Kevin Remde's IT Pro Weblog
IT Pro Resources
IT Pro Evangelist Blogs
Here, as promised, are the “Best of” Q&A from the Webcast I delivered on August 17, 2005 – “Windows Server 2003 System Administration, Part 1 of 2”.
If you didn’t see this webcast and would like to view it ON DEMAND, click here.
Don’t forget to take advantage of the Additional Resources I’ve posted. Also, be sure to sign up for (or view), PART 2, being delivered on August 24, 2005.
HUGE thanks to my teammates Chris Avis, Shawn Travers, and Harold Wong, for helping out with Q&A. These answers are their marvelous contribution to the webcast experience.
Hope you find these useful!
“What are knowledge levels 100/200/300? Is there a definition?”
100 is basic feature/benefit information, 200 is configuration/settings information, 300 is registry/service level configuration, and 400 level is bits/byte level understanding, network packet analysis, etc...
“IF I WANT TO SETUPAN AD? SHOULD I HAVE DNS CONFIGURED ON THE SAME MACHINE?”
When you run through the DCPROMO process to install an AD Domain Controller, you will be asked if you have DNS installed or wish to install a new DNS. In General you will have DNS installed to the DC itself. but it is supported when DNS is installed on another physical box.
“Thanks. what OI ment is should I Have DNS with AD, does AD can work witout DNS”
No. DNS is required for Active Directory to install and to operate.
“Can we add custom roles [in the Configure Server Roles / Manager Server Roles Wizards]?”
Sure. All it requires is ability to export/import configuration settings, or you can build a template from scratch, but you'd need to know a bit of scripting to do this.
“Why is it I can add "everyone" and " system" to folder permissions, however, If I try to search for these two accounts in AD, I can not see them”
These are default local machine accounts, every machine has them regardless of their domain membership.
“the audio is ahead of the screens...”
Fascinating. I was concerned that there was a significant audio DELAY over this webcast. If it really bothers you, try closing out of LM, clear your Internet Cache, and re-enter the meeting.
“Is it true that Windows Server 2003 R2 will offer more granular control over quotas?”
That is the current thinking, yes.
“I am in the process of setting up a new forest and will have a trust to my old NT domain (not a candidate for directly upgrading) Users in the 2k3 domain will have access to the NT resources but the opposite is not true. My printers are currently in the NT domain. Can I also set them up as resources in the new domain?”
Yes. Just make sure the correct trust direction is in place and then add users to groups and the groups to shares as normal
“I have a small network and my router plays the role of DHCP as well as my Internetb access for all my machines. If I install AD with a DNS, is there or can poibt me how to configure this AD/DNS”
You'll probably need to review the Windows Server 2003 Deployment Guide. 7Pay particular attention to the AD, DNS, and DHCP sections. For your convenience, here is a link to the DNS deployment information: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/7f6df44c-06c3-4b92-ba32-63d895a7924b.mspx
“Using dsadd, can I do a copy from an existing account?”
No, I don't believe this is possible. Check out http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/8d37ecb0-ac28-4e05-aa05-da82dc36b54b.mspx for more information.
“Is there a script that allows adding further UPN's or modifying upns?”
I don't know of a specific script off hand, but you can search for scripts at the Technet Scripting Center -- http://www.microsoft.com/technet/scriptcenter/default.mspx
“I am hearing significant audio delay during this webcast. How can I fix?”
Live Meeting support recommends disconnecting and then re-enter the Live Meeting session. If that doesn't help, turn your seat color to red and I will give you the back up phone info.
“Can we do a trust with a win2003 server standalone (not included in the ad) to a domain controlled by (one way or 2 way)?”
No, trusts are configured between domains only. The standalone server would need to be configured as a DC.
“Are there significant differences between using RIS for Server 2003 and XP?”
No, not anymore. Prior to W2K3, there were restrictions on servers, but now they are identical.
“any updates for the RIS Boot disk available (with more adapters inside)?”
Hmm...not really. It is really up to the hardware vendors to build adapters that work with the boot disk.
“Is it necessary to install the DHCP services? Will a router suffice?”
You can use any DHCP service. If your router is also handing out addresses to your internal network using DHCP, then it will work.
“Is that RIS Unique Computer name customizable?”
Absolutely. 100%. You can configure the names by static list, by prestaging MAC addresses to names in AD, or by allowing randomization of computer names. It's up to you and fully configurable. This is one of the big improvements over standalone image install using sysprep and 3rd party utilities.
“What do you do from a policy standpoint to allow a user install software on their own computer but not other computers and servers?”
In general a user must be a local administrator to install software on their own machine. Ensuring you are not allowing them to be administrators on other machines in the network is the primary step.
“What’s the proper way to backup a DC?”
This is a Windows 2000 article but it applies to Windows 2003 as well -- http://support.microsoft.com/kb/240363/
“When creating a trust for migration, is it necessary to disable SID filtering on both the target and source domains or just the target?”
It's okay to disable SID filtering on both the source and target, but only target is necessary.
“Can we use GPMC to manage XP workstation policies also?”
You can install the GPMC to an XP Machine, but it only manages Group Policy, not local policy. - http://www.microsoft.com/windowsserver2003/gpmc/gpmcfaq.mspx
“How to change the default menu within the RIS-Client-Installation-Wizard ? Some years ago there was a 3Com-Tool available, but unfortunately it disappeared “
That's a good question. I'm actually not aware of any new products that allow customization of the menu.
