstation can "ping" the IP address of the server, but the workstation cannot gain access to the server on the network.

King Ping

Your Highness:

To make sure your Windows 95 or 98 computers work properly with a computer running Windows 2000, you'll need to verify that the Windows 95 or 98 computer has the latest Internet Explorer 4.0 client installed and that the Active Desktop feature has been enabled. Once this is done, you can install the Active Directory client from the Windows 2000 beta CD. The setup files are located in the \Client\Win9X folder and the file is called Dsclient.exe. Once you have installed the client and rebooted, you should be able to log on to a computer running Windows 2000. For your reading pleasure, you can find white papers on the subject on TechNet or on the Web at:

SBS Install Problem

Dear Mole:

I am attempting to load & configure Small Business Server for a customer. Resolving this problem is crucial since we are performing a full turnkey installation for 25 workstations. I will also be installing a modem pool, a DSL Internet site setup with hubs, a router, all wiring, etc. While loading SBS error messages issued are:

A connection could not be made to the remote directory service, possibly due to network failure. Be sure that both directory services are running and that your network is available, and then try again.

Microsoft Exchange Server Setup

ID no: c1030b11

These are issued during initial setup and the server is plugged into a hub. I would try another set of CDs but we do not sell this item often enough to have another copy available. Later in setup the message:

Setup could not stop the service W3svc Error=1052

Proxy Setup did not end successfully.

Up to now, no error messages have stopped installation so I have been continuing. But after all questions have been answered the system starts "copying files ..." while the transfer messages icon is working. Within 5 minutes the CD stops being read but the icon continues. I have left it all night to be sure but a manual cancellation is always required. Have you heard of such problems?

John Eldred, NCS Technologies

Dear John,

It may seem like a lot of different stuff is going wrong here, but a search of previous support cases leads me to suspect you have just one problem wearing several different masks. When other users have reported almost identical symptoms and error messages, the problem has turned out to be either a failed NIC or out-of-date adapter drivers. Anecdotal evidence indicates that when one or both is replaced, it becomes impossible to reproduce the error messages you've noted, which is always a good sign. If this doesn't solve the problem, check out these Knowledge Base articles:

  • 159485: XADM—Troubleshooting Setup Problems Joining an Existing Site

  • 149931: XADM—Setup Cannot Connect To Remote Directory Service

  • 186282: SBS Error—Proxy Setup Did Not End Successfully

Securing Windows 98 Machines

Dear Mole:

I'm currently working for a company that is very security conscious. But, for some reason unknown to me, when purchasing new workstations they ordered them with Windows 98 instead of NT workstation. My question is: How can I secure these machines? Are there any solutions available to me?

Seeking Security

Dear SS:

I sympathize with your quest for security in this uncertain world. What I can't tell, though, is from whom you wish to be protected. Are we talking about somebody sneaking into your office and exploring your hard drive while you're at lunch, or is this about a network access situation?

If you're trying to keep an unauthorized user from gaining access to the information stored on your computer while you're not around, you can enable the screen saver feature of Windows 98 and apply a password to the saver. Several third-party screen savers also offer this type of security.

If you want to secure these computers while they're attached to your network, you'll need to set up the proper user accounts on your Microsoft Windows NT domain to ensure that users are validated by logging on to an NT server. This will allow you to implement logon scripts, policies, and profiles that can further enhance the security of your network. The Microsoft Windows 98 Resource Kit, which comes with its own CD-ROM, is especially helpful on implementing Windows 98 security features in an NT environment. You can order it through the following Microsoft Web site:

For further information on configuring policies, profiles, and logon scripts, check out these Knowledge Base articles (or read Guide to MS Windows NT 4.0 Profiles and Policies on TechNet):

  • 161334: Guide To Windows NT 4.0 Profiles and Policies (Part 1 of 6)

  • 185587: Guide To Windows NT 4.0 Profiles and Policies (Part 2 of 6)

  • 185588: Guide To Windows NT 4.0 Profiles and Policies (Part 3 of 6)

  • 185589: Guide To Windows NT 4.0 Profiles and Policies (Part 4 of 6)

  • 185590: Guide To Windows NT 4.0 Profiles and Policies (Part 5 of 6)

  • 185591: Guide To Windows NT 4.0 Profiles and Policies (Part 6 of 6)

You'll also want to make sure that your Windows 98 computers have the latest product updates, especially security hotfixes. These can be obtained from:

For general security-related information, visit the Microsoft Security Web site at:

A white paper on Microsoft products and security can also be accessed at the following Microsoft Web site:

After you've mastered all of the above, it may well be time to ask for a raise.

SMS Server—Rebuilt and Confused

Dear Mole,

We had to rebuild our SMS Server. Since then two things keep happening.

Problem one: I am getting about 15 users that keep getting double entries. I delete them daily but the next day they are back. I realize that the SMS.ini needs to be accessed three times before it changes domains but as you see below we are removing the SMS.ini and are starting over.

Problem 2: When we rebuilt the SMS Srv we changed the site code, I modified the SMSLS.Bat to remove the SMS.ini and also the Uinfo.xnf and the Uinfo.sev. It then reinstalls SMS, puts a new SMS.ini and uinfo.xnf. So far that has been working out fine. The problem we are having is, Package command keeps locking up the server looking for the old site. Where can I change this? I removed all references to the old site on all of our logon Srvs by removing the SMS entries in the registry. I am still new with SMS (6 months) so it is very possible I have missed something. Likely, even.

SMS Rebuild

Answer one: Your users are getting double entries because as far as SMS is concerned, they are two different machines. SMS uses a unique identifier to identify the machine (the smsid). This ID is stored in the SMS.INI. If the INI file is removed from the client, the client gets reinstalled with a new ID. The database reflects the old and the new client, hence the double entries. You may need to manually clean up the entries.

It may be that something is also wrong with the Smsls.bat file, and the Sms.ini file is being deleted one too many times. You may also want to read these KB articles:

  • 127052: SMS Unique ID (SMSID) Allocation

  • 183398: Duplicate SMS IDs Exist After a Package Is Deployed

Answer 2: From what you say, it sounds like the reinstall procedure may be incorrect. Package Commander (PCM) gets its info from the SMS.INI. Your SMS.INI may be pointing to the old site and may not have been removed as you think it has. Try uninstalling your clients using the Deinstall.bat file, and then reboot as prompted, rather than using the method you have outlined. You can also check the SMS.INI for PCM services server locations, and User Manager for its account properties.
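The duplicate-record situation described in Answer one, as an added example that is not part of the original column or of SMS itself: it groups an inventory export by machine name, treats the newest SMSID as the live client, and lists the older IDs as candidates for manual cleanup. The CSV layout, column names, machine names and ID values are all constructed for illustration.

```python
"""Added example: spot duplicate SMS client records by machine name."""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export: machine name, SMSID, date of last inventory.
# Column names and ID values are invented for this example.
SAMPLE_EXPORT = """\
machine,smsid,last_inventory
ACCT-01,OLD00017,1999-02-26
ACCT-01,NEW00003,1999-03-29
LAB-07,OLD00021,1999-02-25
LAB-07,NEW00009,1999-03-27
LAB-07,NEW00031,1999-03-28
LAB-07,NEW00044,1999-03-29
FRONT-02,NEW00005,1999-03-29
"""


def load_records(text):
    """Return {MACHINE: {smsid: latest inventory date}} from the export."""
    by_machine = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        name = row["machine"].strip().upper()  # machine names compare case-insensitively
        smsid = row["smsid"].strip()
        seen = date.fromisoformat(row["last_inventory"].strip())
        previous = by_machine[name].get(smsid)
        if previous is None or seen > previous:
            by_machine[name][smsid] = seen
    return by_machine


def find_duplicates(by_machine):
    """Report machines that appear under more than one SMSID.

    The newest ID is the live client; older IDs are left-over entries to
    review and delete by hand. More than one stale ID means the client was
    reinstalled repeatedly, which points at SMS.INI being removed on
    successive logons.
    """
    report = {}
    for machine, ids in by_machine.items():
        if len(ids) < 2:
            continue
        ordered = sorted(ids, key=lambda s: (ids[s], s))  # oldest first
        report[machine] = {
            "current": ordered[-1],
            "stale": ordered[:-1],
            "reissued": len(ordered) > 2,
        }
    return report


if __name__ == "__main__":
    for machine, info in sorted(find_duplicates(load_records(SAMPLE_EXPORT)).items()):
        note = " (ID reissued repeatedly, check SMSLS.BAT)" if info["reissued"] else ""
        print(f"{machine}: keep {info['current']}, review {', '.join(info['stale'])}{note}")
```

A machine flagged as reissued is the case the answer warns about, where the logon script deletes SMS.INI more often than intended.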

Ordering Video Drivers Under PNP?

Dear Mole:

Is it possible to manipulate the drivers that Plug and Play "sees" when updating?

I need to install a large variety of different video cards in machines. I HAVE to set the existing video driver to "vga", on some cards prior to replacing the card or the new card setup will fail. Not pci vga, or xvga, or anything else. For the new driver to work I really need to try to use this driver first. ATI setup, go figure....

Now when I look at all video drivers, on some machines the 800x600 driver is there, and not on others. It also can be there once and "disappear". What's happening? How does Windows establish the list of existing drivers on its menu? Can I remove the data or manipulate it in any way? Can you give me an article or URL that will deal with this topic?

Driver Dick

Dear Dick:

First, let it be noted that it's harder to find out if the proper name is Plug and Play or Plug n Play than it is to troubleshoot the process itself. In any case, here's the way driver detection works. Each card is assigned an I/O address range which is reserved for that card. These are enumerated according to that range. This usually corresponds to the physical arrangement of the cards on the bus. One by one, the address ranges are loaded via the Configuration Address Port and the possible resource utilization catalogued. The bus arbiter (built into the chipset) then assigns resources based on rules drawn from the PNP specification. Still, NT has no control over the order. It takes them as they come.

That said, most of the relevant information is in the Registry under HKLM/SYSTEM/CurrentControlSet/Services. Do we need to repeat our grave warning about messing with the Registry? Yes, we do. You do it at your own risk, with no official blessings from the Microsoft Corporation. The only supported method for changing the video driver is to use the GUI to install the driver, or alternatively, to use NT Setup or unattended setup, not such a bad idea since you're installing several machines anyway.

You can find a good overview of the subject in Chapter Sixteen of PCI System Architecture, written by Tom Shanley and published by MindShare, Inc. The Microsoft Driver Developer Kit (DDK) is also worth consulting.

These Knowledge Base articles should be helpful, too, especially if you choose unattended setup:

  • 126690: Windows NT 4.0 Setup Troubleshooting Guide

  • 191612: Installing Multiple Third-Party OEM Video Drivers

  • 191602: Bypassing Display Adapter Autodetect during Unattended Setup

  • 156344: Plug and Play Devices Not Detected or Installed

Hot web resources include:

Drive Mapping Dilemma

Dear Mole,

I have a network environment. I am using Windows NT 4.0 Sp4 Server with Windows 98 workstations. I have all my student user accounts in the server. How can I make Windows 98 use them to map to their home directory on the server and make my Office 97 products map there as well?

Mr. Unmapped, aka John White, Network Admin—Quanah ISD

Dear John,

The short answer is that you'll need to create a logon script for the users (to be placed in the NetLogon share) and then configure User Manager to point the individual accounts to the logon script. This is done using the Profiles button after you have selected the Properties display for each individual user. But of course, when it comes to IT, there really is no such thing as a short answer. Take a deep breath and think on these things:

  • You must configure Client for Microsoft Networks as the Primary Network Logon client if you want to take advantage of user profiles for configuring or managing custom desktops on a Microsoft network, or if you want users to use system policies stored on a Windows NT server.

  • To share resources with computers running other Microsoft networking products, the computers must be running a common protocol.

If you set Client for Microsoft Networks as the Primary Network Logon, the computer downloads system policies and user profiles from the Windows-based network, and the first logon prompt that appears is for the Windows NT network. Also, if more than one network client is installed, the last logon script is run from Windows NT (or LAN Manager, depending on your network).

In the Network option in Control Panel, you can specify logon validation and resource connection options. If you enable logon validation, Windows 98 automatically attempts to validate the user by checking the specified domain. You must enable this option if you want to gain access to user profiles and system policies on a Windows NT domain. If logon validation is required on your network but is not enabled on your computer, you might not have access to most network resources. If logon validation is enabled and you do not provide the correct password, you might not have access to network resources.

You can also set logon validation by using system policies. With system policies, you can prevent the user from booting Windows 98 until the user is validated by either a Windows NT server or a NetWare server. For more information, see Chapter 8: System Policies in the Microsoft Windows 98 Resource Kit.

Policies and profiles are a first rate way of securing networks in school environments. One school district IT manager told Mole that it took his sharpest students the better part of a school year to hack his system, and by then, he'd won their loyalty so they didn't do any real damage once they got inside.

For further information on configuring policies, profiles, and logon scripts, check out these Knowledge Base articles (or read Guide to MS Windows NT 4.0 Profiles and Policies on TechNet):

  • 161334: Guide To Windows NT 4.0 Profiles and Policies (Part 1 of 6)

  • 185587: Guide To Windows NT 4.0 Profiles and Policies (Part 2 of 6)

  • 185588: Guide To Windows NT 4.0 Profiles and Policies (Part 3 of 6)

  • 185589: Guide To Windows NT 4.0 Profiles and Policies (Part 4 of 6)

  • 185590: Guide To Windows NT 4.0 Profiles and Policies (Part 5 of 6)

  • 185591: Guide To Windows NT 4.0 Profiles and Policies (Part 6 of 6)

There is also a great amount of useful information concerning this subject in the Resource Kit. You will want to pay special attention to the following chapters:

Chapter 16 of the Microsoft Windows 98 Resource Kit entitled "Windows 98 on MS Networks"

Chapter 18 of the Microsoft Windows 98 Resource Kit entitled "Logon, Browsing, and Resource Sharing"

Chapter 25 of the Microsoft Windows 98 Resource Kit entitled "Application Support"

Whew. That's a very long answer indeed. In hopes it answers the question you asked, and maybe a few you didn't.

Back Talk: IT Pros Share Solutions

Mole hails Martin, Joel, and Larry for taking the time and having the temerity to talk back. He hopes that henceforth this portion of his column will provide an occasional forum for the sharing of IT arcana.

Re: Migration Tricks

Hi Mole:

I read the query from Michael Russo regarding the mixed environment issue he has. We had the same problem during our migration from NetWare 3.12 to NT 4.

The answer we found was to use KiXtart (NT Server resource kit) to process login scripts. This clever little tool gave all of the functionality that NetWare does, i.e., drive mapping by group membership, and very few problems.

Martin O' Dowd, System Administrator, Memorex Telex Ireland Ltd.

RE: Rebuilding NT on an Unlike Server

Hi Molemeister:

I read your answer today to Bob Stary from Entex Information Services with great interest, as I am working up to migrating to NT, and D.R. is a big concern to me. I think IBM has info on their website about this type of recovery ("unofficially", of course) where they rebuild NT and restore from tape, but not restoring the original HAL. There may have been registry hacks, but it seemed simple enough to perform, not to the extent of figuring out the DISKS section, etc. The instructions took up about one ordinary sheet of paper.

Seems like someone here is missing a development opportunity... hmmm... How about a D.R. package that starts from a couple of floppies and an installation CD? or less?

Joel Bates, Systems Admin., Information Services Partner, Inc.

RE: Rebuilding NT on an Unlike Server, take two

Dear Mole,

The question from Bob Stary of Enterprise Consulting regarding disaster recovery (DR) of NT servers to unlike hardware struck a chord with me. I wanted to share my experience with this topic. The company I work for has a contracted hot site where we are to be deployed in the event of a disaster. We are deployed to test twice a year to make sure we are prepared. Because of the need of DR sites to constantly update their hardware, we may work with Compaq servers on one test, IBM Servers the next, etc. In order to accommodate this we have had to shift our focus slightly to achieve our objectives.

Rebuild, don't restore. NT is extremely difficult to restore to unlike hardware and no matter what process is developed to work with a given hardware setup it may not work with what you will receive in a true disaster. Create documentation (a script) that details what will need to be done to restore your data to another system with the same name, IP Address and so on. This may mean restoring the data and manually recreating some shares, working in DNS and WINS to reroute traffic, or any other workaround you can come up with. The objective is to get back on-line as fast as possible every time. In my case I must restore a Multiple Server Microsoft Exchange site with over 1200 users, an Enterprise wide FAX server, and file servers in less than 48 hours. This task seemed insurmountable at first but with a little practice on desktop computers loaded as servers we found ways to rebuild a server in most cases faster than doing a full restore. Using this method our restoration time for our Exchange site went from over 24 hours to less than 7 hours with Exchange Information Stores of 10 Gigabytes per server (and growing). We have reaped additional benefits from the shift in strategy. We no longer do image backups for our systems but rather focus on only the data. This allows us to complete backups more rapidly using fewer tapes. We are not backing up OS files using yards of tape to copy the same OS files again and again.

This has worked well for my company and has proven to be the only way to be successful consistently. Once an adequate script is written you will spend more time waiting for tapes to spin than troubleshooting once the tapes are restored.

Larry Rice, MCSE, Senior Support Analyst, NIBCO INC.

Got Questions? Mail the Mole

Communicate with Mole at [closed account]. Send him your toughest questions. And if you think you have a better answer than Mole's, or a different one, send that along, as well. Please include the following:

  • Your name

  • Your title

  • Your company

  • Your email address

  • Your question/solution/compliment

Credits

Keith Van Hulle, he the man.