
Windows Tips & Tricks UPDATE--December 29, 2003

Windows Tips & Tricks UPDATE, December 29, 2003, brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
http://www.windows2000faq.com


This Issue Sponsored By

Argent Software
NETWORK TESTING LABS COMPARES MOM TO THE ARGENT GUARDIAN
http://www.argent.com/products/download_whitepaper.cgi?product=mom&&Source=WNT

FREE WHITE PAPER ON MONITORING AND ALERTING SOLUTIONS
http://www.argent.com/products/download_whitepaper.cgi?product=ema&&Source=WNT


1. Commentary

2. FAQs

  • Q. What domain group types are available in Windows 2000 and later?
  • Q. What's the best way of assigning permissions to users and groups in Windows 2000 and later?
  • Q. How can I change the default container in which Active Directory (AD) creates new users in Windows Server 2003?
  • Q. How can I change the default container in which Active Directory (AD) creates new computers in Windows Server 2003?
  • Q. How can I view the contents of the DNS resolution cache in Windows 2000 and later?
  • Q. How can I clear the contents of the DNS resolution cache in Windows 2000 and later?

3. Announcements

  • Take Our Print Publications Survey!
  • 2004 Dates Announced: Connections Conferences

4. Event

  • New--Microsoft Security Strategies Roadshow!

5. Contact Us

  • See this section for a list of ways to contact us.

1. Commentary
by John Savill, FAQ Editor

This week, I tell you which domain group types are available in Windows 2000 and later, the best way of assigning permissions to users and groups in Win2K and later, and how to change the default container in which Active Directory (AD) creates new users and computers in Windows Server 2003. I also tell you how to view and clear the contents of the DNS resolution cache in Win2K and later.


2. FAQs

Q. What domain group types are available in Windows 2000 and later?

A. Three types of groups are available in Win2K and later domains:

  • global--This group type can contain user and computer accounts from the group's domain. If you set the domain level to Win2K native or later, global groups can contain other global groups from the local domain.
  • domain local--This group type exists only on domain controllers (DCs) and is used to assign permissions to a DC's resources (for member servers, you'd use the standard local group type). Domain local groups can contain users and global groups from any domain in the forest. If you set the domain level to Win2K native or later, domain local groups can contain other domain local groups and universal groups.
  • universal--This group type is available only in Win2K native mode and later and belongs to the forest rather than to a specific domain. As a result, universal groups can contain users and global groups from any domain and other universal groups. You can give universal groups access to any resource in any domain.

Take care when using universal groups because Active Directory (AD) stores them in the Global Catalog (GC). Any change that you make to a universal group requires replicating the entire contents of the group to all GCs in the forest (in Windows Server 2003 forest mode, only the changes replicate to the GCs, which requires less replication traffic). Therefore, the best policy is to place only global groups in a universal group, which minimizes changes to the universal group's membership.

Q. What's the best way of assigning permissions to users and groups in Windows 2000 and later?

A. In general, the best way to assign permissions is by performing the following steps:

  1. Assign user accounts to global groups within the user's domain.
  2. Place global groups from any domain into universal groups.
  3. Place universal groups into domain local groups on the domain controllers (DCs), and place local groups on member servers and workstations.
  4. Assign permissions to the domain local groups or local groups as necessary to access the network resources.

One advantage of establishing this hierarchy is that universal group memberships are unlikely to change because they contain only global groups. A good way to remember this hierarchy is to use the following mnemonic device:

All Good Users Do Love Permissions

Accounts are placed in global groups, Global groups are placed in universal groups, Universal groups are placed in domain local groups, and Domain Local groups are assigned Permissions.
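The membership rules from the previous answer and the hierarchy above can be checked mechanically. The Python sketch below is an added example, not part of the original newsletter: it flags memberships that break the native-mode rules as this FAQ lists them, flags valid memberships that bypass the recommended hierarchy, and resolves which accounts end up with a domain local group's permissions. The directory contents, group names and domain names are constructed for illustration.

```python
# Added example: constructed data, hypothetical names throughout.
# name -> (kind, domain, direct members)
DIRECTORY = {
    "alice": ("user", "emea", []),
    "bob": ("user", "apac", []),
    "G-EMEA-Sales": ("global", "emea", ["alice"]),
    "G-APAC-Sales": ("global", "apac", ["bob"]),
    "G-Mixed": ("global", "emea", ["bob"]),        # account from another domain
    "U-Sales": ("universal", "emea", ["G-EMEA-Sales", "G-APAC-Sales"]),
    "U-Adhoc": ("universal", "emea", ["alice"]),   # account placed directly
    "DL-SalesShare": ("domain_local", "emea", ["U-Sales"]),
    "DL-Legacy": ("domain_local", "emea", ["bob"]),
}

# Member kinds each scope may hold in native mode, as the FAQ lists them.
MAY_CONTAIN = {
    "global": {"user", "computer", "global"},
    "universal": {"user", "global", "universal"},
    "domain_local": {"user", "global", "universal", "domain_local"},
}
# Member kinds the recommended hierarchy expects at each level.
AGUDLP = {
    "global": {"user", "computer"},
    "universal": {"global"},
    "domain_local": {"universal"},
}

def audit(directory):
    """Return (group, member, verdict) for each invalid or off-pattern membership."""
    findings = []
    for name, (kind, domain, members) in directory.items():
        for member in members:
            m_kind, m_domain, _ = directory[member]
            # Global groups only take members from their own domain.
            same_domain_ok = kind != "global" or m_domain == domain
            if m_kind not in MAY_CONTAIN[kind] or not same_domain_ok:
                findings.append((name, member, "invalid"))
            elif m_kind not in AGUDLP[kind]:
                findings.append((name, member, "off-pattern"))
    return findings

def effective_users(directory, group, seen=None):
    """Resolve nested membership to the user accounts that inherit the group's permissions."""
    seen = set() if seen is None else seen
    users = set()
    for member in directory[group][2]:
        if member in seen:          # guards against circular nesting
            continue
        seen.add(member)
        if directory[member][0] == "user":
            users.add(member)
        elif directory[member][2]:
            users |= effective_users(directory, member, seen)
    return users
```

On the sample data, `audit(DIRECTORY)` reports G-Mixed as invalid and U-Adhoc and DL-Legacy as off-pattern, while `effective_users(DIRECTORY, "DL-SalesShare")` resolves to both accounts through the global and universal groups.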

Q. How can I change the default container in which Active Directory (AD) creates new users in Windows Server 2003?

A. By default, when you add a new user, AD adds that user to the Users container. For example, typing

net user paul Pa55word! /add /domain

creates a new user account called Paul in the Users container. If you set the domain level to Windows 2003, you can use the Redirusr command to change the default container. The command syntax is

redirusr <container-dn>

Q. How can I change the default container in which Active Directory (AD) creates new computers in Windows Server 2003?

A. By default, when you add a new computer, AD adds that computer to the Computers container. For example, typing

net computer \\testmachine /add

creates a new computer account called testmachine in the Computers container. If you set the domain level to Windows 2003, you can use the Redircmp command to change the default container. The command syntax is

redircmp <container-dn>

Q. How can I view the contents of the DNS resolution cache in Windows 2000 and later?

A. If you've configured the DNS server to forward requests for other zone resolutions, the server will cache the requests it finds so that it can speed other requests for the same DNS lookup. To view the contents of the DNS cache, perform the following steps:

  1. Start the Microsoft Management Console (MMC) DNS snap-in (go to Start, Programs, Administrative Tools, and click DNS).
  2. From the View menu, select Advanced.
  3. Select the Cached Lookups tree node from the left-hand pane to display the top-level domains (e.g., com, net) under ".(root)". Expand any of these domains to view the cached DNS information (the actual records will appear in the right-hand pane).

This figure shows several second-level domains under com, including Microsoft, that show three alias records (e.g., www.microsoft.com actually points to www.microsoft.akadns.net).

Q. How can I clear the contents of the DNS resolution cache in Windows 2000 and later?

A. To clear the DNS cache, perform the following steps:

  1. Start the Microsoft Management Console (MMC) DNS snap-in (go to Start, Programs, Administrative Tools, and click DNS).
  2. From the View menu, select Advanced.
  3. Select and right-click the Cached Lookups tree node from the left-hand pane.
  4. Select Clear Cache from the context menu.

You can also use the Dnscmd command in Windows Server 2003 to clear the cache. From the command prompt, type

dnscmd /clearcache

3. Announcements
(from Windows & .NET Magazine and its partners)

  • Take Our Print Publications Survey!
    To help us improve the hardware and software product coverage in the Windows & .NET Magazine print publications, we need your opinion about which products matter most to you and your organization. The survey takes only a few minutes to finish, so share your thoughts with us at
    http://websurveyor.net/wsb.dll/12237/editorsproduct.htm

  • 2004 Dates Announced: Connections Conferences
    Save these dates: Windows & .NET Magazine Connections will be held April 4-7, 2004, in Las Vegas, Nevada. Microsoft ASP.NET Connections, Visual Studio Connections, and SQL Server Magazine Connections will run concurrently on April 18-21, 2004, in Orlando, Florida. Early registrants will receive the best discounts, so go online or call 203-268-3204 or 800-505-1201 to register.
    http://www.devconnections.com

4. Event
(brought to you by Windows & .NET Magazine)

  • New--Microsoft Security Strategies Roadshow!
    We've teamed with Microsoft, Avanade, and Network Associates to bring you a full day of training to help you get your organization secure and keep it secure. You'll learn how to implement a patch-management strategy; lock down servers, workstations, and network infrastructure; and implement security policy management. Register now for this free, 20-city tour.
    http://www.winnetmag.com/roadshows/computersecurity2004

5. Contact Us
Here's how to reach us with your comments and questions:

This weekly email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
http://www.winnetmag.com/sub.cfm?code=wswi201x1z

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email