“Is it possible to automatically deploy different images to different computers, based on which part of the network they were plugged in at, or certain group membership, or any other criteria?”
No, the administrator who logs onto the machine picks the appropriate image after booting to the network card. The list of images that the administrator sees can be limited using permissioning to the administrator account.
“Which one would have a higher priority on GPO >> User Configuration or Computer Configuration?”
Computer Configuration trumps User Configuration for conflicts only. All settings that do not directly conflict will apply.
“Are you really sure, that ANY DHCP-Service (e.g. DHCP based upon a cheap Linksys-Router) will support the BootP-Protocol and provide the RIS-Installation-Wizard-Code over TFTP ? Can´t believe that ...”
If you are booting with a RIS disk, you can use ANY DHCP server to get an IP address. If your adapter is PXE enabled then you will have to make sure the DHCP provider is compatible - see the following for PXE interaction infromation -- http://support.microsoft.com/default.aspx?scid=kb;en-us;244036
“With Folder redirection, in an environment with multiple servers in multiple locations, is there a way for people who travel to different locations to retrieve their documents in a timely manor?”
Well, sure, you could use FRS (File Replication Service) to replicate the users "My Documents" folders to multiple locations. The user would then retrieve from the nearest copy.
“Can DSAdd create the exchange account too?”
DSADD cannot create the Exchange Mailbox within the Exchange enviroment.
“Related to RIS it´s not the problem to get an IP address from a non-Windows-DHCP-Server - the problem is to get Code over TFTP from that DHCP-Server ...”
I'm not sure I understand your question exactly. TFTP runs on the RIS server and is used to transfer the images to the RIS client. A separate DHCP server can be used for obtaining IP address, but it would not be able to run TFTP for the purposes of RIS.
“Can a GPO be applied to laptops that will turn on offline folders so that after redirection of My Documents they will have their docs availiable offline?”
Yes, there are two separate settings in your GPO....one setting redirects mydocs, and the other makes mydocs available offline.
“Is there a policy for setting the password for the local computer administrator to a given value for a group of machines?”
Unfortunately, there is no GPO setting that can do this. You can take advantage of scripts to peform this task.
“Can you describe "distinguished name"?”
Here is the technical description - http://www.faqs.org/rfcs/rfc1779.html -- it is essentially a name used in LDAP to identify a unique object
“Can a GPO be utilized to lockdown USB ports?”
No, hardware configuration should be done with WMI scripts, or you can buy a large stick of caulk to plug up those ports. :)
“;) thanks, that works too...(writes "caulk" on the shopping list)”
“Is there a GP Setting to restrict who can 'shutdown or restart a server?' ?”
Yes -- \computer settings\Windows Settings\Security Settings\Local Policies\User Rights Assignments\Shut Down the System
“When a computer is booted there is a noticeable amount of time where the applying policies message is displayed how can you determine if the delay is normal or if something is wrong. I have a small 6 user single server 100M network.”
You should only see an extensive delay after a significant change to a GPO. If you continue to see extensive delays, even after the policies have been allowed to run and apply, you have an issue. First place to check would be to make sure DNS is configured properly.
“Can u give me link regarding automating of adding/deleting objects in AD using VB scripts?”
The TechNet Script Center is a GREAT resource for this: http://www.microsoft.com/technet/scriptcenter/default.mspx.
“I’m not sure this is the proper discussion to ask this, but is there a method to allow 'users' to access the Terminal Services? ie. Not just domain admins. <we already bought proper licenses>”
Once the licenses are applied, you can use the Terminal Server Manager to determine the number of connections and who can connect.
“I see that that GPO user configuration settings will be worked on XP clients, but will work on W95/W98 clients?”
No, GPO settings will have NO effect on Win95/Win98 clients.
“Is it possible to give users group access through TS to a win 2003 sever without being in an admin group”
Absolutely. If you just want the user to be able to log on through Terminal Services, they do not have to be in the admin group. You just need to grant TS and local log on privileges to their account.
“What is the tool i can use to move exchange 5.5 mailboxes across different organization/site?”
This is built into the Exchange System Manager with Exchange 2003 SP1.
“For exchange 5.5 ?”
If you don't have Exchange 2003 SP1 installed in your environment, then you would need to use ExMerge.
“Will that support moving exch 5.5 mailbox?”
“Where can I find this Webcast recorded, So I can watch it again since it took me 1 hour to get connected???”
“Can Win2003 allow a non-administrator to run taskmgr, see any process and kill any process (admin like access without admin)? Win2k wouldn't show the "Show processes from all users" unless the user was in the administrator group.”
Should be the same for Windows 2003.
“I didn't listening a Webcast from a beggining - what need to be installed on client machine to run terminal server?”
If you have a WinXP client, you use the Remote Desktop Connection tool under Start --> Programs --> Communications, otherwise, there are terminal Server clients that are added to the Terminal Server upon installation that can be distributed to Non XP Clients -- http://support.microsoft.com/default.aspx?scid=kb;en-us;816590
Regarding Terminal Services....Which configuration will take precedence regarding sessiion (1)ADUC User Properties (2)GPO Machine Config (3)GPO Computer Config (4) Terminal Services Configuration
LSDOu - Local machine policies are lowest priority, Site settings next higher priority, Domain GPO's next highest priority, and OU GPO's are highest priority. ADUC User Properties don't really conflict with GPO's, but they would have a higher priority than GPO's, I suppose. TS configuration also doesn't conflict with GPO settings.