Windows Tips & Tricks UPDATE, July 19, 2004, —brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add [email protected] to your list of allowed senders and contacts.
This Issue Sponsored By
MKS Toolkit - Sanity while working in Windows
Sunbelt Software's iHateSpam for Exchange
Sponsor: MKS Toolkit – Sanity while working in Windows
MKS Toolkit products enable you to preserve your investments in UNIX/Linux software and expertise as you deploy Windows-based workstations and servers, because Toolkit allows you to port scripts, source code, and working environments quickly and easily from UNIX/Linux to Windows. MKS Toolkit brings the power of UNIX/Linux to Windows. UNIX/Linux scripts, commands, applications and your skills are immensely powerful tools that when mixed with over 450 utilities and a complete application SDK make even Windows palatable. Whether you have code to create or systems to administer, the MKS Toolkit product family is essential to your Windows experience.
Call 800-637-8034; +1 (703) 803-3343. Request a free Evaluation.
- Q. How does changing a domain from mixed to native mode affect how I can view a domain local group?
- Q. What are the Relative Identifiers (RIDs) of a domain's built-in accounts?
- Q. Can I change the Relative Identifier (RID) of a built-in object?
- Q. How can I check the status of the Relative Identifier (RID) pool on a domain controller (DC)?
- Q. How can I use the name domain.com for a domain when that name is hosted on a DNS server that doesn't support service records?
by John Savill, FAQ Editor, [email protected]
This week, I tell you how changing a domain from mixed to native mode affects how you can view a domain local group and explain the Relative Identifiers (RIDs) of a domain's built-in accounts and whether you can change the RID of a built-in object. I also tell you how to check the status of the RID pool on a domain controller (DC) and discuss how to use the name domain.com for a domain when the DNS server that hosts that name doesn't support service records.
Sponsor: Sunbelt Software's iHateSpam for Exchange
Try iHateSpam for Exchange Free for 30 days!
Why are 4,000+ Sites Running iHateSpam for Exchange?! Admins choose it for its robust spam filtering for V5.5, 2K and 2K3. With 95% spam detection rate right out of the box, it will save you time and money. A powerful, enterprise-wide spam filter at a great price! COMING SOON: Anti-Virus, Content Auditing & Filtering! Try it now!
Q. How does changing a domain from mixed to native mode affect how I can view a domain local group?
A. In a mixed-mode domain, you can view domain local groups only on domain controllers (DCs)--including Active Directory (AD) DCs and Windows NT Server 4.0 BDCs. After you switch to native mode, you can view domain local groups on all domain members.
Q. What are the Relative Identifiers (RIDs) of a domain's built-in accounts?
A. Every object in a domain has a SID, which consists of the domain's SID and a RID. For built-in objects, such as built-in accounts, these RIDs are hard-coded. The table at http://www.winnetmag.com/articles/misc/table071904.htm lists the built-in objects, their RIDs, and the object type. The fact that RIDs are hard-coded explains why merely renaming, say, the Domain Administrator object doesn't often thwart an intruder, who can simply locate the account by using the RID 500. However, you can create a honeypot by renaming the Domain Administrator account and creating a new account called Domain Administrator that has no permissions. You can use the bogus Domain Administrator account to fool hackers into attacking it, then log the attacks and delay any real damage to the bona fide Domain Administrator account.
Q. Can I change the Relative Identifier (RID) of a built-in object?
A. The RID values are hard-coded in the Windows OS code through header files and shouldn't be changed. Even if you did manage to change a RID, much of the internal OS code refers to the built-in objects by their RIDs instead of their names. Thus, changing the RIDs could cause a lot of problems for your Windows systems.
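As an added illustration of the two answers above (this is not the article's code, and the sample accounts and domain SID are constructed, not real): the script below splits a domain account SID into its domain part and RID, maps the RID against the well-known values, and then audits a list of accounts by RID rather than by name. From the defender's side that answers two questions at once: which account really holds RID 500 today (so that it can be monitored and protected whatever it is called), and which accounts carry a built-in name on an ordinary RID and are therefore the decoy accounts whose logon attempts should be alerted on. The constant names in the comments are the ones Windows defines for these RIDs in winnt.h, the header files the answer refers to.

```python
# Well-known RIDs of a domain's built-in principals. The comment on each line gives
# the constant Windows defines for it in winnt.h, the "header files" the article refers to.
WELL_KNOWN_RIDS = {
    500: "Administrator",               # DOMAIN_USER_RID_ADMIN
    501: "Guest",                       # DOMAIN_USER_RID_GUEST
    502: "krbtgt",                      # DOMAIN_USER_RID_KRBTGT
    512: "Domain Admins",               # DOMAIN_GROUP_RID_ADMINS
    513: "Domain Users",                # DOMAIN_GROUP_RID_USERS
    514: "Domain Guests",               # DOMAIN_GROUP_RID_GUESTS
    515: "Domain Computers",            # DOMAIN_GROUP_RID_COMPUTERS
    516: "Domain Controllers",          # DOMAIN_GROUP_RID_CONTROLLERS
    517: "Cert Publishers",             # DOMAIN_GROUP_RID_CERT_ADMINS
    518: "Schema Admins",               # DOMAIN_GROUP_RID_SCHEMA_ADMINS
    519: "Enterprise Admins",           # DOMAIN_GROUP_RID_ENTERPRISE_ADMINS
    520: "Group Policy Creator Owners", # DOMAIN_GROUP_RID_POLICY_ADMINS
}
_BUILTIN_NAMES = {name.lower() for name in WELL_KNOWN_RIDS.values()}

# Constructed sample directory (the domain SID is made up): the built-in administrator
# has been renamed to 'svc-backup' and a permissionless decoy named 'Administrator'
# created, which is the honeypot arrangement the article describes.
SAMPLE_ACCOUNTS = [
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-1105"),
    ("svc-backup",    "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("Guest",         "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("krbtgt",        "S-1-5-21-1004336348-1177238915-682003330-502"),
    ("jsmith",        "S-1-5-21-1004336348-1177238915-682003330-1106"),
]

def split_sid(sid):
    """Split a domain account SID 'S-1-5-21-a-b-c-rid' into (domain SID, RID)."""
    parts = sid.split("-")
    # Revision 1, NT authority 5, sub-authority 21 (domain), three domain
    # sub-authorities, then the RID: eight dash-separated fields in total.
    if (len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]
            or not all(p.isdigit() for p in parts[4:])):
        raise ValueError(f"not a domain account SID: {sid}")
    return "-".join(parts[:7]), int(parts[7])

def audit_accounts(accounts):
    """Classify (sAMAccountName, SID) pairs by RID, not by name."""
    domains = set()
    builtins = {}   # RID -> name the built-in principal currently carries
    decoys = []     # names that mimic a built-in but sit on an ordinary RID
    for name, sid in accounts:
        domain, rid = split_sid(sid)
        domains.add(domain)
        known = WELL_KNOWN_RIDS.get(rid)
        if known is not None:
            builtins[rid] = name
        elif name.lower() in _BUILTIN_NAMES:
            decoys.append(name)
    if len(domains) > 1:
        raise ValueError("accounts span more than one domain SID")
    renamed = {rid: name for rid, name in builtins.items()
               if name.lower() != WELL_KNOWN_RIDS[rid].lower()}
    return {
        "builtin_admin": builtins.get(500),   # whatever RID 500 is called today
        "renamed_builtins": renamed,          # built-ins whose name no longer matches the RID
        "decoys": decoys,                     # candidates for logon alerting
    }

if __name__ == "__main__":
    for key, value in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

On the sample data the audit reports svc-backup as the real administrator, lists RID 500 under renamed_builtins, and lists the decoy Administrator account, which is exactly the record a monitoring rule for the honeypot needs.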
Q. How can I check the status of the Relative Identifier (RID) pool on a domain controller (DC)?
A. Windows gives every DC a pool of RIDs and adds to the pool as necessary in batches of 500. To check the range of RIDs in a current pool, run the command
dcdiag /v /test:ridmanager
where /v specifies verbose mode and /test:ridmanager tells the command to run only the RID Manager test and not the other default tests.
The command displays the next RID that will be allocated to an object created on the DC and the range of currently allocated RIDs, as in the following sample output:
Testing server: Gotham\VPC2003DC1MN
   Test omitted by user request: Replications
   Test omitted by user request: Topology
   Test omitted by user request: CutoffServers
   Test omitted by user request: NCSecDesc
   Test omitted by user request: NetLogons
   Test omitted by user request: Advertising
   Test omitted by user request: KnowsOfRoleHolders
   Starting test: RidManager
      * Available RID Pool for the Domain is 2608 to 1073741823
      * omega.savilltech.com is the RID Master
      * DsBind with RID Master was successful
      * rIDAllocationPool is 2108 to 2607
      * rIDPreviousAllocationPool is 2108 to 2607
      * rIDNextRID: 2156
      ......................... VPC2003DC1MN passed test RidManager
In this example, the range of RIDs that can be allocated is from 2108 to 2607, and the next RID that will be allocated is 2156, which means that the pool contains 451 unallocated RIDs (2607-2156).
Notice that in this sample output, rIDAllocationPool and rIDPreviousAllocationPool are the same. That won't always be the case, however. rIDPreviousAllocationPool is the pool that RIDs are currently being taken from for object SID allocation. When more than a specified percentage of RIDs in this pool have been allocated (50 percent for Windows 2000 Service Pack 4--SP4--and later), the OS asks the DC that holds the RID Flexible Single-Master Operation (FSMO) role for another batch of RIDs to add to rIDAllocationPool. When rIDPreviousAllocationPool is totally depleted, the OS copies the RIDs from rIDAllocationPool into rIDPreviousAllocationPool and starts using the copied RIDs as needed. This process ensures that a temporary interruption in communication with the RID FSMO DC doesn't prevent DCs from creating new objects because their RID pools are exhausted.
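The following script is an added example, not code from the article or from Microsoft: it parses the RidManager section of dcdiag /v /test:ridmanager output and turns the pool lines into the figures an administrator actually wants, using the rules the answer just gave (RIDs are taken from rIDPreviousAllocationPool, a new batch is requested once 50 percent of it is used, and a differing rIDAllocationPool means the next batch is already staged). The first input is the article's own sample output; the second is a constructed sample of a DC that is past the threshold and has already fetched its next batch. The remaining_after_next figure reproduces the article's arithmetic (2607 - 2156 = 451).

```python
import re

# The article's dcdiag sample output, broken back into lines.
ARTICLE_OUTPUT = """\
Testing server: Gotham\\VPC2003DC1MN
   Test omitted by user request: Replications
   Test omitted by user request: Topology
   Test omitted by user request: CutoffServers
   Test omitted by user request: NCSecDesc
   Test omitted by user request: NetLogons
   Test omitted by user request: Advertising
   Test omitted by user request: KnowsOfRoleHolders
   Starting test: RidManager
      * Available RID Pool for the Domain is 2608 to 1073741823
      * omega.savilltech.com is the RID Master
      * DsBind with RID Master was successful
      * rIDAllocationPool is 2108 to 2607
      * rIDPreviousAllocationPool is 2108 to 2607
      * rIDNextRID: 2156
      ......................... VPC2003DC1MN passed test RidManager
"""

# Constructed sample (not from the article): a DC that has already fetched its next
# batch, so the two pools differ, and has used more than half of the pool in use.
CONSTRUCTED_OUTPUT = """\
   Starting test: RidManager
      * Available RID Pool for the Domain is 3608 to 1073741823
      * omega.savilltech.com is the RID Master
      * DsBind with RID Master was successful
      * rIDAllocationPool is 3108 to 3607
      * rIDPreviousAllocationPool is 2608 to 3107
      * rIDNextRID: 2900
      ......................... VPC2003DC2MN passed test RidManager
"""

REQUEST_THRESHOLD_PCT = 50.0   # Windows 2000 SP4 and later, per the article

_PATTERNS = {
    "domain_pool": re.compile(r"Available RID Pool for the Domain is (\d+) to (\d+)"),
    "rid_master": re.compile(r"(\S+) is the RID Master"),
    "allocation_pool": re.compile(r"rIDAllocationPool is (\d+) to (\d+)"),
    "previous_pool": re.compile(r"rIDPreviousAllocationPool is (\d+) to (\d+)"),
    "next_rid": re.compile(r"rIDNextRID:\s*(\d+)"),
    "result": re.compile(r"(\S+) (passed|failed) test RidManager"),
}

def parse_ridmanager(text):
    """Extract the RidManager fields from dcdiag /v /test:ridmanager output."""
    found = {}
    for key, pattern in _PATTERNS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"RidManager output is missing the {key} line")
        found[key] = match.groups()
    return {
        "dc": found["result"][0],
        "passed": found["result"][1] == "passed",
        "rid_master": found["rid_master"][0],
        "domain_pool": tuple(map(int, found["domain_pool"])),
        "allocation_pool": tuple(map(int, found["allocation_pool"])),
        "previous_pool": tuple(map(int, found["previous_pool"])),
        "next_rid": int(found["next_rid"][0]),
    }

def assess_pool(info):
    """Measure the pool RIDs are currently taken from (rIDPreviousAllocationPool)."""
    lo, hi = info["previous_pool"]
    next_rid = info["next_rid"]
    if not lo <= next_rid <= hi:
        raise ValueError(f"rIDNextRID {next_rid} lies outside the pool in use {lo}-{hi}")
    size = hi - lo + 1                     # a batch is normally 500 RIDs
    used = next_rid - lo                   # RIDs already handed out from this pool
    pct_used = 100.0 * used / size
    return {
        "pool_size": size,
        "used": used,
        "pct_used": round(pct_used, 1),
        # The article's figure: RIDs left once the next one is consumed (2607 - 2156 = 451).
        "remaining_after_next": hi - next_rid,
        # Past the threshold the DC asks the RID master for another batch.
        "request_expected": pct_used >= REQUEST_THRESHOLD_PCT,
        # Differing pools mean a fresh batch is already waiting in rIDAllocationPool.
        "next_batch_staged": info["allocation_pool"] != info["previous_pool"],
    }

if __name__ == "__main__":
    for label, text in (("article sample", ARTICLE_OUTPUT),
                        ("constructed sample", CONSTRUCTED_OUTPUT)):
        info = parse_ridmanager(text)
        print(label, info["dc"], assess_pool(info))
```

Run against saved dcdiag output from each DC, the request_expected and next_batch_staged flags together tell you whether a DC that cannot reach the RID master right now still has headroom to create objects, which is the situation the paragraph above describes.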
Q. How can I use the name domain.com for a domain when that name is hosted on a DNS server that doesn't support service records?
A. Ideally, you'd migrate the DNS zone to a new Windows-based DNS server. If that isn't possible, don't use domain.com for your Active Directory (AD) domain. Instead, use either ads.domain.com or, if ads.domain.com isn't practical, domain.net.
There's no reason to use domain.com. However, if you must use it and can't move the domain to another DNS server, you can delegate the four core subdomains that AD uses to a Windows DNS server. These subdomains are
You'd create these subdomains as new zones on your Windows DNS server and enable dynamic update. These zones would then contain all the service records that AD needs. However, you'd still need to manually add a host (A) record in the main domain.com zone for each domain controller's (DC's) IP address (e.g., domain.com IN A 220.127.116.11), plus one host record per DC. Adding these records is easy, although you must remember to update the A records whenever your IP addressing changes.
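Because the apex A records and the delegations live on a DNS server that AD can't update, they drift. The script below is an added example (not the article's code) that checks a copy of the parent zone against the current DC inventory: it confirms each AD subdomain is delegated, that every DC has an apex A record and a matching host record, and flags apex addresses no DC has any more. The zone text, host names and addresses are constructed, and the set of delegated subdomains is assumed here to be _msdcs, _sites, _tcp and _udp; the "@" owner stands for the domain.com apex that the article's "domain.com IN A" record refers to.

```python
import ipaddress

# The AD subdomains delegated to the Windows DNS server; assumed here to be
# _msdcs, _sites, _tcp and _udp.
AD_DELEGATED_SUBDOMAINS = ("_msdcs", "_sites", "_tcp", "_udp")

# Constructed parent zone for domain.com as it might look on the third-party DNS
# server (documentation address ranges, not real hosts).
PARENT_ZONE = """\
$ORIGIN domain.com.
@        IN SOA  ns1.isp.example. hostmaster.isp.example. (2004071901 3600 900 604800 86400)
@        IN NS   ns1.isp.example.
@        IN A    192.0.2.10      ; dc1
@        IN A    192.0.2.11      ; dc2
@        IN A    192.0.2.50      ; left over from a DC that was readdressed
dc1      IN A    192.0.2.10
dc2      IN A    192.0.2.99      ; stale: dc2 moved to 192.0.2.11
_msdcs   IN NS   dc1.domain.com.
_sites   IN NS   dc1.domain.com.
_tcp     IN NS   dc1.domain.com.
"""

# Constructed current DC inventory: host label under domain.com -> current IP address.
DCS = {"dc1": "192.0.2.10", "dc2": "192.0.2.11"}

def parse_zone(text):
    """Collect A and NS records from zone-file text as {(owner, type): [rdata, ...]}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):          # skip blanks and directives
            continue
        tokens = line.split()
        if len(tokens) < 4 or tokens[1] != "IN" or tokens[2] not in ("A", "NS"):
            continue                                  # SOA and other types are ignored
        owner, rtype, rdata = tokens[0], tokens[2], tokens[3]
        if rtype == "A":
            ipaddress.IPv4Address(rdata)              # reject malformed addresses early
        records.setdefault((owner, rtype), []).append(rdata)
    return records

def check_parent_zone(records, dcs, subdomains=AD_DELEGATED_SUBDOMAINS):
    """Report what is missing or stale in the parent zone for the AD domain under it."""
    apex_a = set(records.get(("@", "A"), []))
    findings = {
        "missing_delegations": [s for s in subdomains if not records.get((s, "NS"))],
        "apex_missing": [],   # DCs with no apex A record for their current address
        "host_stale": [],     # DCs whose own A record does not match their current address
        "apex_stale": sorted(apex_a - set(dcs.values())),  # apex addresses no DC has
    }
    for host, ip in dcs.items():
        if ip not in apex_a:
            findings["apex_missing"].append(host)
        if records.get((host, "A"), []) != [ip]:
            findings["host_stale"].append(host)
    return findings

if __name__ == "__main__":
    for key, value in check_parent_zone(parse_zone(PARENT_ZONE), DCS).items():
        print(f"{key}: {value}")
```

On the constructed zone the check reports that _udp is not delegated, that dc2's host record still points at its old address, and that 192.0.2.50 at the apex belongs to no current DC; running it after every readdressing is the reminder the paragraph above asks for.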
(from Windows & .NET Magazine and its partners)
Our VIP Web site/Super CD subscribers are used to getting online access to all of our publications, plus a print subscription to Windows & .NET Magazine and exclusive access to our banner-free VIP Web site. Now we've added even more content from the archives of SQL Server Magazine! You won't find a more complete and comprehensive resource anywhere--check it out!
Take the next steps against the "silent killer" and learn how to prepare for directory harvest attacks. Plus, find out how to eliminate spam and viruses by learning spammers' new covert tactics designed to get past conventional spam content filters. Get the latest Email Security Toolkit now!
This eBook will educate Exchange administrators and systems managers about how to best approach the migration and overall management of an Exchange 2003 environment. The book will focus on core issues such as configuration management, accounting, and monitoring performance with an eye toward migration, consolidation, security, and management.
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )
In this free Web seminar, attendees will learn about the scalability of blade servers and how the HP BL series of servers work. And, we'll look at support for remote management, Integrated Lights Out (ILO) management, automated configuration, and server provisioning, as well as specialized server designations within a blade enclosure and more. Register now!
Comparison Paper: The Argent Guardian Easily Beats Out MOM
Free Download--New - Launch NetOp Remote Control from a USB Drive
Here's how to reach us with your comments and questions:
- About the newsletter — [email protected]
- About technical questions — http://www.winnetmag.com/forums
- About product news — [email protected]
- About your subscription — [email protected]
- About sponsoring UPDATE — [email protected]
Contact Our Sponsors
MKS Software -- http://www.mkssoftware.com -- 1-800-637-8034
Sunbelt Software -- http://www.sunbelt-software.com -- 1-888-688-8457
This weekly email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.